STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Oracle MySQL 8.0 Security Technical Implementation Guide

V-235177

CAT II (Medium)

The MySQL Database Server 8.0 must prohibit the use of cached authenticators after an organization-defined time period.

Rule ID

SV-235177r961521_rule

STIG

Oracle MySQL 8.0 Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-002007

Discussion

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Check Content

Verify that the MySQL is using Kerberos Authentication.  

On the server:
SELECT PLUGIN_NAME, PLUGIN_STATUS
       FROM INFORMATION_SCHEMA.PLUGINS
       WHERE PLUGIN_NAME LIKE '%ldap%';

On the client(s) where Kerberos will authenticate, check how long the ticket is cached.

First check whether Kerberos authentication works correctly:
Use kinit to authenticate to Kerberos, for example.
kinit bredon@MYSQL.LOCAL

The command authenticates for the Kerberos principal named bredon@MYSQL.LOCAL. Enter the principal's password when the command prompts for it. The KDC returns a TGT that is cached on the client side for use by other Kerberos-aware applications.
Use klist to check whether the TGT was obtained correctly. 

The output should be similar to this:
Ticket cache: FILE:/tmp/krb5cc_244306
Default principal: bredon@MYSQL.LOCAL
Valid starting                 Expires                           Service principal
03/23/2020 08:18:33  03/23/2020 18:18:33  krbtgt/MYSQL.LOCAL@MYSQL.LOCAL

If the ticket expiration time exceeds the desired maximum expiration, and Kerberos is enabled, check the LDAP server for the maximum lifetime of the Kerberos service Tickets expiration policy.  

If the lifetime exceeds the desired expiration time, this is a finding.

Fix Text

Modify system settings to implement the organization-defined limit on the lifetime of cached authenticators.

Configure the MySQL server for GSSAPI/Kerberos LDAP authentication plugin to use the GSSAPI/Kerberos authentication method.

Following is an example of plugin-related settings the server my.cnf file might contain:
[mysqld]
plugin-load-add=authentication_ldap_sasl.so
authentication_ldap_sasl_auth_method_name="GSSAPI"
authentication_ldap_sasl_server_host=198.51.100.10
authentication_ldap_sasl_server_port=389
authentication_ldap_sasl_bind_root_dn="cn=admin,cn=users,dc=MYSQL,dc=LOCAL"
authentication_ldap_sasl_bind_root_pwd="password"
authentication_ldap_sasl_bind_base_dn="cn=users,dc=MYSQL,dc=LOCAL"
authentication_ldap_sasl_user_search_attr="sAMAccountName"

Create account(s) using Kerberos Authentication.
For example:
CREATE USER 'bredon@MYSQL.LOCAL'
  IDENTIFIED WITH authentication_ldap_sasl
  BY '#krb_grp=proxied_krb_user';

CREATE USER 'proxied_krb_user'
  IDENTIFIED WITH mysql_no_login;
GRANT ALL
  ON krb_user_db.*
  TO 'proxied_krb_user';

GRANT PROXY
  ON 'proxied_krb_user'
  TO 'bredon@MYSQL.LOCAL’;