audit_log plugin filtering not working with audit_log_policy=ALL

Bug #1685290 reported by mark
Affects: Percona Server (moved to https://jira.percona.com/projects/PS) | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

With audit_log_policy=ALL and audit_log_include_accounts='user@%' filtering doesn't work.

If audit_log_policy=LOGIN and audit_log_include_accounts='user@%' filtering does work.

mysql> select version();
+---------------+
| version()     |
+---------------+
| 5.7.17-11-log |
+---------------+

mysql> select PLUGIN_NAME,PLUGIN_VERSION,LOAD_OPTION from information_schema.plugins where PLUGIN_NAME like 'audit%';
+-------------+----------------+-------------+
| PLUGIN_NAME | PLUGIN_VERSION | LOAD_OPTION |
+-------------+----------------+-------------+
| audit_log   | 0.2            | ON          |
+-------------+----------------+-------------+

Audit plugin configuration set for logging all logins without filtering:

mysql> show global variables like 'audit%';
+-----------------------------+---------------------------+
| Variable_name               | Value                     |
+-----------------------------+---------------------------+
| audit_log_buffer_size       | 4096                      |
| audit_log_exclude_accounts  |                           |
| audit_log_exclude_commands  |                           |
| audit_log_exclude_databases |                           |
| audit_log_file              | /logs/auditlogs/audit.log |
| audit_log_flush             | OFF                       |
| audit_log_format            | JSON                      |
| audit_log_handler           | FILE                      |
| audit_log_include_accounts  |                           |
| audit_log_include_commands  |                           |
| audit_log_include_databases |                           |
| audit_log_policy            | LOGINS                    |
| audit_log_rotate_on_size    | 5368709120                |
| audit_log_rotations         | 10                        |
| audit_log_strategy          | ASYNCHRONOUS              |
| audit_log_syslog_facility   | LOG_USER                  |
| audit_log_syslog_ident      | percona-audit             |
| audit_log_syslog_priority   | LOG_INFO                  |
+-----------------------------+---------------------------+

Tags: audit
Krunal Bauskar (krunal-bauskar) wrote :

1. PXC behavior is the same as PS. Since PXC hasn't changed anything in audit-log, it is inheriting the same behavior as PS.

2. That said, let's understand whether PS behavior is correct:

CASE-a:

If audit_log_policy=ALL and audit_log_include_accounts='user@%', existing connections are not affected. Any commands coming from existing connections will continue to get logged.

New connections will respect the filtering rules.

CASE-b:

audit_log_policy=LOGINS and audit_log_include_accounts='user@%'. In this case, existing connections' commands are also affected. In short, the new settings are applied to existing connections too.

But there is a small semantic catch.

What is being enforced is audit_log_policy. In this case it is LOGINS, so only login commands should be logged, and since the existing connection is not opening new logins, there is no command to log.

As against this, in CASE-a audit_log_policy=ALL, so existing connections will try to log all the commands, and the other setting, audit_log_include_accounts, is not being enforced on existing connections.

---------------------------

To summarize:

a. Changes to audit-logs configuration are working as expected with new connections.

b. Changes to audit-logs configuration are partially (audit_log_policy is respected but not audit_log_include_accounts) being used with existing connections.

---------------------------

I have validated the behavior with PS and PXC. Since PXC is only inheriting this issue, I will let the PS team decide on semantics. PXC will inherit it in due course.

affects: percona-xtradb-cluster → percona-server
tags: added: audit
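Because existing connections keep logging under audit_log_policy=ALL after audit_log_include_accounts changes, the filter's effect should be verified in the log itself rather than assumed. The following added check (example code, not part of this report or of the Percona plugin) replays audit_log_format=JSON records against a LIKE-style include list and reports the connections whose records should have been filtered; the JSON field layout is assumed from the plugin's documented output and the sample records are constructed.

```python
import json
import re

# Constructed sample of audit_log JSON records (field layout assumed from the
# plugin's documented output). Connection 7 is the 'user' account the filter
# should keep; connection 3 is a pre-existing root session that kept logging.
SAMPLE_LOG = """
{"audit_record":{"name":"Connect","record":"1_2017-02-22T10:00:00","timestamp":"2017-02-22T10:00:00 UTC","connection_id":"7","status":0,"user":"user","priv_user":"user","os_login":"","proxy_user":"","host":"app1","ip":"10.0.0.5","db":"shop"}}
{"audit_record":{"name":"Query","record":"2_2017-02-22T10:00:01","timestamp":"2017-02-22T10:00:01 UTC","command_class":"select","connection_id":"7","status":0,"sqltext":"select 1","user":"user[user] @ app1 [10.0.0.5]","host":"app1","os_user":"","ip":"10.0.0.5","db":"shop"}}
{"audit_record":{"name":"Query","record":"3_2017-02-22T10:00:02","timestamp":"2017-02-22T10:00:02 UTC","command_class":"select","connection_id":"3","status":0,"sqltext":"select version()","user":"root[root] @ localhost []","host":"localhost","os_user":"","ip":"","db":""}}
{"audit_record":{"name":"Quit","record":"4_2017-02-22T10:00:03","timestamp":"2017-02-22T10:00:03 UTC","connection_id":"3","status":0}}
"""


def like_to_regex(pattern):
    """Translate a MySQL LIKE-style account pattern such as 'user@%' into a regex."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def account_of(record):
    """Return 'user@host' for a record, or None when it carries no account.
    Connect records have separate user/host fields; Query records pack the
    account as 'user[priv_user] @ host [ip]'."""
    user = record.get("user")
    if user is None:
        return None
    m = re.match(r"^([^\[\s]+)(?:\[[^\]]*\])?\s*@\s*(\S*)", user)
    if m:
        return f"{m.group(1)}@{m.group(2)}"
    return f"{user}@{record.get('host', '')}"


def unexpected_records(log_text, include_accounts):
    """Return (connection_id, event, account) for every record whose account
    matches none of the include patterns. An effective filter yields an empty
    list; leftovers identify connections that predate the filter change."""
    patterns = [like_to_regex(p.strip()) for p in include_accounts.split(",") if p.strip()]
    leaked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)["audit_record"]
        acct = account_of(rec)
        if acct is not None and not any(p.match(acct) for p in patterns):
            leaked.append((rec["connection_id"], rec["name"], acct))
    return leaked
```

Connections reported here can be reconnected so that they pick up the new filter, or the include list can be widened, depending on which outcome is intended.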
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports, so this bug report has been migrated to: https://jira.percona.com/browse/PS-3688
