Details
- Bug
- Status: Closed
- Blocker
- Resolution: Fixed
- 10.5
- None
Description
Simply based on what I see, I report this as a bug, since MariaDB Audit masks the password from CREATE USER but fails to recognize different forms of the same command.
20241128 15:58:36,fedora,root,localhost,150,276260,QUERY,,'CREATE USER \'claudio\'@\'%\' IDENTIFIED BY *****',1396
20241128 15:56:42,fedora,root,localhost,149,276256,QUERY,,'CREATE OR REPLACE USER \'monty\'@\'%\' IDENTIFIED BY \'123\'',0
20241128 15:56:54,fedora,root,localhost,149,276257,QUERY,,'SET STATEMENT max_statement_time=10.000000 FOR CREATE USER \'sergio\'@\'%\' IDENTIFIED BY \'123\'',0
https://jira.mariadb.org/browse/MDEV-7134
So if it was decided to mask the password for the CREATE USER command, IMHO it should be done so as to detect the different forms of the same command.
I did not test for other types of DCLs.
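A defender-side check for audit logs written before the fix, added here as an example that is not part of the original report or of the MariaDB code: it flags any QUERY record where `IDENTIFIED BY` is still followed by a quoted literal, whatever statement form precedes it, and reports the record with the secret redacted. The `scan` function, the ten-field record layout and the backslash-unescaping step are assumptions inferred from the three records quoted above.

```python
import re

# Sample input: the three audit records quoted in the report above.
SAMPLE_LOG = r"""20241128 15:58:36,fedora,root,localhost,150,276260,QUERY,,'CREATE USER \'claudio\'@\'%\' IDENTIFIED BY *****',1396
20241128 15:56:42,fedora,root,localhost,149,276256,QUERY,,'CREATE OR REPLACE USER \'monty\'@\'%\' IDENTIFIED BY \'123\'',0
20241128 15:56:54,fedora,root,localhost,149,276257,QUERY,,'SET STATEMENT max_statement_time=10.000000 FOR CREATE USER \'sergio\'@\'%\' IDENTIFIED BY \'123\'',0
"""

# Assumed layout: eight comma-terminated fields, the quoted statement, the return code.
RECORD = re.compile(r"^((?:[^,]*,){8})'(.*)',(\d+)$")
# A quoted SQL literal right after IDENTIFIED BY means the secret was not masked.
# The literal may contain backslash escapes or doubled quotes.
SECRET = re.compile(r"(IDENTIFIED\s+BY\s+)'(?:[^'\\]|\\.|'')*'", re.I | re.S)


def scan(log_text):
    """Return one finding per QUERY record that still carries a cleartext secret."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = RECORD.match(line)
        if not m:
            continue  # not a record in the assumed layout
        ts, _server, user, host, conn, qid, op, _db = m.group(1).split(",")[:8]
        if op != "QUERY":
            continue
        # Undo the log-level escaping (\' -> ') so the SQL literal can be matched.
        stmt = re.sub(r"\\(.)", r"\1", m.group(2))
        redacted, hits = SECRET.subn(r"\1*****", stmt)
        if hits:
            findings.append({
                "line": lineno, "timestamp": ts, "user": f"{user}@{host}",
                "connection_id": conn, "query_id": qid,
                "statement": redacted,  # never echo the secret back out
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} query {f['query_id']} by {f['user']}: {f['statement']}")
```

Any account named in a finding has had its password written to the audit log in cleartext, so the usual follow-up is to rotate that credential and review who could read the log file.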
Issue Links
- causes: MDEV-35604 SIGSEGV in filter_query_type | log_statement_ex / auditing (Closed)
Activity
Field | Original Value | New Value |
---|---|---|
Assignee | Oleksandr Byelkin [ sanja ] |
Priority | Major [ 3 ] | Critical [ 2 ] |
Key | | |
Project | MariaDB Enterprise [ 11500 ] | MariaDB Server [ 10000 ] |
Priority | Critical [ 2 ] | Blocker [ 1 ] |
Summary | Enterprise Audit does not detect all DCLs forms when masking password | MariaDB Audit does not detect all DCLs forms when masking password |
Description | I know it's a hot topic but I don't know which are the latest conclusions. Simply based on what I see I report this as bug since Enterprise Audit masks the password from CREATE USER but fails to recognize different forms of the same command. {noformat} 20241128 15:58:36,fedora,root,localhost,150,276260,QUERY,,'CREATE USER \'claudio\'@\'%\' IDENTIFIED BY *****',1396 20241128 15:56:42,fedora,root,localhost,149,276256,QUERY,,'CREATE OR REPLACE USER \'monty\'@\'%\' IDENTIFIED BY \'123\'',0 20241128 15:56:54,fedora,root,localhost,149,276257,QUERY,,'SET STATEMENT max_statement_time=10.000000 FOR CREATE USER \'sergio\'@\'%\' IDENTIFIED BY \'123\'',0 https://jira.mariadb.org/browse/MDEV-7134 {noformat} So if it was decided to mask the password for the CREATE USER command imho it should be done so to detect the different forms of the same command. I did not test for other types of DCLs. | Simply based on what I see I report this as bug since MariaDB Audit masks the password from CREATE USER but fails to recognize different forms of the same command. {noformat} 20241128 15:58:36,fedora,root,localhost,150,276260,QUERY,,'CREATE USER \'claudio\'@\'%\' IDENTIFIED BY *****',1396 20241128 15:56:42,fedora,root,localhost,149,276256,QUERY,,'CREATE OR REPLACE USER \'monty\'@\'%\' IDENTIFIED BY \'123\'',0 20241128 15:56:54,fedora,root,localhost,149,276257,QUERY,,'SET STATEMENT max_statement_time=10.000000 FOR CREATE USER \'sergio\'@\'%\' IDENTIFIED BY \'123\'',0 https://jira.mariadb.org/browse/MDEV-7134 {noformat} So if it was decided to mask the password for the CREATE USER command imho it should be done so to detect the different forms of the same command. I did not test for other types of DCLs. |
Fix Version/s | 10.5 [ 23123 ] |
Affects Version/s | 10.5 [ 23123 ] |
Status | Open [ 1 ] | In Progress [ 3 ] |
Assignee | Oleksandr Byelkin [ sanja ] | Sergei Golubchik [ serg ] |
Status | In Progress [ 3 ] | In Review [ 10002 ] |
Assignee | Sergei Golubchik [ serg ] | Oleksandr Byelkin [ sanja ] |
Status | In Review [ 10002 ] | Stalled [ 10000 ] |
Component/s | Plugin - Audit [ 10131 ] | |
Fix Version/s | 10.5.28 [ 29952 ] | |
Fix Version/s | 10.5 [ 23123 ] | |
Resolution | Fixed [ 1 ] | |
Status | Stalled [ 10000 ] | Closed [ 6 ] |
Fix Version/s | 10.6.21 [ 29953 ] | |
Fix Version/s | 10.11.11 [ 29954 ] | |
Fix Version/s | 11.4.5 [ 29956 ] | |
Fix Version/s | 11.7.2 [ 29914 ] |
Link | This issue blocks MENT-2188 [ MENT-2188 ] |
Link | This issue causes |
Link | This issue causes MENT-2192 [ MENT-2192 ] |
534dda1234b9 is ok to push, but see the email first