search

trellix-enterprise / mysql-audit

AUDIT Plugin for MySQL. See wiki and readme for description. If you find the plugin useful, please star us on GitHub. We love stars and it's a great way to show your feedback.
Other
239 stars 57 forks source link

Installation on mysql 5.7.37 docker( unable to hot patch send_result_to_client (0x561c36fc7b90). res: -1.) #242

Open geostar123 opened 2 years ago

geostar123 commented 2 years ago

Dear all: Although successfully executed offset_extract.sh I still failed to install libaudit_plugin on mysql 5.7.37 docker container,following the error log below: ................. 2022-04-13T07:26:34.278739Z 4 [Note] McAfee Audit Plugin: Set json_socket_name str: [] value: [/var/run/db-audit/mysql.auditvar_lib_mysql_3306] 2022-04-13T07:26:34.278772Z 4 [Note] McAfee Audit Plugin: bufsize for file [mysql-audit.json]: 1. Value of json_file_bufsize: 1. 2022-04-13T07:26:34.278809Z 4 [Note] McAfee Audit Plugin: success opening file: mysql-audit.json. 2022-04-13T07:26:34.278820Z 4 [Note] McAfee Audit Plugin: mem func addr: 0x7f2c1d732e70 mem start addr: 0x7f2c1d733000 page size: 4096 2022-04-13T07:26:34.278825Z 4 [Note] Audit Plugin: hot patching function: 0x561c3700ec40, trampolineFunction: 0x7f2c1d733000 trampolinePage: 0x7f2c1d733000 2022-04-13T07:26:34.278946Z 4 [Note] McAfee Audit Plugin: hot patch for: mysql_execute_command (0x561c3700ec40) complete. Audit func: 0x7f2c1d737610, Trampoline address: 0x7f2c1d733000, size: 16, used: 30. 2022-04-13T07:26:34.278953Z 4 [Note] Audit Plugin: hot patching function: 0x561c36fc7b90, trampolineFunction: 0x7f2c1d733020 trampolinePage: 0x7f2c1d733000 2022-04-13T07:26:34.278976Z 4 [Note] ud_obj.mnemonic == UD_Ijmp: 0 2022-04-13T07:26:34.278981Z 4 [Note] ud_obj.mnemonic == UD_Icall: 0 2022-04-13T07:26:34.278985Z 4 [Note] ud_obj.operand[0].type == UD_OP_JIMM: 1 2022-04-13T07:26:34.278989Z 4 [Note] x86_64__ 2022-04-13T07:26:34.278994Z 4 [ERROR] Audit Plugin: unable to disassemble at address: 0x0x561c36fc7b97. Found relative addressing for instruction: [jnz 0x561c36fc7be0]. Aborting. 2022-04-13T07:26:34.279002Z 4 [ERROR] McAfee Audit Plugin: unable to hot patch send_result_to_client (0x561c36fc7b90). res: -1. 2022-04-13T07:26:34.279007Z 4 [ERROR] Plugin 'AUDIT' init function returned error. 2022-04-13T07:26:34.279023Z 4 [ERROR] Plugin 'AUDIT' registration as a AUDIT failed. 2022-04-13T07:26:34.279042Z 4 [Note] Shutting down plugin 'AUDIT' 2022-04-13T07:26:34.279049Z 4 [Note] McAfee Audit Plugin: deinit 2022-04-13T07:26:34.279052Z 4 [Note] trampolinesize: 0 2022-04-13T07:26:34.279056Z 4 [Note] saved_code->size: 0 2022-04-13T07:26:34.279059Z 4 [Note] Audit Plugin: not removing as hot patch was not set: 0x561c36fc32c0 2022-04-13T07:26:34.279062Z 4 [Note] trampolinesize: 0 2022-04-13T07:26:34.279065Z 4 [Note] saved_code->size: 0 2022-04-13T07:26:34.279069Z 4 [Note] Audit Plugin: not removing as hot patch was not set: 0x561c36fc7b90 2022-04-13T07:26:34.279072Z 4 [Note] trampolinesize: 0 2022-04-13T07:26:34.279075Z 4 [Note] saved_code->size: 0 2022-04-13T07:26:34.279078Z 4 [Note] Audit Plugin: not removing as hot patch was not set: 0x561c3710b4b0 2022-04-13T07:26:34.279081Z 4 [Note] trampolinesize: 16 2022-04-13T07:26:34.279084Z 4 [Note] saved_code->size: 16 2022-04-13T07:26:34.279088Z 4 [Note] Audit Plugin: removing hot patching function: 0x561c3700ec40 targetPage: 0x561c3700e000 trampolineFunction: 0x7f2c1d733000 ....

As you want to see my.cnf shown below: !includedir /etc/mysql/conf.d/ !includedir /etc/mysql/mysql.conf.d/ [mysqld] pid-file=/var/run/mysqld/mysqld.pid log-error=/var/log/mysql/mysql-error.log socket=/var/run/mysqld/mysqld.sock datadir=/var/lib/mysql socket=/var/run/mysqld/mysqld.sock plugin-load=AUDIT=libaudit_plugin.so audit_offsets = 7832, 7880, 3640, 4800, 456, 360, 0, 32, 64, 160, 544, 7996, 4368, 3648, 3656, 3660, 6080, 2072, 8, 7064, 7104, 7088, 13480, 148, 672, 0 audit_json_file=on

audit version:5.7-1.1.11-985 mysql version: 5.7.37 docker version:Debian GNU/Linux 10 \n \l

Any help will be appericated.Thanks.

geostar123 commented 2 years ago

BTW:I succeeded in finishing installation on non-docker(audit version:5.7-1.1.11-985 +mysql version: 5.7.37).

bestmem commented 2 years ago

I execute ./offset-extract.sh and report an error, how do you solve it

bash-4.2# ./offset-extract.sh /usr/sbin/mysqld symbols //offsets for: /usr/sbin/mysqld (5.7.39) {"5.7.39","f0455e82c3706e4a2f88c491ecf144e0"offsets.gdb:7: Error in sourced command file: No symbol table is loaded. Use the "file" command.,

javaecrainbow commented 2 years ago

mysql 5.7.34 made the same error。how can i solve it the mysql server info image docker info image

yuanjinyong commented 2 years ago

227