{"stig":{"title":"Oracle MySQL 8.0 Security Technical Implementation Guide","version":"2","release":"2"},"checks":[{"vulnId":"V-235095","ruleId":"SV-235095r960768_rule","severity":"high","ruleTitle":"MySQL Database Server 8.0 must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.","description":"Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization.\n\nA comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. \n\nExamples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores, such as multiple servers. Account management functions can also include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephone notification to report atypical system account usage.\n\nThe DBMS must be configured to automatically utilize organization-level account management functions, and these functions must immediately enforce the organization's current account policy. \n\nAutomation may be comprised of differing technologies that when placed together contain an overall mechanism supporting an organization's automated account management requirements.","checkContent":"Determine if an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals has been configured.\n\nTo determine if a MySQL Server has any external authentication plugins, connect as a mysql administrator (root) and run the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE '%ldap%' OR PLUGIN_NAME LIKE '%pam%' OR PLUGIN_NAME LIKE '%authentication_windows %';\n\nOne or more of the following plugins must be installed and in the listed results:\nauthentication_ldap_simple\nauthentication_ldap_sasl\nauthentication_pam\nauthentication_windows\n\nIf at least one of the above plugins is not installed, then no organization-level authentication/access is in place, and this is a finding.\n\nDepending on the plugin in use, review its configuration. \n\nFor a list of global variables, run the following query:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE 'auth%' ; \n\nIf the LDAP plugin is installed, check the ldap_host and mapping. \n\nFor the LDAP plugin, global variables showing the configuration for authentication to ldap hosts and binding to organizational users should look similar to the following:\nauthentication_ldap_simple_server_host=127.0.0.1\nauthentication_ldap_simple_bind_base_dn=\"dc=example,dc=com\"\nauthentication_ldap_sasl_server_host=127.0.0.1\nauthentication_ldap_sasl_bind_base_dn=\"dc=example,dc=com\"\n\nIf the ldap_host is not a valid authentication host or the mapping to the base_dn maps is not correct, this is a finding.\n\nDetermine the accounts (SQL Logins) managed by PAM. Run the statement: \nSELECT `user`.`Host`,\n `user`.`user`,\n `user`.`plugin`,\n `user`.`authentication_string`\n from mysql.user where plugin like 'authentication_pam';\n\nFor PAM, the string consists of a PAM service name, optionally followed by a PAM group mapping list consisting of one or more keyword/value pairs each specifying a PAM group name and a MySQL user name. \n\nIf not defined, this is a finding.\n\nIf the windows plugin is installed, the organization mapping details will be defined within the user \"authentication string\". \n\nDetermine the accounts (SQL logins) managed by Windows. Run the statement: \nReview the accounts\nSELECT `user`.`Host`,\n `user`.`user`,\n `user`.`plugin`,\n `user`.`authentication_string`\n from mysql.user where plugin like 'authentication_windows;\n\nVerify that the Windows user, group, and windows role in the authentication_string map to proper organizational users. If not, this is a finding.\n\nTo determine the accounts (MySQL accounts) actually managed by MySQL Server. Run the statement: \nSELECT `user`.`Host`,\n `user`.`User`,\n `user`.`plugin`,\n `user`.`authentication_string`\n from mysql.user where plugin not like 'auth%' and `user`.`User` not like 'mysql.%';\n\nIf any accounts listed by the query are not listed in the documentation and authorized, this is a finding.","fixText":"Integrate MySQL database server 8.0 security with an organization-level authentication/access mechanism using MySQL external authentication for Microsoft AD or LDAP, or Linux PAMs thus providing account management for all users, groups, roles, and any other principals.\n\nIf native mysql users are required, document the need and justification; describe the measures taken to ensure the use of MySQL Server authentication is kept to a minimum; describe the measures taken to safeguard passwords; list or describe the MySQL logins used.\n\nFor each MySQL database server 8.0 managed account that is not documented and approved, either transfer it to management by the external mechanism, or document the need for it and obtain approval, as appropriate. \n\nInstall appropriate external authentication plugin, for example to install LDAP. \nINSTALL PLUGIN authentication_ldap_sasl\n SONAME 'authentication_ldap_sasl.so';\nINSTALL PLUGIN authentication_ldap_simple\n SONAME 'authentication_ldap_simple.so';\n\nConfigure the plugin, for example:\nSET PERSIST authentication_ldap_sasl_server_host='127.0.0.1';\nSET PERSIST authentication_ldap_sasl_bind_base_dn='dc=example,dc=com';\nSET PERSIST authentication_ldap_simple_server_host='127.0.0.1';\nSET PERSIST authentication_ldap_simple_bind_base_dn='dc=example,dc=com';\n\nCreate users with proper organizational mapping, for example:\nCREATE USER 'betsy'@'localhost'\n IDENTIFIED WITH authentication_ldap_simple\n BY 'uid=betsy_ldap,ou=People,dc=example,dc=com';\n\nAssign appropriate permissions via grants on objects or to roles, etc. See https://dev.mysql.com/doc/refman/8.0/en/grant.html.\nFor example:\nGRANT ALL ON db1.* TO 'betsy'@'localhost';\nGRANT 'role1', 'role2' TO 'user1'@'localhost', 'user2'@'localhost';\nGRANT SELECT ON world.* TO 'role3';\n\nFor accounts not required in the MySQL Server:\nDROP USER ;","ccis":["CCI-000015"]},{"vulnId":"V-235096","ruleId":"SV-235096r960735_rule","severity":"medium","ruleTitle":"MySQL Database Server 8.0 must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.","description":"Database management includes the ability to control the number of users and user sessions utilizing a Database Management System (DBMS). Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks.\n\nThis requirement addresses concurrent session control for a single account. It does not address concurrent sessions by a single user via multiple system accounts; and it does not deal with the total number of sessions across all accounts.\n\nThe capability to limit the number of concurrent sessions per user must be configured in or added to the DBMS (for example, by use of a logon trigger), when this is technically feasible. Note that it is not sufficient to limit sessions via a web server or application server alone, because legitimate users and adversaries can potentially connect to the DBMS by other means.\n\nThe organization will need to define the maximum number of concurrent sessions by account type, by account, or a combination thereof. In deciding on the appropriate number, it is important to consider the work requirements of the various types of users. For example, 2 might be an acceptable limit for general users accessing the database via an application; but 10 might be too few for a database administrator using a database management GUI tool, where each query tab and navigation pane may count as a separate session.\n\n(Sessions may also be referred to as connections or logons, which for the purposes of this requirement, are synonyms.)","checkContent":"Determine whether the system documentation specifies limits on the number of concurrent MySQL database server 8.0 sessions.\n\nReview the concurrent-sessions settings in the MySQL database server and/or the applications using it, and/or the system software supporting it. \n\nMySQL global variable max_user_connections limits the number of simultaneous connections that can be made by any given account.\n\nTo check global (default) concurrent-sessions settings in the MySQL database server, run the following query:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE 'max_user_connections' ;\n\nIf the value of MAX_USER_CONNECTIONS is 0 (unlimited) or greater than the site-specific maximum number of sessions, this is a finding.\n \nRetrieve the settings for concurrent sessions for each user with the query: \nSELECT user, host, max_user_connections \nFROM mysql.user \nWHERE user not like 'mysql.%' and user not like 'root';\n\nIf the user account has a nonzero MAX_USER_CONNECTIONS resource limit, the session MAX_USER_CONNECTIONS value is set to that limit. Otherwise, the session max_user_connections value is set to the global value.\n\nIf the DBMS settings for concurrent sessions for each user is greater than the site-specific maximum number of sessions and nonzero, this is a finding.","fixText":"The MySQL Database Server 8.0 is capable of enforcing this restriction. If not configured to do so, configure it to do so.\n\nConnect to the MySQL Database as an administrator.\nTo set the global default to 50: \nSET PERSIST max_user_connections=50;\n\nAdditionally, max user connections can be set per user as well as for a given period of time.\nGRANT ALL ON customer.* TO 'francis'@'localhost'\nWITH MAX_CONNECTIONS_PER_HOUR 5;\nMAX_USER_CONNECTIONS 2;","ccis":["CCI-000054"]},{"vulnId":"V-235097","ruleId":"SV-235097r960891_rule","severity":"medium","ruleTitle":"MySQL Database Server 8.0 must produce audit records containing sufficient information to establish what type of events occurred.","description":"Information system auditing capability is critical for accurate forensic analysis. Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit record content that may be necessary to satisfy the requirement of this policy includes, for example, time stamps, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. \n\nDatabase software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly what actions were performed. This requires specific information regarding the event type to which an audit record refers. If event type information is not recorded and stored with the audit record, the record itself is of very limited use.\n\nMySQL provides auditing using the MySQL Enterprise Audit Log Plugin. When installed, the audit plugin enables MySQL Server to produce a log file containing an audit record of server activity. The log contents include when clients connect and disconnect, and what actions they perform while connected, such as which databases and tables they access.","checkContent":"Verify, using vendor and system documentation if necessary, that the Database Management System (DBMS) is configured to use MySQL auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement.\n\nCheck MySQL auditing to determine whether organization-defined auditable events are being audited by the system.\n\nSELECT PLUGIN_NAME, plugin_status FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit_log' ;\n\nIf the results are not 'audit_log' and plugin_status='ACTIVE' , this is a finding.\n\nNext, determine if the audit log is encrypted: \nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE 'audit_log_encryption' ;\n\nIf nothing is returned or the value for audit_log_encryption is not AES, this is a finding.\n\nReview the audit files in the file systems.\n\nRun the following command using the audit log location from above and review its output:\nls -l /audit*log*\n\nFor example, if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nls -l /usr/local/mysql/data/audit.log\nExample output:\n-rw-r----- 1 _mysql _mysql 3935888 Apr 25 12:34 audit.20190425T173437.log.enc\n-rw-r----- 1 _mysql _mysql 2336 Apr 25 12:35 audit.20190425T173527.log.enc\n-rw-r----- 1 _mysql _mysql 13763984 Apr 30 14:04 audit.log.enc\n\nNext, verify the log files have set permissions the log_destination:\nIf the user owner is not \"mysql\", this is a finding.\nIf the group owner is not \"mysql\", this is a finding.\nIf the file is more permissive than \"640\", this is a finding.\nCheck that the files end with the \".enc\" file extension. If they do not, this means they are in plaintext, and this is a finding.\n\nRun following command to verify the directory permissions and review its output:\nls -l /usr/local/mysql/data\n\nExample output:\ndrwxr-x--- _mysql _mysql 1760 Apr 26 09:55 data\n\nNext, verify the log files have set permissions for the log_destination:\nIf the user owner is not \"mysql\", this is a finding.\nIf the group owner is not \"mysql\", this is a finding.\nIf more permissive than \"750\", this is a finding.\n\nIf there are no audit log files, then organizational auditable events are not being audited, and this is a finding.\n\nTo confirm that MySQL audit is capturing sufficient information to establish the identity of the user/subject or process, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the audit file, whichever is in use.\n\nIf no audit event is returned for the auditable actions just performed, this is a finding.","fixText":"Configure DBMS auditing to audit standard and organization-defined auditable events, with the audit record to include what type of event occurred. \n\nUse this process to ensure auditable events are captured:\n\nConfigure MySQL database server 8.0 for auditing and configure audit settings to include required events as part of the audit record.\n\nTo install MySQL Enterprise Audit:\nRun the audit_log_filter_linux_install.sql script located in the sharedirectory of your MySQL installation. This can be determined by running – select @@basedir;\nFor example if the basedir is /usr/local/mysql \nshell> bin/mysql -u root -p < /usr/local/mysql/share/audit_log_filter_linux_install.sql\n\nVerify the plugin installation by running:\nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\nThe value for audit_log should return ACTIVE.\n\nTo prevent the plugin from being removed at runtime, add the --audit-log option under the [mysqld] option group in the MySQL configuration file (/etc/my.cnf) with a setting of FORCE_PLUS_PERMANENT.\n\naudit-log=FORCE_PLUS_PERMANENT\n\nRestart the server to apply the configuration change.\n\nBy default, rule-based audit log filtering logs no auditable events for any users. To produce log-everything behavior with rule-based filtering, create a filter to enable logging of all events and assign it to the audit all accounts.\n\nRun the following statements to filter all activity for all users:\nSELECT audit_log_filter_set_filter('log_all', '{ \"filter\": { \"log\": true } }');\nSELECT audit_log_filter_set_user('%', 'log_all');\nSELECT audit_log_filter_set_user('%', 'log_all');","ccis":["CCI-000130"]},{"vulnId":"V-235098","ruleId":"SV-235098r960909_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must include additional, more detailed, organizationally defined information in the audit records for audit events identified by type, location, or subject.","description":"Information system auditing capability is critical for accurate forensic analysis. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. To support analysis, some types of events will need information to be logged that exceeds the basic requirements of event type, time stamps, location, source, outcome, and user identity. If additional information is not available, it could negatively impact forensic investigations into user actions or other malicious events.\n\nThe organization must determine what additional information is required for complete analysis of the audited events. The additional information required is dependent on the type of information (e.g., sensitivity of the data and the environment within which it resides). At a minimum, the organization must employ either full-text recording of privileged commands or the individual identities of group users, or both. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. \n\nExamples of detailed information the organization may require in audit records are full-text recording of privileged commands or the individual identities of group account users.","checkContent":"If a MySQL Server Audit is not in use for audit purposes, this is a finding unless a third-party product is being used that can perform detailed auditing for MySQL Server. \n\nReview system documentation to determine whether MySQL Server is required to audit any events and any fields, in addition to those in the standard audit. \n\nIf there are none specified, this is not a finding. \n\nIf MySQL Server Audit is in use, compare the audit specification(s) with the documented requirements. \n\nIf any such requirement is not satisfied by the audit specification(s) (or by supplemental, locally-deployed mechanisms), this is a finding.","fixText":"Design and deploy an audit configuration that captures all auditable events and data items. \n\nCreate rule\nSELECT audit_log_filter_set_filter('log_all', '{ \"filter\": { \"log\": true } }');\nSELECT audit_log_filter_set_user('%', 'log_all');\n\nIf a third-party tool is used for auditing, it must contain all the required information including, but not limited to, events, type, location, subject, date and time and by whom the change occurred. \n\nImplement additional custom audits to capture the additional organizationally required information.","ccis":["CCI-000135"]},{"vulnId":"V-235099","ruleId":"SV-235099r960930_rule","severity":"medium","ruleTitle":"The audit information produced by the MySQL Database Server 8.0 must be protected from unauthorized read access.","description":"If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to their advantage.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, copy, etc.\n\nThis requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions utilizing file system protections and limiting log data location. \n\nAdditionally, applications with user interfaces to audit records should not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring that audit information is protected from unauthorized access.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nIf the value of audit_log_file is a relative path name, the plugin interprets it relative to the data directory. If the value is a full path name, the plugin uses the value as is. A full path name may be useful if it is desirable to locate audit files on a separate file system or directory. For security reasons, write the audit log file to a directory accessible only to the MySQL server and to users with a legitimate reason to view the log.","checkContent":"Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.\n\nVerify there are appropriate controls and permissions to protect the audit information from unauthorized access.\n\nRun this script in the database to find the path and file name:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE 'audit_log_file';\n\nIf there is no path for audit_log_file, then the audit files are located in the datadir. Run the this script to find the data directory:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE 'datadir';\n\nFrom the OS command line, run: \nls -l \nls -l | grep -i \nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nls -l /usr/local/mysql/data/\n\nSee below for an example:\nNote: .enc file extension means the files are encrypted.\n\nls -l / | grep -i audit\n-rw-r----- 1 _mysql _mysql 10083871 Apr 16 15:38 audit.20190416T203832.log\n-rw-r----- 1 _mysql _mysql 398709 Apr 18 10:34 audit.20190418T153446.log\n-rw-r----- 1 _mysql _mysql 15237 Apr 18 10:44 audit.20190418T154402.log\n-rw-r----- 1 _mysql _mysql 876206 Apr 24 14:00 audit.20190424T190008.log\n-rw-r----- 1 _mysql _mysql 30208 Apr 24 14:10 audit.20190424T191044.log.enc\n\nIf the owner and group are not \"mysql\" or \"_mysql\", this is a finding.\n\nIf the directory or file permissions are more permissive than owner having Read/Write (RW) and group having Read (R) access to the audit files, aka \"750\", this is a finding.","fixText":"Apply controls and modify permissions to protect database audit log data from unauthorized access, whether stored in the database itself or at the OS level.\n\nsudo vi /etc/my.cnf\n[mysqld]\naudit-log=FORCE_PLUS_PERMANENT\naudit-log-format=JSON\naudit-log-encryption=AES\n\nAfter changing the my.cnf, restart the server.\n\nIf not performed already, set the audit log password.\nSELECT audit_log_encryption_password_set(password);\n\nSet appropriate permissions on the directory and audit files.\nsudo chown mysql \nsudo chgrp mysql \nChange permissions \nchmod 750 ","ccis":["CCI-000162"]},{"vulnId":"V-235100","ruleId":"SV-235100r960933_rule","severity":"medium","ruleTitle":"The audit information produced by the MySQL Database Server 8.0 must be protected from unauthorized modification.","description":"If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n\nTo ensure the veracity of audit data the information system and/or the application must protect audit information from unauthorized modification. \n\nThis requirement can be achieved through multiple methods that will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions and limiting log data locations. \n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys to make access decisions regarding the modification of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. \n\nModification of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database.","checkContent":"Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.\n\nVerify there are appropriate controls and permissions to protect the audit information from unauthorized access.\n\nRun this script in the database to find the path and file name:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE 'audit_log_file';\n\nIf there is no path for audit_log_file then the audit files are located in the datadir. Run the this script to find the data directory:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE 'datadir';\n\nFrom the OS command line, run: \nls -l \nls -l | grep -i \nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nls -l /usr/local/mysql/data/audit\n\nSee below for an example:\nNote: .enc file extension means the files are encrypted.\n\nls -l / | grep -i audit\n-rw-r----- 1 _mysql _mysql 10083871 Apr 16 15:38 audit.20190416T203832.log\n-rw-r----- 1 _mysql _mysql 398709 Apr 18 10:34 audit.20190418T153446.log\n-rw-r----- 1 _mysql _mysql 15237 Apr 18 10:44 audit.20190418T154402.log\n-rw-r----- 1 _mysql _mysql 876206 Apr 24 14:00 audit.20190424T190008.log\n-rw-r----- 1 _mysql _mysql 30208 Apr 24 14:10 audit.20190424T191044.log.enc\n\nIf the owner and group are not \"mysql\" or\" _mysql\", this is a finding.\n\nIf the directory or file permissions are more permissive than owner having Read/Write (RW) and group having Read (R) access to the audit files, aka \"750\", this is a finding.","fixText":"Apply controls and modify permissions to protect database audit log data from unauthorized access, whether stored in the database itself or at the OS level.\n\nsudo vi /etc/my.cnf\n[mysqld]\naudit-log=FORCE_PLUS_PERMANENT\naudit-log-format=JSON\naudit-log-encryption=AES\n\nAfter changing the my.cnf restart the server.\n\nIf not performed already, set the audit log password.\nSELECT audit_log_encryption_password_set(password);\n\nSet appropriate permissions on the directory and audit files.\nsudo chown mysql \nsudo chgrp mysql \nChange permissions \nchmod 750 ","ccis":["CCI-000163"]},{"vulnId":"V-235101","ruleId":"SV-235101r960936_rule","severity":"medium","ruleTitle":"The audit information produced by the MySQL Database Server 8.0 must be protected from unauthorized deletion.","description":"If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. \n\nSome commonly employed methods include ensuring log files enjoy the proper file system permissions utilizing file system protections; restricting access; and backing up log data to ensure log data is retained. \n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. \n\nDeletion of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database.","checkContent":"Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.\n\nVerify there are appropriate controls and permissions to protect the audit information from unauthorized access.\n\nRun this script in the database to find the path and file name:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE 'audit_log_file';\n\nIf there is no path for audit_log_file then the audit files are located in the datadir. Run the this script to find the data directory:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE 'datadir';\n\nFrom the OS command line, run: \nls -l \nls -l | grep -i \nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nls -l /usr/local/mysql/data/\n\nSee below for an example:\nNote: .enc file extension means the files are encrypted.\n\nls -l / | grep -i audit\n-rw-r----- 1 _mysql _mysql 10083871 Apr 16 15:38 audit.20190416T203832.log\n-rw-r----- 1 _mysql _mysql 398709 Apr 18 10:34 audit.20190418T153446.log\n-rw-r----- 1 _mysql _mysql 15237 Apr 18 10:44 audit.20190418T154402.log\n-rw-r----- 1 _mysql _mysql 876206 Apr 24 14:00 audit.20190424T190008.log\n-rw-r----- 1 _mysql _mysql 30208 Apr 24 14:10 audit.20190424T191044.log.enc\n\nIf the owner and group are not \"mysql\" or \"_mysql\", this is a finding.\n\nIf the directory or file permissions are more permissive than owner having Read/Write (RW) and group having Read (R) access to the audit files, aka \"750\", this is a finding.","fixText":"Apply controls and modify permissions to protect database audit log data from unauthorized access, whether stored in the database itself or at the OS level.\n\nsudo vi /etc/my.cnf\n[mysqld]\naudit-log=FORCE_PLUS_PERMANENT\naudit-log-format=JSON\naudit-log-encryption=AES\n\nAfter changing the my.cnf, restart the server.\n\nIf not performed already, set the audit log password.\nSELECT audit_log_encryption_password_set(password);\n\nSet appropriate permissions on the directory and audit files.\nsudo chown mysql \nsudo chgrp mysql \nChange permissions \nchmod 750 ","ccis":["CCI-000164"]},{"vulnId":"V-235102","ruleId":"SV-235102r960864_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must protect against a user falsely repudiating having performed organization-defined actions.","description":"Non-repudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables, and configuring DBMS audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, group account.","checkContent":"Obtain the list of authorized MySQL Server accounts in the system documentation. \n\nDetermine if any accounts are shared. A shared account is defined as a username, hostname, and password that are used by multiple individuals to log in to SQL Server. An example of a shared account is the MySQL Server root account – root@localhost.\n\nIf accounts are determined to be shared, determine if individuals are first individually authenticated. \n\nIf individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. \n\nThe key is individual accountability. If this can be traced, this is not a finding.\n\nIf accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding.\n\nReview contents of audit logs, traces, and data tables to confirm the identity of the individual user performing the action is captured.\n\nIf shared identifiers are found, and not accompanied by individual identifiers, this is a finding.\n\nNote: Privileged installation accounts like root@localhost may be required to be accessed by the DBA or other administrators for system maintenance. In these cases, each use of the account must be logged in some manner to assign accountability for any actions taken during the use of the account.","fixText":"Remove user-accessible shared accounts and use individual user IDs.\n\nBuild/configure applications to ensure successful individual authentication prior to shared account access.\n\nEnsure each user's identity is received and used in audit data in all relevant circumstances.\n\nDesign, develop, and implement a method to log use of any account to which more than one person has access. Restrict interactive access to shared accounts to the fewest persons possible.","ccis":["CCI-000166"]},{"vulnId":"V-235103","ruleId":"SV-235103r960879_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must be configured to provide audit record generation capability for DoD-defined auditable events within all database components.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the Database Management System (DBMS) (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the DBMS will provide an audit record generation capability as the following: \n\n(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities, or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and\n\n(iii) All account creation, modification, disabling, and termination actions.\n\nOrganizations may define additional events requiring continuous or ad hoc auditing.","checkContent":"Check MySQL auditing to determine whether organization-defined auditable events are being audited by the system.\n\nSELECT PLUGIN_NAME, plugin_status FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit_log' ;\n\nIf nothing is returned OR if the results are not \"audit_log\" and \"plugin_status='ACTIVE'\" , this is a finding.\n\nNext determine if the audit lot is encrypted. \nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE 'audit_log_encryption' ;\n\nIf nothing is returned OR the value for audit_log_encryption is not \"AES\", this is a finding.","fixText":"Deploy a MySQL Database Server 8.0 that supports the DoD minimum set of auditable events.\n\nConfigure the MySQL Database Server 8.0 to generate audit records for at least the DoD minimum set of events.\n\nsudo vi /etc/my.cnf\n[mysqld]\naudit-log=FORCE_PLUS_PERMANENT\naudit-log-format=JSON\naudit-log-encryption=AES\n\nAfter changing the my.cnf, restart the server.\n\nSELECT audit_log_encryption_password_set(password);\n\nCreate auditing rules - for example:\nConnect to MySQL and Use functions to define audit rules and audited users audit_log_filter_set,audit_log_filter_set_user\n\nTo log all auditable events:\nSELECT audit_log_filter_set_filter('log_all', '{ \"filter\": { \"log\": true } }');\n\nAnd to apply this log_all filter to all users:\nSELECT audit_log_filter_set_user('%', 'log_all');","ccis":["CCI-000169"]},{"vulnId":"V-235104","ruleId":"SV-235104r960882_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events. \n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAUDIT_ADMIN enables audit log configuration. This privilege is defined by the audit_log plugin when it is installed.\nSUPER is a powerful and far-reaching privilege and should not be granted lightly.","checkContent":"Check MySQL settings and documentation to determine whether designated personnel are able to select which auditable events are being audited.\n \nTo list out users who have rights to administrative access for auditing, run this query:\nSELECT * FROM INFORMATION_SCHEMA.USER_PRIVILEGES where PRIVILEGE_TYPE in ('AUDIT_ADMIN', 'SUPER');\n\nIf any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding.","fixText":"Configure the MySQL Database Server 8.0 settings to allow designated personnel to select which auditable events are audited.\n\nGrant permissions to users who need rights to create auditing rules.\n\nGRANT AUDIT_ADMIN\nON *.* TO ''@'';\n\nFor example:\nGRANT AUDIT_ADMIN\nON *.* TO 'auditusername'@'%';","ccis":["CCI-000171"]},{"vulnId":"V-235105","ruleId":"SV-235105r960885_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must be able to generate audit records when privileges/permissions are retrieved.","description":"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. Database Management Systems (DBMSs) typically make such information available through views or functions.\n\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit the retrieval of privilege/permission/role membership information. \n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters that are in place are generating records when privileges/permissions are retrieved, run the following query:\nselect * from mysql.proxies_priv;\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log|egrep proxies_prim\n\nFor example if the values returned by - \"select @@datadir, @@audit_log_file;\" are /usr/local/mysql/data/, audit.log\nls -l /usr/local/mysql/data/audit.log\n\nThe audit data will look similar to the example below:\n{ \"timestamp\": \"2020-08-19 21:03:39\", \"id\": 13, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 9, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select * from mysql.proxies_priv\\nLIMIT 0, 1000\", \"status\": 0 } },\n\nIf the audit event is not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server to produce audit records when audit when privileges/permissions are retrieved.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235106","ruleId":"SV-235106r960885_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must be able to generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.","description":"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. Database Management Systems (DBMSs) typically make such information available through views or functions.\n\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit when unsuccessful attempts to retrieve privileges/permissions occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query:\nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin should be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters that are in place are generating records to audit when unsuccessful attempts to retrieve privileges/permissions occur, run the following query using a user that does not have privileges so that it fails:\nselect * from mysql.proxies_priv;\nERROR: 1142: SELECT command denied to user 'auditme'@'localhost' for table 'proxies_priv'\n\nReview the audit log by running the command:\nsudo cat /audit.log|egrep proxies_priv\nFor example if the values returned by \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep proxies_priv\n\nThe audit data will look similar to the example below:\n{ \"timestamp\": \"2020-08-19 21:10:39\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 13, \"account\": { \"user\": \"auditme\", \"host\": \"localhost\" }, \"login\": { \"user\": \"auditme\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select * from mysql.proxies_priv\", \"status\": 1142 } },\nNote status is 1142, like the error.\n\nIf the audit event is not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server to produce audit records when unsuccessful attempts to retrieve privileges/permissions occur.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235107","ruleId":"SV-235107r961791_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must be able to generate audit records when security objects are accessed.","description":"Changes to the security configuration must be tracked.\n\nThis requirement applies to situations where security data is retrieved or modified via data manipulation operations, as opposed to via specialized security functionality.\n\nIn SQL environment, types of access include, but are not necessarily limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE","checkContent":"Review the system documentation to determine if MySQL Server is required to audit when security objects are accessed.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin should be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters in place are generating records to audit when security objects are accessed, run the following query:\nselect * from mysql.proxies_priv;\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log|egrep proxies_prim\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep proxies_priv\n\nThe audit data will look similar to the example below:\n{ \"timestamp\": \"2020-08-19 21:03:39\", \"id\": 13, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 9, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select * from mysql.proxies_priv\\nLIMIT 0, 1000\", \"status\": 0 } },\n\nIf the audit event is not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server to produce audit records when security objects are accessed.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235108","ruleId":"SV-235108r961791_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful attempts to access security objects occur.","description":"Changes to the security configuration must be tracked.\n\nThis requirement applies to situations where security data is retrieved or modified via data manipulation operations, as opposed to via specialized security functionality.\n\nIn a SQL environment, types of access include, but are not necessarily limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit when unsuccessful attempts to access security objects occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters in place are generating records when unsuccessful attempts to access security objects occur, run the following query with a user that does not have privileges so that it will fail:\nselect * from mysql.proxies_priv;\nERROR: 1142: SELECT command denied to user 'auditme'@'localhost' for table 'proxies_priv'\n\nReview the audit log by running the command:\nsudo cat /audit.log|egrep proxies_priv\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep proxies_priv\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep proxies_priv\n\nThe audit data will look similar to the example below:\n{ \"timestamp\": \"2020-08-19 21:10:39\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 13, \"account\": { \"user\": \"auditme\", \"host\": \"localhost\" }, \"login\": { \"user\": \"auditme\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"select\", \"query\": \"select * from mysql.proxies_priv\", \"status\": 1142 } },\nNote status is 1142, like the error.\n\nIf the audit event is not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server to produce audit records when unsuccessful attempts to retrieve privileges/permissions occur.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235109","ruleId":"SV-235109r961797_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when categories of information (e.g., classification levels/security levels) are accessed.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"If classification levels/security levels labeling is not required, this is not a finding.\n\nReview the system documentation to determine if MySQL Server is required to audit records when unsuccessful attempts to delete categories of information (e.g., classification levels/security levels) occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nModify MySQL selects that check for changes to categories of information. Modify selects statements to audit when information categories are accessed using MySQL Audit by calling the audit_api_message_emit_udf() function and including the details related to the select. \n\n- An Example test -\n\nCREATE TABLE `test_trigger`.`info_cat_test` (\n `id` INT NOT NULL,\n `name` VARCHAR(20) NULL,\n `desc` VARCHAR(20) NULL,\n `sec_level` CHAR(1) NULL,\n PRIMARY KEY (`id`));\n\nDELIMITER $$\n\n\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('1', 'fred', 'engineer', 'H');\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('2', 'jill', 'program manager', 'M');\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('3', 'joe', 'maintenance', 'L');\n\nSELECT `info_cat_test`.`id`,\n `info_cat_test`.`name`,\n `info_cat_test`.`desc`,\n `info_cat_test`.`sec_level`,\n IF(`info_cat_test`.`sec_level`= 'H', \n audit_api_message_emit_udf('sec_level_selected',\n 'audit_select_attempt',\n ' H level sec data was accessed',\n 'FOR ', name\n ), \n 'Not Audited')\nFROM `test_trigger`.`info_cat_test`;\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log | egrep sec_level_selected\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep sec_level_priv\n\nThe audit data will look similar to the example below:\n{ \"timestamp\": \"2020-08-20 21:19:21\", \"id\": 1, \"class\": \"message\", \"event\": \"user\", \"connection_id\": 9, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"message_data\": { \"component\": \"sec_level_selected\", \"producer\": \"audit_select_attempt\", \"message\": \" H level sec data was accessed\", \"map\": { \"FOR \": \"fred\" } } },\n\nIf the audit event is not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server with stored procedures that use selects that call audit_api_message_emit_udf() function to produce audit records when selection of categories of information occurs.\nAdd security level details in an additional column.\n\nAdd the component for adding information to the audit log.\n\nINSTALL COMPONENT \"file://component_audit_api_message_emit”;\ncreate schema test_trigger;\n\nModify selections adding the audit_api_message_emit_udf to be called, as well as providing the details for the audit event.\n\nTransparently enforcing the use of MySQL stored procedures is required.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235110","ruleId":"SV-235110r961797_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful attempts to access categories of information (e.g., classification levels/security levels) occur.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"If classification levels/security levels labeling is not required, this is not a finding.\n\nReview the system documentation to determine if MySQL Server is required to audit records when unsuccessful attempts to access categories of information (e.g., classification levels/security levels) occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin should be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nModify MySQL selects that check for changes to categories of information. Modify selects statements to audit when information categories are access using MySQL Audit by calling the audit_api_message_emit_udf() function and including the details related to the select. \n\n- An Example test -\n\nCREATE TABLE `test_trigger`.`info_cat_test` (\n `id` INT NOT NULL,\n `name` VARCHAR(20) NULL,\n `desc` VARCHAR(20) NULL,\n `sec_level` CHAR(1) NULL,\n PRIMARY KEY (`id`));\n\nDELIMITER $$\n\n\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('1', 'fred', 'engineer', 'H');\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('2', 'jill', 'program manager', 'M');\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('3', 'joe', 'maintenance', 'L');\n\nCreate a view using the where clause similar to that shown in the select. If inappropriate access is attempted, in this case H level, the select statement will write to the Audit log using the emit function.\n\nSELECT `info_cat_test`.`id`,\n `info_cat_test`.`name`,\n `info_cat_test`.`desc`,\n `info_cat_test`.`sec_level`\nFROM `test_trigger`.`info_cat_test` where IF(`info_cat_test`.`sec_level`= 'H', \n CAST(audit_api_message_emit_udf('sec_level_H_ATTEMPTED_selected',\n 'audit_select_attempt',\n ' H level sec data was accessed',\n 'FOR ', name\n ) as CHAR), \n 'Not Audited') <> 'OK’;\nThe above test will write an audit event related to the selection of H sec_level data.\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log | egrep sec_level_H_ATTEMPTED_selected\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep sec_level_H_ATTEMPTED_selected\n\nIf the audit event similar to the example below is not present, this is a finding. \n\nThe audit data will look similar to the example below:\nNot Audited') <> 'OK'\\nLIMIT 0, 1000\", \"sql_command\": \"select\" } },\n{ \"timestamp\": \"2020-08-21 14:04:53\", \"id\": 2, \"class\": \"message\", \"event\": \"user\", \"connection_id\": 9, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"message_data\": { \"component\": \"sec_level_H_ATTEMPTED_selected\", \"producer\": \"audit_select_attempt\", \"message\": \" H level sec data was accessed\", \"map\": { \"FOR \": \"fred\" } } },","fixText":"If currently required, configure the MySQL Database Server with views that use selects that call audit_api_message_emit_udf() function to produce audit records when selection of categories of information occurs.\nAdd security level details in an additional column if necessary.\n\nAdd the component for adding information to the audit log.\n\nINSTALL COMPONENT \"file://component_audit_api_message_emit”;\n\nTo transparently enforce the use of MySQL view is required.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235111","ruleId":"SV-235111r961800_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when privileges/permissions are added.","description":"Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of individuals and groups privileges could go undetected. Elevated privileges give users access to information and functionality that they must not have; restricted privileges wrongly deny access to authorized users.\n\nIn a SQL environment, adding permissions is typically done via the GRANT command, or, in the negative, the DENY command.","checkContent":"Check that MySQL Server Audit is being used for the STIG compliant audit.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin should be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nDetermine if rules are in place to capture the following types of commands related to permissions by running the command:\nselect * from mysql.audit_log_filter;\n\nIf the template SQL filter was used, it will have the name log_stig.\n\nReview the filter value. It will show filters for events of the type field general_sql_command.str for the following SQL statement types:\ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user","fixText":"Configure the MySQL Database Server to audit when privileges/permissions are added.\n\nAdd the following events to the MySQL Server Audit being used for the STIG compliance audit: \ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235112","ruleId":"SV-235112r961800_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful attempts to add privileges/permissions occur.","description":"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict individuals and groups privileges could go undetected.\n\nIn a SQL environment, adding permissions is typically done via the GRANT command, or, in the negative, the DENY command.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Check that MySQL Server Audit is being used for the STIG compliant audit.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nDetermine if rules are in place to capture the following types of commands related to permissions by running the command:\nselect * from mysql.audit_log_filter;\n\nIf the template SQL filter was used, it will have the name log_stig.\n\nReview the filter values. It will show filters for events of the type of field general_sql_command.str for the following SQL statement types:\ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user","fixText":"Configure the MySQL Database Server to audit when privileges/permissions are added.\n\nAdd the following events to the MySQL Server Audit that is being used for the STIG compliance audit: \ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235113","ruleId":"SV-235113r961800_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when privileges/permissions are modified.","description":"Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of individuals and groups privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.\n\nIn a SQL environment, modifying permissions is typically done via the GRANT, REVOKE, and DENY commands.","checkContent":"Check that MySQL Server Audit is being used for the STIG compliant audit. \n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nDetermine if rules are in place to capture the following types of commands related to permissions by running:\nselect * from mysql.audit_log_filter;\n\nIf the template SQL filter was used, it will have the name log_stig.\n\nReview the filter values it will show filters for events of the type of the field general_sql_command.str for the following SQL statement types:\ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user","fixText":"Configure the MySQL Database Server to audit when privileges/permissions are added.\n\nAdd the following events to the MySQL Server Audit that is being used for the STIG compliance audit:\ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235114","ruleId":"SV-235114r961800_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful attempts to modify privileges/permissions occur.","description":"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict individual and group privileges could go undetected. \n\nIn an SQL environment, modifying permissions is typically done via the GRANT, REVOKE, and DENY commands. \n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Check that MySQL Server Audit is being used for the STIG compliant audit. \n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nDetermine if rules are in place to capture the following types of commands related to permissions by running:\nselect * from mysql.audit_log_filter;\n\nIf the template SQL filter was used, it will have the name log_stig.\n\nReview the filter values. It will show filters for events of the type of the field general_sql_command.str for the following SQL statement types:\ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user","fixText":"Configure the MySQL Database Server to audit when privileges/permissions are added.\n\nAdd the following events to the MySQL Server Audit that is being used for the STIG compliance audit: \ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235115","ruleId":"SV-235115r961803_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when security objects are modified.","description":"Changes in the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized changes to the security subsystem could go undetected. The database could be severely compromised or rendered inoperative.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit when security objects are modified.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters that are in place are generating records when security objects are modified, run the following, which will test auditing without destroying data:\nupdate mysql.global_grants set host='%' where PRIV='XXXX’;\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log|egrep global_grants\nFor example if the values returned by \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep global_grants\nFor example if the values returned by \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep global_grants\n\nThe audit data will look similar to the example below:\n{ \"timestamp\": \"2020-08-19 21:32:27\", \"id\": 2, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 9, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"update\", \"query\": \"update mysql.global_grants set host='%' where PRIV='XXXX'\", \"status\": 0 } }\n\nIf the audit event is not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server to produce audit records when security objects are modified.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235116","ruleId":"SV-235116r961803_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful attempts to modify security objects occur.","description":"Changes in the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized changes to the security subsystem could go undetected. The database could be severely compromised or rendered inoperative.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit when unsuccessful attempts to modify security objects occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters in place are generating records when unsuccessful attempts to modify security objects occur, run the following as a user without administrator-level privileges:\nupdate mysql.global_grants set host='%' where PRIV='XXXX’;\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log|egrep global_grants\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep global_grants\n\nThe audit data will look similar to the example below and contain a non-zero status value:\n{ \"timestamp\": \"2020-08-19 21:32:27\", \"id\": 2, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 9, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"update\", \"query\": \"update mysql.global_grants set host='%' where PRIV='XXXX'\", \"status\": 1421 } }\n\nIf the audit event is not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server to produce audit records when unsuccessful attempts to modify security objects occur.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235117","ruleId":"SV-235117r961809_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when categories of information (e.g., classification levels/security levels) are modified.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"If classification levels/security levels labeling is not required, this is not a finding.\n\nReview the system documentation to determine if MySQL Server is required to audit records when deletion of categories of information (e.g., classification levels/security levels) occurs.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nCreate MySQL insert, update, and delete triggers that check for changes to categories of information. If the trigger before data indicates an attempt to delete such information, the trigger must be written to prevent the delete as well as optionally write to the MySQL Audit by calling the audit_api_message_emit_udf() function and including the details related to the attempt. Note: To call from a trigger requires a minimal stored procedure as well.\n\nOnce the trigger has been created, check if the audit filters in place are generating records when categories of information are deleted.\n\n- An Example test -\n\nCREATE TABLE `test_trigger`.`info_cat_test` (\n `id` INT NOT NULL,\n `name` VARCHAR(20) NULL,\n `desc` VARCHAR(20) NULL,\n `sec_level` CHAR(1) NULL,\n PRIMARY KEY (`id`));\n\nuse test_trigger;\n\nDELIMITER $$\n\nCREATE TRIGGER test_trigger.audit_delete\n BEFORE DELETE ON `test_trigger`.`info_cat_test`\n FOR EACH ROW\nBEGIN\n IF OLD.sec_level = 'H' THEN\n\t CALL audit_api_message_emit_sp(OLD.name);\n END IF;\nEND$$\nDELIMITER ;\n\nDELIMITER $$\n\nCREATE TRIGGER audit_insert\n BEFORE INSERT ON `test_trigger`.`info_cat_test`\n FOR EACH ROW\nBEGIN\n IF NEW.sec_level = 'H' THEN\n\t CALL audit_api_message_emit_sp(NEW.name);\n END IF;\nEND$$\nDELIMITER ;\n\nDELIMITER $$\n\nCREATE TRIGGER audit_update\n BEFORE UPDATE ON `test_trigger`.`info_cat_test`\n FOR EACH ROW\nBEGIN\n IF OLD.sec_level = 'H' THEN\n\t CALL audit_api_message_emit_sp(OLD.name);\n END IF;\n\tIF NEW.sec_level = 'H' THEN\n\t CALL audit_api_message_emit_sp(NEW.name);\n END IF;\nEND$$\nDELIMITER ;\n\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('1', 'fred', 'engineer', 'H');\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('2', 'jill', 'program manager', 'M');\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('3', 'joe', 'maintenance', 'L');\n\ndelete from `test_trigger`.