Nessus Report

Report generated by Nessus™

MySQL - By compliance status, detailed findings

Mon, 11 Dec 2017 13:05:26 Eastern Standard Time

TABLE OF CONTENTS
Vulnerabilities by Plugin
33814 (88) - Database Compliance Checks
Risk Factor
None
Plugin Information:
Published: 2008/10/13, Modified: 2017/12/05
Plugin Output

192.168.1.142 (tcp/0)

192.168.1.142 (tcp/0)

192.168.1.142 (tcp/0)

33814 (13) - Database Compliance Checks
Risk Factor
None
Plugin Information:
Published: 2008/10/13, Modified: 2017/12/05
Plugin Output

192.168.1.142 (tcp/0)

192.168.1.142 (tcp/0)

192.168.1.142 (tcp/0)

33814 (114) - Database Compliance Checks
Risk Factor
None
Plugin Information:
Published: 2008/10/13, Modified: 2017/12/05
Plugin Output

192.168.1.142 (tcp/0)

192.168.1.142 (tcp/0)

192.168.1.142 (tcp/0)

14272 (8) - Netstat Portscanner (SSH)
Synopsis
Remote open ports can be enumerated via SSH.
Description
Nessus was able to run 'netstat' on the remote host to enumerate the open ports.

See the 'plugin options' section for details on configuring this plugin.
See Also
Solution
n/a
Risk Factor
None
Plugin Information:
Published: 2004/08/15, Modified: 2017/11/28
Plugin Output

192.168.1.142 (tcp/22)

Port 22/tcp was found to be open

192.168.1.142 (udp/161)

Port 161/udp was found to be open

192.168.1.142 (tcp/2375)

Port 2375/tcp was found to be open

192.168.1.142 (tcp/3306)

Port 3306/tcp was found to be open

192.168.1.142 (tcp/4001)

Port 4001/tcp was found to be open

192.168.1.142 (tcp/7001)

Port 7001/tcp was found to be open

192.168.1.142 (tcp/8080)

Port 8080/tcp was found to be open

192.168.1.142 (tcp/8834)

Port 8834/tcp was found to be open
Compliance 'FAILED'
2.6 Set a Password Expiry Policy for Specific Users
Info
Password expiry for specific users provides user passwords with a unique time bounded lifetime.
Solution
Using the user and host information from the audit procedure, set a password lifetime for each user, e.g.:
ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY;
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 IA-5
CIP 007-6-R5
HIPAA 164.308(a)(5)(ii)(D)
PCI-DSSV3.1 8.2.4
PCI-DSSV3.2 8.2.4
CN-L3 7.1.2.7(e)
CN-L3 7.1.3.1(b)
CSF PR.AC-1
ISO/IEC-27001 A.9.4.3
ITSG-33 IA-5
TBA-FIISB 26.2.2
800-171 3.5.10
800-171 3.5.7
800-171 3.5.8
800-171 3.5.9
LEVEL 1NS
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
NULL
Hosts

192.168.1.142

(Default): "root"
(Default): "root"
(Default): "root"
(Default): "root"
4.4 Ensure 'local_infile' Is Disabled
Info
The local_infile parameter dictates whether files located on the MySQL client's computer can be loaded or selected via LOAD DATA INFILE or SELECT local_file.
Solution
Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service:
local-infile=0
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 CM-7
CIP 007-6-R1
CSCV6 9.1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"local_infile", "off"
Hosts

192.168.1.142

(Default): "local_infile", "ON"
(Default): "local_infile", "ON"
(Default): "local_infile", "ON"
(Default): "local_infile", "ON"
4.8 Ensure 'secure_file_priv' Is Not Empty
Info
The secure_file_priv option restricts the paths that can be used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL.
Solution
Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service:
secure_file_priv=<path_to_load_directory>
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 CM-6
CSCV6 3.1
PCI-DSSV3.1 2.2.4
PCI-DSSV3.2 2.2.4
800-171 3.4.2
CSF PR.IP-1
ITSG-33 CM-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"secure_file_priv", regex:".+"
Hosts

