# # This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof. # # This script is released under the Tenable Subscription License and # may not be used from within scripts released under another license # without authorization from Tenable, Inc. # # See the following licenses for details: # # http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf # # @PROFESSIONALFEED@ # $Revision: 1.11 $ # $Date: 2021/06/17 $ # # Description : This audit is based on the Security Configuration Benchmark For MySQL 5.7 Enterprise Editions # Version 1.0.0 March 28, 2016 # https://workbench.cisecurity.org/files/1619 # # #CIS MySQL 5.7 Enterprise Database L1 v1.0.0 # # CIS # MySQL 5.7 Enterprise Database L1 # 1.0.0 # https://workbench.cisecurity.org/files/1619 # #database,cis,mysql,mysql_5,mysql_5.7,mysql_5.7_enterprise #LEVEL,CIS_Recommendation # type : SQL_POLICY description : "MySQL 5.7 is installed" sql_request : "show variables like 'version' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "version", regex:"5\.7" check_option : CAN_NOT_BE_NULL type : SQL_POLICY description : "MySQL 5.7 Enterprise Edition is installed" sql_request : "show variables like 'license' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "license", "Commercial" check_option : CAN_NOT_BE_NULL description : "MySQL 5.7 Enterprise Edition is installed" type : SQL_POLICY description : "1.1 Place Databases on Non-System Partitions" info : "Moving the database off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system." 
solution : "Perform the following steps to remediate this setting: Choose a non-system partition new location for the MySQL data Stop mysqld using a command like: service mysql stop Copy the data using a command like: cp -rp Set the datadir location to the new location in the MySQL configuration file Start mysqld using a command like: service mysql start NOTE: On some Linux distributions you may need to additionally modify apparmor settings. For example, on a Ubuntu 14.04.1 system edit the file /etc/apparmor.d/usr.sbin.mysqld so that the datadir access is appropriate. The original might look like this: # Allow data dir access /var/lib/mysql/ r, /var/lib/mysql/** rwk, Alter those two paths to be the new location you chose above. For example, if that new location were /media/mysql, then the /etc/apparmor.d/usr.sbin.mysqld file should include something like this: # Allow data dir access /media/mysql/ r, /media/mysql/** rwk, Impact: Moving the database to a non-system partition may be difficult depending on whether there was only a single partition when the operating system was set up and whether there are additional storage available." reference : "800-53|SC-5(2),CIS_Recommendation|1.1,CSF|PR.DS-4,ITSG-33|SC-5(2),LEVEL|1S,NESA|T3.3.1,NIAv2|GS8e,NIAv2|GS10c,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'datadir' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "datadir", regex:".+" type : SQL_POLICY description : "3.1 Ensure 'datadir' Has Appropriate Permissions and Ownership" info : "Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL database. If someone other than the MySQL user is allowed to read files from the data directory he or she might be able to read data from the mysql.user table which contains passwords. 
Additionally, the ability to create files can lead to denial of service, or might otherwise allow someone to gain access to specific data by manually creating a file with a view definition." solution : "Execute the following commands at a terminal prompt: chmod 700 chown mysql:mysql " reference : "800-53|SC-5(2),CIS_Recommendation|3.1,CSF|PR.DS-4,ITSG-33|SC-5(2),LEVEL|1S,NESA|T3.3.1,NIAv2|GS8e,NIAv2|GS10c,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'datadir';" sql_types : POLICY_VARCHAR sql_expect : regex :".+" type : SQL_POLICY description : "3.2 Ensure 'log_bin_basename' Files Have Appropriate Permissions and Ownership" info : "Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs." solution : "Execute the following command for each log file location requiring corrected permissions and ownership: chmod 660 chown mysql:mysql Impact: Changing the permissions and ownership of the log files might impact monitoring tools which use a logfile adapter. If the permissions on the binary log files are accidentally changed to exclude the user account which is used to run the MySQL service, then this might break replication. The binary log file can be used for point in time recovery so this can also affect backup, restore and disaster recovery procedures." reference : "800-53|SC-5(2),CIS_Recommendation|3.2,CSF|PR.DS-4,ITSG-33|SC-5(2),LEVEL|1S,NESA|T3.3.1,NIAv2|GS8e,NIAv2|GS10c,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'log_bin_basename';" sql_types : POLICY_VARCHAR sql_expect : regex :".+" type : SQL_POLICY description : "3.3 Ensure 'log_error' Has Appropriate Permissions and Ownership" info : "Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs." 
solution : "Execute the following command for each log file location requiring corrected permissions and ownership: chmod 660 chown mysql:mysql Impact: Changing the permissions of the log files might impact monitoring tools which use a logfile adapter." reference : "800-171|3.3.8,800-171|3.3.9,800-53|AU-9(4),CIS_Recommendation|3.3,CN-L3|8.1.4.3(d),CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9(4),ITSG-33|AU-9(4)(a),ITSG-33|AU-9(4)(b),LEVEL|1S,NESA|M1.2.2,NESA|M5.2.3,NESA|M5.5.2,NIAv2|SM5,NIAv2|SM6,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|5.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'log_error';" sql_types : POLICY_VARCHAR sql_expect : regex :".+" type : SQL_POLICY description : "3.4 Ensure 'slow_query_log' Has Appropriate Permissions and Ownership" info : "Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs." solution : "Execute the following command for each log file location requiring corrected permissions: chmod 660 chown mysql:mysql Impact: Changing the permissions of the log files might impact monitoring tools which use a logfile adapter. Also the slow query log can be used for performance analysis by application developers." reference : "800-171|3.3.8,800-171|3.3.9,800-53|AU-9(4),CIS_Recommendation|3.4,CN-L3|8.1.4.3(d),CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9(4),ITSG-33|AU-9(4)(a),ITSG-33|AU-9(4)(b),LEVEL|1S,NESA|M1.2.2,NESA|M5.2.3,NESA|M5.5.2,NIAv2|SM5,NIAv2|SM6,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|5.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'slow_query_log_file';" sql_types : POLICY_VARCHAR sql_expect : regex :".+" type : SQL_POLICY description : "3.5 Ensure 'relay_log_basename' Files Have Appropriate Permissions and Ownership" info : "Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs." 
