Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
10.2.24, 10.1.40, 10.3.14, 10.4.4
-
None
Description
The server_audit plugin doesn't log proxy users. This means that it doesn't work well with PAM user mapping:
https://mariadb.com/kb/en/library/user-and-group-mapping-with-pam/
This seems to be true for all of the log functions:
https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1311
https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1333
https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1756
https://github.com/MariaDB/server/blob/mariadb-10.4.4/plugin/server_audit/server_audit.c#L1587
However, I see that the API already provides proxy_user in the mysql_event_connection and mysql_event_table classes.
https://github.com/MariaDB/server/blob/mariadb-10.4.4/include/mysql/plugin_audit.h#L86
https://github.com/MariaDB/server/blob/mariadb-10.4.4/include/mysql/plugin_audit.h#L127
But proxy_user seems to be missing from the mysql_event_general class:
https://github.com/MariaDB/server/blob/mariadb-10.4.4/include/mysql/plugin_audit.h#L52
For example, let's say that I log in as the bob PAM user who is mapped to the dba user:
[ec2-user@ip-172-30-0-249 ~]$ mysql -u bob
|
[mariadb] Password:
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
Your MariaDB connection id is 13
|
Server version: 10.1.39-MariaDB MariaDB Server
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
MariaDB [(none)]> SELECT USER(), CURRENT_USER();
|
+---------------+----------------+
|
| USER() | CURRENT_USER() |
|
+---------------+----------------+
|
| bob@localhost | dba@% |
|
+---------------+----------------+
|
1 row in set (0.00 sec)
|
|
MariaDB [(none)]> SELECT 1;
|
+---+
|
| 1 |
|
+---+
|
| 1 |
|
+---+
|
1 row in set (0.00 sec)
|
|
MariaDB [(none)]> \q
|
Bye
|
The audit log will only show the user name bob:
20190511 22:50:30,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,13,0,CONNECT,,,0
|
20190511 22:50:30,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,13,21,QUERY,,'select @@version_comment limit 1',0
|
20190511 22:50:32,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,13,22,QUERY,,'SELECT USER(), CURRENT_USER()',0
|
20190511 22:50:40,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,13,23,QUERY,,'SELECT 1',0
|
20190511 22:50:43,ip-172-30-0-249.us-west-2.compute.internal,bob,localhost,13,0,DISCONNECT,,,0
|
To have a more complete audit trail, shouldn't the plugin log both the original user and the proxy user?
Attachments
Issue Links
- relates to
-
MDEV-5313 Improving audit api
- Stalled
-
MDEV-5983 Auditing plugin v2.0
- Closed
-
MDEV-19442 server_audit plugin doesn't consider proxy users in server_audit_excl_users/server_audit_incl_users
- Closed