  1. MariaDB Server
  2. MDEV-17456

Malicious SUPER user can possibly change audit log configuration without leaving traces

    Details

      Description

      SET queries are only logged in the audit log when server_audit_events=QUERY is set, not with the more specific QUERY_* sub-modes.

      So when e.g. using server_audit_events=QUERY_DCL queries that change the logging behavior, like e.g.:

      SET global server_audit_logging=0;
      

      This way a malicious user with SUPER privileges (but without file system level access to the server config files) could temporarily disable audit logging and then modify data without leaving a real trace.

      IMHO queries changing the audit log configuration, so any SET operating on a server_audit_% variable, should appear in the log even if full QUERY mode is not set, or at least be included in QUERY_DCL mode.

      Or, alternatively, there should be an option to outright ban any dynamic change of server_audit_% variables, e.g. something like

      [mysqld]
      server_audit_immutable=ON
      

      that could be used to remove the DYNAMIC attribute from all audit plugin variables, and so to prevent runtime changes to audit log configuration.

              People

              • Assignee:
                holyfoot Alexey Botchkov
                Reporter:
                hholzgra Hartmut Holzgraefe
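Added example, not part of the original report or of the MariaDB code base: because the SET statement described above leaves no entry in the audit log under QUERY_DCL, one compensating check is to compare the running server_audit_* values against the option file the server was started with. The option file contents, the captured SHOW output and all function names are assumptions made for this illustration.

```python
# Constructed sample: audit settings the server was started with.
SAMPLE_CNF = """\
[mysqld]
server_audit_logging=ON
server-audit-events=CONNECT,QUERY_DCL
"""

# Constructed sample: output of mysql -N -B -e "SHOW GLOBAL VARIABLES LIKE 'server_audit%'"
SAMPLE_RUNTIME = "server_audit_events\tCONNECT,QUERY_DCL\nserver_audit_logging\tOFF\n"

BOOL = {"1": "ON", "ON": "ON", "TRUE": "ON", "0": "OFF", "OFF": "OFF", "FALSE": "OFF"}
SERVER_GROUPS = {"mysqld", "mariadb", "mariadbd", "server"}

def normalize(name, value):
    """Booleans as ON/OFF; server_audit_events as an order-free list."""
    v = value.strip()
    if name == "server_audit_events":
        return ",".join(sorted(p.strip().upper() for p in v.split(",") if p.strip()))
    return BOOL.get(v.upper(), v)

def baseline_from_cnf(text):
    """Collect server_audit_* options from the server's option groups."""
    group, found = None, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip().lower()
        elif group in SERVER_GROUPS and "=" in line and line[0] not in "#;!":
            key, value = line.split("=", 1)
            key = key.strip().lower().replace("-", "_")
            if key.startswith("server_audit_"):
                found[key] = value.strip().strip("'\"")
    return found

def runtime_from_show(text):
    """Parse tab-separated name/value rows from SHOW GLOBAL VARIABLES."""
    rows = (l.split("\t", 1) for l in text.splitlines() if "\t" in l)
    return {name.strip().lower(): value.strip() for name, value in rows}

def audit_drift(cnf_text, show_text):
    """Return {variable: (configured, running)} for every mismatch."""
    running = runtime_from_show(show_text)
    drift = {}
    for name, want in baseline_from_cnf(cnf_text).items():
        got = running.get(name)
        if got is None or normalize(name, want) != normalize(name, got):
            drift[name] = (want, got)
    return drift

if __name__ == "__main__":
    print(audit_drift(SAMPLE_CNF, SAMPLE_RUNTIME))
```

A poll like this only sees the state at the moment it runs, so a setting that is switched off and back on between two polls goes unnoticed.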