前言:
测试环境莫名其妙有几条重要数据被删除了,由于在binlog里面只看到是公用账号删除的,无法查询是那个谁在那个时间段登录的,就考虑怎么记录每一个MYSQL账号的登录信息,在MYSQL中,每个连接都会先执行init-connect,进行连接的初始化,我们可以在这里获取用户的登录名称和thread的ID值。然后配合binlog,就可以追踪到每个操作语句的操作时间,操作人等。实现审计。
1,在mysql服务器db中建立单独的记录访问信息的库
set names utf8;
create databaseaccess_log;
CREATE TABLE`access_log`
(
`id`int(11) NOT NULL AUTO_INCREMENT,
`thread_id` int(11) DEFAULT NULL, -- 线程ID,这个值很重要
`log_time`timestamp NOT NULL DEF AULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, -- 登录时间
`localname` varchar(30) DEFAULT NULL, -- 登录名称
`matchname` varchar(30) DEFAULT NULL, -- 登录用户
PRIMARYKEY (`id`)
) ENGINE=InnoDBAUTO_INCREMENT=1 DEFAULT CHARSET=utf8 comment '录入用户登录信息';
2,在配置文件中配置init-connect参数。登录时插入日志表。如果这个参数是个错误的SQL语句,登录就会失败。
vim/usr/local/mysql/my.cnf
init-connect='INSERTINTO access_log.access_logVALUES(NULL,CONNECTION_ID(),NOW(),USER(),CURRENT_USER());'
然后重启数据库
3,创建普通用户,不能有super权限,而且用户必须有对access_log库的access_log表的insert权限,否则会登录失败。
给登录用户赋予insert权限,但是不赋予access_log的insert、select权限,
GRANTINSERT,DELETE,UPDATE,SELECT ON test.* TO audit_user@'%' IDENTIFIED BY'cacti_user1603';
mysql> GRANTCREATE,DROP,ALTER,INSERT,DELETE,UPDATE,SELECT ON test.* TO audit_user@'%'IDENTIFIED BY 'cacti_user1603';
Query OK, 0 rowsaffected (0.00 sec)
mysql> exit
然后去用新的audit_user登录操作
[root@db_server~]# /usr/local/mysql/bin/mysql -uaudit_user -p -S/usr/local/mysql/mysql.sock
Enter password:
Welcome to theMySQL monitor. Commands end with ; or \g.
Your MySQL connectionid is 25
Server version:5.6.12-log
Copyright (c)2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is aregistered trademark of Oracle Corporation and/or its
affiliates. Othernames may be trademarks of their respective
owners.
Type 'help;' or'\h' for help. Type '\c' to clear the current input statement.
mysql> lect *from access_log.access_log;
ERROR 2006(HY000): MySQL server has gone away
No connection.Trying to reconnect...
Connection id: 26
Current database:*** NONE ***
ERROR 1184(08S01): Aborted connection 26 to db: 'unconnected' user: 'audit_user' host:'localhost' (init_connect command failed)
mysql>
看到报错信息 (init_connect command failed),再去错误日志error log验证一下:
tail -fn 5/usr/local/mysql/mysqld.log
2014-07-28 16:03:3123743 [Warning] Aborted connection 25 to db: 'unconnected' user: 'audit_user'host: 'localhost' (init_connect command failed)
2014-07-2816:03:31 23743 [Warning] INSERT command denied to user ''@'localhost' for table'access_log'
2014-07-2816:04:04 23743 [Warning] Aborted connection 26 to db: 'unconnected' user:'audit_user' host: 'localhost' (init_connect command failed)
2014-07-2816:04:04 23743 [Warning] INSERT command denied to user ''@'localhost' for table'access_log'
看到必须要有对access_log库的access_log表的insert权限才行。
4,赋予用户access_log的insert、select权限,然后重新赋予权限:
GRANTSELECT,INSERT ON access_log.* TO audit_user@'%';
mysql>
mysql> GRANTSELECT,INSERT ON access_log.* TO audit_user@'%';
Query OK, 0 rowsaffected (0.00 sec)
mysql> exit
Bye
再登录,报错如下:
[root@db_server~]# /usr/local/mysql/bin/mysql -uaudit_user -p -S/usr/local/mysql/mysql.sock
Enter password:
ERROR 1045(28000): Access denied for user 'audit_user'@'localhost' (using password: YES)
[root@db_server~]#
去查看error日志:
2014-07-2816:15:29 23743 [Warning] INSERT command denied to user ''@'localhost' for table'access_log'
2014-07-2816:15:41 23743 [Warning] Aborted connection 37 to db: 'unconnected' user:'audit_user' host: 'localhost' (init_connect command failed)
2014-07-2816:15:41 23743 [Warning] INSERT command denied to user ''@'localhost' for table'access_log'
2014-07-2816:15:50 23743 [Warning] Aborted connection 38 to db: 'unconnected' user:'audit_user' host: 'localhost' (init_connect command failed)
