Open atze234 opened 6 years ago
Hi. Please try the latest version of the plugin. It has offsets for the versions you're using. Thanks!
@aharonrobbins I think you misunderstood the issue. @atze234 uses the latest or the previous of the latest version of the plugin. Offsets for 5.7.20 are in the plugin as follows.
2017-12-20T09:20:32.304481Z 0 [Note] McAfee Audit Plugin: Using offsets from offset version: 5.7.20 (1e793b9a2c327a27309b3ff8a6b5d731)
@atze234 Please provide more details on MySQL version, which Linux dist, where you got the MySQL from and so on. We test on the distributions from MySQL. Thanks.
I think I just had the 'Aha'. If you have selinux enabled, you will need to disable it for the plugin to work. Please check into that. Thanks.
Hi @aharonrobbins, we don't have SELinux or Apparmor enabled.
Linux Dist: latest Debian Stretch 9.3
Mysql Dist: from Repositories at repo.mysql.com -> mysqld Ver 5.7.20 for Linux on x86_64 (MySQL Community Server (GPL))
Audit Plugin: Latest Dev Snapshot: 1.1.5-761
Thank you
Dang! I didn't see this comment until just now. I'm not sure why this is still failing for you. We will push a new dev snapshot shortly.
We pushed a new dev-snapshot and binary release last week. Has this made a difference for you? Thanks.
Hi, it isn't working with the latest dev snapshot :( Still this error message in mysql 5.7:
2018-01-29T11:02:22.645671Z 0 [Note] McAfee Audit Plugin: starting up. Version: 1.1.6 , Revision: 779 (64bit). MySQL AUDIT plugin interface version: 1025 (0x401). MySQL Server version: 5.7.20-log.
2018-01-29T11:02:22.645689Z 0 [Note] McAfee Audit Plugin: setup_offsets audit_offsets: (null) validate_checksum: 1 offsets_by_version: 1
2018-01-29T11:02:22.650437Z 0 [Note] InnoDB: Buffer pool(s) load completed at 180129 12:02:22
2018-01-29T11:02:22.720230Z 0 [Note] McAfee Audit Plugin: mysqld: /usr/sbin/mysqld (2766f7e403d4168141e414feced5dc95)
2018-01-29T11:02:22.720288Z 0 [Note] McAfee Audit Plugin: extended offsets validate res: MySQL thread id 123456, OS thread handle 0, query id 789 aud_tusr
2018-01-29T11:02:22.720297Z 0 [Note] McAfee Audit Plugin: Using offsets from offset version: 5.7.20 (1e793b9a2c327a27309b3ff8a6b5d731)
2018-01-29T11:02:22.720330Z 0 [Note] McAfee Audit Plugin: Set whitelist_cmds num: 3, value: BEGIN,COMMIT,PING
2018-01-29T11:02:22.720347Z 0 [Note] McAfee Audit Plugin: Set whitelist_users num: 1, value: xxxx
2018-01-29T11:02:22.720365Z 0 [Note] McAfee Audit Plugin: Set password_masking_cmds num: 8, value: CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER,UPDATE
2018-01-29T11:02:22.720439Z 0 [Note] McAfee Audit Plugin: Compile password_masking_regex res: [1]
2018-01-29T11:02:22.720448Z 0 [Note] McAfee Audit Plugin: Set password_masking_regex value: [identified(?:/\*.*?\*/|\s)*?by(?:/\*.*?\*/|\s)*?(?:password)?(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]|password(?:/\*.*?\*/|\s)*?\((?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"](?:/\*.*?\*/|\s)*?\)|password(?:/\*.*?\*/|\s)*?(?:for(?:/\*.*?\*/|\s)*?\S+?)?(?:/\*.*?\*/|\s)*?=(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]|password(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]]
2018-01-29T11:02:22.720461Z 0 [Note] McAfee Audit Plugin: Set json_socket_name str: [] value: [/var/run/db-audit/mysql.audit__data_mysql-data_3306]
2018-01-29T11:02:22.720548Z 0 [Note] McAfee Audit Plugin: bufsize for file [/data/mysql-log/mysql-audit.log]: 1. Value of json_file_bufsize: 1.
2018-01-29T11:02:22.720615Z 0 [Note] McAfee Audit Plugin: success opening file: /data/mysql-log/mysql-audit.log.
2018-01-29T11:02:22.720627Z 0 [Note] McAfee Audit Plugin: mem func addr: 0x7f841f00d330 mem start addr: 0x7f841f00e000 page size: 4096
2018-01-29T11:02:22.720635Z 0 [Note] Audit Plugin: hot patching function: 0x55a09cfa0da0, trampolineFunction: 0x7f841f00e000 trampolinePage: 0x7f841f00e000
2018-01-29T11:02:22.720721Z 0 [Note] McAfee Audit Plugin: hot patch for: mysql_execute_command (0x55a09cfa0da0) complete. Audit func: 0x7f841f011a20, Trampoline address: 0x7f841f00e000, size: 16, used: 30.
2018-01-29T11:02:22.720732Z 0 [Note] Audit Plugin: hot patching function: 0x55a09cf56b60, trampolineFunction: 0x7f841f00e020 trampolinePage: 0x7f841f00e000
2018-01-29T11:02:22.720750Z 0 [ERROR] Audit Plugin: unable to disassemble at address: 0x0x55a09cf56b67. Found relative addressing for instruction: [jnz 0x55a09cf56b75]. Aborting.
2018-01-29T11:02:22.720768Z 0 [ERROR] McAfee Audit Plugin: unable to hot patch send_result_to_client (0x55a09cf56b60). res: -1.
2018-01-29T11:02:22.720776Z 0 [ERROR] Plugin 'AUDIT' init function returned error.
2018-01-29T11:02:22.720783Z 0 [ERROR] Plugin 'AUDIT' registration as a AUDIT failed.
2018-01-29T11:02:22.720799Z 0 [Note] McAfee Audit Plugin: deinit
2018-01-29T11:02:22.720807Z 0 [Note] Audit Plugin: removing hot patching function: 0x55a09cfa0da0 targetPage: 0x55a09cfa0000 trampolineFunction: 0x7f841f00e000
Thanks for the update. I don't have an immediate answer for you, and I don't know if or when I will be able to try to reproduce the issue.
I would suggest compiling MySQL from source (it's pretty easy to do) and seeing if the plugin will load into a locally compiled mysqld. You should first extract the offsets from what you compile locally and verify that they match what's in the plugin source code. If they differ, you can either add the offsets to the plugin and compile it, or put them into the /etc/my.cnf file.
Hope this helps.
2017-12-20T09:20:32.304797Z 0 [Note] Audit Plugin: hot patching function: 0x556b8886eb60, trampolineFunction: 0x7f874bb4f020 trampolinePage: 0x7f874bb4f000
2017-12-20T09:20:32.304814Z 0 [ERROR] Audit Plugin: unable to disassemble at address: 0x0x556b8886eb67. Found relative addressing for instruction: [jnz 0x556b8886eb75]. Aborting.
How about allocating trampolinePage near hot patching function by using mmap with a non-null first argument? When the distance is less than 2G, the hot patching succeeds.
Edited: The first argument of mmap should be an unused address in /proc/self/maps.
Can you set up a pull request to show how to do this? @atze234 will you be able to test it? Unfortunately, I don't have the cycles at the moment to work on this. Thanks!
Well, I have the skill to do it but I cannot do it. Sorry.
When MySQL is compiled from source, this issue will disappear, I guess.
MySQL executables distributed by Oracle are compiled as PIE. On the other hand, MySQL compiled from source isn't PIE. When mysqld isn't PIE, it is mapped at 0x4000000 in the address space and trampolinePage is allocated under 2G by using mmap with the MAP_32BIT flag.
The following is the reason for my suggestion.
I thought that it wasn't due to SELinux because hot patching for mysql_execute_command didn't fail. If it were due to SELinux, it would have failed.
2017-12-20T09:20:32.304797Z 0 [Note] Audit Plugin: hot patching function: 0x556b8886eb60, trampolineFunction: 0x7f874bb4f020 trampolinePage: 0x7f874bb4f000
2017-12-20T09:20:32.304814Z 0 [ERROR] Audit Plugin: unable to disassemble at address: 0x0x556b8886eb67. Found relative addressing for instruction: [jnz 0x556b8886eb75]. Aborting.
The hot patching failed due to relative addressing at address 0x556b8886eb67, which is the 7th byte after the hot patching function at 0x556b8886eb60. When the distance from the hot patching function to trampolineFunction is less than 2G, 5 bytes are required to insert a jump instruction. On the other hand, when it is more than 2G, 14 bytes are required; however, relative addressing was found at the 7th byte.
If the distance becomes less than 2G, the hot patching succeeds because there is no relative addressing within the first 6 bytes of the hot patching function.
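The approach suggested in the comment above (a non-null first argument to mmap, taken from an unused range in /proc/self/maps within 2G of the function to be patched), as an added example that is not part of the thread or of the plugin's source. The names jump_patch_size, try_hint, alloc_page_near and NEAR_RANGE are hypothetical, and Linux on x86-64 is assumed.

```c
/* Added example with hypothetical names; assumes Linux on x86-64. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define NEAR_RANGE 0x7fff0000UL /* a little inside +/-2 GiB */

/* Bytes overwritten at `from`: 5 for jmp rel32, 14 for an absolute jump. */
size_t jump_patch_size(uintptr_t from, uintptr_t to)
{
    int64_t d = (int64_t)to - (int64_t)(from + 5);
    return (d >= INT32_MIN && d <= INT32_MAX) ? 5 : 14;
}

/* mmap one page with `hint` as first argument; keep it only if in reach. */
static void *try_hint(uintptr_t hint, size_t page, uintptr_t target)
{
    void *p = mmap((void *)hint, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    if (jump_patch_size(target, (uintptr_t)p) == 5) return p;
    munmap(p, page); /* the kernel placed it elsewhere: give it back */
    return NULL;
}

/* Try each unused gap in /proc/self/maps that lies within reach of target. */
void *alloc_page_near(uintptr_t target)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uintptr_t lo = target > NEAR_RANGE ? target - NEAR_RANGE : page;
    uintptr_t hi = target + NEAR_RANGE, gap = lo & ~(uintptr_t)(page - 1);
    unsigned long start, end;
    char line[4400]; /* room for the addresses plus a PATH_MAX path */
    void *res = NULL;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return try_hint(gap, page, target);
    while (!res && fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx", &start, &end) != 2) continue;
        if (gap < hi && start >= gap + page) res = try_hint(gap, page, target);
        if (end > gap) gap = end; /* next candidate: end of this mapping */
        if (start >= hi) break;
    }
    fclose(f);
    return (!res && gap < hi) ? try_hint(gap, page, target) : res;
}

int main(void) { return alloc_page_near((uintptr_t)&alloc_page_near) ? 0 : 1; }
```

Without MAP_FIXED the kernel treats the address only as a hint, which is why every result is re-checked against the rel32 range before it is kept. The page is mapped read/write here; changing its protection for use as a trampoline is left to the caller.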
Thanks for the explanation and links.
As I said earlier, I am not in a position right now to try your suggestion of a non-null first argument to mmap. I see now that you are also unable to do it. So perhaps @atze234 can try it and let us know...
Thanks.
Hi, sorry, unfortunately I don't have the C skills and knowledge of this addressing to change things here :(
Why is this issue closed? Is it fixed in a new version? Or should Oracle's Mysql Distribution not be supported anymore? Maybe this can be fixed in the future?
Reopening. Unfortunately I don't have the cycles to work on this right now. I will leave it open for the future.
@kubo was right on PIE executables:
Hot patching send_result_client succeeds with this build:
/usr/local/mysql/bin/mysqld: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=654322e6d4af29555f1e555b57d46004ac61f51d, not stripped
Hot patching fails on this:
/usr/local/mysql/bin/mysqld: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e183498ec80d2d706b51507f076c32cef5286147, not stripped
@aharonrobbins any intention to fix this issue? I'm willing to work on it but I'm going to need significant assistance.
@egegunes Hello. I don't check this email account very often; I just now saw your comment.
I have not been affiliated with McAfee for close to 3 years. They moved development of their database security product, and with it the MySQL and Postgres plugins, to another site.
It is (sadly) rather clear that they've abandoned development of the plugins, but that's not anything I can influence. I also am not in a position to provide any assistance for work you may care to do on the plugin.
Sorry. Best wishes -- Aharon
Currently the audit Plugin isn't starting in mysql 5.6 and 5.7 community Edition from Oracle. It returns these Errors on Startup:
5.7:
relevant output on 5.6:
My.cnf for audit plugin:
What's wrong there? Thanks for your help
Jörg