github
/
mysql-audit
mirror of https://github.com/mcafee-enterprise/mysql-audit
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

More offsets for latest mysql versions upto 5.1.63 and 5.5.25. 

Automatic calculation of offsets seen used in Ubuntu/Debian builds based upon found version offsets when checksum validation is disabled.
Remove usage of strdup for delay_cmds, record_objs and record_cmds and use PLUGIN_VAR_MEMALOC instead.
pull/15/head
Guy Lichtman 2012-08-01 21:34:33 +03:00
parent 59f5b82cc9
commit 23259986a0
1 changed files with 1263 additions and 1195 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

332
src/audit_plugin.cc
View File

@ -104,8 +104,10 @@ static const ThdOffsets thd_offsets_arr[] =
{"5.1.60-community","d9497964e8983a348538c0d05eaee7f0", 6328, 6392, 3688, 3960, 88, 2048},
//offsets for: /mysqlrpm/5.1.61/usr/sbin/mysqld (5.1.61-community)
{"5.1.61-community","bda6030d35e7fafa5b1e57154a53b804", 6328, 6392, 3688, 3960, 88, 2048},
//offsets for:
{"5.1.63","2a6d7c81179baf6bc6bbb807b8b54967", 6336, 6400, 3696, 3968, 88, 2048},
//offsets for: /mysqlrpm/5.1.62/usr/sbin/mysqld (5.1.62-community)
{"5.1.62-community","a4e8de89e0d9a353d09687d3b4560cb3", 6328, 6392, 3688, 3960, 88, 2048},
//offsets for: /mysqlrpm/5.1.63/usr/sbin/mysqld (5.1.63-community)
{"5.1.63-community","0f4d7e3b17eb36f17aafe4360993a769", 6328, 6392, 3688, 3960, 88, 2048},
//offsets for: mysqlrpm/5.5.8/usr/sbin/mysqld (5.5.8)
{"5.5.8","70a882693d54df8ab7c7d9f256e317bb", 6032, 6080, 3776, 4200, 88, 2560},
//offsets for: mysqlrpm/5.5.9/usr/sbin/mysqld (5.5.9)
@ -136,6 +138,16 @@ static const ThdOffsets thd_offsets_arr[] =
{"5.5.20","9f6122576930c5d09ca9244094c83f24", 6048, 6096, 3800, 4224, 88, 2560},
//offsets for: mysqlrpm/5.5.21/usr/sbin/mysqld (5.5.21)
{"5.5.21","4a03ad064ed393dabdde175f3ea05ff2", 6048, 6096, 3800, 4224, 88, 2560},
//offsets for: mysqlrpm/5.5.22/usr/sbin/mysqld (5.5.22)
{"5.5.22","f3592147108e65d92cb18fb4d900c4ab", 6048, 6096, 3800, 4224, 88, 2560},
//offsets for: mysqlrpm/5.5.23/usr/sbin/mysqld (5.5.23)
{"5.5.23","aac33433f75b9758e7f42fad6991fa9e", 6048, 6096, 3800, 4224, 88, 2568},
//offsets for: mysqlrpm/5.5.24/usr/sbin/mysqld (5.5.24)
{"5.5.24","2915a9dd079446149b17d0d1c478fb11", 6048, 6096, 3800, 4224, 88, 2568},
//offsets for: /mysqlrpm/5.5.25/usr/sbin/mysqld (5.5.25)
{"5.5.25","6043eff2cfa493d4e020cae65c41b030", 6056, 6104, 3808, 4232, 88, 2568},
//offsets for: mysqlrpm/5.5.25a/usr/sbin/mysqld (5.5.25a)
{"5.5.25a","b59c03244daf51d4327409288d8c889f", 6056, 6104, 3808, 4232, 88, 2568},
//DISTRIBUTION: tar.gz
//offsets for: /mysql/5.1.30/bin/mysqld (5.1.30)
@ -203,6 +215,12 @@ static const ThdOffsets thd_offsets_arr[] =
{"5.1.60","5407e492f802cca03eccb2211205632d", 6336, 6400, 3696, 3968, 88, 2048},
//offsets for: /mysql/5.1.61/bin/mysqld (5.1.61)
{"5.1.61","c2ce56446b33ee22c16160b3f8206541", 6336, 6400, 3696, 3968, 88, 2048},
//offsets for: /mysql/5.1.62/bin/mysqld (5.1.62)
