Title

The MySQL Server must provide the capability for authorized users to capture, record, and log all content related to a user session. (Cat II impact)

Discussion

Without the capability to capture, record, and log all content related to a user session, investigations into suspicious user activity would be hampered. Typically, this DBMS capability would be used in conjunction with comparable monitoring of a user's online session, involving other software components such as operating systems, web servers and front-end user applications. The current requirement, however, deals specifically with the DBMS.

Check Content

If Audit Log Components are installed and running in the MySQL Server, the log files capture, record, and log all content related to a user session. Verify the audit_log plugin is installed and active: mysql> SHOW PLUGINS; If the audit_log plugin is not found or is disabled, this is a finding. Verify the audit log components are set in the system variables: mysql> SHOW VARIABLES LIKE 'audit_log%'; If the audit_log variables are not configured, this is a finding.

Fix Text

Install and activate the audit log component for MySQL and configure the variables required for logging.

Additional Identifiers

Rule ID:

Vulnerability ID: V-32366

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.