在MySQL中使用init-connect与binlog来实现用户操作追踪记录

分类: MySQL

前言:

测试环境莫名其妙有几条重要数据被删除了,由于在binlog里面只看到是公用账号删除的,无法查询是那个谁在那个时间段登录的,就考虑怎么记录每一个MYSQL账号的登录信息,在MYSQL中,每个连接都会先执行init-connect,进行连接的初始化,我们可以在这里获取用户的登录名称和thread的ID值。然后配合binlog,就可以追踪到每个操作语句的操作时间,操作人以及客户端的连接进程信息等。实现审计。

,在mysql服务器db中建立单独的记录访问信息的库

set names utf8;

create database access_log;

CREATE TABLE `access_log`

(

  `id` int() NOT NULL AUTO_INCREMENT,

  `thread_id` int() DEFAULT NULL, -- 线程ID,这个值很重要

  `log_time` timestamp NOT NULL DEF AULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, -- 登录时间

  `localname` varchar() DEFAULT NULL, -- 登录名称

  `matchname` varchar() DEFAULT NULL, -- 登录用户

  PRIMARY KEY (`id`)

) ENGINE=InnoDB AUTO_INCREMENT= DEFAULT CHARSET=utf8 comment '录入用户登录信息';

,在配置文件中配置init-connect参数。登录时插入日志表。如果这个参数是个错误的SQL语句,登录就会失败。

vim /usr/local/mysql/my.cnf

init-connect='INSERT INTO access_log.access_log VALUES(NULL,CONNECTION_ID(),NOW(),USER(),CURRENT_USER());'

然后重启数据库

,创建普通用户,不能有super权限,而且用户必须有对access_log库的access_log表的insert权限,否则会登录失败。

给登录用户赋予insert权限,但是不赋予access_log的insert、select权限,

GRANT INSERT,DELETE,UPDATE,SELECT ON test.* TO audit_user@'%' IDENTIFIED BY 'cacti_user1603';

mysql> GRANT CREATE,DROP,ALTER,INSERT,DELETE,UPDATE,SELECT ON test.* TO audit_user@'%' IDENTIFIED BY 'cacti_user1603';

Query OK,  rows affected (0.00 sec)

mysql> exit

然后去用新的audit_user登录操作

[root@db_server ~]# /usr/local/mysql/bin/mysql  -uaudit_user -p -S /usr/local/mysql/mysql.sock

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is

Server version: 5.6.-log

Copyright (c) , , Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> lect * from access_log.access_log;

ERROR  (HY000): MySQL server has gone away

No connection. Trying to reconnect...

Connection id:

Current database: *** NONE ***

ERROR  (08S01): Aborted connection  to db: 'unconnected' user: 'audit_user' host: 'localhost' (init_connect command failed)

mysql>

看到报错信息 (init_connect command failed),再去错误日志error log验证一下:

tail -fn  /usr/local/mysql/mysqld.log

-- ::  [Warning] Aborted connection  to db: 'unconnected' user: 'audit_user' host: 'localhost' (init_connect command failed)

-- ::  [Warning] INSERT command denied to user ''@'localhost' for table 'access_log'

-- ::  [Warning] Aborted connection  to db: 'unconnected' user: 'audit_user' host: 'localhost' (init_connect command failed)

-- ::  [Warning] INSERT command denied to user ''@'localhost' for table 'access_log'

看到必须要有对access_log库的access_log表的insert权限才行。

,赋予用户access_log的insert、select权限,然后重新赋予权限:

GRANT SELECT,INSERT ON access_log.* TO audit_user@'%';

mysql>

mysql> GRANT SELECT,INSERT ON access_log.* TO audit_user@'%';

Query OK,  rows affected (0.00 sec)

mysql> exit

Bye

再登录,报错如下:

[root@db_server ~]# /usr/local/mysql/bin/mysql  -uaudit_user -p -S /usr/local/mysql/mysql.sock

Enter password:

ERROR  (): Access denied for user 'audit_user'@'localhost' (using password: YES)

[root@db_server ~]# 

去查看error日志:

-- ::  [Warning] INSERT command denied to user ''@'localhost' for table 'access_log'

