1.1 Place Databases on Non-System Partitions | SYSTEM AND COMMUNICATIONS PROTECTION |
1.2 Use Dedicated Least Privileged Account for MariaDB Daemon/Service | ACCESS CONTROL, MEDIA PROTECTION |
1.4 Verify That the MYSQL_PWD Environment Variable is Not in Use | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.6 Verify That 'MYSQL_PWD' is Not Set in Users' Profiles | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.1.1 Backup Policy in Place | CONTINGENCY PLANNING |
2.1.2 Verify Backups are Good | CONTINGENCY PLANNING |
2.1.3 Secure Backup Credentials | ACCESS CONTROL, CONTINGENCY PLANNING, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.1.4 The Backups Should be Properly Secured | CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION |
2.1.6 Disaster Recovery (DR) Plan | CONTINGENCY PLANNING |
2.1.7 Backup of Configuration and Related Files | CONTINGENCY PLANNING |
2.2 Dedicate the Machine Running MariaDB | SYSTEM AND COMMUNICATIONS PROTECTION |
2.3 Do Not Specify Passwords in the Command Line | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.4 Do Not Reuse Usernames | ACCESS CONTROL |
2.5 Ensure Non-Default, Unique Cryptographic Material is in Use | SYSTEM AND COMMUNICATIONS PROTECTION |
2.6 Ensure 'password_lifetime' is Less Than or Equal to '365' | IDENTIFICATION AND AUTHENTICATION |
3.1 Ensure 'datadir' Has Appropriate Permissions | ACCESS CONTROL, MEDIA PROTECTION |
3.2 Ensure 'log_bin_basename' Files Have Appropriate Permissions | ACCESS CONTROL, MEDIA PROTECTION |
3.3 Ensure 'log_error' Has Appropriate Permissions | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
3.4 Ensure 'slow_query_log' Has Appropriate Permissions | ACCESS CONTROL, MEDIA PROTECTION |
3.5 Ensure 'relay_log_basename' Files Have Appropriate Permissions | ACCESS CONTROL, MEDIA PROTECTION |
3.6 Ensure 'general_log_file' Has Appropriate Permissions | ACCESS CONTROL, MEDIA PROTECTION |
3.7 Ensure SSL Key Files Have Appropriate Permissions | ACCESS CONTROL, MEDIA PROTECTION |
3.8 Ensure Plugin Directory Has Appropriate Permissions | ACCESS CONTROL, MEDIA PROTECTION |
3.9 Ensure 'server_audit_file_path' Has Appropriate Permissions | ACCESS CONTROL, MEDIA PROTECTION |
3.10 Ensure File Key Management Encryption Plugin files have appropriate permissions | ACCESS CONTROL, MEDIA PROTECTION |
4.1 Ensure the Latest Security Patches are Applied | SYSTEM AND SERVICES ACQUISITION |
4.2 Ensure Example or Test Databases are Not Installed on Production Servers | PLANNING, SYSTEM AND SERVICES ACQUISITION |
4.4 Harden Usage for 'local_infile' on MariaDB Clients | CONFIGURATION MANAGEMENT |
4.5 Ensure mariadb is Not Started With 'skip-grant-tables' | ACCESS CONTROL, MEDIA PROTECTION |
4.6 Ensure Symbolic Links are Disabled | PLANNING, SYSTEM AND SERVICES ACQUISITION |
4.7 Ensure the 'secure_file_priv' is Configured Correctly | ACCESS CONTROL, MEDIA PROTECTION |
5.1 Ensure Only Administrative Users Have Full Database Access | ACCESS CONTROL |
5.2 Ensure 'FILE' is Not Granted to Non-Administrative Users | ACCESS CONTROL |
5.4 Ensure 'SUPER' is Not Granted to Non-Administrative Users | ACCESS CONTROL |
5.5 Ensure 'SHUTDOWN' is Not Granted to Non-Administrative Users | ACCESS CONTROL |
5.6 Ensure 'CREATE USER' is Not Granted to Non-Administrative Users | ACCESS CONTROL |
5.7 Ensure 'GRANT OPTION' is Not Granted to Non-Administrative Users | ACCESS CONTROL |
5.8 Ensure 'REPLICATION SLAVE' is Not Granted to Non-Administrative Users | ACCESS CONTROL, MEDIA PROTECTION |
5.9 Ensure DML/DDL Grants are Limited to Specific Databases and Users | ACCESS CONTROL, MEDIA PROTECTION |
5.10 Securely Define Stored Procedures and Functions DEFINER and INVOKER | PLANNING, SYSTEM AND SERVICES ACQUISITION |
6.1 Ensure 'log_error' is configured correctly | AUDIT AND ACCOUNTABILITY |
6.2 Ensure Log Files are Stored on a Non-System Partition | AUDIT AND ACCOUNTABILITY |
6.5 Ensure the Audit Plugin Can't be Unloaded | AUDIT AND ACCOUNTABILITY |
7.1 Disable use of the mysql_old_password plugin | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.2 Ensure Passwords are Not Stored in the Global Configuration | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.3 Ensure strong authentication is utilized for all accounts | IDENTIFICATION AND AUTHENTICATION |
7.4 Ensure Password Complexity Policies are in Place | IDENTIFICATION AND AUTHENTICATION |
7.5 Ensure No Users Have Wildcard Hostnames | ACCESS CONTROL, MEDIA PROTECTION |
7.6 Ensure No Anonymous Accounts Exist | ACCESS CONTROL |
8.1 Ensure 'require_secure_transport' is Set to 'ON' and 'have_ssl' is Set to 'YES' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |