MADB-10-007100 - MariaDB must utilize centralized management of the content captured in audit records generated by all components of the DBMS.

Information

MariaDB can be configured to use syslog or any OS system file to store audit records to designated disk directories.

Review the server_audit_events to make sure that they include QUERY, and verify the server_audit_logging is set ON.

Check the log file location:
----
As the database administrator, run the following query from the shell:
mysql -u root -e "SHOW GLOBAL VARIABLES LIKE 'server_audit%';"

Verify the server_audit_logging is set ON.
##To use system logs (syslog):
From the query above verify the value of:
server_audit_output_type=SYSLOG
##To use an OS file:
From the query above verify the value of:
server_audit_output_type=FILE

The following values should also be checked:
server_audit_file_rotate_now = ON
server_audit_file_rotate_size = x*1024. This is the size of the file (in bytes) that will cause file rotation.
server_audit_file_rotations = x. This is the number of rotations to save.
------

Check with the security guide to verify that the central management system is getting the audit logs from the correct directories.

If MariaDB audit records are not written directly to or systematically transferred to the centralized log management system in the security guide, this is a finding.

If MariaDB does not have a continuous network connection to the centralized log management system, and MariaDB audit records are not transferred to the centralized log management system weekly or more often, this is a finding.
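
The variable checks above can be scripted. The following is an added example, not part of the benchmark or the audit file; the function name check_server_audit and the sample values are assumptions made for illustration. It evaluates only the server_audit% variables; whether the centralized log management system actually collects the records still has to be confirmed against the security guide.

```shell
#!/bin/sh
# Added example, not part of the benchmark. Reads tab-separated name/value
# lines (the format `mysql -N -B` prints) on stdin and applies the checks
# above. Exit status: 0 = no finding, 1 = finding.
check_server_audit() {
    awk -F '\t' '
        function finding(msg) { print "FINDING: " msg; bad = 1 }
        { raw[$1] = $2; v[$1] = toupper($2) }
        END {
            if (v["server_audit_logging"] != "ON")
                finding("server_audit_logging is not ON")
            ev = v["server_audit_events"]; gsub(/ /, "", ev)
            if (("," ev ",") !~ /,QUERY,/)
                finding("server_audit_events does not include QUERY")
            t = v["server_audit_output_type"]
            if (t == "SYSLOG") {
                print "REVIEW: confirm the central log system collects this host syslog"
            } else if (t == "FILE") {
                print "REVIEW: confirm the central log system collects " raw["server_audit_file_path"]
                print "REVIEW: server_audit_file_rotate_now = " raw["server_audit_file_rotate_now"]
                print "REVIEW: server_audit_file_rotate_size = " raw["server_audit_file_rotate_size"]
                print "REVIEW: server_audit_file_rotations = " raw["server_audit_file_rotations"]
            } else {
                finding("server_audit_output_type is neither SYSLOG nor FILE")
            }
            exit bad + 0
        }'
}

# Constructed sample inputs (not captured from a real server).
sample_file_ok() {
    printf 'server_audit_events\tCONNECT,QUERY,TABLE\n'
    printf 'server_audit_file_path\t/var/log/mysql/audit.log\n'
    printf 'server_audit_file_rotate_now\tON\n'
    printf 'server_audit_file_rotate_size\t1048576\n'
    printf 'server_audit_file_rotations\t9\n'
    printf 'server_audit_logging\tON\n'
    printf 'server_audit_output_type\tfile\n'
}
sample_bad() {
    printf 'server_audit_events\tCONNECT\n'
    printf 'server_audit_logging\tOFF\n'
    printf 'server_audit_output_type\tFILE\n'
}

# Live use (needs a reachable server):
#   mysql -u root -N -B -e "SHOW GLOBAL VARIABLES LIKE 'server_audit%'" | check_server_audit
sample_file_ok | check_server_audit
```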

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure MariaDB or deploy and configure software tools to transfer audit records to a centralized log management system, continuously and in near-real time where a continuous network connection to the log management system exists, or at least weekly in the absence of such a connection.

If server_audit_output_type is set to FILE, set the directory in the MariaDB configuration file to one that is managed by the centralized management system.

[server]
server_audit_file_path = /path/to/audit.log

Restart MariaDB Enterprise Server.

To set up the audit logs to write to syslog:

Edit the mariadb-enterprise.cnf file. Add the following under the [mariadb] section:

server_audit_output_type = 'syslog'

After the .cnf file is updated and saved, the mariadb database service must be restarted.

If audit logs are written to syslog, verify the central log management system is pulling the server's syslog.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MariaDB_Enterprise_10-x_V2R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3(2), CAT|II, CCI|CCI-001844, Rule-ID|SV-253725r879729_rule, STIG-ID|MADB-10-007100, Vuln-ID|V-253725

Plugin: MySQLDB

Control ID: 056dbbef6bd012b0fbaaa05272d3a424edee3c3528e5004c85f42ee1fd4a5558