6.5 Ensure Audit Filters Capture Connection Attempts

Information

The functions audit_log_filter_set_filter() and audit_log_filter_set_user() are used to define rules for auditing. With this feature you can audit successful and/or failed connection events and write them to the audit log file.

Rationale:

The audit_log_filter_set_filter() function defines auditing filters; audit_log_filter_set_user() defines the users to which a filter applies. One or more filters can be created to log connection successes and/or failures.

Impact:

If the audit rule, or its assignment to targeted or all users, is not properly configured, failed connections, successful connections and other connection-related events will not be logged.

Solution

To remediate this configuration setting, execute one of the following sets of SQL statements:

Log all connections, successful and failed:

-- The filter definition is JSON, so it uses double quotes inside the single-quoted SQL string.
SET @f = '{ "filter": { "class": { "name": "connection" } } }';
SELECT audit_log_filter_set_filter('log_all_conn_events', @f);
-- Assign the filter to all accounts ('%' is the default/catch-all account).
SELECT audit_log_filter_set_user('%', 'log_all_conn_events');

Or

Log Only Failed Connections:

-- Filter-level "log": false suppresses everything not explicitly enabled below.
-- A connect event is logged only when its status field is non-zero (a failure);
-- disconnect events are never logged.
SET @f = '
{
  "filter": {
    "log": false,
    "class": {
      "name": "connection",
      "event": [
        { "name": "connect", "log": { "not": { "field": { "name": "status", "value": 0 } } } },
        { "name": "disconnect", "log": false }
      ]
    }
  }
}';
SELECT @f;
SELECT audit_log_filter_set_filter('log_conn_events', @f);
SELECT audit_log_filter_set_user('%', 'log_conn_events');
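To confirm that the two filter definitions above behave as intended before deploying them, the following added example (not part of this benchmark or of MySQL itself) is a small Python evaluator of the filter JSON. It models only the syntax these filters use ("log" items at filter, class and event level, plus "field" and "not" conditions) and only events of a class the filter names; the sample events and the status value 1045 are constructed.

```python
import json

# The two filter bodies from this section as constructed sample input. The JSON
# uses double quotes inside the SQL single-quoted string, as MySQL requires.
LOG_ALL_CONN_EVENTS = '{ "filter": { "class": { "name": "connection" } } }'
LOG_FAILED_CONN_ONLY = """{
  "filter": {
    "log": false,
    "class": {
      "name": "connection",
      "event": [
        { "name": "connect", "log": { "not": { "field": { "name": "status", "value": 0 } } } },
        { "name": "disconnect", "log": false }
      ]
    }
  }
}"""

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _cond(cond, event):
    """Evaluate a 'log' value: a boolean, a field test, or a 'not' wrapper."""
    if isinstance(cond, bool):
        return cond
    if "field" in cond:
        f = cond["field"]
        return event.get(f["name"]) == f["value"]
    if "not" in cond:
        return not _cond(cond["not"], event)
    raise ValueError("unsupported condition: %r" % (cond,))

def would_log(filter_json, event):
    """True if an event of a class named in the filter would be written.
    event: dict with 'class', 'name' and the fields a condition may test
    (e.g. 'status', where 0 means the connect succeeded). The most specific
    'log' item wins (event > class > filter); the filter-level default is true."""
    flt = json.loads(filter_json)["filter"]
    decision = flt.get("log", True)
    for cls in _as_list(flt.get("class", [])):
        if event["class"] not in _as_list(cls["name"]):
            continue
        decision = cls.get("log", decision)
        for ev in _as_list(cls.get("event", [])):
            if event["name"] in _as_list(ev["name"]):
                decision = ev.get("log", decision)
    return _cond(decision, event)
```

Run against a successful connect (status 0), a failed connect (non-zero status) and a disconnect, the first filter logs all three while the second logs only the failed connect.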

Default Value:

The default value for audit_log_connection_policy is ALL.

See Also

https://workbench.cisecurity.org/benchmarks/10139