Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Fix Version/s: 10.2.18, 10.3.10
- None
Description
SET queries are only logged in the audit log when server_audit_events=QUERY is set, not with the more specific QUERY_* sub-modes.
So when e.g. using server_audit_events=QUERY_DCL, queries that change the logging behavior, like e.g.:

    SET global server_audit_logging=0;

This way a malicious user with SUPER privileges (but without file system level access to the server config files) could temporarily disable audit logging and then modify data without leaving a real trace.
IMHO queries changing the audit log configuration, so any SET operating on a server_audit_% variable, should appear in the log even if full QUERY mode is not set, or at least be included in QUERY_DCL mode.
Or, alternatively, there should be an option to outright ban any dynamic change of server_audit_% variables, e.g. something like

    [mysqld]
    server_audit_immutable=ON

that could be used to remove the DYNAMIC attribute from all audit plugin variables, and so to prevent runtime changes to audit log configuration.
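As an added illustration (not part of this report or of the server_audit plugin), a small review script that applies the reporter's proposed criterion on the defender's side: it parses audit log lines in the plugin's file format and flags every statement that sets a server_audit_% variable. The comma-separated line layout, the single-quoted statement field with \' escaping, and the sample lines are assumptions constructed for the example.

```python
import re
from collections import namedtuple

# Criterion proposed in the report: any SET assigning a server_audit_%
# variable ("SET GLOBAL server_audit_logging=0", "SET @@global.server_audit_events=..").
# Anchored at the start so an UPDATE ... SET ... clause does not match.
AUDIT_CONFIG_SET = re.compile(r"^\s*SET\b.*?\bserver_audit_\w+\s*=", re.I | re.S)

# Assumed line layout of the plugin's file output; 'statement' is the quoted
# object field, which holds the SQL text for QUERY* operations.
AuditRecord = namedtuple("AuditRecord", "timestamp serverhost username host "
                         "connection_id query_id operation database statement retcode")

def parse_line(line):
    """Split one audit line on the first eight commas and the last one only,
    since the quoted statement may itself contain commas; embedded quotes are
    assumed to be escaped as \\' by the plugin."""
    parts = line.rstrip("\n").split(",", 8)
    if len(parts) != 9:
        raise ValueError("unexpected field count: %r" % line)
    ts, srv, user, host, cid, qid, op, db, rest = parts
    obj, retcode = rest.rsplit(",", 1)
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")
    return AuditRecord(ts, srv, user, host, int(cid), int(qid), op, db, obj, int(retcode))

def audit_config_changes(lines):
    """Return the records whose statement changes a server_audit_% setting."""
    found = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.operation.startswith("QUERY") and AUDIT_CONFIG_SET.match(rec.statement):
            found.append(rec)
    return found

# Constructed sample log (not real data): connection 13 reconfigures auditing
# between ordinary statements; only query ids 41 and 42 should be flagged.
SAMPLE_LOG = [
    r"20181003 10:15:01,db1,app,10.0.0.5,12,40,QUERY,shop,'SELECT * FROM orders WHERE id=7',0",
    r"20181003 10:15:30,db1,root,localhost,13,41,QUERY,,'SET GLOBAL server_audit_logging=0',0",
    r"20181003 10:15:32,db1,root,localhost,13,42,QUERY,,'set @@global.server_audit_events=\'CONNECT\'',0",
    r"20181003 10:16:02,db1,root,localhost,13,43,QUERY,shop,'UPDATE orders SET total=0, note=\'x\' WHERE id=7',0",
    r"20181003 10:16:05,db1,root,localhost,13,44,QUERY_DDL,shop,'CREATE TABLE t (set_id INT)',0",
]

if __name__ == "__main__":
    for rec in audit_config_changes(SAMPLE_LOG):
        print(rec.timestamp, rec.username + "@" + rec.host, rec.statement)
```

On a server affected by this bug and running with a QUERY_* sub-mode such statements never reach the log, so the check is only meaningful for logs written in full QUERY mode or by a fixed server.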
Attachments
Issue Links
- relates to
  - MDEV-19459 Backport MDEV-17456 to server_audit plugin in 10.1 (Closed)
  - MDEV-5983 Auditing plugin v2.0 (Closed)
  - MDEV-14713 MariaDB Audit Plugin audits SET GLOBAL (Open)