STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 28 Jan 2021

The MySQL Database Server 8.0 must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.

DISA Rule

SV-235154r638812_rule

Vulnerability Number

V-235154

Group Title

SRG-APP-000224-DB-000384

Rule Version

MYS8-00-007000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Connect as a MySQL administrator:
mysql> set persist require_secure_transport=ON;

Turn on MySQL FIPS mode (ON or STRICT) and restart mysqld.
Edit my.cnf:
[mysqld]
ssl_fips_mode=ON
or
ssl_fips_mode=STRICT

Check Contents

Determine if MySQL is configured to require SSL.

SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.global_variables
WHERE VARIABLE_NAME like 'require_secure_transport';

If require_secure_transport is not "ON", this is a finding.

Determine if MySQL is configured to require the use of FIPS compliant algorithms.

SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.global_variables
WHERE VARIABLE_NAME = 'ssl_fips_mode';

If ssl_fips_mode is not "ON", this is a finding.
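
Added example (not part of the STIG or of STIGQter): a Python evaluator that applies the check text above literally to saved, tab-separated output of the two queries. The function names, the batch-style output format and the sample data are assumptions. It reports ssl_fips_mode=STRICT as a finding because the check text accepts only "ON", even though the fix text lists STRICT as an option.

```python
"""Evaluate MYS8-00-007000 from saved output of the two check queries."""

# Variables the check text inspects; per the check, any value other than "ON" is a finding.
REQUIRED = ("require_secure_transport", "ssl_fips_mode")


def parse_batch_output(text):
    """Parse tab-separated VARIABLE_NAME/VARIABLE_VALUE rows (assumed batch-style output)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("VARIABLE_NAME"):
            continue  # skip blank lines and the column-header row
        name, _, value = line.partition("\t")
        values[name.strip().lower()] = value.strip()
    return values


def evaluate(values):
    """Return {variable: (status, detail)}, applying the check text literally."""
    results = {}
    for var in REQUIRED:
        value = values.get(var)
        if value is None:
            # A query that returns no row gives no evidence the setting is ON.
            results[var] = ("FINDING", "no row returned for this variable")
        elif value.upper() == "ON":
            results[var] = ("PASS", "value is ON")
        elif var == "ssl_fips_mode" and value.upper() == "STRICT":
            # The fix text lists STRICT as an option, but the check text accepts only ON.
            results[var] = ("FINDING", "value is STRICT; check text accepts only ON")
        else:
            results[var] = ("FINDING", f"value is {value!r}, expected ON")
    return results


# Constructed sample output, not captured from a real server.
SAMPLE = (
    "VARIABLE_NAME\tVARIABLE_VALUE\n"
    "require_secure_transport\tON\n"
    "ssl_fips_mode\tOFF\n"
)

if __name__ == "__main__":
    for var, (status, detail) in evaluate(parse_batch_output(SAMPLE)).items():
        print(f"{var}: {status} ({detail})")
```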

Documentable

False

Check Content Reference

M

Target Key

5277

Comments