3.9 Ensure 'audit_log_file' Has Appropriate Permissions

Information

MySQL can operate using a variety of log files, each used for different purposes. These are the binary log, error log, slow query log, relay log, audit log and general log. Because these are files on the host operating system, they are subject to the permissions and ownership structure provided by the host and may be accessible by users other than the MySQL user.

Rationale:

Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs.

Impact:

Changing the permissions and ownership of the audit log file changes who can read and edit it. Such a change can break monitoring tools that read the file through a log-file adapter or a scripted alternative, and, because infrastructure teams may use the audit log for alerting, it can interrupt real-time audit capability until those tools are given access through the mysql group.

Solution

Execute the following commands for the audit_log_file discovered in the audit procedure:

chmod 660 <audit_log_file>
chown mysql:mysql <audit_log_file>
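The following script is an added example, not part of the CIS benchmark text. It resolves the `audit_log_file` value to a path (MySQL interprets a relative value relative to `datadir`), checks that the file is owned by the MySQL service account with a mode of 660 or more restrictive, and applies the benchmark's remediation. It assumes GNU coreutils `stat -c` and a service account named `mysql:mysql`; both are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): check and remediate the MySQL
# audit log file's ownership and mode. Assumes GNU coreutils `stat -c` and a
# service account named mysql:mysql (both assumptions; adjust for your host).

# Resolve the audit_log_file value to an absolute path. MySQL treats a relative
# audit_log_file as relative to datadir, so both values are needed, e.g.:
#   mysql -N -e "SELECT @@global.datadir, @@global.audit_log_file"
resolve_audit_log_path() {
  datadir=$1
  value=$2
  case "$value" in
    /*) printf '%s\n' "$value" ;;
    *)  printf '%s\n' "${datadir%/}/$value" ;;
  esac
}

# Print the 3-digit octal mode of FILE, ignoring setuid/setgid/sticky bits.
file_mode() {
  printf '%03o' $(( 0$(stat -c '%a' "$1") & 0777 ))
}

# check_audit_log_perms FILE [OWNER] [GROUP]
# Returns 0 only if FILE is a regular file owned by OWNER:GROUP whose mode is
# 660 or more restrictive (no permission bit outside rw-rw----).
check_audit_log_perms() {
  file=$1
  owner=${2:-mysql}
  group=${3:-mysql}
  if [ ! -f "$file" ]; then
    echo "FAIL: $file is missing or not a regular file"
    return 1
  fi
  mode=$(file_mode "$file")
  actual_owner=$(stat -c '%U' "$file")
  actual_group=$(stat -c '%G' "$file")
  status=0
  # Any bit set outside 0660 (other-readable, group-executable, ...) fails.
  if [ $(( 0$mode & ~0660 )) -ne 0 ]; then
    echo "FAIL: $file mode is $mode, expected 660 or more restrictive"
    status=1
  fi
  if [ "$actual_owner" != "$owner" ] || [ "$actual_group" != "$group" ]; then
    echo "FAIL: $file owned by $actual_owner:$actual_group, expected $owner:$group"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "PASS: $file is $mode $actual_owner:$actual_group"
  return "$status"
}

# Remediation exactly as in the benchmark's solution; must run as root.
fix_audit_log_perms() {
  chmod 660 "$1" && chown "${2:-mysql}:${3:-mysql}" "$1"
}

# Typical use (the two values come from the SELECT shown above):
#   f=$(resolve_audit_log_path /var/lib/mysql audit.log)
#   check_audit_log_perms "$f" || fix_audit_log_perms "$f"
```

The check accepts 600 as well as 660, since the benchmark asks for 660 or more restrictive, and rejects anything that grants access to "other" or sets an execute bit. The benchmark's solution names only the active file; if audit log rotation is enabled, run the same check over the rotated copies in the same directory, which carry whatever mode they had when they were the active file.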

See Also

https://workbench.cisecurity.org/benchmarks/15112

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 0c718c2a8d0f3e2bcc524c1757795c70ff30fd05db0832a49e807af7004ed6e4