STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021

The MySQL Database Server 8.0 must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

DISA Rule

SV-235146r638812_rule

Vulnerability Number

V-235146

Group Title

SRG-APP-000142-DB-000094

Rule Version

MYS8-00-006000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Disable functions, ports, protocols, and services that are not approved.

Change the MySQL options related to network, ports, and protocols for the server, and consider refining access further at the user account level.

vi my.cnf
[mysqld]
port=<port value>
admin_address=<addr>
admin_port=<port value>
mysqlx_port=<port value>
socket={file_name|pipe_name}

If admin_address is not defined, access via the admin port is disabled.

Additionally, the X Plugin can be disabled at startup either by setting mysqlx=0 in the MySQL configuration file or by passing --mysqlx=0 or --skip-mysqlx when starting the MySQL server.
Restart mysqld.

Check Contents

Review the MySQL Database Server 8.0 settings and local documentation for functions, ports, protocols, and services that are not approved. If any are found, this is a finding.

Run the following SQL to list ports:
SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.global_variables
WHERE VARIABLE_NAME in ('port', 'mysqlx_port', 'admin_port');

The default MySQL ports for organizational connections are:
Classic MySQL - 3306
MySQL X - 33060
MySQL Admin Port - 33062 (disabled by default)

If any of these are in conflict with guidance, and not explained and approved in the system documentation, this is a finding.

Run the following to determine if a local socket or pipe is in use:
SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.global_variables where
VARIABLE_NAME like '%pipe%' or VARIABLE_NAME = 'socket' or VARIABLE_NAME = 'mysqlx_socket';

Values for the classic protocol and X Protocol will be returned.
For example, on Linux:
'socket','/tmp/mysql.sock'
'mysqlx_socket','/tmp/mysqlx.sock'
On Windows:
'named_pipe', 'ON'

If these are in conflict with guidance, and not explained and approved in the system documentation, this is a finding.
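
One way to evaluate the rows returned by the two check queries against a site's approved list, as an added example that is not part of the STIG or the STIGQter page. The APPROVED baseline, the helper names, and the sample rows are constructed assumptions; the example also assumes 'admin_address' is added to the first query's IN list so the admin port can be interpreted as the fix text describes.

```python
# Added example: evaluates rows returned by the check queries above.
# APPROVED is a hypothetical site baseline, not values taken from the STIG.
APPROVED = {
    "port": {"3306"},
    "admin_port": {"33062"},
    "socket": {"/tmp/mysql.sock"},
    "mysqlx_port": set(),      # X Protocol not approved at this example site
    "mysqlx_socket": set(),
    "named_pipe": {"OFF"},
}
CONTEXT = {"admin_address"}    # read to interpret admin_port, never judged itself


def parse_rows(text):
    """Parse NAME<TAB>VALUE lines, e.g. from `mysql --batch --skip-column-names`."""
    rows = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition("\t")
            rows[name.strip().lower()] = value.strip()
    return rows


def findings(rows, approved=APPROVED):
    """Return sorted (variable, value) pairs that are set but not approved."""
    out = []
    for name, value in rows.items():
        if name in CONTEXT or not value:
            continue
        # Per the fix text: with admin_address undefined, the admin port is disabled.
        if name == "admin_port" and not rows.get("admin_address"):
            continue
        # Variables missing from the baseline are reported so they get reviewed.
        if value not in approved.get(name, set()):
            out.append((name, value))
    return sorted(out)


# Constructed sample output (not captured from a real server).
SAMPLE = "\n".join([
    "port\t3306", "mysqlx_port\t33060", "admin_port\t33070", "admin_address\t",
    "socket\t/tmp/mysql.sock", "mysqlx_socket\t/tmp/mysqlx.sock",
])

if __name__ == "__main__":
    for name, value in findings(parse_rows(SAMPLE)):
        print(f"FINDING unless documented and approved: {name}={value}")
```

With the sample rows, the unapproved admin_port value is not reported while admin_address is empty, and it becomes a finding as soon as an admin address is defined.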

Documentable

False

Check Content Reference

M

Target Key

5277

Comments