在MySQL中使用init-connect與binlog來實現使用者操作追蹤記錄

來源:互聯網
上載者:User

標籤:style   blog   http   color   使用   os   strong   檔案   

前言:
測試環境莫名其妙有幾條重要資料被刪除了,由於在binlog裡面只看到是公用帳號刪除的,無法查詢是那個誰在那個時間段登入的,就考慮怎麼記錄每一個MYSQL帳號的登入資訊,在MYSQL中,每個串連都會先執行init-connect,進行串連的初始化,我們可以在這裡擷取使用者的登入名稱稱和thread的ID值。然後配合binlog,就可以追蹤到每個動作陳述式的操作時間,操作人等。實現審計。


1,在mysql伺服器db中建立單獨的記錄訪問資訊的庫
set names utf8;
create databaseaccess_log;
CREATE TABLE`access_log` 
(
  `id`int(11) NOT NULL AUTO_INCREMENT,
 `thread_id` int(11) DEFAULT NULL, -- 線程ID,這個值很重要
  `log_time`timestamp NOT NULL DEF AULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, -- 登入時間
 `localname` varchar(30) DEFAULT NULL, -- 登入名稱稱
 `matchname` varchar(30) DEFAULT NULL, -- 登入使用者
  PRIMARYKEY (`id`)
) ENGINE=InnoDBAUTO_INCREMENT=1 DEFAULT CHARSET=utf8 comment ‘錄入使用者登入資訊‘;



2,在設定檔中配置init-connect參數。登入時插入日誌表。如果這個參數是個錯誤的SQL語句,登入就會失敗。
vim/usr/local/mysql/my.cnf
init-connect=‘INSERTINTO access_log.access_logVALUES(NULL,CONNECTION_ID(),NOW(),USER(),CURRENT_USER());‘
然後重啟資料庫

3,建立普通使用者,不能有super許可權,而且使用者必須有對access_log庫的access_log表的insert許可權,否則會登入失敗。
給登入使用者賦予insert許可權,但是不賦予access_log的insert、select許可權,
GRANTINSERT,DELETE,UPDATE,SELECT ON test.* TO [email protected]‘%‘ IDENTIFIED BY‘cacti_user1603‘;
mysql> GRANTCREATE,DROP,ALTER,INSERT,DELETE,UPDATE,SELECT ON test.* TO [email protected]‘%‘IDENTIFIED BY ‘cacti_user1603‘;
Query OK, 0 rowsaffected (0.00 sec)
mysql> exit
然後去用新的audit_user登入操作
[[email protected]_server~]# /usr/local/mysql/bin/mysql  -uaudit_user -p -S/usr/local/mysql/mysql.sock
Enter password: 
Welcome to theMySQL monitor.  Commands end with ; or \g.
Your MySQL connectionid is 25
Server version:5.6.12-log

Copyright (c)2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is aregistered trademark of Oracle Corporation and/or its
affiliates. Othernames may be trademarks of their respective
owners.

Type ‘help;‘ or‘\h‘ for help. Type ‘\c‘ to clear the current input statement.

mysql> lect *from access_log.access_log;
ERROR 2006(HY000): MySQL server has gone away
No connection.Trying to reconnect...
Connection id:   26
Current database:*** NONE ***


ERROR 1184(08S01): Aborted connection 26 to db: ‘unconnected‘ user: ‘audit_user‘ host:‘localhost‘ (init_connect command failed)
mysql> 
看到報錯資訊 (init_connect command failed),再去錯誤記錄檔error log驗證一下:
tail -fn 5/usr/local/mysql/mysqld.log 
2014-07-28 16:03:3123743 [Warning] Aborted connection 25 to db: ‘unconnected‘ user: ‘audit_user‘host: ‘localhost‘ (init_connect command failed)
2014-07-2816:03:31 23743 [Warning] INSERT command denied to user ‘‘@‘localhost‘ for table‘access_log‘
2014-07-2816:04:04 23743 [Warning] Aborted connection 26 to db: ‘unconnected‘ user:‘audit_user‘ host: ‘localhost‘ (init_connect command failed)
2014-07-2816:04:04 23743 [Warning] INSERT command denied to user ‘‘@‘localhost‘ for table‘access_log‘
看到必須要有對access_log庫的access_log表的insert許可權才行。


4,賦予使用者access_log的insert、select許可權,然後重新賦予許可權:
GRANTSELECT,INSERT ON access_log.* TO [email protected]‘%‘;
mysql> 
mysql> GRANTSELECT,INSERT ON access_log.* TO [email protected]‘%‘;
Query OK, 0 rowsaffected (0.00 sec)

mysql> exit
Bye

再登入,報錯如下:
[[email protected]_server~]# /usr/local/mysql/bin/mysql  -uaudit_user -p -S/usr/local/mysql/mysql.sock
Enter password: 
ERROR 1045(28000): Access denied for user ‘audit_user‘@‘localhost‘ (using password: YES)
[[email protected]_server~]# 