{"5.1.62","5ab9ae376d93b71120e1c9dc2129c580", 6336, 6400, 3696, 3968, 88, 2048},
//offsets for: /mysql/5.1.63/bin/mysqld (5.1.63)
{"5.1.63","ea56cc85859f146c42957177524492c3", 6336, 6400, 3696, 3968, 88, 2048},
//offsets set by https://github.com/creechy
{"5.1.63","2a6d7c81179baf6bc6bbb807b8b54967", 6336, 6400, 3696, 3968, 88, 2048},
//offsets for: mysql/5.5.8/bin/mysqld (5.5.8)
{"5.5.8","a32b163f08ca8bfd7486cd77200d9df3", 6032, 6080, 3776, 4200, 88, 2560},
//offsets for: mysql/5.5.9/bin/mysqld (5.5.9)
@ -233,8 +251,15 @@ static const ThdOffsets thd_offsets_arr[] =
//offsets for: /mysql/5.5.20/bin/mysqld (5.5.20)
{"5.5.20","8b68e84332b442d58a46ae4299380a99", 6048, 6096, 3800, 4224, 88, 2560},
//offsets for: mysql/5.5.21/bin/mysqld (5.5.21)
{"5.5.21","66d23cb577e2bcfe29da08833f5e7d8b", 6048, 6096, 3800, 4224, 88, 2560}
{"5.5.21","66d23cb577e2bcfe29da08833f5e7d8b", 6048, 6096, 3800, 4224, 88, 2560},
//offsets for: /mysql/5.5.22/bin/mysqld (5.5.22)
{"5.5.22","9152de65a0de0594f46e1db0d0c9a182", 6048, 6096, 3800, 4224, 88, 2560},
//offsets for: /mysql/5.5.23/bin/mysqld (5.5.23)
{"5.5.23","da3c9d8e3bf1c1235d283cbfad1631ab", 6048, 6096, 3800, 4224, 88, 2568},
//offsets for: /mysql/5.5.24/bin/mysqld (5.5.24)
{"5.5.24","5cb90eb8d4080f50fd7a432ad9eb75e0", 6048, 6096, 3800, 4224, 88, 2568},
//offsets for: /mysql/5.5.25/bin/mysqld (5.5.25)
{"5.5.25","3c19465f6b6f2daecb7a2d7ac1592824", 6056, 6104, 3808, 4232, 88, 2568}
};
#else
@ -309,6 +334,10 @@ static const ThdOffsets thd_offsets_arr[] =
{"5.1.60-community","bc2d74ea58d22d998f8f8c88139fc5f7", 4096, 4136, 2240, 2420, 44, 1176},
//offsets for: /mysqlrpm/5.1.61/usr/sbin/mysqld (5.1.61-community)
{"5.1.61-community","f73013eb2001a02c84ddd0ac42a307ac", 4096, 4136, 2240, 2420, 44, 1176},
//offsets for: /mysqlrpm/5.1.62/usr/sbin/mysqld (5.1.62-community)
{"5.1.62-community","f410638e7414c6cc709b7d5cda24669c", 4096, 4136, 2240, 2420, 44, 1176},
//offsets for: /mysqlrpm/5.1.63/usr/sbin/mysqld (5.1.63-community)
{"5.1.63-community","2b39264a67466c6f1dfa37c37a8a6bd0", 4096, 4136, 2240, 2420, 44, 1176},
//offsets for: mysqlrpm/5.5.8/usr/sbin/mysqld (5.5.8)
{"5.5.8","3132e8c883f72caf4c8eddb24fd005b4", 3792, 3820, 2336, 2668, 44, 1640},
//offsets for: mysqlrpm/5.5.9/usr/sbin/mysqld (5.5.9)
@ -337,6 +366,14 @@ static const ThdOffsets thd_offsets_arr[] =
{"5.5.20","c73100bcb0d967b627cad72e66503194", 3808, 3836, 2360, 2692, 44, 1640},
//offsets for: mysqlrpm/5.5.21/usr/sbin/mysqld (5.5.21)
{"5.5.21","18d78ced97227b83e62e9b43ba5b3883", 3808, 3836, 2360, 2692, 44, 1640},
//offsets for: /mysqlrpm/5.5.22/usr/sbin/mysqld (5.5.22)
{"5.5.22","9da3081f83069a2762831d0ead5a97c8", 3808, 3836, 2360, 2692, 44, 1640},
//offsets for: /mysqlrpm/5.5.23/usr/sbin/mysqld (5.5.23)
{"5.5.23","c94f20f31cfa674d5763da7d2344c219", 3808, 3836, 2360, 2692, 44, 1644},
//offsets for: /mysqlrpm/5.5.24/usr/sbin/mysqld (5.5.24)
{"5.5.24","10e0ced8d28daf6a9c16d2b57be7c6af", 3808, 3836, 2360, 2692, 44, 1644},