-- ::  [Warning] Aborted connection  to db: 'unconnected' user: 'audit_user' host: 'localhost' (init_connect command failed)

-- ::  [Warning] INSERT command denied to user ''@'localhost' for table 'access_log'

-- ::  [Warning] Aborted connection  to db: 'unconnected' user: 'audit_user' host: 'localhost' (init_connect command failed)

-- ::  [Warning] INSERT command denied to user ''@'localhost' for table 'access_log'

需要用root用户登录进去,清空掉用户为''的用户记录。

 mysql> select user,host,password from mysql.user;

+----------------+-----------+-------------------------------------------+

| user           | host      | password                                  |

+----------------+-----------+-------------------------------------------+

| root           | localhost |                                           |

| root           | db_server   |                                           |

| root           | 127.0.0.1 |                                           |

| root           | ::       |                                           |

|                | localhost |                                           |

|                | db_server   |                                           |

| cacti_user     | %         | *EB9E3195E443D577879101A35EF64A701B35F949 |

| cacti_user     |          | *D5FF9B53A78232DA13D3643965A5961449B387DB |

| cacti_user     |          | *D5FF9B53A78232DA13D3643965A5961449B387DB |

| test_user      | .%     | *8A447777509932F0ED07ADB033562027D95A0F17 |

| test_user      |          | *8A447777509932F0ED07ADB033562027D95A0F17 |

| weakpwd_user_1 | .%      | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |

| weakpwd_user_2 | .%      | *B1461C9C68AFA1129A5F968C343636192A084ADB |

| weakpwd_user_3 | .%      | *DCB7DF5FFC82C441503300FFF165257BC551A598 |

| audit_user     | %         | *AEAB1915B137FAFDE9B949D67A9A42DDB68DD8A2 |

+----------------+-----------+-------------------------------------------+

 rows in set (0.00 sec)

mysql> drop user ''@'localhost';

Query OK,  rows affected (0.00 sec)

mysql> drop user ''@'db_server';

Query OK,  rows affected (0.00 sec)

mysql> 

再用已经分配了access_log表的Insert权限的audit_user登录

mysql> select * from access_log.access_log;

+----+-----------+---------------------+---------------------------+--------------+

| id | thread_id | log_time            | localname                 | matchname    |

+----+-----------+---------------------+---------------------------+--------------+

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

+----+-----------+---------------------+---------------------------+--------------+

 rows in set (0.00 sec)

mysql> show full processlist;

+----+------------+-----------+------+---------+------+-------+-----------------------+

| Id | User       | Host      | db   | Command | Time | State | Info                  |

+----+------------+-----------+------+---------+------+-------+-----------------------+

|  | audit_user | localhost | NULL | Query   |     | init  | show full processlist |

+----+------------+-----------+------+---------+------+-------+-----------------------+

 row in set (0.00 sec)

mysql> 

,再用另外一个用户登录建表,录入测试数据。

建表录入数据记录

mysql> use test;

Database changed

mysql> create table t1 select  as a, 'wa' as b;

Query OK,  row affected (0.01 sec)

Records:   Duplicates:   Warnings: 

查看跟踪用户行为记录。

mysql> select * from access_log.access_log;

+----+-----------+---------------------+---------------------------+--------------+

| id | thread_id | log_time            | localname                 | matchname    |

+----+-----------+---------------------+---------------------------+--------------+

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@192.168.3.62    | audit_user@% |

|   |         | -- :: | audit_user@192.168.3.62    | audit_user@% |

+----+-----------+---------------------+---------------------------+--------------+

 rows in set (0.00 sec)

去mysql db服务器上查看binlog 内容,解析完后,没有insert语句,怎么回事,去看my.cnf

#binlog-ignore-db=mysql                         # No sync databases

#binlog-ignore-db=test                          # No sync databases

#binlog-ignore-db=information_schema            # No sync databases

#binlog-ignore-db=performance_schema

原来是对test库有binlog过滤设置,全部注释掉。重启mysql库,重新来一遍,可以在看到binlog

在MySQL客户端上重新执行。

mysql> use test;

Database changed

mysql> insert into test.t1 select ,'t5';

Query OK,  row affected (0.00 sec)

