Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5983

Auditing plugin v2.0

Details

    Description

      The set of desired features for the Auditing Plugin is big enough.
      And we need to recode the existing plugin significantly to make it all working.
      So v2.0

      Features planned to include in it:
      1. filter rules defined per user/role using a system table

      • this will make the parameters server_audit_events, server_audit_excl_users and server_audit_incl_users obsolete
      • thew default behavior without having filter rules defined will be to log all events and for all users
      • user should be user@host for different filtering per host

      2. Propagating Auditing Setting to log files
      For Auditing it is of value to know the settings an audit log is based on.
      When creating a new file, current settings should be added. A new event type could be used, like AUDIT_CONFIG and can be enabled via a system variable.

      In the same format current used for the auditing rows it could look like:

      20180307 22:57:20,,,,,,AUDIT_CONFIG,,'server_audit_syslog_priority=LOG_INFO',0

      3. Logging for changes of auditing settings
      As audit logging settings can be changed dynamically, should be possible to log changes to the audit settings itself, although events like QUERY are disabled ( a SET command used). The same format could be used as above, but just reporting the new value.

      4. Placeholders instead of the real values for Query Logging.
      That's needed usually for the security reasons. Particularly important for passwords.

      5. Log rotation based on days

      6. PRIVILEGES event type.

      Attachments

        Issue Links

          blocks

          Task - A task that needs to be done. MDEV-10040 Audit plugin, Add functionality to filter per table (or object)

          • Major - Major loss of function.
          • Closed
          includes

          Task - A task that needs to be done. MDEV-5245 Audit plugin reveals user lists to unprivileged users

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. MDEV-10299 Make server_audit plugin support roles

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Task - A task that needs to be done. MDEV-12494 Include or exclude host names from auditing

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Task - A task that needs to be done. MDEV-13421 Improvement for Server Audit Plugin Output on QUERY

          • Major - Major loss of function.
          • Open
          is blocked by

          Task - A task that needs to be done. MDEV-5313 Improving audit api

          • Critical - Crashes, loss of data, severe memory leak.
          • Stalled
          relates to

          Task - A task that needs to be done. MDEV-5212 Role support for Audit Plugin API

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Task - A task that needs to be done. MDEV-11109 Make server_audit_excl_users have effect on connection logging

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Task - A task that needs to be done. MDEV-14713 MariaDB Audit Plugin audits SET GLOBAL

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-17456 Malicious SUPER user can possibly change audit log configuration without leaving traces

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19442 server_audit plugin doesn't consider proxy users in server_audit_excl_users/server_audit_incl_users

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19443 server_audit plugin doesn't log proxy users

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Task - A task that needs to be done. MDEV-19458 server_audit plugin should log when the server starts up and when the server shuts down

          • Major - Major loss of function.
          • Open

          Activity

            Ascending order - Click to sort in descending order
            holyfoot Alexey Botchkov created issue -
            holyfoot Alexey Botchkov made changes -
            Field Original Value New Value
            Description The set of desired features for the Auditing Plugin is big enough.
            And we need to recode the existing plugin significantly to make it all working.
            So v2.0             		The set of desired features for the Auditing Plugin is big enough.
            And we need to recode the existing plugin significantly to make it all working.
            So v2.0

            Features to include in it:
            1. Placeholders instead of the real values for Query Logging.
                   That's needed usually for the security reasons. Particularly important for passwords.

            2. Log rotation based on days

            3. Filtering by ROLE-s.

            4. PRIVILEGES event type.
            serg Sergei Golubchik made changes -
            Workflow defaullt [ 37805 ] MariaDB v2 [ 43454 ]
            ratzpo Rasmus Johansson (Inactive) made changes -
            Workflow MariaDB v2 [ 43454 ] MariaDB v3 [ 62556 ]
            danblack Daniel Black made changes -
            Component/s Plugin - Audit [ 10131 ]
            ralf.gebhardt Ralf Gebhardt made changes -
            serg Sergei Golubchik made changes -
            ralf.gebhardt Ralf Gebhardt made changes -
            ralf.gebhardt Ralf Gebhardt made changes -
            julien.fritsch Julien Fritsch made changes -
            Epic Link PT-73 [ 68549 ]
            ralf.gebhardt Ralf Gebhardt made changes -
            Rank Ranked higher
            ralf.gebhardt Ralf Gebhardt made changes -
            Priority Major [ 3 ] Critical [ 2 ]
            holyfoot Alexey Botchkov made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            holyfoot Alexey Botchkov made changes -
            Fix Version/s 10.4 [ 22408 ]
            ralf.gebhardt Ralf Gebhardt made changes -
            Description The set of desired features for the Auditing Plugin is big enough.
            And we need to recode the existing plugin significantly to make it all working.
            So v2.0

            Features to include in it:
            1. Placeholders instead of the real values for Query Logging.
                   That's needed usually for the security reasons. Particularly important for passwords.

            2. Log rotation based on days

            3. Filtering by ROLE-s.

            4. PRIVILEGES event type.
            		 The set of desired features for the Auditing Plugin is big enough.
            And we need to recode the existing plugin significantly to make it all working.
            So v2.0

            Features planned to include in it:
            1. filter rules defined per user/role using a system table
            - this will make the parameters server_audit_events, server_audit_excl_users and server_audit_incl_users obsolete
            - thew default behavior without having filter rules defined will be to log all events and for all users

            2. Placeholders instead of the real values for Query Logging.
                   That's needed usually for the security reasons. Particularly important for passwords.

