Check: MYS8-00-007800
Oracle MySQL 8.0 STIG:
MYS8-00-007800
(in versions v1 r5 through v1 r1)
Title
The MySQL Database Server 8.0 must initiate session auditing upon startup. (Cat II impact)
Discussion
Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session auditing is in use, it needs to be in operation for the whole time the Database Management System (DBMS) is running.
Check Content
Determine if an audit is configured and enabled. The my.cnf file will set the variable audit_file. Review the my.cnf file for the following entries: [mysqld] plugin-load-add=audit_log.so audit-log=FORCE_PLUS_PERMANENT If these entries are not present. This is a finding. Execute the following query: SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; The status of the "audit_log plugin" must be "active". If it is not "active", this is a finding. Review audit filters and associated users by running the following queries: SELECT `audit_log_filter`.`NAME`, `audit_log_filter`.`FILTER` FROM `mysql`.`audit_log_filter`; SELECT `audit_log_user`.`USER`, `audit_log_user`.`HOST`, `audit_log_user`.`FILTERNAME` FROM `mysql`.`audit_log_user`; All currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.
Fix Text
Configure the MySQL Audit to automatically start during system startup. Add to the my.cnf: [mysqld] plugin-load-add=audit_log.so audit-log=FORCE_PLUS_PERMANENT audit-log-format=JSON
Additional Identifiers
Rule ID: SV-235159r879562_rule
Vulnerability ID: V-235159
Group Title: SRG-APP-000092-DB-000208
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001464 |
The information system initiates session audits at system start-up. |
Controls
Number | Title |
---|---|
AU-14 (1) |
System Start-Up |