Records:   Duplicates:   Warnings: 

mysql> select * from access_log.access_log;

+----+-----------+---------------------+---------------------------+--------------+

| id | thread_id | log_time            | localname                 | matchname    |

+----+-----------+---------------------+---------------------------+--------------+

|   |         | -- :: | cacti_user@192.168.171.71 | cacti_user@% |

|   |         | -- :: | cacti_user@192.168.171.71 | cacti_user@% |

|   |         | -- :: | cacti_user@192.168.171.71 | cacti_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@localhost      | audit_user@% |

|   |         | -- :: | audit_user@192.168.3.62    | audit_user@% |

|   |         | -- :: | audit_user@192.168.3.62    | audit_user@% |

|   |         | -- :: | audit_user@192.168.1.12    | audit_user@% |

|  |          | -- :: | audit_user@192.168.3.62    | audit_user@% |

+----+-----------+---------------------+---------------------------+--------------+

 rows in set (0.00 sec)

看到thread_id为1

,如何查看何跟踪用户行为记录。

去mysql数据库服务器上查看binlog,应该thread_id=1的binlog记录。

[root@db_server binlog]# /usr/local/mysql/bin/mysqlbinlog  --base64-output=DECODE-ROWS  mysql-bin. -v>.log

[root@db_server binlog]# vim .log

# at

# :: server id   end_log_pos  CRC32 0xa323c00e        Query   thread_id=     exec_time=     error_code=

SET TIMESTAMP=/*!*/;

BEGIN

/*!*/;

# at

# :: server id   end_log_pos  CRC32 0xbb8ca914        Table_map: `access_log`.`t1` mapped to number

# at

# :: server id   end_log_pos  CRC32 0x8eed1450        Write_rows: table id  flags: STMT_END_F

### INSERT INTO `access_log`.`t1`

### SET

###   @=

###   @='w0'

# at

# :: server id   end_log_pos  CRC32 0x72b26336        Xid =

COMMIT/*!*/;

看到thread_id=,然后,就可以根据thread_id=1来判断执行这条insert命令的来源,还可以在mysql服务器上执行show full processlist;来得到MySQL客户端的请求端口,

mysql> show full processlist;

+----+------------+-------------------+------+---------+------+-------+-----------------------+

| Id | User       | Host              | db   | Command | Time | State | Info                  |

+----+------------+-------------------+------+---------+------+-------+-----------------------+

|   | audit_user | 192.168.3.62: | test | Sleep   |   |       | NULL                  |

|   | root       | localhost         | NULL | Query   |     | init  | show full processlist |

+----+------------+-------------------+------+---------+------+-------+-----------------------+

 rows in set (0.00 sec)

mysql>

看到Id为1的线程,端口是44657。

我们切换回mysql客户端,去查看端口是44657的是什么进程,如下所示:

[tim@db_client ~]$ netstat -antlp |grep

(Not all processes could be identified, non-owned process info

 will not be shown, you would have to be root to see it all.)

tcp               192.168.3.62:           192.168.1.12:            ESTABLISHED /mysql

[tim@db_client ~]$ 

获取到该进程的PID ,再通过ps -eaf得到该进程所执行的命令,如下所示:

[tim@db_client ~]$ ps -eaf|grep

tim       : pts/    :: mysql -uaudit_user -p -h 192.168.1.12 -P3307

tim        : pts/    :: grep

[tim@db_client ~]$

最后查到是通过mysql客户端登陆连接的。加入这个6335是某个web工程的,那么,也可以根据ps -eaf命令查询得到web工程的进程信息。

参考文章地址:http://blog.chinaunix.net/uid-24086995-id-168445.html
 

在MySQL中使用init-connect与binlog来实现用户操作追踪记录的更多相关文章

  1. 0816关于MySQL的审计 init-connect+binlog实现用户操作追踪

    转自:http://blog.sina.com.cn/s/blog_605f5b4f01013xkv.html mysql 用init-connect+binlog实现用户操作追踪 做access 的 ...

  2. mysql 用init-connect+binlog实现用户操作追踪做access的ip的log记录

    在MYSQL中,每个连接都会先执行init-connect,进行连接的初始化.我们可以在这里获取用户的登录名称和thread的ID值.然后配合binlog,就可以追踪到每个操作语句的操作时间,操作人等 ...

