mysql行爲審記 mysql添加mcafee 審計插件

mysql添加mcafee 審計插件

 

插件源碼地址
https://github.com/mcafee/mysql-audit
插件安裝方法
https://github.com/mcafee/mysql-audit/wiki/Installation
插件下載地址
https://bintray.com/mcafee/mysql-audit-plugin/release/1.0.9-585

一、查看mysql插件存放目錄
mysql> SHOW GLOBAL VARIABLES LIKE 'plugin_dir';
+---------------+-----------------------------------+
| Variable_name | Value |
+---------------+-----------------------------------+
| plugin_dir | /usr/local/mysql/lib/plugin/ |
+---------------+-----------------------------------+
1 row in set (0.01 sec)

二、複製libaudit_plugin.so 至 mysql插件目錄
mv libaudit_plugin.so /usr/local/mysql/lib/plugin/
chmod a+x /usr/local/mysql/lib/plugin/*
chown mysql:mysql /usr/local/mysql/lib/plugin/*

三、安裝插件
初使使用在線安裝，可是安裝失敗
mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
ERROR 1524 (HY000): Plugin 'AUDIT' is not loaded

而後使用修改配置，而後重啓數據庫，官方推薦使用修改配置方式安裝。
Note: On production systems, McAfee recommends using the plugin-load option for installing the audit plugin.

修改my.cnf文件，添加加載審計插件代碼
plugin-load=AUDIT=libaudit_plugin.so
audit_json_file=1
audit_force_record_logins=1
audit_json_file_sync=1
audit_whitelist_users=test2,test1 #不記錄行爲的用戶

audit_whitelist_cmds =BEGIN,COMMIT,SELECT  #這個參數看須要要不要設，過濾掉查詢的

重啓數據庫
/etc/init.d/mysql.server restart

 

[root@localhost mysql]# tail mysql-audit.json
{"msg-type":"activity","date":"1490176712103","thread-id":"3","query-id":"0","user":"root","priv_user":"root","host":"localhost","cmd":"Connect","query":"Connect"}
{"msg-type":"activity","date":"1490176712106","thread-id":"3","query-id":"11","user":"root","priv_user":"root","host":"localhost","cmd":"select","query":"select @@version_comment limit 1"}
{"msg-type":"activity","date":"1490176724747","thread-id":"3","query-id":"12","user":"root","priv_user":"root","host":"localhost","cmd":"select","query":"SELECT DATABASE()"}
{"msg-type":"activity","date":"1490176724748","thread-id":"3","query-id":"13","user":"root","priv_user":"root","host":"localhost","cmd":"Init DB","objects":[{"db":"test","obj_type":"DATABASE"}],"query":"Init DB"}
{"msg-type":"activity","date":"1490176724754","thread-id":"3","query-id":"14","user":"root","priv_user":"root","host":"localhost","cmd":"show_databases","objects":[{"db":"information_schema","name":"/tmp/#sql_a6c_0","obj_type":"TABLE"}],"query":"show databases"}
{"msg-type":"activity","date":"1490176724769","thread-id":"3","query-id":"15","user":"root","priv_user":"root","host":"localhost","cmd":"show_tables","objects":[{"db":"information_schema","name":"/tmp/#sql_a6c_0","obj_type":"TABLE"}],"query":"show tables"}
{"msg-type":"activity","date":"1490176724771","thread-id":"3","query-id":"16","user":"root","priv_user":"root","host":"localhost","cmd":"show_fields","query":"show_fields"}
{"msg-type":"activity","date":"1490176753954","thread-id":"3","query-id":"17","user":"root","priv_user":"root","host":"localhost","cmd":"show_tables","objects":[{"db":"information_schema","name":"/tmp/#sql_a6c_0","obj_type":"TABLE"}],"query":"show tables"}
{"msg-type":"activity","date":"1490176769225","thread-id":"3","query-id":"18","user":"root","priv_user":"root","host":"localhost","cmd":"select","objects":[{"db":"test","name":"t1","obj_type":"TABLE"}],"query":"select * from t1"}
{"msg-type":"activity","date":"1490176779812","thread-id":"3","query-id":"19","user":"root","priv_user":"root","host":"localhost","cmd":"Quit","query":"Quit"}