STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021: STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021:SV-235105r638812_rule
V-235105
SRG-APP-000091-DB-000066
MYS8-00-001800
CAT II
10
If currently required, configure the MySQL Database Server to produce audit records when audit when privileges/permissions are retrieved.
See the supplemental file "MySQL80Audit.sql".
Review the system documentation to determine if MySQL Server is required to audit the retrieval of privilege/permission/role membership information.
Check if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.
To further check, execute the following query:
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'audit%';
The status of the audit_log plugin must be "active". If it is not "active", this is a finding.
Review audit filters and associated users by running the following queries:
SELECT `audit_log_filter`.`NAME`,
`audit_log_filter`.`FILTER`
FROM `mysql`.`audit_log_filter`;
SELECT `audit_log_user`.`USER`,
`audit_log_user`.`HOST`,
`audit_log_user`.`FILTERNAME`
FROM `mysql`.`audit_log_user`;
All currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.
To check if the audit filters that are in place are generating records when privileges/permissions are retrieved, run the following query:
select * from mysql.proxies_priv;
Review the audit log by running the Linux command:
sudo cat <directory where audit log files are located>/audit.log|egrep proxies_prim
For example if the values returned by - "select @@datadir, @@audit_log_file;" are /usr/local/mysql/data/, audit.log
ls -l /usr/local/mysql/data/audit.log
The audit data will look similar to the example below:
{ "timestamp": "2020-08-19 21:03:39", "id": 13, "class": "general", "event": "status", "connection_id": 9, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "::1", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "select", "query": "select * from mysql.proxies_priv\nLIMIT 0, 1000", "status": 0 } },
If the audit event is not present, this is a finding.
V-235105
False
MYS8-00-001800
Review the system documentation to determine if MySQL Server is required to audit the retrieval of privilege/permission/role membership information.
Check if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.
To further check, execute the following query:
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'audit%';
The status of the audit_log plugin must be "active". If it is not "active", this is a finding.
Review audit filters and associated users by running the following queries:
SELECT `audit_log_filter`.`NAME`,
`audit_log_filter`.`FILTER`
FROM `mysql`.`audit_log_filter`;
SELECT `audit_log_user`.`USER`,
`audit_log_user`.`HOST`,
`audit_log_user`.`FILTERNAME`
FROM `mysql`.`audit_log_user`;
All currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.
To check if the audit filters that are in place are generating records when privileges/permissions are retrieved, run the following query:
select * from mysql.proxies_priv;
Review the audit log by running the Linux command:
sudo cat <directory where audit log files are located>/audit.log|egrep proxies_prim
For example if the values returned by - "select @@datadir, @@audit_log_file;" are /usr/local/mysql/data/, audit.log
ls -l /usr/local/mysql/data/audit.log
The audit data will look similar to the example below:
{ "timestamp": "2020-08-19 21:03:39", "id": 13, "class": "general", "event": "status", "connection_id": 9, "account": { "user": "root", "host": "localhost" }, "login": { "user": "root", "os": "", "ip": "::1", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "select", "query": "select * from mysql.proxies_priv\nLIMIT 0, 1000", "status": 0 } },
If the audit event is not present, this is a finding.
M
5277