CIS Oracle MySQL Community Server 5.6 Benchmark v1.1.0 - 08-15-2016
The CIS Security Benchmarks division provides consensus-oriented information security products, services, tools, metrics, suggestions, and recommendations (the "SB Products") as a public service to Internet users worldwide. Downloading or using SB Products in any way signifies and confirms your acceptance of and your binding agreement to these CIS Security Benchmarks Terms of Use.

CIS SECURITY BENCHMARKS TERMS OF USE

BOTH CIS SECURITY BENCHMARKS DIVISION MEMBERS AND NON-MEMBERS MAY:
• Download, install, and use each of the SB Products on a single computer, and/or
• Print one or more copies of any SB Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, but only if each such copy is printed in its entirety and is kept intact, including without limitation the text of these CIS Security Benchmarks Terms of Use.

UNDER THE FOLLOWING TERMS AND CONDITIONS:
• SB Products Provided As Is. CIS is providing the SB Products "as is" and "as available" without: (1) any representations, warranties, or covenants of any kind whatsoever (including the absence of any warranty regarding: (a) the effect or lack of effect of any SB Product on the operation or the security of any network, system, software, hardware, or any component of any of them, and (b) the accuracy, utility, reliability, timeliness, or completeness of any SB Product); or (2) the responsibility to make or notify you of any corrections, updates, upgrades, or fixes.
• Intellectual Property and Rights Reserved. You are not acquiring any title or ownership rights in or to any SB Product, and full title and all ownership rights to the SB Products remain the exclusive property of CIS. All rights to the SB Products not expressly granted in these Terms of Use are hereby reserved.
• Restrictions. You acknowledge and agree that you may not: (1) decompile, dis-assemble, alter, reverse engineer, or otherwise attempt to derive the source code for any software SB Product that is not already in the form of source code; (2) distribute, redistribute, sell, rent, lease, sublicense or otherwise transfer or exploit any rights to any SB Product in any way or for any purpose; (3) post any SB Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device; (4) remove from or alter these CIS Security Benchmarks Terms of Use on any SB Product; (5) remove or alter any proprietary notices on any SB Product; (6) use any SB Product or any component of an SB Product with any derivative works based directly on an SB Product or any component of an SB Product; (7) use any SB Product or any component of an SB Product with other products or applications that are directly and specifically dependent on such SB Product or any component for any part of their functionality; (8) represent or claim a particular level of compliance or consistency with any SB Product; or (9) facilitate or otherwise aid other individuals or entities in violating these CIS Security Benchmarks Terms of Use.
• Your Responsibility to Evaluate Risks. You acknowledge and agree that: (1) no network, system, device, hardware, software, or component can be made fully secure; (2) you have the sole responsibility to evaluate the risks and benefits of the SB Products to your particular circumstances and requirements; and (3) CIS is not assuming any of the liabilities associated with your use of any or all of the SB Products.
• CIS Liability. You acknowledge and agree that neither CIS nor any of its employees, officers, directors, agents or other service providers has or will have any liability to you whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special damages that arise out of or are connected in any way with your use of any SB Product.
• Indemnification. You agree to indemnify, defend, and hold CIS and all of CIS's employees, officers, directors, agents and other service providers harmless from and against any liabilities, costs and expenses incurred by any of them in connection with your violation of these CIS Security Benchmarks Terms of Use.
• Jurisdiction. You acknowledge and agree that: (1) these CIS Security Benchmarks Terms of Use will be governed by and construed in accordance with the laws of the State of Maryland; (2) any action at law or in equity arising out of or relating to these CIS Security Benchmarks Terms of Use shall be filed only in the courts located in the State of Maryland; and (3) you hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action.
• U.S. Export Control and Sanctions laws. Regarding your use of the SB Products with any non-U.S. entity or country, you acknowledge that it is your responsibility to understand and abide by all U.S. sanctions and export control laws as set from time to time by the U.S. Bureau of Industry and Security (BIS) and the U.S. Office of Foreign Assets Control (OFAC).

SPECIAL RULES FOR CIS MEMBER ORGANIZATIONS: CIS reserves the right to create special rules for: (1) CIS Members; and (2) Non-Member organizations and individuals with which CIS has a written contractual relationship. CIS hereby grants to each CIS Member Organization in good standing the right to distribute the SB Products within such Member's own organization, whether by manual or electronic means. Each such Member Organization acknowledges and agrees that the foregoing grants in this paragraph are subject to the terms of such Member's membership arrangement with CIS and may, therefore, be modified or terminated by CIS at any time.
Table of Contents

Overview
  Intended Audience
  Consensus Guidance
  Typographical Conventions
  Scoring Information
  Profile Definitions
  Acknowledgements
Recommendations
  1 Operating System Level Configuration
    1.1 Place Databases on Non-System Partitions (Scored)
    1.2 Use Dedicated Least Privileged Account for MySQL Daemon/Service (Scored)
    1.3 Disable MySQL Command History (Scored)
    1.4 Verify That the MYSQL_PWD Environment Variable Is Not In Use (Scored)
    1.5 Disable Interactive Login (Scored)
    1.6 Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles (Scored)
  2 Installation and Planning
    2.1 Backup and Disaster Recovery
      2.1.1 Backup policy in place (Not Scored)
      2.1.2 Verify backups are good (Not Scored)
      2.1.3 Secure backup credentials (Not Scored)
      2.1.4 The backups should be properly secured (Not Scored)
      2.1.5 Point in time recovery (Not Scored)
      2.1.6 Disaster recovery plan (Not Scored)
      2.1.7 Backup of configuration and related files (Not Scored)
    2.2 Dedicate Machine Running MySQL (Not Scored)
    2.3 Do Not Specify Passwords in Command Line (Not Scored)
    2.4 Do Not Reuse Usernames (Not Scored)
    2.5 Do Not Use Default or Non-MySQL-specific Cryptographic Keys (Not Scored)
  3 File System Permissions
    3.1 Ensure 'datadir' Has Appropriate Permissions (Scored)
    3.2 Ensure 'log_bin_basename' Files Have Appropriate Permissions (Scored)
    3.3 Ensure 'log_error' Has Appropriate Permissions (Scored)
    3.4 Ensure 'slow_query_log' Has Appropriate Permissions (Scored)
    3.5 Ensure 'relay_log_basename' Files Have Appropriate Permissions (Scored)
    3.6 Ensure 'general_log_file' Has Appropriate Permissions (Scored)
    3.7 Ensure SSL Key Files Have Appropriate Permissions (Scored)
    3.8 Ensure Plugin Directory Has Appropriate Permissions (Scored)
  4 General
    4.1 Ensure Latest Security Patches Are Applied (Not Scored)
    4.2 Ensure the 'test' Database Is Not Installed (Scored)
    4.3 Ensure 'allow-suspicious-udfs' Is Set to 'FALSE' (Scored)
    4.4 Ensure 'local_infile' Is Disabled (Scored)
    4.5 Ensure 'mysqld' Is Not Started with '--skip-grant-tables' (Scored)
    4.6 Ensure '--skip-symbolic-links' Is Enabled (Scored)
    4.7 Ensure the 'daemon_memcached' Plugin Is Disabled (Scored)
    4.8 Ensure 'secure_file_priv' Is Not Empty (Scored)
    4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES' (Scored)
  5 MySQL Permissions
    5.1 Ensure Only Administrative Users Have Full Database Access (Scored)
    5.2 Ensure 'file_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
    5.3 Ensure 'process_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
    5.4 Ensure 'super_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
    5.5 Ensure 'shutdown_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
    5.6 Ensure 'create_user_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
    5.7 Ensure 'grant_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
    5.8 Ensure 'repl_slave_priv' Is Not Set to 'Y' for Non-Slave Users (Scored)
    5.9 Ensure DML/DDL Grants Are Limited to Specific Databases and Users (Scored)
  6 Auditing and Logging
    6.1 Ensure 'log_error' Is Not Empty (Scored)
    6.2 Ensure Log Files Are Stored on a Non-System Partition (Scored)
    6.3 Ensure 'log_warnings' Is Set to '2' (Scored)
    6.4 Ensure Audit Logging Is Enabled (Not Scored)
    6.5 Ensure 'log-raw' Is Set to 'OFF' (Scored)
  7 Authentication
    7.1 Ensure 'old_passwords' Is Not Set to '1' or 'ON' (Scored)
    7.2 Ensure 'secure_auth' is set to 'ON' (Scored)
    7.3 Ensure Passwords Are Not Stored in the Global Configuration (Scored)
    7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' (Scored)
    7.5 Ensure Passwords Are Set for All MySQL Accounts (Scored)
    7.6 Ensure Password Policy Is in Place (Scored)
    7.7 Ensure No Users Have Wildcard Hostnames (Scored)
    7.8 Ensure No Anonymous Accounts Exist (Scored)
  8 Network
    8.1 Ensure 'have_ssl' Is Set to 'YES' (Scored)
    8.2 Ensure 'ssl_type' Is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users (Scored)
  9 Replication
    9.1 Ensure Replication Traffic Is Secured (Not Scored)
    9.2 Ensure 'master_info_repository' Is Set to 'TABLE' (Scored)
    9.3 Ensure 'MASTER_SSL_VERIFY_SERVER_CERT' Is Set to 'YES' or '1' (Scored)
    9.4 Ensure 'super_priv' Is Not Set to 'Y' for Replication Users (Scored)
    9.5 Ensure No Replication Users Have Wildcard Hostnames (Scored)
Appendix: Summary Table
Appendix: Change History
Overview

This document, CIS Oracle MySQL Community Server 5.6 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for MySQL Community Server 5.6. This guide was tested against MySQL Community Server 5.6 running on Ubuntu Linux 14.04, but applies to other Linux distributions as well. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected].

Intended Audience

This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Oracle MySQL Community Server 5.6.

Consensus Guidance

This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org.
Typographical Conventions

The following typographical conventions are used throughout this guide:

Convention: Meaning
Stylized Monospace font: Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font: Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>: Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font: Used to denote the title of a book, article, or other publication.
Note: Additional information or caveats

Scoring Information

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

Scored

Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

Not Scored

Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions

The following configuration profiles are defined by this Benchmark:

• Level 1 - MySQL RDBMS on Linux

Items in this profile apply to MySQL Community Server 5.6 running on Linux and intend to:

o be practical and prudent;
o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.

• Level 2 - MySQL RDBMS on Linux

This profile extends the "Level 1 - MySQL RDBMS on Linux" profile. Items in this profile apply to MySQL Community Server 5.6 running on Linux and exhibit one or more of the following characteristics:

o are intended for environments or use cases where security is paramount
o act as a defense in depth measure
o may negatively inhibit the utility or performance of the technology.

• Level 1 - MySQL RDBMS

Items in this profile apply to MySQL Community Server 5.6 and intend to:

o be practical and prudent;
o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.

Note: the intent of this profile is to include checks that can be assessed by remotely connecting to a MySQL RDBMS. Therefore, file system-related checks are not contained in this profile.

• Level 2 - MySQL RDBMS

This profile extends the "Level 1 - MySQL RDBMS" profile and exhibits one or more of the following characteristics:

o are intended for environments or use cases where security is paramount
o act as a defense in depth measure
o may negatively inhibit the utility or performance of the technology.

Note: the intent of this profile is to include checks that can be assessed by remotely connecting to a MySQL RDBMS. Therefore, file system-related checks are not contained in this profile.
Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:

Editor(s)
Binod Bista
Daniël van Eeden

Contributor(s)
Adam Montville, Center for Internet Security
Timothy Harrison, Center for Internet Security
Sheryl Coppenger, U.S. Government Accountability Office
Karen Scarfone
Robert Warren Thomas
Neil Quiogue
Dan White, CIS Community
Recommendations

1 Operating System Level Configuration

This section contains recommendations related to the Operating System on which the MySQL database server is running.

1.1 Place Databases on Non-System Partitions (Scored)

Profile Applicability:

• Level 1 - MySQL RDBMS on Linux

Description:

It is generally accepted that host operating systems should include different filesystem partitions for different purposes. One set of filesystems are typically called "system partitions", and are generally reserved for host system/application operation. The other set of filesystems are typically called "non-system partitions", and such locations are generally reserved for storing data.

Rationale:

Moving the database off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system.

Audit:

Execute the following steps to assess this recommendation:

• Discover the datadir by executing the following SQL statement

show variables where variable_name = 'datadir';

• Using the returned datadir Value from the above query, execute the following in a system terminal

df -h <datadir Value>

The mount point reported in the "Mounted on" column of the df output should not be root ('/'), "/var", or "/usr". Note that df reports the filesystem that actually holds the directory, so a datadir of /var/lib/mysql on a host with a single root filesystem is reported as "/" and is a finding.
Remediation:

Perform the following steps to remediate this setting:

1. Choose a non-system partition new location for the MySQL data
2. Stop mysqld using a command like: service mysql stop
3. Copy the data using a command like: cp -rp <datadir Value> <new location>
4. Set the datadir location to the new location in the MySQL configuration file
5. Start mysqld using a command like: service mysql start

The -p flag in step 3 preserves ownership and modes, so the copied files remain owned by the MySQL service account; verify this before starting the server.

NOTE: On some Linux distributions you may need to additionally modify apparmor settings. For example, on a Ubuntu 14.04.1 system edit the file /etc/apparmor.d/usr.sbin.mysqld so that the datadir access is appropriate. The original might look like this:

# Allow data dir access
/var/lib/mysql/ r,
/var/lib/mysql/** rwk,

Alter those two paths to be the new location you chose above. For example, if that new location were /media/mysql, then the /etc/apparmor.d/usr.sbin.mysqld file should include something like this:

# Allow data dir access
/media/mysql/ r,
/media/mysql/** rwk,

Reload the AppArmor profile (for example with service apparmor reload) before starting mysqld, otherwise the server will be denied access to the new location.

Impact:

Moving the database to a non-system partition may be difficult depending on whether there was only a single partition when the operating system was set up and whether there is additional storage available.
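The audit above can be scripted so that it is repeatable across hosts. The following shell script is an added example and is not part of the CIS benchmark or any CIS tooling; the function names and the --live flag are this example's own conventions, and the live mode assumes client credentials come from ~/.my.cnf or a mysql_config_editor login path rather than the command line.

```shell
# Added example (not from the CIS benchmark): automate the 1.1 audit.
# A datadir whose filesystem is mounted at /, /var or /usr is a finding.
# Function names and the --live flag are this example's own conventions.

# is_system_mount MOUNTPOINT -> true if the mount point is a system partition
is_system_mount() {
    case "$1" in
        /|/var|/usr) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_point_of PATH -> prints the mount point holding PATH. If PATH does not
# exist yet (a datadir you are about to create), walk up to the nearest parent
# so the partition that would receive the data is the one reported.
mount_point_of() {
    p="$1"
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    # -P keeps each filesystem on one line even when the device name is long
    df -P "$p" | awk 'NR > 1 { mp = $NF } END { print mp }'
}

# check_datadir DATADIR [MOUNTPOINT] -> prints PASS/FAIL; returns 1 on a finding.
# MOUNTPOINT is optional so the decision logic can be exercised without df.
check_datadir() {
    mp="${2:-$(mount_point_of "$1")}"
    if is_system_mount "$mp"; then
        echo "FAIL datadir $1 lives on system partition $mp"
        return 1
    fi
    echo "PASS datadir $1 lives on $mp"
}

# Live run against a server: ask it for @@datadir and check that path.
# Assumes ~/.my.cnf or a login path supplies credentials (no -p on the CLI).
if [ "${1:-}" = "--live" ]; then
    datadir=$(mysql -NBe 'SELECT @@datadir')
    check_datadir "$datadir"
fi
```

Run it as `sh check_datadir.sh --live` on the database host; without the flag it only defines the functions, which is what makes the decision logic testable on constructed paths.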
1.2 Use Dedicated Least Privileged Account for MySQL Daemon/Service (Scored)

Profile Applicability:

• Level 1 - MySQL RDBMS on Linux

Description:

As with any service installed on a host, it can be provided with its own user context. Providing a dedicated user to the service provides the ability to precisely constrain the service within the larger host context.

Rationale:

Utilizing a least privilege account for MySQL to execute as may reduce the impact of a MySQL-borne vulnerability. A restricted account will be unable to access resources unrelated to MySQL, such as operating system configurations.

Audit:

Execute the following command at a terminal prompt to assess this recommendation:

ps -ef | egrep "^mysql.*$"

If no lines are returned, then this is a finding.

NOTE: It is assumed that the MySQL user is mysql. The command above only shows that some process runs as mysql; also confirm that the server process itself is not running as root, for example with ps -o user= -C mysqld. Additionally, you may consider running sudo -l as the MySQL user or checking the sudoers file.

Remediation:

Create a user which is only used for running MySQL and directly related processes. This user must not have administrative rights to the system.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/changing-mysql-user.html
2. http://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_user
1.3 Disable MySQL Command History (Scored)

Profile Applicability:

• Level 2 - MySQL RDBMS on Linux

Description:

On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled.

Rationale:

Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys. Statements such as SET PASSWORD, CREATE USER ... IDENTIFIED BY and GRANT ... IDENTIFIED BY carry the secret in clear text, and the history file is readable by anyone who obtains the user's home directory or a backup of it.

Audit:

Execute the following commands to assess this recommendation:

find /home -name ".mysql_history"
find /root -name ".mysql_history"

For each file returned determine whether that file is symbolically linked to /dev/null.

Remediation:

Perform the following steps to remediate this setting:

1. Remove .mysql_history if it exists.
2. Use either of the techniques below to prevent it from being created again:

1. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script.
2. Create $HOME/.mysql_history as a symbolic link to /dev/null.

ln -s /dev/null $HOME/.mysql_history

Default Value:

By default, the MySQL command history file is located in $HOME/.mysql_history.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
2. http://bugs.mysql.com/bug.php?id=72158
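The following script, an added example that is not part of the CIS benchmark, performs the audit and the symlink remediation for every home directory under a given root. The function names are this example's own; it treats a file as compliant only when it is a symbolic link whose target is /dev/null, and it reports anything else, including a regular file and a symlink to some other path.

```shell
# Added example (not from the CIS benchmark): audit and fix .mysql_history
# files under a set of home directories. Function names are this example's own.

# history_file_ok FILE -> true only if FILE is a symlink pointing at /dev/null
history_file_ok() {
    [ -L "$1" ] || return 1
    [ "$(readlink "$1")" = "/dev/null" ]
}

# audit_history ROOT... -> prints every .mysql_history found directly under a
# home directory below ROOT (for example /home and /root) that is not a
# /dev/null symlink. Prints nothing when the host is compliant.
audit_history() {
    find "$@" -maxdepth 2 -name .mysql_history 2>/dev/null |
    while IFS= read -r f; do
        history_file_ok "$f" || echo "$f"
    done
}

# remediate_history FILE -> remove the history and pin the path to /dev/null
# so the client cannot recreate it (benchmark remediation technique 2)
remediate_history() {
    rm -f "$1" && ln -s /dev/null "$1"
}

if [ "${1:-}" = "--live" ]; then
    audit_history /home /root
fi
```

Run as root with `sh mysql_history.sh --live`; feed each reported path to `remediate_history`. The MYSQL_HISTFILE alternative from the remediation list is per-shell and silently stops working if a user's start-up script changes, which is why the symlink form is the one automated here.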
1.4 Verify That the MYSQL_PWD Environment Variable Is Not In Use (Scored)

Profile Applicability:

• Level 1 - MySQL RDBMS on Linux

Description:

MySQL can read a default database password from an environment variable called MYSQL_PWD.

Rationale:

The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved.

Audit:

To assess this recommendation, use the /proc filesystem to determine if MYSQL_PWD is currently set for any process

grep MYSQL_PWD /proc/*/environ

This may return one entry for the process which is executing the grep command. Run the command as root; a non-root user can only read the environ file of its own processes. The environ file is NUL-separated, so grep reports "Binary file ... matches" rather than the value; add -a to grep if you need to see the variable itself.

Remediation:

Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method.

Default Value:

Not set.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
2. https://blogs.oracle.com/myoraclediary/entry/how_to_check_environment_variables
1.5 Disable Interactive Login (Scored)

Profile Applicability:

• Level 2 - MySQL RDBMS on Linux

Description:

When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would.

Rationale:

Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled.

Audit:

Execute the following command to assess this recommendation

getent passwd mysql | egrep ':(/bin/false|/sbin/nologin)$'

Lack of output implies a finding. (The pattern matches the login shell field, the last field of the passwd entry. A bracket expression such as [\/bin\/false|\/sbin\/nologin] would instead match any single character from that set and report a shell of /bin/bash as compliant.)

Remediation:

Perform the following steps to remediate this setting:

• Execute one of the following commands in a terminal

usermod -s /bin/false mysql
usermod -s /sbin/nologin mysql

Impact:

This setting will prevent the MySQL administrator from interactively logging into the operating system using the MySQL user. Instead, the administrator will need to login using one's own account.
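Recommendations 1.2 and 1.5 both concern the operating-system account that runs mysqld, so one script can audit both: which user owns the mysqld process, and whether that user has a login shell. The script below is an added example and not part of the CIS benchmark; the parsing functions take text as an argument so they can be exercised on constructed ps and passwd lines, and the live mode assumes procps-style `ps -eo user:32,comm` output and a service account named mysql (both are this example's assumptions).

```shell
# Added example (not from the CIS benchmark): audit the OS account that runs
# mysqld (1.2) and whether that account can log in interactively (1.5).
# Function names, the --live flag and the default account name "mysql" are
# this example's own assumptions.

# mysqld_owner PS_OUTPUT -> prints the user column of every mysqld process.
# Expects "ps -eo user:32,comm" style text: "<user> <command>" per line; the
# exact match on $2 ignores wrappers such as mysqld_safe.
mysqld_owner() {
    printf '%s\n' "$1" | awk '$2 == "mysqld" { print $1 }'
}

# shell_is_nologin PASSWD_LINE -> true if the login shell (last field) is one
# the benchmark accepts as non-interactive
shell_is_nologin() {
    case "${1##*:}" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_service_account PS_OUTPUT PASSWD_LINE [EXPECTED_USER]
#   -> prints one PASS/FAIL line per check; returns 1 if any check failed
audit_service_account() {
    expected="${3:-mysql}"
    rc=0
    owners=$(mysqld_owner "$1")
    if [ -z "$owners" ]; then
        echo "FAIL no mysqld process found"
        rc=1
    fi
    for u in $owners; do
        if [ "$u" = "$expected" ]; then
            echo "PASS mysqld runs as $u"
        else
            echo "FAIL mysqld runs as $u (expected $expected)"
            rc=1
        fi
    done
    if shell_is_nologin "$2"; then
        echo "PASS $expected has no interactive login shell"
    else
        echo "FAIL $expected has login shell ${2##*:}"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    audit_service_account "$(ps -eo user:32,comm)" "$(getent passwd mysql)"
fi
```

A mysqld running as root is reported as a finding even though the benchmark's own `ps -ef | egrep "^mysql.*$"` would pass as long as any other process belongs to mysql; that is the gap the stricter process-name match closes.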
1.6 Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles (Scored)

Profile Applicability:

• Level 1 - MySQL RDBMS on Linux

Description:

MySQL can read a default database password from an environment variable called MYSQL_PWD.

Rationale:

The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved.

Audit:

To assess this recommendation check if MYSQL_PWD is set in login scripts using the following command:

grep MYSQL_PWD /home/*/.{bashrc,profile,bash_profile}

Remediation:

Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method.

Default Value:

Not set.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
2. https://blogs.oracle.com/myoraclediary/entry/how_to_check_environment_variables
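Recommendations 1.4 and 1.6 are two views of the same control, the running environment and the files that populate it, so the added example below covers both. It is not part of the CIS benchmark; the directory arguments exist so the scan can be pointed at a constructed tree, and the function names are this example's own. Unlike a plain `grep /proc/*/environ`, it converts the NUL-separated environ file to lines, skips its own process (which would otherwise match whenever the auditor's shell has the variable exported), and in a POSIX shell avoids the brace expansion the benchmark's one-liner relies on.

```shell
# Added example (not from the CIS benchmark): look for MYSQL_PWD in process
# environments (1.4) and in users' shell start-up files (1.6). Reading other
# users' /proc/<pid>/environ requires root. Function names are this example's own.

# environ_has_pwd ENVIRON_FILE -> true if the NUL-separated file sets MYSQL_PWD
environ_has_pwd() {
    tr '\000' '\n' < "$1" | grep -q '^MYSQL_PWD='
}

# scan_proc [PROCDIR] -> prints "pid=<n> comm=<name>" for every process whose
# environment contains MYSQL_PWD. PROCDIR defaults to /proc and is a parameter
# only so the function can be run against a constructed tree.
scan_proc() {
    procdir="${1:-/proc}"
    for d in "$procdir"/[0-9]*; do
        pid="${d##*/}"
        [ "$pid" = "$$" ] && continue          # the scanner inherits its caller's env
        [ -r "$d/environ" ] || continue         # not a process dir, or not root
        environ_has_pwd "$d/environ" || continue
        cmd=unknown
        [ -r "$d/comm" ] && cmd=$(cat "$d/comm")
        echo "pid=$pid comm=$cmd"
    done
}

# scan_profiles HOME_ROOT -> prints file:line:text for every start-up file
# under HOME_ROOT/* that mentions MYSQL_PWD (the three files the benchmark names)
scan_profiles() {
    for home in "$1"/*; do
        for f in "$home/.bashrc" "$home/.profile" "$home/.bash_profile"; do
            if [ -f "$f" ]; then
                grep -Hn 'MYSQL_PWD' "$f" || true
            fi
        done
    done
}

if [ "${1:-}" = "--live" ]; then
    scan_proc /proc
    scan_profiles /home
    scan_profiles /root/..   # /root itself, which the benchmark's glob misses
fi
```

Anything reported here is a clear-text credential; the replacement is a login path created with `mysql_config_editor` or a mode-0600 `~/.my.cnf`, as in recommendation 2.3.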
2 Installation and Planning

This section contains important considerations when deploying MySQL services to your production network. The recommendations made herein are not scored from a benchmark perspective and generally align with best current practices as conveyed in most control frameworks.

Note also that configuration options can be added two ways. First is using the MySQL configuration file (e.g. my.cnf) and placing options under the proper section of [mysqld]. Options placed in the configuration file should not be prefixed with a double dash "--". Options can also be placed on the command line by modifying the MySQL startup script. The startup script is system dependent based on your operating system.
2.1 Backup and Disaster Recovery

This section contains recommendations related to backup and recovery.

2.1.1 Backup policy in place (Not Scored)

Profile Applicability:

• Level 1 - MySQL RDBMS on Linux

Description:

A backup policy should be in place.

Rationale:

Backing up MySQL databases, including 'mysql', will help ensure the availability of data in the event of an incident.

Audit:

Check with "crontab -l" if there is a backup schedule.

Remediation:

Create a backup policy and backup schedule.

Impact:

Without backups it might be hard to recover from an incident.
2.1.2 Verify backups are good (Not Scored)

Profile Applicability:

• Level 1 - MySQL RDBMS on Linux

Description:

Backups should be validated on a regular basis.

Rationale:

Verifying that backups are occurring appropriately will help ensure the availability of data in the event of an incident.

Audit:

Check reports of backup validation tests.

Remediation:

Implement regular backup checks and document each check.

Impact:

Without a well-tested backup, it might be hard to recover from an incident if the backup procedure contains errors or doesn't include all required data.
2.1.3 Secure backup credentials (Not Scored)

Profile Applicability:

• Level 1 - MySQL RDBMS on Linux

Description:

The password, certificate and any other credentials should be protected.

Rationale:

A database user with the least amount of privileges required to perform backup is needed for backup. The credentials for this user should be protected.

Audit:

Check permissions of files containing passwords and/or SSL keys.

Remediation:

Change file permissions.

Impact:

When the backup credentials are not properly secured they might be abused to gain access to the server. The backup user needs an account with broad read privileges on every database, so an attacker holding its credentials gains (almost) complete access to the data on the server.
2.1.4 The backups should be properly secured (Not Scored)

Profile Applicability:

• Level 1 - MySQL RDBMS on Linux

Description:

The backup files will contain all data in the databases. File system permissions and/or encryption should be used to prevent non-authorized users from gaining access to the backups.

Rationale:

Backups should be considered sensitive information.

Audit:

Check who has access to the backup files.

• Are the files world-readable (e.g. rw-r--r--)?
  o Are they stored in a world readable directory?
• Is the group MySQL and/or backup specific?
  o If not: the file and directory must not be group readable
• Are the backups stored offsite?
  o Who has access to the backups?
• Are the backups encrypted?
  o Where is the encryption key stored?
  o Does the encryption key consist of a guessable password?

Remediation:

Implement encryption or use file system permissions.

Impact:

If an unauthorized user can access backups then they have access to all the data that is in the database. This is true for unencrypted backups and for encrypted backups if the encryption key is stored along with the backup.
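The first two audit questions above (world-readable files and group readability by a group that is not the backup or MySQL group) are mechanical and can be checked per path. The script below is an added example, not part of the CIS benchmark; it parses `ls -ld` so it works on any POSIX system, and the allowed group is a parameter because the benchmark does not fix a name. Run it on the backup directory as well as on each file, since a readable directory is listed as its own finding in the audit.

```shell
# Added example (not from the CIS benchmark): flag backup files or directories
# that group or others can read. Function names are this example's own.

# mode_string PATH -> the 10-character permission string from ls -ld
# (columns 11+ such as the ACL "+" marker are deliberately cut off)
mode_string() { ls -ld "$1" | cut -c1-10; }

# owning_group PATH -> the group name shown by ls -ld
owning_group() { ls -ld "$1" | awk '{ print $4 }'; }

# group_readable MODE / other_readable MODE -> true if that read bit is set
# ("-rw-r--r--": position 5 is the group read bit, position 8 the other bit)
group_readable() { [ "$(printf '%s' "$1" | cut -c5)" = "r" ]; }
other_readable() { [ "$(printf '%s' "$1" | cut -c8)" = "r" ]; }

# audit_backup PATH [ALLOWED_GROUP] -> prints findings, or one PASS line;
# returns 1 on any finding. ALLOWED_GROUP defaults to mysql.
audit_backup() {
    m=$(mode_string "$1")
    g=$(owning_group "$1")
    allowed="${2:-mysql}"
    rc=0
    if other_readable "$m"; then
        echo "FAIL $1 is world-readable ($m)"
        rc=1
    fi
    if group_readable "$m" && [ "$g" != "$allowed" ]; then
        echo "FAIL $1 is readable by group $g, which is not $allowed ($m)"
        rc=1
    fi
    if [ $rc -eq 0 ]; then
        echo "PASS $1 ($m, group $g)"
    fi
    return $rc
}

# Usage: audit_backup /var/backups/mysql backup; then each file inside it.
if [ "${1:-}" = "--live" ]; then
    dir="${2:-/var/backups/mysql}"
    audit_backup "$dir" "${3:-backup}"
    for f in "$dir"/*; do
        [ -e "$f" ] && audit_backup "$f" "${3:-backup}"
    done
fi
```

Permissions are only half of the control: an encrypted backup whose key sits in the same directory fails the last audit question even when every mode is 0600.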
2.1.5 Point in time recovery (Not Scored)

Profile Applicability:

• Level 2 - MySQL RDBMS on Linux

Description:

With binlogs it is possible to implement point-in-time recovery. This makes it possible to restore the changes between the last full backup and the point-in-time.

Enabling binlogs is not sufficient; a restore procedure should be created and has to be tested.

Rationale:

This can reduce the amount of information lost.

Audit:

Check if binlogs are enabled and if there is a restore procedure.

Remediation:

Enable binlogs and create and test a restore procedure.

Impact:

Without point-in-time recovery the data which was stored between the last backup and the time of disaster might not be recoverable.
2.1.6 Disaster recovery plan (Not Scored)

Profile Applicability:

• Level 1 - MySQL RDBMS on Linux

Description:

A disaster recovery plan should be created.

A slave in a different data center can be used, or offsite backups. There should be information about how long a recovery will take and whether the recovery site has the same capacity.

Rationale:

A disaster recovery should be planned.

Audit:

Check if there is a disaster recovery plan.

Remediation:

Create a disaster recovery plan.

Impact:

Without a well-tested disaster recovery plan it might not be possible to recover in time.
2.1.7 Backup of configuration and related files (Not Scored)

Profile Applicability:

• Level 1 - MySQL RDBMS on Linux

Description:

The following files should be included in the backup:

• Configuration files (my.cnf and included files)
• SSL files (certificates, keys)
• User Defined Functions (UDFs)
• Source code for customizations

Rationale:

These files are required to be able to fully restore an instance.

Audit:

Check if these files are in use and are saved in the backup.

Remediation:

Add these files to the backup.

Impact:

Without a complete backup it might not be possible to fully recover.
2.2 Dedicate Machine Running MySQL (Not Scored)

Profile Applicability:

• Level 1 - MySQL RDBMS on Linux

Description:

It is recommended that MySQL Server software be installed on a dedicated server. This architectural consideration affords flexibility in that the database server can be placed on a separate zone allowing access only from particular hosts and over particular protocols.

Rationale:

The attack surface is reduced on a server with only the underlying operating system, MySQL server software, and any security or operational tooling that may be additionally installed. A smaller attack surface reduces the probability of the data within MySQL being compromised.

Audit:

Verify there are no other roles enabled for the underlying operating system and that no additional applications or services unrelated to the proper operation of the MySQL server software are installed.

Remediation:

Remove excess applications or services and/or remove unnecessary roles from the underlying operating system.

Impact:

Care must be taken that applications or services that are required for the proper operation of the operating system are not removed.

Custom applications may need to be modified to accommodate database connections over the network rather than on the same host (e.g., using TCP/IP connections instead of the local Unix socket).

Additional hardware and operating system licenses may be required to make the architectural change.
2.3 Do Not Specify Passwords in Command Line (Not Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
When a command is executed on the command line, for example mysql -u admin -ppassword, the password may be visible in the user's shell/command history or in the process list.
Rationale:
If the password is visible in the process list or the user's shell/command history, an attacker will be able to access the MySQL database using the stolen credentials.
Audit:
Check the process or task list to see whether the password is visible.
Check the shell or command history to see whether the password is visible.
Remediation:
Use -p without a password and then enter the password when prompted, use a properly secured .my.cnf file, or store authentication information in encrypted format in .mylogin.cnf.
Impact:
Depending on the remediation chosen, additional steps may need to be undertaken, such as:
• Entering a password when prompted;
• Ensuring the file permissions on .my.cnf are restricted yet accessible by the user;
• Using mysql_config_editor to encrypt the authentication credentials in .mylogin.cnf.
Additionally, not all scripts/applications may be able to use .mylogin.cnf.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
2. http://dev.mysql.com/doc/refman/5.6/en/password-security-user.html
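The audit step above is a manual review of the process list and shell history. The following script, added here as an example and not part of the CIS benchmark, automates that review: it takes a file of command lines (the output of ps -eo args, or a shell history file) and reports MySQL client invocations that carry the password inline, with the password masked in the report. The sample command lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: find MySQL client commands
# that carry the password on the command line, the condition that 2.3
# audits for. Input is one command line per line, e.g. from `ps -eo args`
# or a shell history file. Sample data is constructed; function names are
# hypothetical.

# find_inline_passwords FILE
#   Prints each offending command line with the password masked.
#   "-p" followed directly by text and "--password=<text>" are findings;
#   a bare "-p" (which prompts), "--login-path" and the unrelated "--port"
#   option are not.
find_inline_passwords() {
    grep -E '(^|[[:space:]])(mysql|mysqldump|mysqladmin|mysqlimport)[[:space:]].*[[:space:]](-p[^[:space:]]+|--password=[^[:space:]]+)' "$1" |
        sed -E 's/([[:space:]])(-p|--password=)[^[:space:]]+/\1\2********/g'
}

# Constructed sample of what a process list or history file might contain.
sample_command_lines() {
    cat <<'EOF'
mysql -u admin -pS3cret -e "select 1"
mysql -u admin -p -e "select 1"
mysqldump --user=backup --password=Dump1 --single-transaction appdb
/usr/sbin/mysqld --port=3306 --datadir=/var/lib/mysql
mysql --login-path=prod -e "select 1"
EOF
}

# Demonstration: two of the five constructed lines are findings.
tmp=$(mktemp)
sample_command_lines > "$tmp"
find_inline_passwords "$tmp"
rm -f "$tmp"
```

Only the first and third constructed lines are reported; the masked output can be kept as audit evidence without copying the credential into the report. The pattern is deliberately narrow (client programs followed by -p<text> or --password=<text>) so that mysqld's own --port option is not mistaken for a password.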
2.4 Do Not Reuse Usernames (Not Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
Database user accounts should not be reused for multiple applications or users.
Rationale:
Utilizing unique database accounts across applications will reduce the impact of a compromised MySQL account.
Audit:
Each user should be linked to one of these:
• system accounts
• a person
• an application
Remediation:
Add/remove users so that each user is only used for one specific purpose.
Impact:
If a user is reused, then a compromise of this user will compromise multiple parts of the system and/or application.
2.5 Do Not Use Default or Non-MySQL-specific Cryptographic Keys (Not Scored)
Profile Applicability:
• Level 2 - MySQL RDBMS on Linux
Description:
The SSL certificate and key used by MySQL should be used only for MySQL and only for one instance.
Rationale:
Use of default certificates can allow an attacker to impersonate the MySQL server.
Audit:
Check if the certificate is bound to one instance of MySQL.
Remediation:
Generate a new certificate/key per MySQL instance.
Impact:
If a key is used on multiple systems then a compromise of one system leads to compromise of the network traffic of all servers which use the same key.
3 File System Permissions
The file system permissions are critical for keeping the data and configuration of the MySQL server secure.
3.1 Ensure 'datadir' Has Appropriate Permissions (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
The data directory is the location of the MySQL databases.
Rationale:
Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL database. If someone other than the MySQL user is allowed to read files from the data directory he or she might be able to read data from the mysql.user table which contains passwords. Additionally, the ability to create files can lead to denial of service, or might otherwise allow someone to gain access to specific data by manually creating a file with a view definition.
Audit:
Perform the following steps to assess this recommendation:
• Execute the following SQL statement to determine the Value of datadir:
show variables where variable_name = 'datadir';
• Execute the following command at a terminal prompt:
ls -l <datadir>/.. | egrep "^d[r|w|x]{3}------\s*.\s*mysql\s*mysql\s*\d*.*mysql"
Lack of output implies a finding.
Remediation:
Execute the following commands at a terminal prompt:
chmod 700 <datadir>
chown mysql:mysql <datadir>
3.2 Ensure 'log_bin_basename' Files Have Appropriate Permissions (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
MySQL can operate using a variety of log files, each used for different purposes. These are the binary log, error log, slow query log, relay log, and general log. Because these are files on the host operating system, they are subject to the permissions structure provided by the host and may be accessible by users other than the MySQL user.
Rationale:
Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs.
Audit:
Perform the following steps to assess this recommendation:
• Identify the basename of the binary log files (log_bin_basename) by executing the following statement:
show variables like 'log_bin_basename';
• Verify permissions are 660 for mysql:mysql on each log file of the form log_bin_basename.nnnnnn.
Remediation:
Execute the following commands for each log file location requiring corrected permissions:
chmod 660 <log file>
chown mysql:mysql <log file>
Impact:
Changing the permissions of the log files might have an impact on monitoring tools which use a log file adapter. Also the slow query log can be used for performance analysis by application developers.
If the permissions on the relay logs and binary log files are accidentally changed to exclude the user account which is used to run the MySQL service, then this might break replication.
The binary log file can be used for point-in-time recovery, so this can also affect backup, restore and disaster recovery procedures.
3.3 Ensure 'log_error' Has Appropriate Permissions (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
MySQL can operate using a variety of log files, each used for different purposes. These are the binary log, error log, slow query log, relay log, and general log. Because these are files on the host operating system, they are subject to the permissions structure provided by the host and may be accessible by users other than the MySQL user.
Rationale:
Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs.
Audit:
Perform the following steps to assess this recommendation:
• Find the log_error value (<error_log_path>) by executing the following statement:
show variables like 'log_error';
• Verify permissions are 660 for mysql:mysql for <error_log_path>.
Remediation:
Execute the following commands for each log file location requiring corrected permissions:
chmod 660 <log file>
chown mysql:mysql <log file>
Impact:
Changing the permissions of the log files might have an impact on monitoring tools which use a log file adapter. Also the slow query log can be used for performance analysis by application developers.
If the permissions on the relay logs and binary log files are accidentally changed to exclude the user account which is used to run the MySQL service, then this might break replication.
The binary log file can be used for point-in-time recovery, so this can also affect backup, restore and disaster recovery procedures.
3.4 Ensure 'slow_query_log' Has Appropriate Permissions (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
MySQL can operate using a variety of log files, each used for different purposes. These are the binary log, error log, slow query log, relay log, and general log. Because these are files on the host operating system, they are subject to the permissions structure provided by the host and may be accessible by users other than the MySQL user.
Rationale:
Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs.
Audit:
Perform the following steps to assess this recommendation:
• Find the slow query log value (<slow_query_log_path>) by executing the following statement:
show variables like 'slow_query_log_file';
• Verify permissions are 660 for mysql:mysql for <slow_query_log_path>.
Remediation:
Execute the following commands for each log file location requiring corrected permissions:
chmod 660 <log file>
chown mysql:mysql <log file>
Impact:
Changing the permissions of the log files might have an impact on monitoring tools which use a log file adapter. Also the slow query log can be used for performance analysis by application developers.
If the permissions on the relay logs and binary log files are accidentally changed to exclude the user account which is used to run the MySQL service, then this might break replication.
The binary log file can be used for point-in-time recovery, so this can also affect backup, restore and disaster recovery procedures.
3.5 Ensure 'relay_log_basename' Files Have Appropriate Permissions (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
MySQL can operate using a variety of log files, each used for different purposes. These are the binary log, error log, slow query log, relay log, and general log. Because these are files on the host operating system, they are subject to the permissions structure provided by the host and may be accessible by users other than the MySQL user.
Rationale:
Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs.
Audit:
Perform the following steps to assess this recommendation:
• Find the relay_log_basename value by executing the following statement:
show variables like 'relay_log_basename';
• Verify permissions are 660 for mysql:mysql for each file of the form <relay_log_basename>.nnnnnn.
Remediation:
Execute the following commands for each log file location requiring corrected permissions:
chmod 660 <log file>
chown mysql:mysql <log file>
Impact:
Changing the permissions of the log files might have an impact on monitoring tools which use a log file adapter. Also the slow query log can be used for performance analysis by application developers.
If the permissions on the relay logs and binary log files are accidentally changed to exclude the user account which is used to run the MySQL service, then this might break replication.
The binary log file can be used for point-in-time recovery, so this can also affect backup, restore and disaster recovery procedures.
3.6 Ensure 'general_log_file' Has Appropriate Permissions (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
MySQL can operate using a variety of log files, each used for different purposes. These are the binary log, error log, slow query log, relay log, and general log. Because these are files on the host operating system, they are subject to the permissions structure provided by the host and may be accessible by users other than the MySQL user.
Rationale:
Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL logs.
Audit:
Perform the following steps to assess this recommendation:
• Find the general_log_file value by executing the following statement:
show variables like 'general_log_file';
• Verify permissions are 660 for mysql:mysql for the indicated general_log_file.
Remediation:
Execute the following commands for each log file location requiring corrected permissions:
chmod 660 <log file>
chown mysql:mysql <log file>
Impact:
Changing the permissions of the log files might have an impact on monitoring tools which use a log file adapter. Also the slow query log can be used for performance analysis by application developers.
If the permissions on the relay logs and binary log files are accidentally changed to exclude the user account which is used to run the MySQL service, then this might break replication.
The binary log file can be used for point-in-time recovery, so this can also affect backup, restore and disaster recovery procedures.
3.7 Ensure SSL Key Files Have Appropriate Permissions (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
When configured to use SSL/TLS, MySQL relies on key files, which are stored on the host's filesystem. These key files are subject to the host's permissions structure.
Rationale:
Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL database and the communication with the client.
If the contents of the SSL key file are known to an attacker he or she might impersonate the server. This can be used for a man-in-the-middle attack.
Depending on the SSL cipher suite the key might also be used to decipher previously captured network traffic.
Audit:
To assess this recommendation, locate the SSL key in use by executing the following SQL statement to get the Value of ssl_key:
show variables where variable_name = 'ssl_key';
Then, execute the following command to assess the permissions of the Value:
ls -l <ssl_key Value> | egrep "^-r--------[ \t]*.[ \t]*mysql[ \t]*mysql.*$"
Lack of output from the above command implies a finding.
Remediation:
Execute the following commands at a terminal prompt to remediate this setting using the Value from the audit procedure:
chown mysql:mysql <ssl_key Value>
chmod 400 <ssl_key Value>
Impact:
If the permissions for the key file are changed incorrectly this can cause SSL to be disabled when MySQL is restarted or can cause MySQL not to start at all.
If other applications are using the same key pair, then changing the permissions of the key file will affect those applications. If this is the case, then a new key pair must be generated for MySQL.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/ssl-connections.html
3.8 Ensure Plugin Directory Has Appropriate Permissions (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
The plugin directory is the location of the MySQL plugins. Plugins are storage engines or user defined functions (UDFs).
Rationale:
Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL database. If someone can modify plugins then these plugins might be loaded when the server starts and the code will get executed.
Audit:
To assess this recommendation, execute the following SQL statement to discover the Value of plugin_dir:
show variables where variable_name = 'plugin_dir';
Then, execute the following command at a terminal prompt (using the discovered plugin_dir Value) to determine the permissions:
ls -l <plugin_dir Value>/.. | egrep "^drwxr[-w]xr[-w]x[ \t]*[0-9][ \t]*mysql[ \t]*mysql.*plugin.*$"
Lack of output implies a finding.
NOTE: Permissions are intended to be either 775 or 755.
Remediation:
To remediate this setting, execute the following commands at a terminal prompt using the plugin_dir Value from the audit procedure:
chmod 775 <plugin_dir Value> (or use 755)
chown mysql:mysql <plugin_dir Value>
Impact:
Users other than the mysql user will no longer be able to update and add/remove plugins unless they're able to switch to the mysql user.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/install-plugin.html
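Recommendations 3.1 to 3.8 each audit one path with an ls | egrep pipeline. The script below, added here as an example and not the benchmark's own, performs all of those checks in one pass by comparing the owner and octal mode of each object against the target of its recommendation (700 for datadir, 400 for the SSL key, 755 or 775 for the plugin directory, 660 for every log file). The paths would normally be taken from the SHOW VARIABLES statements in each recommendation; here they are passed as arguments and a constructed directory tree stands in for a real installation, so the script runs offline. It assumes GNU coreutils stat, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the benchmark's own script: check owner and mode of
# the file system objects covered by Recommendations 3.1 to 3.8 in one
# pass. In practice the paths come from SHOW VARIABLES (datadir, ssl_key,
# plugin_dir, log_bin_basename, log_error, slow_query_log_file,
# relay_log_basename, general_log_file); here they are arguments so the
# check runs offline. Assumes GNU coreutils stat (Linux).

# check_perm PATH EXPECTED_OWNER ALLOWED_MODES
#   EXPECTED_OWNER is "user:group"; ALLOWED_MODES is a space-separated
#   list such as "700" or "755 775". Prints OK or FINDING and returns 1
#   on a finding (including a missing path).
check_perm() {
    cp_path=$1; cp_owner=$2; cp_modes=$3
    if [ ! -e "$cp_path" ]; then
        echo "FINDING $cp_path: does not exist"
        return 1
    fi
    cp_actual_owner=$(stat -c '%U:%G' "$cp_path")
    cp_actual_mode=$(stat -c '%a' "$cp_path")
    cp_mode_ok=0
    for cp_m in $cp_modes; do
        if [ "$cp_actual_mode" = "$cp_m" ]; then cp_mode_ok=1; fi
    done
    if [ "$cp_actual_owner" = "$cp_owner" ] && [ "$cp_mode_ok" -eq 1 ]; then
        echo "OK $cp_path ($cp_actual_owner $cp_actual_mode)"
        return 0
    fi
    echo "FINDING $cp_path: is $cp_actual_owner $cp_actual_mode, expected $cp_owner $cp_modes"
    return 1
}

# audit_mysql_files OWNER DATADIR SSL_KEY PLUGIN_DIR LOGFILE...
#   Applies the modes from 3.1 (700), 3.7 (400), 3.8 (755 or 775) and
#   3.2 to 3.6 (660). Returns the number of findings.
audit_mysql_files() {
    af_owner=$1; af_datadir=$2; af_key=$3; af_plugins=$4; shift 4
    af_findings=0
    check_perm "$af_datadir" "$af_owner" "700"     || af_findings=$((af_findings + 1))
    check_perm "$af_key"     "$af_owner" "400"     || af_findings=$((af_findings + 1))
    check_perm "$af_plugins" "$af_owner" "755 775" || af_findings=$((af_findings + 1))
    for af_log in "$@"; do
        check_perm "$af_log" "$af_owner" "660" || af_findings=$((af_findings + 1))
    done
    return "$af_findings"
}

# make_sample_tree DIR: constructed stand-in for a MySQL installation,
# created with the recommended modes so it passes every check.
make_sample_tree() {
    mkdir -p "$1/data" "$1/plugin" "$1/logs"
    chmod 700 "$1/data"
    chmod 755 "$1/plugin"
    : > "$1/server-key.pem"; chmod 400 "$1/server-key.pem"
    for ms_f in error.log slow.log binlog.000001 relay.000001 general.log; do
        : > "$1/logs/$ms_f"; chmod 660 "$1/logs/$ms_f"
    done
}

# Demonstration on the constructed tree, with one file deliberately
# loosened so that a finding is reported. The owner is the current user
# here; on a real server it is mysql:mysql.
demo=$(mktemp -d)
make_sample_tree "$demo"
chmod 644 "$demo/logs/error.log"
audit_mysql_files "$(id -un):$(id -gn)" "$demo/data" "$demo/server-key.pem" \
    "$demo/plugin" "$demo/logs/error.log" "$demo/logs/binlog.000001" \
    || echo "$? finding(s)"
rm -rf "$demo"
```

Checking the octal mode directly avoids the fragility of matching ls output with a regular expression, and the missing-path case is reported as a finding rather than silently producing no output. Note that the datadir check in 3.1 also verifies that the directory is named mysql; that naming convention is not enforced here.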
4 General
This section contains recommendations related to various parts of the database server.
4.1 Ensure Latest Security Patches Are Applied (Not Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
Periodically, updates to MySQL server are released to resolve bugs, mitigate vulnerabilities, and provide new features. It is recommended that MySQL installations are up to date with the latest security updates.
Rationale:
Maintaining currency with MySQL patches will help reduce risk associated with known vulnerabilities present in the MySQL server.
Without the latest security patches MySQL might have known vulnerabilities which might be used by an attacker to gain access.
Audit:
Execute the following SQL statement to identify the MySQL server version:
SHOW VARIABLES WHERE Variable_name LIKE "version";
Now compare the version with the security announcements from Oracle and/or the OS vendor if the OS packages are used.
Remediation:
Install the latest patches for your version or upgrade to the latest version.
Impact:
To update the MySQL server a restart is required.
References:
1. http://www.oracle.com/technetwork/topics/security/alerts-086861.html
2. http://dev.mysql.com/doc/relnotes/mysql/5.6/en/
3. http://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_vendor=cpe%3a%2f%3aoracle&cpe_product=cpe%3a%2f%3aoracle%3amysql&cpe_version=cpe%3a%2f%3aoracle%3amysql%3a5.6.0
4.2 Ensure the 'test' Database Is Not Installed (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The default MySQL installation comes with an unused database called test. It is recommended that the test database be dropped.
Rationale:
The test database can be accessed by all users and can be used to consume system resources. Dropping the test database will reduce the attack surface of the MySQL server.
Audit:
Execute the following SQL statement to determine if the test database is present:
SHOW DATABASES LIKE 'test';
The above SQL statement should return zero rows.
Remediation:
Execute the following SQL statement to drop the test database (the identifier is quoted with backticks; double quotes are only accepted as identifier quotes when sql_mode contains ANSI_QUOTES):
DROP DATABASE `test`;
Note: mysql_secure_installation performs this operation as well as other security-related activities.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/mysql-secure-installation.html
4.3 Ensure 'allow-suspicious-udfs' Is Set to 'FALSE' (Scored)
Profile Applicability:
• Level 2 - MySQL RDBMS
Description:
This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add.
Rationale:
Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server.
Audit:
Perform the following to determine if the recommended state is in place:
• Ensure --allow-suspicious-udfs is not specified in the mysqld startup command line.
• Ensure allow-suspicious-udfs is set to FALSE in the MySQL configuration:
my_print_defaults mysqld | grep allow-suspicious-udfs
No results returned would be a pass.
Remediation:
Perform the following to establish the recommended state:
• Remove --allow-suspicious-udfs from the mysqld startup command line.
• Remove allow-suspicious-udfs from the MySQL option file.
Default Value:
FALSE
References:
1. http://dev.mysql.com/doc/refman/5.6/en/udf-security.html
2. http://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
4.4 Ensure 'local_infile' Is Disabled (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The local_infile parameter dictates whether files located on the MySQL client's computer can be loaded or selected via LOAD DATA INFILE or SELECT local_file.
Rationale:
Disabling local_infile reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability.
Audit:
Execute the following SQL statement and ensure the Value field is set to OFF:
SHOW VARIABLES WHERE Variable_name = 'local_infile';
Remediation:
Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service:
local-infile=0
Impact:
Disabling local_infile will impact the functionality of solutions that rely on it.
Default Value:
ON
References:
1. http://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
2. http://dev.mysql.com/doc/refman/5.6/en/load-data.html
4.5 Ensure 'mysqld' Is Not Started with '--skip-grant-tables' (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
This option causes mysqld to start without using the privilege system.
Rationale:
If this option is used, all clients of the affected server will have unrestricted access to all databases.
Audit:
Perform the following to determine if the recommended state is in place:
• Open the MySQL configuration file (e.g. my.cnf) and search for skip-grant-tables
• Ensure skip-grant-tables is set to FALSE
Remediation:
Perform the following to establish the recommended state:
• Open the MySQL configuration file (e.g. my.cnf) and set:
skip-grant-tables = FALSE
References:
1. http://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
4.6 Ensure '--skip-symbolic-links' Is Enabled (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When use of symbolic links is enabled, they have different effects depending on the host platform. When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database.
Rationale:
Prevents symlinks being used for database files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by the MySQL server to other files and/or directories.
Audit:
Execute the following SQL statement to assess this recommendation:
SHOW variables LIKE 'have_symlink';
Ensure the Value returned is DISABLED.
Remediation:
Perform the following actions to remediate this setting:
• Open the MySQL configuration file (my.cnf)
• Locate skip_symbolic_links in the configuration
• Set skip_symbolic_links to YES
NOTE: If skip_symbolic_links does not exist, add it to the configuration file in the mysqld section.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
2. http://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
4.7 Ensure the 'daemon_memcached' Plugin Is Disabled (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The InnoDB memcached plugin allows users to access data stored in InnoDB with the memcached protocol.
Rationale:
By default the plugin doesn't do authentication, which means that anyone with access to the TCP/IP port of the plugin can access and modify the data. However, not all data is exposed by default.
Audit:
Execute the following SQL statement to assess this recommendation:
SELECT * FROM information_schema.plugins WHERE PLUGIN_NAME='daemon_memcached';
Ensure that no rows are returned.
Remediation:
To remediate this setting, issue the following command in the MySQL command-line client:
uninstall plugin daemon_memcached;
This uninstalls the memcached plugin from the MySQL server.
Default Value:
disabled
References:
1. http://dev.mysql.com/doc/refman/5.6/en/innodb-memcached-security.html
4.8 Ensure 'secure_file_priv' Is Not Empty (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The secure_file_priv option restricts the paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL.
Rationale:
Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability.
Audit:
Execute the following SQL statement and ensure one row is returned:
SHOW GLOBAL VARIABLES WHERE Variable_name = 'secure_file_priv' AND Value<>'';
Note: The Value should contain a valid path.
Remediation:
Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service:
secure_file_priv=<path_to_load_directory>
Impact:
Solutions that rely on loading data from various sub-directories may be negatively impacted by this change. Consider consolidating load directories under a common parent directory.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES' (Scored)
Profile Applicability:
• Level 2 - MySQL RDBMS
Description:
When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise "adjusted" to make the data changing statement work.
Rationale:
Without strict mode the server tries to proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation.
Audit:
To audit for this recommendation execute the following query:
SHOW VARIABLES LIKE 'sql_mode';
Ensure that STRICT_ALL_TABLES is in the list returned.
Remediation:
Perform the following actions to remediate this setting:
1. Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file
Impact:
Applications relying on the MySQL database should be aware that STRICT_ALL_TABLES is in use, such that error conditions are handled appropriately.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/server-sql-mode.html
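Recommendations 4.3, 4.4, 4.5, 4.6, 4.8 and 4.9 are all settled by entries in the [mysqld] section of the option file, and several of their remediations are "add or remove a line in my.cnf". The script below, added here as an example and not from the benchmark, reads an option file and applies those six checks to it, so the file can be verified offline and before the restart that makes the change effective. The running server is still checked with SHOW VARIABLES or my_print_defaults as each recommendation describes. Both option files are constructed samples (one that fails every check and one with the recommended settings), and the function names are hypothetical. It handles the spellings mysqld accepts: bare boolean options, dashes and underscores used interchangeably, double-quoted values and trailing # comments.

```shell
#!/bin/sh
# Added example, not from the benchmark: audit the [mysqld] section of an
# option file for the settings checked in Recommendations 4.3, 4.4, 4.5,
# 4.6, 4.8 and 4.9. The option files below are constructed samples and
# the function names are hypothetical.

# cnf_get FILE SECTION OPTION
#   Prints OPTION's value from SECTION: "__SET__" for a bare option,
#   nothing when absent. Dashes and underscores in option names are
#   interchangeable (as mysqld treats them); double-quoted values are
#   unquoted; trailing "#" comments are stripped.
cnf_get() {
    awk -v sec="$2" -v opt="$(printf '%s' "$3" | tr '-' '_')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_sec = ($0 ~ ("^[ \t]*\\[" sec "\\][ \t]*$")); next }
        in_sec {
            line = $0
            sub(/[ \t]*#.*$/, "", line)
            if (line ~ /^[ \t]*$/) next
            key = line
            sub(/=.*$/, "", key); gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            if (key != opt) next
            if (line !~ /=/) { print "__SET__"; exit }
            val = line
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (val ~ /^".*"$/) val = substr(val, 2, length(val) - 2)
            print val
            exit
        }' "$1"
}

# is_true VALUE: true for a bare option or for 1/ON/TRUE/YES.
is_true() {
    case $(printf '%s' "$1" | tr 'a-z' 'A-Z') in
        __SET__|1|ON|TRUE|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mysqld_cnf FILE: prints one line per check; returns the number
# of findings.
audit_mysqld_cnf() {
    ac_file=$1; ac_n=0
    # 4.3: allow-suspicious-udfs must be absent or FALSE
    ac_v=$(cnf_get "$ac_file" mysqld allow-suspicious-udfs)
    if [ -n "$ac_v" ] && is_true "$ac_v"; then
        echo "FINDING 4.3: allow-suspicious-udfs is enabled"; ac_n=$((ac_n + 1))
    else echo "OK 4.3"; fi
    # 4.4: local_infile defaults to ON, so it must be explicitly 0/OFF
    ac_v=$(cnf_get "$ac_file" mysqld local-infile)
    if [ -z "$ac_v" ] || is_true "$ac_v"; then
        echo "FINDING 4.4: local_infile is not disabled"; ac_n=$((ac_n + 1))
    else echo "OK 4.4"; fi
    # 4.5: skip-grant-tables must not be in effect
    ac_v=$(cnf_get "$ac_file" mysqld skip-grant-tables)
    if [ -n "$ac_v" ] && is_true "$ac_v"; then
        echo "FINDING 4.5: skip-grant-tables is enabled"; ac_n=$((ac_n + 1))
    else echo "OK 4.5"; fi
    # 4.6: symlinks off, via skip-symbolic-links or symbolic-links=0
    ac_v=$(cnf_get "$ac_file" mysqld skip-symbolic-links)
    ac_w=$(cnf_get "$ac_file" mysqld symbolic-links)
    if { [ -n "$ac_v" ] && is_true "$ac_v"; } || { [ -n "$ac_w" ] && ! is_true "$ac_w"; }; then
        echo "OK 4.6"
    else echo "FINDING 4.6: symbolic links are not disabled"; ac_n=$((ac_n + 1)); fi
    # 4.8: secure_file_priv must name a directory; empty or absent is a finding
    ac_v=$(cnf_get "$ac_file" mysqld secure-file-priv)
    if [ -z "$ac_v" ] || [ "$ac_v" = "__SET__" ]; then
        echo "FINDING 4.8: secure_file_priv is empty"; ac_n=$((ac_n + 1))
    else echo "OK 4.8 ($ac_v)"; fi
    # 4.9: STRICT_ALL_TABLES must be one of the comma-separated sql_mode flags
    ac_v=$(cnf_get "$ac_file" mysqld sql-mode)
    case ",$ac_v," in
        *,STRICT_ALL_TABLES,*) echo "OK 4.9" ;;
        *) echo "FINDING 4.9: sql_mode lacks STRICT_ALL_TABLES"; ac_n=$((ac_n + 1)) ;;
    esac
    return "$ac_n"
}

# Constructed sample: fails every check (local-infile is only set in the
# [client] section, which does not affect the server).
weak_cnf() {
    cat <<'EOF'
[mysqld]
datadir=/var/lib/mysql
allow-suspicious-udfs
skip-grant-tables
secure_file_priv=""
sql_mode="NO_ENGINE_SUBSTITUTION"
[client]
local-infile=1
EOF
}

# Constructed sample: the recommended settings from 4.4, 4.6, 4.8, 4.9.
hardened_cnf() {
    cat <<'EOF'
[mysqld]
datadir=/var/lib/mysql
local-infile=0
skip_symbolic_links=YES
secure_file_priv=/var/lib/mysql-files   # only this directory may be loaded
sql_mode="STRICT_ALL_TABLES,NO_ENGINE_SUBSTITUTION"
[client]
local-infile=0
EOF
}

# Demonstration on the weak sample.
tmp=$(mktemp)
weak_cnf > "$tmp"
audit_mysqld_cnf "$tmp" || echo "$? finding(s) in constructed weak option file"
rm -f "$tmp"
```

Two points the checks encode that the recommendations state only in passing: local_infile must be disabled explicitly because its default is ON (4.4), so an absent line is a finding rather than a pass; and 4.6 is satisfied either by skip_symbolic_links=YES as the remediation says or by symbolic-links=0, which mysqld treats identically. The parser reads only the named file; !include and !includedir directives, and command-line options, are outside its scope, which is why the audit text of 4.3 and 4.5 also has you check the startup command line.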
5 MySQL Permissions
This section contains recommendations about user privileges.
5.1 Ensure Only Administrative Users Have Full Database Access (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The mysql.user and mysql.db tables list a variety of privileges that can be granted (or denied) to MySQL users. Some of the privileges of concern include: Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv, and so on. Typically, these privileges should not be available to every MySQL user and often are reserved for administrative use only.
Rationale:
Limiting the accessibility of the 'mysql' database will protect the confidentiality, integrity, and availability of the data housed within MySQL. A user which has direct access to mysql.* might view password hashes, change permissions, or alter or destroy information intentionally or unintentionally.
Audit:
Execute the following SQL statement(s) to assess this recommendation:
SELECT user, host FROM mysql.user WHERE (Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y');
SELECT user, host FROM mysql.db WHERE db = 'mysql' AND ((Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y'));
Ensure all users returned are administrative users.
Remediation:
Perform the following actions to remediate this setting:
1. Enumerate non-administrative users resulting from the audit procedure
2. For each non-administrative user, use the REVOKE statement to remove privileges as appropriate
Impact:
Consideration should be made for which privileges are required by each user requiring interactive database access.
5.2 Ensure 'file_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The File_priv privilege found in the mysql.user table is used to allow or disallow a user from reading and writing files on the server host. Any user with the File_priv right granted has the ability to:
• Read files from the local file system that are readable by the MySQL server (this includes world-readable files)
• Write files to the local file system where the MySQL server has write access
Rationale:
The File_priv right allows mysql users to read files from disk and to write files to disk. This may be leveraged by an attacker to further compromise MySQL. It should be noted that the MySQL server should not overwrite existing files.
Audit:
Execute the following SQL statement to audit this setting:
select user, host from mysql.user where File_priv = 'Y';
Ensure only administrative users are returned in the result set.
Remediation:
Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result set of the audit procedure
2. For each user, issue the following SQL statement (replace "<user>" with the non-administrative user):
REVOKE FILE ON *.* FROM '<user>';
References:
1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_file
5.3 Ensure 'process_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
Profile Applicability:
• Level 2 - MySQL RDBMS
Description:
The PROCESS privilege found in the mysql.user table determines whether a given user can see statement execution information for all sessions.
Rationale:
The PROCESS privilege allows principals to view currently executing MySQL statements beyond their own, including statements used to manage passwords. This may be leveraged by an attacker to compromise MySQL or to gain access to potentially sensitive data.
Audit:
Execute the following SQL statement to audit this setting:
select user, host from mysql.user where Process_priv = 'Y';
Ensure only administrative users are returned in the result set.
Remediation:
Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result set of the audit procedure
2. For each user, issue the following SQL statement (replace "<user>" with the non-administrative user):
REVOKE PROCESS ON *.* FROM '<user>';
Impact:
Users denied the PROCESS privilege may also be denied use of SHOW ENGINE.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_process
5.4 Ensure 'super_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The SUPER privilege found in the mysql.user table governs the use of a variety of MySQL features. These features include CHANGE MASTER TO, KILL, the mysqladmin kill option, PURGE BINARY LOGS, SET GLOBAL, the mysqladmin debug option, logging control, and more.
Rationale:
The SUPER privilege allows principals to perform many actions, including viewing and terminating currently executing MySQL statements (including statements used to manage passwords). This privilege also provides the ability to configure MySQL, such as enable/disable logging, alter data, disable/enable features. Limiting the accounts that have the SUPER privilege reduces the chances that an attacker can exploit these capabilities.
Audit:
Execute the following SQL statement to audit this setting:
select user, host from mysql.user where Super_priv = 'Y';
Ensure only administrative users are returned in the result set.
Remediation:
Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result set of the audit procedure
2. For each user, issue the following SQL statement (replace "<user>" with the non-administrative user):
REVOKE SUPER ON *.* FROM '<user>';
Impact:
When the SUPER privilege is denied to a given user, that user will be unable to take advantage of certain capabilities, such as certain mysqladmin options.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_super
5.5 Ensure 'shutdown_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The SHUTDOWN privilege simply enables use of the shutdown option of the mysqladmin command, which gives a user with the SHUTDOWN privilege the ability to shut down the MySQL server.
Rationale:
The SHUTDOWN privilege allows principals to shut down MySQL. This may be leveraged by an attacker to negatively impact the availability of MySQL.
Audit:
Execute the following SQL statement to audit this setting:
SELECT user, host FROM mysql.user WHERE Shutdown_priv = 'Y';
Ensure only administrative users are returned in the result set.
Remediation:
Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result set of the audit procedure
2. For each user, issue the following SQL statement (replace "<user>" with the non-administrative user):
REVOKE SHUTDOWN ON *.* FROM '<user>';
References:
1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_shutdown
5.6 Ensure 'create_user_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The CREATE USER privilege governs the right of a given user to add or remove users, change existing users' names, or revoke existing users' privileges.
Rationale:
Reducing the number of users granted the CREATE USER right minimizes the number of users able to add/drop users, alter existing users' names, and manipulate existing users' privileges.
Audit:
Execute the following SQL statement to audit this setting:
SELECT user, host FROM mysql.user WHERE Create_user_priv = 'Y';
Ensure only administrative users are returned in the result set.
Remediation:
Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result set of the audit procedure
2. For each user, issue the following SQL statement (replace "<user>" with the non-administrative user):
REVOKE CREATE USER ON *.* FROM '<user>';
Impact:
Users that are denied the CREATE USER privilege will not only be unable to create a user, but they may be unable to drop a user, rename a user, or otherwise revoke a given user's privileges.
5.7 Ensure 'grant_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The GRANT OPTION privilege exists in different contexts (mysql.user, mysql.db) for the purpose of governing the ability of a privileged user to manipulate the privileges of other users.
Rationale:
The GRANT privilege allows a principal to grant other principals additional privileges. This may be used by an attacker to compromise MySQL.
Audit:
Execute the following SQL statements to audit this setting:
SELECT user, host FROM mysql.user WHERE Grant_priv = 'Y';
SELECT user, host FROM mysql.db WHERE Grant_priv = 'Y';
Ensure only administrative users are returned in the result sets.
Remediation:
Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result sets of the audit procedure
2. For each user, issue the following SQL statement (replace "<user>" with the non-administrative user):
REVOKE GRANT OPTION ON *.* FROM '<user>';
References:
1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_grant-option
5.8 Ensure 'repl_slave_priv' Is Not Set to 'Y' for Non-Slave Users (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The REPLICATION SLAVE privilege governs whether a given user (in the context of the master server) can request updates that have been made on the master server.
Rationale:
The REPLICATION SLAVE privilege allows a principal to fetch binlog files containing all data changing statements and/or changes in table data from the master. This may be used by an attacker to read/fetch sensitive data from MySQL.
Audit:
Execute the following SQL statement to audit this setting:
SELECT user, host FROM mysql.user WHERE Repl_slave_priv = 'Y';
Ensure only accounts designated for slave users are granted this privilege.
Remediation:
Perform the following steps to remediate this setting:
1. Enumerate the non-slave users found in the result set of the audit procedure
2. For each user, issue the following SQL statement (replace "<user>" with the non-slave user):
REVOKE REPLICATION SLAVE ON *.* FROM '<user>';
Use the REVOKE statement to remove the REPLICATION SLAVE privilege from users who shouldn't have it.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_replication-slave
5.9 Ensure DML/DDL Grants Are Limited to Specific Databases and Users (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
DML/DDL includes the set of privileges used to modify or create data structures. This includes INSERT, SELECT, UPDATE, DELETE, DROP, CREATE, and ALTER privileges.
Rationale:
INSERT, SELECT, UPDATE, DELETE, DROP, CREATE, and ALTER are powerful privileges in any database. Such privileges should be limited only to those users requiring such rights. By limiting the users with these rights and ensuring that they are limited to specific databases, the attack surface of the database is reduced.
Audit:
Execute the following SQL statement to audit this setting:
SELECT User, Host, Db FROM mysql.db WHERE Select_priv='Y' OR Insert_priv='Y' OR Update_priv='Y' OR Delete_priv='Y' OR Create_priv='Y' OR Drop_priv='Y' OR Alter_priv='Y';
Ensure all users returned should have these privileges on the indicated databases.
NOTE: Global grants are covered in Recommendation 4.1.
Remediation:
Perform the following steps to remediate this setting:
1. Enumerate the unauthorized users, hosts, and databases returned in the result set of the audit procedure
2. For each user, issue the following SQL statements (replace "<user>" with the unauthorized user, "<host>" with the host name, and "<database>" with the database name; the privilege is revoked on <database>.* from the '<user>'@'<host>' account):
REVOKE SELECT ON <database>.* FROM '<user>'@'<host>';
REVOKE INSERT ON <database>.* FROM '<user>'@'<host>';
REVOKE UPDATE ON <database>.* FROM '<user>'@'<host>';
REVOKE DELETE ON <database>.* FROM '<user>'@'<host>';
REVOKE CREATE ON <database>.* FROM '<user>'@'<host>';
REVOKE DROP ON <database>.* FROM '<user>'@'<host>';
REVOKE ALTER ON <database>.* FROM '<user>'@'<host>';
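The three audits in 5.7, 5.8 and 5.9 share one shape: select the privilege rows, exclude the accounts that are meant to hold the right, and issue a REVOKE for the rest. The following Python script is an added example and is not part of the CIS benchmark. It runs those checks over constructed sample rows in the form a DB-API dictionary cursor returns from mysql.user and mysql.db; the administrative, slave and authorized-database allowlists are assumptions that a reviewer would supply, since the benchmark leaves "administrative" and "designated slave" to local judgement. It also renders the revocation statements with 'user'@'host' and backtick quoting, which the placeholder statements in the remediation steps leave to the reader.

```python
"""Privilege-flag audit for CIS 5.7, 5.8 and 5.9 over mysql.user and mysql.db
rows as a DB-API dict cursor returns them. All rows below are constructed
sample data, not taken from a real server."""

# Constructed sample of SELECT * FROM mysql.user (only the columns used here).
USER_ROWS = [
    {"User": "root",   "Host": "localhost",        "Grant_priv": "Y", "Repl_slave_priv": "N"},
    {"User": "dba",    "Host": "10.0.0.5",         "Grant_priv": "Y", "Repl_slave_priv": "N"},
    {"User": "app",    "Host": "app1.example.com", "Grant_priv": "Y", "Repl_slave_priv": "N"},
    {"User": "repl",   "Host": "10.0.0.9",         "Grant_priv": "N", "Repl_slave_priv": "Y"},
    {"User": "report", "Host": "%",                "Grant_priv": "N", "Repl_slave_priv": "Y"},
]
# Constructed sample of SELECT * FROM mysql.db (database-level grants).
DB_ROWS = [
    {"User": "app", "Host": "app1.example.com", "Db": "shop",
     "Select_priv": "Y", "Insert_priv": "Y", "Update_priv": "Y", "Delete_priv": "Y",
     "Create_priv": "N", "Drop_priv": "N", "Alter_priv": "N", "Grant_priv": "N"},
    {"User": "report", "Host": "%", "Db": "shop",
     "Select_priv": "Y", "Insert_priv": "N", "Update_priv": "N", "Delete_priv": "N",
     "Create_priv": "N", "Drop_priv": "Y", "Alter_priv": "N", "Grant_priv": "Y"},
]

# Assumed allowlists: the benchmark leaves "administrative" and "slave" accounts
# to the reviewer, so they are explicit inputs here rather than inferred.
ADMIN_ACCOUNTS = {("root", "localhost"), ("dba", "10.0.0.5")}
SLAVE_ACCOUNTS = {("repl", "10.0.0.9")}
AUTHORIZED_DB_ACCESS = {("app", "app1.example.com", "shop")}

DML_DDL_PRIVS = ("Select", "Insert", "Update", "Delete", "Create", "Drop", "Alter")


def quote_account(user, host):
    """Render 'user'@'host' for REVOKE; embedded single quotes are doubled."""
    return "'{}'@'{}'".format(user.replace("'", "''"), host.replace("'", "''"))


def quote_db(db):
    """Backtick-quote a database name, doubling any embedded backtick."""
    return "`{}`".format(db.replace("`", "``"))


def audit_grant_priv(user_rows, db_rows, admins):
    """CIS 5.7: GRANT OPTION held by a non-administrative account, globally or
    per database. Returns the REVOKE statement that remediates each finding."""
    stmts = []
    for r in user_rows:
        if r.get("Grant_priv") == "Y" and (r["User"], r["Host"]) not in admins:
            stmts.append("REVOKE GRANT OPTION ON *.* FROM {};".format(
                quote_account(r["User"], r["Host"])))
    for r in db_rows:
        if r.get("Grant_priv") == "Y" and (r["User"], r["Host"]) not in admins:
            stmts.append("REVOKE GRANT OPTION ON {}.* FROM {};".format(
                quote_db(r["Db"]), quote_account(r["User"], r["Host"])))
    return stmts


def audit_repl_slave_priv(user_rows, slaves):
    """CIS 5.8: REPLICATION SLAVE held by an account not designated as a replica."""
    return ["REVOKE REPLICATION SLAVE ON *.* FROM {};".format(quote_account(r["User"], r["Host"]))
            for r in user_rows
            if r.get("Repl_slave_priv") == "Y" and (r["User"], r["Host"]) not in slaves]


def audit_db_grants(db_rows, authorized):
    """CIS 5.9: DML/DDL privileges on a database the account is not authorized
    for. One REVOKE per granted privilege, scoped to <database>.* for user@host."""
    stmts = []
    for r in db_rows:
        if (r["User"], r["Host"], r["Db"]) in authorized:
            continue
        for p in DML_DDL_PRIVS:
            if r.get(p + "_priv") == "Y":
                stmts.append("REVOKE {} ON {}.* FROM {};".format(
                    p.upper(), quote_db(r["Db"]), quote_account(r["User"], r["Host"])))
    return stmts


if __name__ == "__main__":
    for stmt in (audit_grant_priv(USER_ROWS, DB_ROWS, ADMIN_ACCOUNTS)
                 + audit_repl_slave_priv(USER_ROWS, SLAVE_ACCOUNTS)
                 + audit_db_grants(DB_ROWS, AUTHORIZED_DB_ACCESS)):
        print(stmt)
```

Against the sample rows the script reports app@app1.example.com and report@% for 5.7, report@% for 5.8, and the SELECT and DROP grants of report@% on shop for 5.9; review the generated statements before running them, since the allowlists decide what counts as a finding.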
6 Auditing and Logging
This section provides guidance with respect to MySQL's logging behavior.
6.1 Ensure 'log_error' Is Not Empty (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails.
Rationale:
Enabling error logging may increase the ability to detect malicious attempts against MySQL and to notice other critical messages; if the error log is not enabled, connection errors might go unnoticed.
Audit:
Execute the following SQL statement to audit this setting:
SHOW variables LIKE 'log_error';
Ensure the Value returned is not empty.
Remediation:
Perform the following actions to remediate this setting:
1. Open the MySQL configuration file (my.cnf or my.ini)
2. Set the log-error option to the path for the error log
References:
1. http://dev.mysql.com/doc/refman/5.6/en/error-log.html
6.2 Ensure Log Files Are Stored on a Non-System Partition (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root, /var, or /usr.
Rationale:
Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system.
Audit:
Execute the following SQL statement to assess this recommendation:
SELECT @@global.log_bin_basename;
Ensure the value returned does not indicate root ('/'), /var, or /usr.
Remediation:
Perform the following actions to remediate this setting:
1. Open the MySQL configuration file (my.cnf)
2. Locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr
References:
1. http://dev.mysql.com/doc/refman/5.6/en/binary-log.html
2. http://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
6.3 Ensure 'log_warnings' Is Set to '2' (Scored)
Profile Applicability:
• Level 2 - MySQL RDBMS
Description:
The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging.
NOTE: The variable scope for 5.6.3 and earlier is global and session, but for 5.6.4 and greater its scope is global.
Rationale:
This might help to detect malicious behavior by logging communication errors and aborted connections.
Audit:
Execute the following SQL statement to assess this recommendation:
SHOW GLOBAL VARIABLES LIKE 'log_warnings';
Ensure the Value returned equals 2.
Remediation:
Perform the following actions to remediate this setting:
• Open the MySQL configuration file (my.cnf)
• Ensure the following line is found in the mysqld section
log-warnings = 2
Default Value:
The option is enabled (1) by default.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
6.4 Ensure Audit Logging Is Enabled (Not Scored)
Profile Applicability:
• Level 2 - MySQL RDBMS
Description:
Audit logging is not really included in the Community Edition of MySQL - only the general log. Using the general log is possible, but not practical, because it grows quickly and has an adverse impact on server performance.
Nevertheless, enabling audit logging is an important consideration for a production environment, and third-party tools do exist to help with this. Enable audit logging for
• Interactive user sessions
• Application sessions (optional)
Rationale:
Audit logging helps to identify who changed what and when. The audit log might be used as evidence in investigations. It might also help to identify what an attacker was able to accomplish.
Audit:
Verify that a third-party tool is installed and configured to enable logging for interactive user sessions and (optionally) application sessions.
Remediation:
Acquire a third-party MySQL logging solution as available from a variety of sources including, but not necessarily limited to, the following:
• The General Query Log
• MySQL Enterprise Audit
• MariaDB Audit Plugin for MySQL
• McAfee MySQL Audit
References:
1. http://dev.mysql.com/doc/refman/5.6/en/query-log.html
2. http://dev.mysql.com/doc/refman/5.6/en/mysql-enterprise-audit.html
3. https://mariadb.com/kb/en/server_audit-mariadb-audit-plugin/
4. https://github.com/mcafee/mysql-audit
6.5 Ensure 'log-raw' Is Set to 'OFF' (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text. If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text.
Rationale:
With raw logging of passwords enabled someone with access to the log files might see plain text passwords.
Audit:
Perform the following actions to assess this recommendation:
• Open the MySQL configuration file (my.cnf)
• Ensure the log-raw entry is present
• Ensure the log-raw entry is set to OFF
Remediation:
Perform the following actions to remediate this setting:
• Open the MySQL configuration file (my.cnf)
• Find the log-raw entry and set it as follows
log-raw = OFF
Default Value:
OFF
References:
1. http://dev.mysql.com/doc/refman/5.6/en/password-logging.html
2. http://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
7 Authentication
This section contains configuration recommendations that pertain to the authentication mechanisms of MySQL.
7.1 Ensure 'old_passwords' Is Not Set to '1' or 'ON' (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
Description:
This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the value can be one of the following:
• 0 - authenticate with the mysql_native_password plugin
• 1 - authenticate with the mysql_old_password plugin
• 2 - authenticate with the sha256_password plugin
Rationale:
The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details.
Audit:
Execute the following SQL statement to assess this recommendation:
SHOW VARIABLES WHERE Variable_name = 'old_passwords';
Ensure the Value field is not set to 1 or ON.
Remediation:
Configure mysql to leverage the mysql_native_password or sha256_password plugin. For more information, see:
• http://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
• http://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
Impact:
When old_passwords is set to 1 the PASSWORD() function will create password hashes with a very weak hashing algorithm which might be easy to break if captured by an attacker.
Default Value:
0
References:
1. http://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords
2. CVE-2003-1480
7.2 Ensure 'secure_auth' is set to 'ON' (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
• Level 2 - MySQL RDBMS
Description:
This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format.
Rationale:
Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network).
Audit:
Execute the following SQL statement and ensure the Value field is not set to ON:
SHOW VARIABLES WHERE Variable_name = 'secure_auth';
Remediation:
Add the following line to the [mysqld] portions of the MySQL option file to establish the recommended state:
secure_auth=ON
Impact:
Accounts having credentials stored using the old password format will be unable to login. Execute the following command to identify accounts that will be impacted by implementing this setting:
SELECT User, Host FROM mysql.user WHERE plugin = 'mysql_old_password';
Default Value:
Before MySQL 5.6.5, this option is disabled by default. As of MySQL 5.6.5, it is enabled by default; to disable it, use --skip-secure-auth.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
7.3 Ensure Passwords Are Not Stored in the Global Configuration (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
• Level 2 - MySQL RDBMS on Linux
Description:
The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf).
Rationale:
The use of the password parameter may negatively impact the confidentiality of the user's password.
Audit:
To assess this recommendation, perform the following steps:
• Open the MySQL configuration file (e.g. my.cnf)
• Examine the [client] section of the MySQL configuration file and ensure password is not employed.
Remediation:
Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form.
If that is not possible, use the user-specific options file, .my.cnf, and restrict its file access permissions to the user identity.
Impact:
The global configuration is by default readable for all users on the system. This is needed for global defaults (prompt, port, socket, etc). If a password is present in this file then all users on the system may be able to access it.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
• Level 2 - MySQL RDBMS on Linux
• Level 1 - MySQL RDBMS
• Level 2 - MySQL RDBMS
Description:
NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided.
Rationale:
Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password.
Audit:
Execute the following SQL statements to assess this recommendation:
SELECT @@global.sql_mode;
SELECT @@session.sql_mode;
Ensure that each result contains NO_AUTO_CREATE_USER.
Remediation:
Perform the following actions to remediate this setting:
1. Open the MySQL configuration file (my.cnf)
2. Find the sql_mode setting in the [mysqld] area
3. Add NO_AUTO_CREATE_USER to the sql_mode setting
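Several of the preceding recommendations (6.3 log-warnings, 6.5 log-raw, 7.2 secure_auth, 7.3 the [client] password, and this one, 7.4 sql_mode) are checked by reading the option file rather than the running server. The following Python script is an added example and is not part of the CIS benchmark. It parses a my.cnf the way mysqld reads it (dash and underscore are interchangeable in option names, a bare option name means the boolean is enabled, comments are stripped) and reports which of those five controls fail. The two option files it audits are constructed samples; the parser is an assumption of a single file with no !include directives and no '#' characters inside values.

```python
"""Static audit of a MySQL option file for the settings CIS 6.3, 6.5, 7.2, 7.3
and 7.4 check in my.cnf. Both option files below are constructed samples."""
import re

WEAK_CNF = """\
# constructed sample my.cnf (not taken from any real server)
[client]
port = 3306
password = s3cret          # credential in the world-readable global file (7.3)

[mysqld]
datadir = /var/lib/mysql
log-error = /var/log/mysql/error.log
log-warnings = 1           # 6.3 wants 2
log-raw                    # a bare boolean option means enabled (6.5)
skip-secure-auth           # re-enables old-format passwords (7.2)
sql_mode = STRICT_ALL_TABLES,NO_ENGINE_SUBSTITUTION
"""

HARDENED_CNF = """\
[client]
port = 3306

[mysqld]
datadir = /var/lib/mysql
log-error = /var/log/mysql/error.log
log-warnings = 2
log-raw = OFF
secure_auth = ON
sql_mode = STRICT_ALL_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
"""


def parse_option_file(text):
    """Parse option-file text into {section: {option: value}}.
    mysqld accepts '-' and '_' interchangeably in option names, so names are
    normalised to '_'; an option with no '=' is a boolean and recorded as 'ON'.
    '#' and ';' comments are stripped; '!include' directives are not followed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";") or line.startswith("!"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue  # option before any section header: mysqld would reject it
        name, sep, value = line.partition("=")
        name = name.strip().lower().replace("-", "_")
        sections[current][name] = value.strip().strip("\"'") if sep else "ON"
    return sections


def is_enabled(value):
    """Interpret a MySQL boolean option value (1/ON/TRUE/YES are enabled)."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def audit_option_file(text):
    """Return a list of (control, message) findings; an empty list means all
    five option-file checks passed."""
    cfg = parse_option_file(text)
    mysqld = cfg.get("mysqld", {})
    client = cfg.get("client", {})
    findings = []
    if mysqld.get("log_warnings") != "2":
        findings.append(("6.3", "log_warnings is not set to 2"))
    if "log_raw" not in mysqld or is_enabled(mysqld["log_raw"]):
        findings.append(("6.5", "log-raw is absent or not OFF"))
    # secure_auth defaults to ON from 5.6.5, so only an explicit override fails.
    if "skip_secure_auth" in mysqld or not is_enabled(mysqld.get("secure_auth", "ON")):
        findings.append(("7.2", "secure_auth is disabled"))
    if "password" in client:
        findings.append(("7.3", "[client] section stores a password"))
    modes = {m.strip().upper() for m in mysqld.get("sql_mode", "").split(",")}
    if "NO_AUTO_CREATE_USER" not in modes:
        findings.append(("7.4", "sql_mode lacks NO_AUTO_CREATE_USER"))
    return findings


if __name__ == "__main__":
    for control, msg in audit_option_file(WEAK_CNF):
        print(control, msg)
    print("hardened file findings:", audit_option_file(HARDENED_CNF))
```

The weak sample fails all five checks and the hardened sample passes them all. Running this against the real file only tells you what the file says; the SHOW VARIABLES audits above remain the authoritative check for the values the server actually loaded.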
7.5 Ensure Passwords Are Set for All MySQL Accounts (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
• Level 2 - MySQL RDBMS
Description:
Blank passwords allow a user to login without using a password.
Rationale:
Without a password only knowing the username and the list of allowed hosts will allow someone to connect to the server and assume the identity of the user. This, in effect, bypasses authentication mechanisms.
Audit:
Execute the following SQL query to determine if any users have a blank password:
SELECT User, host FROM mysql.user WHERE (plugin IN ('mysql_native_password', 'mysql_old_password', '') AND (LENGTH(Password) = 0 OR Password IS NULL)) OR (plugin = 'sha256_password' AND LENGTH(authentication_string) = 0);
No rows will be returned if all accounts have a password set.
Remediation:
For each row returned from the audit procedure, set a password for the given user using the following statement (as an example):
SET PASSWORD FOR <user>@'<host>' = PASSWORD('<clear password>')
NOTE: Replace <user>, <host>, and <clear password> with appropriate values.
7.6 Ensure Password Policy Is in Place (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS on Linux
• Level 1 - MySQL RDBMS
Description:
Password complexity includes password characteristics such as length, case, and character sets.
Rationale:
Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed.
Audit:
Execute the following SQL statement to assess this recommendation:
SHOW VARIABLES LIKE 'validate_password%';
The result set from the above statement should show:
• validate_password_length should be 14 or more
• validate_password_mixed_case_count should be 1 or more
• validate_password_number_count should be 1 or more
• validate_password_special_char_count should be 1 or more
• validate_password_policy should be MEDIUM or STRONG
The following lines should be present in the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
Check if users have a password which is identical to the username:
SELECT User, Password, Host FROM mysql.user WHERE password = CONCAT('*', UPPER(SHA1(UNHEX(SHA1(user)))));
NOTE: This method is only capable of checking the post-4.1 password format which is also known as mysql_native_password.
Remediation:
Add to the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM
And change passwords for users which have passwords which are identical to their username.
Impact:
Remediation for this recommendation requires a server restart.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
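The username-as-password query in 7.6 works because the mysql_native_password hash can be recomputed from the plain text: it is a '*' followed by SHA1(SHA1(password)) in upper-case hex, which is what CONCAT('*', UPPER(SHA1(UNHEX(SHA1(user))))) evaluates. The following Python script is an added example and is not part of the CIS benchmark. It ports that hash and runs both the 7.5 blank-password audit and the 7.6 username-as-password audit over constructed mysql.user rows; the rows, user names and passwords are sample data, and the script checks the mysql_native_password format only, as the note in 7.6 states.

```python
"""Password checks from CIS 7.5 (blank passwords) and 7.6 (password equal to
the user name) over mysql.user rows, using a Python port of the hash the
benchmark's SQL computes. All rows below are constructed sample data."""
import hashlib


def mysql_native_password(plain):
    """mysql_native_password hash: '*' + SHA1(SHA1(plain)) as upper-case hex,
    the value PASSWORD() returns when old_passwords=0. For a quick check,
    PASSWORD('password') is *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19."""
    inner = hashlib.sha1(plain.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed sample of SELECT User, Host, plugin, Password, authentication_string
# FROM mysql.user; passwords here are invented for the example.
USER_ROWS = [
    {"User": "root", "Host": "localhost", "plugin": "mysql_native_password",
     "Password": mysql_native_password("Adm1n!Str0ng-Pass"), "authentication_string": ""},
    # password equal to the user name: the case the 7.6 query looks for
    {"User": "app", "Host": "10.0.0.5", "plugin": "mysql_native_password",
     "Password": mysql_native_password("app"), "authentication_string": ""},
    # blank password on a row with no plugin set (older-style row)
    {"User": "legacy", "Host": "%", "plugin": "",
     "Password": "", "authentication_string": ""},
    # blank sha256_password account: its credential lives in authentication_string
    {"User": "svc", "Host": "localhost", "plugin": "sha256_password",
     "Password": "", "authentication_string": ""},
    {"User": "etl", "Host": "localhost", "plugin": "mysql_native_password",
     "Password": mysql_native_password("Correct-Horse-Battery-9"), "authentication_string": ""},
]


def blank_password_accounts(rows):
    """CIS 7.5 audit, the benchmark's query expressed over rows: native, old and
    unset plugins keep the credential in Password; sha256_password keeps it in
    authentication_string."""
    found = []
    for r in rows:
        plugin = r.get("plugin") or ""
        if plugin in ("mysql_native_password", "mysql_old_password", ""):
            if not r.get("Password"):
                found.append((r["User"], r["Host"]))
        elif plugin == "sha256_password" and not r.get("authentication_string"):
            found.append((r["User"], r["Host"]))
    return found


def username_as_password_accounts(rows):
    """CIS 7.6 audit: accounts whose stored hash equals the hash of their own
    user name. Only the mysql_native_password format is detectable this way."""
    return [(r["User"], r["Host"]) for r in rows
            if r.get("Password") and r["Password"] == mysql_native_password(r["User"])]


if __name__ == "__main__":
    print("blank password:", blank_password_accounts(USER_ROWS))
    print("password equals user name:", username_as_password_accounts(USER_ROWS))
```

A useful extension of the same idea is to compare each stored hash against the hashes of a short list of known-bad values (the host name, the database name, the product name); each candidate hash is one call to mysql_native_password, so the check stays cheap.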
7.7 Ensure No Users Have Wildcard Hostnames (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
• Level 2 - MySQL RDBMS
Description:
MySQL can make use of host wildcards when granting permissions to users on specific databases. For example, you may grant a given privilege to '<user>'@'%'.
Rationale:
Avoiding the use of wildcards within hostnames helps control the specific locations from which a given user may connect to and interact with the database.
Audit:
Execute the following SQL statement to assess this recommendation:
SELECT user, host FROM mysql.user WHERE host = '%';
Ensure no rows are returned.
Remediation:
Perform the following actions to remediate this setting:
1. Enumerate all users returned after running the audit procedure
2. Either ALTER the user's host to be specific or DROP the user
7.8 Ensure No Anonymous Accounts Exist (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
• Level 2 - MySQL RDBMS
Description:
Anonymous accounts are users with empty usernames (''). Anonymous accounts have no passwords, so anyone can use them to connect to the MySQL server.
Rationale:
Removing anonymous accounts will help ensure that only identified and trusted principals are capable of interacting with MySQL.
Audit:
Execute the following SQL query to identify anonymous accounts:
SELECT user, host FROM mysql.user WHERE user = '';
The above query will return zero rows if no anonymous accounts are present.
Remediation:
Perform the following actions to remediate this setting:
1. Enumerate the anonymous users returned from executing the audit procedure
2. For each anonymous user, DROP or assign them a name
NOTE: As an alternative, you may execute the mysql_secure_installation utility.
Impact:
Any applications relying on anonymous database access will be adversely affected by this change.
Default Value:
Using the standard installation script, mysql_install_db, it will create two anonymous accounts: one for the host 'localhost' and the other for the network interface's IP address.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/mysql-secure-installation.html
2. https://dev.mysql.com/doc/refman/5.6/en/default-privileges.html
8 Network
This section contains recommendations related to how the MySQL server uses the network.
8.1 Ensure 'have_ssl' Is Set to 'YES' (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
All network traffic must use SSL/TLS when traveling over untrusted networks.
Rationale:
The SSL/TLS-protected MySQL protocol helps to prevent eavesdropping and man-in-the-middle attacks.
Audit:
Execute the following SQL statement to assess this recommendation:
SHOW variables WHERE variable_name = 'have_ssl';
Ensure the Value returned is YES.
NOTE: have_openssl is an alias for have_ssl as of MySQL 5.0.38. MySQL can be built with OpenSSL or YaSSL.
Remediation:
Follow the procedures as documented in the MySQL 5.6 Reference Manual to set up SSL.
Impact:
Enabling SSL will allow clients to encrypt network traffic and verify the identity of the server. This could have impact on network traffic inspection.
Default Value:
DISABLED
References:
1. http://dev.mysql.com/doc/refman/5.6/en/ssl-connections.html
2. http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html
8.2 Ensure 'ssl_type' Is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
All network traffic must use SSL/TLS when traveling over untrusted networks.
SSL/TLS should be enforced on a per-user basis for users which enter the system through the network.
Rationale:
The SSL/TLS-protected MySQL protocol helps to prevent eavesdropping and man-in-the-middle attacks.
Audit:
Execute the following SQL statement to assess this recommendation:
SELECT user, host, ssl_type FROM mysql.user WHERE NOT HOST IN ('::1', '127.0.0.1', 'localhost');
Ensure the ssl_type for each user returned is equal to ANY, X509, or SPECIFIED.
NOTE: have_openssl is an alias for have_ssl as of MySQL 5.0.38. MySQL can be built with OpenSSL or YaSSL.
Remediation:
Use the GRANT statement to require the use of SSL:
GRANT USAGE ON *.* TO 'my_user'@'app1.example.com' REQUIRE SSL;
Note that REQUIRE SSL only enforces SSL. There are options like REQUIRE X509, REQUIRE ISSUER, REQUIRE SUBJECT which can be used to further restrict connection options.
Impact:
When SSL/TLS is enforced then clients which do not use SSL will not be able to connect. If the server is not configured for SSL/TLS then accounts for which SSL/TLS is mandatory will not be able to connect.
Default Value:
Not enforced (ssl_type is empty)
References:
1. http://dev.mysql.com/doc/refman/5.6/en/ssl-connections.html
2. http://dev.mysql.com/doc/refman/5.6/en/grant.html
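The audits in 7.7, 7.8 and 8.2 all select from mysql.user on the user, host and ssl_type columns. The following Python script is an added example and is not part of the CIS benchmark. It runs the three checks over constructed sample rows and, for 8.2, produces the GRANT ... REQUIRE SSL statement from the remediation above for each remote account that does not enforce TLS. The wildcard check deliberately goes beyond the page's exact host = '%' test: MySQL also treats '%' and '_' inside a host value as wildcards, so any host containing either is reported. The local-host list and the accepted ssl_type values are taken from the audit query and text in 8.2.

```python
"""Account-exposure audit for CIS 7.7 (wildcard hosts), 7.8 (anonymous
accounts) and 8.2 (remote accounts without TLS enforcement) over mysql.user
rows. The rows below are constructed sample data, not from a real server."""

# Hosts the 8.2 audit query treats as local and exempt from the TLS requirement.
LOCAL_HOSTS = ("::1", "127.0.0.1", "localhost")
# ssl_type values the 8.2 audit accepts for remote accounts.
TLS_ENFORCED = ("ANY", "X509", "SPECIFIED")

# Constructed sample of SELECT user, host, ssl_type FROM mysql.user.
USER_ROWS = [
    {"user": "root",   "host": "localhost",        "ssl_type": ""},
    {"user": "app",    "host": "app1.example.com", "ssl_type": "SPECIFIED"},
    {"user": "report", "host": "%",                "ssl_type": ""},
    {"user": "",       "host": "localhost",        "ssl_type": ""},
    {"user": "etl",    "host": "10.0.0.%",         "ssl_type": ""},
    {"user": "batch",  "host": "192.168.1.20",     "ssl_type": "ANY"},
]


def quote_account(user, host):
    """Render 'user'@'host' for GRANT, doubling embedded single quotes."""
    return "'{}'@'{}'".format(user.replace("'", "''"), host.replace("'", "''"))


def anonymous_accounts(rows):
    """CIS 7.8: rows whose user name is the empty string."""
    return [(r["user"], r["host"]) for r in rows if r["user"] == ""]


def wildcard_host_accounts(rows):
    """CIS 7.7, generalised: any host value containing a MySQL wildcard.
    '%' matches any sequence and '_' any single character in host values,
    so '10.0.0.%' is reported alongside the bare '%' the page checks for."""
    return [(r["user"], r["host"]) for r in rows
            if "%" in r["host"] or "_" in r["host"]]


def remote_accounts_without_tls(rows):
    """CIS 8.2: remote accounts whose ssl_type does not require TLS. Returns
    the GRANT ... REQUIRE SSL statement from the remediation for each one."""
    return ["GRANT USAGE ON *.* TO {} REQUIRE SSL;".format(quote_account(r["user"], r["host"]))
            for r in rows
            if r["host"] not in LOCAL_HOSTS
            and (r.get("ssl_type") or "").upper() not in TLS_ENFORCED]


if __name__ == "__main__":
    print("anonymous:", anonymous_accounts(USER_ROWS))
    print("wildcard hosts:", wildcard_host_accounts(USER_ROWS))
    for stmt in remote_accounts_without_tls(USER_ROWS):
        print(stmt)
```

Note that REQUIRE SSL on an account is only useful once 8.1 is satisfied on the server; applying the generated statements to a server whose have_ssl is DISABLED locks those accounts out, which is the impact the text above describes.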
9 Replication
Everything related to replicating data from one server to another.
9.1 Ensure Replication Traffic Is Secured (Not Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The replication traffic between servers should be secured.
Rationale:
The replication traffic should be secured as it gives access to all transferred information and might leak passwords.
Audit:
Check if the replication traffic is using
• A private network
• A VPN
• SSL/TLS
• An SSH tunnel
Remediation:
Secure the network traffic.
Impact:
When the replication traffic is not secured someone might be able to capture passwords and other sensitive information when sent to the slave.
9.2 Ensure 'master_info_repository' Is Set to 'TABLE' (Scored)
Profile Applicability:
• Level 2 - MySQL RDBMS
Description:
The master_info_repository setting determines to where a slave logs master status and connection information. The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well.
Rationale:
The password which the client uses is stored in the master info repository, which by default is a plain text file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using.
Audit:
Execute the following SQL statement to assess this recommendation:
SHOW GLOBAL VARIABLES LIKE 'master_info_repository';
The result should be TABLE instead of FILE.
NOTE: There also should not be a master.info file in the datadir.
Remediation:
Perform the following actions to remediate this setting:
1. Open the MySQL configuration file (my.cnf)
2. Locate master_info_repository
3. Set the master_info_repository value to TABLE
NOTE: If master_info_repository does not exist, add it to the configuration file.
Default Value:
FILE
References:
1. http://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
9.3 Ensure 'MASTER_SSL_VERIFY_SERVER_CERT' Is Set to 'YES' or '1' (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
In the MySQL slave context the setting MASTER_SSL_VERIFY_SERVER_CERT indicates whether the slave should verify the master's certificate. This configuration item may be set to Yes or No, and unless SSL has been enabled on the slave, the value will be ignored.
Rationale:
When SSL is in use certificate verification is important to authenticate the party to which a connection is being made. In this case, the slave (client) should verify the master's (server's) certificate to authenticate the master prior to continuing the connection.
Audit:
To assess this recommendation, issue the following statement:
select ssl_verify_server_cert from mysql.slave_master_info;
Verify the value of ssl_verify_server_cert is 1.
Remediation:
To remediate this setting you must use the CHANGE MASTER TO command.
STOP SLAVE; -- required if replication was already running
CHANGE MASTER TO MASTER_SSL_VERIFY_SERVER_CERT=1;
START SLAVE; -- required if you want to restart replication
Impact:
When using CHANGE MASTER TO, be aware of the following:
• Slave processes need to be stopped prior to executing CHANGE MASTER TO
• Use of CHANGE MASTER TO starts new relay logs without keeping the old ones unless explicitly told to keep them
• When CHANGE MASTER TO is invoked, some information is dumped to the error log (previous values for MASTER_HOST, MASTER_PORT, MASTER_LOG_FILE, and MASTER_LOG_POS)
• Invoking CHANGE MASTER TO will implicitly commit any ongoing transactions
References:
1. https://dev.mysql.com/doc/refman/5.6/en/change-master-to.html
9.4 Ensure 'super_priv' Is Not Set to 'Y' for Replication Users (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
The SUPER privilege found in the mysql.user table governs the use of a variety of MySQL features. These features include CHANGE MASTER TO, KILL, the mysqladmin kill option, PURGE BINARY LOGS, SET GLOBAL, the mysqladmin debug option, logging control, and more.
Rationale:
The SUPER privilege allows principals to perform many actions, including viewing and terminating currently executing MySQL statements (including statements used to manage passwords). This privilege also provides the ability to configure MySQL, such as enabling/disabling logging, altering data, and disabling/enabling features. Limiting the accounts that have the SUPER privilege reduces the chances that an attacker can exploit these capabilities.
Audit:
Execute the following SQL statement to audit this setting:
select user, host from mysql.user where user='repl' and Super_priv = 'Y';
No rows should be returned.
NOTE: Substitute your replication user's name for repl in the above query.
The 'repl' user can be found in SHOW SLAVE STATUS by looking for: Master_User:
Remediation:
Execute the following steps to remediate this setting:
1. Enumerate the replication users found in the result set of the audit procedure
2. For each replication user, issue the following SQL statement (replace "repl" with your replication user's name):
REVOKE SUPER ON *.* FROM 'repl';
Impact:
When the SUPER privilege is denied to a given user, that user will be unable to take advantage of certain capabilities, such as certain mysqladmin options.
References:
1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_super
2. https://dev.mysql.com/doc/refman/5.6/en/show-slave-status.html
9.5 Ensure No Replication Users Have Wildcard Hostnames (Scored)
Profile Applicability:
• Level 1 - MySQL RDBMS
Description:
MySQL can make use of host wildcards when granting permissions to users on specific databases. For example, you may grant a given privilege to '<user>'@'%'.
Rationale:
Avoiding the use of wildcards within hostnames helps control the specific locations from which a given user may connect to and interact with the database.
Audit:
Execute the following SQL statement to assess this recommendation:
SELECT user, host FROM mysql.user WHERE user='repl' AND host = '%';
Ensure no rows are returned.
Remediation:
Perform the following actions to remediate this setting:
1. Enumerate all users returned after running the audit procedure
2. Either ALTER the user's host to be specific or DROP the user
Appendix: Summary Table
Control | Set Correctly: Yes | No
1 Operating System Level Configuration | |
1.1 Place Databases on Non-System Partitions (Scored) | o | o
1.2 Use Dedicated Least Privileged Account for MySQL Daemon/Service (Scored) | o | o
1.3 Disable MySQL Command History (Scored) | o | o
1.4 Verify That the MYSQL_PWD Environment Variables Is Not In Use (Scored) | o | o
1.5 Disable Interactive Login (Scored) | o | o
1.6 Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles (Scored) | o | o
2 Installation and Planning | |
2.1 Backup and Disaster Recovery | |
2.1.1 Backup policy in place (Not Scored) | o | o
2.1.2 Verify backups are good (Not Scored) | o | o
2.1.3 Secure backup credentials (Not Scored) | o | o
2.1.4 The backups should be properly secured (Not Scored) | o | o
2.1.5 Point in time recovery (Not Scored) | o | o
2.1.6 Disaster recovery plan (Not Scored) | o | o
2.1.7 Backup of configuration and related files (Not Scored) | o | o
2.2 Dedicate Machine Running MySQL (Not Scored) | o | o
2.3 Do Not Specify Passwords in Command Line (Not Scored) | o | o
2.4 Do Not Reuse Usernames (Not Scored) | o | o
2.5 Do Not Use Default or Non-MySQL-specific Cryptographic Keys (Not Scored) | o | o
3 File System Permissions | |
3.1 Ensure 'datadir' Has Appropriate Permissions (Scored) | o | o
3.2 Ensure 'log_bin_basename' Files Have Appropriate Permissions (Scored) | o | o
3.3 Ensure 'log_error' Has Appropriate Permissions (Scored) | o | o
3.4 Ensure 'slow_query_log' Has Appropriate Permissions (Scored) | o | o
3.5 Ensure 'relay_log_basename' Files Have Appropriate Permissions (Scored) | o | o
3.6 Ensure 'general_log_file' Has Appropriate Permissions (Scored) | o | o
3.7 Ensure SSL Key Files Have Appropriate Permissions (Scored) | o | o
3.8 Ensure Plugin Directory Has Appropriate Permissions (Scored) | o | o
4 General | |
4.1 Ensure Latest Security Patches Are Applied (Not Scored) | o | o
4.2 Ensure the 'test' Database Is Not Installed (Scored) | o | o
4.3 Ensure 'allow-suspicious-udfs' Is Set to 'FALSE' (Scored) | o | o
4.4 Ensure 'local_infile' Is Disabled (Scored) | o | o
4.5 Ensure 'mysqld' Is Not Started with '--skip-grant-tables' (Scored) | o | o
4.6 Ensure '--skip-symbolic-links' Is Enabled (Scored) | o | o
4.7 Ensure the 'daemon_memcached' Plugin Is Disabled (Scored) | o | o
4.8 Ensure 'secure_file_priv' Is Not Empty (Scored) | o | o
4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES' (Scored) | o | o
5 MySQL Permissions | |
5.1 Ensure Only Administrative Users Have Full Database Access (Scored) | o | o
5.2 Ensure 'file_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored) | o | o
5.3 Ensure 'process_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored) | o | o
5.4 Ensure 'super_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored) | o | o
5.5 Ensure 'shutdown_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored) | o | o
5.6 Ensure 'create_user_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored) | o | o
5.7 Ensure 'grant_priv' Is Not Set to 'Y' for Non-Administrative Users (Scored) | o | o
5.8 Ensure 'repl_slave_priv' Is Not Set to 'Y' for Non-Slave Users (Scored) | o | o
5.9 Ensure DML/DDL Grants Are Limited to Specific Databases and Users (Scored) | o | o
6 Auditing and Logging | |
6.1 Ensure 'log_error' Is Not Empty (Scored) | o | o
6.2 Ensure Log Files Are Stored on a Non-System Partition (Scored) | o | o
6.3 Ensure 'log_warnings' Is Set to '2' (Scored) | o | o
6.4 Ensure Audit Logging Is Enabled (Not Scored) | o | o
6.5 Ensure 'log-raw' Is Set to 'OFF' (Scored) | o | o
7 Authentication | |
7.1 Ensure 'old_passwords' Is Not Set to '1' or 'ON' (Scored) | o | o
7.2 Ensure 'secure_auth' is set to 'ON' (Scored) | o | o
7.3 Ensure Passwords Are Not Stored in the Global Configuration (Scored) | o | o
7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' (Scored) | o | o
7.5 Ensure Passwords Are Set for All MySQL Accounts (Scored) | o | o
7.6 Ensure Password Policy Is in Place (Scored) | o | o
7.7 Ensure No Users Have Wildcard Hostnames (Scored) | o | o
7.8 Ensure No Anonymous Accounts Exist (Scored) | o | o
8 Network | |
8.1 Ensure 'have_ssl' Is Set to 'YES' (Scored) | o | o
8.2 Ensure 'ssl_type' Is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users (Scored) | o | o
9 Replication | |
9.1 Ensure Replication Traffic Is Secured (Not Scored) | o | o
9.2 Ensure 'master_info_repository' Is Set to 'TABLE' (Scored) | o | o
9.3 Ensure 'MASTER_SSL_VERIFY_SERVER_CERT' Is Set to 'YES' or '1' (Scored) | o | o
9.4 Ensure 'super_priv' Is Not Set to 'Y' for Replication Users (Scored) | o | o
9.5 Ensure No Replication Users Have Wildcard Hostnames (Scored) | o | o
Appendix: Change History
Date | Version | Changes for this version
01-28-2015 | 1.0.0 | Initial Public Release
07-07-2016 | 1.1.0 | Ticket #240: Incorporated "root" into the artifact
07-07-2016 | 1.1.0 | Ticket #241: Resolved incomplete remediation procedure
07-07-2016 | 1.1.0 | Ticket #243: Revised audit to include more plugin configuration options
07-07-2016 | 1.1.0 | Ticket #275: Clarified the meaning of "full privileges"
07-18-2016 | 1.1.0 | Ticket #247: Added note clarifying 'repl' in query is to be substituted
07-21-2016 | 1.1.0 | Ticket #242: Added improved audit procedure
07-21-2016 | 1.1.0 | Ticket #245: Revised the order of "Ensure 'master_info_repository' Is Set to 'TABLE'" and "Ensure 'MASTER_SSL_VERIFY_SERVER_CERT' Is Set to 'YES' or '1'"