CIS Oracle MySQL Community Server 5.6 Benchmark v1.1.0 · This document, CIS Oracle MySQL Community...

CISOracleMySQLCommunityServer5.6Benchmarkv1.1.0-08-15-2016

1|P a g e

TheCISSecurityBenchmarksdivisionprovidesconsensus-orientedinformationsecurityproducts,services,tools,metrics,suggestions,andrecommendations(the“SBProducts”)asapublicservicetoInternetusersworldwide.DownloadingorusingSBProductsinanywaysignifiesandconfirmsyouracceptanceofandyourbindingagreementtotheseCISSecurityBenchmarksTermsofUse.

CISSECURITYBENCHMARKSTERMSOFUSE

BOTHCISSECURITYBENCHMARKSDIVISIONMEMBERSANDNON-MEMBERSMAY:• Download,install,anduseeachoftheSBProductsonasinglecomputer,and/or• PrintoneormorecopiesofanySBProductthatisina.txt,.pdf,.doc,.mcw,or.rtfformat,butonlyifeachsuchcopyisprintedin

itsentiretyandiskeptintact,includingwithoutlimitationthetextoftheseCISSecurityBenchmarksTermsofUse.

UNDERTHEFOLLOWINGTERMSANDCONDITIONS:• SBProductsProvidedAsIs.CISisprovidingtheSBProducts“asis”and“asavailable”without:(1)anyrepresentations,

warranties,orcovenantsofanykindwhatsoever(includingtheabsenceofanywarrantyregarding:(a)theeffectorlackofeffectofanySBProductontheoperationorthesecurityofanynetwork,system,software,hardware,oranycomponentofanyofthem,and(b)theaccuracy,utility,reliability,timeliness,orcompletenessofanySBProduct);or(2)theresponsibilitytomakeornotifyyouofanycorrections,updates,upgrades,orfixes.

• IntellectualPropertyandRightsReserved.YouarenotacquiringanytitleorownershiprightsinortoanySBProduct,andfulltitleandallownershiprightstotheSBProductsremaintheexclusivepropertyofCIS.AllrightstotheSBProductsnotexpresslygrantedintheseTermsofUseareherebyreserved.

• Restrictions.Youacknowledgeandagreethatyoumaynot:(1)decompile,dis-assemble,alter,reverseengineer,orotherwiseattempttoderivethesourcecodeforanysoftwareSBProductthatisnotalreadyintheformofsourcecode;(2)distribute,redistribute,sell,rent,lease,sublicenseorotherwisetransferorexploitanyrightstoanySBProductinanywayorforanypurpose;(3)postanySBProductonanywebsite,bulletinboard,ftpserver,newsgroup,orothersimilarmechanismordevice;(4)removefromoraltertheseCISSecurityBenchmarksTermsofUseonanySBProduct;(5)removeoralteranyproprietarynoticesonanySBProduct;(6)useanySBProductoranycomponentofanSBProductwithanyderivativeworksbaseddirectlyonanSBProductoranycomponentofanSBProduct;(7)useanySBProductoranycomponentofanSBProductwithotherproductsorapplicationsthataredirectlyandspecificallydependentonsuchSBProductoranycomponentforanypartoftheirfunctionality;(8)representorclaimaparticularlevelofcomplianceorconsistencywithanySBProduct;or(9)facilitateorotherwiseaidotherindividualsorentitiesinviolatingtheseCISSecurityBenchmarksTermsofUse.

• YourResponsibilitytoEvaluateRisks.Youacknowledgeandagreethat:(1)nonetwork,system,device,hardware,software,orcomponentcanbemadefullysecure;(2)youhavethesoleresponsibilitytoevaluatetherisksandbenefitsoftheSBProductstoyourparticularcircumstancesandrequirements;and(3)CISisnotassuminganyoftheliabilitiesassociatedwithyouruseofanyoralloftheSBProducts.

• CISLiability.YouacknowledgeandagreethatneitherCISnoranyofitsemployees,officers,directors,agentsorotherserviceprovidershasorwillhaveanyliabilitytoyouwhatsoever(whetherbasedincontract,tort,strictliabilityorotherwise)foranydirect,indirect,incidental,consequential,orspecialdamagesthatariseoutoforareconnectedinanywaywithyouruseofanySBProduct.

• Indemnification.Youagreetoindemnify,defend,andholdCISandallofCIS'semployees,officers,directors,agentsandotherserviceprovidersharmlessfromandagainstanyliabilities,costsandexpensesincurredbyanyoftheminconnectionwithyourviolationoftheseCISSecurityBenchmarksTermsofUse.

• Jurisdiction.Youacknowledgeandagreethat:(1)theseCISSecurityBenchmarksTermsofUsewillbegovernedbyandconstruedinaccordancewiththelawsoftheStateofMaryland;(2)anyactionatlaworinequityarisingoutoforrelatingtotheseCISSecurityBenchmarksTermsofUseshallbefiledonlyinthecourtslocatedintheStateofMaryland;and(3)youherebyconsentandsubmittothepersonaljurisdictionofsuchcourtsforthepurposesoflitigatinganysuchaction.

• U.S.ExportControlandSanctionslaws.RegardingyouruseoftheSBProductswithanynon-U.S.entityorcountry,youacknowledgethatitisyourresponsibilitytounderstandandabidebyallU.S.sanctionsandexportcontrollawsassetfromtimetotimebytheU.S.BureauofIndustryandSecurity(BIS)andtheU.S.OfficeofForeignAssetsControl(OFAC).

SPECIALRULESFORCISMEMBERORGANIZATIONS:CISreservestherighttocreatespecialrulesfor:(1)CISMembers;and(2)Non-MemberorganizationsandindividualswithwhichCIShasawrittencontractualrelationship.CISherebygrantstoeachCISMemberOrganizationingoodstandingtherighttodistributetheSBProductswithinsuchMember'sownorganization,whetherbymanualorelectronicmeans.EachsuchMemberOrganizationacknowledgesandagreesthattheforegoinggrantsinthisparagrapharesubjecttothetermsofsuchMember'smembershiparrangementwithCISandmay,therefore,bemodifiedorterminatedbyCISatanytime.

2|P a g e

TableofContents

Overview......................................................................................................................................................................5

IntendedAudience..............................................................................................................................................5

ConsensusGuidance...........................................................................................................................................5

TypographicalConventions............................................................................................................................6

ScoringInformation............................................................................................................................................6

ProfileDefinitions................................................................................................................................................7

Acknowledgements.............................................................................................................................................9

Recommendations.................................................................................................................................................10

1OperatingSystemLevelConfiguration................................................................................................10

1.1PlaceDatabasesonNon-SystemPartitions(Scored).......................................................10

1.2UseDedicatedLeastPrivilegedAccountforMySQLDaemon/Service(Scored).12

1.3DisableMySQLCommandHistory(Scored)........................................................................13

1.4VerifyThattheMYSQL_PWDEnvironmentVariablesIsNotInUse(Scored)......14

1.5DisableInteractiveLogin(Scored)..........................................................................................15

1.6VerifyThat'MYSQL_PWD'IsNotSetInUsers'Profiles(Scored)...............................16

2InstallationandPlanning...........................................................................................................................17

2.1BackupandDisasterRecovery.......................................................................................................18

2.1.1Backuppolicyinplace(NotScored)....................................................................................18

2.1.2Verifybackupsaregood(NotScored)................................................................................19

2.1.3Securebackupcredentials(NotScored)............................................................................20

2.1.4Thebackupsshouldbeproperlysecured(NotScored)..............................................21

2.1.5Pointintimerecovery(NotScored)....................................................................................22

2.1.6Disasterrecoveryplan(NotScored)...................................................................................23

2.1.7Backupofconfigurationandrelatedfiles(NotScored)..............................................24

2.2DedicateMachineRunningMySQL(NotScored)..............................................................25

2.3DoNotSpecifyPasswordsinCommandLine(NotScored)..........................................26

2.4DoNotReuseUsernames(NotScored).................................................................................27

3|P a g e

2.5DoNotUseDefaultorNon-MySQL-specificCryptographicKeys(NotScored)...28

3FileSystemPermissions............................................................................................................................29

3.1Ensure'datadir'HasAppropriatePermissions(Scored)...............................................29

3.2Ensure'log_bin_basename'FilesHaveAppropriatePermissions(Scored)...........30

3.3Ensure'log_error'HasAppropriatePermissions(Scored)...........................................32

3.4Ensure'slow_query_log'HasAppropriatePermissions(Scored)..............................33

3.5Ensure'relay_log_basename'FilesHaveAppropriatePermissions(Scored).......35

3.6Ensure'general_log_file'HasAppropriatePermissions(Scored)..............................37

3.7EnsureSSLKeyFilesHaveAppropriatePermissions(Scored)..................................38

3.8EnsurePluginDirectoryHasAppropriatePermissions(Scored)..............................40

4General...............................................................................................................................................................42

4.1EnsureLatestSecurityPatchesAreApplied(NotScored)............................................42

4.2Ensurethe'test'DatabaseIsNotInstalled(Scored)........................................................44

4.3Ensure'allow-suspicious-udfs'IsSetto'FALSE'(Scored)............................................45

4.4Ensure'local_infile'IsDisabled(Scored)..............................................................................46

4.5Ensure'mysqld'IsNotStartedwith'--skip-grant-tables'(Scored)..........................47

4.6Ensure'--skip-symbolic-links'IsEnabled(Scored)..........................................................48

4.7Ensurethe'daemon_memcached'PluginIsDisabled(Scored)...................................49

4.8Ensure'secure_file_priv'IsNotEmpty(Scored)................................................................50

4.9Ensure'sql_mode'Contains'STRICT_ALL_TABLES'(Scored)......................................51

5MySQLPermissions......................................................................................................................................52

5.1EnsureOnlyAdministrativeUsersHaveFullDatabaseAccess(Scored)................52

5.2Ensure'file_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored)............54

5.3Ensure'process_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored)...55

5.4Ensure'super_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored).......56

5.5Ensure'shutdown_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored).........................................................................................................................................................................58

5.6Ensure'create_user_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored).........................................................................................................................................................................59

5.7Ensure'grant_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored)........60

5.8Ensure'repl_slave_priv'IsNotSetto'Y'forNon-SlaveUsers(Scored)..................61

4|P a g e

5.9EnsureDML/DDLGrantsAreLimitedtoSpecificDatabasesandUsers(Scored).........................................................................................................................................................................62

6AuditingandLogging..................................................................................................................................64

6.1Ensure'log_error'IsNotEmpty(Scored).............................................................................64

6.2EnsureLogFilesAreStoredonaNon-SystemPartition(Scored).............................65

6.3Ensure'log_warnings'IsSetto'2'(Scored).........................................................................66

6.4EnsureAuditLoggingIsEnabled(NotScored)..................................................................67

6.5Ensure'log-raw'IsSetto'OFF'(Scored)...............................................................................68

7Authentication................................................................................................................................................69

7.1Ensure'old_passwords'IsNotSetto'1'or'ON'(Scored).............................................69

7.2Ensure'secure_auth'issetto'ON'(Scored)........................................................................71

7.3EnsurePasswordsAreNotStoredintheGlobalConfiguration(Scored)...............73

7.4Ensure'sql_mode'Contains'NO_AUTO_CREATE_USER'(Scored).............................74

7.5EnsurePasswordsAreSetforAllMySQLAccounts(Scored)......................................75

7.6EnsurePasswordPolicyIsinPlace(Scored)......................................................................76

7.7EnsureNoUsersHaveWildcardHostnames(Scored)....................................................78

7.8EnsureNoAnonymousAccountsExist(Scored)...............................................................79

8Network.............................................................................................................................................................81

8.1Ensure'have_ssl'IsSetto'YES'(Scored)..............................................................................81

8.2Ensure'ssl_type'IsSetto'ANY','X509',or'SPECIFIED'forAllRemoteUsers(Scored).......................................................................................................................................................82

9Replication.......................................................................................................................................................84

9.1EnsureReplicationTrafficIsSecured(NotScored).........................................................84

9.2Ensure'master_info_repository'IsSetto'TABLE'(Scored).........................................85

9.3Ensure'MASTER_SSL_VERIFY_SERVER_CERT'IsSetto'YES'or'1'(Scored)......86

9.4Ensure'super_priv'IsNotSetto'Y'forReplicationUsers(Scored).........................88

9.5EnsureNoReplicationUsersHaveWildcardHostnames(Scored)...........................90

Appendix:SummaryTable................................................................................................................................91

Appendix:ChangeHistory.................................................................................................................................94

5|P a g e

OverviewThisdocument,CISOracleMySQLCommunityServer5.6Benchmark,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforMySQLCommunityServer5.6.ThisguidewastestedagainstMySQLCommunityServer5.6runningonUbuntuLinux14.04,butappliestootherlinuxdistributionsaswell.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].

