STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 28 Jan 2021

The MySQL Database Server 8.0 must initiate session auditing upon startup.

DISA Rule

SV-235159r638812_rule

Vulnerability Number

V-235159

Group Title

SRG-APP-000092-DB-000208

Rule Version

MYS8-00-007800

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the MySQL Audit to automatically start during system startup.
Add to the my.cnf:

[mysqld]
plugin-load-add=audit_log.so
audit-log=FORCE_PLUS_PERMANENT
audit-log-format=JSON

Check Contents

Determine if an audit is configured and enabled.

The my.cnf file will set the variable audit_file.

Review the my.cnf file for the following entries:
[mysqld]
plugin-load-add=audit_log.so
audit-log=FORCE_PLUS_PERMANENT

If these entries are not present, this is a finding.

Execute the following query:
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'audit%';

The status of the "audit_log" plugin must be "active". If it is not "active", this is a finding.

Review audit filters and associated users by running the following queries:
SELECT `audit_log_filter`.`NAME`,
`audit_log_filter`.`FILTER`
FROM `mysql`.`audit_log_filter`;

SELECT `audit_log_user`.`USER`,
`audit_log_user`.`HOST`,
`audit_log_user`.`FILTERNAME`
FROM `mysql`.`audit_log_user`;

All currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.
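
The my.cnf review step above can be scripted. The following is an added example, not part of the STIG text: it reads only the [mysqld] group, treats dashes and underscores in option names as equivalent, and ignores commented-out lines. It assumes a single file (it does not follow !include or !includedir directives), and it does not replace the INFORMATION_SCHEMA.PLUGINS query, which shows what the running server actually loaded.

```python
import re

def mysqld_options(cnf_text):
    """Collect options from the [mysqld] group only: {name: [values]}."""
    opts, group = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' comments may start mid-line
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            group = header.group(1).lower()
            continue
        if group != "mysqld":
            continue
        name, _, value = line.partition("=")
        # MySQL treats '-' and '_' in option names as interchangeable.
        name = name.strip().lower().replace("-", "_")
        opts.setdefault(name, []).append(value.strip().strip("'\""))
    return opts

def findings(cnf_text):
    """Return a list of findings for the two entries the check requires."""
    opts, out = mysqld_options(cnf_text), []
    if not any("audit_log.so" in v for v in opts.get("plugin_load_add", [])):
        out.append("plugin-load-add=audit_log.so not set under [mysqld]")
    # Assumption: when an option is repeated, the last value is the effective one.
    mode = opts.get("audit_log", [""])[-1]
    if mode.upper() != "FORCE_PLUS_PERMANENT":
        out.append("audit-log is %r, not FORCE_PLUS_PERMANENT" % mode)
    return out

# Constructed sample files, not taken from a real server.
COMPLIANT = """[mysqld]
plugin_load_add = audit_log.so   # underscore spelling
audit-log=FORCE_PLUS_PERMANENT
audit-log-format=JSON
"""
NONCOMPLIANT = """[client]
plugin-load-add=audit_log.so
[mysqld]
# plugin-load-add=audit_log.so
audit-log=ON
"""

if __name__ == "__main__":
    for label, text in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, findings(text) or "no findings")
```

The second sample produces two findings: the plugin load line sits under [client] and is commented out under [mysqld], and audit-log=ON enables the plugin without the FORCE_PLUS_PERMANENT value the check requires.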

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5277

Comments