去查看error日誌:
2014-07-2816:15:29 23743 [Warning] INSERT command denied to user ‘‘@‘localhost‘ for table‘access_log‘
2014-07-2816:15:41 23743 [Warning] Aborted connection 37 to db: ‘unconnected‘ user:‘audit_user‘ host: ‘localhost‘ (init_connect command failed)
2014-07-2816:15:41 23743 [Warning] INSERT command denied to user ‘‘@‘localhost‘ for table‘access_log‘
2014-07-2816:15:50 23743 [Warning] Aborted connection 38 to db: ‘unconnected‘ user:‘audit_user‘ host: ‘localhost‘ (init_connect command failed)
2014-07-2816:15:50 23743 [Warning] INSERT command denied to user ‘‘@‘localhost‘ for table‘access_log‘

需要用root使用者登入進去,清空掉使用者為‘‘的使用者記錄。
 mysql>select user,host,password from mysql.user;
+----------------+-----------+-------------------------------------------+
| user          | host      | password                                |
+----------------+-----------+-------------------------------------------+
| root          | localhost |                                         |
| root          | db_server   |                                         |
| root          | 127.0.0.1 |                                         |
| root          | ::1       |                                         |
|               | localhost |                                         |
|               | db_server   |                                         |
| cacti_user    | %         |*EB9E3195E443D577879101A35EF64A701B35F949 |
| cacti_user    | 1         |*D5FF9B53A78232DA13D3643965A5961449B387DB |
| cacti_user    | 2         | *D5FF9B53A78232DA13D3643965A5961449B387DB|
| test_user     | 192.%     |*8A447777509932F0ED07ADB033562027D95A0F17 |
| test_user     | 1         |*8A447777509932F0ED07ADB033562027D95A0F17 |
| weakpwd_user_1| 10.%      | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| weakpwd_user_2| 10.%      | *B1461C9C68AFA1129A5F968C343636192A084ADB |
| weakpwd_user_3| 10.%      | *DCB7DF5FFC82C441503300FFF165257BC551A598 |
| audit_user    | %         |*AEAB1915B137FAFDE9B949D67A9A42DDB68DD8A2 |
+----------------+-----------+-------------------------------------------+
15 rows in set(0.00 sec)

mysql> dropuser ‘‘@‘localhost‘;
Query OK, 0 rowsaffected (0.00 sec)

mysql> dropuser ‘‘@‘db_server‘;
Query OK, 0 rowsaffected (0.00 sec)

mysql> 

再用已經分配了access_log表的Insert許可權的audit_user登入
mysql> select* from access_log.access_log;
+----+-----------+---------------------+---------------------------+--------------+
| id | thread_id| log_time            | localname                | matchname    |
+----+-----------+---------------------+---------------------------+--------------+
|  4 |       41 | 2014-07-28 16:19:37 | [email protected]     | [email protected]% |
|  5 |       42 | 2014-07-28 16:20:32 | [email protected]     | [email protected]% |
|  6 |       45 | 2014-07-28 16:21:11 | [email protected]     | [email protected]% |
+----+-----------+---------------------+---------------------------+--------------+
6 rows in set(0.00 sec)

mysql> showfull processlist;
+----+------------+-----------+------+---------+------+-------+-----------------------+
| Id | User      | Host      | db   | Command | Time |State | Info                  |
+----+------------+-----------+------+---------+------+-------+-----------------------+
| 45 | audit_user| localhost | NULL | Query   |    0 | init  | show fullprocesslist |
+----+------------+-----------+------+---------+------+-------+-----------------------+
1 row in set(0.00 sec)

mysql> 

5,再用另外一個使用者登入建表,錄入測試資料。
建表錄入資料記錄
mysql> usetest;
Database changed
mysql> createtable t1 select 1 as a, ‘wa‘ as b;
Query OK, 1 rowaffected (0.01 sec)
Records: 1 Duplicates: 0  Warnings: 0
查看跟蹤使用者行為記錄。
mysql> select* from access_log.access_log;
+----+-----------+---------------------+---------------------------+--------------+
| id | thread_id| log_time            | localname                | matchname    |
+----+-----------+---------------------+---------------------------+--------------+
|  4 |       41 | 2014-07-28 16:19:37 | [email protected]     | [email protected]% |
|  5 |       42 | 2014-07-28 16:20:32 | [email protected]     | [email protected]% |
|  6 |       45 | 2014-07-28 16:21:11 | [email protected]     | [email protected]% |
|  7 |       48 | 2014-07-28 16:30:42 | [email protected]   | [email protected]% |
|  8 |       50 | 2014-07-28 16:46:11 | [email protected]   | [email protected]% |
+----+-----------+---------------------+---------------------------+--------------+
8 rows in set(0.00 sec)

