STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 28 Jan 2021

The MySQL Database Server 8.0 must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

DISA Rule

SV-235149r638812_rule

Vulnerability Number

V-235149

Group Title

SRG-APP-000180-DB-000115

Rule Version

MYS8-00-006300

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure MySQL Database Server 8.0 settings to uniquely identify and authenticate all non-organizational users who log on to the system.

Ensure that every login is uniquely identifiable and that all non-organizational users who log on to the system are authenticated. This is typically achieved by mapping each MySQL account to a single individual. Verify against the server documentation that all accounts are documented and unique.

Check Contents

Review MySQL Database Server 8.0 settings to determine whether all non-organizational users who log on to the system are uniquely identified and authenticated.

SELECT host, user FROM mysql.user WHERE user NOT IN ('mysql.infoschema', 'mysql.session', 'mysql.sys');

If any accounts are determined to be shared, determine whether the individuals using them are first authenticated individually.

If the documentation indicates that this is a public-facing, read-only (from the point of view of public users) database that does not require individual authentication, this is not a finding.

If non-organizational users are not uniquely identified and authenticated, this is a finding.
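An expanded version of the check query, added here as an example and not part of the STIG text. It keeps the same system-account exclusion but adds the columns a reviewer needs to spot generic or shared logins (wildcard host, no credential, locked or expired state) and joins the owner attribute that can be recorded with CREATE USER / ALTER USER ... ATTRIBUTE; the join assumes MySQL 8.0.21 or later, where INFORMATION_SCHEMA.USER_ATTRIBUTES is available.

```sql
-- Added example, not the STIG's own query.
-- Lists every non-system account with the facts needed to judge whether it
-- maps to one identifiable person. Accounts with no credential or a wildcard
-- host sort to the top so they are reviewed first.
SELECT u.Host,
       u.User,
       u.plugin                            AS auth_plugin,     -- authentication method in use
       u.account_locked,
       u.password_expired,
       (u.Host = '%')                      AS any_host,        -- reachable from any host: often a generic account
       (u.authentication_string = '')      AS no_credential,   -- account with no password set
       a.ATTRIBUTE                         AS owner_attribute  -- JSON set via CREATE/ALTER USER ... ATTRIBUTE (assumed 8.0.21+)
FROM mysql.user AS u
LEFT JOIN information_schema.USER_ATTRIBUTES AS a
       ON a.USER = u.User AND a.HOST = u.Host
WHERE u.User NOT IN ('mysql.infoschema', 'mysql.session', 'mysql.sys')
ORDER BY no_credential DESC, any_host DESC, u.User, u.Host;
```

Any row whose owner_attribute is NULL, or whose Host is '%' with no documented individual owner, is a candidate shared account to reconcile against the server documentation.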

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5277

Comments