* Added support for:

MySQL 64-bit   8.0.28, 8.0.27, 8.0.26

MySQL 64-bit   5.7.37
MySQL 32-bit   5.7.37

MariaDB 64-bit  10.6.7, 10.6.5, 10.6.4, 10.6.3

MariaDB 64-bit  10.5.15, 10.4.24, 10.2.43
MariaDB 32-bit  10.2.43

CODE_OF_CONDUCT.md

@@ -22,14 +22,13 @@ include:
 
 Examples of unacceptable behavior by participants include:
 
-* The use of sexualized language or imagery and unwelcome sexual attention or
-  advances
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
 * Trolling, insulting/derogatory comments, and personal or political attacks
 * Public or private harassment
 * Publishing others' private information, such as a physical or electronic
-  address, without explicit permission
+ address, without explicit permission
 * Other conduct which could reasonably be considered inappropriate in a
-  professional setting
+ professional setting
 
 ## Our Responsibilities
 
@@ -55,8 +54,10 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at [email protected]. All
-complaints will be reviewed and investigated and will result in a response that
+
+reported by contacting the project team via **Github Issues**
+
+All complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.
 Further details of specific enforcement policies may be posted separately.

README.md

@@ -2,7 +2,7 @@
 
 
 ## Overview
-A MySQL plugin from McAfee providing audit capabilities for MySQL, 
+A MySQL plugin from Trellix providing audit capabilities for MySQL, 
 designed with an emphasis on security and audit requirements. The plugin may be used 
 as a standalone audit solution or configured to feed data to external monitoring tools.
 
@@ -13,7 +13,7 @@ https://github.com/mcafee/mysql-audit/wiki
 
 
 ## Installation / Configuration
-Official McAfee plugin binary releases can be downloaded from the Releases page on GitHub: <br/>
+Official Trellix plugin binary releases can be downloaded from the Releases page on GitHub: <br/>
 https://github.com/mcafee/mysql-audit/releases
 
 Please check out our wiki on GitHub for detailed installation and configuration instructions: <br/>

compiling.txt

@@ -2,7 +2,7 @@ Compiling instructions
 =======================
 
 Make sure you have installed the following packages:
- 
+
 autoconf
 automake
 gcc-c++
@@ -96,5 +96,5 @@ http://dev.mysql.com/doc/refman/5.1/en/source-configuration-options.html
 10. cd ../..
 11. chmod +x bootstrap.sh
 12. ./bootstrap.sh
-13. CXX='gcc -static-libgcc' CC='gcc -static-libgcc' MYSQL_AUDIT_PLUGIN_VERSION=1.1.11 MYSQL_AUDIT_PLUGIN_REVISION=`svn info|grep ^Revision|awk -F ": " '{print $2}'` ./configure --enable-debug=no --with-mysql=mariadb-10.2.10 --with-mysql-libservices=mariadb-10.2.10/libservices/libmysqlservices.a
+13. CXX='gcc -static-libgcc' CC='gcc -static-libgcc' MYSQL_AUDIT_PLUGIN_VERSION=1.1.12 MYSQL_AUDIT_PLUGIN_REVISION=`svn info|grep ^Revision|awk -F ": " '{print $2}'` ./configure --enable-debug=no --with-mysql=mariadb-10.2.10 --with-mysql-libservices=mariadb-10.2.10/libservices/libmysqlservices.a
 14. gmake <======== This will create the plugin "libaudit_plugin.so"

configure.ac

@@ -16,10 +16,19 @@ AC_DEFUN([CHECK_DEBUG], [
         AC_MSG_CHECKING(whether to enable debugging)
 
         if test "x$enable_debug" = "xyes"; then
-        CPPFLAGS="$CPPFLAGS -g -D_DEBUG"
+# Note that SAFE_MUTEX is needed in debug plugin compilation, in order that
+# it aligns with MySQL at debug level. Specifically, in the MySQL source file
+# "include/thr_mutex.h", we need both the my_mutex_init() function and the
+# my_mutex_lock() function to use the same paradigm (i.e. both using
+# "safe_mutex_*" calls ... or both using "native_mutex_*" calls ... but
+# definitely NOT a mix of 'safe' and 'native').
+        CPPFLAGS="$CPPFLAGS -g -D_DEBUG -DSAFE_MUTEX"
                 AC_MSG_RESULT(yes)
         else
-        		CPPFLAGS="$CPPFLAGS -g -O2 -DDBUG_OFF"
+# We need to specify -DDBUG_OFF and -DNDEBUG in order to compile the plugin
+# without MySQL debug components. Later versions of MySQL ignore the DBUG_OFF
+# flag, but continue to respect the NDEBUG flag.
+        CPPFLAGS="$CPPFLAGS -g -O2 -DDBUG_OFF -DNDEBUG"
                 AC_MSG_RESULT(no)
 		fi
 