`info_cat_test` where id=1;\n// this fails as the trigger defines that sec_level of H can not be deleted.\n\nupdate`test_trigger`.`info_cat_test` set sec_level=‘H’ where id=2;\ndelete from `test_trigger`.`info_cat_test` where id=3;\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log | egrep audit_change_attempt\n\nIf the audit event is not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server with update, insert, and delete triggers that call audit_api_message_emit_udf() function to produce audit records when unsuccessful attempts to modify categories of information occur.\n\nAdd security level details in an additional column.\n\nAdd the component for adding information to the audit log.\n\nINSTALL COMPONENT \"file://component_audit_api_message_emit”;\ncreate schema test_trigger;\n\nCreate a stored procedure to allow the audit_api_message_emit_udf to be called as well as providing the details for the audit event.\n\nDELIMITER $$\n\nCREATE PROCEDURE audit_api_message_emit_delete_sp(name CHAR(20))\nBEGIN\n\tDECLARE aud_msg VARCHAR(255);\n\tselect audit_api_message_emit_udf('sec_level_trigger',\n 'TRIGGER audit_change_attempt',\n 'Attempt was made to change H level sec data',\n 'FOR ', name\n ) into aud_msg;\nEND$$\nDELIMITER ;\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235118","ruleId":"SV-235118r961809_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful attempts to modify categories of information (e.g., classification levels/security levels) occur.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"If classification levels/security levels labeling is not required, this is not a finding.\n\nReview the system documentation to determine if MySQL Server is required to audit records when unsuccessful attempts to modify categories of information (e.g., classification levels/security levels) occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin should be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nCreate MySQL insert, update, and delete triggers that check for changes to categories of information. If the trigger before data indicates an attempt to delete such information, the trigger should be written to prevent the delete as well as optionally write to the MySQL Audit by calling the audit_api_message_emit_udf() function and including the details related to the attempt. Note: To call from a trigger requires a minimal stored procedure as well.\n\nOnce the trigger has been created, check if the audit filters that are in place are generating records when categories of information are deleted.\n\n- An Example test -\n\nCREATE TABLE `test_trigger`.`info_cat_test` (\n `id` INT NOT NULL,\n `name` VARCHAR(20) NULL,\n `desc` VARCHAR(20) NULL,\n `sec_level` CHAR(1) NULL,\n PRIMARY KEY (`id`));\n\nuse test_trigger;\n\nDELIMITER $$\n\nCREATE TRIGGER audit_delete\n BEFORE DELETE ON `test_trigger`.`info_cat_test`\n FOR EACH ROW\nBEGIN\n IF OLD.sec_level = 'H' THEN\n\tCALL audit_api_message_emit_sp(OLD.name);\n SIGNAL SQLSTATE '45000'\n SET MESSAGE_TEXT = 'ERROR - THIS DATA IS LEVEL H can not delete’; \n END IF;\nEND$$\nDELIMITER ;\n\nDELIMITER $$\n\nCREATE TRIGGER audit_insert\n BEFORE INSERT ON `test_trigger`.`info_cat_test`\n FOR EACH ROW\nBEGIN\n IF NEW.sec_level = 'H' THEN\n\tCALL audit_api_message_emit_sp(NEW.name);\n SIGNAL SQLSTATE '45000'\n SET MESSAGE_TEXT = 'ERROR - THIS DATA IS LEVEL H can not insert’; \n END IF;\nEND$$\nDELIMITER ;\n\nDELIMITER $$\n\nCREATE TRIGGER audit_update\n BEFORE UPDATE ON `test_trigger`.`info_cat_test`\n FOR EACH ROW\nBEGIN\n IF OLD.sec_level = 'H' THEN\n\t CALL audit_api_message_emit_sp(OLD.name);\n END IF;\n IF NEW.sec_level = 'H' THEN\n\t CALL audit_api_message_emit_sp(NEW.name);\n END IF;\n SIGNAL SQLSTATE '45000'\n SET MESSAGE_TEXT = 'ERROR - THIS DATA IS LEVEL H can not update'; \nEND$$\nDELIMITER ;\n\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('1', 'fred', 'engineer', 'H');\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('2', 'jill', 'program manager', 'M');\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('3', 'joe', 'maintenance', 'L');\n\ndelete from `test_trigger`.`info_cat_test` where id=1;\n// this fails as the trigger defines that sec_level of H can not be deleted.\n\nupdate`test_trigger`.`info_cat_test` set sec_level=‘H’ where id=2;\ndelete from `test_trigger`.`info_cat_test` where id=3;\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log | egrep audit_change_attempt\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep audit_change_attempt\n\nIf the audit event is not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server with update, insert, and delete triggers that call audit_api_message_emit_udf() function to produce audit records when unsuccessful attempts to modify categories of information occur.\n\nAdd security level details in an additional column.\n\nAdd the component for adding information to the audit log.\n\nINSTALL COMPONENT \"file://component_audit_api_message_emit”;\ncreate schema test_trigger;\n\nCreate a stored procedure to allow the audit_api_message_emit_udf to be called as well as providing the details for the audit event.\n\nDELIMITER $$\n\nCREATE PROCEDURE audit_api_message_emit_delete_sp(name CHAR(20))\nBEGIN\n\tDECLARE aud_msg VARCHAR(255);\n\tselect audit_api_message_emit_udf('sec_level_trigger',\n 'TRIGGER audit_change_attempt',\n 'Attempt was made to change H level sec data',\n 'FOR ', name\n ) into aud_msg;\nEND$$\nDELIMITER ;\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235119","ruleId":"SV-235119r961812_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when privileges/permissions are deleted.","description":"Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of individual and group privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.\n\nIn an SQL environment, deleting permissions is typically done via the REVOKE or DENY command.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit when privileges/permissions are deleted.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \n\nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters in place are generating records when privileges/permissions are deleted, run the following, which will test auditing without destroying data:\ndelete from mysql.procs_priv where 1=2; \n\nReview the audit log by running the Linux command:\nsudo cat /audit.log|egrep procs_priv\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep procs_priv\n\nThe audit data will look similar to the example below:\n{ \"timestamp\": \"2020-08-19 21:24:26\", \"id\": 2, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 9, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"delete\", \"query\": \"delete from procs_priv\", \"status\": 0 } }\n\nIf the audit event is not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server to produce audit records when privileges/permissions are deleted.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235120","ruleId":"SV-235120r961812_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful attempts to delete privileges/permissions occur.","description":"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict individuals and groups privileges could go undetected. \n\nIn a SQL environment, deleting permissions is typically done via the REVOKE or DENY command. \n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit when unsuccessful attempts to delete privileges/permissions occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters in place are generating records when unsuccessful attempts to delete privileges/permissions occur, run the following, which will test auditing without destroying data but as a user without administrative privileges so that it fails:\ndelete from mysql.procs_priv where 1=2; \n\nReview the audit log by running the Linux command:\nsudo cat /audit.log|egrep procs_priv\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep procs_priv\n\nThe audit data will look similar to the example below and contain a non-zero status value:\n{ \"timestamp\": \"2020-08-19 21:24:26\", \"id\": 2, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 9, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"delete\", \"query\": \"delete from procs_priv\", \"status\": 1142 } }\n\nIf the audit event is not present, this is a finding.","fixText":"Configure the MySQL Database Server to audit when unsuccessful attempts to delete privileges/permissions occur.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235121","ruleId":"SV-235121r961818_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when security objects are deleted.","description":"The removal of security objects from the database/Database Management System (DBMS) would seriously degrade a system's information assurance posture. If such an event occurs, it must be logged.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit when security objects are deleted.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters in place are generating records when security objects are deleted, run the following, which will test auditing. Note: This is destructive. Back up the database table prior to testing so it can be restored.\ndrop mysql.procs_priv; \n\nReview the audit log by running the Linux command:\nsudo cat /audit.log|egrep DROP\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep DROP\n\nThe audit data will look similar to the example below: \n{ \"timestamp\": \"2020-08-21 17:06:02\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 9, \"account\": { \"user\": \"root\", \"host\": \"localhost\" }, \"login\": { \"user\": \"root\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"drop_table\", \"query\": \"DROP TABLE `mysql`.`proxies_priv`\", \"status\": 0 } },\n\nIf the audit event is not present, this is a finding.","fixText":"Configure the MySQL Database Server to audit when security objects are deleted.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235122","ruleId":"SV-235122r961818_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful attempts to delete security objects occur.","description":"The removal of security objects from the database/Database Management System (DBMS) would seriously degrade a system's information assurance posture. If such an action is attempted, it must be logged.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit when unsuccessful attempts to delete security objects occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters in place are generating records when security objects are deleted, run the following, which will test auditing as a user with administrator-level privileges:\ndrop table mysql.columns_priv;\nERROR: 1142: DROP command denied to user 'newuser'@'localhost' for table 'columns_priv'\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log|egrep DROP\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep DROP\n\nThe audit data will look similar to the example below and contain a non-zero status value:\n{ \"timestamp\": \"2020-08-21 17:21:12\", \"id\": 0, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 17, \"account\": { \"user\": \"newuser\", \"host\": \"localhost\" }, \"login\": { \"user\": \"newuser\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"drop_table\", \"query\": \"drop table `mysql`.audit_log_user\", \"status\": 1142 } },\n\nIf the audit event is not present, this is a finding.","fixText":"Configure the MySQL Database Server to audit when unsuccessful attempts to delete security objects occur.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235123","ruleId":"SV-235123r961821_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when categories of information (e.g., classification levels/security levels) are deleted.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"Review DBMS documentation to verify that audit records can be produced when categories of information are deleted.\n\nIf the DBMS is not capable of this, this is a finding.\n\nReview the DBMS/database security and audit configurations to verify that audit records are produced when categories of information are deleted.\n\nIf they are not produced, this is a finding.","fixText":"Deploy a MySQL Database Server 8.0 capable of producing the required audit records when categories of information are deleted.\n\nConfigure the MySQL Database Server 8.0 to produce audit records when categories of information are deleted.","ccis":["CCI-000172"]},{"vulnId":"V-235124","ruleId":"SV-235124r961821_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful attempts to delete categories of information (e.g., classification levels/security levels) occur.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"If classification levels/security levels labeling is not required, this is not a finding.\n\nReview the system documentation to determine if MySQL Server is required to audit records when unsuccessful attempts to delete categories of information (e.g., classification levels/security levels) occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nCreate MySQL Delete triggers that check for changes to categories of information. If the trigger before data indicates an attempt to delete such information, the trigger should be written to prevent the delete as well as optionally write to the MySQL Audit by calling the audit_api_message_emit_udf() function and including the details related to the attempt. Note: To call from a trigger requires a minimal stored procedure as well.\n\nOnce the trigger has been created, check if the audit filters that are in place are generating records when categories of information are deleted.\n\n- An Example test -\n\nCREATE TABLE `test_trigger`.`info_cat_test` (\n `id` INT NOT NULL,\n `name` VARCHAR(20) NULL,\n `desc` VARCHAR(20) NULL,\n `sec_level` CHAR(1) NULL,\n PRIMARY KEY (`id`));\n\nDELIMITER $$\n\nCREATE TRIGGER test_trigger.audit_delete_attempt\n BEFORE DELETE ON `test_trigger`.`info_cat_test`\n FOR EACH ROW\nBEGIN\n IF OLD.sec_level = 'H' THEN\n\t CALL audit_api_message_emit_sp(OLD.name);\n SIGNAL SQLSTATE '45000'\n SET MESSAGE_TEXT = 'ERROR - THIS DATA IS LEVEL H';\n END IF;\nEND$$\nDELIMITER ;\n\n\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('1', 'fred', 'engineer', 'H');\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('2', 'jill', 'program manager', 'M');\nINSERT INTO `test_trigger`.`info_cat_test` (`id`, `name`, `desc`, `sec_level`) VALUES ('3', 'joe', 'maintenance', 'L');\n\ndelete from `test_trigger`.`info_cat_test` where id=1;\n// this fails as the trigger defines that sec_level of H can not be deleted.\n\ndelete from `test_trigger`.`info_cat_test` where id=2;\ndelete from `test_trigger`.`info_cat_test` where id=3;\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log | egrep sec_level_trigger\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep sec_level_trigger\n\nIf the audit event is not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server with delete triggers which prevent unauthorized deletes and call audit_api_message_emit_udf() function to produce audit records when unsuccessful attempts to delete categories of information occur.\nAdd security level details in an additional column.\n\nAdd the component for adding information to the audit log.\n\nINSTALL COMPONENT \"file://component_audit_api_message_emit”;\ncreate schema test_trigger;\n\nCreate a stored procedure to allow the audit_api_message_emit_udf to be called as well as providing the details for the audit event.\n\nDELIMITER $$\n\nCREATE PROCEDURE audit_api_message_emit_sp(name CHAR(20))\nBEGIN\n\tDECLARE aud_msg VARCHAR(255);\n\tselect audit_api_message_emit_udf('sec_level_trigger',\n 'TRIGGER audit_delete_attempt',\n 'Attempt was made to delete H level sec data',\n 'FOR ', name\n ) into aud_msg;\nEND$$\nDELIMITER ;","ccis":["CCI-000172"]},{"vulnId":"V-235125","ruleId":"SV-235125r961824_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when successful logons or connections occur.","description":"For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to the Database Management System (DBMS).","checkContent":"Review the system documentation to determine if MySQL Server is required to audit when successful logons or connections occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters in place are generating records when successful logons or connections occur, log in to MySQL and then log out. Below is an example using MySQL Shell:\n% mysqlsh —sql\n MySQL SQL > \\connect newuser@localhost\nCreating a session to 'newuser@localhost'\n MySQL localhost:33060+ ssl SQL > \\quit\nBye!\n\nReview the audit log by running the Linux command:\nNote, \"status\": 0 for each indicates successful.\n\nsudo cat /audit.log | egrep \"\\\"event\\\": \\”connect\\\"\"\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep \"\\\"event\\\": \\”connect\\\"\"\n\nThe audit data will look similar to the example below:\nLogging in - connecting\n\n{ \"timestamp\": \"2020-08-21 17:47:09\", \"id\": 0, \"class\": \"connection\", \"event\": \"connect\", \"connection_id\": 19, \"account\": { \"user\": \"newuser\", \"host\": \"localhost\" }, \"login\": { \"user\": \"newuser\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"plugin\", \"status\": 0, \"db\": \"\" } },\n\nLogging out - disconnection\n\nsudo cat /audit.log | egrep \"\\\"event\\\": \\\"disconnect\\”\"\n\nExample output:\n{ \"timestamp\": \"2020-08-21 17:47:11\", \"id\": 1, \"class\": \"connection\", \"event\": \"disconnect\", \"connection_id\": 19, \"account\": { \"user\": \"newuser\", \"host\": \"localhost\" }, \"login\": { \"user\": \"newuser\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"plugin\" } },","fixText":"If currently required, configure the MySQL Database Server to produce audit records when successful logons or connections occur.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235126","ruleId":"SV-235126r961824_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful logons or connection attempts occur.","description":"For completeness of forensic analysis, it is necessary to track failed attempts to log on to the Database Management System (DBMS). While positive identification may not be possible in a case of failed authentication, as much information as possible about the incident must be captured.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit when unsuccessful logons or connection attempts occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters that are in place are generating records when unsuccessful logons or connection attempts occur:\n\nLog in to MySQL and then log out. For example, using MySQL Shell:\n% mysqlsh —sql\n MySQL SQL > \\connect notauser@localhost\nCreating a session to 'notauser@localhost'\nPlease provide the password for 'notauser@localhost': \nMySQL Error 1045: Access denied for user 'notauser'@'localhost' (using password: YES)\n\nReview the audit log by running the Linux command:\nNote, \"status\": 1045 for each indicates failed attempt.\n\nsudo cat /audit.log | egrep notauser \nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep notauser\n\nThe audit data will look similar to the example below:\n{ \"timestamp\": \"2020-08-21 17:54:08\", \"id\": 0, \"class\": \"connection\", \"event\": \"connect\", \"connection_id\": 20, \"account\": { \"user\": \"\", \"host\": \"localhost\" }, \"login\": { \"user\": \"notauser\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"plugin\", \"status\": 1045, \"db\": \"\" } },","fixText":"If currently required, configure the MySQL Database Server to audit when unsuccessful logons or connections attempts occur.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235127","ruleId":"SV-235127r961827_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records for all privileged activities or other system-level access.","description":"Without tracking privileged activity, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nSystem documentation should include a definition of the functionality considered privileged.\n\nA privileged function in this context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. In a SQL environment, it encompasses, but is not necessarily limited to:\nCREATE\nALTER\nDROP\nGRANT\nREVOKE\nDENY\n\nThere may also be Data Manipulation Language (DML) statements that, subject to context, should be regarded as privileged. Possible examples in SQL include:\n\nTRUNCATE TABLE;\nDELETE, or\nDELETE affecting more than n rows, for some n, or\nDELETE without a WHERE clause;\n\nUPDATE or\nUPDATE affecting more than n rows, for some n, or\nUPDATE without a WHERE clause;\n\nany SELECT, INSERT, UPDATE, or DELETE to an application-defined security table executed by other than a security principal.\n\nDepending on the capabilities of the DBMS and the design of the database and associated applications, audit logging may be achieved by means of Database Management System (DBMS) auditing features, database triggers, other mechanisms, or a combination of these.\n\nNote that it is particularly important to audit, and tightly control, any action that weakens the implementation of this requirement itself, since the objective is to have a complete audit trail of all administrative activity.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit for all privileged activities or other system-level access.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nDetermine if rules are in place to capture the following types of commands related to permissions by running:\nselect * from mysql.audit_log_filter;\n\nIf the template SQL filter was used, it will have the name \"log_stig\".\n\nReview the filter values. It will show filters for events of the type of the field general_sql_command.str for the following SQL statement types:\ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user","fixText":"Configure the MySQL Database Server to audit for all privileged activities or other system-level access.\n\nAdd the following events to the MySQL Server Audit: \ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235128","ruleId":"SV-235128r961827_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur.","description":"Without tracking privileged activity, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nSystem documentation should include a definition of the functionality considered privileged.\n\nA privileged function in this context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. In an SQL environment, it encompasses, but is not necessarily limited to:\nCREATE\nALTER\nDROP\nGRANT\nREVOKE\nDENY\n\nNote that it is particularly important to audit, and tightly control, any action that weakens the implementation of this requirement itself, since the objective is to have a complete audit trail of all administrative activity.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Review the system documentation to determine if MySQL Server is required to audit for unsuccessful attempts to execute privileged activities or other system-level access.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nDetermine if rules are in place to capture the following types of commands related to permissions by running:\n\nselect * from mysql.audit_log_filter;\n\nIf the template SQL filter was used, it will have the name log_stig.\n\nReview the filter values it will show filters for events of type of the field general_sql_command.str for the following SQL statement types:\ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user","fixText":"Configure the MySQL Database Server to audit for unsuccessful attempts to execute privileged activities or other system-level access.\n\nAdd the following events to the MySQL Server Audit: \ngrant\ngrant_roles\nrevoke\nrevoke_all\nrevoke_roles\ndrop_role\nalter_user_default_role\ncreate_role\ndrop_role\ngrant_roles\nrevoke_roles\nset_role\ncreate_user\nalter_user\ndrop_user\nalter_user\nalter_user_default_role\ncreate_user\ndrop_user\nrename_user\nshow_create_user\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235129","ruleId":"SV-235129r961830_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records showing starting and ending time for user access to the database(s).","description":"For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to the Database Management System (DBMS) lasts. This can be achieved by recording disconnections, in addition to logons/connections, in the audit logs. \n\nDisconnection may be initiated by the user or forced by the system (as in a timeout) or result from a system or network failure. To the greatest extent possible, all disconnections must be logged.","checkContent":"Check if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters that are in place are generating records when successful logons or connections occur, log in to MySQL and then log out. \n\nBelow is an example using MySQL Shell:\n% mysqlsh —sql\n MySQL SQL > \\connect newuser@localhost\nCreating a session to 'newuser@localhost'\n MySQL localhost:33060+ ssl SQL > \\quit\nBye!\n\nReview the audit log by running the Linux command:\n\"status\": 0 for each indicates successful.\n\"connection_id\": 19 is the same as the connections process id and there will be matching disconnect event with the same connection_id number. This can be used to differentiate multiple connections using the same login.\nEach connect and disconnect has a timestamp tag with the time in Coordinated Universal Time (UTC).\n\nsudo cat /audit.log | egrep \"\\\"event\\\": \\”connect\\\"\"\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log\nsudo cat /usr/local/mysql/data/audit.log |egrep \"\\\"event\\\": \\”connect\\\"\"\n\nThe audit data will look similar to the example below:\nLogging in - connecting\n\n{ \"timestamp\": \"2020-08-21 17:47:09\", \"id\": 0, \"class\": \"connection\", \"event\": \"connect\", \"connection_id\": 19, \"account\": { \"user\": \"newuser\", \"host\": \"localhost\" }, \"login\": { \"user\": \"newuser\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"plugin\", \"status\": 0, \"db\": \"\" } },\n\nLogging out - disconnection\n\nsudo cat /audit.log | egrep \"\\\"event\\\": \\\"disconnect\\”\"\n\n{ \"timestamp\": \"2020-08-21 17:47:11\", \"id\": 1, \"class\": \"connection\", \"event\": \"disconnect\", \"connection_id\": 19, \"account\": { \"user\": \"newuser\", \"host\": \"localhost\" }, \"login\": { \"user\": \"newuser\", \"os\": \"\", \"ip\": \"::1\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"plugin\" } },","fixText":"If currently required, configure the MySQL Database Server to produce audit records when successful logons or connections occur.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235130","ruleId":"SV-235130r961833_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when concurrent logons/connections by the same user from different workstations.","description":"For completeness of forensic analysis, it is necessary to track who logs on to the Database Management System (DBMS).\n\nConcurrent connections by the same user from multiple workstations may be valid use of the system; or such connections may be due to improper circumvention of the requirement to use the CAC for authentication; or they may indicate unauthorized account sharing; or they may be because an account has been compromised.