STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021: STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021:SV-235177r638812_rule
V-235177
SRG-APP-000400-DB-000367
MYS8-00-010300
CAT II
10
Modify system settings to implement the organization-defined limit on the lifetime of cached authenticators.
Configure the MySQL server for GSSAPI/Kerberos LDAP authentication plugin to use the GSSAPI/Kerberos authentication method.
Following is an example of plugin-related settings the server my.cnf file might contain:
[mysqld]
plugin-load-add=authentication_ldap_sasl.so
authentication_ldap_sasl_auth_method_name="GSSAPI"
authentication_ldap_sasl_server_host=198.51.100.10
authentication_ldap_sasl_server_port=389
authentication_ldap_sasl_bind_root_dn="cn=admin,cn=users,dc=MYSQL,dc=LOCAL"
authentication_ldap_sasl_bind_root_pwd="password"
authentication_ldap_sasl_bind_base_dn="cn=users,dc=MYSQL,dc=LOCAL"
authentication_ldap_sasl_user_search_attr="sAMAccountName"
Create account(s) using Kerberos Authentication.
For example:
CREATE USER 'bredon@MYSQL.LOCAL'
IDENTIFIED WITH authentication_ldap_sasl
BY '#krb_grp=proxied_krb_user';
CREATE USER 'proxied_krb_user'
IDENTIFIED WITH mysql_no_login;
GRANT ALL
ON krb_user_db.*
TO 'proxied_krb_user';
GRANT PROXY
ON 'proxied_krb_user'
TO 'bredon@MYSQL.LOCAL’;
Verify that the MySQL is using Kerberos Authentication.
On the server:
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE '%ldap%';
On the client(s) where Kerberos will authenticate, check how long the ticket is cached.
First check whether Kerberos authentication works correctly:
Use kinit to authenticate to Kerberos, for example.
kinit bredon@MYSQL.LOCAL
The command authenticates for the Kerberos principal named bredon@MYSQL.LOCAL. Enter the principal's password when the command prompts for it. The KDC returns a TGT that is cached on the client side for use by other Kerberos-aware applications.
Use klist to check whether the TGT was obtained correctly.
The output should be similar to this:
Ticket cache: FILE:/tmp/krb5cc_244306
Default principal: bredon@MYSQL.LOCAL
Valid starting Expires Service principal
03/23/2020 08:18:33 03/23/2020 18:18:33 krbtgt/MYSQL.LOCAL@MYSQL.LOCAL
If the ticket expiration time exceeds the desired maximum expiration, and Kerberos is enabled, check the LDAP server for the maximum lifetime of the Kerberos service Tickets expiration policy.
If the lifetime exceeds the desired expiration time, this is a finding.
V-235177
False
MYS8-00-010300
Verify that the MySQL is using Kerberos Authentication.
On the server:
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE '%ldap%';
On the client(s) where Kerberos will authenticate, check how long the ticket is cached.
First check whether Kerberos authentication works correctly:
Use kinit to authenticate to Kerberos, for example.
kinit bredon@MYSQL.LOCAL
The command authenticates for the Kerberos principal named bredon@MYSQL.LOCAL. Enter the principal's password when the command prompts for it. The KDC returns a TGT that is cached on the client side for use by other Kerberos-aware applications.
Use klist to check whether the TGT was obtained correctly.
The output should be similar to this:
Ticket cache: FILE:/tmp/krb5cc_244306
Default principal: bredon@MYSQL.LOCAL
Valid starting Expires Service principal
03/23/2020 08:18:33 03/23/2020 18:18:33 krbtgt/MYSQL.LOCAL@MYSQL.LOCAL
If the ticket expiration time exceeds the desired maximum expiration, and Kerberos is enabled, check the LDAP server for the maximum lifetime of the Kerberos service Tickets expiration policy.
If the lifetime exceeds the desired expiration time, this is a finding.
M
5277