include/audit_handler.h

@@ -17,7 +17,7 @@
 
 #include <pcre.h>
 
-#define AUDIT_LOG_PREFIX "McAfee Audit Plugin:"
+#define AUDIT_LOG_PREFIX "Trellix Audit Plugin:"
 #define AUDIT_PROTOCOL_VERSION "1.0"
 
 #if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 50709

include/mysql_inc.h

@@ -166,7 +166,7 @@ static inline bool vio_socket_connect(MYSQL_VIO vio, struct sockaddr *addr, sock
 #else
 /*********************************************/
 /*                                           */
-/*  resolve the symbols manualy to permit    */
+/*  resolve the symbols manually to permit   */
 /*  loading of the plugin in their absence   */
 /*                                           */
 /*********************************************/
@@ -181,6 +181,7 @@ static inline bool vio_socket_connect(MYSQL_VIO vio, struct sockaddr *addr, sock
     if (_vio_socket_connect_80020) return _vio_socket_connect_80020(vio, addr, len, false, timeout, nullptr);
     return true;
 }
+
 static inline bool init_vio_socket_connect()
 {
     void* handle = dlopen(NULL, RTLD_LAZY);
@@ -192,6 +193,27 @@ static inline bool init_vio_socket_connect()
     dlclose(handle);
     return _vio_socket_connect || _vio_socket_connect_80016 || _vio_socket_connect_80020;
 }
+
+extern const std::string & (*_str_session_80026)(int cmd);
+extern const LEX_STRING *_command_name;
+
+static inline const char* str_session(int cmd)
+{
+    if (_str_session_80026) return _str_session_80026(cmd).c_str();
+    if (_command_name) return _command_name[cmd].str;
+    return "";
+}
+
+static inline bool init_str_session()
+{
+    void* handle = dlopen(NULL, RTLD_LAZY);
+    if (!handle)
+        return false;
+    _command_name = (decltype(_command_name))dlsym(handle, "command_name");
+    _str_session_80026 = (decltype(_str_session_80026))dlsym(handle, "_ZN13Command_names11str_sessionE19enum_server_command");
+    dlclose(handle);
+    return _command_name || _str_session_80026;
+}
 #endif
 #endif
 
@@ -238,7 +260,7 @@ static inline const ::PFS_thread* get_current_thread()
 static inline bool init()
 {
 #if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000
-    return init_vio_socket_connect();
+    return init_vio_socket_connect() && init_str_session();
 #elif defined(HAVE_SESS_CONNECT_ATTRS) && defined(MARIADB_BASE_VERSION)
     return init_PFS_thread_get_current_thread();
 #else

plugin-name.txt

@@ -1,7 +1,7 @@
-Tue, Jun 27, 2017 10:48:38 AM
+Mon, Apr 11, 2022 10:48:38 AM
 =============================
 
-By default, the McAfee AUDIT plugin for MySQL* is named "AUDIT" and
+By default, the Trellix AUDIT plugin for MySQL* is named "AUDIT" and
 that is the name you should use when installing the plugin with the SQL
 "INSTALL PLUGIN" command.
 
@@ -10,10 +10,10 @@ various configuration variables.
 
 In order to avoid conflict with other vendors' auditing plugins whose
 names may start with "audit" (such as MySQL's "audit_log" plugin) it
-is possible to change the name of the McAfee plugin.  The steps are
+is possible to change the name of the Trellix plugin.  The steps are
 as follows:
 
-1. If you're currently using the McAfee plugin, unload it.
+1. If you're currently using the Trellix plugin, unload it.
 
 2. Edit the /usr/bin/mysqld_safe shell script (using the correct location
 for your system). For MySQL 5.7.9, look for the eval_log_error() function.
@@ -23,26 +23,26 @@ Before the line that says:
 
 add a line like this:
 
-	export MCAFEE_AUDIT_PLUGIN_NAME=MCAFEE # use any name you want
+	export MCAFEE_AUDIT_PLUGIN_NAME=TRELLIX # use any name you want
 
-You can use any name you like, "MCAFEE" is just an example.
+You can use any name you like, "TRELLIX" is just an example.
 
