Check: MADB-10-001700
MariaDB Enterprise 10.x STIG:
MADB-10-001700
(in versions v2 r2 through v1 r2)
Title
MariaDB must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. (Cat II impact)
Discussion
It is critical that when MariaDB is at risk of failing to process audit logs as required, an action is taken to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When the need for system availability does not outweigh the need for a complete audit trail, the DBMS should shut down immediately, rolling back all in-flight transactions. Systems where audit trail completeness is paramount will most likely be at a lower MAC level than MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid a shutdown in all but the most extreme situations.
Check Content
If the application owner has determined that the need for system availability outweighs the need for a complete audit trail, this is not applicable (NA). Otherwise, review the procedures, manual and/or automated, for monitoring the space used by audit trail(s) and for off-loading audit records to a centralized log management system. If the procedures do not exist, this is a finding. If the procedures exist, request evidence that they are followed. If the evidence indicates that the procedures are not followed, this is a finding. If the procedures exist, inquire if the system has ever run out of audit trail space in the last two years or since the last system upgrade, whichever is more recent. If it has run out of space in this period, and the procedures have not been updated to compensate, this is a finding.
Fix Text
Modify DBMS, OS, or third-party logging application settings to alert appropriate personnel when a specific percentage of log storage capacity is reached.
Additional Identifiers
Rule ID: SV-253677r960915_rule
Vulnerability ID: V-253677
Group Title: SRG-APP-000109-DB-000049
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000140 |
Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records. |
Controls
Number | Title |
---|---|
AU-5 |
Response to Audit Processing Failures |