MariaDB must be able to generate audit records when privileges/permissions are retrieved.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253672	MADB-10-000700	SV-253672r841541_rule		Medium

Description
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. MariaDB makes such information available through an audit log file. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that MariaDB continually performs to determine if any and every action on the database is permitted.

Description

Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. MariaDB makes such information available through an audit log file. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that MariaDB continually performs to determine if any and every action on the database is permitted.

STIG	Date
MariaDB Enterprise 10.x Security Technical Implementation Guide	2022-08-24

Details

Check Text ( C-57124r841539_chk )
Verify the MariaDB Enterprise Audit plugin is loaded and actively logging: MariaDB> SHOW GLOBAL STATUS LIKE 'Server_audit_active'; If the MariaDB Enterprise Audit is not active, this is a finding. Check what filters are in place by running the following as an administrative user: MariaDB> SELECT * FROM mysql.server_audit_filters; Verify query_events ALL is included in corresponding audit filters. If not, this is a finding. MariaDB> SHOW GLOBAL VARIABLES LIKE 'server_audit_file_path'; As a Linux user with sufficient privileges to view logs, tail the audit log file. $ tail -f /var/log/mysql/server_audit.log (default location) In another terminal run: MariaDB> SHOW GRANTS; If an audit record is not produced in the first terminal, this is a finding.

Check Text ( C-57124r841539_chk )

Verify the MariaDB Enterprise Audit plugin is loaded and actively logging:

MariaDB> SHOW GLOBAL STATUS LIKE 'Server_audit_active';

If the MariaDB Enterprise Audit is not active, this is a finding.

Check what filters are in place by running the following as an administrative user:

MariaDB> SELECT * FROM mysql.server_audit_filters;

Verify query_events ALL is included in corresponding audit filters. If not, this is a finding.

MariaDB> SHOW GLOBAL VARIABLES LIKE 'server_audit_file_path';

As a Linux user with sufficient privileges to view logs, tail the audit log file.

$ tail -f /var/log/mysql/server_audit.log (default location)

In another terminal run:

MariaDB> SHOW GRANTS;

If an audit record is not produced in the first terminal, this is a finding.

Fix Text (F-57075r841540_fix)
The MariaDB Enterprise Audit plugin can be configured to audit these changes. Update necessary audit filters to include query_event ALL. Example: MariaDB> DELETE FROM mysql.server_audit_filters WHERE filtername = 'default'; MariaDB> INSERT INTO mysql.server_audit_filters (filtername, rule) VALUES ('default', JSON_COMPACT( '{ "connect_event": [ "CONNECT", "DISCONNECT" ], "query_event": [ "ALL" ] }' ));

Fix Text (F-57075r841540_fix)

The MariaDB Enterprise Audit plugin can be configured to audit these changes.

Update necessary audit filters to include query_event ALL. Example:

MariaDB> DELETE FROM mysql.server_audit_filters WHERE filtername = 'default';

MariaDB> INSERT INTO mysql.server_audit_filters (filtername, rule)
VALUES ('default',
JSON_COMPACT(
'{
"connect_event": [
"CONNECT",
"DISCONNECT"
],
"query_event": [
"ALL"
]
}'
));