Shulou (Shulou.com) 06/01 Report, SLTechnology News&Howtos > Network Security, updated 2025-01-19
How do you implement log auditing in a MySQL database? This article analyses the problem and walks through a solution in detail, in the hope of giving readers with this requirement a simple and workable method.
0x0 Background
Because MySQL Community Edition ships with no built-in audit function or plug-in, it falls short of the database-management requirements in the grade protection (classified protection) standard. Compliance aside, database logging is worth studying on its own merits: shipping database logs to the enterprise SOC platform supports the tracing of security incidents and fault analysis, and with current UEBA technology many malicious events become easy to spot.
The grade protection standard, in Chapter 4 "Security Technical Requirements of Database Management Systems", section 4 "Database Security Audit", explicitly requires that the security audit of a database management system should:
1. Establish an independent security audit system
2. Define audit events related to database security
3. Set up dedicated security auditors
4. Set up a security audit library dedicated to storing database system audit data
5. Provide tools for configuring, analysing and consulting the security audit of database systems
0x1 Deploying the plug-in
To avoid spending money on security appliances, try an open-source audit plug-in instead. mysql-audit is a SQL audit plug-in for MySQL developed by McAfee and based on Percona's work.
The source is available at: https://github.com/mcafee/mysql-audit
First, check the running MySQL version and download the matching plug-in build from the project's releases page:
After unpacking the archive, confirm MySQL's plug-in directory (SHOW VARIABLES LIKE 'plugin_dir';):
Copy the extracted plug-in libaudit_plugin.so into that plug-in directory:
Load the plug-in with MySQL's INSTALL PLUGIN statement and confirm that it loaded with SHOW PLUGINS.
The main command is:
INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
Auditing does not start immediately after installation; a few parameters have to be set first.
The variable audit_json_file controls whether auditing is enabled. Turn it on with:
SET GLOBAL audit_json_file = ON;
This enables the audit function.
The path of the audit log file can be read from the variable audit_json_log_file:
SHOW VARIABLES LIKE 'audit_json_log_file';
The default audit record is written in JSON; the format is as follows:
The plug-in also supports a number of custom parameters and commands, including whitelist and blacklist functions:
audit_whitelist_users: users whose commands are not audited at all
audit_record_cmds: the command types that should be audited
For the remaining configuration options, refer to the official manual:
https://github.com/mcafee/mysql-audit/wiki/Configuration
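Once the JSON log is being shipped to the SOC platform, a first triage pass can be scripted. The following is an added example, not code from the mysql-audit project: it reads one-JSON-object-per-line records, skips damaged lines, and flags failed-login bursts, sensitive command types and activity by users outside an expected list. The field names (msg-type, user, ip, cmd, query) and cmd values follow the plug-in's JSON format as far as I know it; the records themselves are constructed.

```python
import json
from collections import Counter

# Constructed sample records in the plug-in's one-object-per-line JSON layout.
# Field names are assumed from the mysql-audit JSON log; all values are made up.
SAMPLE_LOG = """\
{"msg-type":"activity","date":"1700000000001","thread-id":"12","query-id":"40","user":"app","priv_user":"app","ip":"10.0.0.5","host":"app01","cmd":"select","query":"SELECT id FROM orders WHERE id=1"}
{"msg-type":"activity","date":"1700000000002","thread-id":"13","query-id":"0","user":"root","priv_user":"","ip":"10.0.0.99","host":"","cmd":"Failed Login","query":""}
{"msg-type":"activity","date":"1700000000003","thread-id":"14","query-id":"0","user":"root","priv_user":"","ip":"10.0.0.99","host":"","cmd":"Failed Login","query":""}
{"msg-type":"activity","date":"1700000000004","thread-id":"15","query-id":"0","user":"root","priv_user":"","ip":"10.0.0.99","host":"","cmd":"Failed Login","query":""}
{"msg-type":"activity","date":"1700000000005","thread-id":"16","query-id":"41","user":"admin","priv_user":"admin","ip":"10.0.0.7","host":"ops","cmd":"grant","query":"GRANT ALL ON *.* TO 'x'@'%'"}
{"msg-type":"activity","date":"1700000000006","thread-id":"17","query-id":"42","user":"app","priv_user":"app","ip":"10.0.0.5","host":"app01","cmd":"drop_table","query":"DROP TABLE audit_tmp"}
{"msg-type":"activity","date":"1700000000007","thread-id":"18","query-id":"43","user":"guest","priv_user":"guest","ip":"10.0.0.8","host":"lab","cmd":"select","query":"SELECT 1"}
this line is deliberately not JSON (simulates a truncated write)
"""

# Command types that deserve an alert; compare with the plug-in's audit_record_cmds,
# which selects what gets written, whereas this list is applied at analysis time.
SENSITIVE_CMDS = {"grant", "revoke", "drop_table", "drop_db", "create_user", "alter_user"}
FAILED_LOGIN_THRESHOLD = 3


def parse_records(text):
    """Yield parsed records, silently skipping lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def analyze(text, expected_users=("app",)):
    """Return alert tuples for failed-login bursts, sensitive commands and unexpected users."""
    alerts = []
    failed_by_ip = Counter()
    for rec in parse_records(text):
        cmd, user, ip = rec.get("cmd", ""), rec.get("user", ""), rec.get("ip", "")
        if cmd == "Failed Login":
            failed_by_ip[ip] += 1  # count per source address, report after the pass
            continue
        if cmd.lower() in SENSITIVE_CMDS:
            alerts.append(("sensitive_cmd", user, ip, rec.get("query", "")))
        elif user not in expected_users:
            alerts.append(("unexpected_user", user, ip, cmd))
    for ip, n in failed_by_ip.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("failed_login_burst", ip, n))
    return alerts
```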
0x2 Summary
1. MySQL log auditing can be achieved with a plug-in, log retention and analysis with an ELK stack, and security detection, business analysis and other functions can then be added later with a few scripts. The key point is the zero cost, which makes this especially suitable for colleagues running a "one-person security department".
2. According to some test data, the plug-in's impact on performance is considerable, roughly 20% overhead, which has to be weighed against the specific business load.