sca/applications/cis_mysql5-6_community.yml

# Security Configuration Assessment
# CIS Checks for Oracle MySQL Community Edition 5.6
# Copyright (C) 2015-2020, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
#
# Based on:
# Center for Internet Security Benchmark for Oracle MySQL Community Edition 5.6 v1.1.0  - 08-15-2016

policy:
  id: "cis_mysql_community"
  file: "cis_mysql5-6_community.yml"
  name: "CIS Benchmark for Oracle MySQL Community Server 5.6"
  description: "This document, CIS Oracle MySQL Community Server 5.6 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for MySQL Community Server 5.6. This guide was tested against MySQL Community Server 5.6 running on Ubuntu Linux 14.04, but applies to other linux distributions as well."
  references:
    - https://www.cisecurity.org/cis-benchmarks/

requirements:
  title: "Check that MySQL is installed on the system"
  description: "Requirements for running the SCA scan against the MySQL policy."
  condition: any
  rules:
    - 'd:/etc/mysql'
    - 'd:/var/lib/mysql'

checks:
#1 Operating System Level Configuration
  - id: 10500 
    title: "Disable MySQL Command History"
    description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled."
    rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
    remediation: "Perform the following steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
    compliance:
      - cis: ["1.3"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
      - https://bugs.mysql.com/bug.php?id=72158
    condition: none
    rules:
      - 'd:/home -> ^.mysql_history$'
      - 'd:/root -> ^.mysql_history$'

  - id: 10501 
    title: "Disable Interactive Login"
    description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would."
    rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
    remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
    compliance:
      - cis: ["1.5"]
    condition: all
    rules:
      - 'c:getent passwd mysql -> r:/bin/false|/sbin/nologin'

  - id: 10502 
    title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles"
    description: "MySQL can read a default database password from an environment variable called MYSQL_PWD."
    rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
    remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
    compliance:
      - cis: ["1.6"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
    condition: none
    rules:
      - 'c:find /home -maxdepth 2 -type f -exec grep MYSQL_PWD {} + -> r:.profile|.bashrc|.bash_profile && r:$MYSQL_PWD'

#4 General
  - id: 10503 
    title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'"
    description: "This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add."
    rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
    remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
    compliance:
      - cis: ["4.3"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
    condition: none
    rules:
      - 'c:my_print_defaults mysqld -> r:allow-suspicious-udfs'

  - id: 10504 
    title: "Ensure 'local_infile' is Disabled"
    description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'."
    rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
    remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
    compliance:
      - cis: ["4.4"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
      - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
    condition: all
    rules:
      - 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s*=\s*0'

  - id: 10505 
    title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
    description: "This option causes mysqld to start without using the privilege system."
    rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
    remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE"
    compliance:
      - cis: ["4.5"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
    condition: all
    rules:
      - 'c:grep -Rh skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false'

  - id: 10506 
    title: "Ensure '--skip-symbolic-links' Is Enabled"
    description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available.  When use of symbolic links are enabled, they have different effects depending on the host platform.  When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. "
    rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
    remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not exist, create it in the 'mysqld' section."
    compliance:
      - cis: ["4.6"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
    condition: all
    rules:
      - 'c:grep -Rh skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes'

  - id: 10507 
    title: "Ensure 'secure_file_priv' is not empty"
    description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL."
    rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
    remediation: "Add the line secure_file_priv=<path_to_load_directory> to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
    compliance:
      - cis: ["4.8"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
    condition: all
    rules:
      - 'c:grep -Rh secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.'

  - id: 10508 
    title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
    description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work."
    rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
    remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
    compliance:
      - cis: ["4.9"]
    condition: all
    rules:
      - 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'

#6 Auditing and Logging
  - id: 10509 
    title: "Ensure 'log_error' is not empty"
    description: "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails"
    rationale: "Enabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
    remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
    compliance:
      - cis: ["6.1"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
    condition: all
    rules:
      - 'c:grep -Rh log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*'

  - id: 10510 
    title: "Ensure Log Files are not Stored on a non-system partition"
    description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem.  It is common practice to ensure that the system filesystem is left uncluttered by application logs.  System filesystems include the root, /var, or /usr."
    rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
    remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
    compliance:
      - cis: ["6.2"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
      - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
    condition: none
    rules:
      - 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+$|log_bin\s*\t*/+var/*$|log_bin\s*\t*/+usr/*$'

  - id: 10511 
    title: "Ensure 'log_warning' is set to 2"
    description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log.  A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
    rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
    remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
    compliance:
      - cis: ["6.3"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
    condition: all
    rules:
      - 'c:grep -Rh log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2'

  - id: 10512 
    title: "Ensure 'log_raw' is set to 'OFF'"
    description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text.  If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. "
    rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
    remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
    compliance:
      - cis: ["6.4"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
    condition: all
    rules:
      - 'c:grep -Rh log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$'

#7 Authentication
  - id: 10513 
    title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
    description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements.  Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin"
    rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
    remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
    compliance:
      - cis: ["7.1"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
      - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
      - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords
      - https://www.cvedetails.com/cve/CVE-2003-1480/
    condition: none
    rules:
      - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1'
      - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on'

  - id: 10514 
    title: "Ensure 'secure_auth' is set to 'ON'"
    description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
    rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
    remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
    compliance:
      - cis: ["7.2"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
    condition: all
    rules:
      - 'c:grep -Rh secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on'

  - id: 10515 
    title: "Ensure Passwords Are Not Stored in the Global Configuration"
    description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
    rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
    remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
    compliance:
      - cis: ["7.3"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
    condition: none
    rules:
      - 'c:grep -Rh password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*'

  - id: 10516 
    title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
    description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
    rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
    remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
    compliance:
      - cis: ["7.4"]
    condition: all
    rules:
      - 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'

  - id: 10517 
    title: "Ensure Password Policy is in Place"
    description: "Password complexity includes password characteristics such as length, case, length, and character sets."
    rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
    remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
    compliance:
      - cis: ["7.6"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
    condition: all
    rules:
      - 'c:grep -Rh plugin-load /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$'
      - 'c:grep -Rh validate-password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$'
      - 'c:grep -Rh validate_password_length /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14'
      - 'c:grep -Rh validate_password_mixed_case_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1'
      - 'c:grep -Rh validate_password_number_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1'
      - 'c:grep -Rh validate_password_special_char_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1'
      - 'c:grep -Rh validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*'

#9 Replication
  - id: 10518 
    title: "Ensure 'master_info_repository' is set to 'TABLE'"
    description: "The master_info_repository setting determines to where a slave logs master status and connection information.  The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well."
    rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
    remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
    compliance:
      - cis: ["9.2"]
    references:
      - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
    condition: all
    rules:
      - 'c:grep -Rh master_info_repository /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table'