solution : "Execute the following command for each log file location requiring corrected permissions and ownership: chmod 660 chown mysql:mysql Impact: Changing the permissions of the log files might impact monitoring tools which use a logfile adapter. If the permissions on the relay logs are accidentally changed to exclude the user account which is used to run the MySQL service then this might break replication." reference : "800-171|3.3.8,800-171|3.3.9,800-53|AU-9(4),CIS_Recommendation|3.5,CN-L3|8.1.4.3(d),CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9(4),ITSG-33|AU-9(4)(a),ITSG-33|AU-9(4)(b),LEVEL|1S,NESA|M1.2.2,NESA|M5.2.3,NESA|M5.5.2,NIAv2|SM5,NIAv2|SM6,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|5.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'relay_log_basename';" sql_types : POLICY_VARCHAR sql_expect : regex :".+" type : SQL_POLICY description : "3.6 Ensure 'general_log_file' Has Appropriate Permissions and Ownership" info : "Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs." solution : "Execute the following command for each log file location requiring corrected permissions and ownership: chmod 660 chown mysql:mysql Impact: Changing the permissions of the log files might impact monitoring tools which use a logfile adapter." 
reference : "800-171|3.3.8,800-171|3.3.9,800-53|AU-9(4),CIS_Recommendation|3.6,CN-L3|8.1.4.3(d),CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9(4),ITSG-33|AU-9(4)(a),ITSG-33|AU-9(4)(b),LEVEL|1S,NESA|M1.2.2,NESA|M5.2.3,NESA|M5.5.2,NIAv2|SM5,NIAv2|SM6,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|5.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'general_log_file';" sql_types : POLICY_VARCHAR sql_expect : regex :".+" type : SQL_POLICY description : "3.7 Ensure SSL Key Files Have Appropriate Permissions and Ownership" info : "Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL database and the communication with the client. If the contents of the SSL key file is known to an attacker he or she might impersonate the server. This can be used for a man-in-the-middle attack. Depending on the SSL ciphersuite the key might also be used to decipher previously captured network traffic." solution : "Execute the following commands at a terminal prompt to remediate these settings using the Value from the audit procedure: chown mysql:mysql chmod 400 Impact: If the permissions or ownership for the key file are changed incorrectly this can cause SSL to be disabled when MySQL is restarted or can cause MySQL not to start at all. If other applications are using the same keypair then changing the permissions or ownership of the key file will affect this application. If this is the case then a new keypair must be generated for MySQL." 
reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|3.7,CN-L3|8.1.10.6(d),CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1S,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'ssl_key';" sql_types : POLICY_VARCHAR sql_expect : regex :".+" type : SQL_POLICY description : "3.8 Ensure Plugin Directory Has Appropriate Permissions and Ownership" info : "Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL database. If someone can modify plugins then these plugins might be loaded when the server starts and the code will get executed." solution : "To remediate these settings, execute the following commands at a terminal prompt using the plugin_dir Value from the audit procedure. chmod 775 (or use 755) chown mysql:mysql Impact: Users other than the mysql user will no longer be able to update and add/remove plugins unless they're able to switch to the mysql user;" reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|3.8,CN-L3|8.1.10.6(d),CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1S,NESA|T3.2.1,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'plugin_dir';" sql_types : POLICY_VARCHAR sql_expect : regex :".+" type : SQL_POLICY description : "3.9 Ensure 'audit_log_file' has Appropriate Permissions and Ownership" info : "Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs." solution : "Execute the following commands for the audit_log_file discovered in the audit procedure: chmod 660 chown mysql:mysql Impact: Changing the permissions and ownership of the audit log file may have impact on who can access and edit the audit log. Such changes can affect monitoring tools which may be using a logfile adapter or scripted alternatives. 
Also the audit log may be used by alerting by infrastructure teams which can affect real-time audit capability." reference : "800-171|3.3.8,800-171|3.3.9,800-53|AU-9(4),CIS_Recommendation|3.9,CN-L3|8.1.4.3(d),CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9(4),ITSG-33|AU-9(4)(a),ITSG-33|AU-9(4)(b),LEVEL|1S,NESA|M1.2.2,NESA|M5.2.3,NESA|M5.5.2,NIAv2|SM5,NIAv2|SM6,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|5.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'audit_log_file';" sql_types : POLICY_VARCHAR sql_expect : regex :".+" type : SQL_POLICY description : "4.1 Ensure Latest Security Patches Are Applied" info : "Maintaining currency with MySQL patches will help reduce risk associated with known vulnerabilities present in the MySQL server. Without the latest security patches MySQL might have known vulnerabilities which might be used by an attacker to gain access." solution : "Install the latest patches for your version or upgrade to the latest version. Impact: To update the MySQL server a restart is required." reference : "800-171|3.14.1,800-53|SI-2.,CIS_Recommendation|4.1,CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSF|ID.RA-1,CSF|PR.IP-12,HIPAA|164.308(a)(5)(ii)(A),ITSG-33|SI-2,LEVEL|1NS,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,QCSC-v1|11.2,SWIFT-CSCv1|2.2" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'version' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "version", regex :".+" type : SQL_POLICY description : "4.2 Ensure the 'test' Database Is Not Installed" info : "The test database can be accessed by all users and can be used to consume system resources. Dropping the test database will reduce the attack surface of the MySQL server." 
solution : "Execute the following SQL statement to drop the test database: DROP DATABASE 'test'; Note: mysql_secure_installation performs this operation as well as other security-related activities." reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIP|007-6-R1,CIS_Recommendation|4.2,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show databases like 'test';" sql_types : POLICY_VARCHAR sql_expect : NULL type : SQL_POLICY description : "4.4 Ensure 'local_infile' Is Disabled" info : "Disabling local_infile reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability." solution : "Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service: local-infile=0 Impact: Disabling local_infile will impact the functionality of solutions that rely on it." reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIP|007-6-R1,CIS_Recommendation|4.4,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'local_infile';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "local_infile", "OFF" type : SQL_POLICY description : "4.6 Ensure '--skip-symbolic-links' Is Enabled" info : "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. 