IntendedAudience

Thisdocumentisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateOracleMySQLCommunityServer5.6.

ConsensusGuidance

Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.

EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://community.cisecurity.org.

6|P a g e

TypographicalConventions

Thefollowingtypographicalconventionsareusedthroughoutthisguide:

Convention Meaning

Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.

Monospacefont Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.

<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.

Italicfont Usedtodenotethetitleofabook,article,orotherpublication.

Note Additionalinformationorcaveats

ScoringInformation

Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:

Scored

Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.

NotScored

Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.

7|P a g e

ProfileDefinitions

ThefollowingconfigurationprofilesaredefinedbythisBenchmark:

• Level1-MySQLRDBMSonLinux

ItemsinthisprofileapplytoMySQLCommunityServer5.6runningonLinuxandintendto:

o bepracticalandprudent;o provideaclearsecuritybenefit;ando notinhibittheutilityofthetechnologybeyondacceptablemeans.

• Level2-MySQLRDBMSonLinux

Thisprofileextendsthe"Level1-MySQLRDBMSonLinux"profile.ItemsinthisprofileapplytoMySQLCommunityServer5.6runningonLinuxandexhibitoneormoreofthefollowingcharacteristics:

o areintendedforenvironmentsorusecaseswheresecurityisparamounto actsasdefenseindepthmeasureo maynegativelyinhibittheutilityorperformanceofthetechnology.

• Level1-MySQLRDBMS

ItemsinthisprofileapplytoMySQLCommunityServer5.6andintendto:

o bepracticalandprudent;o provideaclearsecuritybenefit;ando notinhibittheutilityofthetechnologybeyondacceptablemeans.

Note:theintentofthisprofileistoincludechecksthatcanbeassessedbyremotelyconnectingtoaMySQLRDBMS.Therefore,filesystem-relatedchecksarenotcontainedinthisprofile.

• Level2-MySQLRDBMS

Thisprofileextendsthe"Level1-MySQLRDBMS"profileandexhibitoneormoreofthefollowingcharacteristics:

o areintendedforenvironmentsorusecaseswheresecurityisparamounto actsasdefenseindepthmeasureo maynegativelyinhibittheutilityorperformanceofthetechnology.

8|P a g e

Note:theintentofthisprofileistoincludechecksthatcanbeassessedbyremotelyconnectingtoaMySQLRDBMS.Therefore,filesystem-relatedchecksarenotcontainedinthisprofile.

9|P a g e

Acknowledgements

Thisbenchmarkexemplifiesthegreatthingsacommunityofusers,vendors,andsubjectmatterexpertscanaccomplishthroughconsensuscollaboration.TheCIScommunitythankstheentireconsensusteamwithspecialrecognitiontothefollowingindividualswhocontributedgreatlytothecreationofthisguide:

Editor(s)BinodBista DaniëlvanEeden

Contributor(s)AdamMontville,CenterforInternetSecurityTimothyHarrison,CenterforInternetSecuritySherylCoppenger,U.S.GovernmentAccountabilityOfficeKarenScarfoneRobertWarrenThomasNeilQuiogueDanWhite,CISCommunity

10|P a g e

Recommendations1OperatingSystemLevelConfiguration

ThissectioncontainsrecommendationsrelatedtotheOperatingSystemonwhichtheMySQLdatabaseserverisrunning.

1.1PlaceDatabasesonNon-SystemPartitions(Scored)

ProfileApplicability:

•Level1-MySQLRDBMSonLinux

Description:

Itisgenerallyacceptedthathostoperatingsystemsshouldincludedifferentfilesystempartitionsfordifferentpurposes.Onesetoffilesystemsaretypicallycalled"systempartitions",andaregenerallyreservedforhostsystem/applicationoperation.Theothersetoffilesystemsaretypicallycalled"non-systempartitions",andsuchlocationsaregenerallyreservedforstoringdata.

Rationale:

Movingthedatabaseoffthesystempartitionwillreducetheprobabilityofdenialofserviceviatheexhaustionofavailablediskspacetotheoperatingsystem.

Audit:

Executethefollowingstepstoassessthisrecommendation:

• DiscoverthedatadirbyexecutingthefollowingSQLstatement

show variables where variable_name = 'datadir';

• UsingthereturneddatadirValuefromtheabovequery,executethefollowinginasystemterminal

df -h <datadir Value>

Theoutputreturnedfromthedfcommandaboveshouldnotincluderoot('/'),"/var",or"/usr".

11|P a g e

Remediation:

Performthefollowingstepstoremediatethissetting:

1. Chooseanon-systempartitionnew locationfortheMySQLdata2. Stopmysqldusingacommandlike: service mysql stop3. Copythedatausingacommandlike:cp -rp <datadir Value> <new location>4. Setthedatadirlocationtothenew locationintheMySQLconfigurationfile5. Startmysqldusingacommandlike:servicemysqlstart

NOTE:OnsomeLinuxdistributionsyoumayneedtoadditionallymodifyapparmorsettings.Forexample,onaUbuntu14.04.1systemeditthefile/etc/apparmor.d/usr.sbin.mysqld sothatthedatadiraccessisappropriate.Theoriginalmightlooklikethis:

# Allow data dir access /var/lib/mysql/ r, /var/lib/mysql/** rwk,

Alterthosetwopathstobethenewlocationyouchoseabove.Forexample,ifthatnewlocationwere/media/mysql,thenthe/etc/apparmor.d/usr.sbin.mysqldfileshouldincludesomethinglikethis:

# Allow data dir access /media/mysql/ r, /media/mysql/** rwk,

Impact:

Movingthedatabasetoanon-systempartitionmaybedifficultdependingonwhethertherewasonlyasinglepartitionwhentheoperatingsystemwassetupandwhetherthereisadditionalstorageavailable.

12|P a g e

1.2UseDedicatedLeastPrivilegedAccountforMySQLDaemon/Service(Scored)



Description:

Aswithanyserviceinstalledonahost,itcanbeprovidedwithitsownusercontext.Providingadedicatedusertotheserviceprovidestheabilitytopreciselyconstraintheservicewithinthelargerhostcontext.

Rationale:

UtilizingaleastprivilegeaccountforMySQLtoexecuteasmayreducetheimpactofaMySQL-bornvulnerability.ArestrictedaccountwillbeunabletoaccessresourcesunrelatedtoMySQL,suchasoperatingsystemconfigurations.

Audit:

Executethefollowingcommandataterminalprompttoassessthisrecommendation:

ps -ef | egrep "^mysql.*$"

Ifnolinesarereturned,thenthisisafinding.

NOTE:ItisassumedthattheMySQLuserismysql.Additionally,youmayconsiderrunningsudo -lastheMySQLuserortocheckthesudoersfile.

Remediation:

CreateauserwhichisonlyusedforrunningMySQLanddirectlyrelatedprocesses.Thisusermustnothaveadministrativerightstothesystem.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/changing-mysql-user.html2. http://dev.mysql.com/doc/refman/5.6/en/server-

options.html#option_mysqld_user

13|P a g e

1.3DisableMySQLCommandHistory(Scored)



Description:

OnLinux/UNIX,theMySQLclientlogsstatementsexecutedinteractivelytoahistoryfile.Bydefault,thisfileisnamed.mysql_historyintheuser'shomedirectory.MostinteractivecommandsrunintheMySQLclientapplicationaresavedtoahistoryfile.TheMySQLcommandhistoryshouldbedisabled.

Rationale:

DisablingtheMySQLcommandhistoryreducestheprobabilityofexposingsensitiveinformation,suchaspasswordsandencryptionkeys.

Audit:

Executethefollowingcommandstoassessthisrecommendation:

find /home -name ".mysql_history" find /root -name ".mysql_history"

Foreachfilereturneddeterminewhetherthatfileissymbolicallylinkedto/dev/null.

Remediation:


1. Remove.mysql_historyifitexists.2. Useeitherofthetechniquesbelowtopreventitfrombeingcreatedagain:

1. SettheMYSQL_HISTFILEenvironmentvariableto/dev/null.Thiswillneedtobeplacedintheshell'sstartupscript.

2. Create$HOME/.mysql_historyasasymbolicto/dev/null.

> ln -s /dev/null $HOME/.mysql_history

DefaultValue:

Bydefault,theMySQLcommandhistoryfileislocatedin$HOME/.mysql_history.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html2. http://bugs.mysql.com/bug.php?id=72158

14|P a g e

1.4VerifyThattheMYSQL_PWDEnvironmentVariablesIsNotInUse(Scored)



Description:

MySQLcanreadadefaultdatabasepasswordfromanenvironmentvariablecalledMYSQL_PWD.

Rationale:

TheuseoftheMYSQL_PWDenvironmentvariableimpliesthecleartextstorageofMySQLcredentials.AvoidingthismayincreaseassurancethattheconfidentialityofMySQLcredentialsispreserved.

Audit:

Toassessthisrecommendation,usethe/procfilesystemtodetermineifMYSQL_PWDiscurrentlysetforanyprocess

grep MYSQL_PWD /proc/*/environ

Thismayreturnoneentryfortheprocesswhichisexecutingthegrepcommand.

Remediation:

Checkwhichusersand/orscriptsaresettingMYSQL_PWDandchangethemtouseamoresecuremethod.

DefaultValue:

Notset.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/environment-variables.html2. https://blogs.oracle.com/myoraclediary/entry/how_to_check_environment_variabl

es

15|P a g e

1.5DisableInteractiveLogin(Scored)



Description:

Whencreated,theMySQLusermayhaveinteractiveaccesstotheoperatingsystem,whichmeansthattheMySQLusercouldlogintothehostasanyotheruserwould.

Rationale:

PreventingtheMySQLuserfromloggingininteractivelymayreducetheimpactofacompromisedMySQLaccount.ThereisalsomoreaccountabilityasaccessingtheoperatingsystemwheretheMySQLserverlieswillrequiretheuser'sownaccount.InteractiveaccessbytheMySQLuserisunnecessaryandshouldbedisabled.

Audit:

Executethefollowingcommandtoassessthisrecommendation

getent passwd mysql | egrep "^.*[\/bin\/false|\/sbin\/nologin]$"

Lackofoutputimpliesafinding.

Remediation:


• Executeoneofthefollowingcommandsinaterminal

usermod -s /bin/false mysql usermod -s /sbin/nologin mysql

Impact:

ThissettingwillpreventtheMySQLadministratorfrominteractivelyloggingintotheoperatingsystemusingtheMySQLuser.Instead,theadministratorwillneedtologinusingone'sownaccount.

