May
20
2014
--

Database auditing alternatives for MySQL

Database auditing is the monitoring of selected actions of database users. It doesn’t protect the database in case privileges are set incorrectly, but it can help the administrator detect mistakes.

Audits are needed for security. You can track data access and be alerted to suspicious activity. Audits are required for data integrity. They are the only way to validate that changes made to data are correct and legal.

There are several regulations that require database audits:

  • Sarbanes-Oxley (SOX) Act of 2002 is a US federal law that regulates how financial data must be handled and protected.
  • Payment Card Industry Data Security Standard, otherwise known as PCI-DSS is an international standard developed to protect cardholder’s data.
  • Health Insurance Portability and Accountability Act (HIPAA) enacted by the U.S. Congress to protect medical and personal information.

MySQL since version 5.5.3 provides the Audit Plugin API which can be used to write an Audit Plugin. The API provides notification for the following events:

  • messages written to general log (LOG)
  • messages written to error log (ERROR)
  • query results sent to client (RESULT)
  • logins (including failed) and disconnects (CONNECT)

All current audit plugins for MySQL provide an audit log as result of their work. They differ in record format, filtering capabilities and verbosity of log records.

McAfee MySQL Audit Plugin
This plugin is available for MySQL versions 5.1, 5.5, 5.6. It does not officially support Percona Server and MariaDB. It doesn’t use the Audit API and has better verbosity and better filtering features. This is achieved by binary patching the server at runtime inserting the hooks which extract data stored in known offsets in memory. Thus, the plugin is sensitive to any changes of server code.

Summary:

  • json log format
  • log to file or UNIX socket (allows to log with syslog-ng)
  • filter logged events by users, databases and tables, commands (insert, update, delete)

Oracle Enterprise Audit Log Plugin
Oracle provides this audit plugin as a part of the MySQL Enterprise pack. It uses the MySQL Audit API and is able to log RESULT and CONNECT events. The plugin has support for two XML-based formats.

Summary:

  • XML format
  • log to file
  • filter by event type

MariaDB Audit Plugin
MariaDB developers extended the MySQL Audit API by adding fields for existing events and adding new TABLE event which notifies of operation with tables (read, write, create, drop, alter). The plugin can still be used with MySQL and Percona Server but MariaDB’s additions will not be available.

Summary:

  • CSV log format
  • log to file or syslog
  • filter by users, event types

Percona Server Audit Log feature
Percona has developed an audit log feature that is a part of Percona Server since 5.5.35-37.0 and 5.6.17-65.0. It’s goal is to be compatible with Oracle’s Enterprise Audit Plugin providing a similar set of features for Percona Server users. It asynchronously logs all queries and connections in order to “audit” Percona Server usage, without the overhead of the General Query Log. The Audit Log feature can be very beneficial for web applications that deal with sensitive data (e.g., credit card numbers or medical records) and require security compliance (e.g., HIPAA or SOX). Administrators of multi-tenant applications or MySQL as a service can easily audit data access from a security and performance standpoint when using the Audit Log feature in Percona Server. The Audit Log feature is helpful for investigating and troubleshooting issues and auditing performance, too. The Audit Log feature can be dynamically enabled (does not require a server restart).

The post Database auditing alternatives for MySQL appeared first on MySQL Performance Blog.

May
07
2014
--

MySQL Audit Plugin now available in Percona Server 5.5 and 5.6

The MySQL Audit Plugin is now available for free in Percona ServerThe new Percona Server 5.5.37-35.0 and Percona Server 5.6.17-65.0-56, announced yesterday (May 6), both include the open source version of the MySQL Audit Plugin. The MySQL Audit Plugin is used to log all queries or connections (“audit” MySQL usage). Until yesterday’s release, the MySQL Audit Plugin was only available in MySQL Enterprise.

EDIT:  Just to be clear, this implementation is alternative to the MySQL Enterprise Audit Log Plugin. Percona re-implemented the Audit Plugin code as GPL as Oracle’s code was closed source.

EDIT 2: I should also mention: two other Open Source Audit Plugin implementations existed for a while: McAfee MySQL Audit Plugin and MariaDB Audit Plugin for MySQL. Both these implementation use their own audit log formats different from what Oracle’s implementation is using. Percona’s implementation is the first to be a drop-in replacement for MySQL Enterprise Audit Plugin.

Logging all MySQL usage is very important for a number of applications, for example:

  • Required: applications which deals with sensitive data (credit cards, medical records, etc); required for security compliances (i.e. HIPAA)
  • Very helpful: multi-tenants applications or MySQL as a service; MySQL administrators can audit the MySQL usage from the security and performance standpoint
  • Very helpful: investigating and troubleshooting; it is great to have a full log of all queries, which can help a lot for troubleshooting of MySQL and even for performance audit.

