From cd1b7d2d2d67c829e97ee357a469228eaabd75da Mon Sep 17 00:00:00 2001
From: Arnold Robbins
Date: Tue, 25 Oct 2016 16:14:03 +0300
Subject: [PATCH] Offsets for MySQL 5.5.53, 5.6.34, 5.7.16, MariaDB 5.5.53. Improvements for Issue 144. Fix logging of failed login for recent MySQL 5.6.32+ and 5.7.14+.
---
 include/audit_handler.h | 1 +
 src/audit_handler.cc | 3 +--
 src/audit_offsets.cc | 16 ++++++++++++++++
 src/audit_plugin.cc | 31 ++++++++++++++++++++++++++++++-
 4 files changed, 48 insertions(+), 3 deletions(-)
diff --git a/include/audit_handler.h b/include/audit_handler.h
index 9012710..4df291f 100644
--- a/include/audit_handler.h
+++ b/include/audit_handler.h
@@ -113,6 +113,7 @@ public:
 ThdSesData(THD *pTHD);
 THD *getTHD() { return m_pThd;}
 const char *getCmdName() { return m_CmdName; }
+ void setCmdName(const char *cmd) { m_CmdName = cmd; }
 const char *getUserName() { return m_UserName; }
 /**
 * Start fetching objects. Return true if there are objects available.
diff --git a/src/audit_handler.cc b/src/audit_handler.cc
index b1dadb6..5b46100 100644
--- a/src/audit_handler.cc
+++ b/src/audit_handler.cc
@@ -861,8 +861,7 @@ bool ThdSesData::startGetObjects()
 // such as "show fields"
 if ( pLex
 && ( command == COM_QUERY
- || command == COM_STMT_PREPARE
- || command == COM_STMT_EXECUTE)
+ || (command == COM_STMT_EXECUTE && strcmp(cmd, "Execute") != 0))
 && pLex->query_tables)
 {
 m_tables = pLex->query_tables;
diff --git a/src/audit_offsets.cc b/src/audit_offsets.cc
index 746d9e3..7bb28df 100644
--- a/src/audit_offsets.cc
+++ b/src/audit_offsets.cc
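Review bot: In include/audit_handler.h, the new `setCmdName` stores the caller's pointer in `m_CmdName` without copying it, and the added line does not say so. The only caller visible in this patch passes the literal `"Failed Login"`, which is safe, but a later caller passing a stack or heap buffer would leave the audit record reading freed memory. A one-line comment above the setter would pin the contract, for example `// Does not copy: cmd must have static storage duration (e.g. a string literal).` The class body continues outside the hunk, so the declared type of `m_CmdName` is not visible here.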
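Review bot: In src/audit_handler.cc, the new test in `ThdSesData::startGetObjects()` decides whether to expose `pLex->query_tables` by comparing a display string, `strcmp(cmd, "Execute") != 0`, and `cmd` is defined outside the hunk. If `cmd` can ever be NULL that call is undefined behaviour, so unless the earlier code rules it out the test should read `cmd != NULL && strcmp(cmd, "Execute") != 0`. The change also drops `COM_STMT_PREPARE`, so a prepare event no longer carries table objects. If object-based record filtering depends on this list, a short comment saying why prepare is excluded and what the `"Execute"` name signifies would keep a later edit from opening a logging gap.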
@@ -22,6 +22,12 @@
 const ThdOffsets thd_offsets_arr[] =
 {
 /* +++ MYSQL 64 OFFSETS GO HERE +++ */
+ //offsets for: /mysqlrpm/5.5.53/usr/sbin/mysqld (5.5.53)
+ {"5.5.53","d5f027aa107b0947f102b362577e1f5b", 6144, 6192, 3816, 4312, 88, 2592, 96, 0, 32, 104, 120, 6264},
+ //offsets for: /mysqlrpm/5.6.34/usr/sbin/mysqld (5.6.34)
+ {"5.6.34","ce4e00cbac6928ab3f4a99564e34e08e", 6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128},
+ //offsets for: /mysqlrpm/5.7.16/usr/sbin/mysqld (5.7.16)
+ {"5.7.16","b9b6c3d10ea6109011a35ff1f491ce0b", 7800, 7848, 3624, 4776, 456, 360, 0, 32, 64, 160, 536, 7964},
 //offsets for: /mysqlrpm/5.5.52/usr/sbin/mysqld (5.5.52)
 {"5.5.52","efa4ce535b1ca81ce1bfdbe7ef3075e4", 6144, 6192, 3816, 4312, 88, 2592, 96, 0, 32, 104, 120, 6264},
 //offsets for: /mysqlrpm/5.6.33/usr/sbin/mysqld (5.6.33)
@@ -449,6 +455,12 @@ const ThdOffsets thd_offsets_arr[] =
 const ThdOffsets thd_offsets_arr[] =
 {
 /* +++ MYSQL 32 OFFSETS GO HERE +++ */
+ //offsets for: /mysqlrpm/5.5.53/usr/sbin/mysqld (5.5.53)
+ {"5.5.53","be1d5887eaa3488dda02616be36cba48", 3872, 3900, 2368, 2748, 44, 1656, 60, 0, 20, 64, 60, 3956},
+ //offsets for: /mysqlrpm/5.6.34/usr/sbin/mysqld (5.6.34)
+ {"5.6.34","e3536958e1ca5c8368db1866dd97c5b3", 4676, 4704, 2660, 3052, 36, 1748, 60, 0, 20, 64, 72, 4776},
+ //offsets for: /mysqlrpm/5.7.16/usr/sbin/mysqld (5.7.16)
+ {"5.7.16","0c1de7d7c75e9c0a8cad40603f238067", 5072, 5100, 2208, 3028, 296, 200, 0, 20, 40, 100, 340, 5188},
 //offsets for: /mysqlrpm/5.5.52/usr/sbin/mysqld (5.5.52)
 {"5.5.52","ec79e228d8a428a7514986298d458876", 3872, 3900, 2368, 2748, 44, 1656, 60, 0, 20, 64, 60, 3956},
 //offsets for: /mysqlrpm/5.6.33/usr/sbin/mysqld (5.6.33)
@@ -855,6 +867,8 @@ const ThdOffsets thd_offsets_arr[] =
 const ThdOffsets thd_offsets_arr[] =
 {
 /* +++ MARIADB 64 OFFSETS GO HERE +++ */
+ //offsets for: /mariadb/5.5.53/bin/mysqld (5.5.53-MariaDB)
+ {"5.5.53-MariaDB","eb0c1556c2f8eccc09b630c65376ee58", 12032, 12096, 5800, 6904, 88, 2920, 8, 0, 16, 24, 152, 12168},
 //offsets for: /mariadb/10.1.18/bin/mysqld (10.1.18-MariaDB)
 {"10.1.18-MariaDB","fa401704df1eabec593f85cdc022d0e4", 13640, 13704, 6416, 8024, 88, 2976, 8, 0, 16, 24, 152, 13796},
 //offsets for: /mariadb/5.5.52/bin/mysqld (5.5.52-MariaDB)
@@ -972,6 +986,8 @@ const ThdOffsets thd_offsets_arr[] =
 const ThdOffsets thd_offsets_arr[] =
 {
 /* +++ MARIADB 32 OFFSETS GO HERE +++ */
+ //offsets for: /mariadb/5.5.53/bin/mysqld (5.5.53-MariaDB)
+ {"5.5.53-MariaDB","9c258d940562df99ed869bc32e93e98f", 7276, 7312, 3460, 4468, 44, 1856, 4, 0, 8, 12, 84, 7372},
 //offsets for: /mariadb/10.1.18/bin/mysqld (10.1.18-MariaDB)
 {"10.1.18-MariaDB","c1f42e4cc9dc7d04dff76566970d584c", 8496, 8532, 3840, 5300, 44, 1892, 4, 0, 8, 12, 84, 8608},
 //offsets for: /mariadb/5.5.52/bin/mysqld (5.5.52-MariaDB)
diff --git a/src/audit_plugin.cc b/src/audit_plugin.cc
index ecc89f3..48ef978 100644
--- a/src/audit_plugin.cc
+++ b/src/audit_plugin.cc
@@ -511,6 +511,33 @@ static int audit_notify(THD *thd, mysql_event_class_t event_class,
 {
 audit_post_execute(thd);
 }
+ else if (MYSQL_AUDIT_GENERAL_ERROR == event_general->event_subclass)
+ {
+ ThdSesData ThdData(thd);
+
+ // Prior to MySQL 5.6.32 and 5.7.14, we could detect failed
+ // logins for existing users with bad passwords in the code
+ // for MYSQL_AUDIT_CONNECTION class (in the retrive_command
+ // function, called from the ThdSesData constructor).
+ //
+ // From those versions, we only get access denied indications in
+ // this auditing class with MYSQL_AUDIT_GENERAL_ERROR. Therefore
+ // we build the failed login message here for all cases, since
+ // we get such an indication for both non-existant users and
+ // existing users but with a bad password.
+ switch (event_general->general_error_code) {
+ case ER_ACCESS_DENIED_ERROR:
+ case ER_ACCESS_DENIED_NO_PASSWORD_ERROR:
+#ifdef ER_ACCOUNT_HAS_BEEN_LOCKED
+ case ER_ACCOUNT_HAS_BEEN_LOCKED:
+#endif
+ ThdData.setCmdName("Failed Login");
+ audit(&ThdData);
+ break;
+ default:
+ break;
+ }
+ }
 }
 else if (MYSQL_AUDIT_CONNECTION_CLASS == event_class)
 {
@@ -1183,7 +1210,7 @@ const char *retrieve_command(THD *thd, bool &is_sql_cmd)
 #if defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 100108
 if (command == COM_QUERY && sql_command >= 0 && sql_command < SQLCOM_END)
 #else
- if (sql_command >= 0 && sql_command < MAX_COM_STATUS_VARS_RECORDS)
+ if (command != COM_STMT_PREPARE && sql_command >= 0 && sql_command < MAX_COM_STATUS_VARS_RECORDS)
 #endif
 {
 is_sql_cmd = true;
@@ -1195,6 +1222,7 @@ const char *retrieve_command(THD *thd, bool &is_sql_cmd)
 cmd = command_name[command].str;
 }
+#if MYSQL_VERSION_ID < 50600
 const char *user = Audit_formatter::thd_inst_main_security_ctx_user(thd);
 const char *priv_user = Audit_formatter::thd_inst_main_security_ctx_priv_user(thd);
 if (strcmp(cmd, "Connect") == 0 &&
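Review bot: `ThdSesData ThdData(thd);` is constructed for every `MYSQL_AUDIT_GENERAL_ERROR` event, before the `switch` on `general_error_code` has decided whether the error is a login failure at all. The added comment says the constructor calls into the command-retrieval code, so every failing statement pays for a session snapshot that the `default:` arm then throws away. Moving the declaration into a braced block under the last `case` label, directly above `ThdData.setCmdName("Failed Login");`, keeps that work on the access-denied path only. `audit_notify` begins and ends outside the hunk.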
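Review bot: The added `command != COM_STMT_PREPARE &&` test in `retrieve_command` (hunk at -1183) carries no comment and changes only the `#else` arm; the MariaDB arm above it already restricts itself to `command == COM_QUERY`. The effect appears to be that a prepare skips the SQL-command lookup and is named by the `cmd = command_name[command].str;` fallback visible in the next hunk, but the lines between the two hunks are not shown. A comment on the new line would record the intent, for example `// COM_STMT_PREPARE: keep the protocol command name, not the SQL command being prepared.` The function starts and ends outside the hunk.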
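Review bot: The guard `#if MYSQL_VERSION_ID < 50600` (hunk at -1195, closed by the `#endif` in the following hunk at -1203) is a build-time test on the headers, while the comment added in `audit_notify` places the server behaviour change at 5.6.32 and 5.7.14. A build against 5.6.0–5.6.31 headers therefore depends entirely on the new `MYSQL_AUDIT_GENERAL_ERROR` branch for failed logins. A 5.5 build keeps this connection-class path and, if that branch is also compiled and fires there, may emit a second "Failed Login" record for one attempt. Both cases are worth confirming, since missed or doubled failed-login records skew brute-force detection. The directive pair should also be labelled, e.g. `#endif /* MYSQL_VERSION_ID < 50600 */`, with a comment stating which path owns failed-login logging on which versions.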
@@ -1203,6 +1231,7 @@ const char *retrieve_command(THD *thd, bool &is_sql_cmd)
 {
 cmd = "Failed Login";
 }
+#endif
 return cmd;
 }