在MySQL中使用init-connect与binlog来实现用户操作追踪记录_MySQL
前言:
测试环境莫名其妙有几条重要数据被删除了,由于在binlog里面只看到是公用账号删除的,无法查询是那个谁在那个时间段登录的,就考虑怎么记录每一个MYSQL账号的登录信息,在MYSQL中,每个连接都会先执行init-connect,进行连接的初始化,我们可以在这里获取用户的登录名称和thread的ID值。然后配合binlog,就可以追踪到每个操作语句的操作时间,操作人等。实现审计。
1,在mysql服务器db中建立单独的记录访问信息的库
set names utf8;
create databaseaccess_log;
CREATE TABLE`access_log`
(
`id`int(11) NOT NULL AUTO_INCREMENT,
`thread_id` int(11) DEFAULT NULL, -- 线程ID,这个值很重要
`log_time`timestamp NOT NULL DEF AULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, -- 登录时间
`localname` varchar(30) DEFAULT NULL, -- 登录名称
`matchname` varchar(30) DEFAULT NULL, -- 登录用户
PRIMARYKEY (`id`)
) ENGINE=InnoDBAUTO_INCREMENT=1 DEFAULT CHARSET=utf8 comment '录入用户登录信息';
2,在配置文件中配置init-connect参数。登录时插入日志表。如果这个参数是个错误的SQL语句,登录就会失败。
vim/usr/local/mysql/my.cnf
init-connect='INSERTINTO access_log.access_logVALUES(NULL,CONNECTION_ID(),NOW(),USER(),CURRENT_USER());'
然后重启数据库
3,创建普通用户,不能有super权限,而且用户必须有对access_log库的access_log表的insert权限,否则会登录失败。
给登录用户赋予insert权限,但是不赋予access_log的insert、select权限,
GRANTINSERT,DELETE,UPDATE,SELECT ON test.* TO audit_user@'%' IDENTIFIED BY'cacti_user1603';
mysql> GRANTCREATE,DROP,ALTER,INSERT,DELETE,UPDATE,SELECT ON test.* TO audit_user@'%'IDENTIFIED BY 'cacti_user1603';
Query OK, 0 rowsaffected (0.00 sec)
mysql> exit
然后去用新的audit_user登录操作
[root@db_server~]# /usr/local/mysql/bin/mysql -uaudit_user -p -S/usr/local/mysql/mysql.sock
Enter password:
Welcome to theMySQL monitor. Commands end with ; or \g.
Your MySQL connectionid is 25
Server version:5.6.12-log
Copyright (c)2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is aregistered trademark of Oracle Corporation and/or its
affiliates. Othernames may be trademarks of their respective
owners.
Type 'help;' or'\h' for help. Type '\c' to clear the current input statement.
mysql> lect *from access_log.access_log;
ERROR 2006(HY000): MySQL server has gone away
No connection.Trying to reconnect...
Connection id: 26
Current database:*** NONE ***
ERROR 1184(08S01): Aborted connection 26 to db: 'unconnected' user: 'audit_user' host:'localhost' (init_connect command failed)
mysql>
看到报错信息 (init_connect command failed),再去错误日志error log验证一下:
tail -fn 5/usr/local/mysql/mysqld.log
2014-07-28 16:03:3123743 [Warning] Aborted connection 25 to db: 'unconnected' user: 'audit_user'host: 'localhost' (init_connect command failed)
2014-07-2816:03:31 23743 [Warning] INSERT command denied to user ''@'localhost' for table'access_log'
2014-07-2816:04:04 23743 [Warning] Aborted connection 26 to db: 'unconnected' user:'audit_user' host: 'localhost' (init_connect command failed)
2014-07-2816:04:04 23743 [Warning] INSERT command denied to user ''@'localhost' for table'access_log'
看到必须要有对access_log库的access_log表的insert权限才行。
4,赋予用户access_log的insert、select权限,然后重新赋予权限:
GRANTSELECT,INSERT ON access_log.* TO audit_user@'%';
mysql>
mysql> GRANTSELECT,INSERT ON access_log.* TO audit_user@'%';
Query OK, 0 rowsaffected (0.00 sec)
mysql> exit
Bye
再登录,报错如下:
[root@db_server~]# /usr/local/mysql/bin/mysql -uaudit_user -p -S/usr/local/mysql/mysql.sock
Enter password:
ERROR 1045(28000): Access denied for user 'audit_user'@'localhost' (using password: YES)
[root@db_server~]#
去查看error日志:
2014-07-2816:15:29 23743 [Warning] INSERT command denied to user ''@'localhost' for table'access_log'
2014-07-2816:15:41 23743 [Warning] Aborted connection 37 to db: 'unconnected' user:'audit_user' host: 'localhost' (init_connect command failed)
2014-07-2816:15:41 23743 [Warning] INSERT command denied to user ''@'localhost' for table'access_log'
2014-07-2816:15:50 23743 [Warning] Aborted connection 38 to db: 'unconnected' user:'audit_user' host: 'localhost' (init_connect command failed)