16|P a g e

1.6VerifyThat'MYSQL_PWD'IsNotSetInUsers'Profiles(Scored)



Description:

MySQLcanreadadefaultdatabasepasswordfromanenvironmentvariablecalledMYSQL_PWD.

Rationale:

TheuseoftheMYSQL_PWDenvironmentvariableimpliesthecleartextstorageofMySQLcredentials.AvoidingthismayincreaseassurancethattheconfidentialityofMySQLcredentialsispreserved.

Audit:

ToassessthisrecommendationcheckifMYSQL_PWDissetinloginscriptsusingthefollowingcommand:

grep MYSQL_PWD /home/*/.{bashrc,profile,bash_profile}

Remediation:

Checkwhichusersand/orscriptsaresettingMYSQL_PWDandchangethemtouseamoresecuremethod.

DefaultValue:

Notset.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/environment-variables.html2. https://blogs.oracle.com/myoraclediary/entry/how_to_check_environment_variabl

es

17|P a g e

2InstallationandPlanning

ThissectioncontainsimportantconsiderationswhendeployingMySQLservicestoyourproductionnetwork.Therecommendationsmadehereinarenotscoredfromabenchmarkperspectiveandgenerallyalignwithbestcurrentpracticesasconveyedinmostcontrolframeworks.

Notealsothatconfigurationoptionscanbeaddedtwoways.FirstisusingtheMySQLconfigurationfile(e.g.my.cnf)andplacingoptionsunderthepropersectionof[mysqld].Optionsplacedintheconfigurationfileshouldnotprefixwithadoubledash"--".OptionscanalsobeplacedonthecommandlinebymodifyingtheMySQLstartupscript.Thestartupscriptissystemdependentbasedonyouroperatingsystem.

18|P a g e

2.1BackupandDisasterRecovery

Thissectioncontainsrecommendationsrelatedtobackupandrecovery

2.1.1Backuppolicyinplace(NotScored)



Description:

Abackuppolicyshouldbeinplace.

Rationale:

BackingupMySQLdatabases,including'mysql',willhelpensuretheavailabilityofdataintheeventofanincident.

Audit:

Checkwith"crontab -l"ifthereisabackupschedule.

Remediation:

Createabackuppolicyandbackupschedule.

Impact:

Withoutbackupsitmightbehardtorecoverfromanincident.

19|P a g e

2.1.2Verifybackupsaregood(NotScored)



Description:

Backupsshouldbevalidatedonaregularbasis.

Rationale:

Verifyingthatbackupsareoccurringappropriatelywillhelpensuretheavailabilityofdataintheeventofanincident.

Audit:

Checkreportsofbackupvalidationtests.

Remediation:

Implementregularbackupchecksanddocumenteachcheck.

Impact:

Withoutawell-testedbackup,itmightbehardtorecoverfromanincidentifthebackupprocedurecontainserrorsordoesn'tincludeallrequireddata.

20|P a g e

2.1.3Securebackupcredentials(NotScored)



Description:

Thepassword,certificateandanyothercredentialsshouldbeprotected.

Rationale:

Adatabaseuserwiththeleastamountofprivilegesrequiredtoperformbackupisneededforbackup.Thecredentialsforthisusershouldbeprotected.

Audit:

Checkpermissionsoffilescontainingpasswordsand/orsslkeys.

Remediation:

Changefilepermissions

Impact:

Whenthebackupcredentialsarenotproperlysecuredthentheymightbeabusedtogainaccesstotheserver.Thebackupuserneedsanaccountwithmanyprivileges,sotheattackercangain(almost)completeaccesstotheserver.

21|P a g e

2.1.4Thebackupsshouldbeproperlysecured(NotScored)



Description:

Thebackupfileswillcontainalldatainthedatabases.Filesystempermissionsand/orencryptionshouldbeusedtopreventnonauthorizedusersfromgainingaccesstothebackups.

Rationale:

Backupsshouldbeconsideredsensitiveinformation.

Audit:

Checkwhohasaccesstothebackupfiles.

• Arethefilesworld-readable(e.g.rw-r--r-)o Aretheystoredinaworldreadabledirectory?

• IsthegroupMySQLand/orbackupspecific?o Ifnot:thefileanddirectorymustnotbegroupreadable

• Arethebackupsstoredoffsite?o Whohasaccesstothebackups?

• Arethebackupsencrypted?o Whereistheencryptionkeystored?o Doestheencryptionkeyconsistsofaguessablepassword?

Remediation:

Implementencryptionorusefilesystempermissions.

Impact:

Ifanunauthorizedusercanaccessbackupsthentheyhaveaccesstoallthedatathatisinthedatabase.Thisistrueforunencryptedbackupsandforencryptedbackupsiftheencryptionkeyisstoredalongwiththebackup.

22|P a g e

2.1.5Pointintimerecovery(NotScored)



Description:

Withbinlogsitispossibletoimplementpoint-in-timerecovery.Thismakesitpossibletorestorethechangesbetweenthelastfullbackupandthepoint-in-time.

Enablingbinlogsisnotsufficient,arestoreprocedureshouldbecreatedandhastobetested.

Rationale:

Thiscanreducetheamountofinformationlost.

Audit:

Checkifbinlogsareenabledandifthereisarestoreprocedure.

Remediation:

Enablebinlogsandcreateandtestarestoreprocedure.

Impact:

Withoutpoint-in-timerecoverythedatawhichwasstoredbetweenthelastbackupandthetimeofdisastermightnotberecoverable.

23|P a g e

2.1.6Disasterrecoveryplan(NotScored)



Description:

Adisasterrecoveryplanshouldbecreated.

Aslaveinadifferentdatacentercanbeusedoroffsitebackups.Thereshouldbeinformationaboutwhattimearecoverywilltakeandiftherecoverysitehasthesamecapacity.

Rationale:

Adisasterrecoveryshouldbeplanned.

Audit:

Checkifthereisadisasterrecoveryplan

Remediation:

Createadisasterrecoveryplan

Impact:

Withoutawell-testeddisasterrecoveryplanitmightnotbepossibletorecoverintime.

24|P a g e

2.1.7Backupofconfigurationandrelatedfiles(NotScored)



Description:

Thefollowingfilesshouldbeincludedinthebackup:

• Configurationfiles(my.cnfandincludedfiles)• SSLfiles(certificates,keys)• UserDefinedFunctions(UDFs)• Sourcecodeforcustomizations

Rationale:

Thesefilesarerequiredtobeabletofullyrestoreaninstance.

Audit:

Checkifthesefilesareinusedandaresavedinthebackup.

Remediation:

Addthesefilestothebackup

Impact:

Withoutacompletebackupitmightnotbepossibletofullyrecover.

25|P a g e

2.2DedicateMachineRunningMySQL(NotScored)



Description:

ItisrecommendedthatMySQLServersoftwarebeinstalledonadedicatedserver.Thisarchitecturalconsiderationaffordsflexibilityinthatthedatabaseservercanbeplacedonaseparatezoneallowingaccessonlyfromparticularhostsandoverparticularprotocols.

Rationale:

Theattacksurfaceisreducedonaserverwithonlytheunderlyingoperatingsystem,MySQLserversoftware,andanysecurityoroperationaltoolingthatmaybeadditionallyinstalled.AsmallerattacksurfacereducestheprobabilityofthedatawithinMySQLbeingcompromised.

Audit:

VerifytherearenootherrolesenabledfortheunderlyingoperatingsystemandthatnoadditionalapplicationsorservicesunrelatedtotheproperoperationoftheMySQLserversoftwareareinstalled.

Remediation:

Removeexcessapplicationsorservicesand/orremoveunnecessaryrolesfromtheunderlyingoperatingsystem.

Impact:

Caremustbetakenthatapplicationsorservicesthatarerequiredfortheproperoperationoftheoperatingsystemarenotremoved.

Customapplicationsmayneedtobemodifiedtoaccommodatedatabaseconnectionsoverthenetworkratherthanontheuse(e.g.,usingTCP/IPconnections).

Additionalhardwareandoperatingsystemlicensesmayberequiredtomakethearchitecturalchange.

26|P a g e

2.3DoNotSpecifyPasswordsinCommandLine(NotScored)



Description:

Whenacommandisexecutedonthecommandline,forexamplemysql -u admin -ppassword,thepasswordmaybevisibleintheuser'sshell/commandhistoryorintheprocesslist.

Rationale:

Ifthepasswordisvisibleintheprocesslistoruser'sshell/commandhistory,anattackerwillbeabletoaccesstheMySQLdatabaseusingthestolencredentials.

Audit:

Checktheprocessortasklistifthepasswordisvisible.

Checktheshellorcommandhistoryifthepasswordisvisible.

Remediation:

Use-pwithoutpasswordandthenenterthepasswordwhenprompted,useaproperlysecured.my.cnffile,orstoreauthenticationinformationinencryptedformatin.mylogin.cnf.

Impact:

Dependingontheremediationchosen,additionalstepsmayneedtobeundertakenlike:

• Enteringapasswordwhenprompted;• Ensuringthefilepermissionson.my.cnfisrestrictedyetaccessiblebytheuser;• Usingmysql_config_editortoencrypttheauthenticationcredentialsin

.mylogin.cnf.

Additionally,notallscripts/applicationsmaybeabletouse.mylogin.cnf.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html2. http://dev.mysql.com/doc/refman/5.6/en/password-security-user.html

27|P a g e

2.4DoNotReuseUsernames(NotScored)



Description:

Databaseuseraccountsshouldnotbereusedformultipleapplicationsorusers.

Rationale:

UtilizinguniquedatabaseaccountsacrossapplicationswillreducetheimpactofacompromisedMySQLaccount.

Audit:

Eachusershouldbelinkedtooneofthese

• systemaccounts• aperson• anapplication

Remediation:

Add/Removeuserssothateachuserisonlyusedforonespecificpurpose.

Impact:

Ifauserisreused,thenacompromiseofthisuserwillcompromisemultiplepartsofthesystemand/orapplication.

28|P a g e

2.5DoNotUseDefaultorNon-MySQL-specificCryptographicKeys(NotScored)



Description:

TheSSLcertificateandkeyusedbyMySQLshouldbeusedonlyforMySQLandonlyforoneinstance.

Rationale:

UseofdefaultcertificatescanallowanattackertoimpersonatetheMySQLserver.

Audit:

CheckifthecertificateisboundtooneinstanceofMySQL.

Remediation:

Generateanewcertificate/keyperMySQLinstance.

Impact:

Ifakeyisusedonmultiplesystemthenacompromiseofonesystemleadstocompromiseofthenetworktrafficofallserverswhichusethesamekey.

29|P a g e

3FileSystemPermissions

TheFileSystemPermissionsarecriticalforkeepingthedataandconfigurationoftheMySQLserversecure.

3.1Ensure'datadir'HasAppropriatePermissions(Scored)



Description:

ThedatadirectoryisthelocationoftheMySQLdatabases.

Rationale:

Limitingtheaccessibilityoftheseobjectswillprotecttheconfidentiality,integrity,andavailabilityoftheMySQLdatabase.IfsomeoneotherthantheMySQLuserisallowedtoreadfilesfromthedatadirectoryheorshemightbeabletoreaddatafromthemysql.usertablewhichcontainspasswords.Additionally,theabilitytocreatefilescanleadtodenialofservice,ormightotherwiseallowsomeonetogainaccesstospecificdatabymanuallycreatingafilewithaviewdefinition.