\n\n(If the fact of multiple, concurrent logons by a given user can be reliably reconstructed from the log entries for other events (logons/connections; voluntary and involuntary disconnections), then it is not mandatory to create additional log entries specifically for this).","checkContent":"Review the system documentation to determine if MySQL Server is required to audit the concurrent logons/connections by the same user from different workstations.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters that are in place are generating records when multiple connections occur:\n\nRun multiple connections from the same user without logging out and from different IP addresses.\n\nReview the audit log:\nsudo cat /audit.log | egrep \nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log and the user is fewconnects then\nsudo cat /usr/local/mysql/data/audit.log |egrep fewconnects\n\n { \"connection_type\": \"ssl\", \"status\": 0, \"db\": \"\", \"connection_attributes\": { \"_pid\": \"9132\", \"_os\": \"macos10.14\", \"_platform\": \"x86_64\", \"_client_version\": \"8.0.20\", \"_client_name\": \"libmysql\", \"program_name\": \"mysqlsh\" } } },\n{ \"timestamp\": \"2020-08-31 18:03:41\", \"id\": 0, \"class\": \"connection\", \"event\": \"connect\", \"connection_id\": 28, \"account\": { \"user\": \"fewconnects\", \"host\": \"localhost\" }, \"login\": { \"user\": \"fewconnects\", \"os\": \"\", \"ip\": \"\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"ssl\", \"status\": 0, \"db\": \"\", \"connection_attributes\": { \"_pid\": \"9132\", \"_os\": \"macos10.14\", \"_platform\": \"x86_64\", \"_client_version\": \"8.0.20\", \"_client_name\": \"libmysql\", \"program_name\": \"mysqlsh\" } } }\n{ \"timestamp\": \"2020-08-31 18:11:05\", \"id\": 12, \"class\": \"connection\", \"event\": \"connect\", \"connection_id\": 38, \"account\": { \"user\": \"fewconnects\", \"host\": \"localhost\" }, \"login\": { \"user\": \"fewconnects\", \"os\": \"\", \"ip\": \"93.122.141.147\", \"proxy\": \"\" }, \"connection_data\": { \"connection_type\": \"ssl\", \"status\": 0, \"db\": \"\", \"connection_attributes\": { \"_pid\": \"903\", \"_os\": \"macos10.15\", \"_platform\": \"x86_64\", \"_client_version\": \"8.0.20\", \"_client_name\": \"libmysql\", \"program_name\": \"MySQLWorkbench\" } } },\nNote that each connection has a different connection_id - indicating distinctly auditing multiple connections. Here there are connections from mysqlsh and MySQLWorkbench; the event type is \"event\": “connect” and the \"user\": \"fewconnects\", \"os\": \"\", \"ip\": “127.0.0.1” and \"login\": { \"user\": \"fewconnects\", \"os\": \"\", \"ip\": “93.122.141.147” - that is with different IPs from the different workstations.\n\nIf the audit events are not present, this is a finding.\n\nIf currently required, configure the MySQL Database Server to produce audit records when connections occur.\n\nSee the supplemental file \"MySQL80Audit.sql\".","fixText":"If currently required, configure the MySQL Database Server to produce audit records when connections occur.\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235131","ruleId":"SV-235131r961836_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must be able to generate audit records when successful accesses to objects occur.","description":"Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nIn an SQL environment, types of access include, but are not necessarily limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE","checkContent":"Review the system documentation to determine if MySQL Server is required to generate audit records when successful accesses to objects occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters in place are generating records to audit when certain objects are accessed:\n\nRun a query and other access types on that object.\nselect * from /;\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log|egrep \nFor example if the values returned by \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log \nsudo cat /usr/local/mysql/data/audit.log |egrep \n\nIf the audit event is not present, this is a finding.","fixText":"Configure the MySQL Database Server to audit when successful accesses to objects occur. \n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235132","ruleId":"SV-235132r961836_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records when unsuccessful accesses to objects occur.","description":"Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nIn a SQL environment, types of access include, but are not necessarily limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Review the system documentation to determine if MySQL Server is required to generate audit records when unsuccessful accesses to objects occur.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters in place are generating records to audit when certain objects access is unsuccessful:\n\nConnect a user without access to an object.\n\nRun a failed query or other failed access types on that object.\nselect * from /;\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log|egrep \nFor example if the values returned by \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log \nsudo cat /usr/local/mysql/data/audit.log |egrep \n\nThe record will show the failed attempt which is note by a non-zero status value.\n\nIf the audit event is not present, this is a finding.","fixText":"Configure the MySQL Database Server to audit when unsuccessful accesses to objects occur. \n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235133","ruleId":"SV-235133r961839_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must generate audit records for all direct access to the database(s).","description":"In this context, direct access is any query, command, or call to the Database Management System (DBMS) that comes from any source other than the application(s) that it supports. Examples would be the command line or a database management utility program. The intent is to capture all activity from administrative and non-standard sources.","checkContent":"Review the system documentation to determine if MySQL Server is required to generate audit records for all direct access to the database(s).\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nTo check if the audit filters in place are generating records to audit all direct access to the database(s):\n\nRun any access to the database.\n\nReview the audit log by running the Linux command:\nsudo cat /audit.log\nFor example if the values returned by - \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log \nsudo cat /usr/local/mysql/data/audit.log\n\nIf the audit events are not present, this is a finding.","fixText":"If currently required, configure the MySQL Database Server to produce audit records for all direct access to the database(s).\n\nSee the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-000172"]},{"vulnId":"V-235134","ruleId":"SV-235134r961038_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.","description":"The DoD standard for authentication is DoD-approved PKI certificates.\n\nA certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.\n\nDatabase Management Systems that do not validate certificates by performing RFC 5280-compliant certification path validation are in danger of accepting certificates that are invalid and/or counterfeit. This could allow unauthorized access to the database.","checkContent":"The database supports PKI-based authentication by using digital certificates over TLS in addition to the native encryption and data integrity capabilities of these protocols.\n\nReview MySQL Database Server 8.0 configuration to verify DBMS user account certificates are valid by performing RFC 5280-compliant certification path validation.\n\nRun the following command to determine the certificate in use along with other details:\nselect @@ssl_ca, @@ssl_capath, @@ssl_cert, @@ssl_cipher, @@ssl_crl, @@ssl_crlpath, @@ssl_fips_mode, @@ssl_key;\n\nIf ssl_crl is not set to a CRL file, this is a finding. \n\nIf ssl_crlpath is empty then use the default, which is the datadir path. To get that path run select @@datadir.\n\nNext verify the existence of the CRL file.\n\nIf the CRL file does not exist, this is a finding. \n\nNext, verify that require_secure_transport is ON by running:\nselect @@require_secure_transport;\n\nIf require_secure_transport is not 1 for ON, this is a finding.\n\nIf the certificate is not a DoD approved certificate, or if no certificate is listed, this is a finding.\n\nConfirm Issuer and Subject map to the username. Run the following script:\nSELECT `user`.`Host`,\n `user`.`User`,\n `user`.`ssl_type`,\n CAST(`user`.`x509_issuer` as CHAR) as Issuer,\n CAST(`user`.`x509_subject` as CHAR) as Subject\nFROM `mysql`.`user`;\n\nIf user accounts are not being mapped to authenticated identities, this is a finding.","fixText":"Configure the DBMS to validate certificates by constructing a certification path with status information to an accepted trust anchor.\n\nConfigure the database server to support Transport Layer Security (TLS) protocols.\nmysql> set persist require_secure_transport=ON;\n\nSet system variables on the server side specify DoD approved certificate and key files the server uses when permitting clients to establish encrypted connections:\n\nssl_ca: The path name of the Certificate Authority (CA) certificate file. (ssl_capath is similar but specifies the path name of a directory of CA certificate files.)\n\nssl_cert: The path name of the server public key certificate file. This certificate can be sent to the client and authenticated against the CA certificate that it has.\n\nssl_key: The path name of the server private key file.\n\nFor example, to enable the server for encrypted connections with certificates, start it with these lines in the my.cnf file, changing the file names as necessary:\n\n[mysqld]\nssl_ca=ca.pem\nssl_cert=server-cert.pem\nssl_key=server-key.pem\nAlter users to require X509 certificates\n\nBelow is an example to add X509 as a requirement.\n\nFor a new user\nCREATE USER 'jeffrey'@'localhost' REQUIRE X509;\nAND SUBJECT '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Johan Smith'\n AND ISSUER '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Some CA';\n\nOr to add to an existing user\nALTER USER 'johansmith'@'%'\nREQUIRE X509\n AND SUBJECT '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Johan Smith'\n AND ISSUER '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Some CA';","ccis":["CCI-000185"]},{"vulnId":"V-235135","ruleId":"SV-235135r961041_rule","severity":"high","ruleTitle":"The MySQL Database Server 8.0 must enforce authorized access to all PKI private keys stored/utilized by the MySQL Database Server 8.0.","description":"The DoD standard for authentication is DoD-approved PKI certificates. PKI certificate-based authentication is performed by requiring the certificate holder to cryptographically prove possession of the corresponding private key.\n\nIf the private key is stolen, an attacker can use it to impersonate the certificate holder. In cases where the Database Management System (DBMS)-stored private keys are used to authenticate the DBMS to the system’s clients, loss of the corresponding private keys would allow an attacker to successfully perform undetected man-in-the-middle attacks against the DBMS system and its clients.\n\nBoth the holder of a digital certificate, and the issuing authority, must take careful measures to protect the corresponding private key. Private keys must always be generated and protected in FIPS 140-2 or 140-3 validated cryptographic modules. \n\nAll access to the private key(s) of the DBMS must be restricted to authorized and authenticated users. If unauthorized users have access to one or more of the DBMS's private keys, an attacker could gain access to the key(s) and use them to impersonate the database on the network or otherwise perform unauthorized actions.","checkContent":"Review DBMS configuration to determine whether appropriate access controls exist to protect the DBMS’s private key. \n\nIf strong access controls do not exist to enforce authorized access to the private key, this is a finding.\n\nMySQL stores certificates in PEM formatted files.\n\nVerify User ownership, Group ownership, and permissions on the ssl_files.\n\nselect @@ssl_ca, @@ssl_capath, @@ssl_cert, @@ssl_cipher, @@ssl_crl, @@ssl_crlpath, @@ssl_fips_mode, @@ssl_key;\nIf ssl_path or ssl_crlpath are not defined the locations default to the datadir. \nTo determine the datadir \nselect @@datadir;\n\nExample if path is /\n\nsudo sh -c 'ls -l /*.pem'\nFor example if the value returned by \"select @@datadir;' is /usr/local/mysql/data/\nsudo sh -c 'ls -l /usr/local/mysql/data/*.pem'\n\nPassword:\n-rw------- 1 _mysql _mysql 1676 Feb 25 11:09 /ca-key.pem\n-rw-r--r-- 1 _mysql _mysql 1112 Feb 25 11:09 /ca.pem\n-rw-r--r-- 1 _mysql _mysql 1112 Feb 25 11:09 /client-cert.pem\n-rw------- 1 _mysql _mysql 1680 Feb 25 11:09 /client-key.pem\n-rw------- 1 _mysql _mysql 1676 Feb 25 11:09 /private_key.pem\n-rw-r--r-- 1 _mysql _mysql 452 Feb 25 11:09 /public_key.pem\n-rw-r--r-- 1 _mysql _mysql 1112 Feb 25 11:09 /server-cert.pem\n-rw------- 1 _mysql _mysql 1680 Feb 25 11:09 /server-key.pem\n\nIf the User owner is not \"mysql\", this is a finding. \n\nIf the Group owner is not \"mysql\", this is a finding.\n\nFor public certs and keys, permissions should be \"rw\" for mysql and \"readonly\" for mysql group and world. These files by default are named \"ca.pem\", \"client-cert.pem\", \"public_key.pem\", and \"server-cert.pem\". If not, this is a finding.\n\nFor private certs and keys, permissions should be \"rw\" for mysql and \"no rights\" for mysql group or world. These files by default are named \"ca-key.pem\", \"client-key.pem\", \"private_key.pem\", and \"server-key.pem\". If not, this is a finding.\n\nReview system configuration to determine whether FIPS mode has been enabled. \n\nselect @@ssl_fips_mode;\n\n- OFF: Disable FIPS mode.\n- ON: Enable FIPS mode.\n- STRICT: Enable “strict” FIPS mode.\n\nIf FIPS mode is not \"ON\" or \"STRICT\", this is a finding.\n\nIf the server-key.pem has a password, verify when starting mysqld in a console there is prompt requiring the passphrase for the server-key.","fixText":"Implement strong access and authentication controls to protect the database’s private key.\n\nConfigure the database to support Transport Layer Security (TLS) protocols and the put in place file systems permissions on authentication and signing credentials, including private keys.\n\nPut keys in place in the datadir, or define their locations using ssl_capath and ssl_crlpath.\n\nEnsure proper permissions are set to protect the private keys and certificates.\n\nChange directory ssl_capath, ssl_crlpath, or the default datadir path.\n\nTo determine the file paths:\nselect @@ssl_capath, @@ssl_crlpath, @@ssl_key, @@datadir;\n\nEnsure OS account mysql owns all the pem and key files.\n$ chown mysql *.pem\n$ chgrp mysql *.key\n$ chmod 600 *.key\"\n$ chmod 600 *.pem\n\nOptionally, allow access to public keys.\n$ chmod 644 client-cert.pem client-key.pem\n$chmod 644 public_key.pem server-cert.pem\n\nIf the server-key.pem has a password, provide this password when prompted during a console startup. The server will not start without this password if the server key is password protected.\n\nEdit the mysql configuration file.\n\n[mysqld]\nssl-fips-mode=ON\n\nIf the OpenSSL FIPS Object Module is not available, ssl_fips_mode to ON or STRICT at startup causes the server to produce an error message and exit.","ccis":["CCI-000186"]},{"vulnId":"V-235136","ruleId":"SV-235136r961044_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must map the PKI-authenticated identity to an associated user account.","description":"The DoD standard for authentication is DoD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a Database Management System (DBMS) user account for the authenticated identity to be meaningful to the DBMS and useful for authorization decisions.","checkContent":"Review MySQL Database Server 8.0 configuration to verify DBMS user accounts are being mapped directly to unique identifying information within the validated PKI certificate.\n\nConfirm Issuer and Subject map to the username. Run the following script:\nSELECT `user`.`Host`,\n `user`.`User`,\n `user`.`ssl_type`,\n CAST(`user`.`x509_issuer` as CHAR) as Issuer,\n CAST(`user`.`x509_subject` as CHAR) as Subject\nFROM `mysql`.`user`;\n\nIf user accounts are not being mapped to authenticated identities, this is a finding.","fixText":"Configure the MySQL Database Server 8.0 to map the authenticated identity directly to the MySQL Database Server 8.0 user account.\n\nAlter users to require X509 certificates.\n\nBelow is an example to add X509 as a requirement.\n\nFor a new user:\nCREATE USER 'jeffrey'@'localhost' REQUIRE X509;\nAND SUBJECT '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Johan Smith'\n AND ISSUER '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Some CA';\n\nOr to add to an existing user:\nALTER USER 'johansmith'@'%'\nREQUIRE X509\n AND SUBJECT '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Johan Smith'\n AND ISSUER '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Some CA';","ccis":["CCI-000187"]},{"vulnId":"V-235137","ruleId":"SV-235137r1018612_rule","severity":"high","ruleTitle":"If Database Management System (DBMS) authentication using passwords is employed, the DBMS must enforce the DOD standards for password complexity and lifetime.","description":"OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstances make it unavoidable; and must be documented and Authorizing Official (AO)-approved.\n\nThe DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.\n\nIn such cases, the DOD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. For other DBMSs, the rules must be enforced using available configuration parameters or custom code.","checkContent":"If DBMS authentication using passwords is not employed, this is not a finding.\n\nIf the DBMS is configured to inherit password complexity and lifetime rules from the operating system or access control program, this is not a finding.\n\nReview the MySQL Database Server 8.0 settings relating to password complexity. Determine whether the following rules are enforced. If any are not, this is a finding.\na. Minimum of 15 characters, including at least one of each of the following character sets:\n- Uppercase\n- Lowercase\n- Numeric\n- Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)\nb. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight.\n\nReview the DBMS settings relating to password lifetime. Determine whether the following rules are enforced. If any are not, this is a finding.\na. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days.\nb. Password lifetime limits for non-interactive accounts: Minimum 24 hours, maximum 365 days.\nc. Number of password changes before an old one may be reused: Minimum of five.\n\nConnect as an admin. \n\nSELECT component_urn FROM mysql.component\nwhere component_urn='file://component_validate_password' group by component_urn;\n\nIf the \"validate password\" component is installed the result will be file://component_validate_password.\n\nIf \"validate password\" component is not installed, this is a finding.\n\nIf the \"component_validate_password\" is installed, review the password policies to ensure required password complexity is met. \n\nRun the following to review the password policy:\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where VARIABLE_NAME like 'valid%password%' or VARIABLE_NAME like 'password_%' ;\n\nFor example the results may look like the following:\n\n'validate_password.check_user_name',’ON’\n'validate_password.dictionary_file',''\n'validate_password.length','8'\n'validate_password.mixed_case_count','1'\n'validate_password.number_count','1'\n'validate_password.policy','MEDIUM'\n'validate_password.special_char_count','1'\n'password_reuse_interval','0'\n'password_require_current','OFF'\n'password_history','0'\n\nIf these results do not meet password complexity requirements listed above, this is a finding.","fixText":"If the use of passwords is not needed, configure the MySQL Database Server 8.0 to prevent their use if it is capable of this; if it is not, institute policies and procedures to prohibit their use.\n\nIf the MySQL Database Server 8.0 can inherit password complexity rules from the operating system or access control program, configure it to do so.\n\nOtherwise, use MySQL Database Server 8.0 configuration parameters and/or custom code to enforce the following rules for passwords:\n\na. Minimum of 15 characters, including at least one of each of the following character sets:\n- Uppercase\n- Lowercase\n- Numeric\n- Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)\nb. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight.\nc. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days.\nd. Password lifetime limits for non-interactive accounts: Minimum 24 hours, maximum 365 days.\ne. Number of password changes before an old one may be reused: Minimum of five.\n\nAs the database admin:\n\nINSTALL COMPONENT 'file://component_validate_password';\n\n# Set Password Policies example:\nset persist validate_password.check_user_name='ON';\nset persist validate_password.dictionary_file=' set persist require_secure_transport=ON;\n\nSet system variables on the server side specify DoD approved certificate and key files the server uses when permitting clients to establish encrypted connections:\n\nssl_ca: The path name of the Certificate Authority (CA) certificate file. (ssl_capath is similar but specifies the path name of a directory of CA certificate files.)\n\nssl_cert: The path name of the server public key certificate file. This certificate can be sent to the client and authenticated against the CA certificate that it has.\n\nssl_key: The path name of the server private key file.\n\nFor example, to enable the server for encrypted connections with certificates, start it with these lines in the my.cnf file, changing the file names as necessary:\n\n[mysqld]\nssl_ca=ca.pem\nssl_cert=server-cert.pem\nssl_key=server-key.pem","ccis":["CCI-000197"]},{"vulnId":"V-235140","ruleId":"SV-235140r961047_rule","severity":"high","ruleTitle":"The MySQL Database Server 8.0 must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.","description":"The DoD standard for authentication is DoD-approved PKI certificates.\n\nNormally, with PKI authentication, the interaction with the user for authentication will be handled by a software component separate from the Database Management System (DBMS), such as ActivIdentity ActivClient. However, in cases where the DBMS controls the interaction, this requirement applies.\n\nTo prevent the compromise of authentication information such as passwords and PINs during the authentication process, the feedback from the system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. \n\nObfuscation of user-provided authentication secrets when typed into the system is a method used in addressing this risk. \n\nDisplaying asterisks when a user types in a password or a smart card PIN is an example of obscuring feedback of authentication secrets.\n\nFor mysql tools, which can accept a plain-text password, and any other essential tool with the same limitation:\n1) Document the need for it, who uses it, and any relevant mitigations, and obtain Authorizing Official (AO) approval\n2) Train all users of the tool in the importance of not using the plain-text password option and in how to keep the password hidden by using the \"-p\" without the password option. The user will then be prompted and the password obfuscated.\n3) Make use of OS pluggable password manager integration to protect passwords using keyrings","checkContent":"If all interaction with the user for purposes of authentication is handled by a software component separate from the MySQL Database Server 8.0, this is not a finding.\n\nIf any application, tool, or feature associated with the MySQL Database Server 8.0/database displays any authentication secrets (to include PINs and passwords) during or after the authentication process, this is a finding.\n\nMySQL command line option --password (or -p) obscures feedback on the typed in password. \n\nEnsure users are trained to use alternatives to command line password parameters, if they are not, this is a finding.","fixText":"Modify and configure each non-compliant application, tool, or feature associated with the MySQL Database Server 8.0/database so that it does not display authentication secrets.\n\nUse -p (--password) without providing a password for the mysql command line tool.\n\nConfigure or modify applications to prohibit display of passwords in clear text.\n\nUse OS pluggable password manager integration to protect passwords using keyrings. Following is an example:\n$ /usr/local/mysql/bin/mysql -uroot -p\nEnter password:\n\n$ mysqlsh --user=user --password\nPlease provide the password for 'user@localhost':","ccis":["CCI-000206"]},{"vulnId":"V-235141","ruleId":"SV-235141r960792_rule","severity":"high","ruleTitle":"The MySQL Database Server 8.0 must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","description":"Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access the Database Management System (DBMS). To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. \n\nSuccessful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. \n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. \n\nThis requirement is applicable to access control enforcement applications, a category that includes database management systems. If the DBMS does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.","checkContent":"Check MySQL settings to determine whether users are restricted from accessing objects and data they are not authorized to access. \nReview the system documentation to determine the required levels of protection for DBMS server securables, by type of login. \n\nReview the permissions actually in place on the server. \n\nIf the actual permissions do not match the documented requirements, this is a finding. \n\nThe following tables contain access control data. Run these scripts:\n\nFor information about database-level privileges:\nThe server uses the user and db tables in the mysql database at both the first and second stages of access control.\nSELECT * FROM mysql.db;\nSELECT * FROM mysql.user;\n\nDuring the second stage of access control, the server performs request verification to ensure each client has sufficient privileges for each request it issues. \n\nThese provide finer privilege control at the table and column levels.\nSELECT * FROM mysql.tables_priv;\nSELECT * FROM mysql.columns_priv;\n\nFor verification of requests that involve stored routines.\nSELECT * FROM mysql.procs_priv;\nInformation about proxy accounts\nSELECT * from mysql.proxies_priv;\n\nLists current assignments of dynamic global privileges to user accounts.\nSELECT * from mysql.global_grants;\nLists default user roles\nSELECT * FROM mysql.default_roles;\n\nLists edges for role subgraphs, showing roles assigned to other roles hierarchy.