//offsets for: /mysqlrpm/5.5.25/usr/sbin/mysqld (5.5.25)
{"5.5.25","bd20af37978967a145724098e913eeda", 3812, 3840, 2364, 2696, 44, 1644},
//DISTRIBUTION: tar.gz
//offsets for: mysql/5.1.30/bin/mysqld (5.1.30)
@ -404,6 +441,10 @@ static const ThdOffsets thd_offsets_arr[] =
{"5.1.60","520270041d8c490d49233e88741c025c", 4104, 4144, 2248, 2428, 44, 1176},
//offsets for: /mysql/5.1.61/bin/mysqld (5.1.61)
{"5.1.61","1a7a0981d77f4d212e899efaa581bd42", 4104, 4144, 2248, 2428, 44, 1176},
//offsets for: /mysql/5.1.62/bin/mysqld (5.1.62)
{"5.1.62","4c5fd81faa9fe407c8a7fbd11b29351a", 4104, 4144, 2248, 2428, 44, 1176},
//offsets for: /mysql/5.1.63/bin/mysqld (5.1.63)
{"5.1.63","576124febe6310985e432f6346031ff4", 4104, 4144, 2248, 2428, 44, 1176},
//offsets for: /mysqlrpm/5.5.8/usr/sbin/mysqld (5.5.8)
{"5.5.8","3132e8c883f72caf4c8eddb24fd005b4", 3792, 3820, 2336, 2668, 44, 1640},
{"5.5.8","ad8a16d9bbfb783dab53f38cef757900", 3792, 3820, 2336, 2668, 44, 1640},
@ -434,7 +475,17 @@ static const ThdOffsets thd_offsets_arr[] =
//offsets for: /mysql/5.5.20/bin/mysqld (5.5.20)
{"5.5.20","cb9b6887ea525fe9965121d357163fe4", 3808, 3836, 2360, 2692, 44, 1640},
//offsets for: mysql/5.5.21/bin/mysqld (5.5.21)
{"5.5.21","a0762cee3ad5d4e77480956144900213", 3808, 3836, 2360, 2692, 44, 1640}
{"5.5.21","a0762cee3ad5d4e77480956144900213", 3808, 3836, 2360, 2692, 44, 1640},
//offsets for: /mysql/5.5.22/bin/mysqld (5.5.22)
{"5.5.22","f635047c7ddf74dcac98612a65e40fe1", 3808, 3836, 2360, 2692, 44, 1640},
//offsets for: /mysql-5.5_5.5.22-0ubuntu1_i386/bin/mysqld (5.5.22-0ubuntu1)
{"5.5.22-0ubuntu1","9cc7d4582b1fae0ebf43dbe5ffb56008", 3784, 3812, 2336, 2668, 44, 1640},
//offsets for: /mysql/5.5.23/bin/mysqld (5.5.23)
{"5.5.23","8f51987d3f0d0dc044adcf42937050f6", 3808, 3836, 2360, 2692, 44, 1644},
//offsets for: /mysql/5.5.24/bin/mysqld (5.5.24)
{"5.5.24","a3916dca234905bd49b3fefe5d6ad738", 3808, 3836, 2360, 2692, 44, 1644},
//offsets for: /mysql/5.5.25/bin/mysqld (5.5.25)
{"5.5.25","f16c3fa53f77e5f25fd25694b5a27c48", 3812, 3840, 2364, 2696, 44, 1644}
};
#endif
@ -460,38 +511,37 @@ static char *delay_cmds_string = NULL;
static char *record_cmds_string = NULL;
static char *record_objs_string = NULL;
static char delay_cmds_array [SQLCOM_END + 2][MAX_COMMAND_CHAR_NUMBERS];
static char record_cmds_array [SQLCOM_END + 2][MAX_COMMAND_CHAR_NUMBERS];
static char record_objs_array [MAX_NUM_OBJECT_ELEM + 2][MAX_OBJECT_CHAR_NUMBERS];
static char delay_cmds_array [SQLCOM_END + 2][MAX_COMMAND_CHAR_NUMBERS] = {0};
static char record_cmds_array [SQLCOM_END + 2][MAX_COMMAND_CHAR_NUMBERS] = {0};
static char record_objs_array [MAX_NUM_OBJECT_ELEM + 2][MAX_OBJECT_CHAR_NUMBERS] = {0};
static int num_delay_cmds = 0;
static int num_record_cmds = 0;
static int num_record_objs = 0;
static SHOW_VAR com_status_vars_array [MAX_COM_STATUS_VARS_RECORDS] = {0};
/**
* The trampoline function we use. Define it via a macro which simply fills it with nops.