Audit:

Performthefollowingstepstoassessthisrecommendation:

• ExecutethefollowingSQLstatementtodeterminetheValueofdatadir

show variables where variable_name = 'datadir';

• Executethefollowingcommandataterminalprompt

ls -l <datadir>/.. | egrep "^d[r|w|x]{3}------\s*.\s*mysql\s*mysql\s*\d*.*mysql"


Remediation:

Executethefollowingcommandsataterminalprompt:

chmod 700 <datadir> chown mysql:mysql <datadir>

30|P a g e

3.2Ensure'log_bin_basename'FilesHaveAppropriatePermissions(Scored)



Description:

MySQLcanoperateusingavarietyoflogfiles,eachusedfordifferentpurposes.Thesearethebinarylog,errorlog,slowquerylog,relaylog,andgenerallog.Becausethesearefilesonthehostoperatingsystem,theyaresubjecttothepermissionsstructureprovidedbythehostandmaybeaccessiblebyusersotherthantheMySQLuser.

Rationale:

Limitingtheaccessibilityoftheseobjectswillprotecttheconfidentiality,integrity,andavailabilityoftheMySQLlogs.

Audit:


• Identifythebasenameofbinarylogfiles(log_bin_basename)byexecutingthefollowingstatement

show variables like 'log_bin_basename';

• Verifypermissionsare660formysql:mysqloneachlogfileoftheformlog_bin_basename.nnnnnn.

Remediation:

Executethefollowingcommandforeachlogfilelocationrequiringcorrectedpermissions:

chmod 660 <log file> chown mysql:mysql <log file>

31|P a g e

Impact:

Changingthepermissionsofthelogfilesmighthaveimpactonmonitoringtoolswhichusealogfileadapter.Alsotheslowquerylogcanbeusedforperformanceanalysisbyapplicationdevelopers.

IfthepermissionsontherelaylogsandbinarylogfilesareaccidentallychangedtoexcludetheuseraccountwhichisusedtoruntheMySQLservice,thenthismightbreakreplication.

Thebinarylogfilecanbeusedforpointintimerecoverysothiscanalsoaffectbackup,restoreanddisasterrecoveryprocedures.

32|P a g e

3.3Ensure'log_error'HasAppropriatePermissions(Scored)



Description:


Rationale:


Audit:


• Findthelog_errorvalue(<error_log_path>)byexecutingthefollowingstatement

show variables like 'log_error';

• Verifypermissionsare660formysql:mysqlfor<error_log_path>

Remediation:



Impact:




33|P a g e

3.4Ensure'slow_query_log'HasAppropriatePermissions(Scored)



Description:


Rationale:


Audit:


• Findtheslow_query_logvalue(<slow_query_log_path>)byexecutingthefollowingstatement

show variables like 'slow_query_log_file';

• Verifypermissionsare660formysql:mysqlfor<slow_query_log_path>

Remediation:



34|P a g e

Impact:




35|P a g e

3.5Ensure'relay_log_basename'FilesHaveAppropriatePermissions(Scored)



Description:


Rationale:


Audit:


Findtherelay_log_basenamevaluebyexecutingthefollowingstatement

show variables like 'relay_log_basename';

• Verifypermissionsare660formysql:mysqlforeachfileoftheform<relay_log_basename>

Remediation:



36|P a g e

Impact:




37|P a g e

3.6Ensure'general_log_file'HasAppropriatePermissions(Scored)



Description:


Rationale:


Audit:


• Findthegeneral_log_filevaluebyexecutingthefollowingstatement

show variables like 'general_log_file';

• Verifypermissionsare660formysql:mysqlfortheindicatedgeneral_log_file.

Remediation:



Impact:




38|P a g e

3.7EnsureSSLKeyFilesHaveAppropriatePermissions(Scored)



Description:

WhenconfiguredtouseSSL/TLS,MySQLreliesonkeyfiles,whicharestoredonthehost'sfilesystem.Thesekeyfilesaresubjecttothehost'spermissionsstructure.

Rationale:

Limitingtheaccessibilityoftheseobjectswillprotecttheconfidentiality,integrity,andavailabilityoftheMySQLdatabaseandthecommunicationwiththeclient.

IfthecontentsoftheSSLkeyfileisknowntoanattackerheorshemightimpersonatetheserver.Thiscanbeusedforaman-in-the-middleattack.

DependingontheSSLciphersuitethekeymightalsobeusedtodecipherpreviouslycapturednetworktraffic.

Audit:

Toassessthisrecommendation,locatetheSSLkeyinusebyexecutingthefollowingSQLstatementtogettheValueofssl_key:

show variables where variable_name = 'ssl_key';

Then,executethefollowingcommandtoassessthepermissionsoftheValue:

ls -l <ssl_key Value> | egrep "^-r--------[ \t]*.[ \t]*mysql[ \t]*mysql.*$"

Lackofoutputfromtheabovecommandimpliesafinding.

Remediation:

ExecutethefollowingcommandsataterminalprompttoremediatethissettingusingtheValuefromtheauditprocedure:

chown mysql:mysql <ssl_key Value> chmod 400 <ssl_key Value>

39|P a g e

Impact:

IfthepermissionsforthekeyfilearechangedincorrectlythiscancauseSSLtobedisabledwhenMySQLisrestartedorcancauseMySQLnottostartatall.

Ifotherapplicationsareusingthesamekeypair,thenchangingthepermissionsofthekeyfilewillaffectthisapplication.Ifthisisthecase,thenanewkeypairmustbegeneratedforMySQL.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/ssl-connections.html

40|P a g e

3.8EnsurePluginDirectoryHasAppropriatePermissions(Scored)



Description:

TheplugindirectoryisthelocationoftheMySQLplugins.Pluginsarestorageenginesoruserdefinedfunctions(UDFs).

Rationale:

Limitingtheaccessibilityoftheseobjectswillprotecttheconfidentiality,integrity,andavailabilityoftheMySQLdatabase.Ifsomeonecanmodifypluginsthenthesepluginsmightbeloadedwhentheserverstartsandthecodewillgetexecuted.

Audit:

Toassessthisrecommendation,executethefollowingSQLstatementtodiscovertheValueofplugin_dir:

show variables where variable_name = 'plugin_dir';

Then,executethefollowingcommandataterminalprompt(usingthediscoveredplugin_dir Value)todeterminethepermissions.

ls -l <plugin_dir Value>/.. | egrep "^drwxr[-w]xr[-w]x[ \t]*[0-9][ \t]*mysql[ \t]*mysql.*plugin.*$"


NOTE:Permissionsareintendedtobeeither775or755.

Remediation:

Toremediatethissetting,executethefollowingcommandsataterminalpromptusingtheplugin_dir Valuefromtheauditprocedure.

chmod 775 <plugin_dir Value> (or use 755) chown mysql:mysql <plugin_dir Value>

Impact:

Usersotherthanthemysqluserwillnolongerbeabletoupdateandadd/removepluginsunlessthey'reabletoswitchtothemysqluser;

41|P a g e

References:

1. http://dev.mysql.com/doc/refman/5.6/en/install-plugin.html

42|P a g e

4General

Thissectioncontainsrecommendationsrelatedtovariouspartsofthedatabaseserver.

4.1EnsureLatestSecurityPatchesAreApplied(NotScored)



Description:

Periodically,updatestoMySQLserverarereleasedtoresolvebugs,mitigatevulnerabilities,andprovidenewfeatures.ItisrecommendedthatMySQLinstallationsareuptodatewiththelatestsecurityupdates.

Rationale:

MaintainingcurrencywithMySQLpatcheswillhelpreduceriskassociatedwithknownvulnerabilitiespresentintheMySQLserver.

WithoutthelatestsecuritypatchesMySQLmighthaveknownvulnerabilitieswhichmightbeusedbyanattackertogainaccess.

Audit:

ExecutethefollowingSQLstatementtoidentifytheMySQLserverversion:

SHOW VARIABLES WHERE Variable_name LIKE "version";

NowcomparetheversionwiththesecurityannouncementsfromOracleand/ortheOSiftheOSpackagesareused.

Remediation:

Installthelatestpatchesforyourversionorupgradetothelatestversion.

Impact:

ToupdatetheMySQLserverarestartisrequired.

43|P a g e

References:

1. http://www.oracle.com/technetwork/topics/security/alerts-086861.html2. http://dev.mysql.com/doc/relnotes/mysql/5.6/en/3. http://web.nvd.nist.gov/view/vuln/search-

results?adv_search=true&cves=on&cpe_vendor=cpe%3a%2f%3aoracle&cpe_product=cpe%3a%2f%3aoracle%3amysql&cpe_version=cpe%3a%2f%3aoracle%3amysql%3a5.6.0

44|P a g e

4.2Ensurethe'test'DatabaseIsNotInstalled(Scored)


•Level1-MySQLRDBMS

Description:

ThedefaultMySQLinstallationcomeswithanunuseddatabasecalledtest.Itisrecommendedthatthetestdatabasebedropped.

Rationale:

Thetestdatabasecanbeaccessedbyallusersandcanbeusedtoconsumesystemresources.DroppingthetestdatabasewillreducetheattacksurfaceoftheMySQLserver.

Audit:

ExecutethefollowingSQLstatementtodetermineifthetestdatabaseispresent:

SHOW DATABASES LIKE 'test';

TheaboveSQLstatementwillreturnzerorows

Remediation:

ExecutethefollowingSQLstatementtodropthetest database:

DROP DATABASE "test";

Note:mysql_secure_installationperformsthisoperationaswellasothersecurity-relatedactivities.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/mysql-secure-installation.html

45|P a g e

4.3Ensure'allow-suspicious-udfs'IsSetto'FALSE'(Scored)



Description:

Thisoptionpreventsattachingarbitrarysharedlibraryfunctionsasuser-definedfunctionsbycheckingforatleastonecorrespondingmethodnamed_init, _deinit,_reset,_clear,or_add.

Rationale:

Preventingsharedlibrariesthatdonotcontainuser-definedfunctionsfromloadingwillreducetheattacksurfaceoftheserver.

Audit:

Performthefollowingtodetermineiftherecommendedstateisinplace:

• Ensure--allow-suspicious-udfsisnotspecifiedinthethemysqld startupcommandline.

• Ensureallow-suspicious-udfsissettoFALSEintheMySQLconfiguration:• my_print_defaults mysqld | grep allow-suspicious-udfs

Noresultsreturnedwouldbeapass.

Remediation:

Performthefollowingtoestablishtherecommendedstate:

• Remove--allow-suspicious-udfsfromthemysqld startupcommandline.• Removeallow-suspicious-udfsfromtheMySQLoptionfile.

DefaultValue:

FALSE

References:

1. http://dev.mysql.com/doc/refman/5.6/en/udf-security.html2. http://dev.mysql.com/doc/refman/5.6/en/server-

options.html#option_mysqld_allow-suspicious-udfs

46|P a g e

4.4Ensure'local_infile'IsDisabled(Scored)



Description:

Thelocal_infileparameterdictateswhetherfileslocatedontheMySQLclient'scomputercanbeloadedorselectedviaLOAD DATA INFILEorSELECT local_file.

Rationale:

Disablinglocal_infilereducesanattacker'sabilitytoreadsensitivefilesofftheaffectedserverviaaSQLinjectionvulnerability.

Audit:

ExecutethefollowingSQLstatementandensuretheValuefieldissettoOFF:

SHOW VARIABLES WHERE Variable_name = 'local_infile';

Remediation:

Addthefollowinglinetothe[mysqld]sectionoftheMySQLconfigurationfileandrestarttheMySQLservice:

local-infile=0

Impact:

Disablinglocal_infilewillimpactthefunctionalityofsolutionsthatrelyonit.

DefaultValue:

ON

References:

1. http://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file2. http://dev.mysql.com/doc/refman/5.6/en/load-data.html

47|P a g e

4.5Ensure'mysqld'IsNotStartedwith'--skip-grant-tables'(Scored)



Description:

Thisoptioncausesmysqld tostartwithoutusingtheprivilegesystem.

