Detections
Analytics
MYS8-00-000300 - MySQL Database Server 8.0 must produce audit records containing sufficient information to establish what type of events occurred - data directory
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
Information system auditing capability is critical for accurate forensic analysis. Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.Audit record content that may be necessary to satisfy the requirement of this policy includes, for example, time stamps, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
Associating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.
Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly what actions were performed. This requires specific information regarding the event type to which an audit record refers. If event type information is not recorded and stored with the audit record, the record itself is of very limited use.
MySQL provides auditing using the MySQL Enterprise Audit Log Plugin. When installed, the audit plugin enables MySQL Server to produce a log file containing an audit record of server activity. The log contents include when clients connect and disconnect, and what actions they perform while connected, such as which databases and tables they access.
Solution
Configure DBMS auditing to audit standard and organization-defined auditable events, with the audit record to include what type of event occurred.Use this process to ensure auditable events are captured:
Configure MySQL database server 8.0 for auditing and configure audit settings to include required events as part of the audit record.
To install MySQL Enterprise Audit:
Run the audit_log_filter_linux_install.sql script located in the sharedirectory of your MySQL installation. This can be determined by running - select @@basedir;
For example if the basedir is /usr/local/mysql
shell> bin/mysql -u root -p < /usr/local/mysql/share/audit_log_filter_linux_install.sql
Verify the plugin installation by running:
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'audit%';
The value for audit_log should return ACTIVE.
To prevent the plugin from being removed at runtime, add the --audit-log option under the [mysqld] option group in the MySQL configuration file (/etc/my.cnf) with a setting of FORCE_PLUS_PERMANENT.
audit-log=FORCE_PLUS_PERMANENT
Restart the server to apply the configuration change.
By default, rule-based audit log filtering logs no auditable events for any users. To produce log-everything behavior with rule-based filtering, create a filter to enable logging of all events and assign it to the audit all accounts.
Run the following statements to filter all activity for all users:
SELECT audit_log_filter_set_filter('log_all', '{ 'filter': { 'log': true } }');
SELECT audit_log_filter_set_user('%', 'log_all');
SELECT audit_log_filter_set_user('%', 'log_all');
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_MySQL_8-0_V1R2_STIG.zip
Item Details
Audit Name: DISA Oracle MySQL 8.0 v1r2 OS Linux
References: CAT|II, CCI|CCI-000130, Rule-ID|SV-235097r623413_rule, STIG-ID|MYS8-00-000300, Vuln-ID|V-235097
Plugin: Unix
Control ID: 721505006a401059f112e7edae6f2be62ef5074540a81b47cd7ba9b3290489bc