STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021:

The MySQL Database Server 8.0 must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.

DISA Rule

SV-235185r638812_rule

Vulnerability Number

V-235185

Group Title

SRG-APP-000295-DB-000305

Rule Version

MYS8-00-011100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Modify and/or configure MySQL and related applications and tools so that users are always required to reauthenticate when changing role or escalating privileges.

MySQL forces reauthentication by terminating the session: the client must reconnect and present its credentials again. To make a single user reauthenticate, terminate each of that user's connections with the following statement (the account issuing it needs the CONNECTION_ADMIN or SUPER privilege to kill connections owned by other users):

KILL CONNECTION processlist_id;

Check Contents

Review system documentation to obtain the organization's definition of circumstances requiring automatic session termination. If the documentation explicitly states that such termination is not required or is prohibited, this is not a finding.

Determine the situations where a user must reauthenticate. Check whether the mechanisms that handle such situations use the following SQL.

To make a single user reauthenticate, an existing connection for that user must be present.

To search for a specific user (the HOST column is recorded as host:port, so a LIKE pattern is used to match it):
SELECT * FROM information_schema.PROCESSLIST WHERE USER = '<name>' AND HOST LIKE '%';

To review all connections:
SELECT * FROM information_schema.PROCESSLIST;

Note the ID(s) (processlist_id) of the connection(s) for the user that must reauthenticate.

To make a user reauthenticate, run the following for each ID returned above (a user can hold multiple connections, and every one of them must be terminated or the user keeps an authenticated session):

KILL CONNECTION processlist_id;

If the provided SQL does not force reauthentication, this is a finding.
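The check above is a manual loop: list the user's connections, then issue KILL CONNECTION once per ID. The stored procedure below is an added example, not part of the STIG text or of any MySQL-supplied tooling, that performs the whole loop in one call so that no connection of the account is missed. The procedure name force_reauth, its parameters, and the account name 'appuser' in the usage lines are assumptions for illustration. The caller needs the PROCESSLIST privilege to see other users' connections and CONNECTION_ADMIN or SUPER to kill them.

```sql
-- Added example (not from the STIG or from MySQL): terminate every live
-- connection of one account so its client must reconnect and reauthenticate.
-- Names (force_reauth, p_user, p_host) are assumed, not MySQL built-ins.
DELIMITER $$

DROP PROCEDURE IF EXISTS force_reauth $$
CREATE PROCEDURE force_reauth(IN p_user VARCHAR(32), IN p_host VARCHAR(255))
BEGIN
    DECLARE v_id   BIGINT UNSIGNED;
    DECLARE v_done INT DEFAULT 0;

    -- All connections of the account; a user may hold several, and every one
    -- must go. HOST is stored as host:port, so the pattern is applied with LIKE.
    -- The caller's own session is excluded so the procedure cannot kill itself.
    DECLARE cur CURSOR FOR
        SELECT ID
        FROM information_schema.PROCESSLIST
        WHERE USER = p_user
          AND HOST LIKE p_host
          AND ID <> CONNECTION_ID();
    DECLARE CONTINUE HANDLER FOR NOT FOUND SET v_done = 1;

    OPEN cur;
    kill_loop: LOOP
        FETCH cur INTO v_id;
        IF v_done THEN
            LEAVE kill_loop;
        END IF;
        -- KILL takes a literal ID, not a variable, so the statement is
        -- built as text and run through a prepared statement.
        SET @kill_stmt = CONCAT('KILL CONNECTION ', v_id);
        PREPARE stmt FROM @kill_stmt;
        EXECUTE stmt;
        DEALLOCATE PREPARE stmt;
    END LOOP;
    CLOSE cur;
END $$

DELIMITER ;

-- Usage (assumed account name): drop all sessions of 'appuser' from any host.
CALL force_reauth('appuser', '%');

-- Verify: nothing should remain for the account except, at most, the
-- caller's own session if it happens to run as that user.
SELECT ID, USER, HOST, DB, COMMAND, TIME
FROM information_schema.PROCESSLIST
WHERE USER = 'appuser';
```

Two caveats when using this in the mechanism the check asks about. KILL CONNECTION rolls back any transaction the killed session had open, so applications should expect that. And a client configured to reconnect automatically with stored credentials will reauthenticate without the user noticing; the session is still re-established through a fresh authentication, but if the organization's definition of the trigger event requires the user to re-enter credentials, the application side has to enforce that. Note also that information_schema.PROCESSLIST is deprecated as of MySQL 8.0.22; performance_schema.threads (columns PROCESSLIST_ID, PROCESSLIST_USER, PROCESSLIST_HOST) can be substituted in the cursor query.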

Documentable

False

Check Content Reference

M

Target Key

5277

Comments