CentOS系统MySQL数据库审计插件部署指南
一、获取审计插件文件
首先从MariaDB官方仓库下载包含审计插件的压缩包:
cd /usr/local/src
wget https://downloads.mariadb.com/MariaDB/mariadb-10.1.23/bintar-linux-x86_64/mariadb-10.1.23-linux-x86_64.tar.gz二、解压并部署插件文件
将下载的压缩包解压,并提取审计插件到MySQL插件目录:
tar zxf mariadb-10.1.23-linux-x86_64.tar.gz
cd mariadb-10.1.23-linux-x86_64
cp lib/plugin/server_audit.so /usr/local/mysql/lib/plugin/
cd /usr/local/mysql/lib/plugin/
chown -R mysql:mysql server_audit.so
chmod 755 server_audit.so三、加载审计插件
登录MySQL数据库,执行插件安装命令:
mysql -u root -p
mysql> INSTALL PLUGIN server_audit SONAME 'server_audit.so';
Query OK, 0 rows affected (0.00 sec)验证插件安装状态,查看相关配置参数:
mysql> SHOW VARIABLES LIKE '%audit%';
+-------------------------------+-----------------------+
| Variable_name | Value |
+-------------------------------+-----------------------+
| server_audit_events | |
| server_audit_excl_users | |
| server_audit_file_path | server_audit.log |
| server_audit_file_rotate_now | OFF |
| server_audit_file_rotate_size | 1000000 |
| server_audit_file_rotations | 9 |
| server_audit_incl_users | |
| server_audit_loc_info | |
| server_audit_logging | OFF |
| server_audit_mode | 1 |
| server_audit_output_type | file |
| server_audit_query_log_limit | 1024 |
| server_audit_syslog_facility | LOG_USER |
| server_audit_syslog_ident | mysql-server_auditing |
| server_audit_syslog_info | |
| server_audit_syslog_priority | LOG_INFO |
+-------------------------------+-----------------------+
16 rows in set (0.00 sec)四、临时启用审计功能
通过全局变量临时开启审计,配置日志文件路径及轮转参数:
mysql> SET GLOBAL server_audit_logging = ON;
Query OK, 0 rows affected (0.00 sec)
mysql> SET GLOBAL server_audit_file_path = '/var/lib/mysql/audit.log';
Query OK, 0 rows affected (0.00 sec)
mysql> SET GLOBAL server_audit_file_rotations = 10;
Query OK, 0 rows affected (0.00 sec)
mysql> SET GLOBAL server_audit_file_rotate_size = 1073741824;
Query OK, 0 rows affected (0.00 sec)确认配置已生效:
mysql> SHOW VARIABLES LIKE '%audit%';
+-------------------------------+---------------------------------------+
| Variable_name | Value |
+-------------------------------+---------------------------------------+
| server_audit_events | |
| server_audit_excl_users | |
| server_audit_file_path | /var/lib/mysql/audit.log |
| server_audit_file_rotate_now | OFF |
| server_audit_file_rotate_size | 1073741824 |
| server_audit_file_rotations | 10 |
| server_audit_incl_users | |
| server_audit_loc_info | |
| server_audit_logging | ON |
| server_audit_mode | 1 |
| server_audit_output_type | file |
| server_audit_query_log_limit | 1024 |
| server_audit_syslog_facility | LOG_USER |
| server_audit_syslog_ident | mysql-server_auditing |
| server_audit_syslog_info | |
| server_audit_syslog_priority | LOG_INFO |
+-------------------------------+---------------------------------------+
16 rows in set (0.00 sec)五、配置持久化生效
修改MySQL配置文件 /etc/my.cnf,在 [mysqld] 区块中添加以下参数:
[client]
port = 3306
socket = /tmp/mysql.sock
[mysqld]
# 审计插件配置
server_audit_logging = ON
server_audit_file_path = /var/lib/mysql/audit.log
server_audit = FORCE_PLUS_PERMANENT
server_audit_file_rotate_size = 1G
server_audit_file_rotations = 10注意:server_audit = FORCE_PLUS_PERMANENT 参数可防止插件被意外卸载。
配置修改完成后,重启MySQL服务使配置生效:
systemctl restart mysqld
# 或使用
service mysqld restart六、验证审计日志
审计日志默认按照配置路径生成,可通过以下命令查看:
cat /var/lib/mysql/audit.log
tail -f /var/lib/mysql/audit.log日志记录示例:
20230113 17:11:48,centos7-1,root,localhost,1,3,QUERY,,'set global server_audit_logging=on',0
20230113 17:11:48,centos7-1,root,localhost,1,4,QUERY,,'set global server_audit_file_path=\'/var/lib/mysql/audit.log\'',0
20230113 17:15:00,centos7-1,root,localhost,1,0,CONNECT,,,0
20230113 17:15:00,centos7-1,root,localhost,1,1,QUERY,,'select @@version_comment limit 1',0
20230113 17:15:17,centos7-1,root,localhost,1,2,QUERY,,'create database test1',0
20230113 17:15:21,centos7-1,root,localhost,1,3,QUERY,,'create database test2',0
20230113 17:15:27,centos7-1,root,localhost,1,4,QUERY,,'drop database test1',0日志字段含义:时间戳、主机名、用户、连接主机、连接ID、查询ID、操作类型、对象信息、SQL语句、执行结果。