192.168.1.142

(Default): "secure_file_priv", ""
(Default): "secure_file_priv", ""
(Default): "secure_file_priv", ""
(Default): "secure_file_priv", ""
4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'
Info
When data-changing statements are made (e.g. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data-changing statement work.
Solution
Perform the following actions to remediate this setting:
1. Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 SI-10
LEVEL 2S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_2_DB.audit
Policy Value
"sql_mode", regex:"strict_all_tables"
Hosts

192.168.1.142

(Default): "sql_mode", "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
(Default): "sql_mode", "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
(Default): "sql_mode", "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
(Default): "sql_mode", "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
(Default): "sql_mode", "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
5.7 Ensure 'grant_priv' Is Not Set to 'Y' for Non-Administrative Users 'mysql.db'
Info
The GRANT OPTION privilege exists in different contexts (mysql.user, mysql.db) for the purpose of governing the ability of a privileged user to manipulate the privileges of other users.
Solution
Perform the following steps to remediate this setting:
1. Enumerate the non-administrative users found in the result sets of the audit procedure
2. For each user, issue the following SQL statement (replace '<user>' with the non-administrative user):

REVOKE GRANT OPTION ON *.* FROM <user>;
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
CSCV6 5.1
800-171 3.1.5
CSF PR.AC-4
ISO/IEC-27001 A.9.2.3
ITSG-33 AC-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:".+", "root"
Hosts

192.168.1.142

(Default): NULL
(Default): NULL
(Default): NULL
(Default): NULL
5.9 Ensure DML/DDL Grants Are Limited to Specific Databases and Users
Info
DML/DDL includes the set of privileges used to modify or create data structures. This includes INSERT, SELECT, UPDATE, DELETE, DROP, CREATE, and ALTER privileges.
Solution
Perform the following steps to remediate this setting:
1. Enumerate the unauthorized users, hosts, and databases returned in the result set of the audit procedure
2. For each user, issue the following SQL statements (replace '<user>' with the unauthorized user, '<host>' with the host name, and '<database>' with the database name):

-- The privilege scope is <database>.* (all tables in the database); the account is identified as '<user>'@'<host>'.
REVOKE SELECT ON <database>.* FROM '<user>'@'<host>';
REVOKE INSERT ON <database>.* FROM '<user>'@'<host>';
REVOKE UPDATE ON <database>.* FROM '<user>'@'<host>';
REVOKE DELETE ON <database>.* FROM '<user>'@'<host>';
REVOKE CREATE ON <database>.* FROM '<user>'@'<host>';
REVOKE DROP ON <database>.* FROM '<user>'@'<host>';
REVOKE ALTER ON <database>.* FROM '<user>'@'<host>';
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
CSCV6 5.1
800-171 3.1.5
CSF PR.AC-4
ISO/IEC-27001 A.9.2.3
ITSG-33 AC-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:".+", regex:".+", "root"
Hosts

192.168.1.142

(Default): NULL
(Default): NULL
(Default): NULL
(Default): NULL
7.2 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' - '@@global.sql_mode'
Info
NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided.
Solution
Perform the following actions to remediate this setting:
1. Open the MySQL configuration file (my.cnf)
2. Find the sql_mode setting in the [mysqld] area
3. Add NO_AUTO_CREATE_USER to the sql_mode setting
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
PCI-DSSV3.1 7.1.2
PCI-DSSV3.2 7.1.2
800-171 3.1.5
CN-L3 7.1.3.2(b)
CN-L3 7.1.3.2(g)
CSF PR.AC-4
CSF PR.DS-5
ITSG-33 AC-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:"no_auto_create_user"
Hosts

192.168.1.142

(Default): "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
(Default): "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
(Default): "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
(Default): "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
7.2 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' - '@@session.sql_mode'
Info
NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided.
Solution
Perform the following actions to remediate this setting:
1. Open the MySQL configuration file (my.cnf)
2. Find the sql_mode setting in the [mysqld] area
3. Add NO_AUTO_CREATE_USER to the sql_mode setting
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
PCI-DSSV3.1 7.1.2
PCI-DSSV3.2 7.1.2
800-171 3.1.5
CN-L3 7.1.3.2(b)
CN-L3 7.1.3.2(g)
CSF PR.AC-4
CSF PR.DS-5
ITSG-33 AC-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:"no_auto_create_user"
Hosts