 For other MySQL versions, determine where the mysqld daemon is actually
 started, and set the environment variable right before that.
 
 3. After restarting MySQL, you will need to load the plugin using the
 new name. From the MySQL client:
 
-	install plugin MCAFEE soname 'libaudit_plugin.so';
+	install plugin TRELLIX soname 'libaudit_plugin.so';
 
 and/or from /etc/my.cnf:
 
 	[mysqld]
-	plugin-load=MCAFEE=libaudit_plugin.so
+	plugin-load=TRELLIX=libaudit_plugin.so
 
 Once you've done that, you must remember that the names of ALL the
 configuration variables will start with the lowercase version of the
-name you've chosen. For example, "mcafee_json_log_file" instead of
+name you've chosen. For example, "trellix_json_log_file" instead of
 "audit_json_log_file".
 
 If you previously had various "audit_XXX" variables set in your

src/audit_handler.cc

@@ -1073,7 +1073,11 @@ ssize_t Audit_json_formatter::event_format(ThdSesData *pThdData, IWriter *writer
 		const char *query_text = query;
 		size_t query_len = qlen;
 
+#if defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 100603
+		if (strcmp(col_connection->cs_name.str, "utf8") != 0)
+#else
 		if (strcmp(col_connection->csname, "utf8") != 0)
+#endif
 		{
 			// max UTF-8 bytes per char is 4.
 			size_t to_amount = (qlen * 4) + 1;

