STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 28 Jan 2021

The MySQL Database Server 8.0 must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

DISA Rule

SV-235140r638812_rule

Vulnerability Number

V-235140

Group Title

SRG-APP-000178-DB-000083

Rule Version

MYS8-00-005300

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Modify and configure each non-compliant application, tool, or feature associated with the MySQL Database Server 8.0/database so that it does not display authentication secrets.

Use -p (--password) without providing a password for the mysql command-line tool.

Configure or modify applications to prohibit display of passwords in clear text.

Use OS pluggable password manager integration to protect passwords using keyrings. The following is an example:
$ /usr/local/mysql/bin/mysql -uroot -p
Enter password:

$ mysqlsh --user=user --password
Please provide the password for 'user@localhost':

Check Contents

If all interaction with the user for purposes of authentication is handled by a software component separate from the MySQL Database Server 8.0, this is not a finding.

If any application, tool, or feature associated with the MySQL Database Server 8.0/database displays any authentication secrets (to include PINs and passwords) during or after the authentication process, this is a finding.

The MySQL command-line option --password (or -p), given without a value, obscures feedback on the typed-in password.

Ensure users are trained to use alternatives to command-line password parameters; if they are not, this is a finding.
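As an added illustration of the fix and check above (not part of the STIG or of MySQL's own tooling), the following POSIX shell helper classifies mysql/mysqlsh command lines by how the password is supplied and audits a constructed history sample for clear-text password arguments. It assumes each command line is one string without quoted spaces and only inspects argument syntax.

```shell
#!/bin/sh
# Added audit helper, not part of the STIG or of MySQL. Classifies a
# mysql/mysqlsh command line by how the password is supplied:
#   prompted - -p/--password with no value: client prompts and masks input
#   finding  - value attached (-pSECRET, --password=SECRET): secret visible
#              in process listings and shell history
#   none     - no password option present
# Assumption: one string per command line, no quoted spaces; only argument
# syntax is inspected, the client is never executed.
classify_password_arg() {
    verdict="none"
    set -- $1          # split the string into words on whitespace
    for arg in "$@"; do
        case "$arg" in
            --password=* | -p?*)
                verdict="finding"   # a value is attached to the option
                break
                ;;
            --password | -p)
                verdict="prompted"  # no value: client will prompt and mask
                ;;
        esac
    done
    printf '%s\n' "$verdict"
    [ "$verdict" != "finding" ]
}
# Reads shell-history style lines on stdin, prints each mysql/mysqlsh line
# that embeds a clear-text password; returns 1 if any were found.
audit_history() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *mysql*) ;;        # also matches mysqlsh
            *) continue ;;
        esac
        if [ "$(classify_password_arg "$line")" = "finding" ]; then
            printf 'FINDING: %s\n' "$line"
            found=1
        fi
    done
    return $found
}
# Constructed sample history (placeholder credentials, not real ones).
SAMPLE_HISTORY='/usr/local/mysql/bin/mysql -uroot -p
mysqlsh --user=user --password
mysql -u app -pNotASecret123 appdb
mysqlsh --user=app --password=NotASecret123
ls -la'
printf '%s\n' "$SAMPLE_HISTORY" | audit_history || echo "clear-text password use detected"
```

Pipe a real history file or the output of a process listing into audit_history to apply the same check on a host; lines that supply -p or --password without a value are reported as compliant.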

Vulnerability Number

V-235140

Documentable

False

Rule Version

MYS8-00-005300

Severity Override Guidance

If all interaction with the user for purposes of authentication is handled by a software component separate from the MySQL Database Server 8.0, this is not a finding.

If any application, tool, or feature associated with the MySQL Database Server 8.0/database displays any authentication secrets (to include PINs and passwords) during or after the authentication process, this is a finding.

The MySQL command-line option --password (or -p), given without a value, obscures feedback on the typed-in password.

Ensure users are trained to use alternatives to command-line password parameters; if they are not, this is a finding.

Check Content Reference

M

Target Key

5277

Comments