[MDEV-19458] server_audit plugin should log when the server starts up and when the server shuts down - Jira

Details

Type: Task
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Fix Version/s: None
Component/s: Plugin - Audit
Labels:
None

Description

The server_audit plugin does not currently log any audit events when the server starts up or shuts down.

It does not look like the audit plugin API has any hooks for start up or shut down events either.

Should we log startup events in mysql_audit_initialize() and shutdown events in mysql_audit_finalize(), so that the API can stay the same?

Attachments

Issue Links

relates to

MDEV-5313 Improving audit api

Stalled

MDEV-5983 Auditing plugin v2.0

Closed

MDEV-8491 On shutdown, report the user and the host executed that.

Closed

Activity

Ascending order - Click to sort in descending order

Geoff Montee (Inactive) created issue - 2019-05-13 18:13

Geoff Montee (Inactive) made changes - 2019-05-13 18:13

Field	Original Value	New Value
Link		This issue relates to ~~MDEV-8491~~ [ ~~MDEV-8491~~ ]

Geoff Montee (Inactive) made changes - 2019-05-14 17:38

Link

This issue relates to MDEV-5313 [ MDEV-5313 ]

Geoff Montee (Inactive) made changes - 2019-05-14 17:42

Link

This issue relates to ~~MDEV-5983~~ [ ~~MDEV-5983~~ ]

Alexey Botchkov added a comment - 2019-05-16 13:20

> Should we log startup events in mysql_audit_initialize() and shutdown events in mysql_audit_finalize(), so that the API can
> stay the same?

It makes sence to me.

Alexey Botchkov added a comment - 2019-05-16 13:20 > Should we log startup events in mysql_audit_initialize() and shutdown events in mysql_audit_finalize(), so that the API can > stay the same? It makes sence to me.

Ralf Gebhardt added a comment - 2019-05-28 22:45

Hi holyfoot, GeoffMontee. Audits are typically about user activities on database objects and on accessing the server as such. A server startup or shutdown is more about monitoring a server instance. I would not mix these use cases. Also, are mysql_audit_initialize() and mysql_audit_finalize() really only called on Server startup and shutdown?

Ralf Gebhardt added a comment - 2019-05-28 22:45 Hi holyfoot , GeoffMontee . Audits are typically about user activities on database objects and on accessing the server as such. A server startup or shutdown is more about monitoring a server instance. I would not mix these use cases. Also, are mysql_audit_initialize() and mysql_audit_finalize() really only called on Server startup and shutdown?

Geoff Montee (Inactive) added a comment - 2019-05-28 22:52

Hi ralf.gebhardt@mariadb.com,

Audits are typically about user activities on database objects and on accessing the server as such. A server startup or shutdown is more about monitoring a server instance. I would not mix these use cases.

I would personally consider issuing a shutdown/startup request to be a form of "accessing the server" as well as performing an activity that can potentially affect all "database objects".

Shutdowns and startups could definitely be relevant in an audit. Especially if the auditors suspect a rogue DBA of adding options to my.cnf or other configuration files as a way to bypass security mechanisms.

Also, are mysql_audit_initialize() and mysql_audit_finalize() really only called on Server startup and shutdown?

Yeah, it does appear so.

https://github.com/MariaDB/server/blob/mariadb-10.4.5/sql/mysqld.cc#L5630

https://github.com/MariaDB/server/blob/mariadb-10.4.5/sql/mysqld.cc#L1932

Geoff Montee (Inactive) added a comment - 2019-05-28 22:52 Hi ralf.gebhardt@mariadb.com , Audits are typically about user activities on database objects and on accessing the server as such. A server startup or shutdown is more about monitoring a server instance. I would not mix these use cases. I would personally consider issuing a shutdown/startup request to be a form of "accessing the server" as well as performing an activity that can potentially affect all "database objects". Shutdowns and startups could definitely be relevant in an audit. Especially if the auditors suspect a rogue DBA of adding options to my.cnf or other configuration files as a way to bypass security mechanisms. Also, are mysql_audit_initialize() and mysql_audit_finalize() really only called on Server startup and shutdown? Yeah, it does appear so. https://github.com/MariaDB/server/blob/mariadb-10.4.5/sql/mysqld.cc#L5630 https://github.com/MariaDB/server/blob/mariadb-10.4.5/sql/mysqld.cc#L1932

Alexey Botchkov added a comment - 2019-05-31 11:48

Hi, GeoffMontee, ralf.gebhardt@mariadb.com!
To me logging the server shutdowns/startups seems like a different level. User with such capabilities can do a lot more than just modify the .my.cnf file. Server can be started without the plugins for instance.
So it's difficult to rely on what's in the audit plugin log in this case.

Alexey Botchkov added a comment - 2019-05-31 11:48 Hi, GeoffMontee , ralf.gebhardt@mariadb.com ! To me logging the server shutdowns/startups seems like a different level. User with such capabilities can do a lot more than just modify the .my.cnf file. Server can be started without the plugins for instance. So it's difficult to rely on what's in the audit plugin log in this case.

Julien Fritsch made changes - 2020-11-06 16:10

Fix Version/s

10.1 [ 16100 ]

Sergei Golubchik made changes - 2021-12-06 21:21

Workflow

MariaDB v3 [ 96706 ]

MariaDB v4 [ 131084 ]

Ralf Gebhardt made changes - 2022-08-04 08:41

Fix Version/s

10.2 [ 14601 ]

Ralf Gebhardt made changes - 2022-11-07 09:06

Assignee

Alexey Botchkov [ holyfoot ]

Ralf Gebhardt made changes - 2022-11-07 09:06

Fix Version/s	10.3 [ 22126 ]
Fix Version/s	10.4 [ 22408 ]

Jira Automation (IT) made changes - 2024-07-04 03:52

Zendesk Related Tickets

150922

People

Assignee:: Unassigned

Reporter:: Geoff Montee (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2019-05-13 18:13

Updated:: 2024-07-07 22:49

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server