  3. mysql中如何不重复插入满足某些条件的重复的记录的问题

    最近在项目中遇到了这样的一个问题“: 在mysql数据库中需要每次插入的时候不能插入三个字段都相同的记录.在这里使用到了 insert into if not exists  和insert igno ...

  4. mysql中Can't connect to MySQL server on 'localhost' (10061)

    Can't connect to MySQL server on 'localhost' (10061) 第一问题有两个解决方案: 1)没有启动sql服务,以下是具体步骤: 右键-计算机-管理-服务和 ...

  5. mysql中更改字段属性实际上都做了哪些操作

     mysql> set profiling=1; Query OK, 0 rows affected (0.00 sec) mysql> alter table test modify n ...

  6. ORACLE与mysql中查询第n条到第m条的数据记录的方法

    ORACLE: SELECT * FROM             (                  SELECT 表名.*, ROWNUM AS CON FROM 表名 WHERE ROWNUM ...

  7. mySQL中如何给某一IP段的用户授权?

    给一个用用户use ip: 192.168.0.1 语句是: grant all on *.* to root@192.168.0.1 identified by 'pass' 来授权 其中:root ...

  8. 探究MySQL中SQL查询的成本

    成本 什么是成本,即SQL进行查询的花费的时间成本,包含IO成本和CPU成本. IO成本:即将数据页从硬盘中读取到内存中的读取时间成本.通常1页就是1.0的成本. CPU成本:即是读取和检测是否满足条 ...

  9. 【MySQL】centos6中/etc/init.d/下没有mysqld启动文件,怎么办

    如果/etc/init.d/下面没有mysqld的话,service mysqld start也是不好使的,同样,chkconfig mysqld on也是不能用 解决办法: 将mysql的mysql ...

随机推荐

  1. android 数据库_sql语句总结

    表的创建db.execSQL("create table info(_id integer primary key autoincrement,name varchar(20)") ...

  2. ZigBee profile

        每个ZigBee设备都与一个特定模板相关联,可能是公共模板或私有模板.这些模板定义了设备的应用环境.设备类型以及用于设备间通信的簇.采用公共模板,可以确保不同供应商的设备在相同应用领域的互操作 ...

  3. Apache HTTP Server安装教程

    Apache HTTP Server安装教程 Apache HTTP Server的官方网站是:http://httpd.apache.org/,可以从中下载最新版本的Apache HTTP Serv ...

  4. linux 下权限问题

    linux 系统下的文件权限 drwxr-xr-x. 2 weblogic weblogic 4096 Dec 26 2012 console-ext-rwxr-xr-x. 1 weblogic we ...

  5. Flex-box 学习

    .flex-cont{ /*定义为flexbox的“父元素”*/ display: -webkit-box; display: -webkit-flex; display: flex; /*子元素沿主 ...

  6. [DevExpress]ChartControl之柱状图示例

    关键代码: using System; using System.Data; using System.Windows.Forms; using CSharpUtilHelpV2; using Dev ...

  7. mongodb的常用操作

    对于nosql之前工作中有用到bekerlydb,最近开始了解mongodb,先简单写下mongodb的一些常用操作,当是个总结: 1.mongodb使用数据库(database)和集合(collec ...

  8. Jquery操作Cookie取值错误的解决方法

    使用JQuery操作cookie时 发生取的值不正确,结果发现cookie有四个不同的属性,分享下错误的原因及解决方法. 使用JQuery操作cookie时 发生取的值不正确的问题:  结果发现coo ...

  9. MemProof教程

    简介 MemProof(内存清道夫)是AutomatedQA出品的一款非常不错的检测内存泄漏和资源泄漏的免费调试工具,适合于WIN32平台下使用DELPHI/C++ BUILDER开发的应用程序. 利 ...

  10. 简单的优化处理 By LINQ TO SQL

    最近在做关于新浪微博授权的一些minisite,数据库并不复杂,所以在数据打交道这块采用了linqtosql,开发起来更快更简单...但是随着用户访问逐渐增多,用户上传的图片也越来越多,因为首页是一个 ...