vlambda blog

Enabling the audit log on MySQL 5.6 and 5.7

    A project at my company has to pass MLPS (等保) certification at level n, and this is my first time dealing with MLPS, so I searched online for how to enable MySQL audit logging. The test procedure follows:

Enabling the audit log on MySQL 5.6

1. Install MySQL 5.6 with yum
Check which MariaDB packages are installed:
# rpm -qa|grep -i mariadb
Remove the installed MariaDB packages:
# rpm -qa|grep mariadb|xargs rpm -e --nodeps
Check again to confirm that MariaDB is gone:
# rpm -qa|grep -i mariadb

Download the RPMs and install them in dependency order: common → libs → client → server
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql56-community-el7/mysql-community-common-5.6.47-2.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql56-community-el7/mysql-community-libs-5.6.47-2.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql56-community-el7/mysql-community-client-5.6.47-2.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql56-community-el7/mysql-community-server-5.6.47-2.el7.x86_64.rpm
Install the downloaded RPMs with yum (this is a local package install that lets yum pull in the remaining dependencies; it does not add a yum repository):
# yum -y install mysql-community-common-5.6.47-2.el7.x86_64.rpm mysql-community-libs-5.6.47-2.el7.x86_64.rpm mysql-community-client-5.6.47-2.el7.x86_64.rpm mysql-community-server-5.6.47-2.el7.x86_64.rpm


Start MySQL:
# systemctl start mysqld.service
Check that it is running:
# systemctl status mysqld.service -l

Set the root password. After a fresh MySQL 5.6 install the root password is empty, so log in as root right away (just press Enter at the password prompt) and set one.
# mysql -u root
mysql> use mysql;
mysql> update user set password=PASSWORD('xmlgrg...') where User='root';
mysql> flush privileges;
The Password column in mysql.user stores a hash, so the value must go through PASSWORD(); writing the plaintext into the column with UPDATE does not produce a password you can log in with.
Set up the host-specific root accounts:
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'xmlgrg...';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'127.0.0.1' IDENTIFIED BY 'xmlgrg...';
mysql> flush privileges;
mysql> exit

Test the login:
# mysql -h127.0.0.1 -uroot -pxmlgrg...
Passing the password on the command line with -p leaves it in the shell history and makes it visible in the process list; outside a throwaway test box, give -p without a value and type the password at the prompt.


Enable the audit log. First check whether anything audit-related is present by default:
# mysql -h127.0.0.1 -uroot -pxmlgrg...
mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';
Empty set (0.00 sec)

Find the MySQL plugin directory:
mysql> show global variables like 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| plugin_dir    | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.00 sec)



Unpack the McAfee MySQL audit plugin (audit-plugin-mysql-5.6-1.1.7-805-linux-x86_64.zip, downloaded to /opt) and copy the shared object into the plugin directory. Because this .so is loaded into the mysqld process, verify the download's checksum against the release you took it from before loading it.
[root@localhost opt]# ll
total 496
-rw-r--r-- 1 root root 507046 Mar 16 09:49 audit-plugin-mysql-5.6-1.1.7-805-linux-x86_64.zip
[root@localhost opt]# unzip audit-plugin-mysql-5.6-1.1.7-805-linux-x86_64.zip
Archive:  audit-plugin-mysql-5.6-1.1.7-805-linux-x86_64.zip
   creating: audit-plugin-mysql-5.6-1.1.7-805/
   creating: audit-plugin-mysql-5.6-1.1.7-805/lib/
  inflating: audit-plugin-mysql-5.6-1.1.7-805/lib/libaudit_plugin.so
  inflating: audit-plugin-mysql-5.6-1.1.7-805/COPYING
  inflating: audit-plugin-mysql-5.6-1.1.7-805/THIRDPARTY.txt
  inflating: audit-plugin-mysql-5.6-1.1.7-805/README.txt
  inflating: audit-plugin-mysql-5.6-1.1.7-805/plugin-name.txt
   creating: audit-plugin-mysql-5.6-1.1.7-805/utils/
  inflating: audit-plugin-mysql-5.6-1.1.7-805/utils/offset-extract.sh
[root@localhost opt]# cd audit-plugin-mysql-5.6-1.1.7-805
[root@localhost audit-plugin-mysql-5.6-1.1.7-805]# cd lib/
[root@localhost lib]# cp libaudit_plugin.so /usr/lib64/mysql/plugin/
[root@localhost lib]# cd /usr/lib64/mysql/plugin/
[root@localhost plugin]# chmod +x libaudit_plugin.so
[root@localhost plugin]# chown mysql.mysql libaudit_plugin.so
Compute the offsets for this exact mysqld binary with the offset-extract.sh script shipped in the plugin package (it needs gdb):
# cd /opt/audit-plugin-mysql-5.6-1.1.7-805
[root@localhost audit-plugin-mysql-5.6-1.1.7-805]# ll
total 36
-rw-r--r-- 1 root root 19071 Oct 26  2018 COPYING
drwxr-xr-x 2 root root    32 Oct 26  2018 lib
-rw-r--r-- 1 root root  1833 Oct 26  2018 plugin-name.txt
-rw-r--r-- 1 root root  1905 Oct 26  2018 README.txt
-rw-r--r-- 1 root root  6494 Oct 26  2018 THIRDPARTY.txt
drwxr-xr-x 2 root root    31 Oct 26  2018 utils
[root@localhost audit-plugin-mysql-5.6-1.1.7-805]# cd utils/
[root@localhost utils]# ll
total 8
-rw-r--r-- 1 root root 4475 Oct 26  2018 offset-extract.sh
[root@localhost utils]# chmod +x offset-extract.sh
[root@localhost utils]# which mysqld
/usr/sbin/mysqld
[root@localhost utils]# ./offset-extract.sh /usr/sbin/mysqld
ERROR: gdb not found. Make sure gdb is installed and on the path.
[root@localhost utils]# yum install gdb -y
[root@localhost utils]# ./offset-extract.sh /usr/sbin/mysqld
//offsets for: /usr/sbin/mysqld (5.6.47)
{"5.6.47","406d4a420f3f3df0644437ffe1f91dda", 7000, 7048, 4008, 4528, 72, 2704, 96, 0, 32, 104, 136, 7136, 4400, 2800, 2808, 2812, 536, 0, 0, 6368, 6392, 6376, 13056, 548, 516},
The first two fields are the mysqld version and the MD5 of the binary; the numbers that follow are offsets into mysqld's internal structures. They are valid only for that exact binary, so after any mysqld package update the script must be re-run and audit_offsets updated before the plugin is loaded again, otherwise the plugin can read the wrong memory and crash the server.
Add the following to the [mysqld] section of my.cnf. No restart is needed in this 5.6 setup, because the plugin is loaded at runtime with INSTALL PLUGIN in the next step and picks these options up when it loads:
# vi /etc/my.cnf
[mysqld]
audit_json_file=on
audit_force_record_logins=on
audit_json_file_sync=1
audit_offsets=7000, 7048, 4008, 4528, 72, 2704, 96, 0, 32, 104, 136, 7136, 4400, 2800, 2808, 2812, 536, 0, 0, 6368, 6392, 6376, 13056, 548, 516
audit_record_cmds='insert,delete,update,create_table,create_db,drop_table,drop_db,alter_table,grant,truncate'
The names in audit_record_cmds must be MySQL's internal command names, the same strings that appear as cmd in the JSON log and that the 5.7 configuration below uses (create_table, drop_table, alter_table, ...). The bare create, drop, alter and show from the original list match no command; for show, pick the specific names you need, for example show_databases or show_grants. audit_force_record_logins=on records Connect, Quit and failed logins regardless of this filter, and audit_json_file_sync=1 syncs every record to disk, which costs I/O but keeps the log intact across a crash.




Install and start the audit plugin

MySQL [(none)]> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
MySQL [(none)]> SET GLOBAL audit_json_file=ON;
Check the plugin's variables:
mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';


Check the plugin version:
mysql> show global status like 'AUDIT_version';
+---------------+-----------+
| Variable_name | Value     |
+---------------+-----------+
| Audit_version | 1.1.7-805 |
+---------------+-----------+
1 row in set (0.00 sec)
By default the audit log is written to mysql-audit.json in the MySQL datadir:
# cat /var/lib/mysql/mysql-audit.json
The file contains the full text of the recorded statements, so keep it readable only by the mysql user, and ship it off the host if the audit trail is supposed to survive a compromise of the database server.


Enabling the audit log on MySQL 5.7

1. Install MySQL 5.7 with yum
Check which MariaDB packages are installed:
# rpm -qa|grep -i mariadb
Remove the installed MariaDB packages:
# rpm -qa|grep mariadb|xargs rpm -e --nodeps
Check again to confirm that MariaDB is gone:
# rpm -qa|grep -i mariadb
Download the RPMs and install them in dependency order: common → libs → client → server
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el7/mysql-community-common-5.7.29-1.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el7/mysql-community-libs-5.7.29-1.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el7/mysql-community-client-5.7.29-1.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el7/mysql-community-server-5.7.29-1.el7.x86_64.rpm
Install the downloaded RPMs with yum (a local package install, not a yum repository):
# yum -y install mysql-community-common-5.7.29-1.el7.x86_64.rpm mysql-community-libs-5.7.29-1.el7.x86_64.rpm mysql-community-client-5.7.29-1.el7.x86_64.rpm mysql-community-server-5.7.29-1.el7.x86_64.rpm


Start MySQL:
# systemctl start mysqld.service
Check that it is running:
# systemctl status mysqld.service -l
For better security, MySQL 5.7 generates a random password for root and writes it to the error log; with the RPM install the error log is /var/log/mysqld.log by default. MySQL is already running at this point, but to get in you first need that temporary password:
# grep "password" /var/log/mysqld.log
2019-07-30T01:07:09.841895Z 1 [Note] A temporary password is generated for root@localhost: B<wtKKkkJ0ka
Log in:
# mysql -uroot -p
Enter the temporary password. Nothing else works until the password is changed, because MySQL 5.7 marks the temporary password as expired:
mysql> set password=password('[email protected]');
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> grant all privileges on *.* to root@'%' identified by '[email protected]' with grant option;
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
The warnings are 5.7 deprecating PASSWORD() and IDENTIFIED BY inside GRANT; ALTER USER ... IDENTIFIED BY is the replacement. Note that root@'%' allows root to log in from any host; if remote root access is not actually required, restrict the account to localhost or to the specific client hosts instead.




Test the login:
# mysql -h127.0.0.1 -uroot -p[email protected]


Enable the audit log. First check whether anything audit-related is present by default:
# mysql -h127.0.0.1 -uroot -p[email protected]
mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';
Empty set (0.00 sec)

Find the MySQL plugin directory:
mysql> show global variables like 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| plugin_dir    | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.00 sec)



Unpack the 5.7 build of the plugin (audit-plugin-mysql-5.7-1.1.7-866-linux-x86_64.zip) and copy the shared object into the plugin directory:
[root@localhost opt]# ll
total 496
-rw-r--r-- 1 root root 507046 Mar 16 09:49 audit-plugin-mysql-5.7-1.1.7-866-linux-x86_64.zip
[root@localhost opt]# unzip audit-plugin-mysql-5.7-1.1.7-866-linux-x86_64.zip
[root@localhost opt]# cd audit-plugin-mysql-5.7-1.1.7-866
[root@localhost audit-plugin-mysql-5.7-1.1.7-866]# cd lib/
[root@localhost lib]# cp libaudit_plugin.so /usr/lib64/mysql/plugin/
[root@localhost lib]# cd /usr/lib64/mysql/plugin/
[root@localhost plugin]# chmod +x libaudit_plugin.so
[root@localhost plugin]# chown mysql.mysql libaudit_plugin.so
Compute the offsets for the 5.7.29 mysqld binary with the offset-extract.sh script from the plugin package (gdb is required):
# cd /opt/audit-plugin-mysql-5.7-1.1.7-866
[root@localhost audit-plugin-mysql-5.7-1.1.7-866]# ll
total 36
-rw-r--r-- 1 root root 19071 Oct 26  2018 COPYING
drwxr-xr-x 2 root root    32 Oct 26  2018 lib
-rw-r--r-- 1 root root  1833 Oct 26  2018 plugin-name.txt
-rw-r--r-- 1 root root  1905 Oct 26  2018 README.txt
-rw-r--r-- 1 root root  6494 Oct 26  2018 THIRDPARTY.txt
drwxr-xr-x 2 root root    31 Oct 26  2018 utils
[root@localhost audit-plugin-mysql-5.7-1.1.7-866]# cd utils/
[root@localhost utils]# ll
total 8
-rw-r--r-- 1 root root 4475 Oct 26  2018 offset-extract.sh
[root@localhost utils]# chmod +x offset-extract.sh
[root@localhost utils]# which mysqld
/usr/sbin/mysqld
[root@localhost utils]# ./offset-extract.sh /usr/sbin/mysqld
ERROR: gdb not found. Make sure gdb is installed and on the path.
[root@localhost utils]# yum install gdb -y
[root@localhost utils]# ./offset-extract.sh /usr/sbin/mysqld
//offsets for: /usr/sbin/mysqld (5.7.29)
{"5.7.29","00b4b7c8931e964887789044c56346fa", 7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13472, 148, 672},
As with 5.6, the offsets are bound to this exact mysqld build (version plus MD5) and must be recomputed after any mysqld update.

Add the following to the [mysqld] section of my.cnf. Unlike the 5.6 setup, this configuration uses plugin-load, which loads the plugin when the server starts, so a restart is required after editing the file (done below):
# vi /etc/my.cnf
[mysqld]
audit_json_file=on
audit_force_record_logins=on
audit_json_file_sync=1
plugin-load = AUDIT=libaudit_plugin.so
audit_offsets=7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13472, 148, 672
audit_record_cmds='delete,update,create_table,create_db,drop_db,drop_table,alter_table,grant,truncate'
audit_json_log_file = /data/mysql-audit.json
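The audit_offsets line is copied by hand from the offset-extract.sh output in both the 5.6 and the 5.7 configuration above, and nothing in that workflow stops you from loading the plugin into a mysqld that has since been updated. The following is an added example, not code from the post or from the plugin's package: it parses the `{...}` line printed by offset-extract.sh, compares the MD5 embedded in it with the MD5 of the mysqld binary that will actually load the plugin, and only then emits the audit_offsets setting. The two offsets lines are the ones shown in the post; the script name and command-line usage are this example's own.

```python
"""Turn an offset-extract.sh result into the my.cnf audit_offsets setting,
refusing when the offsets were taken from a different mysqld binary.
Added example for this post; not part of the McAfee audit plugin package.
"""
import hashlib
import re
import sys

# Offsets lines as printed by offset-extract.sh in the post.
OFFSETS_LINE_56 = ('{"5.6.47","406d4a420f3f3df0644437ffe1f91dda", 7000, 7048, 4008, 4528, '
                   '72, 2704, 96, 0, 32, 104, 136, 7136, 4400, 2800, 2808, 2812, 536, 0, 0, '
                   '6368, 6392, 6376, 13056, 548, 516},')
OFFSETS_LINE_57 = ('{"5.7.29","00b4b7c8931e964887789044c56346fa", 7824, 7872, 3632, 4792, '
                   '456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, '
                   '8, 7056, 7096, 7080, 13472, 148, 672},')

# {"<version>","<md5 of mysqld>", <offset>, <offset>, ...},
_LINE_RE = re.compile(
    r'^\{"(?P<version>[^"]+)","(?P<md5>[0-9a-f]{32})",\s*(?P<offsets>[\d,\s]+)\},?\s*$')


def parse_offsets_line(line):
    """Return (mysqld_version, mysqld_md5, [offsets]) from one output line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an offset-extract.sh offsets line: %r" % line)
    offsets = [int(x) for x in m.group("offsets").replace(" ", "").split(",") if x]
    return m.group("version"), m.group("md5"), offsets


def md5_of_file(path):
    """MD5 of the binary that will load the plugin (same hash the script embeds)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_offsets_setting(line, actual_md5):
    """Build the my.cnf line, or raise if the offsets belong to another binary."""
    version, expected_md5, offsets = parse_offsets_line(line)
    if actual_md5 != expected_md5:
        raise RuntimeError(
            "offsets were extracted from mysqld %s (md5 %s) but the installed binary "
            "has md5 %s; re-run offset-extract.sh before loading the plugin"
            % (version, expected_md5, actual_md5))
    return "audit_offsets=" + ", ".join(str(o) for o in offsets)


if __name__ == "__main__":
    # Usage (hypothetical script name): ./offset-extract.sh /usr/sbin/mysqld | tail -1 \
    #     | python3 check_offsets.py /usr/sbin/mysqld >> /etc/my.cnf
    mysqld = sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin/mysqld"
    print(audit_offsets_setting(sys.stdin.readline(), md5_of_file(mysqld)))
```

Run it as part of whatever deploys my.cnf, and again after each mysqld package update: a mismatch means the offsets are stale and the plugin must not be loaded until the script has been re-run.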



Create the log file with the right owner, then restart so that plugin-load takes effect:
# mkdir /data
# touch /data/mysql-audit.json
# chown mysql.mysql /data/mysql-audit.json
# systemctl restart mysqld.service
touch creates the file world-readable; since it will hold full statement text, tighten it (for example chmod 640) so only the mysql user and its group can read it.
Install and start the audit plugin

mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
mysql> SET GLOBAL audit_json_file=ON;
mysql> set global audit_record_cmds='delete,update,create_table,create_db,drop_db,drop_table,alter_table,grant,truncate';
INSTALL PLUGIN is only needed when the plugin was not already loaded at startup. With plugin-load in my.cnf and the restart above, the plugin is already active, and INSTALL PLUGIN reports that AUDIT already exists; in that case skip it and go straight to checking the variables.
Check the plugin's variables:
mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';


Check the plugin version:
mysql> show global status like 'AUDIT_version';
+---------------+-----------+
| Variable_name | Value     |
+---------------+-----------+
| Audit_version | 1.1.7-866 |
+---------------+-----------+
1 row in set (0.00 sec)

The default location is mysql-audit.json in the MySQL datadir; audit_json_log_file in my.cnf moved it to /data here:
# cat /data/mysql-audit.json
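Both sections end with cat on the audit file, but the point of collecting the log for an audit requirement is to look at it regularly. As an added example that is not part of the post or of the plugin, the script below reads the JSON-lines file the plugin writes (one JSON object per line; the msg-type, date, user, priv_user, host, ip, cmd and query fields follow the plugin's record format), skips malformed lines, counts failed logins per user and source address (present because both configurations set audit_force_record_logins=on), and flags the privilege-changing and destructive commands the post chose to record. The log lines embedded in SAMPLE_LOG are constructed for this example, and the threshold and command set are choices for illustration.

```python
"""Detection pass over mysql-audit.json as written by the McAfee audit plugin.
Added example for this post; the sample records below are constructed.
"""
import json
import sys
from collections import Counter

# Commands whose single occurrence is worth an alert; chosen for this example
# from the set the post records with audit_record_cmds.
PRIVILEGED_CMDS = {"grant", "revoke", "drop_db", "drop_table", "alter_table",
                   "truncate", "create_user", "drop_user"}
FAILED_LOGIN_THRESHOLD = 3  # illustrative threshold, tune per environment

# Constructed sample of the plugin's JSON-lines output, including one
# corrupt line as happens when the file is read while being written.
SAMPLE_LOG = """\
{"msg-type":"activity","date":"1584328000000","thread-id":"12","query-id":"0","user":"root","priv_user":"root","host":"localhost","ip":"127.0.0.1","cmd":"Connect","query":"Connect"}
{"msg-type":"activity","date":"1584328001000","thread-id":"12","query-id":"5","user":"root","priv_user":"root","host":"localhost","ip":"127.0.0.1","cmd":"create_table","objects":[{"db":"app","name":"orders","obj_type":"TABLE"}],"query":"create table app.orders (id int)"}
{"msg-type":"activity","date":"1584328002000","thread-id":"13","query-id":"0","user":"app","priv_user":"","host":"","ip":"10.0.0.7","cmd":"Failed Login","query":""}
{"msg-type":"activity","date":"1584328003000","thread-id":"14","query-id":"0","user":"app","priv_user":"","host":"","ip":"10.0.0.7","cmd":"Failed Login","query":""}
{"msg-type":"activity","date":"1584328004000","thread-id":"15","query-id":"0","user":"app","priv_user":"","host":"","ip":"10.0.0.7","cmd":"Failed Login","query":""}
{"msg-type":"activity","date":"1584328005000","thread-id":"16","query-id":"9","user":"app","priv_user":"app","host":"","ip":"10.0.0.7","cmd":"grant","query":"GRANT ALL PRIVILEGES ON *.* TO 'backdoor'@'%' IDENTIFIED BY 'x' WITH GRANT OPTION"}
this line is not json and must not abort the run
{"msg-type":"activity","date":"1584328006000","thread-id":"16","query-id":"10","user":"app","priv_user":"app","host":"","ip":"10.0.0.7","cmd":"drop_table","objects":[{"db":"app","name":"orders","obj_type":"TABLE"}],"query":"drop table app.orders"}
"""


def parse_audit_log(text):
    """Return (activity records, number of unparsable lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:  # json.JSONDecodeError is a ValueError
            bad += 1
            continue
        if rec.get("msg-type") == "activity":
            records.append(rec)
    return records, bad


def analyse(records):
    """Yield (kind, who, detail) findings in log order."""
    findings = []
    failed = Counter()
    for rec in records:
        who = "%s@%s" % (rec.get("user", ""), rec.get("ip") or rec.get("host") or "?")
        cmd = rec.get("cmd", "")
        if cmd == "Failed Login":
            failed[who] += 1
            if failed[who] == FAILED_LOGIN_THRESHOLD:  # alert once, when the line is crossed
                findings.append(("brute_force", who, "%d failed logins" % failed[who]))
        elif cmd in PRIVILEGED_CMDS:
            findings.append(("privileged_cmd", who, "%s: %s" % (cmd, rec.get("query", ""))))
    return findings


def run(text=SAMPLE_LOG):
    records, bad = parse_audit_log(text)
    return analyse(records), bad


if __name__ == "__main__":
    # Usage: python3 audit_check.py /data/mysql-audit.json (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    findings, bad = run(data)
    for kind, who, detail in findings:
        print("%-15s %-18s %s" % (kind, who, detail))
    if bad:
        print("skipped %d unparsable line(s)" % bad, file=sys.stderr)
```

On the sample this reports one brute-force finding for app@10.0.0.7 and two privileged commands from the same source (the GRANT that creates a new superuser and the DROP TABLE), while the ordinary CREATE TABLE from root@localhost passes silently. Feeding it the real file from cron, or shipping the file to a SIEM that applies the same logic, is what turns the audit log into something that would actually be noticed.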


Still to work out: how to rotate the audit log and how to uninstall the plugin. That will be the next post.