192.168.1.142

(Default): "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
(Default): "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
(Default): "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
(Default): "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"
7.3 Ensure Passwords Are Set for All MySQL Accounts
Info
Blank passwords allow a user to log in without using a password.
Solution
For each row returned from the audit procedure, set a password for the given user using the following statement (as an example):
SET PASSWORD FOR '<user>'@'<host>' = '<clear password>';

NOTE: Replace <user>, <host>, and <clear password> with appropriate values.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 IA-5
CIP 007-6-R5
HIPAA 164.308(a)(5)(ii)(D)
PCI-DSSV3.1 8.2.3
PCI-DSSV3.2 8.2.3
800-171 3.5.7
CN-L3 7.1.2.7(e)
CN-L3 7.1.3.1(b)
CSF PR.AC-1
ISO/IEC-27001 A.9.4.3
ITSG-33 IA-5
TBA-FIISB 26.2.1
TBA-FIISB 26.2.4
LEVEL 1S
LEVEL 2S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_2_DB.audit
Policy Value
NULL, NULL
Hosts

192.168.1.142

(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
7.5 Ensure Password Complexity Is in Place - 'validate_password_length'
Info
Password complexity includes password characteristics such as length, case, and character sets.
Solution
Add to the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM

Also change the passwords of any users whose password is identical to their username.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 IA-5
CIP 007-6-R5
HIPAA 164.308(a)(5)(ii)(D)
PCI-DSSV3.1 8.2.3
PCI-DSSV3.2 8.2.3
800-171 3.5.7
CN-L3 7.1.2.7(e)
CN-L3 7.1.3.1(b)
CSF PR.AC-1
ISO/IEC-27001 A.9.4.3
ITSG-33 IA-5
TBA-FIISB 26.2.1
TBA-FIISB 26.2.4
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"validate_password_length", regex:"(1[4-9]|[2-9][0-9])"
Hosts

192.168.1.142

(Default): NULL
(Default): NULL
(Default): NULL
(Default): NULL
7.5 Ensure Password Policy Is in Place - 'validate_password_mixed_case_count'
Info
Password complexity includes password characteristics such as length, case, and character sets.
Solution
Add to the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM

Also change the passwords of any users whose password is identical to their username.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 IA-5
CIP 007-6-R5
HIPAA 164.308(a)(5)(ii)(D)
PCI-DSSV3.1 8.2.3
PCI-DSSV3.2 8.2.3
800-171 3.5.7
CN-L3 7.1.2.7(e)
CN-L3 7.1.3.1(b)
CSF PR.AC-1
ISO/IEC-27001 A.9.4.3
ITSG-33 IA-5
TBA-FIISB 26.2.1
TBA-FIISB 26.2.4
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"validate_password_mixed_case_count", regex:"[1-9]"
Hosts

192.168.1.142

(Default): NULL
(Default): NULL
(Default): NULL
(Default): NULL
7.5 Ensure Password Policy Is in Place - 'validate_password_number_count'
Info
Password complexity includes password characteristics such as length, case, and character sets.
Solution
Add to the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM

Also change the passwords of any users whose password is identical to their username.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 IA-5
CIP 007-6-R5
HIPAA 164.308(a)(5)(ii)(D)
PCI-DSSV3.1 8.2.3
PCI-DSSV3.2 8.2.3
800-171 3.5.7
CN-L3 7.1.2.7(e)
CN-L3 7.1.3.1(b)
CSF PR.AC-1
ISO/IEC-27001 A.9.4.3
ITSG-33 IA-5
TBA-FIISB 26.2.1
TBA-FIISB 26.2.4
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"validate_password_number_count", regex:"[1-9]"
Hosts

192.168.1.142

(Default): NULL
(Default): NULL
(Default): NULL
(Default): NULL
7.5 Ensure Password Policy Is in Place - 'validate_password_policy'
Info
Password complexity includes password characteristics such as length, case, and character sets.
Solution
Add to the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM

Also change the passwords of any users whose password is identical to their username.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 IA-5
CIP 007-6-R5
HIPAA 164.308(a)(5)(ii)(D)
PCI-DSSV3.1 8.2.3
PCI-DSSV3.2 8.2.3
800-171 3.5.7
CN-L3 7.1.2.7(e)
CN-L3 7.1.3.1(b)
CSF PR.AC-1
ISO/IEC-27001 A.9.4.3
ITSG-33 IA-5
TBA-FIISB 26.2.1
TBA-FIISB 26.2.4
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"validate_password_policy", regex:"(medium|strong)"
Hosts

192.168.1.142

(Default): NULL
(Default): NULL
(Default): NULL
(Default): NULL
7.5 Ensure Password Policy Is in Place - 'validate_password_special_char_count'
Info
Password complexity includes password characteristics such as length, case, and character sets.
Solution
Add to the global configuration:
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=MEDIUM

Also change the passwords of any users whose password is identical to their username.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 IA-5
CIP 007-6-R5
HIPAA 164.308(a)(5)(ii)(D)
PCI-DSSV3.1 8.2.3
PCI-DSSV3.2 8.2.3
800-171 3.5.7
CN-L3 7.1.2.7(e)
CN-L3 7.1.3.1(b)
CSF PR.AC-1
ISO/IEC-27001 A.9.4.3
ITSG-33 IA-5
TBA-FIISB 26.2.1
TBA-FIISB 26.2.4
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"validate_password_special_char_count", regex:"[1-9]"
Hosts

192.168.1.142

(Default): NULL
(Default): NULL
(Default): NULL
(Default): NULL
7.6 Ensure No Users Have Wildcard Hostnames
Info
MySQL can make use of host wildcards when granting permissions to users on specific databases. For example, you may grant a given privilege to '<user>'@'%'.
Solution
Perform the following actions to remediate this setting:
1. Enumerate all users returned after running the audit procedure
2. Either ALTER the user's host to be specific or DROP the user
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-3
800-171 3.1.1
CSF PR.AC-4
CSF PR.PT-3
ISO/IEC-27001 A.9.4.1
ITSG-33 AC-3
LEVEL 1S
LEVEL 2S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_2_DB.audit
Policy Value
NULL, NULL
Hosts

192.168.1.142

(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
8.1 Ensure 'have_ssl' Is Set to 'YES'
Info
All network traffic must use SSL/TLS when traveling over untrusted networks.
Solution
Follow the procedures documented in the MySQL 5.6 Reference Manual to set up SSL.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 SC-8
800-171 3.13.8
CSF PR.DS-2
CSF PR.DS-5
ISO/IEC-27001 A.13.2.3
ITSG-33 SC-8
TBA-FIISB 29.1
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"have_ssl", "yes"
Hosts

192.168.1.142

(Default): "have_ssl", "DISABLED"
(Default): "have_ssl", "DISABLED"
(Default): "have_ssl", "DISABLED"
(Default): "have_ssl", "DISABLED"
8.2 Ensure 'ssl_type' Is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users
Info
All network traffic must use SSL/TLS when traveling over untrusted networks. SSL/TLS should be enforced on a per-user basis for users which enter the system through the network.
Solution
Use the GRANT statement to require the use of SSL:
GRANT USAGE ON *.* TO 'my_user'@'app1.example.com' REQUIRE SSL;
Note that REQUIRE SSL only enforces SSL. There are options like REQUIRE X509, REQUIRE ISSUER, and REQUIRE SUBJECT which can be used to further restrict connection options.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 SC-8
800-171 3.13.8
CSF PR.DS-2
CSF PR.DS-5
ISO/IEC-27001 A.13.2.3
ITSG-33 SC-8
TBA-FIISB 29.1
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:".+", regex:".+", regex:"(any|x509|specified)"
Hosts

192.168.1.142

(Default): "", "%", "root"
(Default): "", "%", "root"
(Default): "", "%", "root"
(Default): "", "%", "root"
9.3 Ensure 'master_info_repository' Is Set to 'TABLE'
Info
The master_info_repository setting determines where a slave logs master status and connection information. The options are FILE or TABLE. Note that this setting is associated with the sync_master_info setting.
Solution
Perform the following actions to remediate this setting:
1. Open the MySQL configuration file (my.cnf)
2. Locate master_info_repository
3. Set the master_info_repository value to TABLE

