MySQL Forums
Forum List  »  Router & Proxy

Advanced Search
New Topic

Access logging
Posted by: Dan Gardner
Date: July 05, 2007 11:32AM

We (and presumably many other MySQL users) are currently struggling with requirement 10.1 of the Payment Card Industry Data Security Standard ("Is all access to cardholder data, including root/administration access, logged?") without spending large amounts on 3rd party solutions.

It would be of huge benefit to us if such logging were added in MySQL Proxy since there currently appear to be no plans to add it to MySQL itself. Adding the Lua hooks for read_auth and read_auth_result looks beyond my current Lua interface knowledge but I have included a proof-of-concept diff below for simply printing the auth request and result to stdout.

Index: network-mysqld-proxy.c
===================================================================
--- network-mysqld-proxy.c (revision 60)
+++ network-mysqld-proxy.c (working copy)
@@ -1744,6 +1744,17 @@

g_string_assign(con->default_db, auth.db_name ? auth.db_name : "");

+ printf(
+ "(%d.%d.%d.%d:%d) Authentication request for user '%s' to database '%s'\r\n",
+ (ntohl(recv_sock->addr.addr.ipv4.sin_addr.s_addr) >> 24) & 0xff,
+ (ntohl(recv_sock->addr.addr.ipv4.sin_addr.s_addr) >> 16) & 0xff,
+ (ntohl(recv_sock->addr.addr.ipv4.sin_addr.s_addr) >> 8) & 0xff,
+ (ntohl(recv_sock->addr.addr.ipv4.sin_addr.s_addr) >> 0) & 0xff,
+ ntohs(recv_sock->addr.addr.ipv4.sin_port),
+ auth.user,
+ con->default_db->str
+ );
+
if (auth.user) g_free(auth.user);
if (auth.scramble_buf) g_free(auth.scramble_buf);
if (auth.db_name) g_free(auth.db_name);
@@ -1772,6 +1783,21 @@
/* we aren't finished yet */
if (packet->len != recv_sock->packet_len + NET_HEADER_SIZE) return RET_SUCCESS;

+ printf(
+ "(%d.%d.%d.%d:%d) Authentication ",
+ (ntohl(send_sock->addr.addr.ipv4.sin_addr.s_addr) >> 24) & 0xff,
+ (ntohl(send_sock->addr.addr.ipv4.sin_addr.s_addr) >> 16) & 0xff,
+ (ntohl(send_sock->addr.addr.ipv4.sin_addr.s_addr) >> 8) & 0xff,
+ (ntohl(send_sock->addr.addr.ipv4.sin_addr.s_addr) >> 0) & 0xff,
+ ntohs(send_sock->addr.addr.ipv4.sin_port)
+ );
+
+ if (packet->str[4] != 0) {
+ printf("FAIL: %s\r\n", packet->str + 13);
+ } else {
+ printf("OK\r\n");
+ }
+
/* send the auth result to the client */

network_queue_append_chunk(send_sock->send_queue, packet);

Navigate: Previous MessageNext Message
Options: ReplyQuote


Subject
Views
Written By
Posted
Access logging
7307
Dan Gardner
July 05, 2007 11:32AM
Re: Access logging
3097
Jan Kneschke
July 07, 2007 03:27PM
Re: Access logging
3099
Dan Gardner
July 09, 2007 03:21AM
Re: Access logging
3227
Jan Kneschke
July 09, 2007 04:03AM
Re: Access logging
2810
Jan Kneschke
July 09, 2007 03:49PM


Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.