Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-19458

server_audit plugin should log when the server starts up and when the server shuts down

Details

    • Task
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • None
    • Plugin - Audit
    • None

    Description

      The server_audit plugin does not currently log any audit events when the server starts up or shuts down.

      It does not look like the audit plugin API has any hooks for start up or shut down events either.

      Should we log startup events in mysql_audit_initialize() and shutdown events in mysql_audit_finalize(), so that the API can stay the same?

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MDEV-5313 Improving audit api

          • Critical - Crashes, loss of data, severe memory leak.
          • Stalled

          Task - A task that needs to be done. MDEV-5983 Auditing plugin v2.0

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Task - A task that needs to be done. MDEV-8491 On shutdown, report the user and the host executed that.

          • Major - Major loss of function.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            holyfoot Alexey Botchkov added a comment -

            > Should we log startup events in mysql_audit_initialize() and shutdown events in mysql_audit_finalize(), so that the API can
            > stay the same?

            It makes sence to me.

            holyfoot Alexey Botchkov added a comment - > Should we log startup events in mysql_audit_initialize() and shutdown events in mysql_audit_finalize(), so that the API can > stay the same? It makes sence to me.
            ralf.gebhardt Ralf Gebhardt added a comment -

            Hi holyfoot, GeoffMontee. Audits are typically about user activities on database objects and on accessing the server as such. A server startup or shutdown is more about monitoring a server instance. I would not mix these use cases. Also, are mysql_audit_initialize() and mysql_audit_finalize() really only called on Server startup and shutdown?

            ralf.gebhardt Ralf Gebhardt added a comment - Hi holyfoot , GeoffMontee . Audits are typically about user activities on database objects and on accessing the server as such. A server startup or shutdown is more about monitoring a server instance. I would not mix these use cases. Also, are mysql_audit_initialize() and mysql_audit_finalize() really only called on Server startup and shutdown?
            GeoffMontee Geoff Montee (Inactive) added a comment -

            Hi ralf.gebhardt@mariadb.com,

            Audits are typically about user activities on database objects and on accessing the server as such. A server startup or shutdown is more about monitoring a server instance. I would not mix these use cases.

            I would personally consider issuing a shutdown/startup request to be a form of "accessing the server" as well as performing an activity that can potentially affect all "database objects".

            Shutdowns and startups could definitely be relevant in an audit. Especially if the auditors suspect a rogue DBA of adding options to my.cnf or other configuration files as a way to bypass security mechanisms.

            Also, are mysql_audit_initialize() and mysql_audit_finalize() really only called on Server startup and shutdown?

            Yeah, it does appear so.

            https://github.com/MariaDB/server/blob/mariadb-10.4.5/sql/mysqld.cc#L5630

            https://github.com/MariaDB/server/blob/mariadb-10.4.5/sql/mysqld.cc#L1932

            GeoffMontee Geoff Montee (Inactive) added a comment - Hi ralf.gebhardt@mariadb.com , Audits are typically about user activities on database objects and on accessing the server as such. A server startup or shutdown is more about monitoring a server instance. I would not mix these use cases. I would personally consider issuing a shutdown/startup request to be a form of "accessing the server" as well as performing an activity that can potentially affect all "database objects". Shutdowns and startups could definitely be relevant in an audit. Especially if the auditors suspect a rogue DBA of adding options to my.cnf or other configuration files as a way to bypass security mechanisms. Also, are mysql_audit_initialize() and mysql_audit_finalize() really only called on Server startup and shutdown? Yeah, it does appear so. https://github.com/MariaDB/server/blob/mariadb-10.4.5/sql/mysqld.cc#L5630 https://github.com/MariaDB/server/blob/mariadb-10.4.5/sql/mysqld.cc#L1932
            holyfoot Alexey Botchkov added a comment -

            Hi, GeoffMontee, ralf.gebhardt@mariadb.com!
            To me logging the server shutdowns/startups seems like a different level. User with such capabilities can do a lot more than just modify the .my.cnf file. Server can be started without the plugins for instance.
            So it's difficult to rely on what's in the audit plugin log in this case.

            holyfoot Alexey Botchkov added a comment - Hi, GeoffMontee , ralf.gebhardt@mariadb.com ! To me logging the server shutdowns/startups seems like a different level. User with such capabilities can do a lot more than just modify the .my.cnf file. Server can be started without the plugins for instance. So it's difficult to rely on what's in the audit plugin log in this case.

            People

              Unassigned Unassigned
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.