*/
static int trampoline_mysql_execute_command(THD *thd)
__attribute__ ((noinline)) static int trampoline_mysql_execute_command(THD *thd)
{
TRAMPOLINE_NOP_DEF;
return 0; //dummy return as this does a jump.
}
static unsigned int trampoline_mysql_execute_size =0;
static void trampoline_log_slow_statement(THD *thd)
__attribute__ ((noinline)) static void trampoline_log_slow_statement(THD *thd)
{
TRAMPOLINE_NOP_DEF
}
static unsigned int trampoline_log_slow_statement_size =0;
static int trampoline_check_user(THD *thd, enum enum_server_command command, const char *passwd, uint passwd_len, const char *db, bool check_count)
__attribute__ ((noinline)) static int trampoline_check_user(THD *thd, enum enum_server_command command, const char *passwd, uint passwd_len, const char *db, bool check_count)
{
TRAMPOLINE_NOP_DEF;
return 0; //dummy return as this does a jump.
}
static unsigned int trampoline_check_user_size =0;
static bool trampoline_acl_authenticate(THD *thd, uint connect_errors, uint com_change_user_pkt_len){
__attribute__ ((noinline)) static bool trampoline_acl_authenticate(THD *thd, uint connect_errors, uint com_change_user_pkt_len){
TRAMPOLINE_NOP_DEF;
return 0; //dummy return as this does a jump.
}
@ -517,8 +567,8 @@ THDPRINTED * GetThdPrintedList (THD *thd)
return NULL;
}
static int check_array(const char *cmds[], char *array, int length) {
for (int k=0; array[k * length + 0] !='\0';k++) {
static int check_array(const char *cmds[],const char *array, int length) {
for (int k=0; array[k * length] !='\0';k++) {
for (int q = 0; cmds[q] != NULL; q++) {
const char *cmd = cmds[q];
int j = 0;
@ -533,7 +583,6 @@ static int check_array(const char *cmds[], char *array, int length) {
}
return 0;
}
static void audit(ThdSesData *pThdData)
{
THDPRINTED *pThdPrintedList = GetThdPrintedList (pThdData->getTHD());
@ -546,7 +595,6 @@ static void audit(ThdSesData *pThdData)
return;
}
}
if (num_record_objs > 0) {
LEX *pLex = Audit_formatter::thd_lex(pThdData->getTHD());
TABLE_LIST * table = pLex->query_tables;
@ -554,27 +602,21 @@ static void audit(ThdSesData *pThdData)
while (table && !matched) {
char *name = table->get_table_name();
char *db = table->get_db_name();
char db_obj[MAX_OBJECT_CHAR_NUMBERS];
char wildcard_obj[MAX_OBJECT_CHAR_NUMBERS];
char db_wildcard[MAX_OBJECT_CHAR_NUMBERS];
strcpy(db_obj, db);
strcat(db_obj, ".");
strcat(db_obj, name);
strcpy(wildcard_obj, "*.");
strcat(wildcard_obj, name);
strcpy(db_wildcard, db);
strcat(db_wildcard, ".*");
const char *objects[4];
objects[0] = db_obj;
objects[1] = wildcard_obj;
objects[2] = db_wildcard;
objects[3] = NULL;
matched = check_array(objects, (char *) record_objs_array, MAX_OBJECT_CHAR_NUMBERS);
table = table->next_global;
}
@ -582,7 +624,6 @@ static void audit(ThdSesData *pThdData)
return;
}
}
if (pThdPrintedList && pThdPrintedList->cur_index < MAX_NUM_QUEUE_ELEM)
{
if (pThdPrintedList->is_thd_printed_queue[pThdPrintedList->cur_index] == 0)
@ -615,14 +656,14 @@ static void audit(ThdSesData *pThdData)
}
static int trampoline_send_result_to_client(Query_cache *pthis, THD *thd, char *sql, uint query_length)
__attribute__ ((noinline)) static int trampoline_send_result_to_client(Query_cache *pthis, THD *thd, char *sql, uint query_length)
{
TRAMPOLINE_NOP_DEF;
return 0 ; //dummy return as this does a jump.