The symbolic-links option might allow someone to direct actions of the MySQL server to other files and/or directories." solution : "Perform the following actions to remediate this setting: Open the MySQL configuration file (my.cnf) Locate skip_symbolic_links in the configuration Set the skip_symbolic_links to YES NOTE: If skip_symbolic_links does not exist, add it to the configuration file in the mysqld section." reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|4.6,CN-L3|8.1.10.6(d),CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show variables like 'have_symlink';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "have_symlink", "disabled" type : SQL_POLICY description : "4.7 Ensure the 'daemon_memcached' Plugin Is Disabled" info : "By default the plugin doesn't do authentication, which means that anyone with access to the TCP/IP port of the plugin can access and modify the data. However, not all data is exposed by default." solution : "To remediate this setting, issue the following command in the MySQL command-line client: uninstall plugin daemon_memcached; This uninstalls the memcached plugin from the MySQL server." 
reference : "800-171|3.4.6,800-171|3.4.7,800-53|CM-7b.,CIP|007-6-R1,CIS_Recommendation|4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CN-L3|8.1.4.4(b),CSCv6|9.1,CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7a.,LEVEL|1S,NIAv2|SS13b,NIAv2|SS14a,NIAv2|SS14c,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,QCSC-v1|3.2,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SELECT PLUGIN_NAME, PLUGIN_STATUS FROM information_schema.plugins WHERE PLUGIN_NAME='daemon_memcached'" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL, NULL type : SQL_POLICY description : "4.8 Ensure 'secure_file_priv' Is Not Empty" info : "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability." solution : "Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service: secure_file_priv= Impact: Solutions that rely on loading data from various sub-directories may be negatively impacted by this change. Consider consolidating load directories under a common parent directory." reference : "800-171|3.4.2,800-53|CM-6b.,CIS_Recommendation|4.8,CN-L3|8.1.10.6(d),CSCv6|3.1,CSF|PR.IP-1,ITSG-33|CM-6b.,LEVEL|1S,NESA|T3.2.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,SWIFT-CSCv1|2.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW GLOBAL VARIABLES WHERE Variable_name = 'secure_file_priv';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "secure_file_priv", regex:".+" type : SQL_POLICY description : "4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'" info : "Without strict mode the server tries to proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation." 
solution : "Perform the following actions to remediate this setting: Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file Impact: Applications relying on the MySQL database should be aware that STRICT_ALL_TABLES is in use, such that error conditions are handled appropriately." reference : "800-53|SI-10(3),CIS_Recommendation|4.9,CN-L3|8.1.4.4(d),ITSG-33|SI-10,ITSG-33|SI-10a.,LEVEL|1S,NESA|T7.3.1,NIAv2|SS6e" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW VARIABLES LIKE 'sql_mode';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "sql_mode", regex:"STRICT_ALL_TABLES" type : SQL_POLICY description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.db'" sql_request : "SELECT user, host FROM mysql.db WHERE db = 'mysql' AND ((Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y'));" sql_types : POLICY_VARCHAR,POLICY_VARCHAR sql_expect : NULL, NULL description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.db'" info : "Limiting the accessibility of the 'mysql' database will protect the confidentiality, integrity, and availability of the data housed within MySQL. A user which has direct access to mysql.* might view password hashes, change permissions, or alter or destroy information intentionally or unintentionally." solution : "Perform the following actions to remediate this setting: Enumerate non-administrative users resulting from the audit procedure For each non-administrative user, use the REVOKE statement to remove privileges as appropriate Impact: Consideration should be made for which privileges are required by each user requiring interactive database access." 
reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.1,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" type : SQL_POLICY description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.db'" info : "Limiting the accessibility of the 'mysql' database will protect the confidentiality, integrity, and availability of the data housed within MySQL. A user which has direct access to mysql.* might view password hashes, change permissions, or alter or destroy information intentionally or unintentionally." solution : "Perform the following actions to remediate this setting: Enumerate non-administrative users resulting from the audit procedure For each non-administrative user, use the REVOKE statement to remove privileges as appropriate Impact: Consideration should be made for which privileges are required by each user requiring interactive database access." 
reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.1,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SELECT user, host FROM mysql.db WHERE db = 'mysql' AND ((Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y'));" sql_types : POLICY_VARCHAR,POLICY_VARCHAR sql_expect : "root", regex:".+" type : SQL_POLICY description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.user'" sql_request : "SELECT user, host FROM mysql.user WHERE ((Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y'));" sql_types : POLICY_VARCHAR,POLICY_VARCHAR sql_expect : NULL, NULL description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.user'" info : "Limiting the accessibility of the 'mysql' database will protect the confidentiality, integrity, and availability of the data housed within MySQL. A user which has direct access to mysql.* might view password hashes, change permissions, or alter or destroy information intentionally or unintentionally." solution : "Perform the following actions to remediate this setting: Enumerate non-administrative users resulting from the audit procedure For each non-administrative user, use the REVOKE statement to remove privileges as appropriate Impact: Consideration should be made for which privileges are required by each user requiring interactive database access." 
reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.1,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" type : SQL_POLICY description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.user'" info : "Limiting the accessibility of the 'mysql' database will protect the confidentiality, integrity, and availability of the data housed within MySQL. A user which has direct access to mysql.* might view password hashes, change permissions, or alter or destroy information intentionally or unintentionally." solution : "Perform the following actions to remediate this setting: Enumerate non-administrative users resulting from the audit procedure For each non-administrative user, use the REVOKE statement to remove privileges as appropriate Impact: Consideration should be made for which privileges are required by each user requiring interactive database access." reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.1,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SELECT user, host FROM mysql.user WHERE ((Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y'));" sql_types : POLICY_VARCHAR,POLICY_VARCHAR sql_expect : "root", regex:".+" type : SQL_POLICY description : "5.2 Ensure 'file_priv' Is Not Set to 'Y' for Non-Administrative Users" info : "The File_priv right allows mysql users to read files from disk and to write files to disk. 
