MariaDB must initiate session auditing upon startup.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-253674 | MADB-10-000900 | SV-253674r960888_rule | CCI-001464 | medium |
| Description | ||||
| Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session auditing is in use, it must be in operation for the whole time MariaDB is running. | ||||
| STIG | Date | |||
| MariaDB Enterprise 10.x Security Technical Implementation Guide | 2024-12-05 | |||
Details
Check Text (C-253674r960888_chk)
Verify the MariaDB Enterprise Audit plugin is loaded and actively logging:
MariaDB> SHOW GLOBAL STATUS LIKE 'Server_audit_active';
If the MariaDB Enterprise Audit is not active, this is a finding.
Check what filters are in place for user by running the following as an administrative user:
MariaDB> SELECT sau.host, sau.user, saf.filtername,
JSON_DETAILED(saf.rule)
FROM mysql.server_audit_filters saf
JOIN mysql.server_audit_users sau
ON saf.filtername = sau.filtername
WHERE saf.filtername != 'default'\G
Verify the corresponding audit filters are in place. If not, this is a finding.
Fix Text (F-57077r841546_fix)
If not already exists, create a named filter with the required auditing for the user in question. Example:
MariaDB> INSERT INTO mysql.server_audit_filters (filtername, rule)
VALUES ('session_auditing',
JSON_COMPACT(
'{
"connect_event": [
"CONNECT",
"DISCONNECT"
],
"table_event":[
"WRITE",
"CREATE",
"DROP",
"RENAME",
"ALTER"
]
}'
));
Then assign the named filter to the user. Example:
MariaDB> INSERT INTO mysql.server_audit_users (host, user, filtername) VALUES ("%", "username", "session_auditing");
Reload filters.
MariaDB> SET GLOBAL server_audit_reload_filters = ON;