}
#if MYSQL_VERSION_ID > 50505
static bool trampoline_open_tables(THD *thd, TABLE_LIST **start, uint *counter, uint flags,
__attribute__ ((noinline)) static bool trampoline_open_tables(THD *thd, TABLE_LIST **start, uint *counter, uint flags,
Prelocking_strategy *prelocking_strategy)
{
TRAMPOLINE_NOP_DEF;
@ -630,7 +671,7 @@ static bool trampoline_open_tables(THD *thd, TABLE_LIST **start, uint *counter,
return true ; //dummy return as this does a jump.
}
#else
static int trampoline_open_tables(THD *thd, TABLE_LIST **start, uint *counter, uint flags)
__attribute__ ((noinline)) static int trampoline_open_tables(THD *thd, TABLE_LIST **start, uint *counter, uint flags)
{
TRAMPOLINE_NOP_DEF;
TRAMPOLINE_NOP_DEF;
@ -656,7 +697,7 @@ QueryTableInf * Audit_formatter::getQueryCacheTableList1 (THD *thd)
return (QueryTableInf*) THDVAR(thd, query_cache_table_list);
}
static bool trampoline_check_table_access(THD *thd, ulong want_access,TABLE_LIST *tables, uint number, bool no_errors)
__attribute__ ((noinline)) static bool trampoline_check_table_access(THD *thd, ulong want_access,TABLE_LIST *tables, uint number, bool no_errors)
{
TRAMPOLINE_NOP_DEF
return true;
@ -997,6 +1038,31 @@ static bool parse_thd_offsets_string (char *poffsets_string)
return true;
}
static bool validate_offsets(const ThdOffsets * offset)
{
//check that offsets are actually correct. We use a buff of memory as a dummy THD (32K is high enough)
char buf[32*1024] = {0};
THD * thd = (THD *)buf;
//sanity check that offsets match
//we can also consider using secutiry context function to do some sanity checks
// char buffer[2048];
// thd_security_context(thd, buffer, 2048, 2000);
// fprintf(log_file, "info from security context: %s\n", buffer);
//we set the thread id to a value using the offset and then check that the value matches what thd_get_thread_id returns
const my_thread_id test_val = 123456;
(*(my_thread_id *) (((char *) thd)+ offset->thread_id)) = test_val;
my_thread_id res= thd_get_thread_id(thd);
bool retval = res == test_val;
if (!retval)
{
sql_print_error(
"%s Offsets version: %s match thread validation check fails with value: %lu. Skipping offest.",
log_prefix, offset->version, res);
}
return retval;
}
/**
* Setup the offsets needs to extract data from THD.
*
@ -1005,18 +1071,24 @@ static bool parse_thd_offsets_string (char *poffsets_string)
static int setup_offsets()
{
DBUG_ENTER("setup_offsets");
sql_print_information ("%s setup_offsets offsets_string %s",log_prefix, offsets_string);
sql_print_information ("%s setup_offsets audit_offsets: %s",log_prefix, offsets_string);
unsigned char digest[16] = {0};
char digest_str [128] = {0};
const ThdOffsets * offset;
//if present the offset_string specified in my.cnf
//[mysqld]
//audit_offsets=6200, 6264, 3672, 3944, 88, 2048
if (validate_checksum_enable)
//if present in my.cnf
//[mysqld]
//audit_validate_checksum=1
// or if
//audit_checksum=0f4d7e3b17eb36f17aafe4360993a769
//need to calculate digest
if (validate_checksum_enable || (checksum_string != NULL && strlen(checksum_string) > 0))
{
sql_print_information ("%s Audit validate checksum enabled. Mysqld %s ",log_prefix, my_progname);
//setup digest_str to contain the md5sum in hex
sql_print_information(
"%s Validate checksum enabled. Mysqld %s ",
log_prefix, my_progname);
my_MD5Context context;
my_MD5Init(&context);
unsigned char * file_buff;
@ -1024,39 +1096,48 @@ static int setup_offsets()
File fd;
if (my_stat(my_progname, &stat_arg, MYF(MY_WME)))
{
if ((fd = my_open(my_progname,O_RDONLY, MYF(MY_WME))) > 0)
if ((fd = my_open(my_progname, O_RDONLY,
MYF(MY_WME))) > 0)
{
file_buff = (unsigned char*) my_malloc ((uint) stat_arg.st_size, MYF (MY_WME));
if (read(fd,(char*) file_buff,(uint) stat_arg.st_size) >= 0L)
file_buff = (unsigned char*) my_malloc(
(uint) stat_arg.st_size, MYF (MY_WME));
if (read(fd, (char*) file_buff,
(uint) stat_arg.st_size) >= 0L)
{
my_MD5Update (&context, file_buff, stat_arg.st_size);
my_MD5Update(&context, file_buff,
stat_arg.st_size);
my_MD5Final(digest, &context);
}
(void) my_close(fd, MYF(0));
free (file_buff);
#if MYSQL_VERSION_ID > 50505
my_free(file_buff);
#else
my_free(file_buff, MYF(0));
#endif
}
}
for (int j = 0; j < 16; j++) {
for (int j = 0; j < 16; j++)
{
sprintf(&(digest_str[j * 2]), "%02x", digest[j]);
}
}