This may be leveraged by an attacker to further compromise MySQL. It should be noted that the MySQL server should not overwrite existing files." solution : "Perform the following steps to remediate this setting: Enumerate the non-administrative users found in the result set of the audit procedure For each user, issue the following SQL statement (replace '' with the non-administrative user: REVOKE FILE ON *.* FROM '';" reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.2,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "select user, host from mysql.user where File_priv = 'Y' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "root", regex:".+" type : SQL_POLICY description : "5.4 Ensure 'super_priv' Is Not Set to 'Y' for Non-Administrative Users" info : "The SUPER privilege allows principals to perform many actions, including view and terminate currently executing MySQL statements (including statements used to manage passwords). This privilege also provides the ability to configure MySQL, such as enable/disable logging, alter data, disable/enable features. Limiting the accounts that have the SUPER privilege reduces the chances that an attacker can exploit these capabilities." solution : "Perform the following steps to remediate this setting: Enumerate the non-administrative users found in the result set of the audit procedure For each user, issue the following SQL statement (replace '' with the non-administrative user: REVOKE SUPER ON *.* FROM ''; Impact: When the SUPER privilege is denied to a given user, that user will be unable to take advantage of certain capabilities, such as certain mysqladmin options." 
reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.4,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "select user, host from mysql.user where Super_priv = 'Y' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "root", regex:".+" type : SQL_POLICY description : "5.5 Ensure 'shutdown_priv' Is Not Set to 'Y' for Non-Administrative Users" info : "The SHUTDOWN privilege allows principals to shutdown MySQL. This may be leveraged by an attacker to negatively impact the availability of MySQL." solution : "Perform the following steps to remediate this setting: Enumerate the non-administrative users found in the result set of the audit procedure For each user, issue the following SQL statement (replace '' with the non-administrative user): REVOKE SHUTDOWN ON *.* FROM '';" reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.5,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "select user, host from mysql.user where Shutdown_priv = 'Y' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "root", regex:".+" type : SQL_POLICY description : "5.6 Ensure 'create_user_priv' Is Not Set to 'Y' for Non-Administrative Users" info : "Reducing the number of users granted the CREATE USER right minimizes the number of users able to add/drop users, alter existing users' names, and manipulate existing users' privileges." 
solution : "Perform the following steps to remediate this setting: Enumerate the non-administrative users found in the result set of the audit procedure For each user, issue the following SQL statement (replace '' with the non-administrative user): REVOKE CREATE USER ON *.* FROM ''; Impact: Users that are denied the CREATE USER privilege will not only be unable to create a user, but they may be unable to drop a user, rename a user, or otherwise revoke a given user's privileges." reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.6,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "select user, host from mysql.user where Create_user_priv = 'Y' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "root", regex:".+" type : SQL_POLICY description : "5.7 Ensure 'grant_priv' Is Not Set to 'Y' for Non-Administrative Users 'mysql.user'" info : "The GRANT privilege allows a principal to grant other principals additional privileges. This may be used by an attacker to compromise MySQL." 
solution : "Perform the following steps to remediate this setting: Enumerate the non-administrative users found in the result sets of the audit procedure For each user, issue the following SQL statement (replace '' with the non-administrative user: REVOKE GRANT OPTION ON *.* FROM ;" reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.7,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "select user, host from mysql.user where Grant_priv = 'Y' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "root", regex:".+" type : SQL_POLICY description : "5.7 Ensure 'grant_priv' Is Not Set to 'Y' for Non-Administrative Users 'mysql.db'" info : "The GRANT privilege allows a principal to grant other principals additional privileges. This may be used by an attacker to compromise MySQL." 
solution : "Perform the following steps to remediate this setting: Enumerate the non-administrative users found in the result sets of the audit procedure For each user, issue the following SQL statement (replace '<user>' with the non-administrative user): REVOKE GRANT OPTION ON *.* FROM <user>;" reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.7,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "select user, host from mysql.db where Grant_priv = 'Y' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "root", regex:".+" type : SQL_POLICY description : "5.8 Ensure 'repl_slave_priv' Is Not Set to 'Y' for Non-Slave Users" info : "The REPLICATION SLAVE privilege allows a principal to fetch binlog files containing all data changing statements and/or changes in table data from the master. This may be used by an attacker to read/fetch sensitive data from MySQL." solution : "Perform the following steps to remediate this setting: Enumerate the non-slave users found in the result set of the audit procedure For each user, issue the following SQL statement (replace '<user>' with the non-slave user): REVOKE REPLICATION SLAVE ON *.* FROM <user>; Use the REVOKE statement to remove the SUPER privilege from users who shouldn't have it." 
reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.8,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SELECT user, host FROM mysql.user WHERE Repl_slave_priv = 'Y' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "root", regex:".+" type : SQL_POLICY description : "5.9 Ensure DML/DDL Grants Are Limited to Specific Databases and Users" info : "INSERT, SELECT, UPDATE, DELETE, DROP, CREATE, and ALTER are powerful privileges in any database. Such privileges should be limited only to those users requiring such rights. By limiting the users with these rights and ensuring that they are limited to specific databases, the attack surface of the database is reduced." solution : "Perform the following steps to remediate this setting: Enumerate the unauthorized users, hosts, and databases returned in the result set of the audit procedure For each user, issue the following SQL statement (replace '<user>' with the unauthorized user, '<host>' with host name, and '<database>' with the database name): REVOKE SELECT ON <host>.<database> FROM <user>; REVOKE INSERT ON <host>.<database> FROM <user>; REVOKE UPDATE ON <host>.<database> FROM <user>; REVOKE DELETE ON <host>.<database> FROM <user>; REVOKE CREATE ON <host>.<database> FROM <user>; REVOKE DROP ON <host>.<database> FROM <user>; REVOKE ALTER ON <host>.<database> 
FROM <user>;" reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|5.9,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SELECT User,Host,Db FROM mysql.db WHERE Select_priv='Y' OR Insert_priv='Y' OR Update_priv='Y' OR Delete_priv='Y' OR Create_priv='Y' OR Drop_priv='Y' OR Alter_priv='Y';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "root", regex:".+", regex:".+" type : SQL_POLICY description : "6.1 Ensure 'log_error' Is Not Empty" info : "Enabling error logging may increase the ability to detect malicious attempts against MySQL and other critical messages; for example, if the error log is not enabled, connection errors might go unnoticed." solution : "Perform the following actions to remediate this setting: Open the MySQL configuration file (my.cnf or my.ini) Set the log-error option to the path for the error log" reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.1,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW variables LIKE 'log_error';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "log_error", regex:".+" type : SQL_POLICY description : "6.2 Ensure Log Files Are Stored on a Non-System Partition" info : "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system." 
solution : "Perform the following actions to remediate this setting: Open the MySQL configuration file (my.cnf) Locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr" reference : "800-53|SC-5(2),CIS_Recommendation|6.2,CSF|PR.DS-4,ITSG-33|SC-5(2),LEVEL|1S,NESA|T3.3.1,NIAv2|GS8e,NIAv2|GS10c,QCSC-v1|8.2.1,SWIFT-CSCv1|6.4" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "show GLOBAL VARIABLES WHERE Variable_Name = 'log_bin_basename' AND Value LIKE 'C:%' OR Variable_Name = 'log_bin_basename' AND Value = '/' OR Variable_Name = 'log_bin_basename' AND Value = '/var%' OR Variable_Name = 'log_bin_basename' AND Value = '/usr%';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL, NULL type : SQL_POLICY description : "6.5 Ensure audit_log_connection_policy is not set to 'NONE'" info : "The audit_log_connection_policy offers three options: NONE, ERRORS, and ALL. Each option determines whether connection events are logged and the type of connection events that are logged. Setting a non 'NONE' value for audit_log_connection_policy ensures at a minimum, failed connection events are being logged. The ERRORS setting will log failed connection events and the ALL setting will log all connection events. For MySQL versions => 5.6.20, the audit_log_policy variable can override the audit_log_connection_policy, potentially invalidating this benchmark recommendation, therefore enforcing a setting for audit_log_connection_policy ensures the integrity of this recommendation." solution : "To remediate this configuration setting, execute one of the following SQL statements: set global audit_log_connection_policy = ERRORS Or set global audit_log_connection_policy = ALL To ensure this remediation remains indefinite for the life of the MySQL Server, set audit_log_connection_policy in the server's assigned MySQL configuration file (usually named my.cnf, but not always). 
Impact: If audit_log_connection_policy is set to NONE, the MySQL server will not log failed connections, successful connections or any other connection related events." reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.5,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW variables LIKE '%audit_log_connection_policy%';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : regex:".*audit_log_connection_policy.*", regex:"(ALL|ERRORS)" type : SQL_POLICY description : "6.6 Ensure audit_log_exclude_accounts is set to NULL" info : "The audit_log_exclude_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures no single user is able to unintentionally evade being logged. Particular attention should be made to privileged accounts, as such accounts will generally be bestowed with more privileges than normal users, and should not be listed against this variable." solution : "To remediate this configuration setting, execute the following SQL statement SET GLOBAL audit_log_exclude_accounts = NULL Or set audit_log_exclude_accounts=NULL in my.cnf. Impact: If a user or a list of users are set as the values for audit_log_exclude_accounts, these user(s) will evade being logged in the audit log. This may allow malicious connections or query activity to go unnoticed in the audit log." 
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.6,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW variables LIKE '%audit_log_exclude_accounts%';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : regex:".*audit_log_exclude_accounts.*", "" type : SQL_POLICY description : "6.7 Ensure audit_log_include_accounts is set to NULL" info : "The audit_log_include_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures all MySQL users are being logged in the audit log." solution : "To remediate this configuration setting, execute the following SQL statement SET GLOBAL audit_log_include_accounts = NULL Or set audit_log_include_accounts=NULL in my.cnf. Impact: If a user or a list of users are set as the values for audit_log_include_accounts, these user(s) will ONLY be logged. Other users permitted to access the MySQL Server but not listed under the audit_log_include_accounts variable will avoid being logged in the audit log. Setting audit_log_include_accounts to NULL ensures no MySQL users excluded from the audit log." 
