MariaDB Server / MDEV-35522

MariaDB Audit does not detect all DCLs forms when masking password

    Description

      Simply based on what I see, I report this as a bug, since MariaDB Audit masks the password from CREATE USER but fails to recognize different forms of the same command.

      20241128 15:58:36,fedora,root,localhost,150,276260,QUERY,,'CREATE USER \'claudio\'@\'%\' IDENTIFIED BY *****',1396
      20241128 15:56:42,fedora,root,localhost,149,276256,QUERY,,'CREATE OR REPLACE USER \'monty\'@\'%\' IDENTIFIED BY \'123\'',0
      20241128 15:56:54,fedora,root,localhost,149,276257,QUERY,,'SET STATEMENT max_statement_time=10.000000 FOR CREATE USER \'sergio\'@\'%\' IDENTIFIED BY \'123\'',0
      https://jira.mariadb.org/browse/MDEV-7134
      

      So if it was decided to mask the password for the CREATE USER command, IMHO it should be done so as to detect the different forms of the same command.

      I did not test for other types of DCLs.
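
A defender-side check for the behaviour reported above, as an added example that is not part of the original report or of MariaDB's code: it scans audit-log records for `IDENTIFIED BY` followed by a quoted literal instead of the `*****` mask. The function names and the ten-field comma-separated layout (inferred from the three records quoted in the report) are assumptions.

```python
import re

# Sample input: the three records quoted in the report. Assumed layout:
# timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
SAMPLE_LOG = r"""
20241128 15:58:36,fedora,root,localhost,150,276260,QUERY,,'CREATE USER \'claudio\'@\'%\' IDENTIFIED BY *****',1396
20241128 15:56:42,fedora,root,localhost,149,276256,QUERY,,'CREATE OR REPLACE USER \'monty\'@\'%\' IDENTIFIED BY \'123\'',0
20241128 15:56:54,fedora,root,localhost,149,276257,QUERY,,'SET STATEMENT max_statement_time=10.000000 FOR CREATE USER \'sergio\'@\'%\' IDENTIFIED BY \'123\'',0
"""

# IDENTIFIED BY followed by a quote (backslash-escaped in the log) means the
# literal was written out; a masked record has ***** in that position.
UNMASKED = re.compile(r"IDENTIFIED\s+BY\s+\\?['\"]", re.IGNORECASE)
# Used to blank everything after IDENTIFIED BY so findings never repeat the secret.
TAIL = re.compile(r"(IDENTIFIED\s+BY\s+).*", re.IGNORECASE | re.DOTALL)


def parse_record(line):
    """Split one record. The query text may contain commas, so only the first
    eight commas and the last one are treated as field separators."""
    head = line.rstrip("\n").split(",", 8)
    if len(head) != 9:
        return None
    obj, _, retcode = head[8].rpartition(",")
    return {"timestamp": head[0], "user": head[2], "query_id": head[5],
            "operation": head[6], "object": obj, "retcode": retcode}


def find_unmasked(lines):
    """Return (line_number, query_id, redacted_statement) for every QUERY
    record whose IDENTIFIED BY clause still carries a quoted literal."""
    hits = []
    for number, line in enumerate(lines, 1):
        rec = parse_record(line)
        if rec is None or rec["operation"] != "QUERY":
            continue
        if UNMASKED.search(rec["object"]):
            hits.append((number, rec["query_id"], TAIL.sub(r"\1*****", rec["object"])))
    return hits


if __name__ == "__main__":
    for number, query_id, statement in find_unmasked(SAMPLE_LOG.strip().splitlines()):
        print(f"line {number} query {query_id}: {statement}")
```

Any hit means a cleartext credential is stored in the audit file, so the affected password should be rotated and read access to the log reviewed.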

          People

            sanja Oleksandr Byelkin
            claudio.nanni Claudio Nanni