Rationale:

Ifthisoptionisused,allclientsoftheaffectedserverwillhaveunrestrictedaccesstoalldatabases.

Audit:

Performthefollowingtodetermineiftherecommendedstateisinplace:

• OpentheMySQLconfiguration(e.g.my.cnf)fileandsearchforskip-grant-tables• Ensureskip-grant-tablesissettoFALSE

Remediation:

Performthefollowingtoestablishtherecommendedstate:

• OpentheMySQLconfiguration(e.g.my.cnf)fileandset:

skip-grant-tables = FALSE

References:

1. http://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables

48|P a g e

4.6Ensure'--skip-symbolic-links'IsEnabled(Scored)



Description:

Thesymbolic-linksandskip-symbolic-linksoptionsforMySQLdeterminewhethersymboliclinksupportisavailable.Whenuseofsymboliclinksareenabled,theyhavedifferenteffectsdependingonthehostplatform.Whensymboliclinksaredisabled,thensymboliclinksstoredinfilesorentriesintablesarenotusedbythedatabase.

Rationale:

Preventssymlinksbeingusedfordatabasefiles.ThisisespeciallyimportantwhenMySQLisexecutingasrootasarbitraryfilesmaybeoverwritten.Thesymbolic-linksoptionmightallowsomeonetodirectactionsbytoMySQLservertootherfilesand/ordirectories.

Audit:

ExecutethefollowingSQLstatementtoassessthisrecommendation:

SHOW variables LIKE 'have_symlink';

EnsuretheValuereturnedisDISABLED.

Remediation:

Performthefollowingactionstoremediatethissetting:

• OpentheMySQLconfigurationfile(my.cnf)• Locateskip_symbolic_linksintheconfiguration• Settheskip_symbolic_linkstoYES

NOTE:Ifskip_symbolic_linksdoesnotexist,addittotheconfigurationfileinthemysqldsection.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html2. http://dev.mysql.com/doc/refman/5.6/en/server-

options.html#option_mysqld_symbolic-links

49|P a g e

4.7Ensurethe'daemon_memcached'PluginIsDisabled(Scored)



Description:

TheInnoDBmemcachedPluginallowsuserstoaccessdatastoredinInnoDBwiththememcachedprotocol.

Rationale:

Bydefaulttheplugindoesn'tdoauthentication,whichmeansthatanyonewithaccesstotheTCP/IPportoftheplugincanaccessandmodifythedata.However,notalldataisexposedbydefault.

Audit:


SELECT * FROM information_schema.plugins WHERE PLUGIN_NAME='daemon_memcached'

Ensurethatnorowsarereturned.

Remediation:

Toremediatethissetting,issuethefollowingcommandintheMySQLcommand-lineclient:

uninstall plugin daemon_memcached;

ThisuninstallsthememcachedpluginfromtheMySQLserver.

DefaultValue:

disabled

References:

1. http://dev.mysql.com/doc/refman/5.6/en/innodb-memcached-security.html

50|P a g e

4.8Ensure'secure_file_priv'IsNotEmpty(Scored)



Description:

Thesecure_file_privoptionrestrictstopathsusedbyLOAD DATA INFILEorSELECT local_file.ItisrecommendedthatthisoptionbesettoafilesystemlocationthatcontainsonlyresourcesexpectedtobeloadedbyMySQL.

Rationale:

Settingsecure_file_privreducesanattacker'sabilitytoreadsensitivefilesofftheaffectedserverviaaSQLinjectionvulnerability.

Audit:

ExecutethefollowingSQLstatementandensureonerowisreturned:

SHOW GLOBAL VARIABLES WHERE Variable_name = 'secure_file_priv' AND Value<>'';

Note:TheValueshouldcontainavalidpath.

Remediation:

Addthefollowinglinetothe[mysqld]sectionoftheMySQLconfigurationfileandrestarttheMySQLservice:

secure_file_priv=<path_to_load_directory>

Impact:

Solutionsthatrelyonloadingdatafromvarioussub-directoriesmaybenegativelyimpactedbythischange.Considerconsolidatingloaddirectoriesunderacommonparentdirectory.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv

51|P a g e

4.9Ensure'sql_mode'Contains'STRICT_ALL_TABLES'(Scored)



Description:

Whendatachangingstatementsaremade(i.e.INSERT,UPDATE),MySQLcanhandleinvalidormissingvaluesdifferentlydependingonwhetherstrictSQLmodeisenabled.WhenstrictSQLmodeisenabled,datamaynotbetruncatedorotherwise"adjusted"tomakethedatachangingstatementwork.

Rationale:

Withoutstrictmodetheservertriestodoproceedwiththeactionwhenanerrormighthavebeenamoresecurechoice.Forexample,bydefaultMySQLwilltruncatedataifitdoesnotfitinafield,whichcanleadtounknownbehavior,orbeleveragedbyanattackertocircumventdatavalidation.

Audit:

Toauditforthisrecommendationexecutethefollowingquery:

SHOW VARIABLES LIKE 'sql_mode';

EnsurethatSTRICT_ALL_TABLESisinthelistreturned.

Remediation:


1. AddSTRICT_ALL_TABLEStothesql_modeintheserver'sconfigurationfile

Impact:

ApplicationsrelyingontheMySQLdatabaseshouldbeawarethatSTRICT_ALL_TABLES isinuse,suchthaterrorconditionsarehandledappropriately.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/server-sql-mode.html

52|P a g e

5MySQLPermissions

Thissectioncontainsrecommendationsaboutuserprivileges.

5.1EnsureOnlyAdministrativeUsersHaveFullDatabaseAccess(Scored)



Description:

Themysql.userandmysql.dbtableslistavarietyofprivilegesthatcanbegranted(ordenied)toMySQLusers.Someoftheprivilegesofconcerninclude:Select_priv,Insert_priv,Update_priv,Delete_priv,Drop_priv,andsoon.Typically,theseprivilegesshouldnotbeavailabletoeveryMySQLuserandoftenarereservedforadministrativeuseonly.

Rationale:

Limitingtheaccessibilityofthe'mysql'databasewillprotecttheconfidentiality,integrity,andavailabilityofthedatahousedwithinMySQL.Auserwhichhasdirectaccesstomysql.*mightviewpasswordhashes,changepermissions,oralterordestroyinformationintentionallyorunintentionally.

Audit:

ExecutethefollowingSQLstatement(s)toassessthisrecommendation:

SELECT user, host FROM mysql.user WHERE (Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y');

SELECT user, host FROM mysql.db WHERE db = 'mysql' AND ((Select_priv = 'Y') OR (Insert_priv = 'Y') OR (Update_priv = 'Y') OR (Delete_priv = 'Y') OR (Create_priv = 'Y') OR (Drop_priv = 'Y'));

Ensureallusersreturnedareadministrativeusers.

53|P a g e

Remediation:


1. Enumeratenon-administrativeusersresultingfromtheauditprocedure2. Foreachnon-administrativeuser,usetheREVOKEstatementtoremoveprivilegesas

appropriate

Impact:

Considerationshouldbemadeforwhichprivilegesarerequiredbyeachuserrequiringinteractivedatabaseaccess.

54|P a g e

5.2Ensure'file_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored)



Description:

TheFile_privprivilegefoundinthemysql.usertableisusedtoallowordisallowauserfromreadingandwritingfilesontheserverhost.AnyuserwiththeFile_privrightgrantedhastheabilityto:

• ReadfilesfromthelocalfilesystemthatarereadablebytheMySQLserver(thisincludesworld-readablefiles)

• WritefilestothelocalfilesystemwheretheMySQLserverhaswriteaccess

Rationale:

TheFile_privrightallowsmysql userstoreadfilesfromdiskandtowritefilestodisk.ThismaybeleveragedbyanattackertofurthercompromiseMySQL.ItshouldbenotedthattheMySQLservershouldnotoverwriteexistingfiles.

Audit:

ExecutethefollowingSQLstatementtoauditthissetting

select user, host from mysql.user where File_priv = 'Y';

Ensureonlyadministrativeusersarereturnedintheresultset.

Remediation:


1. Enumeratethenon-administrativeusersfoundintheresultsetoftheauditprocedure

2. Foreachuser,issuethefollowingSQLstatement(replace"<user>"withthenon-administrativeuser:

REVOKE FILE ON *.* FROM '<user>';

References:

1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_file

55|P a g e

5.3Ensure'process_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored)



Description:

ThePROCESSprivilegefoundinthemysql.usertabledetermineswhetheragivenusercanseestatementexecutioninformationforallsessions.

Rationale:

ThePROCESS privilegeallowsprincipalstoviewcurrentlyexecutingMySQLstatementsbeyondtheirown,includingstatementsusedtomanagepasswords.ThismaybeleveragedbyanattackertocompromiseMySQLortogainaccesstopotentiallysensitivedata.

Audit:

ExecutethefollowingSQLstatementtoauditthissetting:

select user, host from mysql.user where Process_priv = 'Y';


Remediation:




REVOKE PROCESS ON *.* FROM '<user>';

Impact:

UsersdeniedthePROCESSprivilegemayalsobedenieduseofSHOW ENGINE.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_process

56|P a g e

5.4Ensure'super_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored)



Description:

TheSUPERprivilegefoundinthemysql.usertablegovernstheuseofavarietyofMySQLfeatures.Thesefeaturesinclude,CHANGE MASTER TO,KILL,mysqladminkilloption,PURGE BINARY LOGS,SET GLOBAL,mysqladmindebugoption,loggingcontrol,andmore.

Rationale:

TheSUPERprivilegeallowsprincipalstoperformmanyactions,includingviewandterminatecurrentlyexecutingMySQLstatements(includingstatementsusedtomanagepasswords).ThisprivilegealsoprovidestheabilitytoconfigureMySQL,suchasenable/disablelogging,alterdata,disable/enablefeatures.LimitingtheaccountsthathavetheSUPERprivilegereducesthechancesthatanattackercanexploitthesecapabilities.

Audit:


select user, host from mysql.user where Super_priv = 'Y';


Remediation:




REVOKE SUPER ON *.* FROM '<user>';

Impact:

WhentheSUPERprivilegeisdeniedtoagivenuser,thatuserwillbeunabletotakeadvantageofcertaincapabilities,suchascertainmysqladminoptions.

57|P a g e

References:

1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_super

58|P a g e

5.5Ensure'shutdown_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored)



Description:

TheSHUTDOWNprivilegesimplyenablesuseoftheshutdownoptiontothemysqladmincommand,whichallowsauserwiththeSHUTDOWNprivilegetheabilitytoshutdowntheMySQLserver.

Rationale:

TheSHUTDOWN privilegeallowsprincipalstoshutdownMySQL.ThismaybeleveragedbyanattackertonegativelyimpacttheavailabilityofMySQL.

Audit:


SELECT user, host FROM mysql.user WHERE Shutdown_priv = 'Y';


Remediation:



2. Foreachuser,issuethefollowingSQLstatement(replace"<user>"withthenon-administrativeuser):

REVOKE SHUTDOWN ON *.* FROM '<user>';

References:

1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_shutdown

59|P a g e

5.6Ensure'create_user_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored)



Description:

TheCREATEUSERprivilegegovernstherightofagivenusertoaddorremoveusers,changeexistingusers'names,orrevokeexistingusers'privileges.

Rationale:

ReducingthenumberofusersgrantedtheCREATE USERrightminimizesthenumberofusersabletoadd/dropusers,alterexistingusers'names,andmanipulateexistingusers'privileges.

