← Back to MariaDB Enterprise 10.x Security Technical Implementation Guide

V-253768

CAT II (Medium)

MariaDB must generate audit records showing starting and ending time for user access to the database(s).

Rule ID

SV-253768r961830_rule

STIG

MariaDB Enterprise 10.x Security Technical Implementation Guide

Version

V2R5

CCIs

CCI-000172

Discussion

For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to MariaDB lasts. This can be achieved by recording disconnections, in addition to logons/connections, in the audit logs. Disconnection may be initiated by the user or forced by the system (as in a timeout) or result from a system or network failure. To the greatest extent possible, all disconnections must be logged.

Check Content

Log in to and out of the MariaDB database server. Verify the connect and disconnect are logged in the audit logfile or syslog depending on how it is configured. 

If connect and disconnect are not logged, this is a finding.

Fix Text

Edit the necessary filters to include connect_events connect. Example:

MariaDB> DELETE FROM mysql.server_audit_filters WHERE filtername = 'default';

MariaDB> INSERT INTO mysql.server_audit_filters (filtername, rule)
   VALUES ('default',
      JSON_COMPACT(
         '{
            "connect_event": [
               "CONNECT",
               "DISCONNECT"
            ]
         }'
      ));