MySQL日志审计 帮你揪出内个干坏事的小子
简介
Part1:写在最前
MySQL本身并不像MariaDB和Percona一样提供审计功能,但如果我们想对数据库进行审计,去看是谁把我的数据库数据给删了,该怎么办呢?我们主要利用init-connect参数,让每个登录的用户都记录到我们的数据库中,并抓取其connection_id(),再根据binlog就能够找出谁干了那些破事儿。
MariaDB如何审计,可移步:
准备
Part1:创建所需库
1 2 3 4 5 6 7 8 9 10 11 12 13 | [root@HE3 telegraf]# mysql -uroot -pEnter password: Welcome to the MySQL monitor. Commands end with ; or \g.Your MySQL connection id is 859Server version: 5.7.16-log MySQL Community Server (GPL)Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql> create database auditdb;Query OK, 1 row affected (0.00 sec) |
Part2:创建所需表
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | [root@HE3 ~]# mysql -uroot -pEnter password: Welcome to the MySQL monitor. Commands end with ; or \g.Your MySQL connection id is 266Server version: 5.7.16-log MySQL Community Server (GPL)Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql> use auditdb;Database changedmysql> CREATE TABLE accesslog ( -> ID INT (10) UNSIGNED NOT NULL PRIMARY KEY auto_increment, -> ConnectionID INT (10) UNSIGNED, -> ConnUser VARCHAR (30) NOT NULL DEFAULT '', -> MatchUser VARCHAR (30) NOT NULL DEFAULT '', -> LoginTime datetime -> );Query OK, 0 rows affected (0.02 sec) |
Part3:在my.cnf中添加
1 | init-connect='Insert into auditdb.accesslog(ConnectionID ,ConnUser ,MatchUser ,LoginTime)values(connection_id(),user(),current_user(),now());' |
并重启数据库
1 2 3 | [root@HE3 ~]# /etc/init.d/mysqld restartShutting down MySQL.... SUCCESS! Starting MySQL. SUCCESS! |
测试
Part1:环境
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | [root@HE3 ~]# mysql -uroot -pEnter password: Welcome to the MySQL monitor. Commands end with ; or \g.Your MySQL connection id is 266Server version: 5.7.16-log MySQL Community Server (GPL)Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql> use auditdb;mysql> use helei;Database changedmysql> select * from t1;+----+| id |+----+| 2 || 3 || 4 || 5 || 6 || 7 || 8 || 9 |+----+8 rows in set (0.00 sec) |
Part2:用不同用户登录操作
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 | [root@HE3 telegraf]# mysql -uhelei -pMANAGERmysql: [Warning] Using a password on the command line interface can be insecure.Welcome to the MySQL monitor. Commands end with ; or \g.Your MySQL connection id is 185Server version: 5.7.16-log MySQL Community Server (GPL)Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql> use helei;Database changedmysql> select * from t1;+----+| id |+----+| 2 || 3 || 4 || 5 || 6 || 7 || 8 || 9 |+----+8 rows in set (0.00 sec)mysql> delete from t1 where id = 2;Query OK, 1 row affected (0.00 sec)mysql> delete from t1 where id = 4;Query OK, 1 row affected (0.00 sec)[root@HE3 telegraf]# mysql -uyuhao -pMANAGERmysql: [Warning] Using a password on the command line interface can be insecure.Welcome to the MySQL monitor. Commands end with ; or \g.Your MySQL connection id is 185Server version: 5.7.16-log MySQL Community Server (GPL)Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql> use helei;Database changedmysql> select * from t1;+----+| id |+----+| 3 || 5 || 6 || 7 || 8 || 9 |+----+8 rows in set (0.00 sec)mysql> delete from t1 where id = 3;Query OK, 1 row affected (0.00 sec) |
Part3:查看用户ID
1 2 3 4 5 6 7 8 9 10 11 12 | mysql> select * from accesslog;+----+--------------+-----------------+-----------+---------------------+| ID | ConnectionID | ConnUser | MatchUser | LoginTime |+----+--------------+-----------------+-----------+---------------------+| 1 | 10 | helei@localhost | helei@% | 2016-12-08 19:07:49 || 2 | 19 | helei@localhost | helei@% | 2016-12-08 19:08:44 || 3 | 125 | helei@localhost | helei@% | 2016-12-08 19:24:46 || 4 | 128 | yuhao@localhost | yuhao@% | 2016-12-08 19:25:01 || 5 | 182 | helei@localhost | helei@% | 2016-12-08 19:33:02 || 6 | 185 | yuhao@localhost | yuhao@% | 2016-12-08 19:33:20 |+----+--------------+-----------------+-----------+---------------------+6 rows in set (0.00 sec) |
Part4:binlog日志对比
这里可以看到t1表的id=2和id=4列是由thread_id=182用户删掉的,也就是helei用户
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | #161208 19:33:39 server id 1250 end_log_pos 5275 CRC32 0x2ae798a9 Query thread_id=182 exec_time=0 error_code=0SET TIMESTAMP=1481254419/*!*/;BEGIN/*!*/;# at 5275#161208 19:33:39 server id 1250 end_log_pos 5324 CRC32 0x2cf42817 Rows_query# delete from t1 where id=2#161208 19:34:07 server id 1250 end_log_pos 5885 CRC32 0x947106d4 Query thread_id=182 exec_time=0 error_code=0SET TIMESTAMP=1481254447/*!*/;BEGIN/*!*/;# at 5885#161208 19:34:07 server id 1250 end_log_pos 5934 CRC32 0xfe1eb7fc Rows_query# delete from t1 where id=4 |
这里可以看到t1表的id=3列是由thread_id=185用户删掉的,也就是yuhao用户
1 2 3 4 5 6 7 | #161208 19:33:49 server id 1250 end_log_pos 5579 CRC32 0x5f8d9879 Query thread_id=185 exec_time=0 error_code=0SET TIMESTAMP=1481254429/*!*/;BEGIN/*!*/;# at 5579#161208 19:33:49 server id 1250 end_log_pos 5630 CRC32 0x71feeadc Rows_query# delete from t1 where id = 3 |
参考资料: