MySQL Forums

Re: Is it possible to audit Super user operations?
Posted by: Georgi Kodinov
Date: February 20, 2017 08:32AM

FYI MySQL does not bundle an audit plugin in the standard edition iirc (if by that you mean the community edition).
So I *hope* you're not using one of the clones and trying to get support for it here.

I will assume that you're using MySQL enterprise edition. In that case your best source for help is Oracle Support (which you also have in your subscription).

But I will try to answer your question here too.

We can't filter on privileges used at this point. So as a workaround you can filter on user accounts that you know have that privilege.
When it comes to SUPER, this is a very acceptable workaround since you'll need to keep this privilege under tight control anyways.

You can tune which users to log data for and even exactly what data to log. For the simple way check https://dev.mysql.com/doc/refman/5.7/en/audit-log-reference.html#sysvar_audit_log_include_accounts and https://dev.mysql.com/doc/refman/5.7/en/audit-log-reference.html#sysvar_audit_log_exclude_accounts.

This is a simple list of user accounts to log and not to log, a.k.a. "legacy mode audit filtering". List all of your super user accounts into --audit-log-include-accounts and you're set.

But you can do better than that too. You can define very complex filters using the JSON filtering language. With it you can e.g. be more flexible and not have to list all the accounts if they have common characteristics you can check on.

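One way to build the `audit_log_include_accounts` list described in the post from the grant tables instead of typing it by hand. This is an added example, not part of the original post; it assumes MySQL 5.7 with the audit log plugin in legacy filtering mode and account names that contain no commas or quote characters.

```sql
-- Added example: derive the legacy-mode include list from accounts holding SUPER.
-- Assumptions: MySQL 5.7, audit log plugin installed, legacy filtering mode,
-- account names without commas or quote characters.

-- GROUP_CONCAT() silently truncates its result at group_concat_max_len
-- (default 1024), which would drop accounts from the end of the list.
SET SESSION group_concat_max_len = 65535;

-- SUPER is a global privilege, so in 5.7 it is recorded only in mysql.user.
SELECT GROUP_CONCAT(CONCAT(User, '@', Host)
                    ORDER BY User, Host SEPARATOR ',')
  INTO @super_accounts
  FROM mysql.user
 WHERE Super_priv = 'Y';

-- Review the list before applying it. A NULL result means no account
-- holds SUPER; setting the variable to NULL removes the include filter.
SELECT @super_accounts AS accounts_to_audit;

-- The include and exclude lists are mutually exclusive, so clear the
-- exclude list before setting the include list.
SET GLOBAL audit_log_exclude_accounts = NULL;
SET GLOBAL audit_log_include_accounts = @super_accounts;

-- Confirm the value the plugin is now using.
SELECT @@GLOBAL.audit_log_include_accounts;

-- SET GLOBAL does not survive a restart in 5.7: copy the reviewed value
-- into the [mysqld] section of the option file as well.
```

The list is a snapshot, so rerun the query whenever SUPER is granted or revoked; otherwise a newly privileged account is not audited.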