2014-07-2816:15:50 23743 [Warning] INSERT command denied to user ''@'localhost' for table'access_log'
需要用root用户登录进去,清空掉用户为''的用户记录。
mysql>select user,host,password from mysql.user;
+----------------+-----------+-------------------------------------------+
| user | host | password |
+----------------+-----------+-------------------------------------------+
| root | localhost | |
| root | db_server | |
| root | 127.0.0.1 | |
| root | ::1 | |
| | localhost | |
| | db_server | |
| cacti_user | % |*EB9E3195E443D577879101A35EF64A701B35F949 |
| cacti_user | 1 |*D5FF9B53A78232DA13D3643965A5961449B387DB |
| cacti_user | 2 | *D5FF9B53A78232DA13D3643965A5961449B387DB|
| test_user | 192.% |*8A447777509932F0ED07ADB033562027D95A0F17 |
| test_user | 1 |*8A447777509932F0ED07ADB033562027D95A0F17 |
| weakpwd_user_1| 10.% | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| weakpwd_user_2| 10.% | *B1461C9C68AFA1129A5F968C343636192A084ADB |
| weakpwd_user_3| 10.% | *DCB7DF5FFC82C441503300FFF165257BC551A598 |
| audit_user | % |*AEAB1915B137FAFDE9B949D67A9A42DDB68DD8A2 |
+----------------+-----------+-------------------------------------------+
15 rows in set(0.00 sec)
mysql> dropuser ''@'localhost';
Query OK, 0 rowsaffected (0.00 sec)
mysql> dropuser ''@'db_server';
Query OK, 0 rowsaffected (0.00 sec)
mysql>
再用已经分配了access_log表的Insert权限的audit_user登录
mysql> select* from access_log.access_log;
+----+-----------+---------------------+---------------------------+--------------+
| id | thread_id| log_time | localname | matchname |
+----+-----------+---------------------+---------------------------+--------------+
| 4 | 41 | 2014-07-28 16:19:37 | audit_user@localhost | audit_user@% |
| 5 | 42 | 2014-07-28 16:20:32 | audit_user@localhost | audit_user@% |
| 6 | 45 | 2014-07-28 16:21:11 | audit_user@localhost | audit_user@% |
+----+-----------+---------------------+---------------------------+--------------+
6 rows in set(0.00 sec)
mysql> showfull processlist;
+----+------------+-----------+------+---------+------+-------+-----------------------+
| Id | User | Host | db | Command | Time |State | Info |
+----+------------+-----------+------+---------+------+-------+-----------------------+
| 45 | audit_user| localhost | NULL | Query | 0 | init | show fullprocesslist |
+----+------------+-----------+------+---------+------+-------+-----------------------+
1 row in set(0.00 sec)
mysql>
5,再用另外一个用户登录建表,录入测试数据。
建表录入数据记录
mysql> usetest;
Database changed
mysql> createtable t1 select 1 as a, 'wa' as b;
Query OK, 1 rowaffected (0.01 sec)
Records: 1 Duplicates: 0 Warnings: 0
查看跟踪用户行为记录。
mysql> select* from access_log.access_log;
+----+-----------+---------------------+---------------------------+--------------+
| id | thread_id| log_time | localname | matchname |
+----+-----------+---------------------+---------------------------+--------------+
| 4 | 41 | 2014-07-28 16:19:37 | audit_user@localhost | audit_user@% |
| 5 | 42 | 2014-07-28 16:20:32 | audit_user@localhost | audit_user@% |
| 6 | 45 | 2014-07-28 16:21:11 | audit_user@localhost | audit_user@% |
| 7 | 48 | 2014-07-28 16:30:42 | audit_user@192.168.3.62 | audit_user@% |
| 8 | 50 | 2014-07-28 16:46:11 | audit_user@192.168.3.62 | audit_user@% |
+----+-----------+---------------------+---------------------------+--------------+
8 rows in set(0.00 sec)
去mysqldb服务器上查看binlog 内容,解析完后,没有insert语句,怎么回事,去看my.cnf
#binlog-ignore-db=mysql # No sync databases
#binlog-ignore-db=test # No sync databases
#binlog-ignore-db=information_schema # No sync databases
#binlog-ignore-db=performance_schema
