#
# This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.4 $
# $Date: 2018/07/24 $
#
# Description : This audit is based on the Security Configuration Benchmark For MySQL 5.6 Enterprise Editions
# Version 1.1.0 - 08-15-2016
# https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf
#
# NOTE :
#
# CIS MySQL 5.6 Enterprise Database L1 v1.1.0
#
# CIS
# MySQL 5.6 Enterprise Database L1
# 1.1.0
# https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf
#
# database,cis,mysql,mysql_5,mysql_5.6,mysql_5.6_enterprise
# LEVEL
#
# ADMIN_USER
# root
# MySQL Admin User
# This is your administrative user. Default is root.
#

type : SQL_POLICY
description : "MySQL 5.6 is installed"
sql_request : "show variables like 'version' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : "version", regex:"5\.6"
check_option : CAN_NOT_BE_NULL

type : SQL_POLICY
description : "MySQL 5.6 Enterprise Edition is installed"
sql_request : "show variables like 'license' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : "license", "Commercial"
check_option : CAN_NOT_BE_NULL

description : "MySQL 5.6 Enterprise Edition is installed"

type : SQL_POLICY
description : "1.1 Place Databases on Non-System Partitions"
info : "It is generally accepted that host operating systems should include different filesystem partitions for different purposes. One set of filesystems is typically called 'system partitions', and is generally reserved for host system/application operation. The other set of filesystems is typically called 'non-system partitions', and such locations are generally reserved for storing data."
solution : "Perform the following steps to remediate this setting:
1. Choose a new location for the MySQL data on a non-system partition
2. Stop mysqld using a command like: service mysql stop
3. Copy the data using a command like: cp -rp <old location> <new location>
4. Set the datadir location to the new location in the MySQL configuration file
5. Start mysqld using a command like: service mysql start
NOTE: On some Linux distributions you may need to additionally modify apparmor settings. For example, on a Ubuntu 14.04.1 system edit the file /etc/apparmor.d/usr.sbin.mysqld so that the datadir access is appropriate. The original might look like this:
# Allow data dir access
/var/lib/mysql/ r,
/var/lib/mysql/** rwk,
Alter those two paths to be the new location you chose above. For example, if that new location were /media/mysql, then the /etc/apparmor.d/usr.sbin.mysqld file should include something like this:
# Allow data dir access
/media/mysql/ r,
/media/mysql/** rwk,"
reference : "800-53|SC-5,CSF|PR.DS-4,ITSG-33|SC-5,SWIFT-CSCv1|6.4,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "show variables like 'datadir' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
# Note: the expected regex only fails a datadir on a Windows C: drive. Any absolute Unix path passes,
# including the default /var/lib/mysql on the root filesystem, so Unix results still need a manual
# check against the mount table.
sql_expect : "datadir", regex:"^([^C][:][\\].+|/.+)$"

description : "2.1.1 Backup policy in place"
info : "A backup policy should be in place.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Create a backup policy and backup schedule."
reference : "LEVEL|1NS"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"

description : "2.1.2 Verify backups are good"
info : "Backups should be validated on a regular basis.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Implement regular backup checks and document each check."
reference : "LEVEL|1NS"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"

description : "2.1.3 Secure backup credentials"
info : "The password, certificate and any other credentials should be protected.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Change file permissions."
reference : "LEVEL|1NS"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"

description : "2.1.4 The backups should be properly secured"
info : "The backup files will contain all data in the databases. Filesystem permissions and/or encryption should be used to prevent unauthorized users from gaining access to the backups.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Implement encryption or use filesystem permissions."
reference : "LEVEL|1NS"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"

description : "2.1.6 Disaster recovery plan"
info : "A disaster recovery plan should be created. A slave in a different datacenter or offsite backups can be used. There should be information about how long a recovery will take and whether the recovery site has the same capacity.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Create a disaster recovery plan."
reference : "LEVEL|1NS"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"

description : "2.1.7 Backup of configuration and related files"
info : "The following files should be included in the backup:
- Configuration files (my.cnf and included files)
- SSL files (certificates, keys)
- User Defined Functions (UDFs)
- Source code for customizations
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Add these files to the backup."
reference : "LEVEL|1NS"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"

description : "2.2 Dedicate Machine Running MySQL"
info : "It is recommended that MySQL Server software be installed on a dedicated server. This architectural consideration affords flexibility in that the database server can be placed in a separate network zone allowing access only from particular hosts and over particular protocols.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Remove excess applications or services and/or remove unnecessary roles from the underlying operating system."
reference : "LEVEL|1NS"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"

description : "2.4 Do Not Reuse Usernames"
info : "Database user accounts should not be reused for multiple applications or users.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Add/Remove users so that each user is only used for one specific purpose."
reference : "LEVEL|1NS"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"

type : SQL_POLICY
description : "4.1 Ensure Latest Security Patches Are Applied"
info : "Periodically, updates to MySQL server are released to resolve bugs, mitigate vulnerabilities, and provide new features. It is recommended that MySQL installations are up to date with the latest security updates."
solution : "Install the latest patches for your version or upgrade to the latest version."
reference : "800-53|SI-2,HIPAA|164.308(a)(5)(ii)(A),800-171|3.14.1,CSF|ID.RA-1,CSF|PR.IP-12,ITSG-33|SI-2,SWIFT-CSCv1|2.2,LEVEL|2NS"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "show variables like 'version' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
# Note: the NULL expectation cannot match a real version string; this (not scored) item exists to
# surface the running version for manual comparison against the current release.
sql_expect : "version", NULL

type : SQL_POLICY
description : "4.2 Ensure the 'test' Database Is Not Installed"
info : "The default MySQL installation comes with an unused database called test. It is recommended that the test database be dropped."
solution : "Execute the following SQL statement to drop the test database:
DROP DATABASE test;
Note: mysql_secure_installation performs this operation as well as other security-related activities."
reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,SWIFT-CSCv1|2.3,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "show databases like 'test' ;"
sql_types : POLICY_VARCHAR
sql_expect : NULL

type : SQL_POLICY
description : "4.4 Ensure 'local_infile' Is Disabled"
info : "The local_infile parameter dictates whether the server accepts LOAD DATA LOCAL INFILE statements, which read files located on the MySQL client's computer rather than on the server. It is the server-side half of the feature (the client must also allow LOCAL loading). Disabling it on the server prevents a LOAD DATA LOCAL INFILE statement, issued for example through SQL injection in an application, from reading files on the application host into a table."
solution : "Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service:
local-infile=0"
reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,SWIFT-CSCv1|2.3,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "show variables like 'local_infile' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : "local_infile", "OFF"
check_option : CAN_NOT_BE_NULL

type : SQL_POLICY
description : "4.6 Ensure '--skip-symbolic-links' Is Enabled"
info : "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When symbolic links are enabled, they have different effects depending on the host platform. When symbolic links are disabled, symbolic links in the data directory and the DATA DIRECTORY / INDEX DIRECTORY table options are not followed by the server, so a table cannot be made to point at files outside the data directory."
solution : "Perform the following actions to remediate this setting:
- Open the MySQL configuration file (my.cnf)
- Locate skip_symbolic_links in the configuration
- Set skip_symbolic_links to YES (the equivalent documented forms are skip-symbolic-links or symbolic-links=0 in the [mysqld] section)
NOTE: If skip_symbolic_links does not exist, add it to the configuration file in the mysqld section."
reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "show variables like 'have_symlink' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : "have_symlink", "DISABLED"
check_option : CAN_NOT_BE_NULL

type : SQL_POLICY
description : "4.7 Ensure the 'daemon_memcached' Plugin Is Disabled"
info : "The InnoDB memcached Plugin allows users to access data stored in InnoDB with the memcached protocol. That protocol bypasses the SQL layer and its privilege checks, so any host that can reach the plugin's listening port can read and write the mapped tables without MySQL authentication."
solution : "To remediate this setting, issue the following command in the MySQL command-line client:
uninstall plugin daemon_memcached;
This uninstalls the memcached plugin from the MySQL server."
reference : "800-53|CM-7,CIP|007-6-R1,CSCv6|9.1,PCI-DSSv3.1|2.2.2,PCI-DSSv3.1|2.2.3,PCI-DSSv3.2|2.2.2,PCI-DSSv3.2|2.2.3,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,SWIFT-CSCv1|2.3,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SELECT PLUGIN_NAME, PLUGIN_STATUS FROM information_schema.plugins WHERE PLUGIN_NAME='daemon_memcached'"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL

type : SQL_POLICY
description : "4.8 Ensure 'secure_file_priv' Is Not Empty"
info : "The secure_file_priv option restricts the directory from which LOAD DATA INFILE and LOAD_FILE() may read and into which SELECT ... INTO OUTFILE may write. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL. On 5.6.34 and later the value NULL disables file import and export entirely, which is the safest choice when the server never needs them."
solution : "Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service:
secure_file_priv=<path_to_load_directory>"
reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SHOW GLOBAL VARIABLES WHERE Variable_name = 'secure_file_priv' AND Value<>'';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : "secure_file_priv", regex:".+"

type : SQL_POLICY
description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.user'"
sql_request : "SELECT user, host FROM mysql.user WHERE (Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y');"
sql_types : POLICY_VARCHAR,POLICY_VARCHAR
sql_expect : NULL, NULL

description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.user'"
info : "The mysql.user and mysql.db tables list a variety of privileges that can be granted (or denied) to MySQL users. Some of the privileges of concern include: Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv, and so on. Typically, these privileges should not be available to every MySQL user and often are reserved for administrative use only."
solution : "Perform the following actions to remediate this setting:
1. Enumerate non-administrative users resulting from the audit procedure
2. For each non-administrative user, use the REVOKE statement to remove privileges as appropriate"
reference : "LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"

type : SQL_POLICY
description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.user'"
info : "The mysql.user and mysql.db tables list a variety of privileges that can be granted (or denied) to MySQL users. Some of the privileges of concern include: Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv, and so on. Typically, these privileges should not be available to every MySQL user and often are reserved for administrative use only."
solution : "Perform the following actions to remediate this setting:
1. Enumerate non-administrative users resulting from the audit procedure
2. For each non-administrative user, use the REVOKE statement to remove privileges as appropriate"
reference : "800-53|AC-6,CSCv6|5.1,800-171|3.1.5,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6,SWIFT-CSCv1|1.2,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SELECT user, host FROM mysql.user WHERE (Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y');"
sql_types : POLICY_VARCHAR,POLICY_VARCHAR
# Note: Variable @ADMIN_USER@ replaced with "root" in field "sql_expect".
sql_expect : "root", regex:".+"

type : SQL_POLICY
description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.db'"
sql_request : "SELECT user, host FROM mysql.db WHERE db = 'mysql' AND ((Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y'));"
sql_types : POLICY_VARCHAR,POLICY_VARCHAR
sql_expect : NULL, NULL

description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.db'"
info : "The mysql.user and mysql.db tables list a variety of privileges that can be granted (or denied) to MySQL users. Some of the privileges of concern include: Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv, and so on. Typically, these privileges should not be available to every MySQL user and often are reserved for administrative use only."
solution : "Perform the following actions to remediate this setting:
1. Enumerate non-administrative users resulting from the audit procedure
2. For each non-administrative user, use the REVOKE statement to remove privileges as appropriate"
reference : "LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"

type : SQL_POLICY
description : "5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.db'"
info : "The mysql.user and mysql.db tables list a variety of privileges that can be granted (or denied) to MySQL users. Some of the privileges of concern include: Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv, and so on. Typically, these privileges should not be available to every MySQL user and often are reserved for administrative use only."
solution : "Perform the following actions to remediate this setting:
1. Enumerate non-administrative users resulting from the audit procedure
2. For each non-administrative user, use the REVOKE statement to remove privileges as appropriate"
reference : "800-53|AC-6,CSCv6|5.1,800-171|3.1.5,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6,SWIFT-CSCv1|1.2,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SELECT user, host FROM mysql.db WHERE db = 'mysql' AND ((Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y'));"
sql_types : POLICY_VARCHAR,POLICY_VARCHAR
# Note: Variable @ADMIN_USER@ replaced with "root" in field "sql_expect".
sql_expect : "root", regex:".+"

type : SQL_POLICY
description : "5.2 Ensure 'file_priv' Is Not Set to 'Y' for Non-Administrative Users"
info : "The File_priv privilege found in the mysql.user table is used to allow or disallow a user from reading and writing files on the server host. Any user with the File_priv right granted has the ability to:
- Read files from the local file system that are readable by the MySQL server (this includes world-readable files)
- Write files to the local file system where the MySQL server has write access
Both operations are confined to the directory set by secure_file_priv (see 4.8); an empty secure_file_priv removes that limit."
solution : "Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result set of the audit procedure
2. For each user, issue the following SQL statement (replace '<user>' with the non-administrative user):
REVOKE FILE ON *.* FROM '<user>';"
reference : "800-53|AC-6,CSCv6|5.1,800-171|3.1.5,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6,SWIFT-CSCv1|1.2,LEVEL|1NS"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "select user, host from mysql.user where File_priv = 'Y' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
# Note: Variable @ADMIN_USER@ replaced with "root" in field "sql_expect".
sql_expect : "root", regex:".+"

type : SQL_POLICY
description : "5.4 Ensure 'super_priv' Is Not Set to 'Y' for Non-Administrative Users"
info : "The SUPER privilege found in the mysql.user table governs the use of a variety of MySQL features. These features include CHANGE MASTER TO, KILL, the mysqladmin kill option, PURGE BINARY LOGS, SET GLOBAL, the mysqladmin debug option, logging control, and more. A user with SUPER can also write to a server running with read_only and can disable binary logging for its own session (SET sql_log_bin = 0), which undermines replication integrity and audit trails."
solution : "Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result set of the audit procedure
2. For each user, issue the following SQL statement (replace '<user>' with the non-administrative user):
REVOKE SUPER ON *.* FROM '<user>';"
reference : "800-53|AC-6,CSCv6|5.1,800-171|3.1.5,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6,SWIFT-CSCv1|1.2,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "select user, host from mysql.user where Super_priv = 'Y' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
# Note: Variable @ADMIN_USER@ replaced with "root" in field "sql_expect".
sql_expect : "root", regex:".+"

type : SQL_POLICY
description : "5.5 Ensure 'shutdown_priv' Is Not Set to 'Y' for Non-Administrative Users"
info : "The SHUTDOWN privilege simply enables use of the shutdown option of the mysqladmin command, which allows a user holding it to shut down the MySQL server."
solution : "Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result set of the audit procedure
2. For each user, issue the following SQL statement (replace '<user>' with the non-administrative user):
REVOKE SHUTDOWN ON *.* FROM '<user>';"
reference : "800-53|AC-6,CSCv6|5.1,800-171|3.1.5,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6,SWIFT-CSCv1|1.2,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "select user, host from mysql.user where Shutdown_priv = 'Y' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
# Note: Variable @ADMIN_USER@ replaced with "root" in field "sql_expect".
sql_expect : "root", regex:".+"

type : SQL_POLICY
description : "5.6 Ensure 'create_user_priv' Is Not Set to 'Y' for Non-Administrative Users"
info : "The CREATE USER privilege governs the right of a given user to add or remove users, change existing users' names, or revoke existing users' privileges."
solution : "Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result set of the audit procedure
2. For each user, issue the following SQL statement (replace '<user>' with the non-administrative user):
REVOKE CREATE USER ON *.* FROM '<user>';"
reference : "800-53|AC-6,CSCv6|5.1,800-171|3.1.5,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6,SWIFT-CSCv1|1.2,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "select user, host from mysql.user where Create_user_priv = 'Y' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
# Note: Variable @ADMIN_USER@ replaced with "root" in field "sql_expect".
sql_expect : "root", regex:".+"

type : SQL_POLICY
description : "5.7 Ensure 'grant_priv' Is Not Set to 'Y' for Non-Administrative Users 'mysql.user'"
info : "The GRANT OPTION privilege exists in different contexts (mysql.user, mysql.db) for the purpose of governing the ability of a privileged user to manipulate the privileges of other users."
solution : "Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result sets of the audit procedure
2. For each user, issue the following SQL statement (replace '<user>' with the non-administrative user):
REVOKE GRANT OPTION ON *.* FROM '<user>';"
reference : "800-53|AC-6,CSCv6|5.1,800-171|3.1.5,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6,SWIFT-CSCv1|1.2,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "select user, host from mysql.user where Grant_priv = 'Y' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
# Note: Variable @ADMIN_USER@ replaced with "root" in field "sql_expect".
sql_expect : "root", regex:".+"

type : SQL_POLICY
description : "5.7 Ensure 'grant_priv' Is Not Set to 'Y' for Non-Administrative Users 'mysql.db'"
info : "The GRANT OPTION privilege exists in different contexts (mysql.user, mysql.db) for the purpose of governing the ability of a privileged user to manipulate the privileges of other users. Rows in mysql.db record database-level grants; a global REVOKE ... ON *.* does not remove them."
solution : "Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result sets of the audit procedure
2. For each user, issue the following SQL statement (replace '<user>' with the non-administrative user and '<database>' with the Db value of the mysql.db row):
REVOKE GRANT OPTION ON <database>.* FROM '<user>';"
reference : "800-53|AC-6,CSCv6|5.1,800-171|3.1.5,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6,SWIFT-CSCv1|1.2,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "select user, host from mysql.db where Grant_priv = 'Y' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
# Note: Variable @ADMIN_USER@ replaced with "root" in field "sql_expect".
sql_expect : "root", regex:".+"

type : SQL_POLICY
description : "5.8 Ensure 'repl_slave_priv' Is Not Set to 'Y' for Non-Slave Users"
info : "The REPLICATION SLAVE privilege governs whether a given user (in the context of the master server) can request updates that have been made on the master server. Because the binary log contains every change applied to the server, this privilege amounts to read access to all databases. The legitimate replication account(s) will appear in the result set and must be accepted manually."
solution : "Perform the following steps to remediate this setting:
1. Enumerate the non-slave users found in the result set of the audit procedure
2. For each user, issue the following SQL statement (replace '<user>' with the non-slave user):
REVOKE REPLICATION SLAVE ON *.* FROM '<user>';"
reference : "800-53|AC-6,CSCv6|5.1,800-171|3.1.5,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6,SWIFT-CSCv1|1.2,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SELECT user, host FROM mysql.user WHERE Repl_slave_priv = 'Y' ;"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
# Note: Variable @ADMIN_USER@ replaced with "root" in field "sql_expect".
sql_expect : "root", regex:".+"

type : SQL_POLICY
description : "5.9 Ensure DML/DDL Grants Are Limited to Specific Databases and Users"
info : "DML/DDL includes the set of privileges used to modify or create data structures. This includes INSERT, SELECT, UPDATE, DELETE, DROP, CREATE, and ALTER privileges."
solution : "Perform the following steps to remediate this setting:
1. Enumerate the unauthorized users, hosts, and databases returned in the result set of the audit procedure
2. For each user, issue the following SQL statements (replace '<user>' with the unauthorized user, '<host>' with the host name, and '<database>' with the database name):
REVOKE SELECT ON <database>.* FROM '<user>'@'<host>';
REVOKE INSERT ON <database>.* FROM '<user>'@'<host>';
REVOKE UPDATE ON <database>.* FROM '<user>'@'<host>';
REVOKE DELETE ON <database>.* FROM '<user>'@'<host>';
REVOKE CREATE ON <database>.* FROM '<user>'@'<host>';
REVOKE DROP ON <database>.* FROM '<user>'@'<host>';
REVOKE ALTER ON <database>.* FROM '<user>'@'<host>';"
reference : "800-53|AC-6,CSCv6|5.1,800-171|3.1.5,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6,SWIFT-CSCv1|1.2,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SELECT User,Host,Db FROM mysql.db WHERE Select_priv='Y' OR Insert_priv='Y' OR Update_priv='Y' OR Delete_priv='Y' OR Create_priv='Y' OR Drop_priv='Y' OR Alter_priv='Y';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
# Note: Variable @ADMIN_USER@ replaced with "root" in field "sql_expect".
sql_expect : "root", regex:".+", regex:".+"

type : SQL_POLICY
description : "6.1 Ensure 'log_error' Is Not Empty"
info : "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails."
solution : "Perform the following actions to remediate this setting:
1. Open the MySQL configuration file (my.cnf or my.ini)
2. Set the log-error option to the path for the error log"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SHOW variables LIKE 'log_error';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : "log_error", regex:".+"

type : SQL_POLICY
description : "6.2 Ensure Log Files Are Stored on a Non-System Partition"
info : "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root, /var, or /usr."
solution : "Perform the following actions to remediate this setting:
1. Open the MySQL configuration file (my.cnf)
2. Locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr"
reference : "800-53|SC-5,CSF|PR.DS-4,ITSG-33|SC-5,SWIFT-CSCv1|6.4,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
# Note: the original query compared Value = '/var%' and Value = '/usr%' with '=', which never matches a
# wildcard; LIKE is required. The check still only inspects the binary-log path prefix: it does not see
# the error, general or slow logs, a root-filesystem path outside /var and /usr is not detected, and
# when binary logging is disabled log_bin_basename is empty and the item passes.
sql_request : "SHOW GLOBAL VARIABLES WHERE Variable_Name = 'log_bin_basename' AND (Value LIKE 'C:%' OR Value = '/' OR Value LIKE '/var%' OR Value LIKE '/usr%');"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL

type : SQL_POLICY
description : "6.5 Ensure audit_log_connection_policy is not set to 'NONE'"
info : "The audit_log_connection_policy variable controls how the audit plugin writes connection events to the audit log file."
solution : "To remediate this configuration setting, execute one of the following SQL statements:
set global audit_log_connection_policy = ERRORS
Or
set global audit_log_connection_policy = ALL
To ensure this remediation remains indefinite for the life of the MySQL Server, set audit_log_connection_policy in the server's assigned MySQL configuration file (usually named my.cnf, but not always)."
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SHOW variables LIKE '%audit_log_connection_policy%';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*audit_log_connection_policy.*", regex:"(ALL|ERRORS)"

type : SQL_POLICY
description : "6.6 Ensure audit_log_exclude_accounts is set to NULL"
info : "The audit_log_exclude_accounts variable enables the administrator to set accounts for which events will not be logged in the audit log."
solution : "To remediate this configuration setting, execute the following SQL statement:
SET GLOBAL audit_log_exclude_accounts = NULL
Or set audit_log_exclude_accounts=NULL in my.cnf."
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SHOW variables LIKE '%audit_log_exclude_accounts%';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*audit_log_exclude_accounts.*", NULL

type : SQL_POLICY
description : "6.7 Ensure audit_log_include_accounts is set to NULL"
info : "The audit_log_include_accounts variable enables the administrator to set accounts for which events should be logged in the audit log. When it is non-NULL, only the listed accounts are logged and every other account is silently excluded."
solution : "To remediate this configuration setting, execute the following SQL statement:
SET GLOBAL audit_log_include_accounts = NULL
Or set audit_log_include_accounts=NULL in my.cnf."
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SHOW variables LIKE '%audit_log_include_accounts%';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : regex:".*audit_log_include_accounts.*", NULL

type : SQL_POLICY
description : "6.8 Ensure audit_log_policy is set to log logins"
info : "The audit_log_policy setting controls how much information is sent to the audit log. It must be set to a value that logs logins."
solution : "Set audit_log_policy='ALL' or audit_log_policy='LOGINS' in the MySQL configuration file and activate the setting by restarting the server or executing SET GLOBAL audit_log_policy='ALL'; or SET GLOBAL audit_log_policy='LOGINS';"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SHOW variables LIKE 'audit_log_policy';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : "audit_log_policy", regex:"(ALL|LOGINS)"

type : SQL_POLICY
description : "6.12 Make sure the audit plugin can't be unloaded"
info : "Set audit_log to FORCE_PLUS_PERMANENT. Loading the plugin this way prevents it from being removed with UNINSTALL PLUGIN at runtime and makes server startup fail if the plugin cannot be initialized, so auditing cannot be silently disabled."
solution : "To remediate this setting, follow these steps:
1. Open the MySQL configuration file (my.cnf)
2. Ensure the following line is found in the mysqld section
audit_log = 'FORCE_PLUS_PERMANENT'"
reference : "800-53|AU-9,800-171|3.3.8,CN-L3|7.1.2.3(d),CN-L3|7.1.3.3(f),CSF|PR.PT-1,ISO/IEC-27001|A.12.4.2,ITSG-33|AU-9,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
# Note: the original query selected only LOAD_OPTION, one column, while sql_types and sql_expect
# describe two; PLUGIN_NAME is selected as well so the expected values line up with the result set.
sql_request : "SELECT PLUGIN_NAME, LOAD_OPTION FROM information_schema.plugins WHERE PLUGIN_NAME='audit_log';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : "audit_log", "FORCE_PLUS_PERMANENT"

type : SQL_POLICY
description : "7.1 Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
info : "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the value can be one of the following:
- 0 - authenticate with the mysql_native_password plugin
- 1 - authenticate with the mysql_old_password plugin
- 2 - authenticate with the sha256_password plugin
The mysql_old_password (pre-4.1) hash is short and cryptographically weak (see CVE-2003-1480 in the references) and must not be used for new or changed passwords."
solution : "Configure mysql to leverage the mysql_native_password or sha256_password plugin.
For more information, see:
- http://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
- http://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html"
reference : "800-53|IA-5,800-53|SC-13,CSCv6|16.13,CSCv6|16.14,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,800-171|3.13.11,800-171|3.5.10,CSF|PR.AC-1,CSF|PR.DS-5,ITSG-33|IA-5,ITSG-33|SC-13,SWIFT-CSCv1|4.1,TBA-FIISB|26.1,CVE|CVE-2003-1480,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SHOW VARIABLES WHERE Variable_name = 'old_passwords';"
sql_types : POLICY_VARCHAR, POLICY_INTEGER
sql_expect : "old_passwords", "0" || "2"
check_option : CAN_NOT_BE_NULL

type : SQL_POLICY
description : "7.2 Ensure 'secure_auth' is set to 'ON'"
info : "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format. secure_auth defaults to ON from 5.6.5 onward; this check catches servers where it has been switched off."
solution : "Add the following line to the [mysqld] portion of the MySQL option file to establish the recommended state:
secure_auth=ON"
reference : "800-53|IA-5,800-53|SC-13,CSCv6|16.13,CSCv6|16.14,PCI-DSSv3.1|8.2.1,PCI-DSSv3.2|8.2.1,800-171|3.13.11,800-171|3.5.10,CSF|PR.AC-1,CSF|PR.DS-5,ITSG-33|IA-5,ITSG-33|SC-13,SWIFT-CSCv1|4.1,TBA-FIISB|26.1,LEVEL|1S,LEVEL|2S"
see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
sql_request : "SHOW VARIABLES WHERE Variable_name = 'secure_auth';"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : "secure_auth","ON"
check_option : CAN_NOT_BE_NULL

type : SQL_POLICY
description : "7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' - '@@global.sql_mode'"
info : "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
solution : "Perform the following actions to remediate this setting:
1.
Open the MySQL configuration file (my.cnf) 2. Find the sql_mode setting in the [mysqld] area 3. Add the NO_AUTO_CREATE_USER to the sql_mode setting" reference : "800-53|AC-6,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,800-171|3.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,SWIFT-CSCv1|5.1,LEVEL|1S,LEVEL|2S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "select @@global.sql_mode ;" sql_types : POLICY_VARCHAR sql_expect : regex:"NO_AUTO_CREATE_USER" check_option : CAN_NOT_BE_NULL type : SQL_POLICY description : "7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' - '@@session.sql_mode'" info : "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided." solution : "Perform the following actions to remediate this setting: 1. Open the MySQL configuration file (my.cnf) 2. Find the sql_mode setting in the [mysqld] area 3. Add the NO_AUTO_CREATE_USER to the sql_mode setting" reference : "800-53|AC-6,PCI-DSSv3.1|7.1.2,PCI-DSSv3.2|7.1.2,800-171|3.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,SWIFT-CSCv1|5.1,LEVEL|1S,LEVEL|2S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "select @@session.sql_mode ;" sql_types : POLICY_VARCHAR sql_expect : regex:"NO_AUTO_CREATE_USER" check_option : CAN_NOT_BE_NULL type : SQL_POLICY description : "7.5 Ensure Passwords Are Set for All MySQL Accounts" info : "Blank passwords allow a user to login without using a password." solution : "For each row returned from the audit procedure, set a password for the given user using the following statement (as an example): SET PASSWORD FOR @'' = PASSWORD('') NOTE: Replace , , and with appropriate values." 
reference : "800-53|IA-5,CIP|007-6-R5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,800-171|3.5.7,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4,LEVEL|1S,LEVEL|2S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "SELECT User,host FROM mysql.user WHERE (plugin IN('mysql_native_password', 'mysql_old_password') AND (LENGTH(Password) = 0 OR Password IS NULL)) OR (plugin='sha256_password' AND LENGTH(authentication_string) = 0);" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL, NULL type : SQL_POLICY description : "7.6 Ensure Password Policy Is in Place - 'validate_password_length'" info : "Password complexity includes password characteristics such as length, case, length, and character sets." solution : "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=8 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM And change passwords for users which have passwords which are identical to their username." 
reference : "800-53|IA-5,CIP|007-6-R5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,800-171|3.5.7,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4,LEVEL|1S,LEVEL|2S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "SHOW VARIABLES LIKE 'validate_password_length'" sql_types : POLICY_VARCHAR, POLICY_INTEGER sql_expect : "validate_password_length", regex:"(1[4-9]|[2-9][0-9])" type : SQL_POLICY description : "7.6 Ensure Password Policy Is in Place - 'validate_password_mixed_case_count'" info : "Password complexity includes password characteristics such as length, case, length, and character sets." solution : "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=8 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM And change passwords for users which have passwords which are identical to their username." reference : "800-53|IA-5,CIP|007-6-R5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,800-171|3.5.7,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4,LEVEL|1S,LEVEL|2S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "SHOW VARIABLES LIKE 'validate_password_mixed_case_count'" sql_types : POLICY_VARCHAR, POLICY_INTEGER sql_expect : "validate_password_mixed_case_count", regex:"[1-9]" type : SQL_POLICY description : "7.6 Ensure Password Policy Is in Place - 'validate_password_number_count'" info : "Password complexity includes password characteristics such as length, case, length, and character sets." 
solution : "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=8 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM And change passwords for users which have passwords which are identical to their username." reference : "800-53|IA-5,CIP|007-6-R5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,800-171|3.5.7,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4,LEVEL|1S,LEVEL|2S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "SHOW VARIABLES LIKE 'validate_password_number_count'" sql_types : POLICY_VARCHAR, POLICY_INTEGER sql_expect : "validate_password_number_count", regex:"[1-9]" type : SQL_POLICY description : "7.6 Ensure Password Policy Is in Place - 'validate_password_special_char_count'" info : "Password complexity includes password characteristics such as length, case, length, and character sets." solution : "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=8 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM And change passwords for users which have passwords which are identical to their username." 
reference : "800-53|IA-5,CIP|007-6-R5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,800-171|3.5.7,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4,LEVEL|1S,LEVEL|2S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "SHOW VARIABLES LIKE 'validate_password_special_char_count'" sql_types : POLICY_VARCHAR, POLICY_INTEGER sql_expect : "validate_password_special_char_count", regex:"[1-9]" type : SQL_POLICY description : "7.6 Ensure Password Policy Is in Place - 'validate_password_policy'" info : "Password complexity includes password characteristics such as length, case, length, and character sets." solution : "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=8 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM And change passwords for users which have passwords which are identical to their username." reference : "800-53|IA-5,CIP|007-6-R5,HIPAA|164.308(a)(5)(ii)(D),PCI-DSSv3.1|8.2.3,PCI-DSSv3.2|8.2.3,800-171|3.5.7,CN-L3|7.1.2.7(e),CN-L3|7.1.3.1(b),CSF|PR.AC-1,ISO/IEC-27001|A.9.4.3,ITSG-33|IA-5,SWIFT-CSCv1|4.1,TBA-FIISB|26.2.1,TBA-FIISB|26.2.4,LEVEL|1S,LEVEL|2S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "SHOW VARIABLES LIKE 'validate_password_policy'" sql_types : POLICY_VARCHAR, POLICY_INTEGER sql_expect : "validate_password_policy", regex:"(MEDIUM|STRONG)" type : SQL_POLICY description : "7.7 Ensure No Users Have Wildcard Hostnames" info : "MySQL can make use of host wildcards when granting permissions to users on specific databases. For example, you may grant a given privilege to ''@'%'." 
solution : "Perform the following actions to remediate this setting: 1. Enumerate all users returned after running the audit procedure 2. Either ALTER the user's host to be specific or DROP the user" reference : "800-53|AC-3,800-171|3.1.1,CSF|PR.AC-4,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ITSG-33|AC-3,LEVEL|1S,LEVEL|2S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "select user,host from mysql.user where host = '%' ;" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL, NULL type : SQL_POLICY description : "7.8 Ensure No Anonymous Accounts Exist" info : "Anonymous accounts are users with empty usernames (''). Anonymous accounts have no passwords, so anyone can use them to connect to the MySQL server." solution : "Perform the following actions to remediate this setting: 1. Enumerate the anonymous users returned from executing the audit procedure 2. For each anonymous user, DROP or assign them a name NOTE: As an alternative, you may execute the mysql_secure_installation utility." reference : "800-53|AC-14,ITSG-33|AC-14,LEVEL|1S,LEVEL|2S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "SELECT user,host FROM mysql.user WHERE user = '';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL,NULL type : SQL_POLICY description : "8.1 Ensure 'have_ssl' Is Set to 'YES'" info : "All network traffic must use SSL/TLS when traveling over untrusted networks." solution : "Follow the procedures as documented in the MySQL 5.6 Reference Manual to setup SSL." 
reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,SWIFT-CSCv1|2.1,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "SHOW variables WHERE variable_name = 'have_ssl';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : "have_ssl", "YES" type : SQL_POLICY description : "8.2 Ensure 'ssl_type' Is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users" info : "All network traffic must use SSL/TLS when traveling over untrusted networks. SSL/TLS should be enforced on a per-user basis for users which enter the system through the network." solution : "Use the GRANT statement to require the use of SSL: GRANT USAGE ON *.* TO 'my_user'@'app1.example.com' REQUIRE SSL; Note that REQUIRE SSL only enforces SSL. There are options like REQUIRE X509, REQUIRE ISSUER, REQUIRE SUBJECT which can be used to further restrict connection options." reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,ISO/IEC-27001|A.13.2.3,ITSG-33|SC-8,SWIFT-CSCv1|2.1,TBA-FIISB|29.1,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "SELECT user, host, ssl_type FROM mysql.user WHERE NOT HOST IN ('::1', '127.0.0.1', 'localhost');" sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR sql_expect : regex: ".+", regex:".+", regex:"(ANY|X509|SPECIFIED)" check_option : CAN_NOT_BE_NULL description : "9.1 Ensure Replication Traffic Is Secured" info : "The replication traffic between servers should be secured. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." 
solution : "Secure the network traffic" reference : "LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" type : SQL_POLICY description : "9.3 Ensure 'MASTER_SSL_VERIFY_SERVER_CERT' Is Set to 'YES' or '1'" info : "In the MySQL slave context the setting MASTER_SSL_VERIFY_SERVER_CERT indicates whether the slave should verify the master's certificate. This configuration item may be set to Yes or No, and unless SSL has been enabled on the slave, the value will be ignored." solution : "To remediate this setting you must use the CHANGE MASTER TO command. STOP SLAVE; -- required if replication was already running CHANGE MASTER TO MASTER_SSL_VERIFY_SERVER_CERT=1; START SLAVE; -- required if you want to restart replication" reference : "800-53|IA-5,CSF|PR.AC-1,ITSG-33|IA-5,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "select ssl_verify_server_cert from mysql.slave_master_info;" sql_types : POLICY_INTEGER sql_expect : "1" check_option : CAN_NOT_BE_NULL type : SQL_POLICY description : "9.4 Ensure 'super_priv' Is Not Set to 'Y' for Replication Users" info : "The SUPER privilege found in the mysql.user table governs the use of a variety of MySQL features. These features include, CHANGE MASTER TO, KILL, mysqladmin kill option, PURGE BINARY LOGS, SET GLOBAL, mysqladmin debug option, logging control, and more." solution : "Execute the following steps to remediate this setting: 1. Enumerate the replication users found in the result set of the audit procedure 2. 
For each replication user, issue the following SQL statement (replace 'repl' with your replication user's name): REVOKE SUPER ON *.* FROM 'repl';" reference : "800-53|AC-6,CSCv6|5.1,800-171|3.1.5,CSF|PR.AC-4,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6,SWIFT-CSCv1|1.2,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "select user, host from mysql.user where user='repl' and Super_priv = 'Y';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL, NULL type : SQL_POLICY description : "9.5 Ensure No Replication Users Have Wildcard Hostnames" info : "MySQL can make use of host wildcards when granting permissions to users on specific databases. For example, you may grant a given privilege to ''@'%'." solution : "Perform the following actions to remediate this setting: 1. Enumerate all users returned after running the audit procedure 2. Either ALTER the user's host to be specific or DROP the user" reference : "800-53|AC-3,800-171|3.1.1,CSF|PR.AC-4,CSF|PR.PT-3,ISO/IEC-27001|A.9.4.1,ITSG-33|AC-3,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf" sql_request : "SELECT user, host FROM mysql.user WHERE user='repl' AND host = '%';" sql_types : POLICY_VARCHAR, POLICY_VARCHAR sql_expect : NULL, NULL description : "MySQL 5.6 Enterprise Edition is installed" info : "NOTE: Nessus has not identified that the chosen audit applies to the target device." see_also : "https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf"
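The section 7, 8 and 9 items above state their remediation as prose or as single statements with placeholders. The SQL below is an added worked example, written for this page and not part of the Tenable audit or the CIS benchmark, that strings those remediations together in the order an administrator would apply them on a MySQL 5.6 server. The account names 'app_user' and 'repl', the hostnames, the CA path and the password are assumed placeholders; substitute the (user, host) rows your own audit run returned.

```sql
-- Added example for items 7.4, 7.5, 7.7, 7.8, 8.2, 9.3, 9.4 and 9.5 above.
-- Not part of the CIS benchmark or the Tenable audit. 'app_user', 'repl',
-- the hostnames, the CA path and the password are placeholders. Run as an
-- account holding SUPER; the 9.3 block runs on the replica (slave).

-- 7.4: add NO_AUTO_CREATE_USER without discarding the modes already set
-- (a bare SET GLOBAL sql_mode='NO_AUTO_CREATE_USER' would drop them).
-- FIND_IN_SET avoids appending it twice; NULLIF + CONCAT_WS avoid a leading
-- comma when sql_mode is currently empty.
SET GLOBAL sql_mode = IF(FIND_IN_SET('NO_AUTO_CREATE_USER', @@global.sql_mode) > 0,
                         @@global.sql_mode,
                         CONCAT_WS(',', NULLIF(@@global.sql_mode, ''), 'NO_AUTO_CREATE_USER'));
-- Existing sessions keep their old mode until they reconnect; refresh this one.
SET SESSION sql_mode = @@global.sql_mode;
-- The GLOBAL value is lost at restart: put the same list in my.cnf, e.g.
--   [mysqld]
--   sql_mode=STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION,NO_AUTO_CREATE_USER

-- 7.5: the audit query lists accounts with no password; give each one a password.
SELECT User, Host FROM mysql.user
 WHERE (plugin IN ('mysql_native_password', 'mysql_old_password')
        AND (LENGTH(Password) = 0 OR Password IS NULL))
    OR (plugin = 'sha256_password' AND LENGTH(authentication_string) = 0);
SET PASSWORD FOR 'app_user'@'app1.example.com' = PASSWORD('replace-with-a-generated-secret');

-- 7.7: pin a wildcard-host account to the host it really connects from.
-- RENAME USER keeps its privileges; DROP USER is the alternative when the
-- account is unused.
RENAME USER 'app_user'@'%' TO 'app_user'@'app1.example.com';

-- 7.8: remove anonymous accounts, one DROP per (user, host) row the 7.8
-- query returned.
DROP USER ''@'localhost';

-- 8.2: require TLS per remote account. REQUIRE SSL stores ssl_type='ANY';
-- REQUIRE X509 stores 'X509'; REQUIRE ISSUER/SUBJECT/CIPHER store
-- 'SPECIFIED'. Those are exactly the three values the 8.2 check accepts.
GRANT USAGE ON *.* TO 'app_user'@'app1.example.com' REQUIRE SSL;
SELECT user, host, ssl_type FROM mysql.user
 WHERE NOT host IN ('::1', '127.0.0.1', 'localhost');

-- 9.3 (on the replica): verify the master's certificate. The flag is ignored
-- unless MASTER_SSL=1, so enable both together with the CA to verify against.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_SSL = 1,
  MASTER_SSL_CA = '/etc/mysql/ssl/ca.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;
-- The 9.3 audit query reads mysql.slave_master_info, which holds rows only
-- when master_info_repository=TABLE. With the default FILE repository use
-- the Master_SSL_Verify_Server_Cert column of SHOW SLAVE STATUS instead.
SELECT Ssl_verify_server_cert FROM mysql.slave_master_info;
SHOW SLAVE STATUS;

-- 9.4 / 9.5 (on the master): a replication account needs only REPLICATION
-- SLAVE. Revoke SUPER, pin the host, require a client certificate, and
-- confirm with SHOW GRANTS.
REVOKE SUPER ON *.* FROM 'repl'@'%';
RENAME USER 'repl'@'%' TO 'repl'@'replica1.example.com';
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'replica1.example.com' REQUIRE X509;
SHOW GRANTS FOR 'repl'@'replica1.example.com';
```

Order matters in one place: once NO_AUTO_CREATE_USER is active, a GRANT naming an account that does not yet exist fails instead of creating it, which is why the RENAME USER for 'repl' precedes the GRANT that requires X509. Re-run the audit queries quoted above after each block; every SELECT that drives a NULL-expect item should come back empty, and the 8.2 query should show only ANY, X509 or SPECIFIED in ssl_type.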