[Commits] a529188: MDEV-17456 Malicious SUPER user can possibly change audit log configuration without leaving traces.
revision-id: a529188e05da8060c95eeb4c8caef05adbd6cc6a (mariadb-10.2.23-88-ga529188) parent(s): cd26cdcd974725031e30393ff165fb0dfb365c4d committer: Alexey Botchkov timestamp: 2019-04-29 01:25:17 +0400 message: MDEV-17456 Malicious SUPER user can possibly change audit log configuration without leaving traces. The 'SET server_audit_logging ' statements should be logged no matter what.
---
 mysql-test/suite/plugins/r/server_audit.result | 3 +++
 mysql-test/suite/plugins/t/server_audit.test | 3 +++
 plugin/server_audit/server_audit.c | 7 ++++---
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/mysql-test/suite/plugins/r/server_audit.result b/mysql-test/suite/plugins/r/server_audit.result
index 0709444..b8d2986 100644
--- a/mysql-test/suite/plugins/r/server_audit.result
+++ b/mysql-test/suite/plugins/r/server_audit.result
@@ -212,6 +212,8 @@ select 2;
 2
 2
 drop table t1;
+set global server_audit_logging= off;
+set global server_audit_logging= on;
 set global server_audit_events='';
 set global server_audit_query_log_limit= 15;
 select (1), (2), (3), (4);
@@ -378,6 +380,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1=<secret>',ID
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *****',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'insert into t1 values (1), (2)',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_logging= off',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global serv',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select (1), (2)',0
diff --git a/mysql-test/suite/plugins/t/server_audit.test b/mysql-test/suite/plugins/t/server_audit.test
index fa23dc5..f19c8f5 100644
--- a/mysql-test/suite/plugins/t/server_audit.test
+++ b/mysql-test/suite/plugins/t/server_audit.test
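Review bot: The expected audit output in the second hunk gains a record for `set global server_audit_logging= off` but none for the `set global server_audit_logging= on` that follows it; the next expected line is already the `server_audit_events` statement. If the commit message's "should be logged no matter what" is meant to cover both directions, the re-enable path needs the same treatment and an expected line here. If only disabling is meant to be audited, the test file should say so in a comment next to the two new statements.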
@@ -136,6 +136,9 @@ select * from t1; select 2; drop table t1; +set global server_audit_logging= off; +set global server_audit_logging= on; + set global server_audit_events=''; set global server_audit_query_log_limit= 15; diff --git a/plugin/server_audit/server_audit.c b/plugin/server_audit/server_audit.c index 2f9cd99..f03564e 100644 --- a/plugin/server_audit/server_audit.c +++ b/plugin/server_audit/server_audit.c @@ -15,7 +15,7 @@ #define PLUGIN_VERSION 0x104 -#define PLUGIN_STR_VERSION "1.4.4" +#define PLUGIN_STR_VERSION "1.4.5" #define _my_thread_var loc_thread_var @@ -1623,7 +1623,7 @@ static int log_statement_ex(const struct connection_info *cn, } if (query && !(events & EVENT_QUERY_ALL) && - (events & EVENT_QUERY)) + (events & EVENT_QUERY && !cn->log_always)) { const char *orig_query= query; @@ -2556,9 +2556,10 @@ static void log_current_query(MYSQL_THD thd) if (!ci_needs_setup(cn) && cn->query_length && FILTER(EVENT_QUERY) && do_log_user(cn->user)) { + cn->log_always= 1; log_statement_ex(cn, cn->query_time, thd_get_thread_id(thd), cn->query, cn->query_length, 0, "QUERY"); - cn->log_always= 1; + cn->log_always= 0; } }
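Review bot: The new condition in log_statement_ex, `(events & EVENT_QUERY && !cn->log_always))`, mixes `&` and `&&` without inner parentheses. It parses as intended because `&` binds tighter than `&&`, but in a check that appears to gate query-type filtering of audit records the grouping should be explicit: `((events & EVENT_QUERY) && !cn->log_always))`. A one-line comment such as `/* log_always: bypass query-class filtering for statements that must always be audited */` would record why the flag is consulted here. The function body starts and ends outside this hunk.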
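Review bot: The forced record in log_current_query is still gated by `FILTER(EVENT_QUERY) && do_log_user(cn->user)`, so the "logged no matter what" guarantee in the commit message holds only when both checks pass. Both are defined outside this hunk; if they apply the configured event mask and the per-user filter, a `SET server_audit_logging` statement could presumably still go unrecorded under a restrictive configuration. Consider reducing the guard on this path to `if (!ci_needs_setup(cn) && cn->query_length)`, or documenting why the filters must stay, and extending the test with a restricted `server_audit_events` value. `cn->log_always` is also now cleared after the call where it was previously left set, so any reader of the flag outside this hunk should be re-checked. The function starts outside the hunk.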