Enabling the audit log on MySQL 5.6 and 5.7
A project at my company has to pass MLPS (等保) level-n certification, and this was my first contact with it. I searched online for ways to enable MySQL's audit log; the test procedure is as follows:
MySQL 5.6: enabling the audit log
1. Install MySQL 5.6 with yum
Check the installed MariaDB version.
# rpm -qa|grep -i mariadb
Remove the installed MariaDB packages.
# rpm -qa|grep mariadb|xargs rpm -e --nodeps
Check the installed MariaDB version again to confirm the removal is complete.
# rpm -qa|grep -i mariadb
Download the RPMs
Install the RPM packages in dependency order: common → libs → client → server.
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql56-community-el7/mysql-community-server-5.6.47-2.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql56-community-el7/mysql-community-client-5.6.47-2.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql56-community-el7/mysql-community-libs-5.6.47-2.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql56-community-el7/mysql-community-common-5.6.47-2.el7.x86_64.rpm
Install the RPMs with yum
# yum -y install mysql-community-common-5.6.47-2.el7.x86_64.rpm mysql-community-libs-5.6.47-2.el7.x86_64.rpm mysql-community-client-5.6.47-2.el7.x86_64.rpm mysql-community-server-5.6.47-2.el7.x86_64.rpm
Start MySQL first
# systemctl start mysqld.service
Check MySQL's running status:
# systemctl status mysqld.service -l
Set the password.
After installing MySQL 5.6 the root password is empty, so log in promptly as root (just press Enter at the password prompt the first time) and change it.
# mysql -u root
mysql> use mysql;
mysql> update user set password=PASSWORD('xmlgrg...') where User='root';
mysql> flush privileges;
Set up host-based login
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'xmlgrg...';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'127.0.0.1' IDENTIFIED BY 'xmlgrg...';
mysql> flush privileges;
mysql> exit
Test that login works
# mysql -h127.0.0.1 -uroot -pxmlgrg...
Enable the audit log
First check whether anything audit-related exists by default
# mysql -h127.0.0.1 -uroot -pxmlgrg...
mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';
Empty set (0.00 sec)
Check MySQL's plugin directory
mysql> show global variables like 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value |
+---------------+--------------------------+
| plugin_dir | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.00 sec)
[root@localhost opt]# ll
总用量 496
-rw-r--r-- 1 root root 507046 3月 16 09:49 audit-plugin-mysql-5.6-1.1.7-805-linux-x86_64.zip
[root@localhost opt]# unzip audit-plugin-mysql-5.6-1.1.7-805-linux-x86_64.zip
Archive: audit-plugin-mysql-5.6-1.1.7-805-linux-x86_64.zip
creating: audit-plugin-mysql-5.6-1.1.7-805/
creating: audit-plugin-mysql-5.6-1.1.7-805/lib/
inflating: audit-plugin-mysql-5.6-1.1.7-805/lib/libaudit_plugin.so
inflating: audit-plugin-mysql-5.6-1.1.7-805/COPYING
inflating: audit-plugin-mysql-5.6-1.1.7-805/THIRDPARTY.txt
inflating: audit-plugin-mysql-5.6-1.1.7-805/README.txt
inflating: audit-plugin-mysql-5.6-1.1.7-805/plugin-name.txt
creating: audit-plugin-mysql-5.6-1.1.7-805/utils/
inflating: audit-plugin-mysql-5.6-1.1.7-805/utils/offset-extract.sh
[root@localhost opt]# cd audit-plugin-mysql-5.6-1.1.7-805
[root@localhost audit-plugin-mysql-5.6-1.1.7-805]# cd lib/
[root@localhost lib]# cp libaudit_plugin.so /usr/lib64/mysql/plugin/
[root@localhost lib]# cd /usr/lib64/mysql/plugin/
[root@localhost plugin]# chmod +x libaudit_plugin.so
[root@localhost plugin]# chown mysql.mysql libaudit_plugin.so
[root@localhost plugin]#
# cd /opt/audit-plugin-mysql-5.6-1.1.7-805   # use the offset script shipped in the plugin package to compute the offsets
[root@localhost audit-plugin-mysql-5.6-1.1.7-805]# ll
总用量 36
-rw-r--r-- 1 root root 19071 10月 26 2018 COPYING
drwxr-xr-x 2 root root 32 10月 26 2018 lib
-rw-r--r-- 1 root root 1833 10月 26 2018 plugin-name.txt
-rw-r--r-- 1 root root 1905 10月 26 2018 README.txt
-rw-r--r-- 1 root root 6494 10月 26 2018 THIRDPARTY.txt
drwxr-xr-x 2 root root 31 10月 26 2018 utils
[root@localhost audit-plugin-mysql-5.6-1.1.7-805]# cd utils/
[root@localhost utils]# ll
总用量 8
-rw-r--r-- 1 root root 4475 10月 26 2018 offset-extract.sh
[root@localhost utils]# chmod +x offset-extract.sh
[root@localhost utils]# which mysqld
/usr/sbin/mysqld
[root@localhost utils]# ./offset-extract.sh /usr/sbin/mysqld
ERROR: gdb not found. Make sure gdb is installed and on the path.
[root@localhost utils]# yum install gdb -y
[root@localhost utils]# ./offset-extract.sh /usr/sbin/mysqld
//offsets for: /usr/sbin/mysqld (5.6.47)
{"5.6.47","406d4a420f3f3df0644437ffe1f91dda", 7000, 7048, 4008, 4528, 72, 2704, 96, 0, 32, 104, 136, 7136, 4400, 2800, 2808, 2812, 536, 0, 0, 6368, 6392, 6376, 13056, 548, 516},
Add the following to the [mysqld] section of my.cnf
The MySQL service does not need to be restarted
# vi /etc/my.cnf
[mysqld]
audit_json_file=on
audit_force_record_logins=on
audit_json_file_sync=1
audit_offsets= 7000, 7048, 4008, 4528, 72, 2704, 96, 0, 32, 104, 136, 7136, 4400, 2800, 2808, 2812, 536, 0, 0, 6368, 6392, 6376, 13056, 548, 516
audit_record_cmds='insert,delete,update,create,drop,alter,grant,truncate,show'
Install and activate the audit plugin
MySQL [(none)]> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
MySQL [(none)]> SET GLOBAL audit_json_file=ON;
Check the audit-plugin parameters
mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';
Check the audit-plugin version
mysql> show global status like 'AUDIT_version';
+---------------+-----------+
| Variable_name | Value |
+---------------+-----------+
| Audit_version | 1.1.7-805 |
+---------------+-----------+
1 row in set (0.00 sec)
By default the audit log is written to MySQL's datadir
# cat /var/lib/mysql/mysql-audit.json
MySQL 5.7: enabling the audit log
1. Install MySQL 5.7 with yum
Check the installed MariaDB version.
# rpm -qa|grep -i mariadb
Remove the installed MariaDB packages.
# rpm -qa|grep mariadb|xargs rpm -e --nodeps
Check the installed MariaDB version again to confirm the removal is complete.
# rpm -qa|grep -i mariadb
Download the RPMs
Install the RPM packages in dependency order: common → libs → client → server.
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el7/mysql-community-server-5.7.29-1.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el7/mysql-community-client-5.7.29-1.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el7/mysql-community-libs-5.7.29-1.el7.x86_64.rpm
# wget https://mirror.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el7/mysql-community-common-5.7.29-1.el7.x86_64.rpm
Install the RPMs with yum
# yum -y install mysql-community-common-5.7.29-1.el7.x86_64.rpm mysql-community-libs-5.7.29-1.el7.x86_64.rpm mysql-community-client-5.7.29-1.el7.x86_64.rpm mysql-community-server-5.7.29-1.el7.x86_64.rpm
Start MySQL first
# systemctl start mysqld.service
Check MySQL's running status:
# systemctl status mysqld.service -l
To strengthen security, MySQL 5.7 generates a random password for root and writes it to the error log; for an RPM installation the error log is /var/log/mysqld.log by default.
MySQL is now running normally, but to get in you first have to find root's current password. The following command finds it in the log file:
# grep "password" /var/log/mysqld.log
2019-07-30T01:07:09.841895Z 1 [Note] A temporary password is generated for root@localhost: B<wtKKkkJ0ka
Enter the database with:
# mysql -uroot -p
Enter the initial password. At this point nothing else can be done, because MySQL 5.7 requires the password to be changed before any other operation:
Change the password
mysql> set password=password('[email protected]');
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> grant all privileges on *.* to root@'%' identified by '[email protected]' with grant option;
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
Test that login works
# mysql -h127.0.0.1 -uroot [email protected]
Enable the audit log
First check whether anything audit-related exists by default
# mysql -h127.0.0.1 -uroot -pxmlgrg...
mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';
Empty set (0.00 sec)
Check MySQL's plugin directory
mysql> show global variables like 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value |
+---------------+--------------------------+
| plugin_dir | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.00 sec)
[root@localhost opt]# ll
总用量 496
-rw-r--r-- 1 root root 507046 3月 16 09:49 audit-plugin-mysql-5.7-1.1.7-866-linux-x86_64.zip
[root@localhost opt]# unzip audit-plugin-mysql-5.7-1.1.7-866-linux-x86_64.zip
[root@localhost opt]# cd audit-plugin-mysql-5.7-1.1.7-866
[root@localhost audit-plugin-mysql-5.7-1.1.7-866]# cd lib/
[root@localhost lib]# cp libaudit_plugin.so /usr/lib64/mysql/plugin/
[root@localhost lib]# cd /usr/lib64/mysql/plugin/
[root@localhost plugin]# chmod +x libaudit_plugin.so
[root@localhost plugin]# chown mysql.mysql libaudit_plugin.so
[root@localhost plugin]#
# cd /opt/audit-plugin-mysql-5.7-1.1.7-866   # use the offset script shipped in the plugin package to compute the offsets
[root@localhost audit-plugin-mysql-5.7-1.1.7-866]# ll
总用量 36
-rw-r--r-- 1 root root 19071 10月 26 2018 COPYING
drwxr-xr-x 2 root root 32 10月 26 2018 lib
-rw-r--r-- 1 root root 1833 10月 26 2018 plugin-name.txt
-rw-r--r-- 1 root root 1905 10月 26 2018 README.txt
-rw-r--r-- 1 root root 6494 10月 26 2018 THIRDPARTY.txt
drwxr-xr-x 2 root root 31 10月 26 2018 utils
[root@localhost audit-plugin-mysql-5.7-1.1.7-866]# cd utils/
[root@localhost utils]# ll
总用量 8
-rw-r--r-- 1 root root 4475 10月 26 2018 offset-extract.sh
[root@localhost utils]# chmod +x offset-extract.sh
[root@localhost utils]# which mysqld
/usr/sbin/mysqld
[root@localhost utils]# ./offset-extract.sh /usr/sbin/mysqld
ERROR: gdb not found. Make sure gdb is installed and on the path.
[root@localhost utils]# yum install gdb -y
[root@localhost utils]# ./offset-extract.sh /usr/sbin/mysqld
//offsets for: /usr/sbin/mysqld (5.7.29)
{"5.7.29","00b4b7c8931e964887789044c56346fa", 7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13472, 148, 672},
Add the following to the [mysqld] section of my.cnf
The MySQL service does not need to be restarted for the settings themselves (this section does restart it below, after the log file has been created, because plugin-load is set in the config)
# vi /etc/my.cnf
[mysqld]
audit_json_file=on
audit_force_record_logins=on
audit_json_file_sync=1
plugin-load = AUDIT=libaudit_plugin.so
audit_offsets= 7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13472, 148, 672
audit_record_cmds='delete,update,create_table,create_db,drop_db,drop_table,alter_table,grant,truncate'
audit_json_log_file = /data/mysql-audit.json
# mkdir /data
# touch /data/mysql-audit.json
# chown mysql.mysql /data/mysql-audit.json
# systemctl restart mysqld.service
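Two things about the offsets step that this section (and the identical 5.6 step earlier) leave implicit: the line printed by offset-extract.sh has to be transcribed into audit_offsets exactly, and the 32-character hex field in it is, as far as I can tell from the script, the MD5 of the mysqld binary the offsets were extracted from, so the record goes stale as soon as yum updates mysqld, and loading the plugin with offsets for a different build can crash mysqld. The following added Python helper (my own code, not part of the plugin or of the original post) parses that record, renders the audit_offsets line and compares the embedded MD5 with the binary on disk. That the hex field is the binary's MD5 is an assumption to verify against md5sum /usr/sbin/mysqld on your own host.

```python
import hashlib
import re

# The record printed on this page by offset-extract.sh for the 5.7.29 build (copied from the output above).
OFFSETS_LINE = ('{"5.7.29","00b4b7c8931e964887789044c56346fa", 7824, 7872, 3632, 4792, 456, 360, '
                '0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, '
                '13472, 148, 672},')

# {"<mysqld version>","<32 hex chars>", n, n, ...},  -- anything else is rejected.
_RECORD_RE = re.compile(r'^\s*\{"([^"]+)"\s*,\s*"([0-9a-fA-F]{32})"\s*,\s*(.*?)\s*\}\s*,?\s*$')


def parse_offsets_line(line):
    """Split one offset-extract.sh record into (mysqld version, hex digest, list of offsets).

    Raises ValueError for anything that does not look like a record (for example the
    'ERROR: gdb not found' line), so a half-copied line cannot turn into a bogus setting.
    """
    m = _RECORD_RE.match(line)
    if not m:
        raise ValueError("not an offset-extract.sh record: %r" % line)
    version, digest, rest = m.groups()
    try:
        offsets = [int(tok) for tok in rest.split(",") if tok.strip()]
    except ValueError:
        raise ValueError("non-numeric offset in record: %r" % line)
    if not offsets or any(o < 0 for o in offsets):
        raise ValueError("record carries no usable offsets: %r" % line)
    return version, digest.lower(), offsets


def audit_offsets_setting(offsets):
    """Render the my.cnf line in the same comma-separated, single-line form the page uses."""
    return "audit_offsets=" + ", ".join(str(o) for o in offsets)


def mysqld_md5(path):
    """MD5 of a file on disk, read in chunks so a large mysqld binary is not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def offsets_match_binary(line, mysqld_path):
    """True only if the digest embedded in the record equals the MD5 of the binary on disk.

    Assumption: the digest is the MD5 of mysqld as computed by offset-extract.sh. A mismatch
    means the offsets came from a different build (e.g. mysqld was updated after extraction)
    and must be regenerated before the plugin is loaded.
    """
    _, digest, _ = parse_offsets_line(line)
    return digest == mysqld_md5(mysqld_path)


if __name__ == "__main__":
    version, digest, offsets = parse_offsets_line(OFFSETS_LINE)
    print("mysqld %s, %d offsets, digest %s" % (version, len(offsets), digest))
    print(audit_offsets_setting(offsets))
    # On a real host: print(offsets_match_binary(OFFSETS_LINE, "/usr/sbin/mysqld"))
```

Run it with the record for your own build and put the printed audit_offsets line into my.cnf only when offsets_match_binary returns True against /usr/sbin/mysqld; rerun the extraction after every mysqld package update.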
Install and activate the audit plugin
mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
mysql> SET GLOBAL audit_json_file=ON;
mysql> set global audit_record_cmds='delete,update,create_table,create_db,drop_db,drop_table,alter_table,grant,truncate';
Check the audit-plugin parameters
mysql> SHOW GLOBAL VARIABLES LIKE '%audi%';
Check the audit-plugin version
mysql> show global status like 'AUDIT_version';
+---------------+-----------+
| Variable_name | Value |
+---------------+-----------+
| Audit_version | 1.1.7-866 |
+---------------+-----------+
1 row in set (0.00 sec)
The audit log goes to MySQL's datadir by default; here it was redirected to /data with audit_json_log_file
# cat /data/mysql-audit.json
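Neither section shows what is inside mysql-audit.json or what to do with it once it exists. The following added Python script (mine, not from the plugin or from the original post) works through a constructed sample in the plugin's JSON-lines format: one object per line with msg-type, date (epoch milliseconds), thread-id, query-id, user, priv_user, host, ip, cmd and query fields. That layout is my understanding of the plugin's records and should be checked against a real file. The script tallies commands, flags a source with repeated failed logins (the page turns these on with audit_force_record_logins), pulls out the DDL and grant statements that the audit_record_cmds settings above enable, and skips a line that was cut short mid-write rather than aborting the whole pass.

```python
import json
from collections import Counter

# Constructed sample, not a real log: eight records plus one line truncated as if mysqld
# had died while writing it. Values (users, IPs, timestamps, queries) are made up.
SAMPLE_LOG = r'''
{"msg-type":"activity","date":"1584323345000","thread-id":"12","query-id":"0","user":"root","priv_user":"root","host":"localhost","ip":"127.0.0.1","cmd":"Connect","query":"Connect"}
{"msg-type":"activity","date":"1584323346000","thread-id":"12","query-id":"31","user":"root","priv_user":"root","host":"localhost","ip":"127.0.0.1","cmd":"grant","query":"GRANT ALL PRIVILEGES ON *.* TO 'app'@'%'"}
{"msg-type":"activity","date":"1584323347000","thread-id":"13","query-id":"0","user":"app","priv_user":"","host":"","ip":"10.0.0.7","cmd":"Failed Login","query":"Failed Login"}
{"msg-type":"activity","date":"1584323348000","thread-id":"14","query-id":"0","user":"app","priv_user":"","host":"","ip":"10.0.0.7","cmd":"Failed Login","query":"Failed Login"}
{"msg-type":"activity","date":"1584323349000","thread-id":"15","query-id":"0","user":"app","priv_user":"","host":"","ip":"10.0.0.7","cmd":"Failed Login","query":"Failed Login"}
{"msg-type":"activity","date":"1584323350000","thread-id":"12","query-id":"32","user":"root","priv_user":"root","host":"localhost","ip":"127.0.0.1","cmd":"drop_table","query":"DROP TABLE orders"}
{"msg-type":"activity","date":"1584323351000","thread-id":"12","query-id":"33","user":"root","priv_user":"root","host":"localhost","ip":"127.0.0.1","cmd":"update","query":"UPDATE orders SET status=1 WHERE id=5"}
{"msg-type":"activity","date":"1584323352000","thread-id":"12","query-id":"34","user":"root","priv_user":"root","host":"localhost","ip":"127.0.
'''

# The schema-changing and privilege-changing cmd values from the audit_record_cmds lists on
# this page; these are listed individually instead of just being counted.
PRIVILEGED_CMDS = {"grant", "create_db", "drop_db", "create_table", "drop_table",
                   "alter_table", "truncate"}
FAILED_LOGIN_THRESHOLD = 3


def parse_audit_log(text):
    """Yield (record, None) for each well-formed line and (None, raw_line) for a damaged one.

    A trailing line can be incomplete if the server stopped mid-write; that must not
    discard the records before it.
    """
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw), None
        except json.JSONDecodeError:
            yield None, raw


def summarize(text, failed_login_threshold=FAILED_LOGIN_THRESHOLD):
    """Reduce an audit file to what a reviewer looks at: counts per cmd, failed logins per
    (user, ip) with the ones at or above the threshold flagged, the privileged statements
    with who issued them from where, and how many lines could not be parsed."""
    by_cmd = Counter()
    failed = Counter()
    privileged = []
    bad_lines = 0
    for rec, _raw in parse_audit_log(text):
        if rec is None:
            bad_lines += 1
            continue
        cmd = rec.get("cmd", "")
        by_cmd[cmd] += 1
        if cmd == "Failed Login":
            failed[(rec.get("user", ""), rec.get("ip", ""))] += 1
        elif cmd.lower() in PRIVILEGED_CMDS:
            privileged.append({
                "when_ms": int(rec.get("date", "0")),
                # priv_user is the account the privileges were checked against; fall back to user.
                "user": rec.get("priv_user") or rec.get("user", ""),
                "ip": rec.get("ip", ""),
                "cmd": cmd,
                "query": rec.get("query", ""),
            })
    flagged = {src: n for src, n in failed.items() if n >= failed_login_threshold}
    return {"by_cmd": dict(by_cmd), "failed_logins": dict(failed),
            "flagged_sources": flagged, "privileged": privileged, "bad_lines": bad_lines}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(text)
    print("commands:", report["by_cmd"])
    print("flagged sources:", report["flagged_sources"])
    for p in report["privileged"]:
        print("%(when_ms)d %(user)s@%(ip)s %(cmd)s: %(query)s" % p)
    print("unparseable lines:", report["bad_lines"])
```

Point it at /data/mysql-audit.json (or the datadir copy in the 5.6 setup) as its first argument; with no argument it runs over the constructed sample. Because the plugin records the full statement text, the grant and DDL entries show exactly what was run and by which account.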
Still to be worked out: how to rotate the audit log and how to uninstall the audit plugin. That's for the next post~~