Check: 164.401 (MySQL EE 5.7, version v2 r1)
Title
If MySQL Server authentication, using passwords, is employed, the MySQL Server must enforce the DoD standards for password complexity and lifetime. (Cat II impact)
Discussion
If MySQL Server authentication, using passwords, is not employed, this is not a finding. If the MySQL Server is configured to inherit password complexity and lifetime rules from the operating system or access control program, this is not a finding.

Review the MySQL password validation settings relating to password complexity. Determine whether the following rules are enforced. If any are not, this is a finding.
a. Minimum of 15 characters, including at least one of each of the following character sets:
   - Upper-case
   - Lower-case
   - Numerics
   - Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)
b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight.

Review the MySQL password validation settings relating to password lifetime. Determine whether the following rules are enforced. If any are not, this is a finding.
a. Password lifetime limits for interactive accounts: minimum 24 hours, maximum 60 days.
b. Password lifetime limits for non-interactive accounts: minimum 24 hours, maximum 365 days.
c. Number of password changes before an old one may be reused: minimum of five.
Check Content
Verify the MySQL Server password validation plugin is being utilized and is configured correctly to match DoD standards:

mysql> SHOW VARIABLES LIKE 'validate_password%';
Fix Text
If the use of passwords is not needed, configure the MySQL server to prevent their use if it is capable of this; if it is not so capable, institute policies and procedures to prohibit their use. Otherwise, use the MySQL password validation plugin to enforce the following rules for passwords:
a. Minimum of 15 characters, including at least one of each of the following character sets:
   - Upper-case
   - Lower-case
   - Numerics
   - Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)
b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight.
c. Password lifetime limits for interactive accounts: minimum 24 hours, maximum 60 days.
d. Password lifetime limits for non-interactive accounts: minimum 24 hours, maximum 365 days.
e. Number of password changes before an old one may be reused: minimum of five.
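The statements below are an added example, not part of the STIG text, covering both the Check Content query above and the Fix Text: they load the validate_password plugin on MySQL 5.7, set the complexity and lifetime values the rules call for, and then run the queries a reviewer would use to confirm them. The dictionary file path and the service account name are assumptions for illustration.

```sql
-- Added example (not from the STIG): MySQL 5.7 configuration for this check.
-- Assumed: dictionary path and the 'app_svc' account are illustrative.

-- 1. Load the validate_password plugin. SET GLOBAL does not persist across a
--    restart on 5.7, so also put plugin-load-add=validate_password.so and the
--    validate_password_* values below into my.cnf.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';

-- 2. Complexity. STRONG = length + mixed case + digits + special chars,
--    plus a dictionary check when a dictionary file is set.
SET GLOBAL validate_password_policy             = STRONG;
SET GLOBAL validate_password_length             = 15;
SET GLOBAL validate_password_mixed_case_count   = 1;   -- at least one upper AND one lower
SET GLOBAL validate_password_number_count       = 1;
SET GLOBAL validate_password_special_char_count = 1;
SET GLOBAL validate_password_dictionary_file    = '/etc/mysql/banned-passwords.txt';  -- assumed path
SET GLOBAL validate_password_check_user_name    = ON;  -- 5.7.15+: reject password equal to user name

-- 3. Lifetime. The global default applies to every account with a NULL
--    password_lifetime, so it is set to the interactive maximum (60 days).
SET GLOBAL default_password_lifetime = 60;

-- Non-interactive service accounts may run to 365 days; override per account.
ALTER USER 'app_svc'@'10.0.0.%' PASSWORD EXPIRE INTERVAL 365 DAY;

-- 4. Verify (this is the Check Content query plus the lifetime variable).
--    Expected: validate_password_policy = STRONG, validate_password_length = 15,
--    each *_count >= 1, default_password_lifetime = 60.
SHOW VARIABLES LIKE 'validate_password%';
SHOW VARIABLES LIKE 'default_password_lifetime';

-- 5. Per-account effective lifetime. In mysql.user a NULL password_lifetime
--    means "use the global default" and 0 means "never expires" (a finding).
--    Every row returned must either be a non-interactive account at <= 365 days
--    or is a finding; the interactive/non-interactive split comes from the
--    site's account inventory, not from MySQL.
SELECT User, Host, password_last_changed,
       COALESCE(password_lifetime, @@GLOBAL.default_password_lifetime) AS effective_days
FROM mysql.user
WHERE COALESCE(password_lifetime, @@GLOBAL.default_password_lifetime) = 0
   OR COALESCE(password_lifetime, @@GLOBAL.default_password_lifetime) > 60
ORDER BY effective_days DESC;
```

Three of the rules have no native control in MySQL 5.7: the 24-hour minimum password age, the five-password reuse history, and the "eight characters changed from the previous password" requirement. The password_history and password_reuse_interval settings only arrived in MySQL 8.0.3, and no release checks how many characters differ between old and new passwords. On 5.7 those rules have to be met either through the operating system or access control program route the Discussion allows (for example the Enterprise PAM authentication plugin delegating to an OS password policy) or through documented procedures; the reviewer should ask for that evidence rather than expecting SHOW VARIABLES to show it.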
Additional Identifiers
Rule ID:
Vulnerability ID: V-61407
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-000192 | The information system enforces password complexity by the minimum number of upper case characters used.
Controls
Number | Title
---|---
IA-5 (1) | Password-Based Authentication