6.1 Ensure 'log_error' is configured correctly

Information

The error log contains information about events such as mariadbd starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mariadbd fails.

Rationale:

Enabling error logging increases the ability to detect malicious attempts against MariaDB and to catch other critical messages. For example, if the error log is not enabled, a connection error could go unnoticed.

When log_error is configured to stderr, MariaDB sends log data to the console. Logging to the console is useful, but it is ephemeral. It is not recommended, because console logging provides no means to restrict access, through permissions, strictly to MariaDB and dedicated MariaDB audit accounts. This may compromise the confidentiality of the MariaDB log data. Use caution when co-mingling log data from multiple sources, as that can complicate log inspection. From a security auditing perspective, it is also difficult and error-prone to verify that logging is correct when using stderr or redirected stderr.

Solution

Perform the following actions to remediate this setting:

Open the MariaDB configuration file (mariadb.cnf).

Set the log_error option to the path for the error log.

Default Value:

./stderr.err
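One way to check a configuration file for this setting, as an added example that is not part of the benchmark or of MariaDB's own tooling. The function names, the set of server groups, the sample file contents and the choice to fail a bare log_error line (because the remediation asks for a path) are assumptions of this sketch.

```python
import os

# Option groups this sketch treats as read by the server (assumed set).
SERVER_GROUPS = {"mysqld", "mariadb", "mariadbd", "server"}

def find_log_error(cnf_text):
    """Return the last log_error value set in a server group, or None if unset.

    A bare `log_error` line with no value returns the empty string.
    !include/!includedir directives are skipped, not followed.
    """
    group, value = None, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":   # blank, comment or include directive
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip().lower()
            continue
        if group not in SERVER_GROUPS:     # e.g. [client] settings do not count
            continue
        name, _, val = line.partition("=")
        # MariaDB accepts '-' and '_' interchangeably in option names.
        if name.strip().replace("-", "_").lower() == "log_error":
            value = val.strip().strip("'\"")
    return value

def audit_log_error(cnf_text):
    """Return (passed, reason) for the log_error check described above."""
    value = find_log_error(cnf_text)
    if value is None:
        return False, "log_error is not set in any server group"
    if value == "":
        return False, "log_error is set without a path"
    if value == "stderr" or os.path.basename(value) == "stderr.err":
        return False, f"log_error points at stderr ({value})"
    return True, f"log_error writes to {value}"

# Constructed sample files, not taken from a real host.
WEAK = "[client]\nlog_error=/tmp/ignored.log\n\n[mariadbd]\nport=3306\n"
FIXED = "[mariadbd]\nlog-error = /var/log/mariadb/error.log\n"

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_log_error(text))
```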

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2

Plugin: MySQLDB

Control ID: c7e6211b38b4ea34af1fd979ad41b2785901d376512ad16ffedd296a45d2cdaa