//if present the offset_string specified in my.cnf
//[mysqld]
//audit_offsets=6200, 6264, 3672, 3944, 88, 2048
if (offsets_string != NULL)
{
if (checksum_string != NULL && strlen(checksum_string) > 0) {
if (strncasecmp(checksum_string, digest_str, 32)) {
// Checksum failed
sql_print_information("%s checksum check failed for %s, but found %s", log_prefix, checksum_string, digest_str);
if (checksum_string != NULL && strlen(checksum_string) > 0)
{
if (strncasecmp(checksum_string, digest_str, 32))
{
sql_print_information(
"%s checksum check failed for %s, but found %s",
log_prefix, checksum_string, digest_str);
DBUG_RETURN(1);
}
}
char buf[32*1024] = {0};
THD * thd = (THD *)buf;
const my_thread_id test_val = 123456;
if (parse_thd_offsets_string (offsets_string))
{
sql_print_information ("%s setup_offsets Audit_formatter::thd_offsets values: %d %d %d %d %d %d ", log_prefix,
@ -1067,36 +1148,26 @@ static int setup_offsets()
Audit_formatter::thd_offsets.lex,
Audit_formatter::thd_offsets.lex_comment);
(*(my_thread_id *) (((char *) thd)+ Audit_formatter::thd_offsets.thread_id)) = test_val;
my_thread_id res= thd_get_thread_id(thd);
if (res != test_val)
if (!validate_offsets(&Audit_formatter::thd_offsets))
{
sql_print_error("%s thread id check fails with value: %lu. Skipping offest.", log_prefix, res);
sql_print_error("%s Offsets set didn't pass validation. audit_offsets: %s .", log_prefix, offsets_string);
DBUG_RETURN(1);
}
}
else
{
sql_print_error("%s Audit offsets parser error. Skipping offest.", log_prefix);
sql_print_error("%s Failed parsing audit_offsets: %s", log_prefix, offsets_string);
DBUG_RETURN(1);
}
sql_print_information ("%s Validation passed. Using offsets from audit_offsets: %s",log_prefix, offsets_string);
DBUG_RETURN(0);
//exit from function
}
size_t arr_size = (sizeof(thd_offsets_arr) / sizeof(thd_offsets_arr[0]));
//iterate and search for the first offset which matches the version
//if present in my.cnf
//[mysqld]
//audit_validate_checksum=1
//plugin-load=AUDIT=libaudit_plugin.so
bool bCheckSumValidation = false;
for(int i=0; i < arr_size; i++)
{
offset = thd_offsets_arr + i;
//if present in my.cnf
//[mysqld]
@ -1104,16 +1175,15 @@ static int setup_offsets()
//plugin-load=AUDIT=libaudit_plugin.so
if (validate_checksum_enable && strlen (offset->md5digest) >0)
{
bCheckSumValidation = true;
int kd=0;
if (!strncasecmp(digest_str, offset->md5digest, 32)) {
if (!strncasecmp(digest_str, offset->md5digest, 32))
{
sql_print_information ("%s Checksum is %s verified", log_prefix, digest_str);
sql_print_information("%s Using offsets from offset version: %s", log_prefix, offset->version);
Audit_formatter::thd_offsets = *offset;
DBUG_RETURN(0);
//return
}
}
//if present in my.cnf
@ -1122,34 +1192,35 @@ static int setup_offsets()
//plugin-load=AUDIT=libaudit_plugin.so
if(!validate_checksum_enable && (strstr(server_version, offset->version)))
{
//check that offsets are actually correct. We use a buff of memory as a dummy THD (32K is high enough)
char buf[32*1024] = {0};
THD * thd = (THD *)buf;
//sanity check that offsets match
//we can also consider using secutiry context function to do some sanity checks
// char buffer[2048];
// thd_security_context(thd, buffer, 2048, 2000);
// fprintf(log_file, "info from security context: %s\n", buffer);
//we set the thread id to a value using the offset and then check that the value matches what thd_get_thread_id returns
unsigned long inst_thread_id = Audit_formatter::thd_inst_thread_id(thd);
const my_thread_id test_val = 123456;
(*(my_thread_id *) (((char *) thd)+ offset->thread_id)) = test_val;
my_thread_id res= thd_get_thread_id(thd);
if (res != test_val)
if (validate_offsets(offset))
{
sql_print_error(
"%s Offsets version: %s match server version: %s but thread id check fails with value: %lu. Skipping offest.",
log_prefix, offset->version, server_version, res);
sql_print_information("%s Using offsets from offset version: %s, digest: %s", log_prefix, offset->version, offset->md5digest);
Audit_formatter::thd_offsets = *offset;
DBUG_RETURN(0);
}
else
{
sql_print_information("%s Using offsets from offset version: %s", log_prefix, offset->version);
Audit_formatter::thd_offsets = *offset;
//try doing 24 byte decrement on THD offsets. Seen that on Ubuntu/Debian this is valid.
