MADB-10-000900 - MariaDB must initiate session auditing upon startup.

Information

Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session auditing is in use, it must be in operation for the whole time MariaDB is running.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If not already exists, create a named filter with the required auditing for the user in question. Example:

MariaDB> INSERT INTO mysql.server_audit_filters (filtername, rule)
VALUES ('session_auditing',
JSON_COMPACT(
'{
'connect_event': [
'CONNECT',
'DISCONNECT'
],
'table_event':[
'WRITE',
'CREATE',
'DROP',
'RENAME',
'ALTER'
]
}'
));

Then assign the named filter to the user. Example:

MariaDB> INSERT INTO mysql.server_audit_users (host, user, filtername) VALUES ('%', 'username', 'session_auditing');

Reload filters.

MariaDB> SET GLOBAL server_audit_reload_filters = ON;

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MariaDB_Enterprise_10-x_V2R2_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-14(1), CAT|II, CCI|CCI-001464, Rule-ID|SV-253674r960888_rule, STIG-ID|MADB-10-000900, Vuln-ID|V-253674

Plugin: MySQLDB

Control ID: 576f0b248f2f3f508390b8d14e4283166d4f9fea0b290fccdf40466a0d33e23c