Audit:


SELECT user, host FROM mysql.user WHERE Create_user_priv = 'Y';


Remediation:



2. Foreachuser,issuethefollowingSQLstatement(replace"<user>"withthenon-administrativeuser):

REVOKE CREATE USER ON *.* FROM '<user>';

Impact:

UsersthataredeniedtheCREATEUSERprivilegewillnotonlybeunabletocreateauser,buttheymaybeunabletodropauser,renameauser,orotherwiserevokeagivenuser'sprivileges.

60|P a g e

5.7Ensure'grant_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored)



Description:

TheGRANT OPTION privilegeexistsindifferentcontexts(mysql.user,mysql.db)forthepurposeofgoverningtheabilityofaprivilegedusertomanipulatetheprivilegesofotherusers.

Rationale:

TheGRANT privilegeallowsaprincipaltograntotherprincipalsadditionalprivileges.ThismaybeusedbyanattackertocompromiseMySQL.

Audit:

ExecutethefollowingSQLstatementstoauditthissetting:

SELECT user, host FROM mysql.user WHERE Grant_priv = 'Y'; SELECT user, host FROM mysql.db WHERE Grant_priv = 'Y';


Remediation:


1. Enumeratethenon-administrativeusersfoundintheresultsetsoftheauditprocedure


REVOKE GRANT OPTION ON *.* FROM <user>;

References:

1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_grant-option

61|P a g e

5.8Ensure'repl_slave_priv'IsNotSetto'Y'forNon-SlaveUsers(Scored)



Description:

TheREPLICATION SLAVEprivilegegovernswhetheragivenuser(inthecontextofthemasterserver)canrequestupdatesthathavebeenmadeonthemasterserver.

Rationale:

TheREPLICATION SLAVE privilegeallowsaprincipaltofetchbinlogfilescontainingalldatachangingstatementsand/orchangesintabledatafromthemaster.Thismaybeusedbyanattackertoread/fetchsensitivedatafromMySQL.

Audit:


SELECT user, host FROM mysql.user WHERE Repl_slave_priv = 'Y';

Ensureonlyaccountsdesignatedforslaveusersaregrantedthisprivilege.

Remediation:


1. Enumeratethenon-slaveusersfoundintheresultsetoftheauditprocedure2. Foreachuser,issuethefollowingSQLstatement(replace"<user>"withthenon-

slaveuser):

REVOKE REPLICATION SLAVE ON *.* FROM <user>;

UsetheREVOKEstatementtoremovetheSUPERprivilegefromuserswhoshouldn'thaveit.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_replication-slave

62|P a g e

5.9EnsureDML/DDLGrantsAreLimitedtoSpecificDatabasesandUsers(Scored)



Description:

DML/DDLincludesthesetofprivilegesusedtomodifyorcreatedatastructures.ThisincludesINSERT,SELECT,UPDATE,DELETE,DROP,CREATE,andALTERprivileges.

Rationale:

INSERT,SELECT,UPDATE,DELETE,DROP,CREATE,andALTERarepowerfulprivilegesinanydatabase.Suchprivilegesshouldbelimitedonlytothoseusersrequiringsuchrights.Bylimitingtheuserswiththeserightsandensuringthattheyarelimitedtospecificdatabases,theattacksurfaceofthedatabaseisreduced.

Audit:


SELECT User,Host,Db FROM mysql.db WHERE Select_priv='Y' OR Insert_priv='Y' OR Update_priv='Y' OR Delete_priv='Y' OR Create_priv='Y' OR Drop_priv='Y' OR Alter_priv='Y';

Ensureallusersreturnedshouldhavetheseprivilegesontheindicateddatabases.

NOTE:GlobalgrantsarecoveredinRecommendation4.1.

63|P a g e

Remediation:


1. Enumeratetheunauthorizedusers,hosts,anddatabasesreturnedintheresultsetoftheauditprocedure

2. Foreachuser,issuethefollowingSQLstatement(replace"<user>"withtheunauthorizeduser,"<host>"withhostname,and"<database>"withthedatabasename):

REVOKE SELECT ON <host>.<database> FROM <user>; REVOKE INSERT ON <host>.<database> FROM <user>; REVOKE UPDATE ON <host>.<database> FROM <user>; REVOKE DELETE ON <host>.<database> FROM <user>; REVOKE CREATE ON <host>.<database> FROM <user>; REVOKE DROP ON <host>.<database> FROM <user>; REVOKE ALTER ON <host>.<database> FROM <user>;

64|P a g e

6AuditingandLogging

ThissectionprovidesguidancewithrespecttoMySQL'sloggingbehavior.

6.1Ensure'log_error'IsNotEmpty(Scored)



Description:

Theerrorlogcontainsinformationabouteventssuchasmysqldstartingandstopping,whenatableneedstobecheckedorrepaired,and,dependingonthehostoperatingsystem,stacktraceswhenmysqldfails.

Rationale:

EnablingerrorloggingmayincreasetheabilitytodetectmaliciousattemptsagainstMySQL,andothercriticalmessages,suchasiftheerrorlogisnotenabledthenconnectionerrormightgounnoticed.

Audit:


SHOW variables LIKE 'log_error';

EnsuretheValuereturnedisnotempty.

Remediation:


1. OpentheMySQLconfigurationfile(my.cnformy.ini)2. Setthelog-erroroptiontothepathfortheerrorlog

References:

1. http://dev.mysql.com/doc/refman/5.6/en/error-log.html

65|P a g e

6.2EnsureLogFilesAreStoredonaNon-SystemPartition(Scored)



Description:

MySQLlogfilescanbesetintheMySQLconfigurationtoexistanywhereonthefilesystem.Itiscommonpracticetoensurethatthesystemfilesystemisleftunclutteredbyapplicationlogs.Systemfilesystemsincludetheroot,/var,or/usr.

Rationale:

MovingtheMySQLlogsoffthesystempartitionwillreducetheprobabilityofdenialofserviceviatheexhaustionofavailablediskspacetotheoperatingsystem.

Audit:


SELECT @@global.log_bin_basename;

Ensurethevaluereturneddoesnotindicateroot('/'),/var,or/usr.

Remediation:


1. OpentheMySQLconfigurationfile(my.cnf)2. Locatethelog-binentryandsetittoafilenotonroot('/'),/var,or/usr

References:

1. http://dev.mysql.com/doc/refman/5.6/en/binary-log.html2. http://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html

66|P a g e

6.3Ensure'log_warnings'IsSetto'2'(Scored)



Description:

Thelog_warningssystemvariable,enabledbydefault,providesadditionalinformationtotheMySQLlog.Avalueof1enablesloggingofwarningmessages,andhigherintegervaluestendtoenablemorelogging.

NOTE:Thevariablescopefor5.6.3andearlierisglobalandsession,butfor5.6.4andgreateritsscopeisglobal.

Rationale:

Thismighthelptodetectmaliciousbehaviorbyloggingcommunicationerrorsandabortedconnections.

Audit:


SHOW GLOBAL VARIABLES LIKE 'log_warnings';

EnsuretheValuereturnedequals2.

Remediation:


• OpentheMySQLconfigurationfile(my.cnf)• Ensurethefollowinglineisfoundinthemysqldsection

log-warnings = 2

DefaultValue:

Theoptionisenabled(1)bydefault.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings

67|P a g e

6.4EnsureAuditLoggingIsEnabled(NotScored)



Description:

AuditloggingisnotreallyincludedintheCommunityEditionofMySQL-onlythegenerallog.Usingthegenerallogispossible,butnotpractical,becauseitgrowsquicklyandhasanadverseimpactonserverperformance.

Nevertheless,enablingauditloggingisanimportantconsiderationforaproductionenvironment,andthird-partytoolsdoexisttohelpwiththis.Enableauditloggingfor

• Interactiveusersessions• Applicationsessions(optional)

Rationale:

Auditlogginghelpstoidentifywhochangedwhatandwhen.Theauditlogmightbeusedasevidenceininvestigations.Itmightalsohelptoidentifywhatanattackerwasabletoaccomplish.

Audit:

Verifythatathird-partytoolisinstalledandconfiguredtoenableloggingforinteractiveusersessionsand(optionally)applicationssessions.

Remediation:

Acquireathird-partyMySQLloggingsolutionasavailablefromavarietyofsourcesincluding,butnotnecessarilylimitedto,thefollowing:

• TheGeneralQueryLog• MySQLEnterpriseAudit• MariaDBAuditPluginforMySQL• McAfeeMySQLAudit

References:

1. http://dev.mysql.com/doc/refman/5.6/en/query-log.html2. http://dev.mysql.com/doc/refman/5.6/en/mysql-enterprise-audit.html3. https://mariadb.com/kb/en/server_audit-mariadb-audit-plugin/4. https://github.com/mcafee/mysql-audit

68|P a g e

6.5Ensure'log-raw'IsSetto'OFF'(Scored)



Description:

Thelog-rawMySQLoptiondetermineswhetherpasswordsarerewrittenbytheserversoasnottoappearinlogfilesasplaintext.Iflog-rawisenabled,thenpasswordsarewrittentothevariouslogfiles(generalquerylog,slowquerylog,andbinarylog)inplaintext.

Rationale:

Withrawloggingofpasswordsenabledsomeonewithaccesstothelogfilesmightseeplaintextpasswords.

Audit:

Performthefollowingactionstoassessthisrecommendation:

• OpentheMySQLconfigurationfile(my.cnf)• Ensurethelog-rawentryispresent• Ensurethelog-rawentryissettoOFF

Remediation:


• OpentheMySQLconfigurationfile(my.cnf)• Findthelog-rawentryandsetitasfollows

log-raw = OFF

DefaultValue:

OFF

References:

1. http://dev.mysql.com/doc/refman/5.6/en/password-logging.html2. http://dev.mysql.com/doc/refman/5.6/en/server-

options.html#option_mysqld_log-raw

69|P a g e

7Authentication

ThissectioncontainsconfigurationrecommendationsthatpertaintotheauthenticationmechanismsofMySQL.

7.1Ensure'old_passwords'IsNotSetto'1'or'ON'(Scored)



Description:

ThisvariablecontrolsthepasswordhashingmethodusedbythePASSWORD()functionandfortheIDENTIFIED BYclauseoftheCREATE USERandGRANTstatements.Before5.6.6,thevaluecanbe0(orOFF),or1(orON).Asof5.6.6,thefollowingvaluecanbeoneofthefollowing:

• 0-authenticatewiththemysql_native_password plugin• 1-authenticatewiththemysql_old_password plugin• 2-authenticatewiththesha256_passwordplugin

Rationale:

Themysql_old_passwordpluginleveragesanalgorithmthatcanbequicklybruteforcedusinganofflinedictionaryattack.SeeCVE-2003-1480foradditionaldetails.

Audit:


SHOW VARIABLES WHERE Variable_name = 'old_passwords';

EnsuretheValue fieldisnotsetto1orON.

Remediation:

Configuremysqltoleveragethemysql_native_passwordorsha256_passwordplugin.Formoreinformation,see:

• http://dev.mysql.com/doc/refman/5.6/en/password-hashing.html• http://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html

70|P a g e

Impact:

Whenold_passwordsissetto1thePASSWORD()functionwillcreatepasswordhasheswithaveryweakhashingalgorithmwhichmightbeeasytobreakifcapturedbyanattacker.

DefaultValue:

0

References:

1. http://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords

2. CVE-2003-1480

71|P a g e

7.2Ensure'secure_auth'issetto'ON'(Scored)




Description:

Thisoptiondictateswhethertheserverwilldenyconnectionsbyclientsthatattempttouseaccountsthathavetheirpasswordstoredinthemysql_old_passwordformat.

Rationale:

Enablingthisoptionwillpreventalluseofpasswordsemployingtheoldformat(andhenceinsecurecommunicationoverthenetwork).

Audit:

ExecutethefollowingSQLstatementandensuretheValue fieldisnotsettoON:

SHOWVARIABLESWHEREVariable_name='secure_auth';

Remediation:

Addthefollowinglineto[mysqld]portionsoftheMySQLoptionfiletoestablishtherecommendedstate:

secure_auth=ON

Impact:

Accountshavingcredentialsstoredusingtheoldpasswordformatwillbeunabletologin.Executethefollowingcommandtoidentifyaccountsthatwillbeimpactedbyimplementingthissetting:

SELECT User,Host FROM mysql.user WHERE plugin='mysql_old_password';

DefaultValue:

BeforeMySQL5.6.5,thisoptionisdisabledbydefault.AsofMySQL5.6.5,itisenabledbydefault;todisableit,use--skip-secure-auth.

72|P a g e

References:

1. http://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth

73|P a g e

7.3EnsurePasswordsAreNotStoredintheGlobalConfiguration(Scored)




Description:

The[client]sectionoftheMySQLconfigurationfileallowssettingauserandpasswordtobeused.Verifythepasswordoptionisnotusedintheglobalconfigurationfile(my.cnf).

Rationale:

Theuseofthepasswordparametermaynegativelyimpacttheconfidentialityoftheuser'spassword.

Audit:

Toassessthisrecommendation,performthefollowingsteps:

• OpentheMySQLconfigurationfile(e.g.my.cnf)• Examinethe[client]sectionoftheMySQLconfigurationfileandensurepassword

isnotemployed.

Remediation:

Usethemysql_config_editortostoreauthenticationcredentialsin.mylogin.cnfinencryptedform.

Ifnotpossible,usetheuser-specificoptionsfile,.my.cnf.,andrestrictingfileaccesspermissionstotheuseridentity.

Impact:

Theglobalconfigurationisbydefaultreadableforallusersonthesystem.Thisisneededforglobaldefaults(prompt,port,socket,etc).Ifapasswordispresentinthisfilethenallusersonthesystemmaybeabletoaccessit.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html

74|P a g e

7.4Ensure'sql_mode'Contains'NO_AUTO_CREATE_USER'(Scored)






Description:

NO_AUTO_CREATE_USERisanoptionforsql_modethatpreventsaGRANTstatementfromautomaticallycreatingauserwhenauthenticationinformationisnotprovided.

Rationale:

Blankpasswordsnegatethebenefitsprovidedbyauthenticationmechanisms.Withoutthissettinganadministrativeusermightaccidentallycreateauserwithoutapassword.

Audit:

ExecutethefollowingSQLstatementstoassessthisrecommendation:

SELECT @@global.sql_mode; SELECT @@session.sql_mode;

EnsurethateachresultcontainsNO_AUTO_CREATE_USER.

Remediation:


1. OpentheMySQLconfigurationfile(my.cnf)2. Findthesql_modesettinginthe[mysqld]area3. AddtheNO_AUTO_CREATE_USERtothesql_modesetting

75|P a g e

7.5EnsurePasswordsAreSetforAllMySQLAccounts(Scored)




Description:

Blankpasswordsallowausertologinwithoutusingapassword.

Rationale:

Withoutapasswordonlyknowingtheusernameandthelistofallowedhostswillallowsomeonetoconnecttotheserverandassumetheidentityoftheuser.This,ineffect,bypassesauthenticationmechanisms.

Audit:

ExecutethefollowingSQLquerytodetermineifanyusershaveablankpassword:

SELECT User,host FROM mysql.user WHERE (plugin IN('mysql_native_password', 'mysql_old_password','') AND (LENGTH(Password) = 0 OR Password IS NULL)) OR (plugin='sha256_password' AND LENGTH(authentication_string) = 0);

Norowswillbereturnedifallaccountshaveapasswordset.

Remediation:

Foreachrowreturnedfromtheauditprocedure,setapasswordforthegivenuserusingthefollowingstatement(asanexample):

SET PASSWORD FOR <user>@'<host>' = PASSWORD('<clear password>')

NOTE:Replace<user>,<host>,and<clear password>withappropriatevalues.

76|P a g e

7.6EnsurePasswordPolicyIsinPlace(Scored)




Description:

Passwordcomplexityincludespasswordcharacteristicssuchaslength,case,length,andcharactersets.

Rationale:

Complexpasswordshelpmitigatedictionary,bruteforcing,andotherpasswordattacks.Thisrecommendationpreventsusersfromchoosingweakpasswordswhichcaneasilybeguessed.

Audit:


SHOW VARIABLES LIKE 'validate_password%';

Theresultsetfromtheabovestatementshouldshow:

• validate_password_length shouldbe14ormore• validate_password_mixed_case_countshouldbe1ormore• validate_password_number_countshouldbe1ormore• validate_password_special_char_countshouldbe1ormore• validate_password_policyshouldbeMEDIUMorSTRONG

Thefollowinglinesshouldbepresentintheglobalconfiguration:

plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT

Checkifusershaveapasswordwhichisidenticaltotheusername:

SELECT User,Password,Host FROM mysql.user WHERE password=CONCAT('*', UPPER(SHA1(UNHEX(SHA1(user)))));

NOTE:Thismethodisonlycapableofcheckingthepost-4.1passwordformatwhichisalsoknownasmysql_native_password.

77|P a g e

Remediation:

Addtotheglobalconfiguration:

plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM

Andchangepasswordsforuserswhichhavepasswordswhichareidenticaltotheirusername.

Impact:

Remediationforthisrecommendationrequiresaserverrestart.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html

78|P a g e

7.7EnsureNoUsersHaveWildcardHostnames(Scored)




Description:

MySQLcanmakeuseofhostwildcardswhengrantingpermissionstousersonspecificdatabases.Forexample,youmaygrantagivenprivilegeto'<user>'@'%'.

Rationale:

Avoidingtheuseofwildcardswithinhostnameshelpscontrolthespecificlocationsfromwhichagivenusermayconnecttoandinteractwiththedatabase.

Audit:


SELECT user, host FROM mysql.user WHERE host = '%';

Ensurenorowsarereturned.

Remediation:


1. Enumerateallusersreturnedafterrunningtheauditprocedure2. EitherALTERtheuser'shosttobespecificorDROPtheuser

79|P a g e

7.8EnsureNoAnonymousAccountsExist(Scored)




Description:

Anonymousaccountsareuserswithemptyusernames('').Anonymousaccountshavenopasswords,soanyonecanusethemtoconnecttotheMySQLserver.

Rationale:

RemovinganonymousaccountswillhelpensurethatonlyidentifiedandtrustedprincipalsarecapableofinteractingwithMySQL.

Audit:

ExecutethefollowingSQLquerytoidentifyanonymousaccounts:

SELECT user,host FROM mysql.user WHERE user = '';

Theabovequerywillreturnzerorowsifnoanonymousaccountsarepresent.

Remediation:


1. Enumeratetheanonymoususersreturnedfromexecutingtheauditprocedure2. Foreachanonymoususer,DROPorassignthemaname

NOTE:Asanalternative,youmayexecutethemysql_secure_installationutility.

Impact:

Anyapplicationsrelyingonanonymousdatabaseaccesswillbeadverselyaffectedbythischange.

DefaultValue:

Usingthestandardinstallationscript,mysql_install_db,itwillcreatetwoanonymousaccounts:oneforthehost'localhost'andtheotherforthenetworkinterface'sIPaddress.

80|P a g e

References:

1. http://dev.mysql.com/doc/refman/5.6/en/mysql-secure-installation.html2. https://dev.mysql.com/doc/refman/5.6/en/default-privileges.html

81|P a g e

8Network

ThissectioncontainsrecommendationsrelatedtohowtheMySQLserverusesthenetwork.

8.1Ensure'have_ssl'IsSetto'YES'(Scored)



Description:

AllnetworktrafficmustuseSSL/TLSwhentravelingoveruntrustednetworks.

Rationale:

TheSSL/TLS-protectedMySQLprotocolhelpstopreventeavesdroppingandman-in-the-middleattacks.

Audit:


SHOW variables WHERE variable_name = 'have_ssl';

EnsuretheValuereturnedisYES.

NOTE:have_openssl isanaliasforhave_ssl asofMySQL5.0.38.MySQLcanbebuildwithOpenSSLorYaSSL.

Remediation:

FollowtheproceduresasdocumentedintheMySQL5.6ReferenceManualtosetupSSL.

Impact:

EnablingSSLwillallowclientstoencryptnetworktrafficandverifytheidentityoftheserver.Thiscouldhaveimpactonnetworktrafficinspection.

DefaultValue:

DISABLED

References:

1. http://dev.mysql.com/doc/refman/5.6/en/ssl-connections.html2. http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html

82|P a g e

8.2Ensure'ssl_type'IsSetto'ANY','X509',or'SPECIFIED'forAllRemoteUsers(Scored)



Description:

AllnetworktrafficmustuseSSL/TLSwhentravelingoveruntrustednetworks.

SSL/TLSshouldbeenforcedonaper-userbasisforuserswhichenterthesystemthroughthenetwork.

Rationale:

TheSSL/TLS-protectedMySQLprotocolhelpstopreventeavesdroppingandman-in-the-middleattacks.

Audit:


SELECT user, host, ssl_type FROM mysql.user WHERE NOT HOST IN ('::1', '127.0.0.1', 'localhost');

Ensurethessl_typeforeachuserreturnedisequaltoANY,X509,orSPECIFIED.

NOTE:have_openssl isanaliasforhave_ssl asofMySQL5.0.38.MySQLcanbebuiltwithOpenSSLorYaSSL.

Remediation:

UsetheGRANTstatementtorequiretheuseofSSL:

GRANT USAGE ON *.* TO 'my_user'@'app1.example.com' REQUIRE SSL;

NotethatREQUIRESSLonlyenforcesSSL.ThereareoptionslikeREQUIREX509,REQUIREISSUER,REQUIRESUBJECTwhichcanbeusedtofurtherrestrictconnectionoptions.

Impact:

WhenSSL/TLSisenforcedthenclientswhichdonotuseSSLwillnotbeabletoconnect.IftheserverisnotconfiguredforSSL/TLSthenaccountsforwhichSSL/TLSismandatorywillnotbeabletoconnect

83|P a g e

DefaultValue:

Notenforced(ssl_typeisempty)

References:

1. http://dev.mysql.com/doc/refman/5.6/en/ssl-connections.html2. http://dev.mysql.com/doc/refman/5.6/en/grant.html

84|P a g e

9Replication

Everythingrelatedtoreplicatingdatafromoneservertoanother.

9.1EnsureReplicationTrafficIsSecured(NotScored)



Description:

Thereplicationtrafficbetweenserversshouldbesecured.

Rationale:

Thereplicationtrafficshouldbesecuredasitgivesaccesstoalltransferredinformationandmightleakpasswords.

Audit:

Checkifthereplicationtrafficisusing

• Aprivatenetwork• AVPN• SSL/TLS• ASSHTunnel

Remediation:

Securethenetworktraffic

Impact:

Whenthereplicationtrafficisnotsecuredsomeonemightbeabletocapturepasswordsandothersensitiveinformationwhensenttotheslave.

85|P a g e

9.2Ensure'master_info_repository'IsSetto'TABLE'(Scored)



Description:

Themaster_info_repositorysettingdeterminestowhereaslavelogsmasterstatusandconnectioninformation.TheoptionsareFILEorTABLE.Notealsothatthissettingisassociatedwiththesync_master_infosettingaswell.

Rationale:

Thepasswordwhichtheclientusesisstoredinthemasterinforepository,whichbydefaultisaplaintextfile.TheTABLEmasterinforepositoryisabitsafer,butwithfilesystemaccessit'sstillpossibletogainaccesstothepasswordtheslaveisusing.

