MySQL伪审计实现

1.1 需求描述

  线下MySQL数据库每隔一段时间某表数据就会被莫名改掉,现在需要知道变更操作对应的用户以及IP(类似于审计功能)。

1.2 需求分析

  首先我们可以知道,MySQL的社区版是不支持审计功能,另外从binlog可以得知变更的内容、线程ID、操作时间等信息,其实唯独缺的就是操作的用户。MySQL的查询日志可以实现这个需求,但是又有些多余,因为查询日志会将我的所有操作都记录下来。

1.3 需求实现

  其实对于MySQL来讲通过init_connect参数来实现: 官方文档的解释是服务器为每个连接的客户端执行设置字符串。但是对于具有super的用户无效。

1.    A string to be executed by the server for each client that connects. The string consists of one or more SQL statements, separated by semicolon characters.  
2.    For users that have the SUPER privilege, the content of init_connect is not executed. This is done so that an erroneous value for init_connect does not prevent all clients from connecting. For example, the value might contain a statement that has a syntax error, thus causing client connections to fail. Not executing init_connect for users that have the SUPER privilege enables them to open a connection and fix the init_connect value.   
3.    As of MySQL 5.7.22, init_connect execution is skipped for any client user with an expired password. This is done because such a user cannot execute arbitrary statements, and thus init_connect execution will fail, leaving the client unable to connect. Skipping init_connect execution enables the user to connect and change password.   
4.    The server discards any result sets produced by statements in the value of of init_connect.

  所以我们可以通过建立一张审计表,然后当每个连接进来的时候插入相关信息,再通过binlog中记录的线程ID与记录的连接ID对应,这样就可以查到执行变更操作对应的用户。
  建立如下表结构并且设置连接时执行的SQL:
MySQL伪审计实现MySQL伪审计实现
  使用具有非super权限用户登陆并进行变更操作:
MySQL伪审计实现
  读取binlog找到thread_id与表中进行对应即可查到操作的对应用户和登陆时间。
MySQL伪审计实现
4、总结
  此种方法只能配合binlog实现,也就是说只能找到涉及到变更操作的用户,并且每次有用户登陆都会触发,有一定的性能影响。

上一篇:Service Mesh 发展趋势:云原生中流砥柱


下一篇:JUnit使用方法