MariaDB – Auditing User Account Privileges

auditmariadbpermissionsSecurity

I'm looking to improve the security of my MariaDB installation by better auditing the user accounts and the privileges of each user account.

This database is being provided as a service out to many other users within the enterprise, and in some cases people leave the company or didn't actually need the level of privileges they requested. I'd like to audit the user accounts and see when they last logged in (to make sure users are logging in at least once every 90 days) and auditing the privileges their account has been granted.

Specifically, if possible, I'd like to look which privileges haven't been used within the past 90 days so that I can either alert our service team or (in the future) automatically revoke privileges which are not being used (with the exception of some of the disaster recovery accounts or security teams).

Any guidance on how to proceed with identifying account usage either in the general account access or in the more detailed privilege usage would be greatly appreciated.

Best Answer

The audit plugin, when enabled, will provide the access information associated with users accounts.

There are also authentication plugins to centrally manage authentication.

Related Solutions

Sql-server – How to configure SQL Server 2012 so that it can restore and see files in the user account

For reference "Denali" is SQL Server 2012. With regards to "end user confusion", I am not all that concerned with whether a end user is confused or not with regards to SSMS. Microsoft did not develop this tool for the normal end user, but for the database administrator and/or a user that had to manage a database. Therefore there will be a learning curve with the tools provided and how they function. The file dialog box has been that way in SSMS since SSMS came out with SQL Server 2005. This is why you will general see most stick with T-SQL statements for backing up, restoring, or attaching a database that have been using it since then.

To configure file system permissions with SQL Server you can follow the instructions from MSDN here.

The way service accounts are handled did not come with or because of SQL Server, it was due to the change on the operating system level. Window Server 2008 R2 put a bit more of a security layer around service accounts. The advantage you have is that the service account can more easily access resources on a domain even if installed with the default settings. This link provides a pretty detailed look at how service account permissions are handled with SQL Server 2012. Excerpt from the link is below on the Virtual Accounts used by default in SQL Server 2012. There is also a link provided in the article that goes into more discussion on the Service Account concept with Windows, here. It is from Window Server 2008 R2 but I believe still holds true on Window Server 2012, and likely Window Server 2012 R2.

Virtual Accounts

Virtual accounts in Windows Server 2008 R2 and Windows 7 are managed local accounts that provide the following features to simplify service administration. The virtual account is auto-managed, and the virtual account can access the network in a domain environment. If the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2 or Windows 7, a virtual account using the instance name as the service name is used, in the format NT SERVICE\. Services that run as virtual accounts access network resources by using the credentials of the computer account in the format \$. When specifying a virtual account to start SQL Server, leave the password blank. If the virtual account fails to register the Service Principal Name (SPN), register the SPN manually. For more information on registering a SPN manually, see Register a Service Principal Name for Kerberos Connections. Note Note Virtual accounts cannot be used for SQL Server Failover Cluster Instance, because the virtual account would not have the same SID on each node of the cluster.

The following table lists examples of virtual account names.

Default instance of the Database Engine service: NT SERVICE\MSSQLSERVER Named instance of a Database Engine service named PAYROLL: NT SERVICE\MSSQL$PAYROLL SQL Server Agent service on the default instance of SQL Server: NT SERVICE\SQLSERVERAGENT SQL Server Agent service on an instance of SQL Server named PAYROLL: NT SERVICE\SQLAGENT$PAYROLL

MySQL Mistake with GRANT OPTION

There is no "mass revoke" statement so you best option to change this is to update the users table:

UPDATE mysql.user SET Grant_priv = 'N' WHERE user != 'root';

Not that occasionally, there are users that should have grant privileges (and should have that) which are not named root. On my system, for example, I have debian-sys-maint (which I actually wonder if they should have grant privileges, but that's how it's installed).

Do not forget to reload the privileges after changing the user table:

FLUSH PRIVILEGES;

You can find more information on http://dev.mysql.com/doc/refman/5.5/en/privilege-changes.html.

Best Answer

Related Solutions

Sql-server – How to configure SQL Server 2012 so that it can restore and see files in the user account

MySQL Mistake with GRANT OPTION

Related Question