Check: MYS8-00-004900
Oracle MySQL 8.0 STIG:
MYS8-00-004900
(in versions v1 r5 through v1 r1)
Title
The MySQL Database Server 8.0 must map the PKI-authenticated identity to an associated user account. (Cat II impact)
Discussion
The DoD standard for authentication is DoD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a Database Management System (DBMS) user account for the authenticated identity to be meaningful to the DBMS and useful for authorization decisions.
Check Content
Review MySQL Database Server 8.0 configuration to verify DBMS user accounts are being mapped directly to unique identifying information within the validated PKI certificate. Confirm Issuer and Subject map to the username. Run the following script: SELECT `user`.`Host`, `user`.`User`, `user`.`ssl_type`, CAST(`user`.`x509_issuer` as CHAR) as Issuer, CAST(`user`.`x509_subject` as CHAR) as Subject FROM `mysql`.`user`; If user accounts are not being mapped to authenticated identities, this is a finding.
Fix Text
Configure the MySQL Database Server 8.0 to map the authenticated identity directly to the MySQL Database Server 8.0 user account. Alter users to require X509 certificates. Below is an example to add X509 as a requirement. For a new user: CREATE USER 'jeffrey'@'localhost' REQUIRE X509; AND SUBJECT '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Johan Smith' AND ISSUER '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Some CA'; Or to add to an existing user: ALTER USER 'johansmith'@'%' REQUIRE X509 AND SUBJECT '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Johan Smith' AND ISSUER '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Some CA';
Additional Identifiers
Rule ID: SV-235136r879614_rule
Vulnerability ID: V-235136
Group Title: SRG-APP-000177-DB-000069
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000187 |
The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group. |
Controls
Number | Title |
---|---|
IA-5 (2) |
Pki-Based Authentication |