[MDEV-19442] server_audit plugin doesn't consider proxy users in server_audit_excl_users/server_audit_incl_users - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.2.24, 10.1.40, 10.3.14, 10.4.4
Fix Version/s: 10.2.37, 10.3.28, 10.4.18, 10.5.9
Component/s: Authentication and Privilege System, Plugin - Audit
Labels:
None

Description

The server_audit plugin doesn't consider proxy users when deciding whether to log an event based on server_audit_excl_users/server_audit_incl_users. This means that it doesn't work well with PAM user mapping:

https://mariadb.com/kb/en/library/user-and-group-mapping-with-pam/

It looks like the do_log_user() function might need to be extended to have two arguments--an original user and a proxy user.

https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1479

https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L2025

https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L2041

https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L2555

For example, let's say that we are excluding the dba user from auditing:

MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'server_audit_%_users';

+-------------------------+-------+

| Variable_name           | Value |

+-------------------------+-------+

| server_audit_excl_users | dba   |

| server_audit_incl_users |       |

+-------------------------+-------+

2 rows in set (0.00 sec)

And let's say that I log in as the bob PAM user who is mapped to the dba user:

[ec2-user@ip-172-30-0-249 ~]$ mysql -u bob

[mariadb] Password:

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 16

Server version: 10.1.39-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT USER(), CURRENT_USER();

+---------------+----------------+

| USER()        | CURRENT_USER() |

+---------------+----------------+

| bob@localhost | dba@%          |

+---------------+----------------+

1 row in set (0.00 sec)

MariaDB [(none)]> SELECT 1;

+---+

| 1 |

+---+

| 1 |

+---+

1 row in set (0.00 sec)

MariaDB [(none)]> \q

Bye

This user's events will still be logged to the audit log:

20190511 22:57:01,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,16,0,CONNECT,,,0

20190511 22:57:01,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,16,36,QUERY,,'select @@version_comment limit 1',0

20190511 22:57:03,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,16,37,QUERY,,'SELECT USER(), CURRENT_USER()',0

20190511 22:57:08,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,16,38,QUERY,,'SELECT 1',0

20190511 22:57:10,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,16,0,DISCONNECT,,,0

This is because the server_audit plugin doesn't check the proxy user name against server_audit_excl_users/server_audit_incl_users. The plugin only checks the original user name.

To actually exclude this user from auditing, we would have to add the "bob" user name to server_audit_excl_users.

Attachments

Issue Links

relates to

MDEV-19443 server_audit plugin doesn't log proxy users

Closed

MDEV-5313 Improving audit api

Stalled

MDEV-5983 Auditing plugin v2.0

Closed

Activity

People

Assignee:: Alexey Botchkov

Reporter:: Geoff Montee (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Due:: 2019-11-19

Created:: 2019-05-11 19:45

Updated:: 2024-07-07 22:49

Resolved:: 2020-12-29 11:05

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.