原来是对test库有binlog过滤设置,全部注释掉。重启mysql库,重新来一遍,可以在看到binlog
在MySQL客户端上重新执行。
mysql> usetest;
Database changed
mysql> insertinto test.t1 select 5,'t5';
Query OK, 1 rowaffected (0.00 sec)
Records: 1 Duplicates: 0 Warnings: 0
mysql> select* from access_log.access_log;
+----+-----------+---------------------+---------------------------+--------------+
| id | thread_id| log_time | localname | matchname |
+----+-----------+---------------------+---------------------------+--------------+
| 1 | 17 | 2014-07-28 15:41:04 | cacti_user@192.168.171.71| cacti_user@% |
| 2 | 18 | 2014-07-28 15:41:05 | cacti_user@192.168.171.71| cacti_user@% |
| 3 | 19 | 2014-07-28 15:41:05 | cacti_user@192.168.171.71| cacti_user@% |
| 4 | 41 | 2014-07-28 16:19:37 | audit_user@localhost | audit_user@% |
| 5 | 42 | 2014-07-28 16:20:32 | audit_user@localhost | audit_user@% |
| 6 | 45 | 2014-07-28 16:21:11 | audit_user@localhost | audit_user@% |
| 7 | 48 | 2014-07-28 16:30:42 | audit_user@192.168.3.62 | audit_user@% |
| 8 | 50 | 2014-07-28 16:46:11 | audit_user@192.168.3.62 | audit_user@% |
| 9 | 56 | 2014-07-28 19:32:12 | audit_user@192.168.1.12 | audit_user@% |
| 10 | 1 | 2014-07-28 20:02:56 |audit_user@192.168.3.62 | audit_user@% |
+----+-----------+---------------------+---------------------------+--------------+
10 rows in set(0.00 sec)
看到thread_id为1
6,如何查看何跟踪用户行为记录。
去mysql数据库服务器上查看binlog,应该thread_id=1的binlog记录。
[root@db_serverbinlog]# /usr/local/mysql/bin/mysqlbinlog --base64-output=DECODE-ROWS mysql-bin.000018 -v>3.log
[root@db_serverbinlog]# vim 3.log
# at 1103
#140728 20:12:48server id 72 end_log_pos 1175 CRC32 0xa323c00e Query thread_id=1 exec_time=0 error_code=0
SETTIMESTAMP=1406549568/*!*/;
BEGIN
/*!*/;
# at 1175
#140728 20:12:48server id 72 end_log_pos 1229 CRC32 0xbb8ca914 Table_map: `test`.`t1` mapped to number 72
# at 1229
#140728 20:12:48server id 72 end_log_pos 1272 CRC32 0x8eed1450 Write_rows: table id 72 flags: STMT_END_F
### INSERT INTO `test`.`t1`
### SET
### @1=5
### @2='t5'
# at 1272
#140728 20:12:48server id 72 end_log_pos 1303 CRC32 0x72b26336 Xid = 14
COMMIT/*!*/;
看到thread_id=1,然后,就可以根据thread_id=1来判断执行这条insert命令的来源,还可以在mysql服务器上执行show full processlist;来得到MySQL客户端的请求端口,
mysql> showfull processlist;
+----+------------+-------------------+------+---------+------+-------+-----------------------+
| Id | User | Host |db | Command | Time | State | Info |
+----+------------+-------------------+------+---------+------+-------+-----------------------+
| 1 |audit_user | 192.168.3.62:44657 | test | Sleep | 162 | | NULL |
| 3 | root | localhost | NULL | Query | 0 | init | show full processlist |
+----+------------+-------------------+------+---------+------+-------+-----------------------+
2 rows in set(0.00 sec)
mysql>
看到Id为1的线程,端口是44657。
我们切换回mysql客户端,去查看端口是44657的是什么进程,如下所示:
[tim@db_client~]$ netstat -antlp |grep 44657
(Not allprocesses could be identified, non-owned process info
will not beshown, you would have to be root to see it all.)
tcp 0 0 192.168.3.62:44657 192.168.1.12:3307 ESTABLISHED 6335/mysql
[tim@db_client~]$
获取到该进程的PID,再通过ps -eaf得到该进程所执行的命令,如下所示:
[tim@db_client~]$ ps -eaf|grep 6335
tim 633525497 0 19:59 pts/1 00:00:00 mysql -uaudit_user -p -h192.168.1.12 -P3307
tim 6993 6906 0 20:16 pts/2 00:00:00 grep 6335
[tim@db_client ~]$
最后查到是通过mysql客户端登陆连接的。加入这个6335是某个web工程的,那么,也可以根据ps-eaf命令查询得到web工程的进程信息。
来自:http://blog.itpub.net/26230597/viewspace-1240386/
参考文章地址:http://blog.chinaunix.net/uid-24086995-id-168445.html
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1377
52
How to use Xiaohongshu account to find users? Can I find my mobile phone number?