Audit:


SHOW GLOBAL VARIABLES LIKE 'master_info_repository';

TheresultshouldbeTABLEinsteadofFILE.

NOTE:Therealsoshouldnotbeamaster.infofileinthedatadir.

Remediation:


1. OpentheMySQLconfigurationfile(my.cnf)2. Locatemaster_info_repository3. Setthemaster_info_repositoryvaluetoTABLE

NOTE:Ifmaster_info_repositorydoesnotexist,addittotheconfigurationfile.

DefaultValue:

FILE

References:

1. http://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository

86|P a g e

9.3Ensure'MASTER_SSL_VERIFY_SERVER_CERT'IsSetto'YES'or'1'(Scored)



Description:

IntheMySQLslavecontextthesettingMASTER_SSL_VERIFY_SERVER_CERTindicateswhethertheslaveshouldverifythemaster'scertificate.ThisconfigurationitemmaybesettoYesorNo,andunlessSSLhasbeenenabledontheslave,thevaluewillbeignored.

Rationale:

WhenSSLisinusecertificateverificationisimportanttoauthenticatethepartytowhichaconnectionisbeingmade.Inthiscase,theslave(client)shouldverifythemaster's(server's)certificatetoauthenticatethemasterpriortocontinuingtheconnection.

Audit:

Toassessthisrecommendation,issuethefollowingstatement:

select ssl_verify_server_cert from mysql.slave_master_info;

Verifythevalueofssl_verify_server_certis1.

Remediation:

ToremediatethissettingyoumustusetheCHANGE MASTER TOcommand.

STOP SLAVE; -- required if replication was already running CHANGE MASTER TO MASTER_SSL_VERIFY_SERVER_CERT=1; START SLAVE; -- required if you want to restart replication

Impact:

WhenusingCHANGE MASTER TO,beawareofthefollowing:

• SlaveprocessesneedtobestoppedpriortoexecutingCHANGE MASTER TO• UseofCHANGE MASTER TOstartsnewrelaylogswithoutkeepingtheoldonesunless

explicitlytoldtokeepthem• WhenCHANGE MASTER TOisinvoked,someinformationisdumpedtotheerrorlog

(previousvaluesforMASTER_HOST, MASTER_PORT, MASTER_LOG_FILE,andMASTER_LOG_POS)

• InvokingCHANGE MASTER TOwillimplicitlycommitanyongoingtransactions

87|P a g e

References:

1. https://dev.mysql.com/doc/refman/5.6/en/change-master-to.html

88|P a g e

9.4Ensure'super_priv'IsNotSetto'Y'forReplicationUsers(Scored)



Description:

TheSUPERprivilegefoundinthemysql.usertablegovernstheuseofavarietyofMySQLfeatures.Thesefeaturesinclude,CHANGE MASTER TO,KILL,mysqladminkilloption,PURGE BINARY LOGS,SET GLOBAL,mysqladmindebugoption,loggingcontrol,andmore.

Rationale:

TheSUPERprivilegeallowsprincipalstoperformmanyactions,includingviewandterminatecurrentlyexecutingMySQLstatements(includingstatementsusedtomanagepasswords).ThisprivilegealsoprovidestheabilitytoconfigureMySQL,suchasenable/disablelogging,alterdata,disable/enablefeatures.LimitingtheaccountsthathavetheSUPERprivilegereducesthechancesthatanattackercanexploitthesecapabilities.

Audit:


select user, host from mysql.user where user='repl' and Super_priv = 'Y';

Norowsshouldbereturned.

NOTE:Substituteyourreplicationuser'snameforreplintheabovequery.

The'repl'usercanbefoundinSHOWSLAVESTATUSbylookingfor:Master_User:

Remediation:

Executethefollowingstepstoremediatethissetting:

1. Enumeratethereplicationusersfoundintheresultsetoftheauditprocedure2. Foreachreplicationuser,issuethefollowingSQLstatement(replace"repl"with

yourreplicationuser'sname):

REVOKE SUPER ON *.* FROM 'repl';

89|P a g e

Impact:

WhentheSUPERprivilegeisdeniedtoagivenuser,thatuserwillbeunabletotakeadvantageofcertaincapabilities,suchascertainmysqladminoptions.

References:

1. http://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html#priv_super2. https://dev.mysql.com/doc/refman/5.6/en/show-slave-status.html

90|P a g e

9.5EnsureNoReplicationUsersHaveWildcardHostnames(Scored)



Description:

MySQLcanmakeuseofhostwildcardswhengrantingpermissionstousersonspecificdatabases.Forexample,youmaygrantagivenprivilegeto'<user>'@'%'.

Rationale:

Avoidingtheuseofwildcardswithinhostnameshelpscontrolthespecificlocationsfromwhichagivenusermayconnecttoandinteractwiththedatabase.

Audit:


SELECT user, host FROM mysql.user WHERE user='repl' AND host = '%';

Ensurenorowsarereturned.

Remediation:


1. Enumerateallusersreturnedafterrunningtheauditprocedure2. EitherALTERtheuser'shosttobespecificorDROPtheuser

91|P a g e

Appendix:SummaryTableControl Set

CorrectlyYes No

1 OperatingSystemLevelConfiguration1.1 PlaceDatabasesonNon-SystemPartitions(Scored) o o1.2 UseDedicatedLeastPrivilegedAccountforMySQL

Daemon/Service(Scored) o o

1.3 DisableMySQLCommandHistory(Scored) o o1.4 VerifyThattheMYSQL_PWDEnvironmentVariablesIsNotIn

Use(Scored) o o

1.5 DisableInteractiveLogin(Scored) o o1.6 VerifyThat'MYSQL_PWD'IsNotSetInUsers'Profiles

(Scored) o o

2 InstallationandPlanning2.1 BackupandDisasterRecovery2.1.1 Backuppolicyinplace(NotScored) o o2.1.2 Verifybackupsaregood(NotScored) o o2.1.3 Securebackupcredentials(NotScored) o o2.1.4 Thebackupsshouldbeproperlysecured(NotScored) o o2.1.5 Pointintimerecovery(NotScored) o o2.1.6 Disasterrecoveryplan(NotScored) o o2.1.7 Backupofconfigurationandrelatedfiles(NotScored) o o2.2 DedicateMachineRunningMySQL(NotScored) o o2.3 DoNotSpecifyPasswordsinCommandLine(NotScored) o o2.4 DoNotReuseUsernames(NotScored) o o2.5 DoNotUseDefaultorNon-MySQL-specificCryptographic

Keys(NotScored) o o

3 FileSystemPermissions3.1 Ensure'datadir'HasAppropriatePermissions(Scored) o o3.2 Ensure'log_bin_basename'FilesHaveAppropriate

Permissions(Scored) o o

3.3 Ensure'log_error'HasAppropriatePermissions(Scored) o o3.4 Ensure'slow_query_log'HasAppropriatePermissions

(Scored) o o

3.5 Ensure'relay_log_basename'FilesHaveAppropriatePermissions(Scored) o o

3.6 Ensure'general_log_file'HasAppropriatePermissions(Scored) o o

3.7 EnsureSSLKeyFilesHaveAppropriatePermissions(Scored) o o3.8 EnsurePluginDirectoryHasAppropriatePermissions o o

92|P a g e

(Scored)4 General4.1 EnsureLatestSecurityPatchesAreApplied(NotScored) o o4.2 Ensurethe'test'DatabaseIsNotInstalled(Scored) o o4.3 Ensure'allow-suspicious-udfs'IsSetto'FALSE'(Scored) o o4.4 Ensure'local_infile'IsDisabled(Scored) o o4.5 Ensure'mysqld'IsNotStartedwith'--skip-grant-tables'

(Scored) o o

4.6 Ensure'--skip-symbolic-links'IsEnabled(Scored) o o4.7 Ensurethe'daemon_memcached'PluginIsDisabled(Scored) o o4.8 Ensure'secure_file_priv'IsNotEmpty(Scored) o o4.9 Ensure'sql_mode'Contains'STRICT_ALL_TABLES'(Scored) o o5 MySQLPermissions5.1 EnsureOnlyAdministrativeUsersHaveFullDatabaseAccess

(Scored) o o

5.2 Ensure'file_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored) o o

5.3 Ensure'process_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored) o o

5.4 Ensure'super_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored) o o

5.5 Ensure'shutdown_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored) o o

5.6 Ensure'create_user_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored) o o

5.7 Ensure'grant_priv'IsNotSetto'Y'forNon-AdministrativeUsers(Scored) o o

5.8 Ensure'repl_slave_priv'IsNotSetto'Y'forNon-SlaveUsers(Scored) o o

5.9 EnsureDML/DDLGrantsAreLimitedtoSpecificDatabasesandUsers(Scored) o o

6 AuditingandLogging6.1 Ensure'log_error'IsNotEmpty(Scored) o o6.2 EnsureLogFilesAreStoredonaNon-SystemPartition

(Scored) o o

6.3 Ensure'log_warnings'IsSetto'2'(Scored) o o6.4 EnsureAuditLoggingIsEnabled(NotScored) o o6.5 Ensure'log-raw'IsSetto'OFF'(Scored) o o7 Authentication7.1 Ensure'old_passwords'IsNotSetto'1'or'ON'(Scored) o o7.2 Ensure'secure_auth'issetto'ON'(Scored) o o7.3 EnsurePasswordsAreNotStoredintheGlobalConfiguration

(Scored) o o

93|P a g e

7.4 Ensure'sql_mode'Contains'NO_AUTO_CREATE_USER'(Scored) o o

7.5 EnsurePasswordsAreSetforAllMySQLAccounts(Scored) o o7.6 EnsurePasswordPolicyIsinPlace(Scored) o o7.7 EnsureNoUsersHaveWildcardHostnames(Scored) o o7.8 EnsureNoAnonymousAccountsExist(Scored) o o8 Network8.1 Ensure'have_ssl'IsSetto'YES'(Scored) o o8.2 Ensure'ssl_type'IsSetto'ANY','X509',or'SPECIFIED'forAll

RemoteUsers(Scored) o o

9 Replication9.1 EnsureReplicationTrafficIsSecured(NotScored) o o9.2 Ensure'master_info_repository'IsSetto'TABLE'(Scored) o o9.3 Ensure'MASTER_SSL_VERIFY_SERVER_CERT'IsSetto'YES'

or'1'(Scored) o o

9.4 Ensure'super_priv'IsNotSetto'Y'forReplicationUsers(Scored) o o

9.5 EnsureNoReplicationUsersHaveWildcardHostnames(Scored) o o

94|P a g e

Appendix:ChangeHistoryDate Version Changesforthisversion

01-28-2015 1.0.0 InitialPublicRelease

07-07-2016 1.1.0 Ticket#240:Incorporated“root”intotheartifact

07-07-2016 1.1.0 Ticket#241:Resolvedincompleteremediationprocedure

07-07-2016 1.1.0 Ticket#243:Revisedaudittoincludemorepluginconfigurationoptions

07-07-2016 1.1.0 Ticket#275:Clarifiedthemeaningof“fullprivileges”

07-18-2016 1.1.0 Ticket#247:Addednoteclarifying‘repl’inqueryistobesubstituted

07-21-2016 1.1.0 Ticket#242:Addedimprovedauditprocedure

07-21-2016 1.1.0 Ticket#245:Revisedtheorderof“Ensure'master_info_repository'IsSetto'TABLE'”and“Ensure'MASTER_SSL_VERIFY_SERVER_CERT'IsSetto'YES'or'1'”

CIS Oracle MySQL Community Server 5.6 Benchmark v1.1.0 · This document, CIS Oracle MySQL Community...

Documents

Transcript of CIS Oracle MySQL Community Server 5.6 Benchmark v1.1.0 · This document, CIS Oracle MySQL Community...