Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-33834

Add tls_version field for connection audit plugins

Details

    Description

      As part of an internal security audit plugin, we are looking to have the TLS version of the connection as an available field.

      This can bring some useful information to the audit plugin for security purpose.

      Ongoing PR: https://github.com/MariaDB/server/pull/3502

      Attachments

        Issue Links

          relates to

          New Feature - A new feature of the product, which has yet to be developed. MDEV-12182 audit plugin should log HOST:PORT of incoming connection

          • Major - Major loss of function.
          • In Testing

          New Feature - A new feature of the product, which has yet to be developed. MDEV-17879 Add support for MariaDB audit plugin to produce JSON format

          • Major - Major loss of function.
          • Open

          Activity

            Ascending order - Click to sort in descending order
            View 6 older comments
            ralf.gebhardt Ralf Gebhardt added a comment -

            serg, I agree regarding MDEV-5313. We better extend the API when needed. It would be great to get MDEV-12182 added

            ralf.gebhardt Ralf Gebhardt added a comment - serg , I agree regarding MDEV-5313 . We better extend the API when needed. It would be great to get MDEV-12182 added
            otto Otto Kekäläinen added a comment -

            PR pending review at https://github.com/MariaDB/server/pull/3502

            otto Otto Kekäläinen added a comment - PR pending review at https://github.com/MariaDB/server/pull/3502
            otto Otto Kekäläinen added a comment - - edited

            ralf.gebhardt serg I think it is fairly rare for the audit plugin to add new fields. I understand the benefits for an "API", but seems the effort/benefit isn't there. Currently, https://github.com/MariaDB/server/pull/3502 is the only concrete suggestion to add a new field that is very relevant (TLS version) for rolling out MariaDB server security improvements in terms of closing down old TLS versions, which you can't do unless you know that few enough users use them.

            I think it would make more sense to just add that field as the PR has been ready since April, instead of aiming for a new API and forcing a dependency on 11 year old MDEV-5313 which is unlikely to happen.

            otto Otto Kekäläinen added a comment - - edited ralf.gebhardt serg I think it is fairly rare for the audit plugin to add new fields. I understand the benefits for an "API", but seems the effort/benefit isn't there. Currently, https://github.com/MariaDB/server/pull/3502 is the only concrete suggestion to add a new field that is very relevant (TLS version) for rolling out MariaDB server security improvements in terms of closing down old TLS versions, which you can't do unless you know that few enough users use them. I think it would make more sense to just add that field as the PR has been ready since April, instead of aiming for a new API and forcing a dependency on 11 year old MDEV-5313 which is unlikely to happen.
            serg Sergei Golubchik added a comment -

            I tend to agree, https://github.com/MariaDB/server/pull/3502 is not the only suggestion to add a new field, there's also https://github.com/MariaDB/server/pull/3324. But it's also from this year, so nothing was added in ten years since MDEV-5313 was created.

            It looks reasonable to assume that we won't need to extend the API again for quite a few years. And MDEV-5313 isn't exactly a small task, it'd be much simpler to accept these two PRs instead.

            serg Sergei Golubchik added a comment - I tend to agree, https://github.com/MariaDB/server/pull/3502 is not the only suggestion to add a new field, there's also https://github.com/MariaDB/server/pull/3324 . But it's also from this year, so nothing was added in ten years since MDEV-5313 was created. It looks reasonable to assume that we won't need to extend the API again for quite a few years. And MDEV-5313 isn't exactly a small task, it'd be much simpler to accept these two PRs instead.
            serg Sergei Golubchik added a comment -

            please use bb-12.0-MDEV-33834-audit branch (it also includes MDEV-12182)

            serg Sergei Golubchik added a comment - please use bb-12.0- MDEV-33834 -audit branch (it also includes MDEV-12182 )

            People

              alice Alice Sherepa
              Chupsy Vincent Dufrasnes
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.