[root@wallet01 ~]# wget https://github.com/mcafee/mysql-audit/releases/download/v1.1.8/audit-plugin-mysql-5.7-1.1.8-953-linux-x86_64.zip

[root@wallet01 ~]# unzip audit-plugin-mysql-5.7-1.1.8-953-linux-x86_64.zip

[root@wallet01 ~]# mysql -uroot -pabcd.1234
mysql> show global variables like ‘plugin_dir‘;
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| plugin_dir    | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.00 sec)

[root@wallet01 ~]# cp audit-plugin-mysql-5.7-1.1.8-953/lib/libaudit_plugin.so /usr/lib64/mysql/plugin/

mysql> install plugin audit soname ‘libaudit_plugin.so‘;
ERROR 1123 (HY000): Can‘t initialize function ‘audit‘; Plugin initialization function failed.

[root@wallet01 ~]# cd audit-plugin-mysql-5.7-1.1.8-953/utils/
[root@wallet01 utils]# chmod +x offset-extract.sh

[root@wallet01 utils]# which mysqld
/usr/sbin/mysqld

[root@wallet01 utils]# ./offset-extract.sh /usr/sbin/mysqld
//offsets for: /usr/sbin/mysqld (5.7.34)
{"5.7.34","4a211fa462e69504ab7907c4158b0b8a", 7832, 7880, 3640, 4800, 456, 360, 0, 32, 64, 160, 544, 7996, 4368, 3648, 3656, 3660, 6080, 2072, 8, 7064, 7104, 7088, 13480, 148, 672, 0},

[root@wallet01 ~]# vim /etc/my.cnf
[mysqld]
plugin-load=AUDIT=libaudit_plugin.so
audit_offsets = 7832, 7880, 3640, 4800, 456, 360, 0, 32, 64, 160, 544, 7996, 4368, 3648, 3656, 3660, 6080, 2072, 8, 7064, 7104, 7088, 13480, 148, 672, 0

[root@wallet01 ~]# systemctl restart mysqld.service

mysql> show global status like ‘audit_version‘;
+---------------+-----------+
| Variable_name | Value     |
+---------------+-----------+
| Audit_version | 1.1.8-953 |
+---------------+-----------+
1 row in set (0.00 sec)

mysql> set @@global.audit_json_file = on;   
Query OK, 0 rows affected (0.00 sec)

mysql> set @@global.audit_record_cmds = ‘select,insert,update,delete‘; 
Query OK, 0 rows affected (0.00 sec)

mysql> set @@global.audit_record_objs = ‘soe.*‘;
Query OK, 0 rows affected (0.00 sec)

[root@gscf201 ~]# tail -n 20 /var/lib/mysql/mysql-audit.json

{"msg-type":"activity","date":"1623998586464","thread-id":"10","query-id":"1135081","user":"soe","priv_user":"soe","ip":"192.168.40.201","host":"gscf201","_os":"Linux","_client_name":"libmysql","_pid":"18701","_client_version":"5.7.34","_platform":"x86_64","rows":"1","status":"0","cmd":"delete","objects":[{"db":"soe","name":"new_orders","obj_type":"TABLE"}],"query":"DELETE FROM new_orders WHERE no_o_id = 2240 AND no_d_id = 8 AND no_w_id = 8"}
{"msg-type":"activity","date":"1623998586464","thread-id":"10","query-id":"1135082","user":"soe","priv_user":"soe","ip":"192.168.40.201","host":"gscf201","_os":"Linux","_client_name":"libmysql","_pid":"18701","_client_version":"5.7.34","_platform":"x86_64","rows":"1","status":"0","cmd":"select","objects":[{"db":"soe","name":"orders","obj_type":"TABLE"}],"query":"SELECT o_c_id FROM orders WHERE o_id = 2240 AND o_d_id = 8 AND o_w_id = 8"}
{"msg-type":"activity","date":"1623998586464","thread-id":"10","query-id":"1135083","user":"soe","priv_user":"soe","ip":"192.168.40.201","host":"gscf201","_os":"Linux","_client_name":"libmysql","_pid":"18701","_client_version":"5.7.34","_platform":"x86_64","rows":"1","status":"0","cmd":"update","objects":[{"db":"soe","name":"orders","obj_type":"TABLE"}],"query":"UPDATE orders SET o_carrier_id = 10 WHERE o_id = 2240 AND o_d_id = 8 AND o_w_id = 8"}

【MySQL】数据库审计：McAfee Audit Plugin