NOTE: If master_info_repository does not exist, add it to the configuration file.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 CM-6
CSCV6 3.1
PCI-DSSV3.1 2.2.4
PCI-DSSV3.2 2.2.4
800-171 3.4.2
CSF PR.IP-1
ITSG-33 CM-6
LEVEL 2S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_2_DB.audit
Policy Value
"master_info_repository", "table"
Hosts

192.168.1.142

(Default): "master_info_repository", "FILE"
(Default): "master_info_repository", "FILE"
(Default): "master_info_repository", "FILE"
(Default): "master_info_repository", "FILE"
(Default): "master_info_repository", "FILE"
Compliance 'SKIPPED'
Compliance 'PASSED'
1.1 Place Databases on Non-System Partitions
Info
It is generally accepted that host operating systems should include different filesystem partitions for different purposes. One set of filesystems is typically called 'system partitions' and is generally reserved for host system/application operation. The other set is typically called 'non-system partitions', and such locations are generally reserved for storing data.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 SC-5
CSF PR.DS-4
ITSG-33 SC-5
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"datadir", regex:"^([^c][:][\\].+|/.+)$"
Hosts

192.168.1.142

(Default): "datadir", "/var/lib/mysql/"
(Default): "datadir", "/var/lib/mysql/"
(Default): "datadir", "/var/lib/mysql/"
(Default): "datadir", "/var/lib/mysql/"
4.2 Ensure the 'test' Database Is Not Installed
Info
The default MySQL installation comes with an unused database called test. It is recommended that the test database be dropped.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 CM-7
CIP 007-6-R1
CSCV6 9.1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
NULL
Hosts

192.168.1.142

(Default): NULL
(Default): NULL
(Default): NULL
(Default): NULL
4.6 Ensure '-skip-symbolic-links' Is Enabled
Info
The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When use of symbolic links is enabled, they have different effects depending on the host platform. When symbolic links are disabled, symbolic links stored in files or entries in tables are not used by the database.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 CM-6
CSCV6 3.1
PCI-DSSV3.1 2.2.4
PCI-DSSV3.2 2.2.4
800-171 3.4.2
CSF PR.IP-1
ITSG-33 CM-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"have_symlink", "disabled"
Hosts

192.168.1.142

(Default): "have_symlink", "DISABLED"
(Default): "have_symlink", "DISABLED"
(Default): "have_symlink", "DISABLED"
(Default): "have_symlink", "DISABLED"
4.7 Ensure the 'daemon_memcached' Plugin Is Disabled
Info
The InnoDB memcached Plugin allows users to access data stored in InnoDB with the memcached protocol.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 CM-7
CIP 007-6-R1
CSCV6 9.1
PCI-DSSV3.1 2.2.2
PCI-DSSV3.1 2.2.3
PCI-DSSV3.2 2.2.2
PCI-DSSV3.2 2.2.3
800-171 3.4.6
800-171 3.4.7
CN-L3 7.1.3.5(c)
CN-L3 7.1.3.7(d)
CSF PR.IP-1
CSF PR.PT-3
ITSG-33 CM-7
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
NULL, NULL
Hosts

192.168.1.142

(Default): NULL
(Default): NULL
(Default): NULL
(Default): NULL
5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.db'
Info
The mysql.user and mysql.db tables list a variety of privileges that can be granted (or denied) to MySQL users. Some of the privileges of concern include: Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv, and so on. Typically, these privileges should not be available to every MySQL user and often are reserved for administrative use only.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Hosts

192.168.1.142

(Default): NULL
(Default): NULL
(Default): NULL
(Default): NULL
5.1 Ensure Only Administrative Users Have Full Database Access 'mysql.user'
Info
The mysql.user and mysql.db tables list a variety of privileges that can be granted (or denied) to MySQL users. Some of the privileges of concern include: Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv, and so on. Typically, these privileges should not be available to every MySQL user and often are reserved for administrative use only.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
CSCV6 5.1
800-171 3.1.5
CSF PR.AC-4
ISO/IEC-27001 A.9.2.3
ITSG-33 AC-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:".+", "root"
Hosts