            3. Log rotation based on days

            4. PRIVILEGES event type.
            ralf.gebhardt Ralf Gebhardt made changes -
            ralf.gebhardt Ralf Gebhardt made changes -
            Description The set of desired features for the Auditing Plugin is big enough.
            And we need to recode the existing plugin significantly to make it all working.
            So v2.0

            Features planned to include in it:
            1. filter rules defined per user/role using a system table
            - this will make the parameters server_audit_events, server_audit_excl_users and server_audit_incl_users obsolete
            - thew default behavior without having filter rules defined will be to log all events and for all users

            2. Placeholders instead of the real values for Query Logging.
                   That's needed usually for the security reasons. Particularly important for passwords.

            3. Log rotation based on days

            4. PRIVILEGES event type.
            		The set of desired features for the Auditing Plugin is big enough.
            And we need to recode the existing plugin significantly to make it all working.
            So v2.0

            Features planned to include in it:
            1. filter rules defined per user/role using a system table
            - this will make the parameters server_audit_events, server_audit_excl_users and server_audit_incl_users obsolete
            - thew default behavior without having filter rules defined will be to log all events and for all users

            2. Propagating Auditing Setting to log files
            For Auditing it is of value to know the settings an audit log is based on.
            When creating a new file, current settings should be added. A new event type could be used, like AUDIT_CONFIG and can be enabled via a system variable.

            In the same format current used for the auditing rows it could look like:

            20180307 22:57:20,,,,,,AUDIT_CONFIG,,'server_audit_syslog_priority=LOG_INFO',0

            3. Logging for changes of auditing settings
            As audit logging settings can be changed dynamically, should be possible to log changes to the audit settings itself, although events like QUERY are disabled ( a SET command used). The same format could be used as above, but just reporting the new value.

            4. Placeholders instead of the real values for Query Logging.
                   That's needed usually for the security reasons. Particularly important for passwords.

            5. Log rotation based on days

            6. PRIVILEGES event type.
            ralf.gebhardt Ralf Gebhardt made changes -
            ralf.gebhardt Ralf Gebhardt made changes -
            Description The set of desired features for the Auditing Plugin is big enough.
            And we need to recode the existing plugin significantly to make it all working.
            So v2.0

            Features planned to include in it:
            1. filter rules defined per user/role using a system table
            - this will make the parameters server_audit_events, server_audit_excl_users and server_audit_incl_users obsolete
            - thew default behavior without having filter rules defined will be to log all events and for all users

            2. Propagating Auditing Setting to log files
            For Auditing it is of value to know the settings an audit log is based on.
            When creating a new file, current settings should be added. A new event type could be used, like AUDIT_CONFIG and can be enabled via a system variable.

            In the same format current used for the auditing rows it could look like:

            20180307 22:57:20,,,,,,AUDIT_CONFIG,,'server_audit_syslog_priority=LOG_INFO',0

            3. Logging for changes of auditing settings
            As audit logging settings can be changed dynamically, should be possible to log changes to the audit settings itself, although events like QUERY are disabled ( a SET command used). The same format could be used as above, but just reporting the new value.

            4. Placeholders instead of the real values for Query Logging.
                   That's needed usually for the security reasons. Particularly important for passwords.

            5. Log rotation based on days

            6. PRIVILEGES event type.
            		The set of desired features for the Auditing Plugin is big enough.
            And we need to recode the existing plugin significantly to make it all working.
            So v2.0

            Features planned to include in it:
            1. filter rules defined per user/role using a system table
            - this will make the parameters server_audit_events, server_audit_excl_users and server_audit_incl_users obsolete
            - thew default behavior without having filter rules defined will be to log all events and for all users
            - user should be user@host for different filtering per host

            2. Propagating Auditing Setting to log files
            For Auditing it is of value to know the settings an audit log is based on.
            When creating a new file, current settings should be added. A new event type could be used, like AUDIT_CONFIG and can be enabled via a system variable.

            In the same format current used for the auditing rows it could look like:

            20180307 22:57:20,,,,,,AUDIT_CONFIG,,'server_audit_syslog_priority=LOG_INFO',0

            3. Logging for changes of auditing settings
            As audit logging settings can be changed dynamically, should be possible to log changes to the audit settings itself, although events like QUERY are disabled ( a SET command used). The same format could be used as above, but just reporting the new value.

            4. Placeholders instead of the real values for Query Logging.
                   That's needed usually for the security reasons. Particularly important for passwords.

            5. Log rotation based on days

            6. PRIVILEGES event type.
            ralf.gebhardt Ralf Gebhardt made changes -
            ralf.gebhardt Ralf Gebhardt made changes -
            ralf.gebhardt Ralf Gebhardt made changes -
            holyfoot Alexey Botchkov made changes -
            ralf.gebhardt Ralf Gebhardt made changes -
            NRE Projects RM_104_security RM_104_security RM_104_postRC
            julien.fritsch Julien Fritsch made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            ralf.gebhardt Ralf Gebhardt made changes -
            Fix Version/s 10.4 [ 22408 ]
            ralf.gebhardt Ralf Gebhardt made changes -
            Epic Link PT-73 [ 68549 ]
            holyfoot Alexey Botchkov made changes -
            Status In Progress [ 3 ] Stalled [ 10000 ]
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 62556 ] MariaDB v4 [ 131633 ]
            julien.fritsch Julien Fritsch made changes -
            Assignee Alexey Botchkov [ holyfoot ] Dmitry Shulga [ JIRAUSER47315 ]
            ralf.gebhardt Ralf Gebhardt made changes -
            Fix Version/s N/A [ 14700 ]
            Assignee Dmitry Shulga [ JIRAUSER47315 ]
            Resolution Won't Do [ 10201 ]
            Status Stalled [ 10000 ] Closed [ 6 ]

            People

              Unassigned Unassigned
              holyfoot Alexey Botchkov
              Votes:
              8 Vote for this issue
              Watchers:
              16 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.