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.7,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW variables LIKE '%audit_log_include_accounts%';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : regex:".*audit_log_include_accounts.*", "" type : SQL_POLICY description : "6.8 Ensure audit_log_policy is set to log logins" info : "If this setting is set to QUERIES or NONE then connections are not written to the audit log file." solution : "Set audit_log_policy='ALL' or audit_log_policy='LOGINS' in the MySQL configuration file and activate the setting by restarting the server or executing SET GLOBAL audit_log_policy='ALL'; or SET GLOBAL audit_log_policy='LOGINS';" reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,CIS_Recommendation|6.8,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1S,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW variables LIKE 'audit_log_policy';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "audit_log_policy", regex:"(ALL|LOGINS)" type : SQL_POLICY description : "6.12 Make sure the audit plugin can't be unloaded" info : "This disables unloading of the plugin." 
solution : "To remediate this setting, follow these steps: Open the MySQL configuration file (my.cnf) Ensure the following line is found in the mysqld section audit_log = 'FORCE_PLUS_PERMANENT' Impact: If someone can unload the plugin it would be possible to perform actions on the database without audit events being logged to the audit log. If the audit log plugin can be unloaded the audit log can be temporarily or permanently disabled." reference : "800-171|3.3.8,800-53|AU-9.,CIS_Recommendation|6.12,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CN-L3|8.1.3.5(c),CN-L3|8.1.4.3(c),CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,LEVEL|1S,NESA|M5.2.3,NESA|M5.5.2,NESA|T3.6.4,NESA|T8.2.9,NIAv2|SM5,NIAv2|SM6,QCSC-v1|8.2.1,QCSC-v1|13.2" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SELECT LOAD_OPTION FROM information_schema.plugins WHERE PLUGIN_NAME='audit_log';" sql_types : POLICY_VARCHAR sql_expect : "FORCE_PLUS_PERMANENT" type : SQL_POLICY description : "7.1 Ensure 'old_passwords' Is Not Set to '1'" info : "The mysql_old_password plugin leverages a very weak hashing algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details." solution : "Configure mysql to leverage the mysql_native_password or sha256_password plugin. 
For more information, see: http://dev.mysql.com/doc/refman/5.6/en/password-hashing.html http://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html" reference : "800-171|3.5.10,800-171|3.13.11,800-53|IA-5(1)(c),800-53|SC-13.,CIS_Recommendation|7.1,CSCv6|16.13,CSCv6|16.14,CSF|PR.AC-1,CSF|PR.DS-5,ISO/IEC-27001|A.10.1.1,ITSG-33|IA-5(1)(c),ITSG-33|SC-13,ITSG-33|SC-13a.,LEVEL|1S,NESA|M5.2.6,NESA|T5.2.3,NESA|T7.4.1,NIAv2|CY3,NIAv2|CY4,NIAv2|CY5b,NIAv2|CY5c,NIAv2|CY5d,NIAv2|CY6,NIAv2|CY7,NIAv2|NS5e,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW VARIABLES WHERE Variable_name = 'old_passwords';" sql_types : POLICY_VARCHAR, POLICY_INTEGER sql_expect : "old_passwords", "0" || "2" type : SQL_POLICY description : "7.2 Ensure 'secure_auth' is set to 'ON'" info : "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)." solution : "Add the following line to [mysqld] portions of the MySQL option file to establish the recommended state: secure_auth=ON Impact: Accounts having credentials stored using the old password format will be unable to login. 
Execute the following command to identify accounts that will be impacted by implementing this setting: SELECT User,Host FROM mysql.user WHERE plugin='mysql_old_password';" reference : "800-171|3.5.10,800-171|3.13.11,800-53|IA-5(1)(c),800-53|SC-13.,CIS_Recommendation|7.2,CSCv6|16.13,CSCv6|16.14,CSF|PR.AC-1,CSF|PR.DS-5,ISO/IEC-27001|A.10.1.1,ITSG-33|IA-5(1)(c),ITSG-33|SC-13,ITSG-33|SC-13a.,LEVEL|1S,NESA|M5.2.6,NESA|T5.2.3,NESA|T7.4.1,NIAv2|CY3,NIAv2|CY4,NIAv2|CY5b,NIAv2|CY5c,NIAv2|CY5d,NIAv2|CY6,NIAv2|CY7,NIAv2|NS5e,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW VARIABLES WHERE Variable_name = 'secure_auth';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "secure_auth","ON" type : SQL_POLICY description : "7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' - '@@global.sql_mode'" info : "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password." 
solution : "Perform the following actions to remediate this setting: Open the MySQL configuration file (my.cnf) Find the sql_mode setting in the [mysqld] area Add the NO_AUTO_CREATE_USER to the sql_mode setting" reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|7.4,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "select @@global.sql_mode ;" sql_types : POLICY_VARCHAR sql_expect : regex:"NO_AUTO_CREATE_USER" type : SQL_POLICY description : "7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' - '@@session.sql_mode'" info : "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password." 
solution : "Perform the following actions to remediate this setting: Open the MySQL configuration file (my.cnf) Find the sql_mode setting in the [mysqld] area Add the NO_AUTO_CREATE_USER to the sql_mode setting" reference : "800-171|3.1.5,800-53|AC-6.,CIS_Recommendation|7.4,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "select @@session.sql_mode ;" sql_types : POLICY_VARCHAR sql_expect : regex:"NO_AUTO_CREATE_USER" type : SQL_POLICY description : "7.5 Ensure Passwords Are Set for All MySQL Accounts" info : "Without a password only knowing the username and the list of allowed hosts will allow someone to connect to the server and assume the identity of the user. This, in effect, bypasses authentication mechanisms." solution : "For each row returned from the audit procedure, set a password for the given user using the following statement (as an example): SET PASSWORD FOR <user>@'<host>' = PASSWORD('<password>') NOTE: Replace <user>, <host>, and <password> with appropriate values." 
reference : "800-171|3.5.7,800-53|IA-5(1)(a),CIP|007-6-R5.5,CIS_Recommendation|7.5,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(a),LEVEL|1S,NESA|T5.2.3,NIAv2|AM19a,NIAv2|AM19b,NIAv2|AM19c,NIAv2|AM19d,NIAv2|AM22a,PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SELECT User,host FROM mysql.user WHERE authentication_string='';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL, NULL type : SQL_POLICY description : "7.6 Ensure Password Policy Is in Place - 'validate_password_length'" info : "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed." solution : "Add to the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM
And change passwords for users which have passwords which are identical to their username. Impact: Remediation for this recommendation requires a server restart." 