src/audit_offsets.cc

@@ -75,6 +75,14 @@ const ThdOffsets thd_offsets_arr[] =
 const ThdOffsets thd_offsets_arr[] =
 {
 	/* +++ MYSQL 64 OFFSETS GO HERE +++ */
+	//offsets for: /mysqlrpm/8.0.26/usr/sbin/mysqld (8.0.26)
+	{"8.0.26","0ae5395a4978c024e809b744a799cd3a", 8504, 8544, 4048, 5520, 496, 0, 0, 32, 64, 160, 584, 8644, 5144, 4208, 4216, 4220, 6800, 1608, 32, 7760, 7800, 7784, 11528, 140, 664, 328},
+	//offsets for: /mysqlrpm/8.0.27/usr/sbin/mysqld (8.0.27)
+	{"8.0.27","fb324bdef2d133735ba69c7223c849c9", 8512, 8552, 4048, 5528, 496, 0, 0, 32, 64, 160, 584, 8652, 5152, 4224, 4232, 4236, 6808, 1608, 32, 7768, 7808, 7792, 11536, 140, 664, 328},
+	//offsets for: /mysqlrpm/8.0.28/usr/sbin/mysqld (8.0.28)
+	{"8.0.28","83a37cda5966f156ec4ac742517db37e", 8584, 8624, 4120, 5600, 496, 0, 0, 32, 64, 160, 584, 8724, 5224, 4232, 4240, 4244, 6880, 1608, 32, 7840, 7880, 7864, 11608, 140, 664, 328},
+	//offsets for: /mysqlrpm/5.7.37/usr/sbin/mysqld (5.7.37)
+	{"5.7.37","fb0b3075cb05807123b68567607fd325", 7832, 7880, 3640, 4800, 456, 360, 0, 32, 64, 160, 544, 7996, 4368, 3648, 3656, 3660, 6080, 2072, 8, 7064, 7104, 7088, 13480, 148, 672, 0},
 	//offsets for: /mysqlrpm/5.7.36/usr/sbin/mysqld (5.7.36)
 	{"5.7.36","a510b439fd43a666e34b5e670bb5da86", 7832, 7880, 3640, 4800, 456, 360, 0, 32, 64, 160, 544, 7996, 4368, 3648, 3656, 3660, 6080, 2072, 8, 7064, 7104, 7088, 13480, 148, 672, 0},
 	//offsets for: /mysqlrpm/5.7.35/usr/sbin/mysqld (5.7.35)
@@ -436,6 +444,32 @@ const ThdOffsets thd_offsets_arr[] =
 const ThdOffsets thd_offsets_arr[] =
 {
 	/* +++ MARIADB 64 OFFSETS GO HERE +++ */
+	//offsets for: /mariadb/10.6.3/bin/mysqld (10.6.3-MariaDB)
+	{"10.6.3-MariaDB","fa61914d3b3a334d3ba5a8d019bafb50", 15688, 15848, 7768, 9928, 88, 3512, 8, 0, 16, 24, 152, 15956, 9560, 5672, 5680, 5684, 656, 0, 0, 14944, 14968, 14952, 24528, 564, 8, 0},
+	//offsets for: /mariadb/10.6.4/bin/mysqld (10.6.4-MariaDB)
+	{"10.6.4-MariaDB","f41f007042e929ca5b00de57536b3dec", 15664, 15824, 7744, 9904, 88, 3512, 8, 0, 16, 24, 152, 15940, 9536, 5672, 5680, 5684, 656, 0, 0, 14920, 14944, 14928, 24512, 564, 8, 0},
+	//offsets for: /mariadb/10.6.5/bin/mysqld (10.6.5-MariaDB)
+	{"10.6.5-MariaDB","82682c5e05878c8c0fcdc8a0ae945483", 15664, 15824, 7744, 9904, 88, 3512, 8, 0, 16, 24, 152, 15940, 9536, 5672, 5680, 5684, 656, 0, 0, 14920, 14944, 14928, 24512, 564, 8, 0},
+	//offsets for: /mariadb/10.6.7/bin/mysqld (10.6.7-MariaDB)
+	{"10.6.7-MariaDB","50d6d050b7ce0e882e385c328c20927b", 15664, 15824, 7744, 9904, 88, 3512, 8, 0, 16, 24, 152, 15940, 9536, 5672, 5680, 5684, 656, 0, 0, 14920, 14944, 14928, 24512, 564, 8, 0},
+	//offsets for: /mariadbrpm/10.6.3/usr/sbin/mariadbd (10.6.3-MariaDB)
+	{"10.6.3-MariaDB","ebfdcf0f950b82351005a05db08de352", 15688, 15848, 7768, 9928, 88, 3512, 8, 0, 16, 24, 152, 15956, 9560, 5672, 5680, 5684, 656, 0, 0, 14944, 14968, 14952, 24528, 564, 8, 0},
+	//offsets for: /mariadbrpm/10.6.4/usr/sbin/mariadbd (10.6.4-MariaDB)
+	{"10.6.4-MariaDB","9a2b4ae4f0b6d6dd9aaae8cd149add2e", 15664, 15824, 7744, 9904, 88, 3512, 8, 0, 16, 24, 152, 15940, 9536, 5672, 5680, 5684, 656, 0, 0, 14920, 14944, 14928, 24512, 564, 8, 0},
+	//offsets for: /mariadbrpm/10.6.5/usr/sbin/mariadbd (10.6.5-MariaDB)
+	{"10.6.5-MariaDB","90cfc8ff0ed2aef04154b503bbd5f2f2", 15664, 15824, 7744, 9904, 88, 3512, 8, 0, 16, 24, 152, 15940, 9536, 5672, 5680, 5684, 656, 0, 0, 14920, 14944, 14928, 24512, 564, 8, 0},
+	//offsets for: /mariadbrpm/10.6.7/usr/sbin/mariadbd (10.6.7-MariaDB)
