Introduction
Auditing is added to MySQL/MariaDB for database security: it records who connected to the database and what they ran, so that unauthorized or unexpected operations can be detected and traced afterwards. Auditing does not block anything by itself; it produces the evidence.
The setup here uses the server_audit plugin. It was developed by MariaDB and ships with MariaDB, so no separate download is needed.
1. Install the server_audit.so plugin
#Find the directory mysqld loads plugins from
MariaDB [(none)]> show variables like '%plugin_dir%';
+---------------+--------------------------+
| Variable_name | Value |
+---------------+--------------------------+
| plugin_dir | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.001 sec)
#Check that server_audit.so exists in that directory
[root@node212 ~]# ls /usr/lib64/mysql/plugin/
auth_ed25519.so caching_sha2_password.so file_key_management.so ha_federatedx.so ha_spider.so query_cache_info.so simple_password_check.so
auth_gssapi_client.so client_ed25519.so ha_archive.so ha_mroonga.so locales.so query_response_time.so sql_errlog.so
auth_pam.so dialog.so ha_blackhole.so handlersocket.so metadata_lock_info.so server_audit.so wsrep_info.so
auth_socket.so disks.so ha_federated.so ha_sphinx.so mysql_clear_password.so sha256_password.so
#Install the plugin. INSTALL PLUGIN also records it in the mysql.plugin table, so it is loaded again after a restart.
MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'server_audit.so';
Query OK, 0 rows affected (0.008 sec)
#Inspect the plugin's variables. These are the defaults right after installation; server_audit_logging is still OFF, so nothing is being logged yet.
MariaDB [(none)]> show variables like '%audit%';
+-------------------------------+-----------------------+
| Variable_name | Value |
+-------------------------------+-----------------------+
| server_audit_events | |
| server_audit_excl_users | |
| server_audit_file_path | server_audit.log |
| server_audit_file_rotate_now | OFF |
| server_audit_file_rotate_size | 1000000 |
| server_audit_file_rotations | 9 |
| server_audit_incl_users | |
| server_audit_logging | OFF |
| server_audit_mode | 0 |
| server_audit_output_type | file |
| server_audit_query_log_limit | 1024 |
| server_audit_syslog_facility | LOG_USER |
| server_audit_syslog_ident | mysql-server_auditing |
| server_audit_syslog_info | |
| server_audit_syslog_priority | LOG_INFO |
+-------------------------------+-----------------------+
15 rows in set (0.001 sec)
2. server_audit configuration variables
All of the variables below can be changed at runtime with SET GLOBAL, but a runtime change is lost at the next restart; put the final values in my.cnf (see section 3).
server_audit_events: which event types to log, as a comma-separated list. Valid values: CONNECT, QUERY, TABLE, QUERY_DDL, QUERY_DML, QUERY_DCL, QUERY_DML_NO_SELECT. When empty (the default) all events are logged.
server_audit_excl_users: comma-separated list of users whose activity is not logged.
server_audit_file_path: path of the audit log file. A relative path (such as the default server_audit.log) is relative to the data directory.
server_audit_file_rotate_now: set to ON to force an immediate rotation of the log file; it resets itself to OFF.
server_audit_file_rotate_size: size in bytes at which the log file is rotated (default 1000000).
server_audit_file_rotations: number of rotated log files to keep (default 9). 0 disables rotation.
server_audit_incl_users: comma-separated list of users whose activity is logged. If a user appears in both incl_users and excl_users, incl_users wins and the user is logged.
server_audit_logging: ON/OFF, the master switch for logging. It is OFF after installation, so nothing is logged until it is turned on.
server_audit_mode: used internally (testing); leave it at 0.
server_audit_output_type: where records go, FILE or SYSLOG.
server_audit_query_log_limit: maximum length of the statement text written for a QUERY event (default 1024); longer statements are truncated in the log.
server_audit_syslog_facility: SYSLOG mode only; the syslog facility (default LOG_USER).
server_audit_syslog_ident: SYSLOG mode only; the string written in the "ident" part of each syslog record.
server_audit_syslog_info: SYSLOG mode only; a string written in the "info" part of each syslog record.
server_audit_syslog_priority: SYSLOG mode only; the priority of records sent to syslogd. Valid values: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG.
3. The server_audit load option and server configuration
server_audit is a plugin load option, not a system variable: it is set in my.cnf (or on the mysqld command line) and read at startup. Valid values: OFF, ON, FORCE, FORCE_PLUS_PERMANENT.
OFF - disables the plugin without removing it from the mysql.plugin table.
ON - enables the plugin. If the plugin fails to initialize, the server still starts, but with the plugin disabled.
FORCE - enables the plugin. If the plugin fails to initialize, the server refuses to start and reports an error.
FORCE_PLUS_PERMANENT - same as FORCE, and in addition the plugin cannot be unloaded with UNINSTALL SONAME or UNINSTALL PLUGIN while the server is running.
For auditing, FORCE_PLUS_PERMANENT is the value that matters: with ON, anyone with enough privilege to run UNINSTALL PLUGIN could remove the audit plugin and then work unlogged.
Server configuration, under the [mysqld] section of my.cnf so that it survives restarts. These options are only recognized once the plugin is loaded (step 1 registered it in mysql.plugin; plugin_load_add=server_audit is the alternative), and an unknown option in [mysqld] stops mysqld from starting, so install first and configure second.
server_audit_logging=ON #turn on logging
server_audit=FORCE_PLUS_PERMANENT #prevent the audit plugin from being uninstalled
server_audit_events='CONNECT,TABLE,QUERY_DDL,QUERY_DML_NO_SELECT,QUERY_DCL' #which operations to audit: connections, table access, DDL, DML other than SELECT, DCL
server_audit_file_path=/var/lib/mysql/server_audit.log #the directory must be writable by the database user (mysql). The file holds every logged statement in full, so restrict who can read it and ship it off the host.
4. Check the output
[root@node212 ~]# tail -F /var/lib/mysql/server_audit.log
20200722 09:51:35,node212,root,192.168.0.5,13,69,CREATE,test,user,
20200722 09:51:35,node212,root,192.168.0.5,13,69,QUERY,test,'create table user(id int ,name varchar(40))',0
20200722 09:52:10,node212,root,192.168.0.5,13,76,QUERY,test,'insert into user(1,\'aaaa\')',1064
20200722 09:53:16,node212,root,192.168.0.5,13,98,READ,test,test,
20200722 09:54:20,node212,root,192.168.0.5,10,0,DISCONNECT,test,,0
20200722 09:54:20,node212,root,192.168.0.5,13,0,DISCONNECT,test,,0
20200722 09:54:20,node212,root,192.168.0.5,11,0,DISCONNECT,test,,0
20200722 09:54:20,node212,root,192.168.0.5,9,0,DISCONNECT,,,0
20200722 09:54:28,node212,root,192.168.0.5,8,0,CONNECT,,,0
20200722 09:54:28,node212,root,192.168.0.5,8,6,READ,test,user,
#Log format
For file output (server_audit_output_type=file, as here) each record is:
[timestamp],[serverhost],[username],[host],[connectionid],[queryid],[operation],[database],[object],[retcode]
For syslog output the same fields are preceded by the syslog header:
[timestamp][syslog_host][syslog_ident]:[syslog_info][serverhost],[username],[host],[connectionid],[queryid],[operation],[database],[object],[retcode]
Reading the sample above: for QUERY events the object field holds the statement text in single quotes (quotes inside it are escaped as \', and text beyond server_audit_query_log_limit is cut off) and retcode is the server's result, 0 for success or the MySQL error number, so the failed INSERT is recorded with 1064 (syntax error). Rejected statements are logged, not only successful ones. For TABLE events (CREATE, READ, WRITE, ...) the object field is the table name and retcode is empty. The READ lines show that table reads are still recorded by the TABLE event even though QUERY_DML_NO_SELECT keeps SELECT text out of the log. The host column is the client address (192.168.0.5), which is what to compare against the hosts that are expected to reach the database.
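The file-format records are simple enough to parse, which is what makes the audit log usable for detection rather than only for after-the-fact reading. The following Python script is an added example, not part of the original post or of the server_audit plugin: it parses records in the file format described above, using the log lines from this page as its constructed sample input, and applies the checks a DBA or SOC analyst would typically want first: statements the server rejected (non-zero retcode, such as the 1064 syntax error above), DDL statements, table reads, and connections from hosts outside an allowlist. The allowlist and the DDL keyword list are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Sample input: the file-format records shown above on this page. A raw string
# keeps the backslash-escaped quotes in the failed INSERT exactly as logged.
SAMPLE_LOG = r"""20200722 09:51:35,node212,root,192.168.0.5,13,69,CREATE,test,user,
20200722 09:51:35,node212,root,192.168.0.5,13,69,QUERY,test,'create table user(id int ,name varchar(40))',0
20200722 09:52:10,node212,root,192.168.0.5,13,76,QUERY,test,'insert into user(1,\'aaaa\')',1064
20200722 09:53:16,node212,root,192.168.0.5,13,98,READ,test,test,
20200722 09:54:20,node212,root,192.168.0.5,13,0,DISCONNECT,test,,0
20200722 09:54:28,node212,root,192.168.0.5,8,0,CONNECT,,,0
20200722 09:54:28,node212,root,192.168.0.5,8,6,READ,test,user,
"""


@dataclass
class AuditEvent:
    timestamp: str
    serverhost: str
    username: str
    host: str               # client address, as logged by the plugin
    connection_id: int
    query_id: int
    operation: str          # CONNECT, DISCONNECT, QUERY, or a TABLE event such as CREATE/READ/WRITE
    database: str
    obj: str                # statement text for QUERY events, table name for TABLE events
    retcode: Optional[int]  # 0 on success, MySQL error number on failure, None when the field is empty


def parse_line(line: str) -> AuditEvent:
    """Parse one file-format record.

    The first eight fields never contain commas, so they are split naively. The
    object field of a QUERY event is the quoted statement text and may contain
    commas and escaped quotes, so the tail is split on its *last* comma instead.
    """
    parts = line.rstrip("\n").split(",", 8)
    if len(parts) != 9:
        raise ValueError(f"malformed audit record: {line!r}")
    ts, srv, user, host, conn, qid, op, db, rest = parts
    obj, sep, ret = rest.rpartition(",")
    if not sep:                      # no retcode field at all: whole tail is the object
        obj, ret = rest, ""
    if len(obj) >= 2 and obj[0] == "'" and obj[-1] == "'":
        # Quoted statement text: drop the quotes and undo the plugin's \' escaping.
        obj = obj[1:-1].replace("\\'", "'")
    return AuditEvent(ts, srv, user, host, int(conn), int(qid), op, db, obj,
                      int(ret) if ret else None)


def parse_log(text: str) -> List[AuditEvent]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


# Assumed keyword list for "schema-changing" statements; extend for your environment.
DDL_RE = re.compile(r"^\s*(create|drop|alter|truncate|rename)\b", re.IGNORECASE)


def failed_queries(events: List[AuditEvent]) -> List[AuditEvent]:
    """Statements the server rejected: retcode is a MySQL error number (1064 = syntax error)."""
    return [e for e in events if e.operation == "QUERY" and e.retcode not in (None, 0)]


def ddl_statements(events: List[AuditEvent]) -> List[AuditEvent]:
    """Schema-changing statements, matched on the statement text of QUERY events."""
    return [e for e in events if e.operation == "QUERY" and DDL_RE.match(e.obj)]


def tables_read(events: List[AuditEvent]) -> List[Tuple[str, str]]:
    """(database, table) pairs from TABLE READ events; these stay logged even when
    QUERY_DML_NO_SELECT keeps the SELECT text itself out of the log."""
    return sorted({(e.database, e.obj) for e in events if e.operation == "READ"})


def unexpected_connections(events: List[AuditEvent], allowed_hosts: Set[str]) -> List[Tuple[str, str]]:
    """(user, host) pairs that connected from a host outside the allowlist."""
    return sorted({(e.username, e.host) for e in events
                   if e.operation == "CONNECT" and e.host not in allowed_hosts})


def report(text: str, allowed_hosts: Set[str]) -> dict:
    events = parse_log(text)
    return {
        "events": len(events),
        "failed": [(e.query_id, e.retcode, e.obj) for e in failed_queries(events)],
        "ddl": [(e.query_id, e.obj) for e in ddl_statements(events)],
        "tables_read": tables_read(events),
        "unexpected_connections": unexpected_connections(events, allowed_hosts),
    }


if __name__ == "__main__":
    # Hypothetical allowlist: only the application host 10.0.0.5 is expected to connect,
    # so the root login from 192.168.0.5 in the sample is reported.
    for key, value in report(SAMPLE_LOG, {"10.0.0.5"}).items():
        print(f"{key}: {value}")
```

To run it against a live log, replace SAMPLE_LOG with the contents of server_audit_file_path (read it with the same privileges that protect the file). The split-on-last-comma rule is what keeps the parser correct for statement text that itself contains commas; splitting the whole line on commas would break on the very first CREATE TABLE.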