reference : "800-171|3.5.7,800-53|IA-5(1)(a),CIP|007-6-R5.5,CIS_Recommendation|7.6,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(a),LEVEL|1S,NESA|T5.2.3,NIAv2|AM19a,NIAv2|AM19b,NIAv2|AM19c,NIAv2|AM19d,NIAv2|AM22a,PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW VARIABLES LIKE 'validate_password_length'" sql_types : POLICY_VARCHAR, POLICY_INTEGER sql_expect : "validate_password_length", regex:"(1[4-9]|[2-9][0-9])" type : SQL_POLICY description : "7.6 Ensure Password Policy Is in Place - 'validate_password_mixed_case_count'" info : "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed." solution : "Add to the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM
And change passwords for users which have passwords which are identical to their username. Impact: Remediation for this recommendation requires a server restart." 
reference : "800-171|3.5.7,800-53|IA-5(1)(a),CIP|007-6-R5.5,CIS_Recommendation|7.6,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(a),LEVEL|1S,NESA|T5.2.3,NIAv2|AM19a,NIAv2|AM19b,NIAv2|AM19c,NIAv2|AM19d,NIAv2|AM22a,PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW VARIABLES LIKE 'validate_password_mixed_case_count'" sql_types : POLICY_VARCHAR, POLICY_INTEGER sql_expect : "validate_password_mixed_case_count", regex:"[1-9]" type : SQL_POLICY description : "7.6 Ensure Password Policy Is in Place - 'validate_password_number_count'" info : "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed." solution : "Add to the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM
And change passwords for users which have passwords which are identical to their username. Impact: Remediation for this recommendation requires a server restart." 
reference : "800-171|3.5.7,800-53|IA-5(1)(a),CIP|007-6-R5.5,CIS_Recommendation|7.6,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(a),LEVEL|1S,NESA|T5.2.3,NIAv2|AM19a,NIAv2|AM19b,NIAv2|AM19c,NIAv2|AM19d,NIAv2|AM22a,PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW VARIABLES LIKE 'validate_password_number_count'" sql_types : POLICY_VARCHAR, POLICY_INTEGER sql_expect : "validate_password_number_count", regex:"[1-9]" type : SQL_POLICY description : "7.6 Ensure Password Policy Is in Place - 'validate_password_special_char_count'" info : "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed." solution : "Add to the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM
And change passwords for users which have passwords which are identical to their username. Impact: Remediation for this recommendation requires a server restart." 
reference : "800-171|3.5.7,800-53|IA-5(1)(a),CIP|007-6-R5.5,CIS_Recommendation|7.6,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(a),LEVEL|1S,NESA|T5.2.3,NIAv2|AM19a,NIAv2|AM19b,NIAv2|AM19c,NIAv2|AM19d,NIAv2|AM22a,PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW VARIABLES LIKE 'validate_password_special_char_count'" sql_types : POLICY_VARCHAR, POLICY_INTEGER sql_expect : "validate_password_special_char_count", regex:"[1-9]" type : SQL_POLICY description : "7.6 Ensure Password Policy Is in Place - 'validate_password_policy'" info : "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed." solution : "Add to the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM
And change passwords for users which have passwords which are identical to their username. Impact: Remediation for this recommendation requires a server restart." 
reference : "800-171|3.5.7,800-53|IA-5(1)(a),CIP|007-6-R5.5,CIS_Recommendation|7.6,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,HIPAA|164.308(a)(5)(ii)(D),ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5(1)(a),LEVEL|1S,NESA|T5.2.3,NIAv2|AM19a,NIAv2|AM19b,NIAv2|AM19c,NIAv2|AM19d,NIAv2|AM22a,PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW VARIABLES LIKE 'validate_password_policy'" sql_types : POLICY_VARCHAR, POLICY_INTEGER sql_expect : "validate_password_policy", regex:"(MEDIUM|STRONG)" type : SQL_POLICY description : "7.7 Ensure No Users Have Wildcard Hostnames" info : "Avoiding the use of wildcards within hostnames helps control the specific locations from which a given user may connect to and interact with the database." solution : "Perform the following actions to remediate this setting: Enumerate all users returned after running the audit procedure Either ALTER the user's host to be specific or DROP the user" reference : "800-171|3.1.1,800-53|AC-3.,CIS_Recommendation|7.7,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1S,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "select user,host from mysql.user where host = '%' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL, NULL type : SQL_POLICY description : "7.8 Ensure No Anonymous Accounts Exist" info : "Removing anonymous accounts will help ensure that only identified and trusted principals are capable of interacting with MySQL." 
solution : "Perform the following actions to remediate this setting: Enumerate the anonymous users returned from executing the audit procedure For each anonymous user, DROP or assign them a name NOTE: As an alternative, you may execute the mysql_secure_installation utility. Impact: Any applications relying on anonymous database access will be adversely affected by this change." reference : "800-53|AC-14a.,CIS_Recommendation|7.8,ITSG-33|AC-14a.,LEVEL|1S,NESA|T5.6.1,QCSC-v1|5.2.2,QCSC-v1|13.2" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SELECT user,host FROM mysql.user WHERE user = '';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL,NULL type : SQL_POLICY description : "8.1 Ensure 'have_ssl' Is Set to 'YES'" info : "The SSL/TLS-protected MySQL protocol helps to prevent eavesdropping and man-in-the-middle attacks." solution : "Follow the procedures as documented in the MySQL 5.6 Reference Manual to setup SSL. Impact: Enabling SSL will allow clients to encrypt network traffic and verify the identity of the server. This could have impact on network traffic inspection." reference : "800-171|3.13.8,800-53|SC-8(1),CIS_Recommendation|8.1,CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8(1),LEVEL|1S,NESA|T7.4.1,NIAv2|NS5d,NIAv2|NS6b,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|2.1,TBA-FIISB|29.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SHOW variables WHERE variable_name = 'have_ssl';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "have_ssl", "YES" type : SQL_POLICY description : "8.2 Ensure 'ssl_type' Is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users" info : "The SSL/TLS-protected MySQL protocol helps to prevent eavesdropping and man-in-the-middle attacks." 
