Database auditing alternatives for MySQL
Audits are needed for security. You can track data access and be alerted to suspicious activity. Audits are required for data integrity. They are the only way to validate that changes made to data are correct and legal.
There are several regulations that require database audits:
- Sarbanes-Oxley (SOX) Act of 2002 is a US federal law that regulates how financial data must be handled and protected.
- Payment Card Industry Data Security Standard, otherwise known as PCI-DSS is an international standard developed to protect cardholder’s data.
- Health Insurance Portability and Accountability Act (HIPAA) enacted by the U.S. Congress to protect medical and personal information.
MySQL since version 5.5.3 provides the Audit Plugin API which can be used to write an Audit Plugin. The API provides notification for the following events:
- messages written to general log (LOG)
- messages written to error log (ERROR)
- query results sent to client (RESULT)
- logins (including failed) and disconnects (CONNECT)
All current audit plugins for MySQL provide an audit log as result of their work. They differ in record format, filtering capabilities and verbosity of log records.
McAfee MySQL Audit Plugin
This plugin is available for MySQL versions 5.1, 5.5, 5.6. It does not officially support Percona Server and MariaDB. It doesn’t use the Audit API and has better verbosity and better filtering features. This is achieved by binary patching the server at runtime inserting the hooks which extract data stored in known offsets in memory. Thus, the plugin is sensitive to any changes of server code.
Summary:
- json log format
- log to file or UNIX socket (allows to log with syslog-ng)
- filter logged events by users, databases and tables, commands (insert, update, delete)
Oracle Enterprise Audit Log Plugin
Oracle provides this audit plugin as a part of the MySQL Enterprise pack. It uses the MySQL Audit API and is able to log RESULT and CONNECT events. The plugin has support for two XML-based formats.
Summary:
- XML format
- log to file
- filter by event type
MariaDB Audit Plugin
MariaDB developers extended the MySQL Audit API by adding fields for existing events and adding new TABLE event which notifies of operation with tables (read, write, create, drop, alter). The plugin can still be used with MySQL and Percona Server but MariaDB’s additions will not be available.
Summary:
- CSV log format
- log to file or syslog
- filter by users, event types
Percona Server Audit Log feature
Percona has developed an audit logfeature that is a part of Percona Server since 5.5.35-37.0 and 5.6.17-65.0. It’s goal is to be compatible with Oracle’s Enterprise Audit Plugin providing a similar set of features forPercona Serverusers. It asynchronously logs all queries and connections in order to “audit” Percona Server usage, without the overhead of the General Query Log. The Audit Log feature can be very beneficial for web applications that deal with sensitive data (e.g., credit card numbers or medical records) and require security compliance (e.g., HIPAA or SOX). Administrators of multi-tenant applications or MySQL as a service can easily audit data access from a security and performance standpoint when using the Audit Log feature in Percona Server. The Audit Log feature is helpful for investigating and troubleshooting issues and auditing performance, too. The Audit Log feature can be dynamically enabled (does not require a server restart).
上一篇: PHP三层结构(下)PHP实现AOP
下一篇: js控制文件拖拽并获取拖拽内容实现代码
推荐阅读
-
the security settings could not be applied to the database(mysql安装error)【简记】
-
解决mysql创建数据库后出现:Access denied for user 'root'@'%' to database 'xxx'的问题
-
提示:ERROR 1044 (42000): Access denied for user ''@'localhost' to database 'mysql'的错误如何解决?
-
What is a schema in a MySQL database?
-
安装mysql-8.0.19-winx64遇到的问题:Can't create directory 'xxxx\Database\'
-
mysql 数据库 Database page corruption 时的恢复参数 innodb_force_recovery、innodb_purge_threads
-
Leetcode database 刷题 MySQL 简单部分
-
pycharm连接mysql是出现Connection to orm02@127.0.0.1 failed. [08001] Could not create connection to database server. Attempted reconnect 3 times. Giving up.
-
mysql备份数据出现mysqldump: Got error: 1049: Unknown database ‘jxgl>jxgl.sql‘ when selecting the database
-
Oracle Database 11g MySQL 5.6开发手册》试读有感