MariaDB Server / MDEV-33834

Add tls_version field for connection audit plugins

Details

    Description

      As part of an internal security audit plugin, we are looking to have the TLS version of the connection as an available field.

      This can bring some useful information to the audit plugin for security purposes.

      Ongoing PR: https://github.com/MariaDB/server/pull/3175

          Activity

            serg Sergei Golubchik added a comment - - edited

            Here's another thought. We have MDEV-12182 — adding port number to the audit log — it doesn't require changing the log format at all, it can be added to the "hostname" field, as "hostname:port". Still, it needs adding the port number to audit API structures. And thus it is marked as blocked by MDEV-5313 — which should allow passing down more values to the audit plugin without constantly extending audit API structure.

            This MDEV also extends the audit API structure, so by the same logic it's blocked by MDEV-5313.

            Now the question is — MDEV-5313 has shown no progress in 11 years, perhaps we shall give up and just start extending the audit API structure as we see fit?

            ralf.gebhardt, holyfoot, thoughts?

            ralf.gebhardt Ralf Gebhardt added a comment -

            serg, I agree regarding MDEV-5313. We better extend the API when needed. It would be great to get MDEV-12182 added.

            otto Otto Kekäläinen added a comment -

            PR pending review at https://github.com/MariaDB/server/pull/3502

            otto Otto Kekäläinen added a comment - - edited

            ralf.gebhardt serg I think it is fairly rare for the audit plugin to add new fields. I understand the benefits for an "API", but seems the effort/benefit isn't there. Currently, https://github.com/MariaDB/server/pull/3502 is the only concrete suggestion to add a new field that is very relevant (TLS version) for rolling out MariaDB server security improvements in terms of closing down old TLS versions, which you can't do unless you know that few enough users use them.

            I think it would make more sense to just add that field as the PR has been ready since April, instead of aiming for a new API and forcing a dependency on 11 year old MDEV-5313 which is unlikely to happen.

            serg Sergei Golubchik added a comment -

            I tend to agree, https://github.com/MariaDB/server/pull/3502 is not the only suggestion to add a new field, there's also https://github.com/MariaDB/server/pull/3324. But it's also from this year, so nothing was added in ten years since MDEV-5313 was created.

            It looks reasonable to assume that we won't need to extend the API again for quite a few years. And MDEV-5313 isn't exactly a small task, it'd be much simpler to accept these two PRs instead.

            People

              serg Sergei Golubchik
              Chupsy Vincent Dufrasnes