solution : "Use the GRANT statement to require the use of SSL: GRANT USAGE ON *.* TO 'my_user'@'app1.example.com' REQUIRE SSL; Note that REQUIRE SSL only enforces SSL. There are options like REQUIRE X509, REQUIRE ISSUER, REQUIRE SUBJECT which can be used to further restrict connection options. Impact: When SSL/TLS is enforced then clients which do not use SSL will not be able to connect. If the server is not configured for SSL/TLS then accounts for which SSL/TLS is mandatory will not be able to connect" reference : "800-171|3.13.8,800-53|SC-8(1),CIS_Recommendation|8.2,CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8(1),LEVEL|1S,NESA|T7.4.1,NIAv2|NS5d,NIAv2|NS6b,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|2.1,TBA-FIISB|29.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SELECT user, host, ssl_type FROM mysql.user WHERE NOT HOST IN ('::1', '127.0.0.1', 'localhost');" sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR sql_expect : regex: ".+", regex:".+", regex:"(ANY|X509|SPECIFIED)" description : "9.1 Ensure Replication Traffic Is Secured" info : "The replication traffic should be secured as it gives access to all transfered information and might leak passwords. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." solution : "Secure the network traffic using one or more technologies to provide confidentiality and integrity for the traffic, and mutual authentication for the servers." reference : "LEVEL|1NS,CIS_Recommendation|9.1" see_also : "https://workbench.cisecurity.org/files/1619" type : SQL_POLICY description : "9.2 Ensure 'MASTER_SSL_VERIFY_SERVER_CERT' Is Set to 'YES' or '1'" info : "When SSL is in use certificate verification is important to authenticate the party to which a connection is being made. 
In this case, the slave (client) should verify the master's (server's) certificate to authenticate the master prior to continuing the connection." solution : "To remediate this setting you must use the CHANGE MASTER TO command.
STOP SLAVE; -- required if replication was already running
CHANGE MASTER TO MASTER_SSL_VERIFY_SERVER_CERT=1;
START SLAVE; -- required if you want to restart replication
Impact: When using CHANGE MASTER TO, be aware of the following: Slave processes need to be stopped prior to executing CHANGE MASTER TO Use of CHANGE MASTER TO starts new relay logs without keeping the old ones unless explicitly told to keep them When CHANGE MASTER TO is invoked, some information is dumped to the error log (previous values for MASTER_HOST, MASTER_PORT, MASTER_LOG_FILE, and MASTER_LOG_POS) Invoking CHANGE MASTER TO will implicitly commit any ongoing transactions" reference : "800-171|3.5.2,800-53|IA-5(2)(a),CIS_Recommendation|9.2,CSF|PR.AC-1,ITSG-33|IA-5(2)(a),LEVEL|1S,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "select ssl_verify_server_cert from mysql.slave_master_info;" sql_types : POLICY_INTEGER sql_expect : "1" type : SQL_POLICY description : "9.4 Ensure 'super_priv' Is Not Set to 'Y' for Replication Users" info : "The SUPER privilege allows principals to perform many actions, including view and terminate currently executing MySQL statements (including statements used to manage passwords). This privilege also provides the ability to configure MySQL, such as enable/disable logging, alter data, disable/enable features. Limiting the accounts that have the SUPER privilege reduces the chances that an attacker can exploit these capabilities." 
solution : "Execute the following steps to remediate this setting: Enumerate the replication users found in the result set of the audit procedure. For each replication user, issue the following SQL statement (replace 'repl' with your replication user's name): REVOKE SUPER ON *.* FROM 'repl'; Impact: When the SUPER privilege is denied to a given user, that user will be unable to take advantage of certain capabilities, such as certain mysqladmin options." reference : "800-171|3.1.5,800-53|AC-6(5),CIS_Recommendation|9.4,CN-L3|8.1.10.6(a),CSCv6|5.1,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(5),LEVEL|1S,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM32,NIAv2|AM33,NIAv2|VL3a,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "select user, host from mysql.user where user='repl' and Super_priv = 'Y';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL, NULL type : SQL_POLICY description : "9.5 Ensure No Replication Users Have Wildcard Hostnames" info : "Avoiding the use of wildcards within hostnames helps control the specific locations from which a given user may connect to and interact with the database. NOTE: This check only inspects the account named 'repl' and only flags a host value that is exactly '%'; replication accounts with other names, or hosts that contain a wildcard as part of a longer pattern, are not evaluated and must be reviewed manually." 
solution : "Perform the following actions to remediate this setting: Enumerate all users returned after running the audit procedure. For each such user, either ALTER the user's host to be specific or DROP the user." reference : "800-171|3.1.1,800-53|AC-3.,CIS_Recommendation|9.5,CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSF|PR.AC-4,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,LEVEL|1S,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|13.2,TBA-FIISB|31.1" see_also : "https://workbench.cisecurity.org/files/1619" sql_request : "SELECT user, host FROM mysql.user WHERE user='repl' AND host = '%';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL, NULL description : "MySQL 5.7 Enterprise Edition is installed" info : "NOTE: Nessus has not identified that the chosen audit applies to the target device." see_also : "https://workbench.cisecurity.org/files/1619"