去mysqldb伺服器上查看binlog 內容,解析完後,沒有insert語句,怎麼回事,去看my.cnf
#binlog-ignore-db=mysql                       # No sync databases
#binlog-ignore-db=test                        # No sync databases
#binlog-ignore-db=information_schema           # No sync databases
#binlog-ignore-db=performance_schema
原來是對test庫有binlog過濾設定,全部注釋掉。重啟mysql庫,重新來一遍,可以在看到binlog
在MySQL用戶端上重新執行。
mysql> usetest;
Database changed
mysql> insertinto test.t1 select 5,‘t5‘;
Query OK, 1 rowaffected (0.00 sec)
Records: 1 Duplicates: 0  Warnings: 0

mysql> select* from access_log.access_log;
+----+-----------+---------------------+---------------------------+--------------+
| id | thread_id| log_time            | localname                | matchname    |
+----+-----------+---------------------+---------------------------+--------------+
|  1 |       17 | 2014-07-28 15:41:04 | [email protected]| [email protected]% |
|  2 |       18 | 2014-07-28 15:41:05 | [email protected]| [email protected]% |
|  3 |       19 | 2014-07-28 15:41:05 | [email protected]| [email protected]% |
|  4 |       41 | 2014-07-28 16:19:37 | [email protected]     | [email protected]% |
|  5 |       42 | 2014-07-28 16:20:32 | [email protected]     | [email protected]% |
|  6 |       45 | 2014-07-28 16:21:11 | [email protected]     | [email protected]% |
|  7 |       48 | 2014-07-28 16:30:42 | [email protected]   | [email protected]% |
|  8 |       50 | 2014-07-28 16:46:11 | [email protected]   | [email protected]% |
|  9 |       56 | 2014-07-28 19:32:12 | [email protected]   | [email protected]% |
| 10 |        1 | 2014-07-28 20:02:56 |[email protected]    | [email protected]% |
+----+-----------+---------------------+---------------------------+--------------+
10 rows in set(0.00 sec)
看到thread_id為1


6,如何查看何跟蹤使用者行為記錄。
去mysql資料庫伺服器上查看binlog,應該thread_id=1的binlog記錄。
[[email protected]_serverbinlog]# /usr/local/mysql/bin/mysqlbinlog  --base64-output=DECODE-ROWS mysql-bin.000018 -v>3.log
[[email protected]_serverbinlog]# vim 3.log
# at 1103
#140728 20:12:48server id 72  end_log_pos 1175 CRC32 0xa323c00e       Query   thread_id=1     exec_time=0    error_code=0
SETTIMESTAMP=1406549568/*!*/;
BEGIN
/*!*/;
# at 1175
#140728 20:12:48server id 72  end_log_pos 1229 CRC32 0xbb8ca914       Table_map: `test`.`t1` mapped to number 72
# at 1229
#140728 20:12:48server id 72  end_log_pos 1272 CRC32 0x8eed1450       Write_rows: table id 72 flags: STMT_END_F
### INSERT INTO `test`.`t1`
### SET
###   @1=5
###   @2=‘t5‘
# at 1272
#140728 20:12:48server id 72  end_log_pos 1303 CRC32 0x72b26336       Xid = 14
COMMIT/*!*/;


看到thread_id=1,然後,就可以根據thread_id=1來判斷執行這條insert命令的來源,還可以在mysql伺服器上執行show full processlist;來得到MySQL用戶端的請求連接埠,
mysql> showfull processlist;
+----+------------+-------------------+------+---------+------+-------+-----------------------+
| Id | User      | Host              |db   | Command | Time | State | Info                 |
+----+------------+-------------------+------+---------+------+-------+-----------------------+
|  1 |audit_user | 192.168.3.62:44657 | test | Sleep   |  162 |      | NULL                 |
|  3 | root      | localhost         | NULL | Query  |    0 | init  | show full processlist |
+----+------------+-------------------+------+---------+------+-------+-----------------------+
2 rows in set(0.00 sec)


mysql> 
看到Id為1的線程,連接埠是44657

我們切換回mysql用戶端,去查看連接埠是44657的是什麼進程,如下所示:
[[email protected]_client~]$ netstat -antlp |grep 44657
(Not allprocesses could be identified, non-owned process info
 will not beshown, you would have to be root to see it all.)
tcp       0      0 192.168.3.62:44657          192.168.1.12:3307           ESTABLISHED 6335/mysql          
[[email protected]_client~]$ 
擷取到該進程的PID,再通過ps -eaf得到該進程所執行的命令,如下所示:
[[email protected]_client~]$ ps -eaf|grep 6335
tim   633525497  0 19:59 pts/1    00:00:00 mysql -uaudit_user -p -h192.168.1.12 -P3307
tim   6993 6906  0 20:16 pts/2    00:00:00 grep 6335
[[email protected]_client ~]$
最後查到是通過mysql用戶端登陸串連的。加入這個6335是某個web工程的,那麼,也可以根據ps-eaf命令查詢得到web工程的進程資訊。


來自:http://blog.itpub.net/26230597/viewspace-1240386/

參考文章地址:http://blog.chinaunix.net/uid-24086995-id-168445.html


相關文章

聯繫我們

該頁面正文內容均來源於網絡整理,並不代表阿里雲官方的觀點,該頁面所提到的產品和服務也與阿里云無關,如果該頁面內容對您造成了困擾,歡迎寫郵件給我們,收到郵件我們將在5個工作日內處理。

如果您發現本社區中有涉嫌抄襲的內容,歡迎發送郵件至: info-contact@alibabacloud.com 進行舉報並提供相關證據,工作人員會在 5 個工作天內聯絡您,一經查實,本站將立刻刪除涉嫌侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.