Check: MADB-10-007100
MariaDB Enterprise 10.x STIG:
MADB-10-007100
(in versions v1 r3 through v1 r2)
Title
MariaDB must utilize centralized management of the content captured in audit records generated by all components of the DBMS. (Cat II impact)
Discussion
MariaDB can be configured to use syslog or any OS system file to store audit records to designated disk directories.

Review the server_audit_events to make sure that they include QUERY, and verify the server_audit_logging is set ON.

Check the log file location:

As the database administrator, run the following SQL:

    mysql -u root -e "show global variables like 'server_audit%'"

Verify the server_audit_logging is set ON.

To use system logs (syslog), verify from the query above the value of:

    server_audit_output_type=SYSLOG

To use an OS file, verify from the query above the value of:

    server_audit_output_type=FILE

The following values should also be checked:

    server_audit_file_rotate_now = ON
    server_audit_file_rotate_size = x*1024
    server_audit_file_rotations = x

server_audit_file_rotate_size is the size of the file (in bytes) that will cause file rotation. server_audit_file_rotations is the number of rotations to save.

Check with the security guide to verify that the central management system is getting the audit logs from the correct directories.

If MariaDB audit records are not written directly to or systematically transferred to the centralized log management system in the security guide, this is a finding.

If MariaDB does not have a continuous network connection to the centralized log management system, and MariaDB audit records are not transferred to the centralized log management system weekly or more often, this is a finding.
Check Content
Determine if the centralized log management system is pulling syslog. If so, verify MariaDB Enterprise Audit plugin is configured to write to syslog.

If the centralized log management system is not pulling syslog, verify the MariaDB Enterprise Audit plugin is configured to write to a file which the centralized log management system can access.

    MariaDB> SHOW GLOBAL VARIABLES LIKE 'server_audit_output_type';

If not writing to syslog, AND the audit file is not being pulled by a central log management system, this is a finding.
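The variable checks from the Discussion and Check Content above can be scripted. The following is an added example, not part of the STIG: the function name `check_audit_vars`, its `syslog`/`file` argument (how the central log system collects from this host, supplied by the reviewer) and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate server_audit% settings for MADB-10-007100.
# stdin: "name<TAB>value" rows, e.g. from
#   mysql -u root -N -B -e "SHOW GLOBAL VARIABLES LIKE 'server_audit%'"
# $1: how the central log system collects from this host, "syslog" or "file"
#     (assumption: supplied by the reviewer from the security guide).
check_audit_vars() {
  awk -F '\t' -v collector="$1" '
    { v[tolower($1)] = $2 }
    END {
      bad = 0
      if (toupper(v["server_audit_logging"]) != "ON") {
        print "FINDING: server_audit_logging is not ON"; bad = 1
      }
      # An empty server_audit_events means the plugin logs every event type.
      ev = toupper(v["server_audit_events"]); gsub(/ /, "", ev)
      if (ev != "" && ("," ev ",") !~ /,QUERY,/) {
        print "FINDING: server_audit_events does not include QUERY"; bad = 1
      }
      otype = toupper(v["server_audit_output_type"])
      if (otype != toupper(collector)) {
        print "FINDING: output type is " otype ", collector expects " toupper(collector)
        bad = 1
      } else if (otype == "FILE") {
        # The reviewer still has to confirm the collector reads this path.
        print "REVIEW: confirm collector reads " v["server_audit_file_path"]
      }
      if (!bad) print "OK: audit settings match the " collector " collector"
      exit bad
    }'
}

# Constructed sample output for a server that writes audit records to a file.
sample_file_server() {
  printf 'server_audit_logging\tON\n'
  printf 'server_audit_events\tCONNECT,QUERY,TABLE\n'
  printf 'server_audit_output_type\tfile\n'
  printf 'server_audit_file_path\t/path/to/audit.log\n'
}

sample_file_server | check_audit_vars file
```

A zero exit status only means the server-side variables are consistent with the stated collection method; whether the central system actually receives the records still has to be confirmed on the collector.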
Fix Text
Configure MariaDB or deploy and configure software tools to transfer audit records to a centralized log management system, continuously and in near-real time where a continuous network connection to the log management system exists, or at least weekly in the absence of such a connection.

If server_audit_output_type is set to FILE, set the directory in the MariaDB configuration file to one that is managed by the centralized management system.

    [server]
    server_audit_file_path = /path/to/audit.log

Restart MariaDB Enterprise Server.

To set up the audit logs to write to syslog:

Edit the mariadb-enterprise.cnf file. Add the following under the [mariadb] section:

    server_audit_output_type = 'syslog'

After the .cnf file is updated and saved, the mariadb database service must be restarted.

If audit logs are written to syslog, verify the central log management system is pulling the server's syslog.
Additional Identifiers
Rule ID: SV-253725r879729_rule
Vulnerability ID: V-253725
Group Title: SRG-APP-000356-DB-000314
CCIs
Number | Definition |
---|---|
CCI-001844 | The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components. |
Controls
Number | Title |
---|---|
AU-3 (2) | Centralized Management Of Planned Audit Record Content |