MySQL log auditing: catching the guy who did the dirty deed
Part1: Preface
MySQL itself does not ship an audit plugin the way MariaDB and Percona Server do. So if we want to audit the database, for example to find out who deleted our data, what can we do? The approach here relies on the init-connect parameter: every time a user logs in, the server runs a statement of our choosing, and we use it to record the session's connection_id() together with user() and current_user() in a table. The binlog stamps the same number on every Query event as thread_id, so joining the two tells us which account ran the statements that did the damage.
For how to audit MariaDB, see:
http://suifu.blog.51cto.com/9167728/1857594
Preparation
Part1: Create the required database
[root@HE3 telegraf]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 859
Server version: 5.7.16-log MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database auditdb;
Query OK, 1 row affected (0.00 sec)
Part2: Create the required table
[root@HE3 ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 266
Server version: 5.7.16-log MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use auditdb;
Database changed
mysql> CREATE TABLE accesslog (
    -> ID INT(10) UNSIGNED NOT NULL PRIMARY KEY auto_increment,
    -> ConnectionID INT(10) UNSIGNED,
    -> ConnUser VARCHAR(30) NOT NULL DEFAULT '',
    -> MatchUser VARCHAR(30) NOT NULL DEFAULT '',
    -> LoginTime datetime
    -> );
Query OK, 0 rows affected (0.02 sec)
Part3: Add to my.cnf
init-connect='Insert into auditdb.accesslog(ConnectionID,ConnUser,MatchUser,LoginTime)values(connection_id(),user(),current_user(),now());'
Then restart the database. (init_connect is also a dynamic variable, so setting it with SET GLOBAL takes effect for new connections without a restart; putting it in my.cnf keeps it across restarts.) Three things to check before relying on this. First, init_connect is not executed for accounts that hold the SUPER privilege, so root and any other SUPER account will never show up in accesslog; keep SUPER off the accounts you intend to audit. Second, if the statement fails the server closes the connection, so every audited account needs INSERT on auditdb.accesslog; grant INSERT and nothing else on that table, so the same users cannot UPDATE or DELETE their own login records. Third, user() returns 'user@host' with the client's real host name, which can easily exceed VARCHAR(30); under the strict sql_mode that 5.7 enables by default the truncation is an error, the INSERT fails and the client is refused, so size the columns generously.
[root@HE3 ~]# /etc/init.d/mysqld restart
Shutting down MySQL.... SUCCESS!
Starting MySQL. SUCCESS!
Test
Part1: Environment
[root@HE3 ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 266
Server version: 5.7.16-log MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use auditdb;
Database changed
mysql> use helei;
Database changed
mysql> select * from t1;
+----+
| id |
+----+
|  2 |
|  3 |
|  4 |
|  5 |
|  6 |
|  7 |
|  8 |
|  9 |
+----+
8 rows in set (0.00 sec)
Part2: Log in and operate as different users
[root@HE3 telegraf]# mysql -uhelei -pMANAGER
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 182
Server version: 5.7.16-log MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use helei;
Database changed
mysql> select * from t1;
+----+
| id |
+----+
|  2 |
|  3 |
|  4 |
|  5 |
|  6 |
|  7 |
|  8 |
|  9 |
+----+
8 rows in set (0.00 sec)
mysql> delete from t1 where id = 2;
Query OK, 1 row affected (0.00 sec)
mysql> delete from t1 where id = 4;
Query OK, 1 row affected (0.00 sec)
[root@HE3 telegraf]# mysql -uyuhao -pMANAGER
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 185
Server version: 5.7.16-log MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use helei;
Database changed
mysql> select * from t1;
+----+
| id |
+----+
|  3 |
|  5 |
|  6 |
|  7 |
|  8 |
|  9 |
+----+
6 rows in set (0.00 sec)
mysql> delete from t1 where id = 3;
Query OK, 1 row affected (0.00 sec)
Part3: Check the connection IDs
mysql> select * from accesslog;
+----+--------------+-----------------+-----------+---------------------+
| ID | ConnectionID | ConnUser        | MatchUser | LoginTime           |
+----+--------------+-----------------+-----------+---------------------+
|  1 |           10 | helei@localhost | helei@%   | 2016-12-08 19:07:49 |
|  2 |           19 | helei@localhost | helei@%   | 2016-12-08 19:08:44 |
|  3 |          125 | helei@localhost | helei@%   | 2016-12-08 19:24:46 |
|  4 |          128 | yuhao@localhost | yuhao@%   | 2016-12-08 19:25:01 |
|  5 |          182 | helei@localhost | helei@%   | 2016-12-08 19:33:02 |
|  6 |          185 | yuhao@localhost | yuhao@%   | 2016-12-08 19:33:20 |
+----+--------------+-----------------+-----------+---------------------+
6 rows in set (0.00 sec)
Part4: Compare with the binlog
The binlog is read with mysqlbinlog (with ROW format add -vv --base64-output=DECODE-ROWS to see the row images). The thread_id on each Query event is the same number that connection_id() returned at login, so it can be looked up directly in accesslog. Here the t1 rows with id=2 and id=4 were deleted by thread_id=182, which accesslog maps to the helei user. Note that the original SQL shown under the Rows_query event is only written when binlog_rows_query_log_events=ON; with it off you still get the row images and the thread_id, just not the statement text.
#161208 19:33:39 server id 1250  end_log_pos 5275 CRC32 0x2ae798a9  Query  thread_id=182  exec_time=0  error_code=0
SET TIMESTAMP=1481254419/*!*/;
BEGIN
/*!*/;
# at 5275
#161208 19:33:39 server id 1250  end_log_pos 5324 CRC32 0x2cf42817  Rows_query
# delete from t1 where id=2
#161208 19:34:07 server id 1250  end_log_pos 5885 CRC32 0x947106d4  Query  thread_id=182  exec_time=0  error_code=0
SET TIMESTAMP=1481254447/*!*/;
BEGIN
/*!*/;
# at 5885
#161208 19:34:07 server id 1250  end_log_pos 5934 CRC32 0xfe1eb7fc  Rows_query
# delete from t1 where id=4
And here the t1 row with id=3 was deleted by thread_id=185, which accesslog maps to the yuhao user. Keep in mind that connection IDs start over after a server restart, so when the same ConnectionID appears more than once in accesslog, take the row with the latest LoginTime that is still earlier than the binlog event.
#161208 19:33:49 server id 1250  end_log_pos 5579 CRC32 0x5f8d9879  Query  thread_id=185  exec_time=0  error_code=0
SET TIMESTAMP=1481254429/*!*/;
BEGIN
/*!*/;
# at 5579
#161208 19:33:49 server id 1250  end_log_pos 5630 CRC32 0x71feeadc  Rows_query
# delete from t1 where id = 3
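The lookup done by eye in Part3 and Part4 is easy to script. The following is an added example (not code from the original post): it parses mysqlbinlog text output, pairs each Rows_query event with the thread_id of the Query event that opened its transaction, and looks that thread_id up in the accesslog rows, taking the latest login that is not after the event so that reused connection IDs are not mis-attributed. The accesslog rows and the binlog excerpt are constructed from the values shown above; a real run would feed it the output of mysqlbinlog and a dump of auditdb.accesslog.

```python
"""Attribute binlog statements to the accounts recorded by init-connect."""
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: the accesslog rows shown on this page as
# (ID, ConnectionID, ConnUser, MatchUser, LoginTime).
ACCESSLOG = [
    (1, 10, "helei@localhost", "helei@%", "2016-12-08 19:07:49"),
    (2, 19, "helei@localhost", "helei@%", "2016-12-08 19:08:44"),
    (3, 125, "helei@localhost", "helei@%", "2016-12-08 19:24:46"),
    (4, 128, "yuhao@localhost", "yuhao@%", "2016-12-08 19:25:01"),
    (5, 182, "helei@localhost", "helei@%", "2016-12-08 19:33:02"),
    (6, 185, "yuhao@localhost", "yuhao@%", "2016-12-08 19:33:20"),
]

# Constructed sample: `mysqlbinlog -vv --base64-output=DECODE-ROWS` output
# reassembled from the events quoted on this page. With ROW format the
# thread_id sits on the Query event that opens the transaction (BEGIN); the
# statement text sits on the Rows_query event that follows it, which exists
# only when binlog_rows_query_log_events=ON.
BINLOG_TEXT = (
    "#161208 19:33:39 server id 1250  end_log_pos 5275 CRC32 0x2ae798a9 \tQuery\tthread_id=182\texec_time=0\terror_code=0\n"
    "SET TIMESTAMP=1481254419/*!*/;\nBEGIN\n/*!*/;\n# at 5275\n"
    "#161208 19:33:39 server id 1250  end_log_pos 5324 CRC32 0x2cf42817 \tRows_query\n"
    "# delete from t1 where id=2\n"
    "#161208 19:33:49 server id 1250  end_log_pos 5579 CRC32 0x5f8d9879 \tQuery\tthread_id=185\texec_time=0\terror_code=0\n"
    "SET TIMESTAMP=1481254429/*!*/;\nBEGIN\n/*!*/;\n# at 5579\n"
    "#161208 19:33:49 server id 1250  end_log_pos 5630 CRC32 0x71feeadc \tRows_query\n"
    "# delete from t1 where id = 3\n"
    "#161208 19:34:07 server id 1250  end_log_pos 5885 CRC32 0x947106d4 \tQuery\tthread_id=182\texec_time=0\terror_code=0\n"
    "SET TIMESTAMP=1481254447/*!*/;\nBEGIN\n/*!*/;\n# at 5885\n"
    "#161208 19:34:07 server id 1250  end_log_pos 5934 CRC32 0xfe1eb7fc \tRows_query\n"
    "# delete from t1 where id=4\n"
)

# Event header as mysqlbinlog prints it:
# "#YYMMDD HH:MM:SS server id N  end_log_pos N [CRC32 0x..] <Type> ..."
HEADER = re.compile(
    r"^#(?P<date>\d{6}) +(?P<time>\d{2}:\d{2}:\d{2}) server id \d+\s+end_log_pos \d+"
    r"(?: CRC32 0x[0-9a-fA-F]+)?\s+(?P<type>\w+)(?P<rest>.*)$"
)
THREAD_ID = re.compile(r"thread_id=(\d+)")
TS_FMT = "%Y-%m-%d %H:%M:%S"

Event = Tuple[datetime, Optional[int], str]  # (event time, thread_id, statement)


def parse_binlog(text: str) -> List[Event]:
    """Return one (time, thread_id, statement) per Rows_query event."""
    events: List[Event] = []
    thread_id: Optional[int] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m:
            when = datetime.strptime(m["date"] + " " + m["time"], "%y%m%d %H:%M:%S")
            if m["type"] == "Query":
                # The BEGIN that opens a transaction carries the session's
                # thread_id, i.e. the connection_id() recorded at login.
                t = THREAD_ID.search(m["rest"])
                thread_id = int(t.group(1)) if t else None
            elif m["type"] == "Rows_query":
                # The original SQL is on the next line, as a "# ..." comment.
                stmt = ""
                if i + 1 < len(lines) and lines[i + 1].startswith("# "):
                    stmt = lines[i + 1][2:].strip()
                    i += 1
                events.append((when, thread_id, stmt))
        i += 1
    return events


def attribute(events: List[Event], accesslog) -> List[Tuple[str, Optional[int], str, str, str]]:
    """Map each event to (time, thread_id, ConnUser, MatchUser, statement).

    Connection ids are reused after a restart, so the match is the accesslog
    row with the same ConnectionID and the latest LoginTime that is not after
    the event. Assumes binlog timestamps and now() share one time zone.
    """
    logins = [(cid, cu, mu, datetime.strptime(ts, TS_FMT)) for _, cid, cu, mu, ts in accesslog]
    out = []
    for when, tid, stmt in events:
        hits = [l for l in logins if l[0] == tid and l[3] <= when]
        if hits:
            _, conn_user, match_user, _ = max(hits, key=lambda l: l[3])
        else:
            # No login record: a SUPER account (init_connect is skipped for it),
            # a session older than the audit table, or a purged accesslog row.
            conn_user = match_user = "UNKNOWN"
        out.append((when.strftime(TS_FMT), tid, conn_user, match_user, stmt))
    return out


if __name__ == "__main__":
    for row in attribute(parse_binlog(BINLOG_TEXT), ACCESSLOG):
        print("%s thread_id=%s %s (as %s): %s" % row)
```

An event that comes back as UNKNOWN is itself a finding: either the session belonged to a SUPER account that init_connect never logs, or the accesslog rows for that period are gone, and both are exactly the blind spots the caveats in Part3 warn about.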
References:
http://dbspace.blog.51cto.com/6873717/1881053
——Summary——
Auditing always costs some database performance, so do not turn it on unless you need it. Once it is on, database accounts must map to real, individual people (one account per person, no shared logins), otherwise whoever did the damage can simply deny it. The author's knowledge is limited and this was written in a hurry, so some errors or inaccuracies are inevitable; readers are kindly asked to point them out.
This article is reposted from the dbapower 51CTO blog; original link: http://blog.51cto.com/suifu/1881116. Contact the original author for reprint permission.