6.6 Ensure 'audit_log_exclude_accounts' is Set to 'NULL'

Information

The audit_log_exclude_accounts variable enables the administrator to set accounts for which events will not be logged in the audit log.

Rationale:

The audit_log_exclude_accounts variable has two permitted values: NULL or a list of MySQL accounts. Setting this variable correctly ensures that no single user is able to unintentionally evade being logged. Particular attention should be paid to privileged accounts, since such accounts are generally granted more privileges than normal users and should not be listed in this variable.

Impact:

If one or more users are set as the value of audit_log_exclude_accounts, those users will evade being logged in the audit log. This may allow malicious connections or query activity to go unnoticed in the audit log.

Solution

To remediate this configuration setting, execute the following SQL statement:

SET GLOBAL audit_log_exclude_accounts = NULL;

Or set audit_log_exclude_accounts=NULL in my.cnf.
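As an added example (not part of the CIS benchmark text), the Python checker below evaluates this setting from text an auditor already has, a my.cnf file or a tab-separated row of `mysql -B` SHOW GLOBAL VARIABLES output, and separately flags excluded accounts that are privileged. The account names, hosts and file contents are constructed; the set of privileged accounts is an assumption you would fill from your own instance.

```python
"""Added compliance check for this item (not from the CIS benchmark): evaluates
audit_log_exclude_accounts from a my.cnf file or a `mysql -B` SHOW VARIABLES row."""
import configparser
from typing import Optional

VARIABLE = "audit_log_exclude_accounts"


def parse_account_list(value: Optional[str]) -> list[str]:
    """Split 'u1@h1,u2@h2' into accounts; NULL, empty or absent means none."""
    if value is None:
        return []
    v = value.strip().strip("'\"")  # my.cnf values may be quoted
    if v == "" or v.upper() == "NULL":
        return []
    return [a.strip() for a in v.split(",") if a.strip()]


def exclude_accounts_from_mycnf(text: str) -> Optional[str]:
    """Raw setting from the [mysqld] section, or None if unset.
    Assumes a plain INI-style file ('!include' directives are not handled)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return cp.get("mysqld", VARIABLE, fallback=None)


def value_from_show_variables(row: str) -> Optional[str]:
    """Value column of a tab-separated 'Variable_name<TAB>Value' row."""
    name, _, value = row.partition("\t")
    return value if name.strip() == VARIABLE else None


def check(value: Optional[str], privileged: set[str]) -> dict:
    """Compliant only when no account is excluded; privileged exclusions are
    listed separately because the rationale singles them out."""
    excluded = parse_account_list(value)
    return {"compliant": not excluded,
            "excluded": excluded,
            "privileged_excluded": [a for a in excluded if a in privileged]}


# Constructed sample inputs (hypothetical accounts and hosts).
SAMPLE_MYCNF = ("[mysqld]\nplugin-load-add=audit_log.so\n"
                f"{VARIABLE}='root@localhost,batch@10.0.0.%'\n")
SAMPLE_ROW = f"{VARIABLE}\tNULL"  # the remediated state
PRIVILEGED = {"root@localhost", "dba@%"}  # assumption: fill from your instance

if __name__ == "__main__":
    print(check(exclude_accounts_from_mycnf(SAMPLE_MYCNF), PRIVILEGED))
    print(check(value_from_show_variables(SAMPLE_ROW), PRIVILEGED))
```

Checking both the running value and my.cnf matters because SET GLOBAL alone does not survive a server restart.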

Default Value:

audit_log_exclude_accounts is set to NULL by default.

See Also

https://workbench.cisecurity.org/files/3848