Check: MADB-10-008300
MariaDB Enterprise 10.x STIG:
MADB-10-008300
(in versions v2 r2 through v1 r2)
Title
MariaDB must prohibit the use of cached authenticators after an organization-defined time period. (Cat II impact)
Discussion
If cached authentication information is out-of-date, the validity of the authentication information may be questionable. Each connection to the MariaDB database requires the authentication of the user. The authentication remains in place for the connection until the connection is closed or the connection times out due to inactivity.
Check Content
The system parameter idle_transaction_timeout specifies in seconds when a connection will be terminated due to inactivity. After a connection is terminated, a new request to the database must be preceded by an authentication, which is not cached within the database. Run the following SQL: MariaDB> SHOW GLOBAL VARIABLES LIKE 'idle_transaction_timeout'; If the value is 0, this is a finding.
Fix Text
Verify that the idle_transaction_wait is set to a value greater than 0 or is set to the value needed by the administrator. The value of idle_transaction_wait can be validated by issuing SHOW VARIABLES. Example: Locate the MariaDB Enterprise Server configuration files in /etc/my.cnf.d/. Add the following: Under the [mariadb] section: idle_transaction_timeout = 60 After making changes to the .cnf file, stop and restart the database service.
Additional Identifiers
Rule ID: SV-253736r961521_rule
Vulnerability ID: V-253736
Group Title: SRG-APP-000400-DB-000367
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002007 |
Prohibit the use of cached authenticators after an organization-defined time period. |
Controls
Number | Title |
---|---|
IA-5(13) |
Expiration of Cached Authenticators |