Check: MADB-10-004700
MariaDB Enterprise 10.x STIG:
MADB-10-004700
(in versions v2 r2 through v1 r2)
Title
MariaDB must invalidate session identifiers upon user logout or other session termination. (Cat II impact)
Discussion
Captured sessions can be reused in replay attacks. This requirement limits the ability of adversaries to capture and continue to employ previously valid session IDs. This requirement focuses on communications protection for the MariaDB session rather than for the network packet. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. Session IDs are tokens generated by MariaDB to uniquely identify a user's (or process's) session. MariaDB will make access decisions and execute logic based on the session ID. Unique session IDs help to reduce predictability of said identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. When a user logs out, or when any other session termination event occurs, the DBMS must terminate the user's session(s) to minimize the potential for sessions to be hijacked.
Check Content
As the database administrator, run the following SQL: MariaDB> SHOW GLOBAL VARIABLES LIKE 'tcp_keepalive_interval'; MariaDB> SHOW GLOBAL VARIABLES LIKE 'tcp_keepalive_probes'; MariaDB> SHOW GLOBAL VARIABLES LIKE 'tcp_keepalive_time'; MariaDB> SHOW GLOBAL VARIABLES LIKE 'tcp_nodelay'; MariaDB> SHOW GLOBAL VARIABLES LIKE 'max_statement_time'; If these settings are not set, this is a finding.
Fix Text
As the administrator locate the my.cnf file to change. For Centos, RedHat, and similar distributions this will be in /etc/my.cnf.d/. In the [mariadb] section add the lines: tcp_keepalive_interval == seconds https://mariadb.com/docs/reference/mdb/system-variables/tcp_keepalive_interval/ tcp_keepalive_probes == number of probes https://mariadb.com/docs/reference/mdb/system-variables/tcp_keepalive_probes/ tcp_keepalive_time == seconds https://mariadb.com/docs/reference/mdb/system-variables/tcp_keepalive_time/ tcp_nodelay == boolean (off or on) https://mariadb.com/docs/reference/mdb/system-variables/tcp_nodelay/ max_statement_time == seconds https://mariadb.com/docs/reference/mdb/system-variables/max_statement_time/
Additional Identifiers
Rule ID: SV-253706r961113_rule
Vulnerability ID: V-253706
Group Title: SRG-APP-000220-DB-000149
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001185 |
Invalidate session identifiers upon user logout or other session termination. |
Controls
Number | Title |
---|---|
SC-23(1) |
Invalidate Session Identifiers at Logout |