3.3 Ensure 'log_error' Has Appropriate Permissions

Information

MariaDB can operate using a variety of log files, each used for a different purpose. These are the binary log (which can be encrypted), error log, slow query log, relay log, general log, and, in the enterprise edition, the audit log (which can be encrypted). Because these are files on the host operating system, they are subject to the permissions and ownership structure provided by the host and may be accessible to users other than the MariaDB user. Additionally, using secure key management and at-rest MariaDB encryption can further protect data from OS users.

Much of the information about the state of MariaDB is available from within MariaDB itself, for example through the performance_schema or information_schema. In cases where the information you need is available from a running MariaDB instance, prefer these methods: they are more secure because they do not require OS login and file access.

Rationale:

Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MariaDB logs.

Impact:

Changing the permissions of the error log files might affect monitoring tools that read the error log through a file adapter.

Solution

Execute the following command for each log file location requiring corrected permissions and ownership:

chmod 600 <log file>
chown mysql:mysql <log file>
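As an added example (not part of the benchmark text), the following shell functions audit a log file against the 0600 / mysql:mysql target above, resolve the live error-log path from the server, and apply the prescribed remediation. It assumes GNU coreutils `stat` (Linux) and, for the path lookup only, a working `mysql` client login.

```shell
# Added example, not from the benchmark. Audit a MariaDB log file's mode and
# ownership against the 0600 / mysql:mysql target in the Solution.
# Assumes GNU coreutils `stat`. Returns 0 when compliant, 1 otherwise, 2 if missing.
check_log_perms() {
    file="$1"
    want_owner="${2:-mysql}"
    want_group="${3:-mysql}"
    [ -f "$file" ] || { echo "MISSING $file" >&2; return 2; }
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    status=0
    # Mode must be exactly 0600: no group or world access to the log at all.
    if [ "$mode" != "600" ]; then
        echo "FAIL $file: mode $mode (want 600)"
        status=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL $file: owner $owner:$group (want $want_owner:$want_group)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "PASS $file: mode $mode owner $owner:$group"
    return "$status"
}

# Ask the running server where it actually writes the error log instead of
# guessing from my.cnf. @@log_error is empty when the server logs to stderr
# (e.g. under systemd/journald); then there is no file for this control to fix.
mariadb_log_error_path() {
    mysql -NBe "SELECT @@log_error" 2>/dev/null
}

# Apply the remediation exactly as the Solution prescribes, then re-check.
remediate_log_perms() {
    chmod 600 "$1" && chown mysql:mysql "$1" && check_log_perms "$1"
}
```

Run `check_log_perms "$(mariadb_log_error_path)"` on the database host to audit, and `remediate_log_perms` as root only on files the audit flags.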

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.6

Plugin: Unix

Control ID: c4a199d5b69bb43565dc211e776d8c94aade01625b98d1be4c563eb50320ffcc