STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021: STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021:SV-235170r638812_rule
V-235170
SRG-APP-000381-DB-000361
MYS8-00-009300
CAT II
10
If currently required, configure the MySQL Database Server to produce audit records when enforcement of access restrictions is associated with changes to the configuration of the DBMS or database(s).
See the supplemental file "MySQL80Audit.sql".
Determine if an audit is configured to capture denied actions.
Check if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.
To further check, execute the following query:
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'audit%';
The status of the audit_log plugin must be "active". If it is not "active", this is a finding.
Review audit filters and associated users by running the following queries:
SELECT `audit_log_filter`.`NAME`,
`audit_log_filter`.`FILTER`
FROM `mysql`.`audit_log_filter`;
SELECT `audit_log_user`.`USER`,
`audit_log_user`.`HOST`,
`audit_log_user`.`FILTERNAME`
FROM `mysql`.`audit_log_user`;
All currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.
Connect and run commands as a low-privilege user. For example attempt to change system variables, user name, or another user's password, all of which should fail:
set persist wait_timeout=28000;
rename user passme to cantchange;
SET PASSWORD FOR passme = 'sfsdfsdf';
Review the audit log and inspect event data containing identity and user subject details by running the Linux command:
sudo cat <directory where audit log files are located>/audit.log
For example if the values returned by "select @@datadir, @@audit_log_file; " are /usr/local/mysql/data/, audit.log
sudo cat /usr/local/mysql/data/audit.log
{ "timestamp": "2020-08-31 20:10:21", "id": 1, "class": "general", "event": "status", "connection_id": 38, "account": { "user": "fewconnects", "host": "localhost" }, "login": { "user": "fewconnects", "os": "", "ip": "127.0.0.1", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "set_option", "query": "set persist wait_timeout=28000", "status": 1227 } },
{ "timestamp": "2020-08-31 20:10:48", "id": 1, "class": "general", "event": "status", "connection_id": 38, "account": { "user": "fewconnects", "host": "localhost" }, "login": { "user": "fewconnects", "os": "", "ip": "127.0.0.1", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "rename_user", "query": "rename user passme to cantchange", "status": 1227 } },
, "host": "localhost" }, "login": { "user": "fewconnects", "os": "", "ip": "127.0.0.1", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "set_password", "query": "SET PASSWORD FOR `passme`@`%`=<secret>", "status": 1044 } },
Note each has a non-zero status, 1227, 1227, and 1044 respectively.
If the audit log does not contain records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s), this is a finding.
V-235170
False
MYS8-00-009300
Determine if an audit is configured to capture denied actions.
Check if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.
To further check, execute the following query:
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'audit%';
The status of the audit_log plugin must be "active". If it is not "active", this is a finding.
Review audit filters and associated users by running the following queries:
SELECT `audit_log_filter`.`NAME`,
`audit_log_filter`.`FILTER`
FROM `mysql`.`audit_log_filter`;
SELECT `audit_log_user`.`USER`,
`audit_log_user`.`HOST`,
`audit_log_user`.`FILTERNAME`
FROM `mysql`.`audit_log_user`;
All currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.
Connect and run commands as a low-privilege user. For example attempt to change system variables, user name, or another user's password, all of which should fail:
set persist wait_timeout=28000;
rename user passme to cantchange;
SET PASSWORD FOR passme = 'sfsdfsdf';
Review the audit log and inspect event data containing identity and user subject details by running the Linux command:
sudo cat <directory where audit log files are located>/audit.log
For example if the values returned by "select @@datadir, @@audit_log_file; " are /usr/local/mysql/data/, audit.log
sudo cat /usr/local/mysql/data/audit.log
{ "timestamp": "2020-08-31 20:10:21", "id": 1, "class": "general", "event": "status", "connection_id": 38, "account": { "user": "fewconnects", "host": "localhost" }, "login": { "user": "fewconnects", "os": "", "ip": "127.0.0.1", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "set_option", "query": "set persist wait_timeout=28000", "status": 1227 } },
{ "timestamp": "2020-08-31 20:10:48", "id": 1, "class": "general", "event": "status", "connection_id": 38, "account": { "user": "fewconnects", "host": "localhost" }, "login": { "user": "fewconnects", "os": "", "ip": "127.0.0.1", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "rename_user", "query": "rename user passme to cantchange", "status": 1227 } },
, "host": "localhost" }, "login": { "user": "fewconnects", "os": "", "ip": "127.0.0.1", "proxy": "" }, "general_data": { "command": "Query", "sql_command": "set_password", "query": "SET PASSWORD FOR `passme`@`%`=<secret>", "status": 1044 } },
Note each has a non-zero status, 1227, 1227, and 1044 respectively.
If the audit log does not contain records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s), this is a finding.
M
5277