Percona audit plugin and maximum length of system variable audit_log_exclude_accounts

malmi · August 5, 2022, 9:51am

Hi,
I’m using Percona-Server-server-57-5.7.33-36.1.el7.x86_64
and audit plugin is in the following version

mysql> SELECT * FROM information_schema.PLUGINS WHERE PLUGIN_NAME LIKE '%audit%'\G
*************************** 1. row ***************************
           PLUGIN_NAME: audit_log
        PLUGIN_VERSION: 0.2
         PLUGIN_STATUS: ACTIVE
           PLUGIN_TYPE: AUDIT
   PLUGIN_TYPE_VERSION: 4.1
        PLUGIN_LIBRARY: audit_log.so
PLUGIN_LIBRARY_VERSION: 1.7
         PLUGIN_AUTHOR: Percona LLC and/or its affiliates.
    PLUGIN_DESCRIPTION: Audit log
        PLUGIN_LICENSE: GPL
           LOAD_OPTION: ON
1 row in set (0.02 sec)

I have around 20 application users and around 15 application servers where each application(user) may run and connect to a database. Thus the list is quite long.
I don’t want to audit those users so I put the list in audit_log_exclude_accounts in /etc/my.cnf file
Unfortunately mysql server is not starting, the following error is raised

[ERROR] unknown option '--56.68.27 [and more users (subsequent entries in audit_log_exclude_accounts) listed afterwards]

What I was able to spot is that if line size with audit_log_exclude_accounts (in /etc/my.cnf) is up to 4094 characters, the server starts properly.

Are there any limitations on audit_log_exclude_accounts maximum length?
Maybe it’s a general mysql system variable limitation?
Anyone had such an issue?

Regards,
Michał

matthewb · August 5, 2022, 3:34pm

Can you do the inverse?

audit_log_include_accounts: The accounts to include in audit logging. If this variable is set, only these accounts are audited.

malmi · August 6, 2022, 5:37am

I know this option but it would cause other difficulties: each time new employee joins a company, an administrator must remember to add his/her account to auditing.
From security point of view this is error prone and I don’t want to use it.
I prefer to find a solution (or at least understand) why there is a limit on the variable length.

Regards,
Michał

malmi · August 9, 2022, 11:33am

It looks like it’s rather a general issue: if there is a line more than 4094 characters long, the server won’t start.
You can try add the following as a comment (use # at the beginning)

tr -dc A-Za-z0-9 </dev/urandom | head -c 4093 ; echo 'This will cause overflow'

and when starting mysql you will receive

[ERROR] unknown option '--This will cause overflow'

Any ideas how to solve it?
Can someone help me identify entry point for reading my.cnf configuration file in the source code?

Regards,
Michał

Topic		Replies	Views
Audit plugin excluded accounts still being logged Other MySQL® Questions mysql , percona	1	800	September 26, 2022
audit plugin audit_log_exclude_accounts not working in 5.7.24-27 Other MySQL® Questions	11	2154	December 8, 2020
About the user filtering of mysql percona audit plugin Percona Server for MySQL 5.7	0	1006	January 14, 2019
Audit plugin include/exclude accounts doesn't seem to work Percona Monitoring Plugins	9	2233	December 10, 2020
Audit plugin include/exclude accounts doesn't seem to work Percona Monitoring Plugins	8	1589	December 11, 2020

Percona audit plugin and maximum length of system variable audit_log_exclude_accounts

Related topics