\nSELECT * FROM mysql.role_edges;\n\nTo inspect permissions on specific table(s):\nWITH\n tableprivs AS (SELECT user, host, 'mysql.tables_priv' as PRIV_SOURCE , DB as _db, Table_Name as _obj , ' ' as _col FROM mysql.tables_priv where Table_name like '%' ),\n colprivs AS (SELECT User, Host, 'mysql.columns_priv' as PRIV_SOURCE , DB as _db, table_name as _obj , column_name as _col FROM mysql.columns_priv WHERE Table_name like '%' )\nSELECT user,host, PRIV_SOURCE , _db as _db, _obj, _col FROM\n(\nSELECT user,host, PRIV_SOURCE, _db, _obj, _col FROM colprivs UNION\nSELECT user,host, PRIV_SOURCE, _db, _obj, _col FROM tableprivs) as tt group by user, host, PRIV_SOURCE, _db, _obj, _col;\n\nTo inspect specific user, role or user using role:\nExample\nUser or role\nSHOW GRANTS FOR 'app_developer'@'%';\nUser with Role\nSHOW GRANTS FOR 'u1'@'localhost' USING 'r1';\n\nIf appropriate access controls are not implemented to restrict access to authorized users and to restrict the access of those users to objects and data they are authorized to see, this is a finding.","fixText":"Configure the MySQL Database Server 8.0 settings and access controls to permit user access only to objects and data that the user is authorized to view or interact with, and to prevent access to all other objects and data.\n\nUse GRANT, REVOKE, ALTER statements to add and remove permissions on server-level securables, bringing them into line with the documented requirements.","ccis":["CCI-000213"]},{"vulnId":"V-235142","ruleId":"SV-235142r961863_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.","description":"Configuring the Database Management System (DBMS) to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. \n\nIn addition to this SRG, sources of guidance on security and information assurance exist. These include NSA configuration guides, CTOs, DTMs, and IAVMs. The DBMS must be configured in compliance with guidance from all such relevant sources.","checkContent":"Review the MySQL documentation and configuration to determine it is configured in accordance with DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.\n\nIf the MySQL is not configured in accordance with security configuration settings, this is a finding.","fixText":"Configure MySQL in accordance with security configuration settings by reviewing the Operation System and MySQL documentation and applying the necessary configuration parameters to meet the configurations required by the STIG, NSA configuration guidelines, CTOs, DTMs, and IAVMs.","ccis":["CCI-000366"]},{"vulnId":"V-235143","ruleId":"SV-235143r960963_rule","severity":"medium","ruleTitle":"Default demonstration and sample databases, database objects, and applications must be removed.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plugins not related to requirements or providing a wide array of functionality, not required for every mission, that cannot be disabled.\n\nDatabase Management Systems (DBMSs) must adhere to the principles of least functionality by providing only essential capabilities.\n\nDemonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the DBMS and host system.","checkContent":"Review vendor documentation and vendor websites to identify vendor-provided demonstration or sample databases, database applications, objects, and files. Note: MySQL does not include any in MySQL Database Server 8.0.\n\nReview the MySQL Database Server 8.0 to determine if any of the demonstration and sample databases, database applications, or files are installed in the database or are included with the MySQL Database Server 8.0 application. If any are present in the database or are included with the MySQL Database Server 8.0 application, this is a finding.\n\nCheck database/schema content of MySQL with the following command:\nSELECT * FROM information_schema.SCHEMATA where SCHEMA_NAME not in ('mysql','information_schema', 'sys', 'performance_schema');\n\nIf this system is identified as production, gather a listing of databases from the server and look for any matching the following general demonstration database names: \nsakila \nworld\nworld_x\nmenagerie\n\nIf any of these databases exist, this is a finding.","fixText":"MySQL 8.0 contains no demo databases by default. If demo schemas (aka databases) were added, remove them by executing:\n\nmysql -u root -p --execute=\"DROP DATABASE 'schema_name'\"","ccis":["CCI-000381"]},{"vulnId":"V-235144","ruleId":"SV-235144r960963_rule","severity":"medium","ruleTitle":"Unused database components, MySQL Database Server 8.0 software, and database objects must be removed.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives. \n\nDatabase Management Systems (DBMSs) must adhere to the principles of least functionality by providing only essential capabilities.","checkContent":"Review the list of components and features installed with the MySQL Database Server 8.0.\n\nList options MySQL Plugins/Components\n\nSELECT * FROM information_schema.PLUGINS where plugin_library is NOT NULL;\n\nCompare the feature listing against the required plugins listing. \n\nIf any plugins are installed, but are not required, this is a finding.\n\nSELECT * FROM mysql.component;\n\nCompare the feature listing against the required components listing. \n\nIf any components are installed, but are not required, this is a finding.","fixText":"Uninstall unused components or features that are installed and can be uninstalled. Remove any database objects and applications that are installed to support them.\n\nAfter review of installed plugin components uninstall unused plugins. To do this while the server is running using the UNINSTALL PLUGIN; command: \n\nRemove any plugin that is loaded at startup from the my.cnf file.\n\nFor example - ddl_rewriter is discovered but are not being used. Follow these removal instructions.\nRemove this line from my.cnf:\nplugin-load-add=ddl_rewriter.so\n\nRemove any plugin that is not loaded at startup using the --plugin-load parameter from the my.cnf or on the command line. \nUNINSTALL PLUGIN ;\nUNINSTALL PLUGIN ddl_rewriter;\n\nRemove any component not in use\nUNINSTALL COMPONENT component_name [, component_name ] ...;\n\nFor example - The audit message emit function is not being called, the component is not needed. \nUNINSTALL COMPONENT \"file://component_audit_api_message_emit\";","ccis":["CCI-000381"]},{"vulnId":"V-235145","ruleId":"SV-235145r960963_rule","severity":"medium","ruleTitle":"Unused database components which are integrated in the MySQL Database Server 8.0 and cannot be uninstalled must be disabled.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). \n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives. \n\nDatabase Management Systems (DBMSs) must adhere to the principles of least functionality by providing only essential capabilities.\n\nUnused, unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. Components of the system that are unused and cannot be uninstalled must be disabled. The techniques available for disabling components will vary by DBMS product, OS and the nature of the component and may include DBMS configuration settings, OS service settings, OS file access security, and DBMS user/group permissions.","checkContent":"Review the list of components and features installed with the MySQL Database Server 8.0.\n\nList options MySQL Plugins/Components\n\nSELECT * FROM information_schema.PLUGINS where plugin_library is NOT NULL;\n\nCompare the feature listing against the required plugins listing. \n\nIf any plugins are installed, but are not required, this is a finding.\n\nSELECT * FROM mysql.component;\n\nCompare the feature listing against the required components listing. \n\nIf any components are installed, but are not required, this is a finding.","fixText":"Uninstall unused components or features that are installed and can be uninstalled. Remove any database objects and applications that are installed to support them.\n\nAfter review of installed plugin components uninstall unused plugins. To do this while the server is running using the UNINSTALL PLUGIN; command: \n\nRemove any plugin that is loaded at startup from the my.cnf file.\n\nFor example - ddl_rewriter is discovered but are not being used. Follow these removal instructions.\nRemove this line from my.cnf:\nplugin-load-add=ddl_rewriter.so\n\nRemove any plugin that is not loaded at startup using the --plugin-load parameter from the my.cnf or on the command line. \nUNINSTALL PLUGIN ;\nUNINSTALL PLUGIN ddl_rewriter;\n\nRemove any component not in use\nUNINSTALL COMPONENT component_name [, component_name ] ...;\n\nFor example - The audit message emit function is not being called, the component is not needed. \nUNINSTALL COMPONENT \"file://component_audit_api_message_emit\";","ccis":["CCI-000381"]},{"vulnId":"V-235146","ruleId":"SV-235146r960966_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols/services on information systems.\n\nApplications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. \n\nTo support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.\n\nDatabase Management Systems (DBMSs) using ports, protocols, and services deemed unsafe are open to attack through those ports, protocols, and services. This can allow unauthorized access to the database and through the database to other components of the information system.","checkContent":"Review the MySQL Database Server 8.0 settings and local documentation for functions, ports, protocols, and services that are not approved. If any are found, this is a finding.\n\nRun the following SQL to list ports:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME in ('port', 'mysqlx_port', 'admin_port');\n\nThe default ports for MySQL for organizational connects are: \nClassic MySQL - 3306 \nMySQL X - 33060\nMySQL Admin Port - 33062 (disabled by default)\n\nIf any these are in conflict with guidance, and not explained and approved in the system documentation, this is a finding.\n\nRun the following to determine if a local socket/pipe are in use:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where \nVARIABLE_NAME like '%pipe%' or VARIABLE_NAME = 'socket' or VARIABLE_NAME = 'mysqlx_socket';\n\nValues for classic and xprotocol will be returned.\nFor example on Linux:\n'socket','/tmp/mysql.sock'\n'mysqlx_socket','/tmp/mysqlx.sock'\n Windows\n'named_pipe', 'ON'\n\nIf these are in conflict with guidance, and not explained and approved in the system documentation, this is a finding.","fixText":"Disable functions, ports, protocols, and services that are not approved.\n\nChange mysql options related to network, ports, and protocols for the server and additionally consider refining further at user account level.\n\nvi my.cnf\n[mysqld]\nport=\nadmin_address=\nadmin_port=\nmysqlx_port=\nsocket={file_name|pipe_name}\n\nIf admin_address is not defined then access via the admin port is disabled. \n\nAdditionally the X Plugin can be disabled at startup by either setting mysqlx=0 in the MySQL configuration file, or by passing in either --mysqlx=0 or --skip-mysqlx when starting the MySQL server.\nRestart mysqld","ccis":["CCI-000382"]},{"vulnId":"V-235147","ruleId":"SV-235147r960969_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. \n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and \n(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"Review MySQL Database Server 8.0 settings to determine whether organizational users are uniquely identified and authenticated when logging on/connecting to the system. \n\nUsing SQL, search for external authentication plugins:\nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE '%ldap%' OR PLUGIN_NAME LIKE '%ldap%' OR PLUGIN_NAME LIKE '%pam%';\n\nThis listing will show what is enabled. \n\nIn addition to MySQL password-based internal accounts, there is also support for external accounts:\nLinux PAM (Pluggable Authentication Modules)\nWindows Active Directory (only for Windows MySQL servers)\nNative LDAP \nauth_socket\n\nReview the configuration of the plugin; for link of accounts and permissions to organizational level, run this SQL:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE 'auth%' ;\n\nThis will show external configuration setup for authentication using an organizational authentication source.\n\nReview users using organizational authentication. Review the \"authentication_string\" for proper mapping:\nSELECT `user`.`Host`,\n `user`.`user`,\n `user`.`plugin`,\n `user`.`authentication_string`\n from mysql.user where plugin like 'auth%';\n\nIf organizational users are not uniquely identified and authenticated, this is a finding.\n\nIf accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding.","fixText":"Configure MySQL Database Server 8.0 settings to uniquely identify and authenticate all organizational users who log on/connect to the system.\n\nRemove user-accessible shared accounts and use individual user names. \n\nConfigure applications to ensure successful individual authentication prior to shared account access. \n\nEnsure each user's identity is received and used in audit data in all relevant circumstances.\n\nInstall appropriate auth plugin, for example LDAP.\nINSTALL PLUGIN authentication_ldap_sasl\n SONAME 'authentication_ldap_sasl.so';\nINSTALL PLUGIN authentication_ldap_simple\n SONAME 'authentication_ldap_simple.so';\n\nConfigure\nSET PERSIST authentication_ldap_sasl_server_host='127.0.0.1';\nSET PERSIST authentication_ldap_sasl_bind_base_dn='dc=example,dc=com';\nSET PERSIST authentication_ldap_simple_server_host='127.0.0.1';\nSET PERSIST authentication_ldap_simple_bind_base_dn='dc=example,dc=com';\n\nCreate users with proper organizational mapping, for example:\nCREATE USER 'betsy'@'localhost'\n IDENTIFIED WITH authentication_ldap_simple\n BY 'uid=betsy_ldap,ou=People,dc=example,dc=com';\n\nAssign appropriate roles and grants.","ccis":["CCI-000764"]},{"vulnId":"V-235148","ruleId":"SV-235148r961050_rule","severity":"high","ruleTitle":"The MySQL Database Server 8.0 must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.","description":"Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated cryptographic modules may not implement algorithms correctly. Unapproved cryptographic modules or algorithms should not be relied on for authentication, confidentiality, or integrity. Weak cryptography could allow an attacker to gain access to and modify data stored in the database as well as the administration settings of the Database Management System (DBMS).\n\nApplications, including DBMSs, utilizing cryptography are required to use approved NIST FIPS 140-2 or 140-3 validated cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. \n\nNSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules.\n\nThe standard for validating cryptographic modules will transition to the NIST FIPS 140-3 publication.\n\nFIPS 140-2 modules can remain active for up to five years after validation or until September 21, 2026, when the FIPS 140-2 validations will be moved to the historical list. Even on the historical list, CMVP supports the purchase and use of these modules for existing systems. While Federal Agencies decide when they move to FIPS 140-3 only modules, purchasers are reminded that for several years there may be a limited selection of FIPS 140-3 modules from which to choose. CMVP recommends purchasers consider all modules that appear on the Validated Modules Search Page:\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules\n\nMore information on the FIPS 140-3 transition can be found here: \nhttps://csrc.nist.gov/Projects/fips-140-3-transition-effort/","checkContent":"Review DBMS configuration to verify it is using NIST FIPS validated cryptographic modules for cryptographic operations.\n\nTo check for FIPS validated cryptographic modules for all operations, run this script in the database: \nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'ssl_fips_mode';\n\nThe result will be either \"ON\" or \"STRICT\". If not, then NIST FIPS validated modules are not being used, and this is a finding.","fixText":"Utilize NIST FIPS validated cryptographic modules for all cryptographic operations.\nSee Use MySQL Server OpenSSL FIPS mode. See https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html\n\nTurn on MySQL FIPS mode and restart mysqld\nEdit my.cnf\n[mysqld]\nssl_fips_mode=ON\n\nor\n[mysqld]\nssl_fips_mode=STRICT\n\nON: Enable FIPS mode.\nSTRICT: Enable “strict” FIPS mode.","ccis":["CCI-000803"]},{"vulnId":"V-235149","ruleId":"SV-235149r961053_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).","description":"Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). \n\nNon-organizational users will be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server. \n\nAccordingly, a risk assessment is used in determining the authentication needs of the organization. \n\nScalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.","checkContent":"Review MySQL Database Server 8.0 settings to determine if users uniquely identify and authenticate all non-organizational users who log on to the system.\n\nselect host, user FROM mysql.user WHERE user not in ('mysql.infoschema', 'mysql.session', 'mysql.sys');\n\nIf accounts are determined to be shared, determine if individuals are first individually authenticated. \n\nIf the documentation indicates that this is a public-facing, read-only (from the point of view of public users) database that does not require individual authentication, this is not a finding. \n\nIf non-organizational users are not uniquely identified and authenticated, this is a finding.","fixText":"Configure MySQL Database Server 8.0 settings to uniquely identify and authenticate all non-organizational users who log on to the system.\n\nEnsure all logins are uniquely identifiable and authenticate all non-organizational users who log on to the system. This likely would be done by ensuring mapping of MySQL accounts to individual accounts. Verify server documentation to ensure accounts are documented and unique.","ccis":["CCI-000804"]},{"vulnId":"V-235150","ruleId":"SV-235150r961095_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must separate user functionality (including user interface services) from database management functionality.","description":"Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. \n\nThe separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods, as appropriate. \n\nAn example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. \n\nThis may include isolating the administrative interface on a different domain and with additional access controls.\n\nIf administrative functionality or information regarding DBMS management is presented on an interface available for users, information on DBMS settings may be inadvertently made available to the user.","checkContent":"Check MySQL settings and documentation to verify that administrative functionality is separate from user functionality.\n\nAs Database Administrator (DBA) (“root\"), list all roles and permissions for the database:\n\n> mysql -u root -p\n\nSELECT user,host, 'Global Priv', Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv,\n Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv,\n Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv,\n Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv,\n Repl_slave_priv, Repl_client_priv, Create_view_priv, Show_view_priv,\n Create_routine_priv, Alter_routine_priv, Create_user_priv,\n Event_priv, Trigger_priv, Create_tablespace_priv, Create_role_priv,\n Drop_role_priv \n FROM mysql.user WHERE 'Y' IN\n (Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv,\n Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv,\n Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv,\n Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv,\n Repl_slave_priv, Repl_client_priv, Create_view_priv, Show_view_priv,\n Create_routine_priv, Alter_routine_priv, Create_user_priv,\n Event_priv, Trigger_priv, Create_tablespace_priv, Create_role_priv,\n Drop_role_priv)\nAND user not in ('mysql.infoschema', 'mysql.session');\n\nIf any non-administrative role has permissions, other than mysql.infoschema and mysql.session, this is a finding.\n\nIf administrator and general user functionality are not separated, this is a finding.","fixText":"Configure MySQL Database Server 8.0 to separate database administration and general user functionality.\n\nRevoke or remove users with admin and user mixed permissions.\n\nReview MySQL documentation related to access controls for users and admins: https://dev.mysql.com/doc/refman/8.0/en/access-control.html.","ccis":["CCI-001082"]},{"vulnId":"V-235151","ruleId":"SV-235151r961131_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must isolate security functions from non-security functions.","description":"An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. \n\nSecurity functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.\n\nDevelopers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. \n\nDatabase Management Systems typically separate security functionality from non-security functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. When security and non-security functionality are commingled, users who have access to non-security functionality may be able to access security functionality.\n\nThe mysql database is the system database. It contains tables that store information required by the MySQL server as it runs.\n\nThe INFORMATION_SCHEMA provides access to database metadata, information about the MySQL server such as the name of a database or table, the data type of a column, or access privileges. Other terms sometimes used for this information are data dictionary and system catalog.\n\nThe MySQL Performance Schema is a feature for monitoring MySQL Server execution at a low level. The Performance Schema has these characteristics: The Performance Schema provides a way to inspect internal execution of the server at runtime. It is implemented using the PERFORMANCE_SCHEMA storage engine and the performance_schema database. The PERFORMANCE_SCHEMA storage engine collects event data using “instrumentation points” in server source code. Tables in the Performance Schema are in-memory tables that use no persistent on-disk storage.\n\nMySQL 8.0 includes the sys schema, a set of objects that helps DBAs and developers interpret data collected by the Performance Schema. The sys schema objects can be used for typical tuning and diagnosis use cases.","checkContent":"Determine elements of security functionality (lists of permissions, additional authentication information, stored procedures, application specific auditing, etc.) which are being housed inside the MySQL server.\n\nFor any elements found, check MySQL to determine if these objects or code implementing security functionality are located in a separate security domain, such as a separate database, schema, or table created specifically for security functionality.\n\nIn more generic data terms, MySQL is a single database per instance with multiple schemas. MySQL uses the term database and schema interchangeably. \n\nRun the following query to list all the user-defined schemas.\nSELECT \n `SCHEMATA`.`SCHEMA_NAME`\nFROM `information_schema`.`SCHEMATA` \nwhere `SCHEMA_NAME` not in ('mysql', 'information_schema', 'performance_schema','sys');\n\nReview the database structure to determine where security-related functionality is stored. \n\nIf security-related database objects or code are not kept separate, this is a finding.","fixText":"Check the server documentation, locate security-related database objects and code in a separate database, schema, table, or other separate security domain from database objects and code implementing application logic. \n\nSchemas, also referred to as databases, are analogous to separate namespaces or containers used to store database objects. Security permissions apply to schemas, making them an important tool for separating and protecting database objects based on access rights. Schemas reduce the work required, and improve the flexibility, for security-related administration of a database. A MySQL schema is a named container for database objects, which allows objects to be grouped into separate namespaces.\n\nWhere possible, locate security-related database objects and code in a separate database, schema, or other separate security domain from database objects and code implementing application logic. In all cases, use GRANT, REVOKE, … , DROP ROLE statements to add and remove permissions on administrative/server-level and schema/database-level, or database object security-related objects to provide effective isolation.","ccis":["CCI-001084"]},{"vulnId":"V-235152","ruleId":"SV-235152r961149_rule","severity":"medium","ruleTitle":"Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.","description":"Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. \n\nData used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location without the proper controls.","checkContent":"Review the procedures for the refreshing of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose. Verify that copies of production data are not left in unprotected locations. \n\nIf the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.","fixText":"Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations.","ccis":["CCI-001090"]},{"vulnId":"V-235153","ruleId":"SV-235153r961149_rule","severity":"medium","ruleTitle":"Access to database files must be limited to relevant processes and to authorized, administrative users.","description":"Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. Permitting only DBMS processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.\n\nAs a general rule, distributed files and resources should follow the principal of least privilege, which requires that users, processes, programs, and other system components only have access to information and resources required for their legitimate purpose.","checkContent":"Review the permissions granted to users via the operating system/file system on the instance files, database files, database redo, undo, archive, bin and audit log files, and database backup files.\n\nIf any user/role who is not an authorized system administrator with a need to know or database administrator with a need to know, or a system account for running DBMS processes permitted to read/view any of these files, this is a finding.\n\nNote: When the instance and database directories are created by mysql installations packages, the permissions are secure and should not be changed.\n\nRun ls -l on the various files and directory. Permissions should be limited to the mysql user and mysql group.\n\nUse the following queries/commands to find the locations of instance directory, database directory, transaction logs directory, archive logs directory, audit logs directory, and backup files location.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE '%dir' or VARIABLE_NAME LIKE '%file' order by VARIABLE_NAME;\n\nRegarding Linux default installation:\nProper permissions are shown below. If the permissions are more permissive for a Location Type, this is a finding.\n\nThe following table shows directory and file permissions for the generic binary distribution installation of MySQL Enterprise Edition for Linux x86-64 on Oracle Linux that is described in this guide.