We are setting up a password rotation policy to rotate accounts/passwords quarterly. We are also planning to use MySQL/MariaDB/Percona auditing. We need to figure out the most efficient and feasible way to achieve both with minimum intervention at password rotation time.
Explanation: I don't want to edit/add/change the audit filter rule every quarter once we rotate user accounts.
Possible solutions tried:
- Tried auditing a ROLE with permissions, attached to the application accounts (subject to rotation), with NO LUCK, as the audit filter is based on login accounts.
- Configuring exclude_account to (MySQL_schema@localhost), hence logging all other FUTURE user accounts by default, DOESN'T work, as some process and port monitoring (which runs without a MySQL user account) continuously fills up the audit logs, which is again a problem.
- A workable solution is to pre-configure some x accounts with passwords and enable ALL of them in auditing from Day 1. Activate/deactivate one account every quarter, one by one. Reuse the same accounts with different passwords once all accounts have been used.
Looking for a more efficient solution, or has someone managed to work out a similar issue using audit filtering rules?
Best Answer
Assuming you can find a way for your monitoring software to use an actual account, and further assuming your list of trusted/non-audited users is more static, then using the "exclude user" options should mean less maintenance.
To exclude a list of trusted users from being logged, the MariaDB audit plugin has a server_audit_excl_users option, and similarly the Percona audit log plugin has an audit_log_exclude_accounts option.

BTW, regarding rotating users/passwords, you might be interested to know that MariaDB 10.4+ has an expiring password feature.
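The setup the answer describes, written out as an added example (this is not code from the original post, nor from the MariaDB or Percona documentation): the monitoring process gets its own least-privilege account, only that account is excluded from the audit log, and the application accounts are never named in the filter, so a rotation changes only the credential. The account names 'monitor' and 'app', their host parts, the password placeholders and the 90-day interval are assumptions chosen for illustration.

```sql
-- Added example, not from the original post or either vendor's documentation.
-- 'monitor', 'app', the host parts, the placeholder passwords and the 90-day
-- interval are assumptions for illustration.

-- 1. Give the process/port monitor its own least-privilege account so that its
--    polling can be excluded from the audit log by name instead of being logged
--    as anonymous/failed connections.
CREATE USER IF NOT EXISTS 'monitor'@'localhost' IDENTIFIED BY 'change-me';
GRANT PROCESS, REPLICATION CLIENT ON *.* TO 'monitor'@'localhost';

-- 2a. MariaDB server_audit plugin: server_audit_excl_users holds user NAMES
--     only (no @host part), so never reuse the name 'monitor' for an audited
--     account. server_audit_incl_users takes precedence when both are set, so
--     keep the include list empty.
SET GLOBAL server_audit_incl_users = '';
SET GLOBAL server_audit_excl_users = 'monitor';
SET GLOBAL server_audit_events     = 'CONNECT,QUERY_DML,QUERY_DDL,QUERY_DCL';
SET GLOBAL server_audit_logging    = ON;
-- SET GLOBAL does not survive a restart; persist it in my.cnf under [mysqld]:
--   server_audit_excl_users = monitor

-- 2b. Percona audit_log plugin equivalent: the list holds full accounts in
--     user@host form, and the include/exclude lists are mutually exclusive
--     (clear one before setting the other).
-- SET GLOBAL audit_log_exclude_accounts = 'monitor@localhost';

-- 3. Application accounts appear nowhere in the filter. Quarterly rotation
--    only replaces the credential; the audit configuration is untouched.
--    MariaDB 10.4+ can enforce the quarter with password expiry.
ALTER USER 'app'@'%' PASSWORD EXPIRE INTERVAL 90 DAY;
-- Each quarter (before the expiry fires), rotate the secret:
ALTER USER 'app'@'%' IDENTIFIED BY 'new-secret';

-- 4. Verify who is excluded and that the expiry policy stuck.
SHOW GLOBAL VARIABLES LIKE 'server_audit_%_users';
SHOW CREATE USER 'app'@'%';
```

Run this as an account with SUPER (or the equivalent admin privilege) on the server where the audit plugin is already loaded. Point the monitoring software at the 'monitor' account; if it cannot be made to authenticate, its connection attempts will still show up as CONNECT events, which is exactly the noise the question is about.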