-
Notifications
You must be signed in to change notification settings - Fork 202
/
cis_mysql5-6_community.yml
291 lines (270 loc) · 21.1 KB
/
cis_mysql5-6_community.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
# Security Configuration Assessment
# CIS Checks for Oracle MySQL Community Edition 5.6
# Copyright (C) 2015-2020, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
#
# Based on:
# Center for Internet Security Benchmark for Oracle MySQL Community Edition 5.6 v1.1.0 - 08-15-2016
policy:
id: "cis_mysql_community"
file: "cis_mysql5-6_community.yml"
name: "CIS Benchmark for Oracle MySQL Community Server 5.6"
description: "This document, CIS Oracle MySQL Community Server 5.6 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for MySQL Community Server 5.6. This guide was tested against MySQL Community Server 5.6 running on Ubuntu Linux 14.04, but applies to other linux distributions as well."
references:
- https://www.cisecurity.org/cis-benchmarks/
requirements:
title: "Check that MySQL is installed on the system"
description: "Requirements for running the SCA scan against the MySQL policy."
condition: any
rules:
- 'd:/etc/mysql'
- 'd:/var/lib/mysql'
checks:
#1 Operating System Level Configuration
- id: 10500
title: "Disable MySQL Command History"
description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled."
rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
remediation: "Perform the following steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
compliance:
- cis: ["1.3"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
- https://bugs.mysql.com/bug.php?id=72158
condition: none
rules:
- 'd:/home -> ^.mysql_history$'
- 'd:/root -> ^.mysql_history$'
- id: 10501
title: "Disable Interactive Login"
description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would."
rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
compliance:
- cis: ["1.5"]
condition: all
rules:
- 'c:getent passwd mysql -> r:/bin/false|/sbin/nologin'
- id: 10502
title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles"
description: "MySQL can read a default database password from an environment variable called MYSQL_PWD."
rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
compliance:
- cis: ["1.6"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
condition: none
rules:
- 'c:find /home -maxdepth 2 -type f -exec grep MYSQL_PWD {} + -> r:.profile|.bashrc|.bash_profile && r:$MYSQL_PWD'
#4 General
- id: 10503
title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'"
description: "This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add."
rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
compliance:
- cis: ["4.3"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
condition: none
rules:
- 'c:my_print_defaults mysqld -> r:allow-suspicious-udfs'
- id: 10504
title: "Ensure 'local_infile' is Disabled"
description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'."
rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
compliance:
- cis: ["4.4"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
- https://dev.mysql.com/doc/refman/5.6/en/load-data.html
condition: all
rules:
- 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s*=\s*0'
- id: 10505
title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
description: "This option causes mysqld to start without using the privilege system."
rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE"
compliance:
- cis: ["4.5"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
condition: all
rules:
- 'c:grep -Rh skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false'
- id: 10506
title: "Ensure '--skip-symbolic-links' Is Enabled"
description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When use of symbolic links are enabled, they have different effects depending on the host platform. When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. "
rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not exist, create it in the 'mysqld' section."
compliance:
- cis: ["4.6"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
condition: all
rules:
- 'c:grep -Rh skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes'
- id: 10507
title: "Ensure 'secure_file_priv' is not empty"
description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL."
rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
remediation: "Add the line secure_file_priv=<path_to_load_directory> to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
compliance:
- cis: ["4.8"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
condition: all
rules:
- 'c:grep -Rh secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.'
- id: 10508
title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work."
rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
compliance:
- cis: ["4.9"]
condition: all
rules:
- 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
#6 Auditing and Logging
- id: 10509
title: "Ensure 'log_error' is not empty"
description: "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails"
rationale: "Enabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
compliance:
- cis: ["6.1"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/error-log.html
condition: all
rules:
- 'c:grep -Rh log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*'
- id: 10510
title: "Ensure Log Files are not Stored on a non-system partition"
description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root, /var, or /usr."
rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
compliance:
- cis: ["6.2"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
- https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
condition: none
rules:
- 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+$|log_bin\s*\t*/+var/*$|log_bin\s*\t*/+usr/*$'
- id: 10511
title: "Ensure 'log_warning' is set to 2"
description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
compliance:
- cis: ["6.3"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
condition: all
rules:
- 'c:grep -Rh log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2'
- id: 10512
title: "Ensure 'log_raw' is set to 'OFF'"
description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text. If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. "
rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
compliance:
- cis: ["6.4"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
condition: all
rules:
- 'c:grep -Rh log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$'
#7 Authentication
- id: 10513
title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin"
rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
compliance:
- cis: ["7.1"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
- https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
- https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords
- https://www.cvedetails.com/cve/CVE-2003-1480/
condition: none
rules:
- 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1'
- 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on'
- id: 10514
title: "Ensure 'secure_auth' is set to 'ON'"
description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
compliance:
- cis: ["7.2"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
condition: all
rules:
- 'c:grep -Rh secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on'
- id: 10515
title: "Ensure Passwords Are Not Stored in the Global Configuration"
description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
compliance:
- cis: ["7.3"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
condition: none
rules:
- 'c:grep -Rh password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*'
- id: 10516
title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
compliance:
- cis: ["7.4"]
condition: all
rules:
- 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
- id: 10517
title: "Ensure Password Policy is in Place"
description: "Password complexity includes password characteristics such as length, case, length, and character sets."
rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
compliance:
- cis: ["7.6"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
condition: all
rules:
- 'c:grep -Rh plugin-load /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$'
- 'c:grep -Rh validate-password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$'
- 'c:grep -Rh validate_password_length /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14'
- 'c:grep -Rh validate_password_mixed_case_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1'
- 'c:grep -Rh validate_password_number_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1'
- 'c:grep -Rh validate_password_special_char_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1'
- 'c:grep -Rh validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*'
#9 Replication
- id: 10518
title: "Ensure 'master_info_repository' is set to 'TABLE'"
description: "The master_info_repository setting determines to where a slave logs master status and connection information. The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well."
rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
compliance:
- cis: ["9.2"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
condition: all
rules:
- 'c:grep -Rh master_info_repository /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table'