\n\nAs indicated previously, most of the MySQL installation can be owned by root. The exceptions are the data directory, the error log file, the mysql-files directory, the pid file, and the socket file, to which the mysql user must have write access. Files and resources to which the mysql user requires read access include configuration files (/etc/my.cnf) and the MySQL binaries (for example /usr/local/mysql/bin).\n\nDesc/Typical Location Owner Directory File\n Permissions Permissions\n--------------------- ----- ----------- -----------\nClient and utility programs directory\n/usr/local/mysql/bin root drwxr-xr-x\nmysqld server \n/usr/local/mysql/bin root drwxr-xr-x -rwxr-xr-x\nMySQL configuration file \n/etc/my.cnf root drwxr-xr-x -rw-r--r--\nData directory \n/usr/local/mysql/data mysql drwxr-x---\nError log file \n /host_name.err \n mysql drwxr-x--- -rw-------\nsecure_file_priv directory \n/usr/local/mysql/mysql-files mysql drwxr-x---\nmysqld systemd service file \n/usr/lib/systemd/system/mysqld.service \n root drwxr-xr-x -rw-r--r--\nsystemd tmpfiles configuration file \n/usr/lib/tmpfiles.d/mysql.conf root drwxr-xr-x -rw-r--r--\npid file \n /mysqld.pid \n mysql drwxr-x--- -rw-r-----\nsocket file \n/tmp/mysql.sock mysql drwxrwxrwt srwxrwxrwx\nUnix manual pages directory \n/usr/local/mysql/man root drwxr-xr-x\nInclude Header files directory \n/usr/local/mysql/include root drwxr-xr-x\nLibraries directory \n/usr/local/mysql/lib root drwxr-xr-x\nMiscellaneous support files directory \n/usr/local/mysql/support-files root drwxr-xr-x\nMiscellaneous files directory \n/usr/local/mysql/share root drwxr-xr-x","fixText":"Configure the permissions granted by the operating system/file system on the database files, database log files, and database backup files so that only relevant system accounts and authorized system administrators and database administrators with a need to know are permitted to read/view these files. Remove any unauthorized permission grants from MySQL data, audit, certificate, key, or other directories.","ccis":["CCI-001090"]},{"vulnId":"V-235154","ruleId":"SV-235154r961119_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.","description":"One class of man-in-the-middle, or session hijacking, attack involves the adversary guessing at valid session identifiers based on patterns in identifiers already known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of unique session identifiers using a FIPS 140-2 or 140-3 approved random number generator.\n\nHowever, it is recognized that available DBMS products do not all implement the preferred technique yet may have other protections against session hijacking. Therefore, other techniques are acceptable, provided they are demonstrated to be effective.","checkContent":"Determine if MySQL is configured to require SSL. \n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME like 'require_secure_transport';\n\nIf require_secure_transport is not \"ON\", this is a finding.\n\nDetermine if MySQL is configured to require the use of FIPS compliant algorithms. \n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME = 'ssl_fips_mode';\n\nIf ssl_fips_mode is not \"ON\", this is a finding.","fixText":"Connect as a mysql administrator \nmysql> set persist require_secure_transport=ON;\n\nTurn on MySQL FIPS mode (ON or STRICT) and restart mysqld\nEdit my.cnf\n[mysqld]\nssl_fips_mode=ON\nor\nssl_fips_mode=STRICT","ccis":["CCI-001188"]},{"vulnId":"V-235155","ruleId":"SV-235155r961128_rule","severity":"high","ruleTitle":"The MySQL Database Server 8.0 must protect the confidentiality and integrity of all information at rest.","description":"This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Applications and application users generate information throughout the course of their application use. \n\nUser data generated, as well as application-specific configuration data, needs to be protected. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate. \n\nIf the confidentiality and integrity of application data is not protected, the data will be open to compromise and unauthorized modification.","checkContent":"If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding.\n\nReview settings to ensure appropriate controls are applied to protect the confidentiality and integrity of data at rest in the database.\n\nUsing SQL determine if all data-at-rest is encrypted.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'audit_log_encryption';\n\nIf \"audit_log_encryption\" is not set to \"AES\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'binlog_encryption';\n\nIf \"binlog_encrypt\" is not set to \"ON\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'innodb_redo_log_encrypt';\n\nIf \"innodb_redo_log_encrypt\" is not set to \"ON\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'innodb_undo_log_encrypt';\n\nIf \"innodb_undo_log_encrypt\" is not set to \"ON\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME like 'general_log';\n\nIf \"general_log\"is not \"OFF\", this is a finding.\n\nFind encryption status for all mysql table and tablespaces.\nSELECT\n `INNODB_TABLESPACES`.`NAME`,\n `INNODB_TABLESPACES`.`ENCRYPTION`\nFROM `information_schema`.`INNODB_TABLESPACES`;\n\nIf any tablespace other than innodb_temporary does not have ENCRYPTION set to \"Y (yes)\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'table_encryption_privilege_check';\n\nIf \"innodb_redo_log_encrypt\" is not set to \"ON\", this is a finding.","fixText":"Apply appropriate MySQL Database 8.0 controls to protect the confidentiality and integrity of data at rest in the database.\n\nsudo vi /etc/my.cnf\n[mysqld]\naudit-log=FORCE_PLUS_PERMANENT\naudit-log-format=JSON\naudit-log-encryption=AES\n\nTurn on binlog encryption\nset persist binlog_encryption=ON;\n\nTurn on undo and redo log encryption\nset persist innodb_redo_log_encrypt=ON;\nset persist innodb_undo_log_encrypt=ON;\n\nEnable encryption for a new file-per-table tablespace, specify the ENCRYPTION option in a CREATE TABLE statement. \nThe following example assumes that innodb_file_per_table is enabled.\nmysql> CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';\n\nTo enable encryption for an existing file-per-table tablespace, specify the ENCRYPTION option in an ALTER TABLE statement.\nmysql> ALTER TABLE t1 ENCRYPTION='Y';\n\nTo disable encryption for file-per-table tablespace, set ENCRYPTION='N' using ALTER TABLE.\nmysql> ALTER TABLE t1 ENCRYPTION='N';\n\nDisable the general_log\nSET PERSIST general_log = 'OFF';","ccis":["CCI-001199"]},{"vulnId":"V-235156","ruleId":"SV-235156r961158_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must check the validity of all data inputs except those specifically identified by the organization.","description":"Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.\n\nWith respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nEven when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.","checkContent":"Review MySQL Database Server 8.0 code (stored procedures, functions, triggers), application code, settings, column and field definitions, triggers, and constraints to determine whether the database is protected against invalid input. If code exists that allows invalid data to be acted upon or input into the database, this is a finding.\n\nIf column/field definitions do not exist in the database, this is a finding.\n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding.\n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding.\n\nWhere a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.\n\nMySQL Workbench Schema and Table Inspectors are effective tools for performing the review process, as are the MySQL Information Schema, and MySQL Schema tables.","fixText":"Use parameterized queries, constraints, foreign keys, etc., to validate data input.\n\nModify MySQL SQL Server to properly use the correct column data types as required in the database.","ccis":["CCI-001310"]},{"vulnId":"V-235157","ruleId":"SV-235157r961158_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 and associated applications must reserve the use of dynamic code execution for situations that require it.","description":"With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where SQL queries are being assembled by application code (which may be within the database or separate from it) and executed dynamically, the attacker is then able to craft input strings that subvert the intent of the query. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nThe principal protection against code injection is not to use dynamic execution except where it provides necessary functionality that cannot be utilized otherwise. Use strongly typed data items rather than general-purpose strings as input parameters to task-specific, pre-compiled stored procedures and functions (and triggers).","checkContent":"Review MySQL source code (trigger procedures, functions) and application source code, to identify cases of dynamic code execution. Any user input should be handled through prepared statements or calls that bind parameters versus generating SQL.\n\nIf dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, this is a finding.","fixText":"Where dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, modify the code to do so.","ccis":["CCI-001310"]},{"vulnId":"V-235158","ruleId":"SV-235158r961158_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.","description":"With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where SQL queries are being assembled by application code (which may be within the database or separate from it) and executed dynamically, the attacker is then able to craft input strings that subvert the intent of the query. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nThe principal protection against code injection is not to use dynamic execution except where it provides necessary functionality that cannot be utilized otherwise. Use strongly typed data items rather than general-purpose strings as input parameters to task-specific, pre-compiled stored procedures and functions (and triggers).\n\nWhen dynamic execution is necessary, ways to mitigate the risk include the following, which should be implemented both in the on-screen application and at the database level, in the stored procedures:\n-- Allow strings as input only when necessary. \n-- Rely on data typing to validate numbers, dates, etc. Do not accept invalid values. If substituting other values for them, think carefully about whether this could be subverted.\n-- Limit the size of input strings to what is truly necessary.\n-- If single quotes/apostrophes, double quotes, semicolons, equal signs, angle brackets, or square brackets will never be valid as input, reject them.\n-- If comment markers will never be valid as input, reject them. In SQL, these are -- or /* */ \n-- If HTML and XML tags, entities, comments, etc., will never be valid, reject them.\n-- If wildcards are present, reject them unless truly necessary. In SQL these are the underscore and the percentage sign, and the word \"ESCAPE\" is also a clue that wildcards are in use.\n-- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject them. Use case-insensitive comparisons when searching for these. Bear in mind that some of these words, particularly Grant (as a person's name), could also be valid input. \n-- If there are range limits on the values that may be entered, enforce those limits.\n-- Institute procedures for inspection of programs for correct use of dynamic coding, by a party other than the developer.\n-- Conduct rigorous testing of program modules that use dynamic coding, searching for ways to subvert the intended use.\n-- Record the inspection and testing in the system documentation.\n-- Bear in mind that all this applies not only to screen input, but also to the values in an incoming message to a web service or to a stored procedure called by a software component that has not itself been hardened in these ways. Not only can the caller be subject to such vulnerabilities; it may itself be the attacker.\n\nThe MySQL Firewall runs within the MySQL server and enables database administrators to permit or deny SQL statement execution based on matching against whitelists of accepted statement patterns. This hardens MySQL Server against attacks such as SQL injection or attempts to exploit applications by using them outside of their legitimate query workload characteristics.","checkContent":"Review MySQL Database Server 8.0 source code (stored procedures, functions, and triggers) and application source code to identify cases of dynamic code execution.\n\nDetermine if the MySQL Enterprise Firewall is installed and trained to recognize normal behavior and block or alert of abnormal requests. Run the following command:\nSHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';\n\nReview firewall users and Mode.\nSELECT * FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS;\nIf no rows are returned and no firewall allow lists are active, this is a finding.\n\nIf LEARNING is returned, the firewall is building an allow list for the userhost user.\n\nIf PROTECTING is returned, the firewall will only permit SQL on the allow list for the userhost user to execute.\n\nIf DETECTING is returned, the firewall will write to the firewall log SQL not on the allow list for the userhost user to execute.\n \nIf dynamic code execution is employed without protective measures against code injection, this is a finding.","fixText":"Where dynamic code execution is used, modify the code to implement protections against code injection. \n\nEnable the MySQL Enterprise Firewall by running this script, which is located in the mysql home share sub directory. \nmysql -u root -p mysql < linux_install_firewall.sql\n\nTrain the firewall for users where dynamic code injection is possible, for examples applications that allow user input.\n\nCALL mysql.sp_set_firewall_mode('fwuser@localhost', 'RECORDING');\n\nOnce the allowlist for the user/host has been captured, the firewall can be placed in PROTECTING (active blocking) or DETECTING(logging) mode.\nCALL mysql.sp_set_firewall_mode('fwuser@localhost', 'PROTECTING');\nCALL mysql.sp_set_firewall_mode('fwuser@localhost', 'DETECTING');","ccis":["CCI-001310"]},{"vulnId":"V-235159","ruleId":"SV-235159r960888_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must initiate session auditing upon startup.","description":"Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session auditing is in use, it needs to be in operation for the whole time the Database Management System (DBMS) is running.","checkContent":"Determine if an audit is configured and enabled. \n\nThe my.cnf file will set the variable audit_file.\n\nReview the my.cnf file for the following entries:\n[mysqld]\nplugin-load-add=audit_log.so\naudit-log=FORCE_PLUS_PERMANENT\n\nIf these entries are not present. This is a finding.\n\nExecute the following query: \nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the \"audit_log plugin\" must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.","fixText":"Configure the MySQL Audit to automatically start during system startup. \nAdd to the my.cnf: \n\n[mysqld]\nplugin-load-add=audit_log.so\naudit-log=FORCE_PLUS_PERMANENT\naudit-log-format=JSON","ccis":["CCI-001464"]},{"vulnId":"V-235160","ruleId":"SV-235160r960939_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must protect its audit features from unauthorized access.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. \n\nDepending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. \n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, OS-provided audit tools, vendor-provided audit tools, and open source audit tools needed to successfully view and manipulate audit information system activity and records. \n\nIf an attacker were to gain access to audit tools, he could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.","checkContent":"Check users with permissions to administer MySQL Auditing.\n\nselect * from information_schema.user_privileges where privilege_type = 'AUDIT_ADMIN';\n\nIf unauthorized accounts have these the AUDIT_ADMIN privilege, this is a finding.","fixText":"Remove audit-related permissions from individuals and roles not authorized to have them. \n\nREVOKE AUDIT_ADMIN on *.* FROM ;","ccis":["CCI-001493"]},{"vulnId":"V-235161","ruleId":"SV-235161r960942_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must protect its audit configuration from unauthorized modification.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the modification of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Check users with permissions to administer MySQL Auditing.\n\nselect * from information_schema.user_privileges where privilege_type = 'AUDIT_ADMIN';\n\nIf unauthorized accounts have the AUDIT_ADMIN privilege, this is a finding.\n\nCheck that a keyring plugin is installed.\nSELECT * FROM information_schema.PLUGINS where plugin_name like 'keyring%';\n\nIf no keyring is installed, this is a finding.\n\nCheck if the audit files are encrypted.\n\nTo check for data encryption at rest settings in MySQL:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'audit_log_encryption';\n\nIf \"audit_log_encryption\" is not set to \"AES\", this is a finding.","fixText":"Remove audit-related permissions from individuals and roles not authorized to have them. \n\nREVOKE AUDIT_ADMIN on *.* FROM ;\n\nSet audit log format to use AES encryption.\nsudo vi /etc/my.cnf\n[mysqld]\nearly-plugin-load=keyring_file.so\naudit-log=FORCE_PLUS_PERMANENT\naudit-log-format=JSON\naudit-log-encryption=AES\n\nNote: First instantiate the keyring plugin which is needed to store the audit encryption key.\nThe example above has an \"early-plugin-load=keyring_file.so\" entry in the my.cnf file. \nA keyring plugin must be present before adding the \"audit-log-encryption=AES\" entry or the database will not start.\n\nBelow are valid key ring plugins: \n\nFor dev test - not encrypted\nearly-plugin-load=keyring_file.so\n\nEncrypted file\nearly-plugin-load=keyring_encrypted_file.so\nkeyring_encrypted_file_data=/usr/local/mysql/mysql-keyring/keyring-encrypted\nkeyring_encrypted_file_password=password\n\nKMIP\nearly-plugin-load=keyring_okv.so\nkeyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv\n\nOracle Cloud Vault\nearly-plugin-load=keyring_oci.so\nkeyring_oci_user=ocid1.user.oc1..longAlphaNumericString\nkeyring_oci_tenancy=ocid1.tenancy.oc1..longAlphaNumericString\nkeyring_oci_compartment=ocid1.compartment.oc1..longAlphaNumericString\nkeyring_oci_virtual_vault=ocid1.vault.oc1.iad.shortAlphaNumericString.longAlphaNumericString\nkeyring_oci_master_key=ocid1.key.oc1.iad.shortAlphaNumericString.longAlphaNumericString\nkeyring_oci_encryption_endpoint=shortAlphaNumericString-crypto.kms.us-ashburn-1.oraclecloud.com\nkeyring_oci_management_endpoint=shortAlphaNumericString-management.kms.us-ashburn-1.oraclecloud.com\nkeyring_oci_vaults_endpoint=vaults.us-ashburn-1.oci.oraclecloud.com\nkeyring_oci_secrets_endpoint=secrets.vaults.us-ashburn-1.oci.oraclecloud.com\nkeyring_oci_key_file=file_name\nkeyring_oci_key_fingerprint=12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef\n\nHashicorp\nearly-plugin-load=keyring_hashicorp.so\nkeyring_hashicorp_role_id='ee3b495c-d0c9-11e9-8881-8444c71c32aa'\nkeyring_hashicorp_secret_id='0512af29-d0ca-11e9-95ee-0010e00dd718'\nkeyring_hashicorp_store_path='/v1/kv/mysql'","ccis":["CCI-001494"]},{"vulnId":"V-235162","ruleId":"SV-235162r960945_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must protect its audit features from unauthorized removal.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Check users with permissions to administer MySQL Auditing.\n\nselect * from information_schema.user_privileges where privilege_type = 'AUDIT_ADMIN';\n\nIf unauthorized accounts have these the AUDIT_ADMIN privilege, this is a finding.","fixText":"This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.","ccis":["CCI-001495"]},{"vulnId":"V-235163","ruleId":"SV-235163r960960_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to the MySQL Database Server 8.0.","description":"If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.","checkContent":"Review Server documentation to determine the authorized owner and users or groups with modify rights for this SQL instance's binary files. Additionally check the owner and users or groups with modify rights for shared software library paths on disk. \n\nIf any unauthorized users are granted modify rights, this is a finding. \n\nA plugin located in a plugin library file can be loaded at runtime with the INSTALL PLUGIN statement. The statement also registers the plugin in the mysql.plugin table to cause the server to load it on subsequent restarts. For this reason, INSTALL PLUGIN requires the INSERT privilege for the mysql.plugin table, and UNINSTALL requires DELETE.\n\nRun the following statement to check for table specific privileges:\nSELECT * FROM information_schema.TABLE_PRIVILEGES where (table_schema='mysql' and table_name=`plugin`) or (table_schema='mysql' and table_name='component';)\n\nIf privilege_type is INSERT or DELETE for an unauthorized user, this is a finding.\n\nRun the following statement to check for global privileges:\nselect * from information_schema.user_privileges where privilege_type='INSERT' or privilege_type='DELETE';\n\nIf privilege_type is INSERT or DELETE for an unauthorized user, this is a finding.","fixText":"Remove permissions from users who should not have insert or update access to the mysql.plugin or mysql.component table.","ccis":["CCI-001499"]},{"vulnId":"V-235164","ruleId":"SV-235164r960960_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 software installation account must be restricted to authorized users.","description":"When dealing with change control issues, it must be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system. \n\nIf the system were to allow any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nDBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a great impact on database security and operation. It is especially important to grant privileged access to only those persons who are qualified and authorized to use them.","checkContent":"Review procedures for controlling and granting access to use of the DBMS software installation account.\n\nIf access or use of this account is not restricted to the minimum number of personnel required, or if unauthorized access to the account has been granted, this is a finding.","fixText":"Develop, document, and implement procedures to restrict and track use of the MySQL Database Server 8.0 software installation account.","ccis":["CCI-001499"]},{"vulnId":"V-235165","ruleId":"SV-235165r960960_rule","severity":"medium","ruleTitle":"Database software, including MySQL Database Server 8.0 configuration files, must be stored in dedicated directories, or DASD pools (remove), separate from the host OS and other applications.","description":"When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. \n\nMultiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.","checkContent":"Review the MySQL Database Server 8.0 software library directory and note other root directories located on the same disk directory or any subdirectories.\n\nTo list directory variables run:\nshow variables where variable_name like '%dir%';\n\nIf any non-MySQL Database Server 8.0 software directories exist on the datadir, basedir, or other non tmpdir directories, examine or investigate their use. \n\nIf any of the directories are used by other applications, including third-party applications that use the MySQL Database Server 8.0, this is a finding.\n\nOnly applications that are required for the functioning and administration, not use, of the MySQL Database Server 8.0 should be located in the same disk directory as the DBMS software libraries. \n\nIf other applications are located in the same directory as the DBMS, this is a finding.\n\nTo determine where the mysql configuration file(s) are being stored and which configuration file(s) was used for which variables, run the following command:\nSELECT t1.*, VARIABLE_VALUE \n FROM performance_schema.variables_info t1 \n JOIN performance_schema.global_variables t2 \n ON t2.VARIABLE_NAME=t1.VARIABLE_NAME where length(t1.variable_path) > 0;\n\nIf result of VARIABLE_PATH shows that configuration values are not stored in files dedicated directories separate from the host os or other applications, this is a finding.","fixText":"Install all applications on directories separate from the DBMS software library directory. Relocate any directories or reinstall other application software that currently shares the DBMS software library directory.\n\nIf it is determined that configuration (options files) are inappropriately located, take the steps to move and protect these files and reconfigure mysqld startup commands to point to new the file location by setting the \"--defaults-file\" to point to the new location and filename for the mysql configuration file.","ccis":["CCI-001499"]},{"vulnId":"V-235166","ruleId":"SV-235166r960960_rule","severity":"medium","ruleTitle":"The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the MySQL Database Server 8.0, etc.) must be restricted to authorized users.","description":"If the DBMS were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.","checkContent":"MySQL database objects do not have an owner. MySQL is a single instance and single database with multiple schemas (aliased to be called either schema or database). Permissions are based on schemas and schema objects and privileges include grants to objects or grants to allow users to further grants access to objects. To reiterate, there is not an object owner just rights assigned to schemas and the objects within them.\n\nTo determine rights to objects via schema, table, or user privileges run the following:\nSELECT * FROM `information_schema`.`SCHEMA_PRIVILEGES`;\nSELECT * FROM `information_schema`.`TABLE_PRIVILEGES`;\nSELECT * FROM `information_schema`.`COLUMN_PRIVILEGES`;\nSELECT * FROM `information_schema`.`USER_PRIVILEGES`;\nSELECT * FROM `information_schema`.`ROLE_COLUMN_GRANTS`;\nSELECT * FROM `information_schema`.`ROLE_TABLE_GRANTS`;\n\nOn a per-user basis, for example:\nshow grants for 'test'@'%'; \n\nIf any database objects are found to have access by users not authorized to the database objects, this is a finding.","fixText":"Assign ownership of authorized objects to authorized object owner accounts.\n\nReview user accounts with the GRANT OPTION. \n\nREVOKE GRANT OPTION to limit users with grant privileges.","ccis":["CCI-001499"]},{"vulnId":"V-235167","ruleId":"SV-235167r961470_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.","description":"Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.","checkContent":"The server must only use approved network communication libraries, ports, and protocols. \n\nObtain a list of all approved network libraries, communication ports, and protocols from the server documentation. \n\nVerify that the protocols are enabled for the instance. \n\nRun the following SQL to list ports:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME in ('port', 'mysqlx_port', 'admin_port');\n\nThe default ports for MySQL for organizational connects are:\nClassic MySQL Protocol - 3306, MySQL X Protocol 33060, MySQL Admin Port (disabled by default)\n\nIf these are in conflict with guidance, and not explained and approved in the system documentation, this is a finding.