192.168.1.142

(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
5.2 Ensure 'file_priv' Is Not Set to 'Y' for Non-Administrative Users
Info
The File_priv privilege found in the mysql.user table is used to allow or disallow a user from reading and writing files on the server host. Any user with the File_priv right granted has the ability to:
- Read files from the local file system that are readable by the MySQL server (this includes world-readable files)
- Write files to the local file system where the MySQL server has write access
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
CSCV6 5.1
800-171 3.1.5
CSF PR.AC-4
ISO/IEC-27001 A.9.2.3
ITSG-33 AC-6
LEVEL 1NS
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:".+", "root"
Hosts

192.168.1.142

(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
5.3 Ensure 'process_priv' Is Not Set to 'Y' for Non-Administrative Users
Info
The PROCESS privilege found in the mysql.user table determines whether a given user can see statement execution information for all sessions.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
CSCV6 5.1
800-171 3.1.5
CSF PR.AC-4
ISO/IEC-27001 A.9.2.3
ITSG-33 AC-6
LEVEL 2S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_2_DB.audit
Policy Value
regex:".+", "root"
Hosts

192.168.1.142

(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
5.4 Ensure 'super_priv' Is Not Set to 'Y' for Non-Administrative Users
Info
The SUPER privilege found in the mysql.user table governs the use of a variety of MySQL features. These features include CHANGE MASTER TO, KILL, the mysqladmin kill option, PURGE BINARY LOGS, SET GLOBAL, the mysqladmin debug option, logging control, and more.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
CSCV6 5.1
800-171 3.1.5
CSF PR.AC-4
ISO/IEC-27001 A.9.2.3
ITSG-33 AC-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:".+", "root"
Hosts

192.168.1.142

(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
5.5 Ensure 'shutdown_priv' Is Not Set to 'Y' for Non-Administrative Users
Info
The SHUTDOWN privilege enables use of the shutdown option of the mysqladmin command, which lets a user holding that privilege shut down the MySQL server.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
CSCV6 5.1
800-171 3.1.5
CSF PR.AC-4
ISO/IEC-27001 A.9.2.3
ITSG-33 AC-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:".+", "root"
Hosts

192.168.1.142

(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
5.6 Ensure 'create_user_priv' Is Not Set to 'Y' for Non-Administrative Users
Info
The CREATE USER privilege governs the right of a given user to add or remove users, change existing users' names, or revoke existing users' privileges.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
CSCV6 5.1
800-171 3.1.5
CSF PR.AC-4
ISO/IEC-27001 A.9.2.3
ITSG-33 AC-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:".+", "root"
Hosts

192.168.1.142

(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
5.7 Ensure 'grant_priv' Is Not Set to 'Y' for Non-Administrative Users 'mysql.user'
Info
The GRANT OPTION privilege exists in different contexts (mysql.user, mysql.db) for the purpose of governing the ability of a privileged user to manipulate the privileges of other users.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
CSCV6 5.1
800-171 3.1.5
CSF PR.AC-4
ISO/IEC-27001 A.9.2.3
ITSG-33 AC-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:".+", "root"
Hosts

192.168.1.142

(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
5.8 Ensure 'repl_slave_priv' Is Not Set to 'Y' for Non-Slave Users
Info
The REPLICATION SLAVE privilege governs whether a given user (in the context of the master server) can request updates that have been made on the master server.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
CSCV6 5.1
800-171 3.1.5
CSF PR.AC-4
ISO/IEC-27001 A.9.2.3
ITSG-33 AC-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
regex:".+", "root"
Hosts

192.168.1.142

(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
(Default): "%", "root"
6.1 Ensure 'log_error' Is Not Empty
Info
The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AU-12
800-171 3.3.1
800-171 3.3.2
CN-L3 7.1.3.3(a)
CN-L3 7.1.3.3(b)
CN-L3 7.1.3.3(c)
CSF DE.CM-1
CSF DE.CM-3
CSF DE.CM-7
CSF PR.PT-1
ISO/IEC-27001 A.12.4.1
ITSG-33 AU-12
TBA-FIISB 45.1.1
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"log_error", regex:".+"
Hosts

