STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 28 Jan 2021

Default demonstration and sample databases, database objects, and applications must be removed.

DISA Rule

SV-235143r638812_rule

Vulnerability Number

V-235143

Group Title

SRG-APP-000141-DB-000090

Rule Version

MYS8-00-005600

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

MySQL 8.0 contains no demo databases by default. If demo schemas (aka databases) were added, remove them by executing:

mysql -u root -p --execute='DROP DATABASE `schema_name`'

Check Contents

Review vendor documentation and vendor websites to identify vendor-provided demonstration or sample databases, database applications, objects, and files. Note: MySQL does not include any in MySQL Database Server 8.0.

Review the MySQL Database Server 8.0 to determine if any of the demonstration and sample databases, database applications, or files are installed in the database or are included with the MySQL Database Server 8.0 application. If any are present in the database or are included with the MySQL Database Server 8.0 application, this is a finding.

Check database/schema content of MySQL with the following command:
SELECT * FROM information_schema.SCHEMATA where SCHEMA_NAME not in ('mysql','information_schema', 'sys', 'performance_schema');

If this system is identified as production, gather a listing of databases from the server and look for any matching the following general demonstration database names:
sakila
world
world_x
menagerie

If any of these databases exist, this is a finding.
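
The check above, as an added example that is not part of the STIG text: a shell function that reads a schema listing and flags the demonstration names listed in the check, skipping the system schemas the check query excludes. The function names, the FINDING/REVIEW labels and the sample listing (including app_orders) are assumptions, and the case-insensitive match goes beyond the literal name comparison in the check.

```shell
#!/bin/sh
# Added example: classify a schema listing against this rule's check.
# Input: one schema name per line on stdin, e.g. from
#   mysql -u root -p -N -B -e "SELECT SCHEMA_NAME FROM information_schema.SCHEMATA"
# Output: "FINDING <name>" for the demo names listed in the check,
#         "REVIEW <name>" for any other non-system schema.
# Exit status: 1 if at least one FINDING was printed, otherwise 0.
classify_schemas() {
    awk '
    BEGIN {
        # System schemas excluded by the check query.
        n = split("mysql information_schema sys performance_schema", s, " ")
        for (i = 1; i <= n; i++) sys_schema[s[i]] = 1
        # Demonstration database names listed in the check.
        n = split("sakila world world_x menagerie", d, " ")
        for (i = 1; i <= n; i++) demo[d[i]] = 1
    }
    {
        sub(/\r$/, "")                 # tolerate CRLF listings
        gsub(/^[ \t]+|[ \t]+$/, "")    # trim stray whitespace
        if ($0 == "") next
        key = tolower($0)              # names may differ only by case
        if (key in sys_schema) next
        if (key in demo) { print "FINDING " $0; found = 1 }
        else             { print "REVIEW " $0 }
    }
    END { exit (found ? 1 : 0) }
    '
}

# Constructed sample listing (not from a real server).
sample_listing() {
    printf '%s\n' information_schema mysql performance_schema sys \
        Sakila world_x app_orders
}

sample_listing | classify_schemas || echo "demo schema present: finding"
```

REVIEW lines are schemas the check query would return that are not on the demo list; they still need to be confirmed as legitimate application schemas.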

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5277

Comments