Mar 22, 2024 am 08:40 AM
With the rapid development of social media, Xiaohongshu has become one of the most popular social platforms. Users can create a Xiaohongshu account to show their personal identity and communicate and interact with other users. If you need to find a user’s Xiaohongshu number, you can follow these simple steps. 1. How to use Xiaohongshu account to find users? 1. Open the Xiaohongshu APP, click the "Discover" button in the lower right corner, and then select the "Notes" option. 2. In the note list, find the note posted by the user you want to find. Click to enter the note details page. 3. On the note details page, click the "Follow" button below the user's avatar to enter the user's personal homepage. 4. In the upper right corner of the user's personal homepage, click the three-dot button and select "Personal Information"
Local users and groups are missing on Windows 11: How to add it
Sep 22, 2023 am 08:41 AM
The Local Users and Groups utility is built into Computer Management and can be accessed from the console or independently. However, some users find that local users and groups are missing in Windows 11. For some people who have access to it, the message suggests that this snap-in may not work with this version of Windows 10. To manage user accounts for this computer, use the User Accounts tool in Control Panel. The issue has been reported in previous iterations of Windows 10 and is usually caused by issues or oversights on the user's side. Why are local users and groups missing in Windows 11? You are running Windows Home edition, local users and groups are available on Professional edition and above. Activity
Log in to Ubuntu as superuser
Mar 20, 2024 am 10:55 AM
In Ubuntu systems, the root user is usually disabled. To activate the root user, you can use the passwd command to set a password and then use the su- command to log in as root. The root user is a user with unrestricted system administrative rights. He has permissions to access and modify files, user management, software installation and removal, and system configuration changes. There are obvious differences between the root user and ordinary users. The root user has the highest authority and broader control rights in the system. The root user can execute important system commands and edit system files, which ordinary users cannot do. In this guide, I'll explore the Ubuntu root user, how to log in as root, and how it differs from a normal user. Notice
Explore Windows 11 guide: How to access user folders on your old hard drive
Sep 27, 2023 am 10:17 AM
Certain folders are not always accessible due to permissions, and in today’s guide we will show you how to access user folders on your old hard drive on Windows 11. The process is simple but can take a while, sometimes even hours, depending on the size of the drive, so be extra patient and follow the instructions in this guide closely. Why can't I access my user folders on my old hard drive? User folders are owned by another computer, so you cannot modify them. You don't have any permissions on the folder other than ownership. How to open user files on old hard drive? 1. Take ownership of the folder and change permissions Find the old user directory, right-click on it and select Properties. Navigate to "An
Tutorial: How to delete a normal user account in Ubuntu system?
Jan 02, 2024 pm 12:34 PM
Many users have been added to the Ubuntu system. I want to delete the users that are no longer in use. How to delete them? Let’s take a look at the detailed tutorial below. 1. Open the terminal command line and use the userdel command to delete the specified user. Be sure to add the sudo permission command, as shown in the figure below. 2. When deleting, be sure to be in the administrator directory. Ordinary users do not have this permission. , as shown in the figure below 3. After the delete command is executed, how to judge whether it has been truly deleted? Next we use the cat command to open the passwd file, as shown in the figure below 4. We see that the deleted user information is no longer in the passwd file, which proves that the user has been deleted, as shown in the figure below 5. Then we enter the home file
What is sudo and why is it important?
Feb 21, 2024 pm 07:01 PM
sudo (superuser execution) is a key command in Linux and Unix systems that allows ordinary users to run specific commands with root privileges. The function of sudo is mainly reflected in the following aspects: Providing permission control: sudo achieves strict control over system resources and sensitive operations by authorizing users to temporarily obtain superuser permissions. Ordinary users can only obtain temporary privileges through sudo when needed, and do not need to log in as superuser all the time. Improved security: By using sudo, you can avoid using the root account during routine operations. Using the root account for all operations may lead to unexpected system damage, as any mistaken or careless operation will have full permissions. and
Windows 11 KB5031455 fails to install, causing other issues for some users
Nov 01, 2023 am 08:17 AM
Microsoft began rolling out KB2 to the public as an optional update for Windows 503145511H22 or later. This is the first update to enable Windows 11 Moment 4 features by default, including Windows Copilot in supported areas, preview support for items in the Start menu, ungrouping of the taskbar, and more. Additionally, it fixes several Windows 11 bugs, including potential performance issues that caused memory leaks. But ironically, the optional update for September 2023 will be a disaster for users trying to install the update, or even for those who have already installed it. Many users will not install this Wi
Win11 new version of drawing: remove background with one click to realize cutout function
Sep 15, 2023 pm 10:53 PM
Microsoft invites WindowsInsider project members in the Canary and Dev channels to test and experience the new Paint application. The latest version number is 11.2306.30.0. The most noteworthy new feature of this version update is the one-click cutout function. Users only need to click once to automatically eliminate the background and highlight the main body of the picture, making it easier for users to perform subsequent operations. The whole step is very simple. The user imports the picture in the new layout application, and then clicks the "removebackground" button on the toolbar to delete the background in the picture. The user can also use a rectangle to select the area to remove the background.
