Closed getmysql closed 6 years ago
Hi @alokthereal. I believe you posted the same question on https://blog.marceloaltmann.com/en-auditing-mysql-with-mcafee-audit-plugin-pt-auditando-mysql-com/#comment-3898326255 .
I can get the plugin to work on 5.6.40 over CentOS 7:
```
2018-05-15 14:23:23 4946 [Note] InnoDB: 5.6.40 started; log sequence number 1626007
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: starting up. Version: 1.1.6 , Revision: 784 (64bit). MySQL AUDIT plugin interface version: 769 (0x301). MySQL Server version: 5.6.40.
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: setup_offsets audit_offsets: 6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516 validate_checksum: 1 offsets_by_version: 1
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: mysqld: /usr/sbin/mysqld (d156a1659a2a6b64ca0ea3f5e4c77c5b)
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: setup_offsets Audit_formatter::thd_offsets values: 6992 7040 4000 4520 72 2704 96 0 32 104 136 7128 4392 2800 2808 2812 536 0 0 6360 6384 6368 13048 548 516
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: extended offsets validate res: MySQL thread id 123456, OS thread handle 0x0, query id 789 aud_tusr
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: Validation passed. Using offsets from audit_offsets: 6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: Set whitelist_cmds num: 3, value: BEGIN,COMMIT,PING
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: Set password_masking_cmds num: 8, value: CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER,UPDATE
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: Compile password_masking_regex res: [1]
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: Set password_masking_regex value: [identified(?:/\*.*?\*/|\s)*?by(?:/\*.*?\*/|\s)*?(?:password)?(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]|password(?:/\*.*?\*/|\s)*?\((?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"](?:/\*.*?\*/|\s)*?\)|password(?:/\*.*?\*/|\s)*?(?:for(?:/\*.*?\*/|\s)*?\S+?)?(?:/\*.*?\*/|\s)*?=(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]|password(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]]
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: Set json_socket_name str: [] value: [/var/run/db-audit/mysql.audit__var_lib_mysql_3306]
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: bufsize for file [mysql-audit.json]: 1. Value of json_file_bufsize: 1.
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: success opening file: mysql-audit.json.
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: mem via 32bit mmap: 0x40739000 page size: 4096
2018-05-15 14:23:23 4946 [Note] Audit Plugin: hot patching function: 0x6f1f20, trampolineFunction: 0x40739000 trampolinePage: 0x40739000
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: hot patch for: mysql_execute_command (0x6f1f20) complete. Audit func: 0x7fcb95990f40, Trampoline address: 0x40739000, size: 6, used: 34.
2018-05-15 14:23:23 4946 [Note] Audit Plugin: hot patching function: 0x6b6340, trampolineFunction: 0x40739030 trampolinePage: 0x40739000
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: hot patch for: send_result_to_client (0x6b6340) complete. Audit func: 0x7fcb95990360, Trampoline address: 0x40739030, size: 6, used: 34.
2018-05-15 14:23:23 4946 [Note] Audit Plugin: hot patching function: 0x6ee540, trampolineFunction: 0x40739060 trampolinePage: 0x40739000
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: hot patch for: check_table_access (0x6ee540) complete. Audit func: 0x7fcb95990ce0, Trampoline address: 0x40739060, size: 6, used: 34.
2018-05-15 14:23:23 4946 [Note] Audit Plugin: hot patching function: 0x6b15a0, trampolineFunction: 0x40739090 trampolinePage: 0x40739000
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: hot patch for: open_tables (0x6b15a0) complete. Audit func: 0x7fcb95990050, Trampoline address: 0x40739090, size: 6, used: 34.
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: Done initializing sql command names. status_vars_index: [141], com_status_vars: [0x125c600].
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: Init completed successfully.
2018-05-15 14:23:23 4946 [Note] Server hostname (bind-address): '*'; port: 3306
2018-05-15 14:23:23 4946 [Note] IPv6 is available.
2018-05-15 14:23:23 4946 [Note] - '::' resolves to '::';
2018-05-15 14:23:23 4946 [Note] Server socket created on IP: '::'.
2018-05-15 14:23:23 4946 [Note] Event Scheduler: Loaded 0 events
2018-05-15 14:23:23 4946 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.6.40' socket: '/var/lib/mysql/mysql.sock' port: 3306 MySQL Community Server (GPL)
```
```
[root@localhost log]# mysql -e "show global status like 'AUDIT_version';"
+---------------+-----------+
| Variable_name | Value     |
+---------------+-----------+
| Audit_version | 1.1.6-784 |
+---------------+-----------+
```
Make sure you have the right offsets, and on CentOS 7 you need to either allow the audit plugin in SELinux or disable it:

```
setenforce 0;
```
Here is the audit part of my.cnf:

```ini
[mysqld]
plugin-load=AUDIT=libaudit_plugin.so
audit_offsets=6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516
audit_json_file=1
```
thanks
Hello All,
I am installing McAfee Audit Plugin 1.1.6 on my CentOS 7 MySQL version 5.6.40, following all the installation instructions given on the Wiki. After all the troubleshooting I'm not able to load the plugin, either via my.cnf or INSTALL PLUGIN. I always get a "fail to initialize AUDIT" error. I looked in the MySQL error log and found "McAfee Audit Plugin: Couldn't find proper THD offsets for: 5.6.40". We have also extracted the offsets and turned the checksum OFF, but the plugin is not loaded.
Can anyone help me on an urgent basis?
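
A check for the two outcomes seen in this thread, as an added example that is not part of the original posts or the plugin's own code: it reads the plugin's startup messages from the MySQL error log and confirms that the offsets the plugin validated are the ones set in `audit_offsets` in my.cnf. The function names are hypothetical, and the timestamps and `[ERROR]` level in the failing sample are constructed; the message texts and offsets are copied from the thread.

```python
import re

# Message texts and offsets come from the thread; timestamps, the [ERROR] level
# and the abridged selection of lines are constructed for this example.
OFFSETS = ("6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, "
           "2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516")
OK_LOG = f"""\
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: starting up. Version: 1.1.6 , Revision: 784 (64bit).
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: Validation passed. Using offsets from audit_offsets: {OFFSETS}
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: hot patch for: mysql_execute_command (0x6f1f20) complete.
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: hot patch for: open_tables (0x6b15a0) complete.
2018-05-15 14:23:23 4946 [Note] McAfee Audit Plugin: Init completed successfully.
"""
FAIL_LOG = """\
2018-05-15 14:20:01 4801 [Note] McAfee Audit Plugin: starting up. Version: 1.1.6 , Revision: 784 (64bit).
2018-05-15 14:20:01 4801 [ERROR] McAfee Audit Plugin: Couldn't find proper THD offsets for: 5.6.40
"""
MY_CNF = f"[mysqld]\nplugin-load=AUDIT=libaudit_plugin.so\naudit_offsets={OFFSETS}\naudit_json_file=1\n"
PLUGIN = re.compile(r"\] (?:McAfee )?Audit Plugin: (.*)$", re.M)

def audit_plugin_status(log_text):
    """Summarise the plugin's startup messages found in an error log."""
    status = {"version": None, "offsets_validated": False, "offsets": [],
              "hooked": [], "init_ok": False, "errors": []}
    for msg in PLUGIN.findall(log_text):
        if (v := re.match(r"starting up\. Version: (\S+)", msg)):
            status["version"] = v.group(1)
        elif msg.startswith("Validation passed. Using offsets from audit_offsets:"):
            status["offsets_validated"] = True
            status["offsets"] = [int(x) for x in msg.split(":", 1)[1].split(",")]
        elif (h := re.match(r"hot patch for: (\w+) \(0x[0-9a-f]+\) complete", msg)):
            status["hooked"].append(h.group(1))
        elif msg.startswith("Init completed successfully"):
            status["init_ok"] = True
        elif msg.startswith("Couldn't find proper THD offsets"):
            status["errors"].append(msg)
    return status

def cnf_offsets(cnf_text):
    """Return the audit_offsets list configured in my.cnf, or [] if unset."""
    m = re.search(r"^\s*audit_offsets\s*=\s*(.+)$", cnf_text, re.M)
    return [int(x) for x in m.group(1).split(",")] if m else []

def audit_healthy(log_text, cnf_text):
    """True only if init succeeded and the validated offsets match my.cnf."""
    s = audit_plugin_status(log_text)
    return (s["init_ok"] and s["offsets_validated"] and not s["errors"]
            and s["offsets"] == cnf_offsets(cnf_text))
```

Running this after every MySQL package update catches the case where a new mysqld binary invalidates the configured offsets and the server comes up with auditing off.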