MariaDB Server / MDEV-17456

Malicious SUPER user can possibly change audit log configuration without leaving traces


Details

    Description

      SET queries are only logged in the audit log when server_audit_events=QUERY is set, not with the more specific QUERY_* sub-modes.

      So when e.g. using server_audit_events=QUERY_DCL queries that change the logging behavior, like e.g.:

      SET global server_audit_logging=0;
      

      This way a malicious user with SUPER privileges (but without file system level access to the server config files) could temporarily disable audit logging and then modify data without leaving a real trace.

      IMHO queries changing the audit log configuration, so any SET operating on a server_audit_% variable, should appear in the log even if full QUERY mode is not set, or at least be included in QUERY_DCL mode.

      Or, alternatively, there should be an option to outright ban any dynamic change of server_audit_% variables, e.g. something like

      [mysqld]
      server_audit_immutable=ON
      

      that could be used to remove the DYNAMIC attribute from all audit plugin variables, and so to prevent runtime changes to audit log configuration.
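      A monitoring-side check for the gap described in this report, added here as an example and not part of the original issue or of MariaDB: it compares polled output of SHOW GLOBAL VARIABLES LIKE 'server_audit_%' against an expected baseline and reports the windows in which the audit settings were off baseline. The baseline values, the tab-separated poll format, the sample polls and all function names are assumptions made for this example.

```python
# Added example: detect runtime drift of server_audit_% variables by polling.
# BASELINE values and the poll format are assumptions, not from the report.
BASELINE = {
    "server_audit_logging": "ON",
    "server_audit_events": "QUERY_DCL",
    "server_audit_excl_users": "",
}

def parse_variables(batch_output):
    """Parse tab-separated name/value rows (e.g. from `mysql -B -N`)."""
    values = {}
    for line in batch_output.splitlines():
        if line.strip():
            name, _, value = line.partition("\t")
            values[name.strip().lower()] = value.strip()
    return values

def drift(snapshot, baseline=BASELINE):
    """Return {name: (expected, actual)} for each variable off baseline."""
    changes = {}
    for name, expected in baseline.items():
        actual = snapshot.get(name)  # None: variable absent (plugin not loaded)
        if actual != expected:
            changes[name] = (expected, actual)
    return changes

def drift_windows(polls, baseline=BASELINE):
    """Return (first_drifted_poll, next_clean_poll) pairs; end is None if open."""
    windows, start = [], None
    for ts, output in polls:
        drifted = bool(drift(parse_variables(output), baseline))
        if drifted and start is None:
            start = ts
        elif not drifted and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows

# Constructed sample: three polls of SHOW GLOBAL VARIABLES LIKE 'server_audit_%'.
_ROWS = "server_audit_events\tQUERY_DCL\nserver_audit_excl_users\t\nserver_audit_logging\t{}\n"
SAMPLE_POLLS = [(ts, _ROWS.format(v)) for ts, v in
                [("12:00:00", "ON"), ("12:01:00", "OFF"), ("12:02:00", "ON")]]

if __name__ == "__main__":
    for start, end in drift_windows(SAMPLE_POLLS):
        print(f"audit settings off baseline from {start} until {end or 'now'}")
```

      A change that is made and reverted between two polls is not seen by this check, so the polling interval bounds the blind spot rather than closing it.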


            People

              holyfoot Alexey Botchkov
              hholzgra Hartmut Holzgraefe