OFFSET dec = 24;
ThdOffsets decoffsets = *offset;
decoffsets.query_id -= dec;
decoffsets.thread_id -= dec;
decoffsets.main_security_ctx -= dec;
decoffsets.command -= dec;
if (validate_offsets(&decoffsets))
{
Audit_formatter::thd_offsets = decoffsets;
sql_print_information("%s Using decrement (%d) offsets from offset version: %s, digest: %s values: %d %d %d %d %d %d", log_prefix, dec, offset->version, offset->md5digest,
Audit_formatter::thd_offsets.query_id,
Audit_formatter::thd_offsets.thread_id,
Audit_formatter::thd_offsets.main_security_ctx,
Audit_formatter::thd_offsets.command,
Audit_formatter::thd_offsets.lex,
Audit_formatter::thd_offsets.lex_comment);
DBUG_RETURN(0);
}
}
}
}
@ -1225,50 +1296,48 @@ static int set_com_status_vars_array ()
}
DBUG_RETURN (0);
}
static int string_to_array (const void *save, void *array, int rows, int length)
static int string_to_array(const void *save, void *array,
int rows, int length)
{
const char* save_string;
save_string = *static_cast<const char* const *> (save);
char* string_array;
string_array = (char *) array;
int r = 0;
if (save_string !=NULL) {
if (save_string != NULL)
{
int p = 0;
for (int i = 0; save_string[i] != '\0'; i++) {
// consider space and tab and comma to be separators
// strings of multiple of them will be only a single separator
if (save_string[i] == ' ' || save_string[i] == '\t' || save_string[i] == ',') {
if (p > 0) {
for (int i = 0; save_string[i] != '\0'; i++)
{
if (save_string[i] == ' ' || save_string[i] == '\t'
|| save_string[i] == ',')
{
if (p > 0)
{
string_array[r * length + p] = '\0';
p = 0;
r++;
if (r == (rows - 1)) {
if (r == (rows - 1))
{
break;
}
}
}
// otherwise copy the character over
else {
else
{
string_array[r * length + p] = tolower(save_string[i]);
p++;
}
}
// if we have copied chars to the current row, then terminate the string and
// go to the next row.
if (p > 0) {
if (p > 0)
{
string_array[r * length + p] = '\0';
r++;
}
// now terminate the list
string_array[r * length + 0] = '\0';
}
return r;
}
/*
Initialize the daemon plugin installation.
@ -1285,18 +1354,22 @@ static int audit_plugin_init(void *p)
DBUG_ENTER("audit_plugin_init");
#ifdef __x86_64__
const char * arch = "64bit";
#else
const char * arch = "32bit";
#endif
sql_print_information(
"%s starting up. Version: %s, Revision: %s. AUDIT plugin interface version: %d. MySQL Server version: %s.",
"%s starting up. Version: %s , Revision: %s (%s). AUDIT plugin interface version: %d. MySQL Server version: %s.",
log_prefix, MYSQL_AUDIT_PLUGIN_VERSION,
MYSQL_AUDIT_PLUGIN_REVISION, audit_plugin.interface_version >> 8,
MYSQL_AUDIT_PLUGIN_REVISION, arch, audit_plugin.interface_version >> 8,
server_version);
//setup our offsets.
