SV-235096r638812_rule
V-235096
SRG-APP-000001-DB-000031
MYS8-00-000200
CAT II
10
The MySQL Database Server 8.0 is capable of enforcing this restriction. If not configured to do so, configure it to do so.
Connect to the MySQL Database as an administrator.
To set the global default to 50:
SET PERSIST max_user_connections=50;
Additionally, max user connections can be set per user as well as for a given period of time.
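GRANT ALL ON customer.* TO 'francis'@'localhost';
-- MySQL 8.0 sets per-account resource limits with ALTER USER (or CREATE USER), not GRANT.
ALTER USER 'francis'@'localhost'
WITH MAX_CONNECTIONS_PER_HOUR 5
MAX_USER_CONNECTIONS 2;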
Determine whether the system documentation specifies limits on the number of concurrent MySQL database server 8.0 sessions.
Review the concurrent-sessions settings in the MySQL database server and/or the applications using it, and/or the system software supporting it.
The MySQL global variable max_user_connections limits the number of simultaneous connections that can be made by any given account.
To check global (default) concurrent-sessions settings in the MySQL database server, run the following query:
SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.global_variables
WHERE VARIABLE_NAME LIKE 'max_user_connections' ;
If the value of MAX_USER_CONNECTIONS is 0 (unlimited) or greater than the site-specific maximum number of sessions, this is a finding.
Retrieve the settings for concurrent sessions for each user with the query:
SELECT user, host, max_user_connections
FROM mysql.user
WHERE user not like 'mysql.%' and user not like 'root';
If the user account has a nonzero MAX_USER_CONNECTIONS resource limit, the session MAX_USER_CONNECTIONS value is set to that limit. Otherwise, the session max_user_connections value is set to the global value.
If the DBMS setting for concurrent sessions for any user is nonzero and greater than the site-specific maximum number of sessions, this is a finding.
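The global and per-user checks above can be combined into one query that applies the override rule: a nonzero account limit wins, otherwise the global value applies. This is an added example, not part of the STIG text; @site_max and the check_result column are assumptions, with 50 standing in for the site-specific maximum from the system documentation.

```sql
-- Assumption: 50 stands in for the site-specific maximum number of sessions.
SET @site_max := 50;

SELECT u.user,
       u.host,
       u.max_user_connections AS account_limit,
       g.global_limit,
       -- A nonzero account limit overrides the global default.
       IF(u.max_user_connections <> 0,
          u.max_user_connections,
          g.global_limit) AS effective_limit,
       CASE
         -- No account limit and no global limit: sessions are unlimited.
         WHEN u.max_user_connections = 0 AND g.global_limit = 0
           THEN 'FINDING: unlimited'
         WHEN IF(u.max_user_connections <> 0,
                 u.max_user_connections,
                 g.global_limit) > @site_max
           THEN 'FINDING: above site maximum'
         ELSE 'OK'
       END AS check_result
FROM mysql.user AS u
CROSS JOIN (
    -- Global default, read the same way as the global check above.
    SELECT CAST(VARIABLE_VALUE AS UNSIGNED) AS global_limit
    FROM performance_schema.global_variables
    WHERE VARIABLE_NAME = 'max_user_connections'
) AS g
WHERE u.user NOT LIKE 'mysql.%'
  AND u.user NOT LIKE 'root'
ORDER BY check_result, u.user, u.host;
```

The query reports the effective limit per account; the global-variable check still applies on its own, since a global value of 0 or above the site maximum is a finding even when every listed account has its own limit.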