192.168.1.142

(Default): "log_error", "stderr"
(Default): "log_error", "stderr"
(Default): "log_error", "stderr"
(Default): "log_error", "stderr"
6.2 Ensure Log Files Are Stored on a Non-System Partition
Info
MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root filesystem, /var, and /usr.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 SC-5
CSF PR.DS-4
ITSG-33 SC-5
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
NULL, NULL
Hosts

192.168.1.142

(Default): NULL
6.3 Ensure 'log_error_verbosity' Is Not Set to '1'
Info
The log_error_verbosity system variable provides additional information to the MySQL log. A value of 1 enables logging of error messages. A value of 2 enables logging of error and warning messages, and a value of 3 enables logging of error, warning and note messages.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AU-12
800-171 3.3.1
800-171 3.3.2
CN-L3 7.1.3.3(a)
CN-L3 7.1.3.3(b)
CN-L3 7.1.3.3(c)
CSF DE.CM-1
CSF DE.CM-3
CSF DE.CM-7
CSF PR.PT-1
ISO/IEC-27001 A.12.4.1
ITSG-33 AU-12
TBA-FIISB 45.1.1
LEVEL 2S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_2_DB.audit
Policy Value
"log_error_verbosity", 2 || 3
Hosts

192.168.1.142

(Default): "log_error_verbosity", 3
7.4 Ensure 'default_password_lifetime' Is Less Than Or Equal To '90'
Info
Password expiry provides passwords with a time bounded lifetime.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 IA-5
CIP 007-6-R5
HIPAA 164.308(a)(5)(ii)(D)
PCI-DSSV3.1 8.2.4
PCI-DSSV3.2 8.2.4
CN-L3 7.1.2.7(e)
CN-L3 7.1.3.1(b)
CSF PR.AC-1
ISO/IEC-27001 A.9.4.3
ITSG-33 IA-5
TBA-FIISB 26.2.2
800-171 3.5.10
800-171 3.5.7
800-171 3.5.8
800-171 3.5.9
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
NULL
Hosts

192.168.1.142

(Default): NULL
7.7 Ensure No Anonymous Accounts Exist
Info
Anonymous accounts are users with empty usernames (''). Anonymous accounts have no passwords, so anyone can use them to connect to the MySQL server.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-14
ITSG-33 AC-14
LEVEL 2S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_2_DB.audit
Policy Value
NULL, NULL
Hosts

192.168.1.142

(Default): NULL
9.4 Ensure 'super_priv' Is Not Set to 'Y' for Replication Users
Info
The SUPER privilege found in the mysql.user table governs the use of a variety of MySQL features. These features include CHANGE MASTER TO, KILL, the mysqladmin kill option, PURGE BINARY LOGS, SET GLOBAL, the mysqladmin debug option, logging control, and more.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-6
CSCV6 5.1
800-171 3.1.5
CSF PR.AC-4
ISO/IEC-27001 A.9.2.3
ITSG-33 AC-6
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
NULL, NULL
Hosts

192.168.1.142

(Default): NULL
9.5 Ensure No Replication Users Have Wildcard Hostnames
Info
MySQL can make use of host wildcards when granting permissions to users on specific databases. For example, you may grant a given privilege to '<user>'@'%'.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 AC-3
800-171 3.1.1
CSF PR.AC-4
CSF PR.PT-3
ISO/IEC-27001 A.9.4.1
ITSG-33 AC-3
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
NULL, NULL
Hosts

192.168.1.142

(Default): NULL
MySQL 4.1, 5.0, 5.1 Community Editions is not installed
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_MySQL_Benchmark_v1.0.2.pdf
Audit File
CIS_MySQL_4.1_5.1_Benchmark_v1.0.2_LEVEL_2_DB.audit
Hosts

192.168.1.142

(Default): FAILED, 1, ['sql_expect': <array>]['type': 65]['check_option': 48]['sql_types': <array>]['sql_request': show variables like 'version' ;..., MySQL CIS 1.0.2, [0: <array>]
MySQL 5.6 Community Edition is not installed
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.6_Benchmark_v1.1.0.pdf
Audit File
CIS_MySQL_5.6_Enterprise_Benchmark_v1.1.0_LEVEL_1_DB.audit
Hosts