2014-07-2816:15:50 23743 [Warning] INSERT command denied to user ''@'localhost' for table'access_log'
需要用root用户登录进去,清空掉用户为''的用户记录。
mysql>select user,host,password from mysql.user;
+----------------+-----------+-------------------------------------------+
| user | host | password |
+----------------+-----------+-------------------------------------------+
| root | localhost | |
| root | db_server | |
| root | 127.0.0.1 | |
| root | ::1 | |
| | localhost | |
| | db_server | |
| cacti_user | % |*EB9E3195E443D577879101A35EF64A701B35F949 |
| cacti_user | 1 |*D5FF9B53A78232DA13D3643965A5961449B387DB |
| cacti_user | 2 | *D5FF9B53A78232DA13D3643965A5961449B387DB|
| test_user | 192.% |*8A447777509932F0ED07ADB033562027D95A0F17 |
| test_user | 1 |*8A447777509932F0ED07ADB033562027D95A0F17 |
| weakpwd_user_1| 10.% | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| weakpwd_user_2| 10.% | *B1461C9C68AFA1129A5F968C343636192A084ADB |
| weakpwd_user_3| 10.% | *DCB7DF5FFC82C441503300FFF165257BC551A598 |
| audit_user | % |*AEAB1915B137FAFDE9B949D67A9A42DDB68DD8A2 |
+----------------+-----------+-------------------------------------------+
15 rows in set(0.00 sec)
mysql> dropuser ''@'localhost';
Query OK, 0 rowsaffected (0.00 sec)
mysql> dropuser ''@'db_server';
Query OK, 0 rowsaffected (0.00 sec)
mysql>
再用已经分配了access_log表的Insert权限的audit_user登录
mysql> select* from access_log.access_log;
+----+-----------+---------------------+---------------------------+--------------+
| id | thread_id| log_time | localname | matchname |
+----+-----------+---------------------+---------------------------+--------------+
| 4 | 41 | 2014-07-28 16:19:37 | audit_user@localhost | audit_user@% |
| 5 | 42 | 2014-07-28 16:20:32 | audit_user@localhost | audit_user@% |
| 6 | 45 | 2014-07-28 16:21:11 | audit_user@localhost | audit_user@% |
+----+-----------+---------------------+---------------------------+--------------+
6 rows in set(0.00 sec)
mysql> showfull processlist;
+----+------------+-----------+------+---------+------+-------+-----------------------+
| Id | User | Host | db | Command | Time |State | Info |
+----+------------+-----------+------+---------+------+-------+-----------------------+
| 45 | audit_user| localhost | NULL | Query | 0 | init | show fullprocesslist |
+----+------------+-----------+------+---------+------+-------+-----------------------+
1 row in set(0.00 sec)
mysql>
5,再用另外一个用户登录建表,录入测试数据。
建表录入数据记录
mysql> usetest;
Database changed
mysql> createtable t1 select 1 as a, 'wa' as b;
Query OK, 1 rowaffected (0.01 sec)
Records: 1 Duplicates: 0 Warnings: 0
查看跟踪用户行为记录。
mysql> select* from access_log.access_log;
+----+-----------+---------------------+---------------------------+--------------+
| id | thread_id| log_time | localname | matchname |
+----+-----------+---------------------+---------------------------+--------------+
| 4 | 41 | 2014-07-28 16:19:37 | audit_user@localhost | audit_user@% |
| 5 | 42 | 2014-07-28 16:20:32 | audit_user@localhost | audit_user@% |
| 6 | 45 | 2014-07-28 16:21:11 | audit_user@localhost | audit_user@% |
| 7 | 48 | 2014-07-28 16:30:42 | audit_user@192.168.3.62 | audit_user@% |
| 8 | 50 | 2014-07-28 16:46:11 | audit_user@192.168.3.62 | audit_user@% |
+----+-----------+---------------------+---------------------------+--------------+
8 rows in set(0.00 sec)
去mysqldb服务器上查看binlog 内容,解析完后,没有insert语句,怎么回事,去看my.cnf
#binlog-ignore-db=mysql # No sync databases
#binlog-ignore-db=test # No sync databases
#binlog-ignore-db=information_schema # No sync databases
#binlog-ignore-db=performance_schema
原来是对test库有binlog过滤设置,全部注释掉。重启mysql库,重新来一遍,可以在看到binlog
在MySQL客户端上重新执行。
mysql> usetest;
Database changed
mysql> insertinto test.t1 select 5,'t5';
