Rule ID
SV-253674r960888_rule
Version
V2R5
CCIs
Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session auditing is in use, it must be in operation for the whole time MariaDB is running.
Verify the MariaDB Enterprise Audit plugin is loaded and actively logging: MariaDB> SHOW GLOBAL STATUS LIKE 'Server_audit_active'; If the MariaDB Enterprise Audit is not active, this is a finding. Check what filters are in place for user by running the following as an administrative user: MariaDB> SELECT sau.host, sau.user, saf.filtername, JSON_DETAILED(saf.rule) FROM mysql.server_audit_filters saf JOIN mysql.server_audit_users sau ON saf.filtername = sau.filtername WHERE saf.filtername != 'default'\G Verify the corresponding audit filters are in place. If not, this is a finding.
If not already exists, create a named filter with the required auditing for the user in question. Example:
MariaDB> INSERT INTO mysql.server_audit_filters (filtername, rule)
VALUES ('session_auditing',
JSON_COMPACT(
'{
"connect_event": [
"CONNECT",
"DISCONNECT"
],
"table_event":[
"WRITE",
"CREATE",
"DROP",
"RENAME",
"ALTER"
]
}'
));
Then assign the named filter to the user. Example:
MariaDB> INSERT INTO mysql.server_audit_users (host, user, filtername) VALUES ("%", "username", "session_auditing");
Reload filters.
MariaDB> SET GLOBAL server_audit_reload_filters = ON;