\n\nRun the following to determine if a local socker/pipe are in use:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where \nVARIABLE_NAME like '%pipe%' or VARIABLE_NAME = 'socket' or VARIABLE_NAME = 'mysqlx_socket';\n\nValues are for classic and xprotocol will be returned.\nFor example on Linux\n'socket','/tmp/mysql.sock'\n'mysqlx_socket','/tmp/mysqlx.sock'\n Windows\n'named_pipe', 'ON';\n\nIf these are in conflict with guidance, and not explained and approved in the system documentation, this is a finding.\n\nRun the following statement to inspect port settings:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME LIKE '%port%' or VARIABLE_NAME LIKE '%port' order by VARIABLE_NAME;\n\nLinux local socket \nselect @@socket;\n\nWindows local pipe\nselect @@named_pipe;\n\nIf any ports or protocols are used that are not specifically approved in the server documentation, this is a finding.","fixText":"Disable each prohibited network function, port, protocol, or service prohibited by the PPSM guidance.\n\nChange mysql options related to network, ports, and protocols for the server and additionally consider refining further at user account level.\n\nTo set ports properly, edit the mysql configuration file and change ports or protocol settings.\n\nvi my.cnf\n[mysqld]\nport=\nadmin_port=\nmysqlx_port=\nsocket=/path/to/socket\n\nTo turn off TCP/IP:\n\nskip_networking=ON\n\nIf admin_address is not defined then access via the admin port is disabled. \n\nAdditionally the X Plugin can be disabled at startup/restart by either setting mysqlx=0 in the MySQL configuration file, or by passing in either \"--mysqlx=0\" or \"--skip-mysqlx\" when starting the MySQL server.","ccis":["CCI-001762"]},{"vulnId":"V-235168","ruleId":"SV-235168r1018614_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.","description":"Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user.\n\nDatabase Management System (DBMS) functionality and the nature and requirements of databases will vary; so while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The requirements for production servers will be more restrictive than those used for development and research.\n\nThe DBMS must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. \n\nIn the case of a DBMS, this requirement covers stored procedures, functions, triggers, views, etc.","checkContent":"MySQL requires users (other than root) to be explicitly granted the CREATE ROUTINE privilege in order to install logical modules.\n\nTo obtain a listing of users and roles who are authorized to create, alter, or replace stored procedures and functions from the server documentation.\n\nExecute the following query for server level permissions:\n\nSELECT `user`.`Host`,\n `user`.`User`\nFROM `mysql`.`user`\n where `Create_routine_priv`='Y' OR\n `Alter_routine_priv` = 'Y';\n\nIf any users or role permissions returned are not authorized to modify the specified object or type, this is a finding. \n\nIf any user or role membership is not authorized, this is a finding.\n\nExecute the following query for database schema level permission (db is the schema name):\nSELECT `db`.`Host`,\n `db`.`User`,\n `db`.`Db`\nFROM `mysql`.`db` where `db`.`Create_routine_priv`='Y' OR\n `db`.`Alter_routine_priv` = 'Y';\n\nIf any users or role permissions returned are not authorized to modify the specified object or type, this is a finding. \n\nIf any user or role membership is not authorized, this is a finding.","fixText":"MySQL requires users (other than root) to be explicitly granted the CREATE ROUTINE privilege in order to install logical modules. \n\nCheck user grants using the SHOW GRANTS and look for appropriate assignment of CREATE ROUTINE. \n\nFor example - REVOKE CREATE ROUTINE ON mydb.* TO 'someuser'@'somehost';","ccis":["CCI-003980","CCI-001812"]},{"vulnId":"V-235169","ruleId":"SV-235169r961461_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must enforce access restrictions associated with changes to the configuration of the MySQL Database Server 8.0 or database(s).","description":"Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. \n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.","checkContent":"Review the security configuration of the MySQL Database Server 8.0 and database(s). If it does not enforce access restrictions associated with changes to the configuration of the MySQL Database Server 8.0 or database(s), this is a finding.\n\nMySQL configuration can be set two ways: \n1) The mysql configuration file. This file must be owned and permissions to read or write to it limited to the mysql OS user only. \n2) Via a SET command within the server itself. These commands may be limited by limiting \"server administration\" privileges. User privileges can be shown using the SHOW GRANTS [FOR user]. This data is written to mysqld-auto.cnf file.\n\nSee the mysql secure configuration guide for more information.\n\nRun the following command to check the mysql the linux permissions on my.cnf: \nls -l /etc/my.cnf\n\nThe permissions must be:\nFile or Resource Location Owner Directory Permissions File Permissions\nMySQL configuration file /etc/my.cnf root drwxr-xr-x -rw-r--r--\n\nIf the permissions are more permissive than the above, this is a finding.\n\nAs of mysql 8.0 configuration variables can also be set and changed using persist system variable settings that save to a file named mysqld-auto.cnf\nThis file is in the mysql data dir. See the example below.\n\nsudo ls -l /usr/local/mysql-commercial-8.0.16-macos10.14-x86_64/data/mysqld-auto.cnf\n-rw-r----- 1 _mysql _mysql 2721 May 13 14:00 /usr/local/mysql-commercial-8.0.16-macos10.14-x86_64/data/mysqld-auto.cnf\n\nIf the permissions of the mysqld-auto.cnf are more permissive, this is a finding.","fixText":"Configure the MySQL Database Server 8.0 to enforce access restrictions associated with changes to the configuration of the MySQL Database Server 8.0 or database(s).\n\nCheck and change file permissions on the MySQL Configuration file so the mysql OS user owns and file and is the only user with read-write permissions. Use the SHOW GRANTS statements to audit who has SUPER permissions and remove any users with excess privileges.\n\nFor my.cnf, change ownership and permissions to:\nFile or Resource Location Owner Directory Permissions File Permissions\nMySQL configuration file /etc/my.cnf root drwxr-xr-x -rw-r--r--\n\nThe mysqld-auto.cnf is created and managed by the mysql instance, as such permissions should be correct. If not correct, change \"owner\" to \"mysql\" and \"rw r\" to \"640\".","ccis":["CCI-001813"]},{"vulnId":"V-235170","ruleId":"SV-235170r1018615_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must produce audit records of its enforcement of access restrictions associated with changes to the configuration of the MySQL Database Server 8.0 or database(s).","description":"Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks and an audit trail would not be available for forensic investigation for after-the-fact actions. \n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.","checkContent":"Determine if an audit is configured to capture denied actions.\n\nCheck if MySQL audit is configured and enabled. The my.cnf file will set the variable audit_file.\n\nTo further check, execute the following query: \n\nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE 'audit%';\n\nThe status of the audit_log plugin must be \"active\". If it is not \"active\", this is a finding.\n\nReview audit filters and associated users by running the following queries:\nSELECT `audit_log_filter`.`NAME`,\n `audit_log_filter`.`FILTER`\nFROM `mysql`.`audit_log_filter`;\n\nSELECT `audit_log_user`.`USER`,\n `audit_log_user`.`HOST`,\n `audit_log_user`.`FILTERNAME`\nFROM `mysql`.`audit_log_user`;\n\nAll currently defined audits for the MySQL server instance will be listed. If no audits are returned, this is a finding.\n\nConnect and run commands as a low-privilege user. For example attempt to change system variables, user name, or another user's password, all of which should fail:\nset persist wait_timeout=28000; \nrename user passme to cantchange;\nSET PASSWORD FOR passme = 'sfsdfsdf';\n\nReview the audit log and inspect event data containing identity and user subject details by running the Linux command:\nsudo cat /audit.log\n\nFor example, if the values returned by \"select @@datadir, @@audit_log_file; \" are /usr/local/mysql/data/, audit.log \nsudo cat /usr/local/mysql/data/audit.log\n\n{ \"timestamp\": \"2020-08-31 20:10:21\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 38, \"account\": { \"user\": \"fewconnects\", \"host\": \"localhost\" }, \"login\": { \"user\": \"fewconnects\", \"os\": \"\", \"ip\": \"127.0.0.1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"set_option\", \"query\": \"set persist wait_timeout=28000\", \"status\": 1227 } },\n{ \"timestamp\": \"2020-08-31 20:10:48\", \"id\": 1, \"class\": \"general\", \"event\": \"status\", \"connection_id\": 38, \"account\": { \"user\": \"fewconnects\", \"host\": \"localhost\" }, \"login\": { \"user\": \"fewconnects\", \"os\": \"\", \"ip\": \"127.0.0.1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"rename_user\", \"query\": \"rename user passme to cantchange\", \"status\": 1227 } },\n, \"host\": \"localhost\" }, \"login\": { \"user\": \"fewconnects\", \"os\": \"\", \"ip\": \"127.0.0.1\", \"proxy\": \"\" }, \"general_data\": { \"command\": \"Query\", \"sql_command\": \"set_password\", \"query\": \"SET PASSWORD FOR `passme`@`%`=\", \"status\": 1044 } },\n\nNote each has a non-zero status, 1227, 1227, and 1044 respectively.\n\nIf the audit log does not contain records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s), this is a finding.","fixText":"If currently required, configure the MySQL Database Server to produce audit records when enforcement of access restrictions is associated with changes to the configuration of the DBMS or database(s).\n\nRefer to the supplemental file \"MySQL80Audit.sql\".","ccis":["CCI-003938","CCI-001814"]},{"vulnId":"V-235173","ruleId":"SV-235173r961392_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.","description":"To ensure sufficient storage capacity for the audit logs, the Database Management System (DBMS) must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates that audit data be off-loaded to a centralized log management system, it remains necessary to provide space on the database server to serve as a buffer against outages and capacity limits of the off-loading mechanism.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of the DBMS and is closely associated with the DBA and system administrator roles. The DBA or system administrator will usually coordinate the allocation of physical drive space with the application owner/installer and the application will prompt the installer to provide the capacity information, the physical location of the disk, or both.\n\nIn determining the capacity requirements, consider such factors as: total number of users; expected number of concurrent users during busy periods; number and type of events being monitored; types and amounts of data being captured; the frequency/speed with which audit records are off-loaded to the central log management system; and any limitations that exist on the DBMS's ability to reuse the space formerly occupied by off-loaded records.","checkContent":"Check the server documentation for the SQL Audit file size configurations. Locate the Audit file path and drive. \n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables\nWHERE VARIABLE_NAME = 'audit_log_file'\n OR VARIABLE_NAME= 'datadir'\n OR VARIABLE_NAME = 'audit_log_rotate_on_size';\n\nIf the value of audit_log_file contains a path, for example:\n/var/log/mysql/audit.log\nThis is the location of the audit log, and the location to assess the storage capacity.\n\nIf the value of audit_log_file is the filename alone, for example:\naudit.log\nThe audit logs are located in the path returned by datadir.\n\nCalculate the space needed based on the audit file size and number of audit files to be stored simultaneously. \n\nNote that MySQL does not delete log files; that requires third-party tools or custom scripts.\n\nIf the calculated product of the \"audit_log_rotate_on_size\" times the number of audit files allowed will exceed the size of the storage location, this is a finding.","fixText":"Review the MySQL Audit file location, ensure the destination has enough space available to accommodate the maximum total size of all files that could be written. \n\nUse a script or third-party tool to manage the maximum number of audit log files that are to be stored, staying within the number of logs the system was sized to support. \n\nUse compression and JSON format to reduce file growth.\n\nUpdate the location for audit_log_file in the MySQL configuration file, for example:\n[mysqld]\naudit-log-file=/var/log/mysql/audit.log\naudit-log-format=JSON\naudit-log-compression=GZIP","ccis":["CCI-001849"]},{"vulnId":"V-235174","ruleId":"SV-235174r961860_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity. \n\nThe DBMS may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.","checkContent":"Review the system documentation for a description of how audit records are off-loaded.\n\nCheck that the OS or software is in place to copy or transfer the specified audit record content to a centralized audit log repository. If it is not, this is a finding.\n\nCheck that permissions are set on the either the MySQL audit log read functions (users granted AUDIT_ADMIN or MySQL Audit Files and on the target repository to enable the required transfer of audit data. If not, this is a finding.\n\nVerify that the specified audit record content is indeed copied or transferred to the central repository. If it is not, this is a finding.","fixText":"If necessary, employ SQL code calls to the audit log read functions or other software to copy or transfer the specified audit record content to the repository.\n\nEnsure that permissions are set to enable transfer of the data. Some SQL may require the AUDIT_ADMIN permission be granted to the MySQL user account used for transferring the data.\n\nBased on the setup, allocate sufficient audit file/table space to support peak demand.\n\nFor example to set to 1 GB:\nset persist audit_log_rotate_on_size=1024*1024*1024;\n\nIf using file copies to move audit logs, only audit..log* formatted files should be copied as audit.log* are still being written to.\n\nIf audit data is copied using a SQL function, the audit files still require removal using some alternative method on the OS filesystem, for example a third-party tool or a scheduled script.\n\nIf, after the preceding steps, the transfer is not succeeding, diagnose and repair the problem.","ccis":["CCI-001851"]},{"vulnId":"V-235175","ruleId":"SV-235175r961398_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity.","description":"Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to the DBMS on its own server will not be an issue. However, space will still be required on the Database Management System's (DBMS) server for audit records in transit, and, under abnormal conditions, this could fill up. Since a requirement exists to halt processing upon audit failure, a service outage would result.\n\nIf support personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion. \n\nThe appropriate support staff include, at a minimum, the Information System Security Officer (ISSO) and the database administrator (DBA)/system administrator (SA).","checkContent":"Review OS, or third-party logging application settings to determine whether a warning will be provided when 75 percent of DBMS audit log storage capacity is reached.\n\nIf no warning will be provided, this is a finding.","fixText":"Modify OS, or third-party logging application settings to alert appropriate personnel when 75 percent of audit log storage capacity is reached.","ccis":["CCI-001855"]},{"vulnId":"V-235176","ruleId":"SV-235176r961401_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must provide an immediate real-time alert to appropriate support staff of all audit log failures.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. \n\nThe appropriate support staff include, at a minimum, the Information System Security Officer (ISSO) and the database administrator (DBA)/system administrator (SA).\n\nA failure of database auditing will result in either the database continuing to function without auditing or in a complete halt to database operations. When audit processing fails, appropriate personnel must be alerted immediately to avoid further downtime or unaudited transactions.\n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).","checkContent":"Review MySQL Server settings, OS, or third-party logging software settings to determine whether a real-time alert will be sent to the appropriate personnel when auditing fails for any reason.\n\nIf real-time alerts are not sent upon auditing failure, this is a finding.","fixText":"Configure the system to provide immediate real-time alerts to appropriate support staff when an audit log failure occurs.","ccis":["CCI-001858"]},{"vulnId":"V-235177","ruleId":"SV-235177r961521_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must prohibit the use of cached authenticators after an organization-defined time period.","description":"If cached authentication information is out-of-date, the validity of the authentication information may be questionable.","checkContent":"Verify that the MySQL is using Kerberos Authentication. \n\nOn the server:\nSELECT PLUGIN_NAME, PLUGIN_STATUS\n FROM INFORMATION_SCHEMA.PLUGINS\n WHERE PLUGIN_NAME LIKE '%ldap%';\n\nOn the client(s) where Kerberos will authenticate, check how long the ticket is cached.\n\nFirst check whether Kerberos authentication works correctly:\nUse kinit to authenticate to Kerberos, for example.\nkinit bredon@MYSQL.LOCAL\n\nThe command authenticates for the Kerberos principal named bredon@MYSQL.LOCAL. Enter the principal's password when the command prompts for it. The KDC returns a TGT that is cached on the client side for use by other Kerberos-aware applications.\nUse klist to check whether the TGT was obtained correctly. \n\nThe output should be similar to this:\nTicket cache: FILE:/tmp/krb5cc_244306\nDefault principal: bredon@MYSQL.LOCAL\nValid starting Expires Service principal\n03/23/2020 08:18:33 03/23/2020 18:18:33 krbtgt/MYSQL.LOCAL@MYSQL.LOCAL\n\nIf the ticket expiration time exceeds the desired maximum expiration, and Kerberos is enabled, check the LDAP server for the maximum lifetime of the Kerberos service Tickets expiration policy. \n\nIf the lifetime exceeds the desired expiration time, this is a finding.","fixText":"Modify system settings to implement the organization-defined limit on the lifetime of cached authenticators.\n\nConfigure the MySQL server for GSSAPI/Kerberos LDAP authentication plugin to use the GSSAPI/Kerberos authentication method.\n\nFollowing is an example of plugin-related settings the server my.cnf file might contain:\n[mysqld]\nplugin-load-add=authentication_ldap_sasl.so\nauthentication_ldap_sasl_auth_method_name=\"GSSAPI\"\nauthentication_ldap_sasl_server_host=198.51.100.10\nauthentication_ldap_sasl_server_port=389\nauthentication_ldap_sasl_bind_root_dn=\"cn=admin,cn=users,dc=MYSQL,dc=LOCAL\"\nauthentication_ldap_sasl_bind_root_pwd=\"password\"\nauthentication_ldap_sasl_bind_base_dn=\"cn=users,dc=MYSQL,dc=LOCAL\"\nauthentication_ldap_sasl_user_search_attr=\"sAMAccountName\"\n\nCreate account(s) using Kerberos Authentication.\nFor example:\nCREATE USER 'bredon@MYSQL.LOCAL'\n IDENTIFIED WITH authentication_ldap_sasl\n BY '#krb_grp=proxied_krb_user';\n\nCREATE USER 'proxied_krb_user'\n IDENTIFIED WITH mysql_no_login;\nGRANT ALL\n ON krb_user_db.*\n TO 'proxied_krb_user';\n\nGRANT PROXY\n ON 'proxied_krb_user'\n TO 'bredon@MYSQL.LOCAL’;","ccis":["CCI-002007"]},{"vulnId":"V-235178","ruleId":"SV-235178r1018616_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.","description":"The DOD standard for authentication of an interactive user is the presentation of a Common Access Card (CAC) or other physical token bearing a valid, current, DOD-issued Public Key Infrastructure (PKI) certificate, coupled with a Personal Identification Number (PIN) to be entered by the user at the beginning of each session and whenever reauthentication is required.\n\nWithout reauthentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate.\n\nIn addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances:\n\n(i) When authenticators change; \n(ii) When roles change; \n(iii) When security categories of information systems change; \n(iv) When the execution of privileged functions occurs; \n(v) After a fixed period of time; or\n(vi) Periodically.\n\nWithin the DOD, the minimum circumstances requiring reauthentication are privilege escalation and role changes.","checkContent":"Determine all situations where a user must reauthenticate. Check if the mechanisms that handle such situations use the following SQL:\n\nTo make a single user reauthenticate, an existing connection must be present:\n\nTo search for a specific user:\nSELECT * FROM information_schema.PROCESSLIST where user =' and host like '%';\n\nTo review all connections:\nSELECT * FROM INFORMATION_SCHEMA.PROCESSLIST;\n\nNote the ID(s) (processlist_id) of the connection(s) for the user that must reauthenticate.\n\nTo make a user reauthenticate, run the following for each ID returned above (as they can have multiple connections):\n\nKILL CONNECTION processslist_id;\n\nIf the provided SQL does not force reauthentication, this is a finding.","fixText":"Modify and/or configure MySQL and related applications and tools so that users are always required to reauthenticate when changing role or escalating privileges.\n\nTo make a single user reauthenticate, the following must be present:\n\nKILL CONNECTION processslist_id;","ccis":["CCI-004895","CCI-002038"]},{"vulnId":"V-235179","ruleId":"SV-235179r961317_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.","description":"Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled table permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. \n\nA subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. \n\nThe policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.","checkContent":"Use the following query to discover database object access rights:\n\nUsers with DDL rights on database objects\nAt Instance Level\nSELECT *\nFROM `mysql`.`user`\nWHERE (`mysql`.`user`.`user` not like 'mysql.%') AND (\n `user`.`Create_priv` = 'Y' OR\n `user`.`Drop_priv` = 'Y' OR\n `user`.`Grant_priv` = 'Y' OR\n `user`.`References_priv` = 'Y' OR\n `user`.`Index_priv` = 'Y' OR\n `user`.`Alter_priv` = 'Y' OR\n `user`.`Super_priv` = 'Y' OR\n `user`.`Execute_priv` = 'Y' OR\n `user`.`Create_view_priv` = 'Y' OR\n `user`.`Create_routine_priv` = 'Y' OR\n `user`.`Alter_routine_priv` = 'Y' OR\n `user`.`Create_user_priv` = 'Y' OR\n `user`.`Event_priv` = 'Y' OR\n `user`.`Trigger_priv` = 'Y' OR\n `user`.`Create_role_priv` = 'Y' OR\n `user`.`Drop_role_priv` = 'Y') ;\n\nAt DB/Schema Level - Users with DDL rights on database objects\nEnsure only administrative users are returned in the result set.\nSELECT * FROM mysql.db where\n (`db`.`Grant_priv` = 'Y' OR\n `db`.`References_priv`= 'Y' OR\n `db`.`Index_priv`= 'Y' OR\n `db`.`Alter_priv`= 'Y' OR\n `db`.`Create_tmp_table_priv`= 'Y' OR\n `db`.`Lock_tables_priv`= 'Y' OR\n `db`.`Create_view_priv`= 'Y' OR\n `db`.`Show_view_priv`= 'Y' OR\n `db`.`Create_routine_priv`= 'Y' OR\n `db`.`Alter_routine_priv`= 'Y' OR\n `db`.`Execute_priv`= 'Y' OR\n `db`.`Event_priv`= 'Y' OR\n `db`.`Trigger_priv`) and user not like 'mysql.%';\n\nEnsure only administrative users are returned in the result set.\n\nUse the following query to discover database users who have been delegated the right to grant permissions to other users:\n\nExecute the following SQL statements to audit this setting:\nSELECT `USER_PRIVILEGES`.`GRANTEE`,\n `USER_PRIVILEGES`.`TABLE_CATALOG`,\n `USER_PRIVILEGES`.`PRIVILEGE_TYPE`,\n `USER_PRIVILEGES`.`IS_GRANTABLE`\nFROM `information_schema`.`USER_PRIVILEGES`\nwhere `USER_PRIVILEGES`.`IS_GRANTABLE`='YES';\n\nEnsure only administrative users are returned in the result set.\n\nIf any of these rights are not documented and authorized, this is a finding.","fixText":"To correct object ownership:\n\nTo revoke any unauthorized permissions:\n\nREVOKE\n priv_type [(column_list)]\n [, priv_type [(column_list)]] ...\n ON [object_type] priv_level\n FROM user_or_role [, user_or_role] ...\n\nREVOKE ALL [PRIVILEGES], GRANT OPTION\n FROM user_or_role [, user_or_role] ...\n\nREVOKE PROXY ON user_or_role\n FROM user_or_role [, user_or_role] ...\n\nREVOKE role [, role ] ...\n FROM user_or_role [, user_or_role ] ...","ccis":["CCI-002165"]},{"vulnId":"V-235180","ruleId":"SV-235180r961359_rule","severity":"medium","ruleTitle":"Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.","description":"In certain situations, to provide required functionality, a Database Management System (DBMS) needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.\n\nPrivilege elevation must be utilized only where necessary and protected from misuse.","checkContent":"Review the server documentation to obtain a listing of accounts used for executing external processes. Execute the following query to obtain a listing of accounts currently configured for use by external processes. \n\nSHOW PROCEDURE STATUS where security_type <> 'INVOKER';\nSHOW FUNCTION STATUS where security_type <> 'INVOKER';\n\nIf DEFINER accounts are returned that are not documented and authorized, this is a finding.\n\nIf elevation of MySQL privileges using DEFINER is documented, but not implemented as described in the documentation, this is a finding.\n\nIf the privilege-elevation logic can be invoked in ways other than intended, or in contexts other than intended, or by subjects/principals other than intended, this is a finding.","fixText":"Remove any procedures that are not authorized.\n\nDrop the procedure or function using \nDROP PROCEDURE ;\nDROP FUNCTION ;","ccis":["CCI-002233"]},{"vulnId":"V-235181","ruleId":"SV-235181r961353_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","description":"Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. \n\nSystem documentation should include a definition of the functionality considered privileged.\n\nDepending on circumstances, privileged functions can include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.\n\nA privileged function in the Database Management System (DBMS)/database context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. In a SQL environment, it encompasses, but is not necessarily limited to: \nCREATE\nALTER\nDROP\nGRANT\nREVOKE\nDENY\n\nThere may also be Data Manipulation Language (DML) statements that, subject to context, should be regarded as privileged. Possible examples include:\n\nTRUNCATE TABLE;\nDELETE, or\nDELETE affecting more than n rows, for some n, or\nDELETE without a WHERE clause;\n\nUPDATE or\nUPDATE affecting more than n rows, for some n, or\nUPDATE without a WHERE clause;\n\nany SELECT, INSERT, UPDATE, or DELETE to an application-defined security table executed by other than a security principal.