3.4 Ensure 'slow_query_log' Has Appropriate Permissions

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

MariaDB can operate using a variety of log files, each used for a different purpose. These are the binary log (which can be encrypted), error log, slow query log, relay log, general log, and, in the enterprise edition, the audit log (which can be encrypted). Because these are files on the host operating system, they are subject to the permissions and ownership structure provided by the host and may be accessible by users other than the MariaDB user. Additionally, secure key management and MariaDB encryption at rest can further protect data from OS users.

Much of the information about the state of MariaDB exists in MariaDB itself, in the performance_schema or information_schema. If you can get the information you need from within MariaDB, that is more secure because it does not require OS access. If you are not going to use log files, it is best to leave them disabled (do not enable them) and remove any prior logs.

Rationale:

Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MariaDB logs.

Impact:

Changing the permissions of the log files may impact monitoring tools which use a log file adapter. Also, the slow query log can be used for performance analysis by application developers.

Performance information is also available in the MariaDB performance_schema or sys schema views. Where the information you need is available within a running MariaDB, disable the slow query log and use these methods instead, as they are more secure and do not require OS login and access.

Solution

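Set the slow query log to OFF (use the SYS schema views or query Performance_Schema instead):

-- MariaDB does not support SET PERSIST; also set slow_query_log=OFF under [mysqld] in the server option file so the change survives a restart
SET GLOBAL slow_query_log = OFF;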

If the slow query log is enabled, execute the following commands to correct permissions and ownership:

chmod 660 <log file>
chown mysql:mysql <log file>
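
The check behind this control can be scripted as below. This is an added example, not part of the benchmark or the audit file. It assumes GNU stat on Linux and a mariadb client that can authenticate (for example via ~/.my.cnf); the function names check_log_perms and audit_slow_query_log are hypothetical.

```shell
#!/bin/sh
# Added example: audit check for the slow query log file (assumes GNU stat).

# check_log_perms FILE [OWNER] [GROUP]
# Returns 0 if compliant, 1 if non-compliant, 2 if the file does not exist.
check_log_perms() {
    file=$1; want_owner=${2:-mysql}; want_group=${3:-mysql}
    if [ ! -f "$file" ]; then
        echo "SKIP: $file does not exist"
        return 2
    fi
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    rc=0
    # Any bit outside 0660 (other access, execute, setuid/setgid/sticky) fails.
    extra=$(( 0$mode & ~0660 & 07777 ))
    if [ "$extra" -ne 0 ]; then
        echo "FAIL: $file mode $mode is more permissive than 660"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL: $file is owned by $owner:$group, expected $want_owner:$want_group"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS: $file mode $mode owner $owner:$group"
    fi
    return "$rc"
}

# audit_slow_query_log: ask the server where the log is, then check the file.
audit_slow_query_log() {
    row=$(mariadb -N -B -e 'SELECT @@slow_query_log, @@slow_query_log_file, @@datadir') || return 2
    enabled=$(printf '%s' "$row" | cut -f1)
    logfile=$(printf '%s' "$row" | cut -f2)
    datadir=$(printf '%s' "$row" | cut -f3)
    if [ "$enabled" = "0" ]; then
        echo "PASS: slow_query_log is OFF"
        return 0
    fi
    # A relative slow_query_log_file is resolved against the data directory.
    case $logfile in
        /*) ;;
        *) logfile="${datadir%/}/$logfile" ;;
    esac
    check_log_perms "$logfile"
}
```

Run audit_slow_query_log on the database host as a user allowed to stat the data directory; a mode stricter than 660, such as 600, also passes.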

Default Value:

Slow query log is off by default.

See Also

https://workbench.cisecurity.org/benchmarks/12270