In environments with load balancers or proxies, the audit plugin logs
only the IP address, making it difficult to differentiate individual client
connections from the same IP.
Add a new 'port' field to the appropriate event objects to capture the
client's TCP port number. Populate the port field with thd->port in the
appropriate functions. The audit plugin receives and logs this port field
along with other connection information, enabling better identification
of individual client connections.
All new code of the whole pull request, including one or several files that
are either new files or modified ones, is contributed under the BSD-new license.
I am contributing on behalf of my employer Amazon Web Services, Inc.
Add tls_version and tls_version_length variables to the audit plugin so
they can be logged. This is useful to help identify suspicious or
malformed connections attempting to use unsupported TLS versions. A log
with this information will allow detecting and blocking more malicious
connection attempts.
Users with 'server_audit_events' empty will have these two new variables
automatically visible in their logs, but if users don't want them, they
can always configure what fields to include by listing the fields in
'server_audit_events'.
In the connection event, the TLS version will be populated in the `object` field
in key=value format, and the key-value pair will be omitted when the
value is empty.
To ensure the MTR test result matches in all environments, the TLS
version string is replaced with a general `TLS_VERSION` to avoid the MTR
test failing unexpectedly. It stores the version with the query `SHOW STATUS
LIKE 'Ssl_version'` and replaces the output with the `replace_result` command.
All new code of the whole pull request, including one or several files
that are either new files or modified ones, is contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
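The two commits above describe a client port field and a tls_version key=value pair (omitted when empty) in the connection event's object field. The following is an added example, not code from the pull requests or the plugin: a small log reader that uses both fields to tell apart clients behind one shared IP and to flag plaintext or legacy-TLS connections. The column layout, the ';' separator between key=value pairs and the sample log lines are constructed assumptions, not the plugin's documented format.

```python
import csv
import io
from collections import namedtuple

# Constructed sample lines, NOT real plugin output. Assumed column layout:
# timestamp,serverhost,user,host,port,connid,queryid,operation,db,object,retcode
# For CONNECT rows the object column holds key=value pairs (';'-separated is an
# assumption); the tls_version pair is absent when the connection is not TLS.
SAMPLE_LOG = """\
20240101 10:00:00,db1,app,10.0.0.5,51432,17,0,CONNECT,shop,tls_version=TLSv1.3,0
20240101 10:00:01,db1,app,10.0.0.5,51433,18,0,CONNECT,shop,tls_version=TLSv1,0
20240101 10:00:02,db1,legacy,10.0.0.5,51434,19,0,CONNECT,shop,,0
20240101 10:00:03,db1,app,10.0.0.5,51432,17,3,QUERY,shop,'SELECT 1',0
"""
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # versions worth alerting on

# port = client TCP port (tells clients behind one IP apart);
# tls_version = None when the key=value pair was omitted (not a TLS connection)
ConnectEvent = namedtuple("ConnectEvent", "username host port tls_version")

def parse_object_field(obj: str) -> dict:
    """Split 'k=v;k2=v2' into a dict, dropping pairs whose value is empty."""
    pairs = {}
    for item in obj.split(";"):
        key, sep, value = item.partition("=")
        if sep and value:
            pairs[key] = value
    return pairs

def parse_connect_events(text: str) -> list:
    """Return a ConnectEvent for every CONNECT row in the log text."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 11 or row[7] != "CONNECT":
            continue
        kv = parse_object_field(row[9])
        events.append(ConnectEvent(row[2], row[3], int(row[4]), kv.get("tls_version")))
    return events

def flag_weak_connections(events: list) -> list:
    """(host, port, reason) tuples for plaintext or legacy-TLS connections."""
    findings = []
    for ev in events:
        if ev.tls_version is None:
            findings.append((ev.host, ev.port, "no TLS"))
        elif ev.tls_version in LEGACY_TLS:
            findings.append((ev.host, ev.port, "legacy " + ev.tls_version))
    return findings
```

Because the port is part of each finding, two connections from the same proxy address (51433 and 51434 above) are reported as distinct clients rather than one.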
This was done in, among other things:
- thd->db and thd->db_length
- TABLE_LIST tablename, db, alias and schema_name
- Audit plugin database name
- lex->db
- All db and table names in Alter_table_ctx
- st_select_lex db
Other things:
- Changed a lot of functions to take const LEX_CSTRING* as argument
for db, table_name and alias. See init_one_table() as an example.
- Changed some function arguments from LEX_CSTRING to const LEX_CSTRING
- Changed some lists from LEX_STRING to LEX_CSTRING
- threads_mysql.result changed because process list_db wasn't always
correctly updated
- New append_identifier() function that takes LEX_CSTRING* as arguments
- Added new element tmp_buff to Alter_table_ctx to separate temp name
handling from temporary space
- Ensure we store the length after my_casedn_str() of table/db names
- Removed not used version of rename_table_in_stat_tables()
- Changed Natural_join_column::table_name and db_name() to never return
NULL (used for print)
- thd->get_db() now returns db as a printable string (thd->db.str or "")
The compiler there is strict about the C/C++ call model
mixing in function variable assumptions.
Fixed by adding some 'extern "C"' and replacing the
'?' operator with 'if'.
Simplified audit event dispatching call chain from:
mysql_audit_notify_connection_connect() // can be inlined
mysql_audit_notify() // can't be inlined
connection_class_handler() // can't be inlined
event_class_dispatch() // can be inlined
plugins_dispatch() // can be inlined
plugin->event_notify() // can't be inlined
to:
mysql_audit_notify_connection_connect() // can be inlined
mysql_audit_notify() // can't be inlined
plugins_dispatch() // can be inlined
plugin->event_notify() // can't be inlined
file_logger became the service.
Data like query_id now are sent to the audit plugin.
Fix for MDEV-4770 ported from 10.0.
Fix added for the read_maria_plugin_info().
Log rotation can be disabled with 'set rotations=0'.
The types mysql_event_general/mysql_event_connection are
being cast to the incompatible type mysql_event. The way
mysql_event and the other types are designed is prone to
strict aliasing violations and can break things depending
on how compilers optimize this code.
This patch fixes the audit interface so it conforms to
strict-aliasing rules. It introduces incompatible changes to the
audit interface:
- mysql_event type has been removed;
- event_class has been removed from mysql_event_generic and
mysql_event_connection types;
- st_mysql_audit::event_notify() second argument is event_class;
- st_mysql_audit::event_notify() third argument is event of type
(const void *).
"Writing Audit Plugins" section of manual should be updated:
http://dev.mysql.com/doc/refman/5.5/en/writing-audit-plugins.html
include/mysql/plugin_audit.h:
event_class has been moved out of mysql_event types.
include/mysql/plugin_audit.h.pp:
event_class has been moved out of mysql_event types.
plugin/audit_null/audit_null.c:
event_class has been moved out of mysql_event types.
sql/sql_audit.cc:
event_class has been moved out of mysql_event types.
include/mysql/plugin_audit.h:
Connection auditing class.
include/mysql/plugin_audit.h.pp:
Connection auditing class.
sql/mysqld.cc:
Notify disconnect to auditing.
sql/sql_audit.cc:
Connection class event dispatcher.
sql/sql_audit.h:
mysql_audit_notify() is not available in embedded.
sql/sql_connect.cc:
Notify connect to auditing.
sql/sql_parse.cc:
Notify user change to auditing.
e.g. MYSQL_AUDIT_GENERAL_ERROR
General audit API (MYSQL_AUDIT_GENERAL_CLASS) didn't expose event
subclass to plugins.
This patch exposes event subclass to plugins via
struct mysql_event_general::event_subclass.
This change is not compatible with existing general audit plugins.
Audit interface major version has been incremented.
include/mysql/plugin_audit.h:
Expose event subclass to audit general plugins.
plugin/audit_null/audit_null.c:
Added distinct counters for general event sub-classes.
Removed printf() from deinit(). One can easily see the number of
calls via status variables.
To make the code nicer, modified the class mask to use a macro instead
of a hardcoded number.
Incremented audit plugin minor version.
sql/sql_audit.cc:
Expose event subclass to audit general plugins.
Bug #36098 Audit plugin (wl 3771) feature disabled in 6.0
avoid recursive locking of LOCK_plugin
include/mysql/plugin_audit.h:
fix incorrect version
sql/log.cc:
move the common code to a shared header
sql/mysqld.cc:
restore the deleted functionality
sql/set_var.cc:
remove unused parameter
sql/sql_audit.h:
two inline convenience functions
sql/sql_parse.cc:
use a simplified convenience call
sql/sql_plugin.cc:
unlock LOCK_plugin for plugin->init() call, add missing OOM check,
issue "unknown variable" error in find_sys_var, not down the stack
WL#3771
"Audit Plugin Interface"
Implement new plug-in type - AUDIT
New plug-in: audit_null
simply increments a counter for how many times it was called.
include/Makefile.am:
wl3771
add new headers to distribution
include/mysql/plugin.h:
wl3771
define new AUDIT plugin type
Split out fulltext plugin type into its own header
include/mysql/plugin.h.pp:
wl3771
no real API change, just re-arranged some code
include/mysql/plugin_audit.h:
wl3771
pluggable audit interface
include/mysql/plugin_ftparser.h:
wl3771
Split out fulltext plugin type into its own header
libmysqld/CMakeLists.txt:
wl3771
add sql_audit.cc to build
libmysqld/Makefile.am:
wl3771
add sql_audit.cc to build
plugin/audit_null:
wl3771
an example plugin for testing pluggable audit interface
plugin/audit_null/Makefile.am:
wl3771
an example plugin for testing pluggable audit interface
plugin/audit_null/audit_null.c:
wl3771
an example plugin for testing pluggable audit interface
plugin/audit_null/plug.in:
wl3771
an example plugin for testing pluggable audit interface
sql/CMakeLists.txt:
wl3771
add sql_audit.cc to build
sql/Makefile.am:
wl3771
add sql_audit.cc to build
sql/event_queue.cc:
wl3771
release audit resources before waiting
sql/log.cc:
wl3771
add general audit call for log
sql/mysqld.cc:
wl3771
add audit initialize/finalize
add general audit call for error
sql/sql_audit.cc:
wl3771
pluggable audit interface implementation
sql/sql_audit.h:
wl3771
pluggable audit interface implementation
sql/sql_class.cc:
wl3771
add thd audit init/deinit calls
sql/sql_class.h:
wl3771
add required data structures for audit to THD
sql/sql_connect.cc:
wl3771
release audit resources before waiting
sql/sql_insert.cc:
wl3771
release audit plugins before waiting
sql/sql_parse.cc:
wl3771
add general audit call for results
sql/sql_plugin.cc:
wl3771
add declarations for audit plugin type