Bug #68936 Server does not expose --log-raw in SHOW VARIABLES
Submitted: 11 Apr 2013 21:17 Modified: 4 Nov 2019 14:31
Reporter: Todd Farmer (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Logging Severity:S2 (Serious)
Version:5.6.10 OS:Any
Assigned to: CPU Architecture:Any

[11 Apr 2013 21:17] Todd Farmer 
Description:
MySQL 5.6 added the ability to mask passwords in logs, controlled by the --log-raw option.  This option is not exposed in global variables, so it's not possible to determine whether a running server is configured to mask these passwords (default behavior) or has overridden it.  This makes it impossible to audit for security compliance.

How to repeat:
Using a 5.6 server execute SHOW GLOBAL VARIABLES LIKE '%raw%';

Suggested fix:
Add a global variable for log_raw.  Ideally, this would be something that can be changed with SUPER privileges, but read-only access to current state is bare minimum.
[4 Nov 2019 14:31] Paul DuBois 
Posted by developer:
 
Fixed in 8.0.19.

The --log-raw option is now available at runtime as the log_raw
system variable. The system variable is set at startup to the option
value, and may be set at runtime to change password masking behavior.