Control: 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
Description
Enable audit_log_enabled on MySQL Servers.
Enabling audit_log_enabled helps MySQL Database to log items such as connection attempts to the server, DDL/DML access, and more. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.
Remediation
From Azure Portal
- Login to Azure Portal using https://portal.azure.com.
- Select Azure Database for MySQL Servers.
- Select a database.
- Under Settings, select Server parameters.
- Update the audit_log_enabled parameter to ON.
- Under Monitoring, select Diagnostic settings.
- Select + Add diagnostic setting.
- Provide a diagnostic setting name.
- Under Categories, select MySQL Audit Logs.
- Specify destination details.
- Click Save.
It may take up to 10 minutes for the logs to appear in the configured destination.
Default Value
audit_log_enabled is set to OFF by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v210_4_4_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v210_4_4_3 --share
SQL
This control uses a named query:
select
  s.id as resource,
  case
    when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'
    else 'ok'
  end as status,
  case
    when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter audit_log_enabled off.'
    else s.name || ' server parameter audit_log_enabled on.'
  end as reason,
  s.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_mysql_server as s,
  jsonb_array_elements(server_configurations) config,
  azure_subscription sub
where
  config ->> 'Name' = 'audit_log_enabled'
  and sub.subscription_id = s.subscription_id;
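The same status rule applied offline to a constructed sample shaped like the server_configurations column the query walks (each element carries a Name and ConfigurationProperties.value). This is an added example, not part of the Powerpipe mod; the server names and values are made up. It goes one step beyond the query: a server whose server_configurations has no audit_log_enabled row yields no rows from the jsonb_array_elements join and so never appears in the control output, whereas here it is reported as an alarm.

```python
import json

# Constructed sample data (not real Azure output): three MySQL servers with the
# same element shape the control's query reads, Name + ConfigurationProperties.value.
SAMPLE_SERVERS = json.loads("""
[
  {"name": "mysql-prod", "server_configurations": [
      {"Name": "audit_log_enabled", "ConfigurationProperties": {"value": "ON"}}]},
  {"name": "mysql-dev", "server_configurations": [
      {"Name": "audit_log_enabled", "ConfigurationProperties": {"value": "off"}}]},
  {"name": "mysql-legacy", "server_configurations": [
      {"Name": "slow_query_log", "ConfigurationProperties": {"value": "ON"}}]}
]
""")


def audit_log_status(server):
    """Return (status, reason) for one server using the control's rule:
    lower(value) == 'on' is 'ok', anything else is 'alarm'."""
    name = server["name"]
    for cfg in server.get("server_configurations") or []:
        if cfg.get("Name") != "audit_log_enabled":
            continue
        value = (cfg.get("ConfigurationProperties") or {}).get("value", "")
        if str(value).lower() == "on":
            return "ok", f"{name} server parameter audit_log_enabled on."
        return "alarm", f"{name} server parameter audit_log_enabled off."
    # No audit_log_enabled row at all: the SQL join would drop this server
    # from the results, so surface it explicitly instead of skipping it.
    return "alarm", f"{name} server parameter audit_log_enabled not present."


def evaluate(servers):
    """Map server name -> (status, reason) for every server in the list."""
    return {s["name"]: audit_log_status(s) for s in servers}


if __name__ == "__main__":
    for status, reason in evaluate(SAMPLE_SERVERS).values():
        print(f"{status:5s} {reason}")
```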