[MDEV-17456] Malicious SUPER user can possibly change audit log configuration without leaving traces Created: 2018-10-15 Updated: 2020-08-25 Resolved: 2019-05-19 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Plugin - Audit |
| Affects Version/s: | 10.2.18, 10.3.10 |
| Fix Version/s: | 10.2.25, 10.3.16, 10.4.6 |
| Type: | Bug | Priority: | Major |
| Reporter: | Hartmut Holzgraefe | Assignee: | Alexey Botchkov |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Description |
|
SET queries are only logged in the audit log when server_audit_events=QUERY is set, not with the more specific QUERY_* sub-modes. So when e.g. using server_audit_events=QUERY_DCL queries that change the logging behavior, like e.g.:
This way a malicious user with SUPER privileges (but without file system level access to the server config files) could temporarily disable audit logging and then modify data without leaving a real trace. IMHO queries changing the audit log configuration, so any SET operating on a server_audit_% variable, should appear in the log even if full QUERY mode is not set, or at least be included in QUERY_DCL mode. Or, alternatively, there should be an option to outright ban any dynamic change of server_audit_% variables, e.g. something like
that could be used to remove the DYNAMIC attribute from all audit plugin variables, and so to prevent runtime changes to audit log configuration. |
| Comments |
| Comment by Elena Stepanova [ 2018-10-15 ] |
|
Assigned to serg to decide how we conceptually deal with the idea of "malicious SUPER user" from the security point of view. After that it will probably go to holyfoot. |
| Comment by Alexey Botchkov [ 2019-04-28 ] |
|
http://lists.askmonty.org/pipermail/commits/2019-April/013696.html The SET server_audit_logging=off statement has to be logged always. |
| Comment by Geoff Montee (Inactive) [ 2019-05-16 ] |
|
Since the server_audit_% system variables can affect the audit logging configuration, it may be a good idea to make "SET GLOBAL" followed by any server_audit_% system variable a special case that is always logged, regardless of the value of server_audit_events. See also MDEV-14713 for a related request. |
| Comment by Julien Fritsch [ 2019-05-17 ] |
|
holyfoot See the last inputs from Support, this is unfortunately not fixed yet for customers. |
| Comment by Alexey Botchkov [ 2019-05-19 ] |
|
http://lists.askmonty.org/pipermail/commits/2019-May/013791.html |
| Comment by Geoff Montee (Inactive) [ 2019-06-21 ] |
|
I executed the following queries in MariaDB 10.2.25:
The audit log only contains the following:
So it does not look like this has been fixed yet. |
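
The special case discussed in this ticket, turned into a defender-side check over the audit log file (an added example, not part of the ticket or the plugin's code): it flags every logged `SET` that assigns a `server_audit_%` variable. The comma-separated record layout and the sample records are assumptions, constructed for illustration.

```python
import re

# SET statement that assigns any server_audit_* system variable, e.g.
# "SET GLOBAL server_audit_logging=OFF" or "set @@global.server_audit_logging = 0".
AUDIT_SET_RE = re.compile(r"^\s*SET\b.*?\b(server_audit_\w+)\s*:?=", re.I | re.S)
LOGGING_OFF_RE = re.compile(r"\bserver_audit_logging\s*:?=\s*(off|0|false)\b", re.I)

def parse_audit_line(line):
    """Parse one record; assumed layout of the file output format:
    timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
    """
    parts = line.rstrip("\r\n").split(",", 8)
    if len(parts) != 9:
        return None
    # The object field holds the quoted statement and may itself contain
    # commas, so the return code is taken from the right-hand end.
    statement, _, retcode = parts[8].rpartition(",")
    if len(statement) >= 2 and statement[0] == statement[-1] == "'":
        statement = statement[1:-1]
    return {"timestamp": parts[0], "user": parts[2], "host": parts[3],
            "operation": parts[6], "statement": statement, "retcode": retcode}

def find_audit_config_changes(lines):
    """Return QUERY records whose statement sets a server_audit_* variable."""
    findings = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["operation"] != "QUERY":
            continue
        m = AUDIT_SET_RE.search(rec["statement"])
        if m:
            rec["variable"] = m.group(1).lower()
            rec["disables_logging"] = bool(LOGGING_OFF_RE.search(rec["statement"]))
            findings.append(rec)
    return findings

# Constructed sample records, not taken from the ticket.
SAMPLE_LOG = [
    "20190621 10:15:01,db1,root,localhost,12,101,QUERY,test,'GRANT SELECT ON test.* TO app@localhost',0",
    "20190621 10:15:09,db1,root,localhost,12,102,QUERY,test,'SET GLOBAL server_audit_logging=OFF',0",
    "20190621 10:16:31,db1,app,10.0.0.5,13,110,QUERY,test,'SELECT a, b FROM t WHERE c = 1',0",
    "20190621 10:17:02,db1,app,10.0.0.5,13,111,QUERY,test,'set @@global.server_audit_logging = 0',1227",
    "20190621 10:18:40,db1,root,localhost,12,120,QUERY,test,'SET GLOBAL server_audit_file_rotate_size=1000000',0",
]

if __name__ == "__main__":
    for f in find_audit_config_changes(SAMPLE_LOG):
        print(f["timestamp"], f["user"], f["variable"], f["disables_logging"], f["retcode"])
```

The check can only see statements the plugin actually wrote; as the description states, on affected versions SET queries reach the log only when server_audit_events=QUERY is set.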