Description:
If the audit_log plugin is already installed on the instance, the CONNECTION_CONTROL plugin doesn't work.
root@localhost [mysql]> SELECT @@hostname,PLUGIN_NAME,PLUGIN_TYPE,PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS where PLUGIN_TYPE = 'AUDIT';
+------------+--------------------+-------------+---------------+
| @@hostname | PLUGIN_NAME | PLUGIN_TYPE | PLUGIN_STATUS |
+------------+--------------------+-------------+---------------+
| misc01 | audit_log | AUDIT | DELETED |
| misc01 | CONNECTION_CONTROL | AUDIT | ACTIVE |
| misc01 | MYSQL_FIREWALL | AUDIT | ACTIVE |
+------------+--------------------+-------------+---------------+
3 rows in set (0.01 sec)
root@localhost [mysql]>
How to repeat:
1) Status
root@localhost [(none)]> SELECT @@hostname,PLUGIN_NAME,PLUGIN_TYPE,PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS where PLUGIN_TYPE = 'AUDIT';
+------------+--------------------+-------------+---------------+
| @@hostname | PLUGIN_NAME | PLUGIN_TYPE | PLUGIN_STATUS |
+------------+--------------------+-------------+---------------+
| misc01 | audit_log | AUDIT | ACTIVE |
| misc01 | CONNECTION_CONTROL | AUDIT | ACTIVE |
| misc01 | MYSQL_FIREWALL | AUDIT | ACTIVE |
+------------+--------------------+-------------+---------------+
3 rows in set (0.00 sec)
2) Try the CONNECTION_CONTROL plugin
[admin@misc01 ~]$ time mysql -u admin -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)
real 0m0.023s
user 0m0.015s
sys 0m0.006s
[admin@misc01 ~]$ time mysql -u admin -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)
real 0m0.020s
user 0m0.009s
sys 0m0.008s
[admin@misc01 ~]$ time mysql -u admin -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)
real 0m0.022s
user 0m0.011s
sys 0m0.008s
[admin@misc01 ~]$ time mysql -u admin -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)
real 0m0.018s
user 0m0.011s
sys 0m0.005s
[admin@misc01 ~]$ time mysql -u admin -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)
real 0m0.022s
user 0m0.012s
sys 0m0.006s
[admin@misc01 ~]$
root@localhost [(none)]> select * from information_schema.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;
Empty set (0.00 sec)
root@localhost [(none)]> SHOW GLOBAL STATUS LIKE 'connection_control%';
+------------------------------------+-------+
| Variable_name | Value |
+------------------------------------+-------+
| Connection_control_delay_generated | 0 |
+------------------------------------+-------+
1 row in set (0.01 sec)
root@localhost [(none)]>
3) Even after deleting the rule, CONNECTION_CONTROL doesn't work.
Then uninstall the audit_log plugin.
root@localhost [mysql]> select * from audit_log_filter;
+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
| NAME | FILTER |
+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
| log_confidential | {"filter": {"class": {"name": "table_access", "event": {"log": {"field": {"name": "table_name.str", "value": "confidential"}}, "name": "read"}}}} |
+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
root@localhost [mysql]> select * from audit_log_user;
+--------------+------+------------------+
| USER | HOST | FILTERNAME |
+--------------+------+------------------+
| audit_target | % | log_confidential |
+--------------+------+------------------+
1 row in set (0.00 sec)
root@localhost [mysql]>
root@localhost [mysql]> delete from audit_log_filter;delete from audit_log_user;
Query OK, 1 row affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
root@localhost [mysql]> SELECT audit_log_filter_flush();
+--------------------------+
| audit_log_filter_flush() |
+--------------------------+
| OK |
+--------------------------+
1 row in set (0.00 sec)
root@localhost [mysql]> DROP TABLE IF EXISTS mysql.audit_log_filter;
Query OK, 0 rows affected (0.00 sec)
root@localhost [mysql]> DROP TABLE IF EXISTS mysql.audit_log_user;
Query OK, 0 rows affected (0.00 sec)
root@localhost [mysql]> UNINSTALL PLUGIN audit_log;
Query OK, 0 rows affected, 1 warning (0.00 sec)
root@localhost [mysql]> DROP FUNCTION audit_log_filter_set_filter;
Query OK, 0 rows affected (0.00 sec)
root@localhost [mysql]> DROP FUNCTION audit_log_filter_remove_filter;
Query OK, 0 rows affected (0.00 sec)
root@localhost [mysql]> DROP FUNCTION audit_log_filter_set_user;
Query OK, 0 rows affected (0.00 sec)
root@localhost [mysql]> DROP FUNCTION audit_log_filter_remove_user;
Query OK, 0 rows affected (0.00 sec)
root@localhost [mysql]> DROP FUNCTION audit_log_filter_flush;
Query OK, 0 rows affected (0.00 sec)
root@localhost [mysql]>
root@localhost [mysql]> SELECT @@hostname,PLUGIN_NAME,PLUGIN_TYPE,PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS where PLUGIN_TYPE = 'AUDIT';
+------------+--------------------+-------------+---------------+
| @@hostname | PLUGIN_NAME | PLUGIN_TYPE | PLUGIN_STATUS |
+------------+--------------------+-------------+---------------+
| misc01 | audit_log | AUDIT | DELETED |
| misc01 | CONNECTION_CONTROL | AUDIT | ACTIVE |
| misc01 | MYSQL_FIREWALL | AUDIT | ACTIVE |
+------------+--------------------+-------------+---------------+
3 rows in set (0.01 sec)
root@localhost [mysql]>
4) Retry the CONNECTION_CONTROL plugin.
Then I could confirm that CONNECTION_CONTROL functions successfully.
[admin@misc01 ~]$ time mysql -u admin -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)
real 0m0.022s
user 0m0.010s
sys 0m0.008s
[admin@misc01 ~]$ time mysql -u admin -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)
real 0m0.016s
user 0m0.007s
sys 0m0.008s
[admin@misc01 ~]$ time mysql -u admin -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)
real 0m0.018s
user 0m0.011s
sys 0m0.004s
[admin@misc01 ~]$ time mysql -u admin -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)
real 0m1.017s <--- + 1000ms
user 0m0.011s
sys 0m0.004s
[admin@misc01 ~]$ time mysql -u admin -ppassword
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)
real 0m2.018s <--- + 1000ms
user 0m0.008s
sys 0m0.008s
[admin@misc01 ~]$
root@localhost [mysql]> select * from information_schema.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;
+-------------+-----------------+
| USERHOST | FAILED_ATTEMPTS |
+-------------+-----------------+
| 'admin'@'%' | 5 | <--- Count Up successfully
+-------------+-----------------+
1 row in set (0.00 sec)
root@localhost [mysql]>
root@localhost [mysql]> SHOW GLOBAL STATUS LIKE 'connection_control%';
+------------------------------------+-------+
| Variable_name | Value |
+------------------------------------+-------+
| Connection_control_delay_generated | 2 | <--- Count Up successfully
+------------------------------------+-------+
1 row in set (0.01 sec)
root@localhost [mysql]>
Suggested fix:
Please enable the CONNECTION_CONTROL plugin even when the audit_log plugin is installed.
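
Added example (not part of the original report and not MySQL code): a Python check that turns the manual comparison in steps 2 and 4 into a test, so that a plugin reported as ACTIVE but not throttling is caught. It assumes the default connection_control_failed_connections_threshold of 3 and connection_control_min_connection_delay of 1000 ms (the report does not show the settings, but the +1000ms steps in step 4 match them) and that the delay counter started at 0; the function names and sample strings are constructed for illustration.

```python
import re

# Constructed samples: `real` lines and status rows in the shape shown in steps 2 and 4.
STEP2_TIMES = "real 0m0.023s\nreal 0m0.020s\nreal 0m0.022s\nreal 0m0.018s\nreal 0m0.022s\n"
STEP4_TIMES = "real 0m0.022s\nreal 0m0.016s\nreal 0m0.018s\nreal 0m1.017s\nreal 0m2.018s\n"
STEP2_STATUS = "| Connection_control_delay_generated | 0 |"
STEP4_STATUS = "| Connection_control_delay_generated | 2 |"


def real_times_ms(transcript):
    """Wall-clock values printed by bash `time` (real XmY.YYYs), in milliseconds."""
    pairs = re.findall(r"^real\s+(\d+)m([\d.]+)s", transcript, re.M)
    return [int(m) * 60000 + round(float(s) * 1000) for m, s in pairs]


def expected_delays_ms(attempts, threshold=3, min_delay=1000, max_delay=2147483647):
    """Delay CONNECTION_CONTROL should add to each consecutive failed login."""
    return [0 if n <= threshold else min(min_delay * (n - threshold), max_delay)
            for n in range(1, attempts + 1)]


def delay_counter(status_output):
    """Connection_control_delay_generated from tabular SHOW GLOBAL STATUS output."""
    m = re.search(r"Connection_control_delay_generated\s*\|\s*(\d+)", status_output)
    return int(m.group(1)) if m else None


def check_enforcement(transcript, status_output, threshold=3, min_delay=1000):
    """Compare observed login times and the delay counter with expected throttling."""
    times = real_times_ms(transcript)
    expected = expected_delays_ms(len(times), threshold, min_delay)
    # An attempt past the threshold must take at least as long as its expected delay.
    undelayed = [n for n, (t, e) in enumerate(zip(times, expected), 1) if e and t < e]
    should_delay = sum(1 for e in expected if e)
    counter = delay_counter(status_output)
    return {"enforced": not undelayed and counter == should_delay,
            "undelayed_attempts": undelayed, "delay_counter": counter}


if __name__ == "__main__":
    print("step 2:", check_enforcement(STEP2_TIMES, STEP2_STATUS))
    print("step 4:", check_enforcement(STEP4_TIMES, STEP4_STATUS))
```

Run against a test account after any plugin install or uninstall; PLUGIN_STATUS alone reported ACTIVE in both the failing and the working case above.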