CIS MySQL 5.7 Enterprise Database L1 v2.0.0

Audit Details

Name: CIS MySQL 5.7 Enterprise Database L1 v2.0.0

Updated: 6/17/2024

Authority: CIS

Plugin: MySQLDB

Revision: 1.1

Estimated Item Count: 68

File Details

Filename: CIS_MySQL_5.7_Enterprise_Benchmark_v2.0.0_Level_1_Database.audit

Size: 149 kB

MD5: 93e3ef31e1adacf9ee03088d6721095f
SHA256: 03b25bd31f6e9b0bdcebced8ce94a2125f6aaaf76c95095856a5104d9deb022b

Audit Items

DescriptionCategories
1.1 Place Databases on Non-System Partitions

SYSTEM AND COMMUNICATIONS PROTECTION

2.4 Do Not Reuse Usernames

ACCESS CONTROL

2.6 Ensure 'password_lifetime' is Less Than or Equal to '365'

IDENTIFICATION AND AUTHENTICATION

2.7 Ensure Password Complexity is Configured - validate_password_check_user_name

IDENTIFICATION AND AUTHENTICATION

2.7 Ensure Password Complexity is Configured - validate_password_dictionary_file

IDENTIFICATION AND AUTHENTICATION

2.7 Ensure Password Complexity is Configured - validate_password_length

IDENTIFICATION AND AUTHENTICATION

2.7 Ensure Password Complexity is Configured - validate_password_mixed_case_count

IDENTIFICATION AND AUTHENTICATION

2.7 Ensure Password Complexity is Configured - validate_password_number_count

IDENTIFICATION AND AUTHENTICATION

2.7 Ensure Password Complexity is Configured - validate_password_policy

IDENTIFICATION AND AUTHENTICATION

2.7 Ensure Password Complexity is Configured - validate_password_special_char_count

IDENTIFICATION AND AUTHENTICATION

2.15 Implement Connection Delays to Limit Failed Login Attempts - CONNECTION_CONTROL

ACCESS CONTROL

2.15 Implement Connection Delays to Limit Failed Login Attempts - connection_control_failed_connections_threshold

ACCESS CONTROL

2.15 Implement Connection Delays to Limit Failed Login Attempts - CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS

ACCESS CONTROL

2.15 Implement Connection Delays to Limit Failed Login Attempts - connection_control_max_connection_delay

ACCESS CONTROL

2.15 Implement Connection Delays to Limit Failed Login Attempts - connection_control_min_connection_delay

ACCESS CONTROL

3.1 Ensure 'datadir' Has Appropriate Permissions
3.2 Ensure 'log_bin_basename' Files Have Appropriate Permissions

ACCESS CONTROL, MEDIA PROTECTION

3.3 Ensure 'log_error' Has Appropriate Permissions

ACCESS CONTROL, MEDIA PROTECTION

3.4 Ensure 'slow_query_log' Has Appropriate Permissions

ACCESS CONTROL, MEDIA PROTECTION

3.5 Ensure 'relay_log_basename' Files Have Appropriate Permissions

ACCESS CONTROL, MEDIA PROTECTION

3.6 Ensure 'general_log_file' Has Appropriate Permissions

ACCESS CONTROL, MEDIA PROTECTION

3.7 Ensure SSL Key Files Have Appropriate Permissions

ACCESS CONTROL, MEDIA PROTECTION

3.8 Ensure Plugin Directory Has Appropriate Permissions

ACCESS CONTROL, MEDIA PROTECTION

3.9 Ensure 'audit_log_file' Has Appropriate Permissions

ACCESS CONTROL, MEDIA PROTECTION

4.1 Ensure the Latest Security Patches are Applied

SYSTEM AND SERVICES ACQUISITION

4.2 Ensure Example or Test Databases are Not Installed on Production Servers

PLANNING, SYSTEM AND SERVICES ACQUISITION

4.4 Harden Usage for 'local_infile' on MySQL Clients

CONFIGURATION MANAGEMENT

4.6 Ensure Symbolic Links are Disabled

PLANNING, SYSTEM AND SERVICES ACQUISITION

4.7 Ensure the 'daemon_memcached' Plugin is Disabled

CONFIGURATION MANAGEMENT

4.8 Ensure the 'secure_file_priv' is Configured Correctly

ACCESS CONTROL, MEDIA PROTECTION

5.1 Ensure Only Administrative Users Have Full Database Access

ACCESS CONTROL

5.2 Ensure 'FILE' is Not Granted to Non-Administrative Users

ACCESS CONTROL

5.4 Ensure 'SUPER' is Not Granted to Non-Administrative Users

ACCESS CONTROL

5.5 Ensure 'SHUTDOWN' is Not Granted to Non-Administrative Users

ACCESS CONTROL

5.6 Ensure 'CREATE USER' is Not Granted to Non-Administrative Users

ACCESS CONTROL

5.7 Ensure 'GRANT OPTION' is Not Granted to Non-Administrative Users

ACCESS CONTROL

5.8 Ensure 'REPLICATION SLAVE' is Not Granted to Non-Administrative Users

ACCESS CONTROL, MEDIA PROTECTION

5.9 Ensure DML/DDL Grants are Limited to Specific Databases and Users

ACCESS CONTROL, MEDIA PROTECTION

5.10 Securely Define Stored Procedures and Functions DEFINER and INVOKER

PLANNING, SYSTEM AND SERVICES ACQUISITION

6.1 Ensure 'log_error' is configured correctly

AUDIT AND ACCOUNTABILITY

6.2 Ensure Log Files are Stored on a Non-System Partition

AUDIT AND ACCOUNTABILITY

6.5 Ensure Audit Filters Capture Connection Attempts

AUDIT AND ACCOUNTABILITY

6.5 Ensure Audit Filters Capture Connection Attempts - audit_log_filter

AUDIT AND ACCOUNTABILITY

6.5 Ensure Audit Filters Capture Connection Attempts - audit_log_user

AUDIT AND ACCOUNTABILITY

6.5 Ensure Audit Filters Capture Connection Attempts - Legacy Audit Mode

AUDIT AND ACCOUNTABILITY

6.8 Ensure the Audit Plugin Can't be Unloaded

AUDIT AND ACCOUNTABILITY

7.1 Ensure default_authentication_plugin is Set to a Secure Option

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.3 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' - '@@global.sql_mode'

PLANNING, SYSTEM AND SERVICES ACQUISITION

7.3 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' - '@@session.sql_mode'

PLANNING, SYSTEM AND SERVICES ACQUISITION

7.4 Ensure Passwords are Set for All MySQL Accounts

IDENTIFICATION AND AUTHENTICATION