if(setup_offsets() != 0)
{
DBUG_RETURN(1);
}
// setup any values from my.cnf
if (delay_cmds_string != NULL) {
num_delay_cmds = string_to_array(&delay_cmds_string, delay_cmds_array, SQLCOM_END + 2, MAX_COMMAND_CHAR_NUMBERS);
sql_print_information("%s Set num_delay_cmds: %d", log_prefix, num_delay_cmds);
@ -1448,7 +1521,7 @@ static int audit_plugin_init(void *p)
DBUG_RETURN(1);
}
sql_print_information(
"%s hot patch open_tables address %p. Trampoline size: %ud.",
"%s hot patch open_tables address %p. Trampoline size: %u.",
log_prefix, *(bool (*)(THD *thd, TABLE_LIST **start, uint *counter, uint flags,
Prelocking_strategy *prelocking_strategy)) &open_tables,
trampoline_open_tables_size);
@ -1474,6 +1547,7 @@ static int audit_plugin_init(void *p)
{
DBUG_RETURN(1);
}
sql_print_information("%s Init completed successfully.", log_prefix);
DBUG_RETURN(0);
}
@ -1493,6 +1567,7 @@ static int audit_plugin_init(void *p)
static int audit_plugin_deinit(void *p)
{
DBUG_ENTER("audit_plugin_deinit");
sql_print_information("%s deinit", log_prefix);
remove_hot_functions();
//disable handlers
DBUG_RETURN(0);
@ -1536,30 +1611,26 @@ static void json_log_socket_enable(THD *thd, struct st_mysql_sys_var *var,
}
}
static void delay_cmds_string_update (THD *thd, struct st_mysql_sys_var *var,
void *tgt, const void *save)
static void delay_cmds_string_update(THD *thd,
struct st_mysql_sys_var *var, void *tgt,
const void *save)
{
// FIXME: This might leak memory for each update, but prevents a crash when original settings were in my.cnf
*(char **)tgt= my_strdup(*(char **) save, MYF(0));
num_delay_cmds = string_to_array(save, delay_cmds_array, SQLCOM_END + 2, MAX_COMMAND_CHAR_NUMBERS);
sql_print_information("%s Set num_delay_cmds: %d", log_prefix, num_delay_cmds);
}
static void record_cmds_string_update (THD *thd, struct st_mysql_sys_var *var,
void *tgt, const void *save)
static void record_cmds_string_update(THD *thd,
struct st_mysql_sys_var *var, void *tgt,
const void *save)
{
// FIXME: This might leak memory for each update, but prevents a crash when original settings were in my.cnf
*(char **)tgt= my_strdup(*(char **) save, MYF(0));
num_record_cmds = string_to_array(save, record_cmds_array, SQLCOM_END + 2, MAX_COMMAND_CHAR_NUMBERS);
sql_print_information("%s Set num_record_cmds: %d", log_prefix, num_record_cmds);
}
static void record_objs_string_update (THD *thd, struct st_mysql_sys_var *var,
void *tgt, const void *save)
static void record_objs_string_update(THD *thd,
struct st_mysql_sys_var *var, void *tgt,
const void *save)
{
// FIXME: This might leak memory for each update, but prevents a crash when original settings were in my.cnf
*(char **)tgt= my_strdup(*(char **) save, MYF(0));
num_record_objs = string_to_array(save, record_objs_array, MAX_NUM_OBJECT_ELEM + 2, MAX_OBJECT_CHAR_NUMBERS);
sql_print_information("%s Set num_record_objs: %d", log_prefix, num_record_objs);
}
@ -1596,7 +1667,6 @@ static MYSQL_SYSVAR_STR(checksum, checksum_string,
PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY | PLUGIN_VAR_MEMALLOC,
"AUDIT plugin checksum. Checksum for mysqld corresponding to offsets",
NULL, NULL, "");
static MYSQL_SYSVAR_BOOL(uninstall_plugin, uninstall_plugin_enable,
PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY ,
"AUDIT uninstall plugin Enable|Disable. Default disabled. If disabled attempts to uninstall the AUDIT plugin via the sql UNINSTALL command will fail.", NULL, NULL, 0);
@ -1616,17 +1686,15 @@ static MYSQL_SYSVAR_INT(delay_ms, delay_ms_val,
NULL, NULL, 0, 0, INT_MAX32, 0);
static MYSQL_SYSVAR_STR(delay_cmds, delay_cmds_string,
PLUGIN_VAR_RQCMDARG,
PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_MEMALLOC,
"AUDIT plugin delay commands to match against comma separated. If empty then delay is disabled.",
NULL, delay_cmds_string_update, NULL);
static MYSQL_SYSVAR_STR(record_cmds, record_cmds_string,
PLUGIN_VAR_RQCMDARG,
PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_MEMALLOC,
"AUDIT plugin commands to record, comma separated",
NULL, record_cmds_string_update, NULL);
static MYSQL_SYSVAR_STR(record_objs, record_objs_string,
PLUGIN_VAR_RQCMDARG,
PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_MEMALLOC,
"AUDIT plugin objects to record, comma separated",
NULL, record_objs_string_update, NULL);