Query OK, 1 rowaffected (0.00 sec)
Records: 1 Duplicates: 0 Warnings: 0
mysql> select* from access_log.access_log;
+----+-----------+---------------------+---------------------------+--------------+
| id | thread_id| log_time | localname | matchname |
+----+-----------+---------------------+---------------------------+--------------+
| 1 | 17 | 2014-07-28 15:41:04 | cacti_user@192.168.171.71| cacti_user@% |
| 2 | 18 | 2014-07-28 15:41:05 | cacti_user@192.168.171.71| cacti_user@% |
| 3 | 19 | 2014-07-28 15:41:05 | cacti_user@192.168.171.71| cacti_user@% |
| 4 | 41 | 2014-07-28 16:19:37 | audit_user@localhost | audit_user@% |
| 5 | 42 | 2014-07-28 16:20:32 | audit_user@localhost | audit_user@% |
| 6 | 45 | 2014-07-28 16:21:11 | audit_user@localhost | audit_user@% |
| 7 | 48 | 2014-07-28 16:30:42 | audit_user@192.168.3.62 | audit_user@% |
| 8 | 50 | 2014-07-28 16:46:11 | audit_user@192.168.3.62 | audit_user@% |
| 9 | 56 | 2014-07-28 19:32:12 | audit_user@192.168.1.12 | audit_user@% |
| 10 | 1 | 2014-07-28 20:02:56 |audit_user@192.168.3.62 | audit_user@% |
+----+-----------+---------------------+---------------------------+--------------+
10 rows in set(0.00 sec)
看到thread_id为1
6,如何查看何跟踪用户行为记录。
去mysql数据库服务器上查看binlog,应该thread_id=1的binlog记录。
[root@db_serverbinlog]# /usr/local/mysql/bin/mysqlbinlog --base64-output=DECODE-ROWS mysql-bin.000018 -v>3.log
[root@db_serverbinlog]# vim 3.log
# at 1103
#140728 20:12:48server id 72 end_log_pos 1175 CRC32 0xa323c00e Query thread_id=1 exec_time=0 error_code=0
SETTIMESTAMP=1406549568/*!*/;
BEGIN
/*!*/;
# at 1175
#140728 20:12:48server id 72 end_log_pos 1229 CRC32 0xbb8ca914 Table_map: `test`.`t1` mapped to number 72
# at 1229
#140728 20:12:48server id 72 end_log_pos 1272 CRC32 0x8eed1450 Write_rows: table id 72 flags: STMT_END_F
### INSERT INTO `test`.`t1`
### SET
### @1=5
### @2='t5'
# at 1272
#140728 20:12:48server id 72 end_log_pos 1303 CRC32 0x72b26336 Xid = 14
COMMIT/*!*/;
看到thread_id=1,然后,就可以根据thread_id=1来判断执行这条insert命令的来源,还可以在mysql服务器上执行show full processlist;来得到MySQL客户端的请求端口,
mysql> showfull processlist;
+----+------------+-------------------+------+---------+------+-------+-----------------------+
| Id | User | Host |db | Command | Time | State | Info |
+----+------------+-------------------+------+---------+------+-------+-----------------------+
| 1 |audit_user | 192.168.3.62:44657 | test | Sleep | 162 | | NULL |
| 3 | root | localhost | NULL | Query | 0 | init | show full processlist |
+----+------------+-------------------+------+---------+------+-------+-----------------------+
2 rows in set(0.00 sec)
mysql>
看到Id为1的线程,端口是44657。
我们切换回mysql客户端,去查看端口是44657的是什么进程,如下所示:
[tim@db_client~]$ netstat -antlp |grep 44657
(Not allprocesses could be identified, non-owned process info
will not beshown, you would have to be root to see it all.)
tcp 0 0 192.168.3.62:44657 192.168.1.12:3307 ESTABLISHED 6335/mysql
[tim@db_client~]$
获取到该进程的PID,再通过ps -eaf得到该进程所执行的命令,如下所示:
[tim@db_client~]$ ps -eaf|grep 6335
tim 633525497 0 19:59 pts/1 00:00:00 mysql -uaudit_user -p -h192.168.1.12 -P3307
tim 6993 6906 0 20:16 pts/2 00:00:00 grep 6335
[tim@db_client ~]$
最后查到是通过mysql客户端登陆连接的。加入这个6335是某个web工程的,那么,也可以根据ps-eaf命令查询得到web工程的进程信息。
来自:http://blog.itpub.net/26230597/viewspace-1240386/
参考文章地址:http://blog.chinaunix.net/uid-24086995-id-168445.html
Explain the role of InnoDB redo logs and undo logs.Apr 15, 2025 am 12:16 AMInnoDB uses redologs and undologs to ensure data consistency and reliability. 1.redologs record data page modification to ensure crash recovery and transaction persistence. 2.undologs records the original data value and supports transaction rollback and MVCC.