Originally, the only “easy” option was to enable general log. (Other options included using binary logs which does not include select queries or enabling queries “trace” in the application or MySQL connector). However, logging all queries using a general log may dramatically decrease performance in the highly loaded MySQL applications: Aleksandr Kuzminsky published a benchmark in 2009 to show the overhead of MySQL general and slow log. The main benefit of MySQL Log Audit plugin is that it logs all queries asynchronously (can be changed in the config). I’ve decided to try the new audit plugin in Percona Server and measure the performance impact of the new plugin compared to enabling the general log for the CPU bound applications.

How to start with MySQL Audit Plugin

First, we will need to enable (or “install”) MySQL audit plugin as decribed in the doc:

mysql> select version();
+-------------+
| version()   |
+-------------+
| 5.5.37-35.0 |
+-------------+
1 row in set (0.00 sec)
mysql> INSTALL PLUGIN audit_log SONAME 'audit_log.so';
Query OK, 0 rows affected (0.00 sec)

Now can see all MySQL audit plugin options:

mysql> show global variables like '%audit%';
+--------------------------+--------------+
| Variable_name            | Value        |
+--------------------------+--------------+
| audit_log_buffer_size    | 1048576      |
| audit_log_file           | audit.log    |
| audit_log_flush          | OFF          |
| audit_log_format         | OLD          |
| audit_log_policy         | ALL          |
| audit_log_rotate_on_size | 0            |
| audit_log_rotations      | 0            |
| audit_log_strategy       | ASYNCHRONOUS |
+--------------------------+--------------+
8 rows in set (0.00 sec)

There are a bunch of options we can tweak here, the most important for MySQL performance are:

  • audit_log_buffer_size; this buffer is used to cache the queries (for asynchronous operation).
  • audit_log_strategy; All options are listed in the documentation page:

Value Meaning
ASYNCHRONOUS Log asynchronously, wait for space in output buffer
PERFORMANCE Log asynchronously, drop request if insufficient space in output buffer
SEMISYNCHRONOUS Log synchronously, permit caching by operating system
SYNCHRONOUS Log synchronously, call sync() after each request

The most useful option in my mind is ASYNCHRONOUS, providing us with good balance between performance and not loosing transactions if the output buffer is not large enough.

  •  audit_log_policy; we can log all queries or MySQL logins only (very useful if we only need to audit MySQL connections)

Open Source Audit Plugin in MySQL Community server

You can also use Percona Open Source version of Audit Plugin in MySQL community version (5.5.37 and 5.6.17). Simply download the linux tarball of Percona Server and copy the  audit_log.so to your MySQL plugin dir.

Find plugin dir:

mysql> show global variables like '%plugin%';
+---------------+------------------------------+
| Variable_name | Value                        |
+---------------+------------------------------+
| plugin_dir    | /usr/local/mysql/lib/plugin/ |
+---------------+------------------------------+
1 row in set (0.00 sec)

Copy the file:

# cp audit_log.so /usr/local/mysql/lib/plugin/

Install plugin:

Server version: 5.5.37 MySQL Community Server (GPL)
mysql> INSTALL PLUGIN audit_log SONAME 'audit_log.so';
Query OK, 0 rows affected (0.00 sec)
Server version: 5.6.17 MySQL Community Server (GPL)
mysql> INSTALL PLUGIN audit_log SONAME 'audit_log.so';
Query OK, 0 rows affected (0.00 sec)

Using MySQL audit plugin

When plugin is enabled, it will log entries in audit.log file in XML format. Example:

<AUDIT_RECORD
  "NAME"="Audit"
  "RECORD"="1_2014-04-30T00:04:42"
  "TIMESTAMP"="2014-04-30T00:04:42 UTC"
  "MYSQL_VERSION"="5.5.37-35.0"
  "STARTUP_OPTIONS"="--basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/lib/mysql/localhost.localdomain.pid --socket=/var/lib/mysql/mysql.sock"
  "OS_VERSION"="x86_64-Linux",
/>
<AUDIT_RECORD
  "NAME"="Query"
  "RECORD"="2_2014-04-30T00:04:42"
  "TIMESTAMP"="2014-04-30T00:04:42 UTC"
  "COMMAND_CLASS"="install_plugin"
  "CONNECTION_ID"="1"
  "STATUS"="0"
  "SQLTEXT"="INSTALL PLUGIN audit_log SONAME 'audit_log.so'"
  "USER"="root[root] @ localhost []"
  "HOST"="localhost"
  "OS_USER"=""
  "IP"=""
/>
<AUDIT_RECORD
  "NAME"="Query"
  "RECORD"="3_2014-04-30T00:04:42"
  "TIMESTAMP"="2014-04-30T00:05:07 UTC"
  "COMMAND_CLASS"="show_variables"
  "CONNECTION_ID"="1"
  "STATUS"="0"
  "SQLTEXT"="show global variables like '%audit%'"
  "USER"="root[root] @ localhost []"
  "HOST"="localhost"
  "OS_USER"=""
  "IP"=""
/>