\n\nDepending on the capabilities of the DBMS and the design of the database and associated applications, the prevention of unauthorized use of privileged functions may be achieved by means of DBMS security features, database triggers, other mechanisms, or a combination of these.","checkContent":"Review the server documentation to obtain a listing of accounts used for executing external processes. Execute the following query to obtain a listing of accounts currently configured for use by external processes. \n\nSHOW PROCEDURE STATUS where security_type <> 'INVOKER';\nSHOW FUNCTION STATUS where security_type <> 'INVOKER';\n\nIf DEFINER accounts are returned that are not documented and authorized, this is a finding.\nIf elevation of MySQL privileges using DEFINER is documented, but not implemented as described in the documentation, this is a finding.\nIf the privilege-elevation logic can be invoked in ways other than intended, or in contexts other than intended, or by subjects/principals other than intended, this is a finding.","fixText":"Remove any procedures that are not authorized.\n\nDrop the procedure or function using \nDROP PROCEDURE ;\nDROP FUNCTION ;","ccis":["CCI-002235"]},{"vulnId":"V-235182","ruleId":"SV-235182r961269_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must associate organization-defined types of security labels having organization-defined security label values with information in storage.","description":"Without the association of security labels to information, there is no basis for the DBMS to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. \n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. \n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of the DBMS product, a third-party product, or custom application code.\n\nFor MySQL, a view or stored procedures can limit access to only selected columns of the base table. A view can provide value-based security for the information in a table. To use a view requires appropriate privileges only for the view itself. The user need not be given privileges on base objects underlying the view.","checkContent":"If security labeling is not required, this is not a finding.\n\nFor data that have been labeled with a column indicating data is classified read-only views can be created and secured via access privileges such that a user can only view the data that have a specific tag or tags (e.g., user [x] can only view records that are labeled with the tag of classified). \n\nIf security labeling requirements have been specified, but neither a third-party solution nor a MySQL Views and Stored Procedures are used to implement row level security solution is implemented that reliably maintains labels on information in storage, this is a finding.","fixText":"Deploy MySQL Views and Stored Procedures or a third-party software, or add custom data structures, data elements, and application code, to provide reliable security labeling of information in storage.","ccis":["CCI-002262"]},{"vulnId":"V-235183","ruleId":"SV-235183r961272_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must associate organization-defined types of security labels having organization-defined security label values with information in process.","description":"Without the association of security labels to information, there is no basis for the Database Management System (DBMS) to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. \n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. \n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of the DBMS product, a third-party product, or custom application code.\n\nFor MySQL, a view or stored procedures can limit access to only selected columns of the base table. A view can provide value-based security for the information in a table. To use a view requires appropriate privileges only for the view itself. The user need not be given privileges on base objects underlying the view.","checkContent":"If security labeling is not required, this is not a finding.\n\nIf security labeling requirements have been specified, check for a MySQL solution using views and Stored Procedures to implement a row-level security solution that reliably maintains labels on information in storage. \n\nFor data that have been labeled with a column indicating data is classified read-only, views can be created and secured via access privileges such that a user should only be able to view the data that have a specific tag or tags (e.g., user [x] can only view records that are labeled with the tag of classified). \n\nIf a MySQL solution through the use of views and stored procedures or a third party solution does not exist, this is a finding.","fixText":"Deploy MySQL Views and Stored Procedures or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in storage.","ccis":["CCI-002263"]},{"vulnId":"V-235184","ruleId":"SV-235184r961275_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must associate organization-defined types of security labels having organization-defined security label values with information in transmission.","description":"Without the association of security labels to information, there is no basis for the DBMS to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. \n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. \n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of the DBMS product, a third-party product, or custom application code.\n\nFor MySQL, a view or stored procedures can limit access to only selected columns of the base table. A view can provide value-based security for the information in a table. To use a view requires appropriate privileges only for the view itself. The user need not be given privileges on base objects underlying the view.","checkContent":"If security labeling is not required, this is not a finding.\n\nIf security labeling requirements have been specified, check for a MySQL solution using views and Stored Procedures to implement a row-level security solution that reliably maintains labels on information in storage. \n\nFor data that have been labeled with a column indicating data is classified read-only, views can be created and secured via access privileges such that a user can only view the data that have a specific tag or tags (e.g., user [x] can only view records that are labeled with the tag of classified). \n\nIf a MySQL solution through the use of views and stored procedures or a third party solution does not exist, this is a finding.","fixText":"Deploy MySQL Views and Stored Procedures or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in storage.","ccis":["CCI-002264"]},{"vulnId":"V-235185","ruleId":"SV-235185r961221_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.","description":"This addresses the termination of user-initiated logical sessions in contrast to the termination of network connections associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. \n\nSession termination ends all processes associated with a user's logical session except those batch processes/jobs that are specifically created by the user (i.e., session owner) to continue after the session is terminated. \n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner, data owner, or organization requires additional assurance.\n\nEach connection to mysqld runs in a separate thread. Kill a connection by killing the connections thread with the KILL processlist_id statement.\n\nThread processlist identifiers can be determined from the ID column of the INFORMATION_SCHEMA PROCESSLIST table, the Id column of SHOW PROCESSLIST output, and the PROCESSLIST_ID column of the Performance Schema threads table.","checkContent":"Review system documentation to obtain the organization's definition of circumstances requiring automatic session termination. If the documentation explicitly states that such termination is not required or is prohibited, this is not a finding.\n\nDetermine the situations where a user must reauthenticate. Check if the mechanisms that handle such situations use the following SQL:\n\nTo make a single user reauthenticate, an existing connection must be present:\n\nTo search for a specific user:\nSELECT * FROM information_schema.PROCESSLIST where user =' and host like '%';\n\nTo review all connections:\nSELECT * FROM INFORMATION_SCHEMA.PROCESSLIST;\n\nNote the ID(s) (processlist_id) of the connection(s) for the user that must reauthenticate.\n\nTo make a user reauthenticate, run the following for each ID returned above (as they can have multiple connections).\n\nKILL CONNECTION processslist_id;\n\nIf the provided SQL does not force reauthentication, this is a finding.","fixText":"Modify and/or configure MySQL and related applications and tools so that users are always required to reauthenticate when changing role or escalating privileges.\n\nTo make a single user reauthenticate, the following must be present:\n\nKILL CONNECTION processslist_id;","ccis":["CCI-002361"]},{"vulnId":"V-235186","ruleId":"SV-235186r961638_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must maintain the confidentiality and integrity of information during preparation for transmission.","description":"Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nUse of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. \n\nWhen transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms.","checkContent":"If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.\n\nRun the following:\nselect @@require_secure_transport;\n\nThe value should be 1 (ON) versus 0 (OFF), if the value is 0 (OFF), this is a finding.","fixText":"Turn on require_secure_transport. In this mode the server permits only TCP/IP connections encrypted using TLS/SSL, or connections that use a socket file (on UNIX) or shared memory (on Windows). \n\nThe server rejects nonsecure connection attempts, which fail with an ER_SECURE_TRANSPORT_REQUIRED error.\n\nset persist require_secure_transport=ON;","ccis":["CCI-002420"]},{"vulnId":"V-235187","ruleId":"SV-235187r962034_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nNSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of a DBMS with the encryption devices.","checkContent":"Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website: http://csrc.nist.gov/groups/STM/cmvp/index.html.\n\nReview system documentation to determine whether cryptography for classified or sensitive information is required by the information owner.\n\nIf the system documentation does not specify the type of information hosted on MySQL: classified, sensitive, and/or unclassified, this is a finding.\n\nIf classified or sensitive information does not exist within MySQL Server, this is not a finding.\n\nVerify that the operating system provides the OpenSSL FIPS Object Module, and is configured to require the use of OpenSSL of FIPS compliant algorithms, available at MySQL runtime.\n\nIf the Security Setting for FIPS mode option is \"Disabled\" on the server's OS, this is a finding.\n\nIf cryptography is being used by MySQL, verify that the cryptography is NIST FIPS certified by running the following SQL query:\nDetermine if MySQL is running in FIPS mode.\nselect @@ssl_fips_mode;\n\nIf ssl_fips_mode is not \"ON\" or \"STRICT\", this is a finding.\n\nView the versions of TLS, then review the cipher suites in use for the versions returned by statement:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables WHERE VARIABLE_NAME = 'tls_version';\n\nIf the results include less than version TLS 1.2, for example TLS 1.0 or 1.1, this is a finding. \n\nIf the results include TLS 1.2 view the supported ciphers on the MySQL Server, run\nselect * from performance_schema.global_status where variable_name= 'Ssl_cipher_list';\n\nIf the results include TLS 1.3 view the supported ciphers on the MySQL Server, run\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables WHERE VARIABLE_NAME = 'tls_ciphersuites';\n\nIf any results list show an uncertified NIST FIPS 140-2 algorithm type, this is a finding.\n\nCheck MySQL certificate PEM file(s) for compliance with DoD requirements by running this command: \nopenssl x509 -in server-cert.pem -text -noout\n\nIf any PEM file is not in compliance, this is a finding.","fixText":"Configure cryptographic functions to use NSA-approved cryptography-compliant algorithms.\n\nTurn on MySQL FIPS mode.\nEdit my.cnf\n[mysqld]\nssl_fips_mode=ON\n\nor\n[mysqld]\nssl_fips_mode=STRICT\n\nTo restrict TLS versions:\n\n[mysqld]\ntls_version='TLSv1.2,TLSv1.3'\n\nExample to define ciphers for TLSv1.2:\n\n[mysqld]\nssl_ciphers='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'\n\nIf TLSv1.3 is enabled, the \"tls_ciphersuites\" setting must contain all or a subset of the following ciphers based on certificates being used by server and client. Enabling FIPS mode will limit the OpenSSL library to operate within the FIPS object module.\n\nExample to define TLS ciphers for TLSv1.3:\n\n[mysqld]\ntls_ciphersuites='TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256'\n\nAfter adding any entries to the my.cnf file, restart mysqld.\n\nCreate and use DOD-approved certificates for asymmetric keys used by the database.","ccis":["CCI-002450"]},{"vulnId":"V-235188","ruleId":"SV-235188r961857_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nFor detailed information, refer to NIST FIPS Publication 140-2 or Publication 140-3, Security Requirements For Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.","checkContent":"ALL cryptography is provided via OpenSSL and can be verified in FIPS mode. \n\nRun this command:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'ssl_fips_mode';\n\nIf the VARIABLE_VALUE does not return \"ON\" or \"STRICT\", this is a finding.\n\nIn general, STRICT imposes more restrictions than ON, but MySQL itself has no FIPS-specific code other than to specify to OpenSSL the FIPS mode value. The exact behavior of FIPS mode for ON or STRICT depends on the OpenSSL version.","fixText":"Implement NIST FIPS validated cryptographic modules to provision digital signatures.\n\nTurn on MySQL FIPS mode and restart mysqld\nEdit my.cnf\n[mysqld]\nssl_fips_mode=ON\n\nor\n[mysqld]\nssl_fips_mode=STRICT\n\nIn general, STRICT imposes more restrictions than ON, but MySQL itself has no FIPS-specific code other than to specify to OpenSSL the FIPS mode value. The exact behavior of FIPS mode for ON or STRICT depends on the OpenSSL version.","ccis":["CCI-002450"]},{"vulnId":"V-235189","ruleId":"SV-235189r961857_rule","severity":"high","ruleTitle":"The MySQL Database Server 8.0 must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n \nFor detailed information, refer to NIST FIPS Publication 140-2 or Publication 140-3, Security Requirements For Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.","checkContent":"ALL cryptography is provided via OpenSSL and can be verified in FIPS mode. \n\nRun this command:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'ssl_fips_mode';\n\nIf the VARIABLE_VALUE does not return \"ON\" or \"STRICT\", this is a finding.\n\nIn general, STRICT imposes more restrictions than ON, but MySQL itself has no FIPS-specific code other than to specify to OpenSSL the FIPS mode value. The exact behavior of FIPS mode for ON or STRICT depends on the OpenSSL version.","fixText":"Implement NIST FIPS validated cryptographic modules to provision digital signatures.\n\nTurn on MySQL FIPS mode and restart mysqld\nEdit my.cnf\n[mysqld]\nssl_fips_mode=ON\n\nor\n[mysqld]\nssl_fips_mode=STRICT\n\nIn general, STRICT imposes more restrictions than ON, but MySQL itself has no FIPS-specific code other than to specify to OpenSSL the FIPS mode value. The exact behavior of FIPS mode for ON or STRICT depends on the OpenSSL version.","ccis":["CCI-002450"]},{"vulnId":"V-235190","ruleId":"SV-235190r961857_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2 or Publication 140-3, Security Requirements For Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.","checkContent":"ALL cryptography is provided via OpenSSL and can be verified in FIPS mode. \n\nRun this command:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'ssl_fips_mode';\n\nIf the VARIABLE_VALUE does not return \"ON\" or \"STRICT\", this is a finding.\n\nIn general, STRICT imposes more restrictions than ON, but MySQL itself has no FIPS-specific code other than to specify to OpenSSL the FIPS mode value. The exact behavior of FIPS mode for ON or STRICT depends on the OpenSSL version.","fixText":"Implement NIST FIPS validated cryptographic modules to provision digital signatures.\n\nTurn on MySQL FIPS mode and restart mysqld\nEdit my.cnf\n[mysqld]\nssl_fips_mode=ON\n\nor\n[mysqld]\nssl_fips_mode=STRICT\n\nIn general, STRICT imposes more restrictions than ON, but MySQL itself has no FIPS-specific code other than to specify to OpenSSL the FIPS mode value. The exact behavior of FIPS mode for ON or STRICT depends on the OpenSSL version.","ccis":["CCI-002450"]},{"vulnId":"V-235191","ruleId":"SV-235191r961596_rule","severity":"medium","ruleTitle":"The MySQL Database Server 8.0 must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.","description":"Only DoD-approved external PKIs have been evaluated to ensure they have security controls and identity vetting procedures in place that are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users. \n\nThe authoritative list of DoD-approved PKIs is published at https://cyber.mil/pki-pke/interoperability.\n\nThis requirement focuses on communications protection for the DBMS session rather than for the network packet.","checkContent":"To run MySQL in SSL mode, obtain a valid certificate signed by a single certificate authority. \n\nBefore starting the MySQL database in SSL mode, verify the certificate used is issued by a valid DoD certificate authority.\n\nRun this command:\nopenssl x509 -in -text | grep -i \"issuer\"\n\nIf there is any issuer present in the certificate that is not a DoD-approved certificate authority, this is a finding.","fixText":"Remove any certificate that was not issued by a valid DoD certificate authority.\n\nContact the organization's certificate issuer and request a new certificate that is issued by a valid DoD certificate authorities.","ccis":["CCI-002470"]},{"vulnId":"V-235192","ruleId":"SV-235192r1018560_rule","severity":"high","ruleTitle":"The MySQL Database Server 8.0 must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.","description":"Database Management Systems (DBMSs) handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.","checkContent":"Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of the MySQL 8.0 Database Server, operating system/file system, and additional software as relevant.\n\nIf any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.\n\nTo check for data encryption at rest settings in MySQL:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'audit_log_encryption';\nIf the value for audit_log_encryption is not AES, this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'binlog_encryption'; \nIf the value for binlog_encryption is not \"ON\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'innodb_redo_log_encrypt';\nIf the value for binlog_innodb_redo_log_encrypt is not \"ON\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'innodb_undo_log_encrypt';\nIf the value for innodb_undo_log_encrypt is not \"ON\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'table_encryption_privilege_check';\nIf the value for table_encryption_privilege_check is not \"ON\", this is a finding.\n\nSELECT\n `INNODB_TABLESPACES`.`NAME`,\n `INNODB_TABLESPACES`.`ENCRYPTION`\nFROM `information_schema`.`INNODB_TABLESPACES`;\nIf tables or tablespaces are not encrypted and the value is not \"Y\", this is a finding.","fixText":"Configure the MySQL Database Server 8.0, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection.\n\nEnable the MySQL Key Ring for securely managing encryption keys with KMIP or other supported protocols.\n\nChange TABLESPACES, TABLES to put in place encryption.\n\nALTER TABLESPACE ENCRYPTION = 'Y';\nALTER TABLE ENCRYPTION = 'Y';\n\nRequire all new tables and tablespaces to be encrypted.\nset persist table_encryption_privilege_check=ON;\n\nRequire AUDIT LOG encryption\nsudo vi /etc/my.cnf\n[mysqld]\naudit-log=FORCE_PLUS_PERMANENT\naudit-log-format=JSON\naudit-log-encryption=AES\n\nRequire BINLOG encryption\nset persist binlog_encryption=ON;\n\nRequire REDO and UNDO log encryption\nset persist innodb_redo_log_encrypt=ON;\nset persist innodb_undo_log_encrypt=ON;\n\nTurn off insecure logging (use the audit log above to track activity).\nSET PERSIST general_log = 'OFF';","ccis":["CCI-002475"]},{"vulnId":"V-235193","ruleId":"SV-235193r1018561_rule","severity":"high","ruleTitle":"The MySQL Database Server 8.0 must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.","description":"Database Management Systems (DBMSs) handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.","checkContent":"Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of the MySQL 8.0 Database Server, operating system/file system, and additional software as relevant.\n\nIf any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.\n\nTo check for data encryption at rest settings in MySQL:\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'audit_log_encryption';\nIf the value for audit_log_encryption is not \"AES\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'binlog_encryption'; \nIf the value for binlog_encryption is not \"ON\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'innodb_redo_log_encrypt';\nIf the value for binlog_innodb_redo_log_encrypt is not \"ON\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'innodb_undo_log_encrypt';\nIf the value for innodb_undo_log_encrypt is not \"ON\", this is a finding.\n\nSELECT VARIABLE_NAME, VARIABLE_VALUE\nFROM performance_schema.global_variables where variable_name = 'table_encryption_privilege_check';\nIf the value for table_encryption_privilege_check is not \"ON\", this is a finding.\n\nSELECT\n `INNODB_TABLESPACES`.`NAME`,\n `INNODB_TABLESPACES`.`ENCRYPTION`\nFROM `information_schema`.`INNODB_TABLESPACES`;\nIf tables or tablespaces are not encrypted and the value is not \"Y\", this is a finding.","fixText":"Configure the MySQL Database Server 8.0, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection.\n\nEnable the MySQL Key Ring for securely managing encryption keys with KMIP or other supported protocols.\n\nChange TABLESPACES, TABLES to put in place encryption.\n\nALTER TABLESPACE ENCRYPTION = 'Y';\nALTER TABLE ENCRYPTION = 'Y';\n\nRequire all new tables and tablespaces to be encrypted.\nset persist table_encryption_privilege_check=ON;\n\nRequire AUDIT LOG encryption\nsudo vi /etc/my.cnf\n[mysqld]\naudit-log=FORCE_PLUS_PERMANENT\naudit-log-format=JSON\naudit-log-encryption=AES\n\nRequire BINLOG encryption\nset persist binlog_encryption=ON;\n\nRequire REDO and UNDO log encryption\nset persist innodb_redo_log_encrypt=ON;\nset persist innodb_undo_log_encrypt=ON;\n\nTurn off insecure logging - (use the audit log above to track activity)\nSET PERSIST general_log = 'OFF';","ccis":["CCI-002476"]},{"vulnId":"V-235194","ruleId":"SV-235194r1001008_rule","severity":"medium","ruleTitle":"Security-relevant software updates to the MySQL Database Server 8.0 must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","description":"Security flaws with software applications, including database management systems, are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. \n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). \n\nThis requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","checkContent":"To check the version of the installed MySQL, run the following SQL statement:\n\nselect @@version;\n\nThe result will show the version, for example:\n8.0.22-commercial\n\nObtain evidence that software MRU updates are consistently applied to MySQL Server within the time frame defined for each update. To be considered supported, Oracle must report that the version is supported by security patches to known vulnerability. \n\nReview the MySQL Support dates at the following link:\nhttps://www.oracle.com/support/lifetime-support/resources.html\n\nReview the MySQL Release notes page:\nhttps://dev.mysql.com/doc/relnotes/mysql/8.0/en/\n \nIf MySQL Enterprise Edition 8.0 is not at the latest version, this is a finding.","fixText":"Institute and adhere to policies and procedures to ensure that patches are consistently applied to MySQL within the time allowed.","ccis":["CCI-002605"]},{"vulnId":"V-235195","ruleId":"SV-235195r961656_rule","severity":"medium","ruleTitle":"When invalid inputs are received, the MySQL Database Server 8.0 must behave in a predictable and documented manner that reflects organizational and system objectives.","description":"A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state.\n\nThe behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"Review the MySQL Server to ensure it behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.\n\nTo determine if table check constraints that have been put in place:\nSELECT * FROM INFORMATION_SCHEMA.TABLE_CONSTRAINTS;\n\nIf input validation is required beyond those enforced by the datatype and no constraints exist for data input, this is a finding.","fixText":"Configure the MySQL Server to behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.\n\nTo validate data at the database table level modify tables by adding constraints CHECK constraint is a type of integrity constraint in SQL within the create or alter table statement.\n\n[CONSTRAINT [symbol]] CHECK (expr) [[NOT] ENFORCED]\nFor example\nCREATE TABLE checker (i tinyint, CONSTRAINT i_must_be_between_7_and_12 CHECK (i BETWEEN 7 AND 12 ) ); \nAdding a constraint to an existing table \n\nALTER TABLE \n ADD [CONSTRAINT [symbol]] CHECK (condition) [[NOT] ENFORCED]","ccis":["CCI-002754"]},{"vulnId":"V-265876","ruleId":"SV-265876r999534_rule","severity":"high","ruleTitle":"MySQL database products must be a version supported by the vendor.","description":"Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.\n\nSystems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.\n\nWhen maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.","checkContent":"Review the version and release information.\n\nTo check the version of the installed MySQL, run the following SQL statement:\n\nselect @@version;\n\nThe result will show the version. For example:\n8.0.22-commercial\n\nAccess the vendor website or use other means to verify the version is still supported.\nOracle lifetime support: \nhttps://www.oracle.com/us/assets/lifetime-support-technology-069183.pdf\nScroll down to Oracle MySQL Releases (approximately page 28).\n\nIf the Oracle MySQL version or any of the software components are not supported by the vendor, this is a finding.","fixText":"Remove or decommission all unsupported software products.\n\nUpgrade unsupported DBMS or unsupported components to a supported version of the product.","ccis":["CCI-003376"]}]}