MADB-10-008000 - MariaDB must produce audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s).

Information

Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks and an audit trail would not be available for forensic investigation for after-the-fact actions.

Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

The MariaDB Enterprise Audit plugin can be configured to audit these changes.

Update necessary audit filters to include query_event ALL. Example:

MariaDB> DELETE FROM mysql.server_audit_filters WHERE filtername = 'default';

MariaDB> INSERT INTO mysql.server_audit_filters (filtername, rule)
VALUES ('default',
JSON_COMPACT(
'{
  "connect_event": [
    "CONNECT",
    "DISCONNECT"
  ],
  "query_event": [
    "ALL"
  ]
}'
));

If the config files are not secured properly in the file system, change the ownership and permissions with operating system operations.

Example:

chown root:root /etc/my.cnf.d
chmod 644 /etc/my.cnf.d
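
One way to check whether the config files need the ownership and permission change described above. This is an added example, not part of the benchmark: the function name find_insecure_config is hypothetical, and the expected owner defaults to root as in the chown example.

```sh
#!/bin/sh
# Added example (not from the benchmark): list MariaDB config paths that are
# not owned by the expected account or that are writable by group or others.

# find_insecure_config DIR [OWNER]
#   DIR   - config directory to inspect (the page's example is /etc/my.cnf.d)
#   OWNER - expected owner, name or numeric uid (assumption: root, matching
#           the chown example)
# Prints one offending path per line.
# Returns 0 if nothing was found, 1 if there are findings, 2 if DIR is missing.
find_insecure_config() {
    dir=$1
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    # Symlinks are skipped because their own mode bits are not meaningful.
    # -perm -020 matches group-writable, -perm -002 matches world-writable.
    findings=$(find "$dir" ! -type l \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: find_insecure_config /etc/my.cnf.d root
```

Any path it prints is a candidate for the chown and chmod fix; an empty result with return code 0 means the directory tree already meets the ownership and write-permission expectation.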

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MariaDB_Enterprise_10-x_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-5(1), CAT|II, CCI|CCI-003938, Rule-ID|SV-253733r998228_rule, STIG-ID|MADB-10-008000, Vuln-ID|V-253733

Plugin: MySQLDB

Control ID: 1844e0551797a07a5510617c3d9b272033010e8bb0d001c320f8bd5566de05d7