MYS8-00-000300 - MySQL Database Server 8.0 must produce audit records containing sufficient information to establish what type of events occurred

Information

Information system auditing capability is critical for accurate forensic analysis. Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Audit record content that may be necessary to satisfy the requirement of this policy includes, for example, time stamps, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.

Associating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.

Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly what actions were performed. This requires specific information regarding the event type to which an audit record refers. If event type information is not recorded and stored with the audit record, the record itself is of very limited use.

MySQL provides auditing using the MySQL Enterprise Audit Log Plugin. When installed, the audit plugin enables MySQL Server to produce a log file containing an audit record of server activity. The log contents include when clients connect and disconnect, and what actions they perform while connected, such as which databases and tables they access.

Solution

Configure DBMS auditing to audit standard and organization-defined auditable events, with the audit record to include what type of event occurred.

Use this process to ensure auditable events are captured:

Configure MySQL database server 8.0 for auditing and configure audit settings to include required events as part of the audit record.

To install MySQL Enterprise Audit:
Run the audit_log_filter_linux_install.sql script located in the sharedirectory of your MySQL installation. This can be determined by running - select @@basedir;
For example if the basedir is /usr/local/mysql
shell> bin/mysql -u root -p < /usr/local/mysql/share/audit_log_filter_linux_install.sql

Verify the plugin installation by running:
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'audit%';
The value for audit_log should return ACTIVE.

To prevent the plugin from being removed at runtime, add the --audit-log option under the [mysqld] option group in the MySQL configuration file (/etc/my.cnf) with a setting of FORCE_PLUS_PERMANENT.

audit-log=FORCE_PLUS_PERMANENT

Restart the server to apply the configuration change.

By default, rule-based audit log filtering logs no auditable events for any users. To produce log-everything behavior with rule-based filtering, create a filter to enable logging of all events and assign it to the audit all accounts.

Run the following statements to filter all activity for all users:
SELECT audit_log_filter_set_filter('log_all', '{ 'filter': { 'log': true } }');
SELECT audit_log_filter_set_user('%', 'log_all');
SELECT audit_log_filter_set_user('%', 'log_all');

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_MySQL_8-0_V1R4_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000130, Rule-ID|SV-235097r879563_rule, STIG-ID|MYS8-00-000300, Vuln-ID|V-235097

Plugin: Unix

Control ID: e01e5112c89072b57094ce9499d853f571bbe5df93befa960741eacc635ff65c