+	{"10.6.7-MariaDB","9163361e728a4cfcd20d1d18928fda63", 15664, 15824, 7744, 9904, 88, 3512, 8, 0, 16, 24, 152, 15940, 9536, 5672, 5680, 5684, 656, 0, 0, 14920, 14944, 14928, 24512, 564, 8, 0},
+	//offsets for: /mariadb/10.4.24/bin/mysqld (10.4.24-MariaDB)
+	{"10.4.24-MariaDB","d0709b66f85f1d6dbd97f49eec72a30d", 14616, 14768, 7272, 9008, 88, 3536, 8, 0, 16, 24, 152, 14876, 8664, 2984, 2992, 2996, 640, 0, 0, 13992, 14016, 14000, 23408, 564, 8, 0},
+	//offsets for: /mariadb/10.5.15/bin/mysqld (10.5.15-MariaDB)
+	{"10.5.15-MariaDB","6cf2a099ba5a317561f42ae66aa9c9f2", 15216, 15376, 7704, 9472, 88, 3552, 8, 0, 16, 24, 152, 15492, 9104, 5480, 5488, 5492, 640, 0, 0, 14472, 14496, 14480, 24072, 564, 8, 0},
+	//offsets for: /mariadbrpm/10.4.24/usr/sbin/mariadbd (10.4.24-MariaDB)
+	{"10.4.24-MariaDB","6625d0e2ff924708b83edeb4f2ddd338", 14616, 14768, 7272, 9008, 88, 3536, 8, 0, 16, 24, 152, 14876, 8664, 2984, 2992, 2996, 640, 0, 0, 13992, 14016, 14000, 23408, 564, 8, 0},
+	//offsets for: /mariadbrpm/10.5.15/usr/sbin/mariadbd (10.5.15-MariaDB)
+	{"10.5.15-MariaDB","21072edb0f9245ec94cbcfca439f8713", 15216, 15376, 7704, 9472, 88, 3552, 8, 0, 16, 24, 152, 15492, 9104, 5480, 5488, 5492, 640, 0, 0, 14472, 14496, 14480, 24072, 564, 8, 0},
+	//offsets for: /mariadb/10.2.43/bin/mysqld (10.2.43-MariaDB)
+	{"10.2.43-MariaDB","3536787cd3635724bc47286f5ffc298e", 13880, 13944, 6672, 8288, 88, 3224, 8, 0, 16, 24, 152, 14044, 8048, 2984, 2992, 2996, 608, 0, 0, 13256, 13280, 13264, 21232, 548, 516, 0},
 	//offsets for: /mariadb/10.4.22/bin/mysqld (10.4.22-MariaDB)
 	{"10.4.22-MariaDB","52891aee2583ecc6e1ae386379db035e", 14616, 14768, 7272, 9008, 88, 3536, 8, 0, 16, 24, 152, 14876, 8664, 2984, 2992, 2996, 640, 0, 0, 13992, 14016, 14000, 23408, 564, 8, 0},
 	//offsets for: /mariadb/10.5.13/bin/mysqld (10.5.13-MariaDB)
@@ -1147,6 +1181,10 @@ const ThdOffsets thd_offsets_arr[] =
 const ThdOffsets thd_offsets_arr[] =
 {
 	/* +++ MYSQL 32 OFFSETS GO HERE +++ */
+	//offsets for: /mysqlrpm/8.0.26/usr/sbin/mysqld (8.0.26)
+	{"8.0.26","39a33a3c2a3f6c076e21fabb10be7ab5", 5668, 5692, 2492, 3636, 320, 0, 0, 20, 40, 100, 368, 5772, 3420, 3652, 3656, 3660, 4324, 928, 16, 5124, 5160, 5144, 8108, 72, 596, 176},
+	//offsets for: /mysqlrpm/5.7.37/usr/sbin/mysqld (5.7.37)
+	{"5.7.37","6af07772eef15eb7e47de7749fa429ae", 5088, 5116, 2216, 3040, 296, 200, 0, 20, 40, 100, 344, 5204, 2780, 3108, 3112, 3116, 3724, 1152, 4, 4540, 4576, 4560, 9052, 80, 604, 0},
 	//offsets for: /mysqlrpm/5.7.36/usr/sbin/mysqld (5.7.36)
 	{"5.7.36","d6f5b24c443e3c0a340580fdc1eb4879", 5088, 5116, 2216, 3040, 296, 200, 0, 20, 40, 100, 344, 5204, 2780, 3108, 3112, 3116, 3724, 1152, 4, 4540, 4576, 4560, 9052, 80, 604, 0},
 	//offsets for: /mysqlrpm/5.7.35/usr/sbin/mysqld (5.7.35)
@@ -1478,6 +1516,8 @@ const ThdOffsets thd_offsets_arr[] =
 const ThdOffsets thd_offsets_arr[] =
 {
 	/* +++ MARIADB 32 OFFSETS GO HERE +++ */
+	//offsets for: /mariadb/10.2.43/bin/mysqld (10.2.43-MariaDB)
+	{"10.2.43-MariaDB","6fc47e535a86f0b6864a461eb817e2f7", 8612, 8648, 3960, 5428, 44, 2044, 4, 0, 8, 12, 84, 8732, 5288, 2604, 2608, 2612, 376, 0, 0, 8136, 8160, 8144, 13476, 548, 516, 0},
 	//offsets for: /mariadb/10.2.41/bin/mysqld (10.2.41-MariaDB)
 	{"10.2.41-MariaDB","918d2a72191fd6d43114aceffd859edc", 8612, 8648, 3960, 5428, 44, 2044, 4, 0, 8, 12, 84, 8732, 5288, 2604, 2608, 2612, 376, 0, 0, 8136, 8160, 8144, 13476, 548, 516, 0},
 	//offsets for: /mariadb/10.2.40/bin/mysqld (10.2.40-MariaDB)