Check: MADB-10-008000
MariaDB Enterprise 10.x STIG:
MADB-10-008000
(in versions v2 r2 through v1 r2)
Title
MariaDB must produce audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s). (Cat II impact)
Discussion
Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks and an audit trail would not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
Check Content
To verify that system denies are logged when unprivileged users attempt to change database configuration, run the following commands using the database administrator, and a newly created user shown here as test_user: MariaDB> CREATE USER 'test_user'@'localhost' IDENTIFIED BY 'TEst_Password!2'; MariaDB> CREATE DATABASE myapp; MariaDB> CREATE TABLE myapp.mytable (a int, b char(10)); As the newly created test_user, alter the table: $ mariadb -u test_user -p Enter password: MariaDB> ALTER TABLE mytable ADD COLUMN (c int); Check the latest log to determine if the denial is logged. For example: $ tail -f /var/log/mysql/audit.log 20190909 12:14:29,osboxes,test_user9,localhost,21,0,CONNECT,,,0 20190909 12:14:29,osboxes,test_user9,localhost,21,10,QUERY,, alter table myapp.mytable add column (c int) ,1142 20190909 12:14:29,osboxes,test_user9,localhost,21,0,DISCONNECT,,,0 If the denial is not produced, this is a finding. By default MariaDB configuration files are owned by the OS Administrator user (here root) and cannot be edited by nonprivileged users: $ ls -la /etc | grep my.cnf -rw-r--r--. 1 root root 301 Aug 25 12:45 my.cnf If my.cnf is not owned by the OS administrator (chown here as root) and does not have read and write permissions for the owner, this is a finding.
Fix Text
The MariaDB Enterprise Audit plugin can be configured to audit these changes. Update necessary audit filters to include query_event ALL. Example: MariaDB> DELETE FROM mysql.server_audit_filters WHERE filtername = 'default'; MariaDB> INSERT INTO mysql.server_audit_filters (filtername, rule) VALUES ('default', JSON_COMPACT( '{ "connect_event": [ "CONNECT", "DISCONNECT" ], "query_event": [ "ALL" ] }' )); If the config files are not secured properly in the file system, change the ownership and permissions with operating system operations. Example: chown root:root /etc/my.cnf.d chmod 644 /etc/my.cnf.d
Additional Identifiers
Rule ID: SV-253733r1018602_rule
Vulnerability ID: V-253733
Group Title: SRG-APP-000381-DB-000361
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001814 |
The Information system supports auditing of the enforcement actions. |
CCI-003938 |
Automatically generate audit records of the enforcement actions. |
Controls
Number | Title |
---|---|
CM-5(1) |
Automated Access Enforcement / Auditing |