Want to subscribe to topics you're interested in?
Become a Member

Beta Branch add tools/auditd.sh for auditd logging setup in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Oct 9, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    30,961
    6,918
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,420
    Local Time:
    8:50 PM
    Nginx 1.13.x
    MariaDB 5.5
    • Like Like x 1
  2. pamamolf

    pamamolf Well-Known Member

    2,824
    253
    83
    May 31, 2014
    Ratings:
    +448
    Local Time:
    12:50 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Need some info please :)

    Do we have to run it every x hours/days or is it one time task to enable it?

    After enabling it where we have to look for the extra info?

    Any sample data ?

    Does it cause any overhead for MariaDb?

    Thank you!!!!
     
  3. eva2000

    eva2000 Administrator Staff Member

    30,961
    6,918
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,420
    Local Time:
    8:50 PM
    Nginx 1.13.x
    MariaDB 5.5
    It's still work in progress hence why i disabled it by default as haven't decided on how i want the regular maintenance to be. Auditd has a few niggling issues like it will stop adding additional auditd rules if it hits a rule it doesn't like i.e. if the rule is to watch and monitor a directory or file that doesn't exist at the time of adding the rule. So you don't want auditd to be merging in new auditd rules when a directory doesn't exist and have to think carefully about which files/directories you want to monitor.

    auditd has ausearch, auditctl commands which work on /var/log/audit/audit.log etc. So you need to learn how to use those commands and i won't provide support for that. I will have a sticky thread for info links which i'll post below too

    How to use and interpret the auditd provided logs is left to end user as there's no support provided by me. The official Redhat documentation applies to CentOS as well so a starting point would be here.
    Then there's a few guides online
    auditd doesn't touch MariaDB. But tools/auditd.sh also has a 2nd component to optionally install (disabled by default) MariaDB's on Audit Plugin

    The linked guides have plenty of examples :)
     
    • Informative Informative x 1
  4. eva2000

    eva2000 Administrator Staff Member

    30,961
    6,918
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,420
    Local Time:
    8:50 PM
    Nginx 1.13.x
    MariaDB 5.5
    as to MariaDB Audit Plugin overhead, you'd have to try and see yourself :)

    I'd updated it to just log connect and query_dml (INSERT/UPDATES) so an example when i used MySQL/MariaDB's native mysqlslap command to generate some sql workload and sql file

    Code (Text):
    Database Name ? sbtest
    Drop Database If Exists ? y/n: y
    Which Storage Engine ? innodb
    Number of Secondary Indexes ? 4
    Number of Int Col ? 4
    Number of Char Col ? 4
    Number of Queries ? 1000
    mysqlslap.sql created
    -rw-r--r--   1 root root 388K Oct  9 20:45 mysqlslap.sql
    +------------+----------------+----------------+-----------+------------+--------+
    | Table Name | Number of Rows | Storage Engine | Data Size | Index Size | Total  |
    +------------+----------------+----------------+-----------+------------+--------+
    | sbtest.t1  | 644 Rows       | InnoDB         | 0.02MB    | 0.06MB     | 0.08MB |
    +------------+----------------+----------------+-----------+------------+--------+


    Code (Text):
    tail -6 /var/lib/mysql/server_audit.log
    20161009 20:45:59,host.domain.com,root,localhost,6,1758,QUERY,sbtest,'INSERT INTO t1 VALUES (NULL,uuid(),uuid(),uuid(),uuid(),166730292,284589771,1502859928,1209427991,\'BFb8ySFkYGWQmhKxeRC55ORSNWGbLceYsEhiaoIy4gOiMlfs4rxA7GeMnmp0ESZ6a6g8mz7jXNPt85mDwbN4ktIXf8XlcwkAuOAZF9GnZZYZeAmRm1NWuhtPpG3P5n\',\'RrBWOJXYy46WWkhG3JAQhw8QEpaH7f4QN7wfISCGOInuuK3qX5G41GM76wG5SCXrKKMWgan4kQrXmmL9rTDkmbskN8prLCaZYx3CNiH880XumsvTL8Dzbxbz6GiJTH\',\'k16n6TMFdWF8HtsCM6DRxoPZfNhEiAXQ4T5AyRPSyYS7PLJfJO6G5XpkuXycZLuTqsfhBw91Sd8lqSO9sXQx27apWOHweCPKw517t29EgHzMdGYMnyJhxlWS2gOgsp\',\'0gmunYwwmSEdrrtFDg5PE22cM4Gek0Kdg6XSWJGGoWuXEneJKjcQlf20jBeKBypkxK4RXKkBrWax9CGTvlvZOqZz13BC20orCsIcDunwGMtQa1vMmjn2ZKuaFxe9yR\')',0
    20161009 20:45:59,host.domain.com,root,localhost,6,0,DISCONNECT,sbtest,,0
    20161009 20:45:59,host.domain.com,root,localhost,7,0,CONNECT,,,0
    20161009 20:45:59,host.domain.com,root,localhost,7,1760,QUERY,,'select @@version_comment limit 1',0
    20161009 20:45:59,host.domain.com,root,localhost,7,1761,QUERY,,'SELECT CONCAT(table_schema,\'.\',table_name) AS \'Table Name\', CONCAT(ROUND(table_rows,2),\' Rows\') AS \'Number of Rows\',ENGINE AS \'Storage Engine\',CONCAT(ROUND(data_length/(1024*1024),2),\'MB\') AS \'Data Size\',CONCAT(ROUND(index_length/(1024*1024),2),\'MB\') AS \'Index Size\' ,CONCAT(ROUND((data_length+index_length)/(1024*1024),2),\'MB\') AS\'Total\'FROM information_schema.TABLES WHERE table_schema LIKE \'sbtest\'',0
    20161009 20:45:59,host.domain.com,root,localhost,7,0,DISCONNECT,,,0
     
  5. eva2000

    eva2000 Administrator Staff Member

    30,961
    6,918
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,420
    Local Time:
    8:50 PM
    Nginx 1.13.x
    MariaDB 5.5