Bug #82473 firewall plugin stops recording events when audit_log installed
Submitted: 5 Aug 2016 12:28 Modified: 6 Jan 2017 15:55
Reporter: Ramana Yeruva
Status: Closed
Category:MySQL Server: Security: Firewall Severity:S3 (Non-critical)
Version:5.7.14 OS:Any
Assigned to: CPU Architecture:Any

[5 Aug 2016 12:28] Ramana Yeruva
Description:
When audit_log is loaded/installed, the firewall plugin is not recording any events with 5.7.14. This seems to be working fine; refer to the output attached below.

How to repeat:
(followed the instructions to set up the firewall: http://dev.mysql.com/doc/refman/5.7/en/firewall-usage.html)

./mysqld -uroot --basedir=../ --datadir=./data --initialize-insecure
./mysqld -uroot --basedir=../ --datadir=./data --plugin-load=audit_log.so --gdb &
./mysql -uroot < ../share/linux_install_firewall.sql   # this file comes in the package by default to set up the firewall
./mysql -v -v -v -uroot -e "source fir.sql"            # events are recorded only after uninstalling the audit_log plugin

cat fir.sql
show variables like '%fire%';
use mysql;
-- put root@localhost into RECORDING mode so its statements should be added to the whitelist
CALL mysql.sp_set_firewall_mode('root@localhost', 'RECORDING');
select plugin_name,plugin_version,plugin_status,plugin_type,plugin_library,plugin_description,plugin_license,load_option from information_schema.plugins where plugin_type='AUDIT';
SELECT MODE FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS WHERE USERHOST = 'root@localhost';
SELECT RULE FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST WHERE USERHOST = 'root@localhost';
select 2;
-- with audit_log loaded, nothing is recorded here
SELECT RULE FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST WHERE USERHOST = 'root@localhost';
uninstall plugin audit_log; -- after audit_log is uninstalled, events are recorded
select plugin_name,plugin_version,plugin_status,plugin_type,plugin_library,plugin_description,plugin_license,load_option from information_schema.plugins where plugin_type='AUDIT';
select user,host from mysql.user;
SELECT RULE FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST WHERE USERHOST = 'root@localhost';
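An added check script, not part of the report or of MySQL's own test suite, that a DBA can run to detect whether this regression affects an installation: it counts the account's whitelist rules, issues a probe statement in RECORDING mode, and compares the counts. It assumes the firewall was installed with the bundled linux_install_firewall.sql and that the script runs as root@localhost; the user-variable names and the final switch to mode 'OFF' are my additions.

```sql
-- Bug #82473 check (constructed example): does the firewall record digests
-- while the audit_log plugin is loaded?

-- 1. Show the AUDIT-type plugins currently active; both audit_log and the
--    firewall show up here when loaded, so this records what was tested.
SELECT plugin_name, plugin_status, plugin_library
  FROM information_schema.plugins
 WHERE plugin_type = 'AUDIT';

-- 2. Put the test account into RECORDING mode and take a baseline count of
--    its whitelist rules (in-memory cache exposed via INFORMATION_SCHEMA).
CALL mysql.sp_set_firewall_mode('root@localhost', 'RECORDING');
SELECT COUNT(*) INTO @rules_before
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'root@localhost';

-- 3. Issue a probe statement that should yield a new normalized digest.
SELECT 'firewall-probe' AS probe, 82473 AS bug;

-- 4. Count again. The COUNT(*) statements themselves may also be recorded,
--    so the count can rise by more than one; any increase means recording
--    works, no increase reproduces the reported behaviour.
SELECT COUNT(*) INTO @rules_after
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'root@localhost';

SELECT @rules_before AS rules_before,
       @rules_after  AS rules_after,
       IF(@rules_after > @rules_before,
          'OK: firewall is recording',
          'FAIL: no events recorded (Bug #82473 behaviour)') AS verdict;

-- 5. Show what was recorded, then return the account to OFF so the probe
--    statements do not end up in a later PROTECTING-mode whitelist.
SELECT RULE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'root@localhost';
CALL mysql.sp_set_firewall_mode('root@localhost', 'OFF');
```

Run it once with audit_log loaded and once after uninstalling it; on an affected 5.7.13 to 5.7.17 server only the second run yields the OK verdict.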
[26 Oct 2016 14:24] Ramana Yeruva
Posted by developer:
 
This issue seems to work with 5.7.12, and the issue is happening from 5.7.13 onwards, where the audit_log filtering feature was introduced. There was 5.7.12 output attached in the bug report
just to compare the results of 5.7.12 and 5.7.14, and currently I don't see a workaround to make it work if the user wants to use both firewall and audit_log.
[6 Jan 2017 15:55] Paul Dubois
Posted by developer:
 
Noted in 5.7.18 changelog.

MySQL Enterprise Firewall did not record events if the audit_log
plugin was installed.
[26 Jan 2017 19:19] Erlend Dahl
Bug#84325 connection-control-plugin doesn't work if audit plugin is installed

was marked as a duplicate.