Check: MADB-10-000900
MariaDB Enterprise 10.x STIG:
MADB-10-000900
(in versions v2 r2 through v1 r2)
Title
MariaDB must initiate session auditing upon startup. (Cat II impact)
Discussion
Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session auditing is in use, it must be in operation for the whole time MariaDB is running.
Check Content
Verify the MariaDB Enterprise Audit plugin is loaded and actively logging: MariaDB> SHOW GLOBAL STATUS LIKE 'Server_audit_active'; If the MariaDB Enterprise Audit is not active, this is a finding. Check what filters are in place for user by running the following as an administrative user: MariaDB> SELECT sau.host, sau.user, saf.filtername, JSON_DETAILED(saf.rule) FROM mysql.server_audit_filters saf JOIN mysql.server_audit_users sau ON saf.filtername = sau.filtername WHERE saf.filtername != 'default'\G Verify the corresponding audit filters are in place. If not, this is a finding.
Fix Text
If not already exists, create a named filter with the required auditing for the user in question. Example: MariaDB> INSERT INTO mysql.server_audit_filters (filtername, rule) VALUES ('session_auditing', JSON_COMPACT( '{ "connect_event": [ "CONNECT", "DISCONNECT" ], "table_event":[ "WRITE", "CREATE", "DROP", "RENAME", "ALTER" ] }' )); Then assign the named filter to the user. Example: MariaDB> INSERT INTO mysql.server_audit_users (host, user, filtername) VALUES ("%", "username", "session_auditing"); Reload filters. MariaDB> SET GLOBAL server_audit_reload_filters = ON;
Additional Identifiers
Rule ID: SV-253674r960888_rule
Vulnerability ID: V-253674
Group Title: SRG-APP-000092-DB-000208
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001464 |
Initiates session audits automatically at system start-up. |
Controls
Number | Title |
---|---|
AU-14(1) |
System Start-up |