What are the key metrics to look for in an EXPLAIN output (type, key, rows, Extra)?Apr 15, 2025 am 12:15 AMKey metrics for EXPLAIN commands include type, key, rows, and Extra. 1) The type reflects the access type of the query. The higher the value, the higher the efficiency, such as const is better than ALL. 2) The key displays the index used, and NULL indicates no index. 3) rows estimates the number of scanned rows, affecting query performance. 4) Extra provides additional information, such as Usingfilesort prompts that it needs to be optimized.
What is the Using temporary status in EXPLAIN and how to avoid it?Apr 15, 2025 am 12:14 AMUsingtemporary indicates that the need to create temporary tables in MySQL queries, which are commonly found in ORDERBY using DISTINCT, GROUPBY, or non-indexed columns. You can avoid the occurrence of indexes and rewrite queries and improve query performance. Specifically, when Usingtemporary appears in EXPLAIN output, it means that MySQL needs to create temporary tables to handle queries. This usually occurs when: 1) deduplication or grouping when using DISTINCT or GROUPBY; 2) sort when ORDERBY contains non-index columns; 3) use complex subquery or join operations. Optimization methods include: 1) ORDERBY and GROUPB
Describe the different SQL transaction isolation levels (Read Uncommitted, Read Committed, Repeatable Read, Serializable) and their implications in MySQL/InnoDB.Apr 15, 2025 am 12:11 AMMySQL/InnoDB supports four transaction isolation levels: ReadUncommitted, ReadCommitted, RepeatableRead and Serializable. 1.ReadUncommitted allows reading of uncommitted data, which may cause dirty reading. 2. ReadCommitted avoids dirty reading, but non-repeatable reading may occur. 3.RepeatableRead is the default level, avoiding dirty reading and non-repeatable reading, but phantom reading may occur. 4. Serializable avoids all concurrency problems but reduces concurrency. Choosing the appropriate isolation level requires balancing data consistency and performance requirements.
MySQL vs. Other Databases: Comparing the OptionsApr 15, 2025 am 12:08 AMMySQL is suitable for web applications and content management systems and is popular for its open source, high performance and ease of use. 1) Compared with PostgreSQL, MySQL performs better in simple queries and high concurrent read operations. 2) Compared with Oracle, MySQL is more popular among small and medium-sized enterprises because of its open source and low cost. 3) Compared with Microsoft SQL Server, MySQL is more suitable for cross-platform applications. 4) Unlike MongoDB, MySQL is more suitable for structured data and transaction processing.
How does MySQL index cardinality affect query performance?Apr 14, 2025 am 12:18 AMMySQL index cardinality has a significant impact on query performance: 1. High cardinality index can more effectively narrow the data range and improve query efficiency; 2. Low cardinality index may lead to full table scanning and reduce query performance; 3. In joint index, high cardinality sequences should be placed in front to optimize query.
MySQL: Resources and Tutorials for New UsersApr 14, 2025 am 12:16 AMThe MySQL learning path includes basic knowledge, core concepts, usage examples, and optimization techniques. 1) Understand basic concepts such as tables, rows, columns, and SQL queries. 2) Learn the definition, working principles and advantages of MySQL. 3) Master basic CRUD operations and advanced usage, such as indexes and stored procedures. 4) Familiar with common error debugging and performance optimization suggestions, such as rational use of indexes and optimization queries. Through these steps, you will have a full grasp of the use and optimization of MySQL.
Real-World MySQL: Examples and Use CasesApr 14, 2025 am 12:15 AMMySQL's real-world applications include basic database design and complex query optimization. 1) Basic usage: used to store and manage user data, such as inserting, querying, updating and deleting user information. 2) Advanced usage: Handle complex business logic, such as order and inventory management of e-commerce platforms. 3) Performance optimization: Improve performance by rationally using indexes, partition tables and query caches.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Zend Studio 13.0.1
Powerful PHP integrated development environment
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
