New in MySQL Enterprise Edition: Policy-based Auditing!
- by Rob Young
Normal
0
false
false
false
EN-US
X-NONE
X-NONE
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
Normal
0
false
false
false
EN-US
X-NONE
X-NONE
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
For those with an interest in MySQL, this weekend's MySQL
Connect conference in San Francisco has gotten off to a great start. On
Saturday Tomas announced the feature complete MySQL 5.6 Release Candidate that is now available for Community adoption and testing. This announcement marks the sprint to GA that
should be ready for release within the next 90 days. You can get a quick summary of the key 5.6
features here or better
yet download the 5.6 RC (under “Development Releases”), review what's new and try it out for yourself! There were
also product related announcements around MySQL Cluster 7.3
and MySQL Enterprise Edition . This latter announcement is of particular
interest if you are faced with internal and regulatory
compliance requirements as it addresses and solves a pain point that is shared
by most developers and DBAs; new, out of the box compliance for MySQL
applications via policy-based audit logging of user and query level activity.
Normal
0
false
false
false
EN-US
X-NONE
X-NONE
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
One of the most common requests we get for the MySQL
roadmap is for quick and easy logging of audit events. This is mainly due to how web-based
applications have evolved from nice-to-have enablers to mission-critical
revenue generation and the important role MySQL plays in the new dynamic. In today’s virtual marketplace, PCI
compliance guidelines ensure credit card data is secure within e-commerce apps;
from a corporate standpoint, Sarbanes-Oxely, HIPAA and other regulations
guard the medical, financial, public sector and other personal data centric industries. For supporting applications audit policies and
controls that monitor the eyes and hands that have viewed and acted upon
the most sensitive of data is most commonly implemented on the back-end
database.
Normal
0
false
false
false
EN-US
X-NONE
X-NONE
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
With this in mind, MySQL 5.5 introduced an open audit
plugin API that enables all MySQL users to write their own auditing plugins based on application specific requirements. While the supporting docs are very complete and provide working code
samples, writing an audit plugin requires time and low-level expertise to
develop, test, implement and maintain. To help those who don't have the time
and/or expertise to develop such a plugin, Oracle now ships MySQL 5.5.28
and higher with an easy to use, out-of-the-box auditing solution; MySQL
Enterprise Audit.
MySQL
Enterprise Audit
The premise behind MySQL Enterprise Audit is simple; we
wanted to provide an easy to use, policy-based auditing solution that enables you to quickly and seamlessly add compliance to their MySQL
applications. MySQL Enterprise Audit
meets this requirement by enabling you to:
1. Easily
install the needed components.
Installation requires an upgrade to MySQL 5.5.28
(Enterprise edition), which can be downloaded from the My Oracle Support portal or the Oracle Software Delivery
Cloud. After installation, you simply add
the following to your my.cnf file to register and enable the audit plugin:
[mysqld]
plugin-load=audit_log.so (keep in mind the audit_log
suffix is platform dependent, so .dll on Windows, etc.)
or alternatively you can load the plugin at runtime:
mysql> INSTALL PLUGIN audit_log SONAME
'audit_log.so';
2.
Dynamically enable and disable the audit stream for a specific MySQL server.
A new global variable called audit_log_policy
allows you to dynamically enable and disable audit stream logging for a
specific MySQL server. The variable
parameters are described below.
3. Define audit policy based on what needs to
be logged (everything, logins, queries, or nothing), by server.
The new audit_log_policy variable uses the
following valid, descriptively named values to enable, disable audit stream
logging and to filter the audit events that are logged to the audit stream:
"ALL" - enable audit stream and
log all events
"LOGINS" - enable audit
stream and log only login events
"QUERIES" - enable audit
stream and log only querie events
"NONE" - disable audit stream
4.
Manage audit log files using basic MySQL log rotation features.
A new global variable, audit_log_rotate_on_size,
allows you to automate the rotation and archival of audit stream log files
based on size with archived log files renamed and appended with datetime stamp
when a new file is opened for logging.
5.
Integrate the MySQL audit stream with MySQL, Oracle tools and other third-party
solutions.
The MySQL audit stream is written as XML, using UFT-8 and
can be easily formatted for viewing using a standard XML parser. This enables you to leverage tools from
MySQL and others to view the contents. The audit stream was also developed to
meet the Oracle database audit stream specification so combined Oracle/MySQL
shops can import and manage MySQL audit images using the same Oracle
tools they use for their Oracle databases.
So assuming a successful MySQL 5.5.28 upgrade or
installation, a common set up and use case scenario might look something like
this:
Normal
0
false
false
false
EN-US
X-NONE
X-NONE
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
It should be noted that MySQL Enterprise Audit was
designed to be transparent at the application layer by allowing you to control
the mix of log output buffering and asynchronous or synchronous disk writes to
minimize the associated overhead that comes when the audit stream is
enabled. The net result is that, depending
on the chosen audit stream log stream options, most application users will see
little to no difference in response times when the audit stream is enabled.
So what are your next steps?
Normal
0
false
false
false
EN-US
X-NONE
X-NONE
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
Get all of the grainy details on
MySQL Enterprise Audit, including all of the additional configuration options from the MySQL documentation.
MySQL Enterprise Edition customers can
download MySQL 5.5.28 with the Audit extension for production use from the My
Oracle Support portal.
Everyone can download MySQL 5.5.28 with the
Audit extension for evaluation from the Oracle Software Delivery Cloud.
Learn more about MySQL Enterprise Edition.
As always, thanks for your continued support of MySQL!
