3.6 Ensure 'general_log_file' Has Appropriate Permissions

Information

MariaDB can operate using a variety of log files, each used for different purposes. These are the binary log (which can be encrypted), error log, slow query log, relay log (which can be encrypted), general log, and in the enterprise edition, the audit log (which can be encrypted). Because these are files on the host operating system, they are subject to the permissions and ownership structure provided by the host and may be accessible by users other than the MariaDB user. Additionally, using secure key management and at rest MariaDB encryption can further protect data from OS users.

Much of the information about the state of MariaDB exists in MariaDB, the MariaDB performance_schema or informations_schema. If you can get the information you need from within MySQL that is more secure as it does not require OS access. If you are not going to use log files it is best to first disable (don't enable) and remove any prior logs.

Rationale:

Limiting the accessibility, or existence, of these log files will protect the confidentiality, integrity, and availability of the MariaDB logs.

Impact:

Changing the permissions of the general log files may impact monitoring tools which use a log file adapter.

Solution

If you can, use MariaDB SYS, PERFORMANCE_SCHEMA, or MariaDBL Auditing as these are more secure options.
By default the general_log is disabled (0 or OFF). It's most secure to disable the general_log.
To disable the general_log_file:

SET PERSIST @@GENERAL_LOG=OFF;

If you must use general_log then assure the permissions are correct. Execute the following command for each log file location requiring corrected permissions and ownership:

chmod 600 <general_log_file>
chown mysql:mysql <general_log_file>

Default Value:

The variable general_log is set to OFF by default. The variable general_log_file is set to <host_name>.log by default.

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 695e1a54e5031dce3ff67c562f225f30d9d1b8661d41c706dd57fe72c396bd16