<AUDIT_RECORD
  "NAME"="Query"
  "RECORD"="10_2014-04-30T00:04:42"
  "TIMESTAMP"="2014-04-30T12:33:20 UTC"
  "COMMAND_CLASS"="grant"
  "CONNECTION_ID"="2"
  "STATUS"="0"
  "SQLTEXT"="grant all on sbtest.* to sb@localhost identified by 'sb'"
  "USER"="root[root] @ localhost []"
  "HOST"="localhost"
  "OS_USER"=""
  "IP"=""
/>
<AUDIT_RECORD
  "NAME"="Connect"
  "RECORD"="11_2014-04-30T00:04:42"
  "TIMESTAMP"="2014-04-30T12:34:53 UTC"
  "CONNECTION_ID"="3"
  "STATUS"="0"
  "USER"="sb"
  "PRIV_USER"="sb"
  "OS_LOGIN"=""
  "PROXY_USER"=""
  "HOST"="localhost"
  "IP"=""
  "DB"="sbtest"
/>
<AUDIT_RECORD
 "NAME"="Query"
 "RECORD"="1292_2014-04-30T00:04:42"
 "TIMESTAMP"="2014-04-30T12:45:07 UTC"
 "COMMAND_CLASS"="select"
 "CONNECTION_ID"="32"
 "STATUS"="1146"
 "SQLTEXT"="SELECT pad FROM sbtest8 WHERE id=5036031"
 "USER"="sb[sb] @ localhost []"
 "HOST"="localhost"
 "OS_USER"=""
 "IP"=""
/>

 Important notes: 

  • As all queries will be logged here, the passwords from “GRANT” will also be saved in clear text (as you can see above). It is very important to secure the file on disk.

EDIT: Clear text passwords issue only applies to MySQL 5.5 version.  As of MySQL 5.6.3, passwords in statements written to the general query log are rewritten by the server not to occur literally in plain text (quote from the documentation).

In MySQL 5.6 version here is what we will see:

<AUDIT_RECORD
  "NAME"="Query"
  "RECORD"="14_2014-05-05T21:56:20"
  "TIMESTAMP"="2014-05-07T13:51:04 UTC"
  "COMMAND_CLASS"="grant"
  "CONNECTION_ID"="2"
  "STATUS"="0"
  "SQLTEXT"="GRANT ALL PRIVILEGES ON `test`.* TO 'test'@'localhost' IDENTIFIED BY PASSWORD '*1E752E353CAA631945738535152AE894E47F5A48'"
  "USER"="root[root] @ localhost []"
  "HOST"="localhost"
  "OS_USER"=""
  "IP"=""
/>

  • The file can grow very large on disk:
ls -lah /var/lib/mysql/audit.log
-rw-rw---- 1 mysql mysql 7.1G May 4 07:30 /var/lib/mysql/audit.log

Searching the Audit Log entries

MySQL utilities provide a useful tool, mysqlauditgrep, to search / grep the logs file.  Unfortunately, I was not able to make it work (tried both v. 1.3 and v 1.4)  with audit plugin format created by Percona server. According to this bug  it can’t parse the “new” audit format. In my case, mysqlauditgrep will return a parsing error when I use the default format and returned no results when I set the “audit_log_format=NEW”. It will be nice to use the mysqlauditgrep as it looks like a very powerful tool, but for now our searching options are limited to conventional linux grep (which is not very easy for XML documents) or custom application to parse/search XML.

Performance overhead of Audit Log Plugin and General Log 

Finally, I wanted to measure the overhead of the Audit Log Plugin compared to General Log. I did a quick benchmark with sysbench OLTP test (CPU bound workload) with 4 modes:

  1. Audit Plugin disabled (to measure baseline)
  2. Audit Plugin enabled and logs all queries
  3. Audit Plugin enabled and logs only logins
  4. General Log enabled, Audit Plugin disabled

Here are the results:

Test Overhead
Plugin +  audit_log_policy = ALL ~15% overhead
Plugin +  audit_log_policy = LOGINS ~0% overhead (sysbench only connects once, so there may be bigger overhead here)
General_log ~62% overhead

As we can see here, audit log is not free from overhead, however, it is much smaller than enabling general_log to log all and every query. Those are quick benchmark results and more tests are need for more accurate measurements. Also, as always, your milage can vary.

Nice to have features

What I would love to have for audit plugin is the ability to log only some specific actions. For example, only log activity from a specific user or access to a specific table (i.e. a table with a sensitive data), etc. This will give more control and less overhead (=better performance).

Conclusion

The MySQL Audit Plugin is a great feature – it is a valuable tool for MySQL security and performance audits. The performance overhead may be a concern for a highly loaded systems, however, it looks reasonable and is much better than using general log to log all queries.

If you use general log or any other audit plugins, please share your experience in the comments.

The post MySQL Audit Plugin now available in Percona Server 5.5 and 5.6 appeared first on MySQL Performance Blog.

Powered by WordPress | Theme: Aeros 2.0 by TheBuckmaker.com