trellix-enterprise / mysql-audit

AUDIT Plugin for MySQL. See wiki and readme for description. If you find the plugin useful, please star us on GitHub. We love stars and it's a great way to show your feedback.

Support for MySQL v8.0.25 #248

Open northboys opened 2 years ago

northboys commented 2 years ago

Environment

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:    20.04
Codename:   focal

# sestatus
SELinux status:                 disabled

# mysql --version
mysql  Ver 8.0.25 for Linux on x86_64 (MySQL Community Server - GPL)

mysql> SHOW VARIABLES LIKE "%version%";
+--------------------------+-------------------------------+
| Variable_name            | Value                         |
+--------------------------+-------------------------------+
| admin_tls_version        | TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 |
| immediate_server_version | 999999                        |
| innodb_version           | 8.0.25                        |
| original_server_version  | 999999                        |
| protocol_version         | 10                            |
| slave_type_conversions   |                               |
| tls_version              | TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 |
| version                  | 8.0.25                        |
| version_comment          | MySQL Community Server - GPL  |
| version_compile_machine  | x86_64                        |
| version_compile_os       | Linux                         |
| version_compile_zlib     | 1.2.11                        |
+--------------------------+-------------------------------+
12 rows in set (0.00 sec)

MySQL Logs

2022-07-28T05:41:14.176047Z 8 [Warning] [MY-000080] [Server] option 'audit-json-file-bufsize': signed value 0 adjusted to 1.
2022-07-28T05:41:14.176093Z 8 [Warning] [MY-000080] [Server] option 'plugin-audit-json-file-bufsize': signed value 0 adjusted to 1.
2022-07-28T05:41:14.323519Z 8 [ERROR] [MY-000000] [Server] Audit Plugin: unable to disassemble at address: 0x560cc7ac0ff0. Aborting.
2022-07-28T05:41:14.323560Z 8 [ERROR] [MY-000000] [Server] Trellix Audit Plugin: unable to hot patch mysql_execute_command (0x560cc7ac0ff0). res: -1.
2022-07-28T05:41:14.323582Z 8 [ERROR] [MY-010202] [Server] Plugin 'AUDIT' init function returned error.
2022-07-28T05:41:14.323595Z 8 [ERROR] [MY-010734] [Server] Plugin 'AUDIT' registration as a AUDIT failed.
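
Added example (not part of the original issue and not code from the mysql-audit project): when the AUDIT plugin fails to register as in the log above, no audit records are written, so the failure is worth alerting on. The function name `audit_load_failures` and the regular expressions are assumptions based only on the log lines shown in this report.

```python
import re

# Error-log lines copied from the report above.
SAMPLE_LOG = """\
2022-07-28T05:41:14.176047Z 8 [Warning] [MY-000080] [Server] option 'audit-json-file-bufsize': signed value 0 adjusted to 1.
2022-07-28T05:41:14.323519Z 8 [ERROR] [MY-000000] [Server] Audit Plugin: unable to disassemble at address: 0x560cc7ac0ff0. Aborting.
2022-07-28T05:41:14.323560Z 8 [ERROR] [MY-000000] [Server] Trellix Audit Plugin: unable to hot patch mysql_execute_command (0x560cc7ac0ff0). res: -1.
2022-07-28T05:41:14.323582Z 8 [ERROR] [MY-010202] [Server] Plugin 'AUDIT' init function returned error.
2022-07-28T05:41:14.323595Z 8 [ERROR] [MY-010734] [Server] Plugin 'AUDIT' registration as a AUDIT failed.
"""

# timestamp, thread id, [level], [error code], [subsystem], message
LINE = re.compile(r"^(?P<ts>\S+) (?P<thread>\d+) \[(?P<level>\w+)\] "
                  r"\[(?P<code>MY-\d+)\] \[(?P<sub>\w+)\] (?P<msg>.*)$")
HOTPATCH = re.compile(r"unable to hot patch (?P<func>\w+) \((?P<addr>0x[0-9a-fA-F]+)\)")
INIT_FAIL = re.compile(r"Plugin '(?P<plugin>[^']+)' init function returned error")


def audit_load_failures(log_text, plugin="AUDIT"):
    """Return one finding per failed init of `plugin`.

    Each finding carries the hot-patch target logged just before the failure
    on the same server thread, or None when no such line was seen.
    """
    findings, pending = [], {}  # pending: thread id -> last hot-patch failure
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["level"] != "ERROR":
            continue
        hp = HOTPATCH.search(m["msg"])
        if hp:
            pending[m["thread"]] = hp.groupdict()
            continue
        fail = INIT_FAIL.search(m["msg"])
        if fail and fail["plugin"] == plugin:
            detail = pending.pop(m["thread"], {})
            findings.append({"ts": m["ts"], "plugin": plugin,
                             "func": detail.get("func"), "addr": detail.get("addr")})
    return findings


if __name__ == "__main__":
    for f in audit_load_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['plugin']} not loaded; hot patch failed on {f['func']} at {f['addr']}")
```
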

northboys commented 2 years ago

But on Docker with the same MySQL version it's working fine.

root@gcp-testing:/home/northboy/mysql-audit/audit-plugin-mysql-8.0-1.1.12-999/lib# docker cp libaudit_plugin.so mysql-docker-db-1:/usr/lib/mysql/plugin
root@gcp-testing:/home/northboy/mysql-audit/audit-plugin-mysql-8.0-1.1.12-999/lib# docker exec -it mysql-docker-db-1 /bin/bash
root@faabdd0287d2:/# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 8.0.25 MySQL Community Server - GPL

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
Query OK, 0 rows affected (0.15 sec)

mysql> show plugins;
+---------------------------------+----------+--------------------+--------------------+---------+
| Name                            | Status   | Type               | Library            | License |
+---------------------------------+----------+--------------------+--------------------+---------+
| binlog                          | ACTIVE   | STORAGE ENGINE     | NULL               | GPL     |
| mysql_native_password           | ACTIVE   | AUTHENTICATION     | NULL               | GPL     |
| sha256_password                 | ACTIVE   | AUTHENTICATION     | NULL               | GPL     |
| caching_sha2_password           | ACTIVE   | AUTHENTICATION     | NULL               | GPL     |
| sha2_cache_cleaner              | ACTIVE   | AUDIT              | NULL               | GPL     |
| daemon_keyring_proxy_plugin     | ACTIVE   | DAEMON             | NULL               | GPL     |
| CSV                             | ACTIVE   | STORAGE ENGINE     | NULL               | GPL     |
| MEMORY                          | ACTIVE   | STORAGE ENGINE     | NULL               | GPL     |
| InnoDB                          | ACTIVE   | STORAGE ENGINE     | NULL               | GPL     |
| INNODB_TRX                      | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_CMP                      | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_CMP_RESET                | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_CMPMEM                   | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_CMPMEM_RESET             | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_CMP_PER_INDEX            | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_CMP_PER_INDEX_RESET      | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_BUFFER_PAGE              | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_BUFFER_PAGE_LRU          | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_BUFFER_POOL_STATS        | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_TEMP_TABLE_INFO          | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_METRICS                  | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_FT_DEFAULT_STOPWORD      | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_FT_DELETED               | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_FT_BEING_DELETED         | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_FT_CONFIG                | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_FT_INDEX_CACHE           | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_FT_INDEX_TABLE           | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_TABLES                   | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_TABLESTATS               | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_INDEXES                  | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_TABLESPACES              | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_COLUMNS                  | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_VIRTUAL                  | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_CACHED_INDEXES           | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| INNODB_SESSION_TEMP_TABLESPACES | ACTIVE   | INFORMATION SCHEMA | NULL               | GPL     |
| MyISAM                          | ACTIVE   | STORAGE ENGINE     | NULL               | GPL     |
| MRG_MYISAM                      | ACTIVE   | STORAGE ENGINE     | NULL               | GPL     |
| PERFORMANCE_SCHEMA              | ACTIVE   | STORAGE ENGINE     | NULL               | GPL     |
| TempTable                       | ACTIVE   | STORAGE ENGINE     | NULL               | GPL     |
| ARCHIVE                         | ACTIVE   | STORAGE ENGINE     | NULL               | GPL     |
| BLACKHOLE                       | ACTIVE   | STORAGE ENGINE     | NULL               | GPL     |
| FEDERATED                       | DISABLED | STORAGE ENGINE     | NULL               | GPL     |
| ngram                           | ACTIVE   | FTPARSER           | NULL               | GPL     |
| mysqlx_cache_cleaner            | ACTIVE   | AUDIT              | NULL               | GPL     |
| mysqlx                          | ACTIVE   | DAEMON             | NULL               | GPL     |
| AUDIT                           | ACTIVE   | AUDIT              | libaudit_plugin.so | GPL     |
+---------------------------------+----------+--------------------+--------------------+---------+
46 rows in set (0.00 sec)

mysql>

Docker Logs

2022-07-28 06:13:49+00:00 [Note] [Entrypoint]: MySQL init process done. Ready for start up.

2022-07-28T06:13:49.742313Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.25) starting as process 1
2022-07-28T06:13:49.755393Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2022-07-28T06:13:49.935711Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2022-07-28T06:13:50.044287Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
2022-07-28T06:13:50.119635Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2022-07-28T06:13:50.120024Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2022-07-28T06:13:50.124187Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2022-07-28T06:13:50.145617Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.25'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
2022-07-28T06:17:39.756611Z 13 [Warning] [MY-000080] [Server] option 'audit-json-file-bufsize': signed value 0 adjusted to 1.
2022-07-28T06:17:39.756660Z 13 [Warning] [MY-000080] [Server] option 'plugin-audit-json-file-bufsize': signed value 0 adjusted to 1.

northboys commented 2 years ago

Working fine using Debian 10 and MySQL v8.0.25.

root@gcp-test:/home/northboy/mysql-audit# tail -f /var/log/mysql/mysql-audit.log
{"msg-type":"header","date":"1659001124459","audit-version":"1.1.12-999","audit-protocol-version":"1.0","hostname":"gcp-test","mysql-version":"8.0.25","mysql-program":"/usr/sbin/mysqld","mysql-socket":"/var/run/mysqld/mysqld.sock","mysql-port":"3306","server_pid":"2760"}
{"msg-type":"activity","date":"1659001140088","thread-id":"8","query-id":"0","user":"izalul","priv_user":"izalul","ip":"103.125.592","host":"103.125.59.592","_pid":"26065","_os":"osx10.12","_platform":"x86_64","_client_version":"8.0.22","_client_name":"libmysql","cmd":"Connect","query":"Connect"}

spihiker commented 2 years ago

MySQL 8.0.23 works well, but it can't work using CentOS 7.9 and MySQL 8.0.30.