192.168.1.142

(Default): FAILED, 1, ['sql_expect': <array>]['type': 65]['check_option': 48]['sql_types': <array>]['sql_request': show variables like 'version' ;..., MySQL CIS 1.1.0, [0: <array>]
(Default): FAILED, 1, ['sql_expect': <array>]['type': 65]['check_option': 48]['sql_types': <array>]['sql_request': show variables like 'version' ;..., MySQL Enterprise CIS 1.1.0, [0: <array>]
MySQL 5.7 Enterprise Edition is not installed
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Enterprise_Edition_5.7_Benchmark_v1.0.0.pdf
Audit File
CIS_MySQL_5.7_Enterprise_Benchmark_v1.0.0_Level_2_DB.audit
Hosts

192.168.1.142

(Default): FAILED, 1, ['sql_expect': <array>]['type': 65]['check_option': 48]['sql_types': <array>]['sql_request': show variables like 'license' ;..., MySQL CIS 1.0.0, [0: <array>]
Compliance 'INFO', 'WARNING', 'ERROR'
4.1 Ensure Latest Security Patches Are Applied
Info
Periodically, updates to MySQL server are released to resolve bugs, mitigate vulnerabilities, and provide new features. It is recommended that MySQL installations are up to date with the latest security updates.

NOTE: Nessus has not performed this check. This is provided for informational purposes only.
Solution
Install the latest patches for your version or upgrade to the latest version.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 SI-2
HIPAA 164.308(a)(5)(ii)(A)
800-171 3.14.1
CSF ID.RA-1
CSF PR.IP-12
ITSG-33 SI-2
LEVEL 1NS
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
"version", regex:"null"
Hosts

192.168.1.142

(Default): "version", "5.7.5-m15"
6.4 Ensure Audit Logging Is Enabled
Info
Audit logging is not included in the Community Edition of MySQL; only the general log is available. Using the general log is possible, but not practical, because it grows quickly and has an adverse impact on server performance. Nevertheless, enabling audit logging is an important consideration for a production environment, and third-party tools do exist to help with this. Enable audit logging for
- Interactive user sessions
- Application sessions (optional)
Solution
Acquire a third-party MySQL logging solution as available from a variety of sources including, but not necessarily limited to, the following:
- The General Query Log
- MySQL Enterprise Audit
- MariaDB Audit Plugin for MySQL
- McAfee MySQL Audit
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
LEVEL 2NS
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_2_DB.audit
Hosts

192.168.1.142

(Default): NULL
9.1 Ensure Replication Traffic Is Secured
Info
The replication traffic between servers should be secured. Check if the replication traffic is using
- A private network
- A VPN
- SSL/TLS
- An SSH tunnel

NOTE: Nessus has not performed this query, and this check is only provided for informational purposes.
Solution
Secure the network traffic. When the replication traffic is not secured, someone might be able to capture passwords and other sensitive information as they are sent to the slave.
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Hosts

192.168.1.142

(Default): NULL
9.2 Ensure 'MASTER_SSL_VERIFY_SERVER_CERT' Is Set to 'YES' or '1'
Info
In the MySQL slave context the setting MASTER_SSL_VERIFY_SERVER_CERT indicates whether the slave should verify the master's certificate. This configuration item may be set to Yes or No, and unless SSL has been enabled on the slave, the value will be ignored.
Solution
To remediate this setting you must use the CHANGE MASTER TO command.
STOP SLAVE; -- required if replication was already running
CHANGE MASTER TO MASTER_SSL_VERIFY_SERVER_CERT=1;
START SLAVE; -- required if you want to restart replication
See Also
https://benchmarks.cisecurity.org/tools2/mysql/CIS_Oracle_MySQL_Community_Server_5.7_Benchmark_v1.0.0.pdf
References
800-53 IA-5
CSF PR.AC-1
ITSG-33 IA-5
LEVEL 1S
Audit File
CIS_MySQL_5.7_Community_Benchmark_v1.0.0_LEVEL_1_DB.audit
Policy Value
1
Hosts

192.168.1.142

(Default): NULL
© 2017 Tenable™, Inc. All rights reserved.