Linux's Viewpoint
You should run this Linux command
history | grep mysqladmin
This will let you see if anyone ran a shutdown from within the server. Note that this will not let you see remote mysqladmin shutdowns. Perhaps running tcpdump
and locating the word mysqladmin
or shutdown
might help.
MySQL's Viewpoint
Shutdown commands do not exist from command line utilities. Therefore, binary logs will not have shutdowns recorded. You are on the right track when you said;
One possibility I'm thinking is someone (who has SUPER privilege) turned off the binary log then run SHUTDOWN and turned it on again.
Look over the users with that privilege. Run this query:
SELECT user,host FROM mysql.user WHERE shutdown_priv='Y';
You may see something like this:
mysql> select user,host from mysql.user where shutdown_priv='Y';
+-------+--------------+
| user | host |
+-------+--------------+
| root | localhost |
| root | 127.0.0.1 |
| root | ::1 |
| root | 10.240.163.% |
| root | 10.48.19.% |
| user1 | % |
+-------+--------------+
6 rows in set (0.00 sec)
mysql>
You will see all the users that have shutdown privilege. SUPER privilege does not have the shutdown privilege. There is a separate privilege called SHUTDOWN.
You can quickly revoke that privilege. For example, note the user user1@'%'
. It has remote shutdown privileges. You can yank it with
REVOKE SHUTDOWN ON *.* FROM user1.'%';
or
UPDATE mysql.user SET shutdown_priv='N'
WHERE user='user1' AND host='%';
FLUSH PRIVILEGES;
That takes care of the remote shutdown privileges.
You should also address securing user connections by removing SHUTDOWN privilege from every user that does not need to have it. Perhaps you can do this:
UPDATE mysql.user SET shutdown_priv='N'
WHERE CONCAT(user,'@',host) NOT IN
('root@localhost','root@127.0.0.1');
FLUSH PRIVILEGES;
That way, only root@localhost
and root@127.0.0.1
can do mysqladmin shutdown
within the localhost. I would definitely have the root@127.0.0.1
on hand because there are times when mysqld loses connection to the mysql.sock
file and prevents root@localhost
from connecting to issue a shutdown. With the root@127.0.0.1
, you can issue this:
mysqladmin -uroot -p -h127.0.0.1 --protocol=tcp
to issue a mysqladmin shutdown without needed the socket file.
Give it a Try !!!
Best Answer
A)
Different methods of auditing MySQL server:
The error log
The slow query log
The binary log
Custom made triggers
Using MySQL Proxy
The general log - You can change general log file path to other path by editing value for this General log file variable in
my.cnf
You can refer this blog post: http://serge.frezefond.com/2013/04/how-can-we-audit-a-mysql-server/
B)
Using MySQL audit plugins
There are audit plugins released by MySQL and some of the forks, you can try them if you are concerned about security on your MySQL server
1) MySQL Enterprise Audit
Enterprise Audit uses the open MySQL Audit API to enable standard, policy-based monitoring and logging of connection and query activity executed on specific MySQL servers.
2) McAfee Audit Plugin - Open source
designed with an emphasis on security and audit requirements. The plugin may be used as a standalone audit solution or configured to feed data to external monitoring tools.
3) MariaDB Audit plugin
Auditing regulations are used by many enterprises to ensure they comply with laws and industry standards. Such regulations often require processes for tracking user access to data in databases.