DISA MariaDB Enterprise 10.x v1r2 DB

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA MariaDB Enterprise 10.x v1r2 DB

Updated: 6/17/2024

Authority: DISA STIG

Plugin: MySQLDB

Revision: 1.2

Estimated Item Count: 126

Audit Items

Description | Categories
MADB-10-000100 - MariaDB must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
MADB-10-000200 - MariaDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
MADB-10-000300 - MariaDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
MADB-10-000400 - MariaDB must protect against a user falsely repudiating having performed organization-defined actions.
MADB-10-000500 - MariaDB must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.
MADB-10-000600 - MariaDB must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. - mysql.db
MADB-10-000600 - MariaDB must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. - mysql.tables_priv
MADB-10-000600 - MariaDB must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. - mysql.user
MADB-10-000700 - MariaDB must be able to generate audit records when privileges/permissions are retrieved.
MADB-10-000800 - MariaDB must be able to generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.
MADB-10-000900 - MariaDB must initiate session auditing upon startup.
MADB-10-001000 - MariaDB must produce audit records containing sufficient information to establish what type of events occurred.
MADB-10-001600 - MariaDB must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
MADB-10-001700 - MariaDB must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
MADB-10-001800 - MariaDB must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
MADB-10-002000 - The audit information produced by MariaDB must be protected from unauthorized read access.
MADB-10-002100 - The audit information produced by MariaDB must be protected from unauthorized modification.
MADB-10-002200 - The audit information produced by MariaDB must be protected from unauthorized deletion.
MADB-10-002300 - MariaDB must protect its audit features from unauthorized access.
MADB-10-002400 - MariaDB must protect its audit configuration from unauthorized modification.
MADB-10-002500 - MariaDB must protect its audit features from unauthorized removal.
MADB-10-002600 - MariaDB must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to the DBMS.
MADB-10-002700 - The MariaDB software installation account must be restricted to authorized users.
MADB-10-002800 - Database software, including MariaDB configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
MADB-10-002900 - Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to MariaDB, etc.) must be owned by database/MariaDB principals authorized for ownership.
MADB-10-003000 - The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the MariaDB, etc.) must be restricted to authorized users.
MADB-10-003100 - Default demonstration and sample databases, database objects, and applications must be removed.
MADB-10-003200 - Unused database components, DBMS software, and database objects must be removed.
MADB-10-003400 - Access to external executables must be disabled or restricted.
MADB-10-003500 - MariaDB must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
MADB-10-003600 - MariaDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
MADB-10-003700 - If MariaDB authentication, using passwords, is employed, then MariaDB must enforce the DoD standards for password complexity.
MADB-10-003750 - If MariaDB authentication using passwords is employed, MariaDB must enforce the DoD standards for password lifetime.
MADB-10-003800 - If passwords are used for authentication, MariaDB must store only hashed, salted representations of passwords.
MADB-10-003900 - If passwords are used for authentication, MariaDB must transmit only encrypted representations of passwords.
MADB-10-004000 - MariaDB, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
MADB-10-004100 - MariaDB must enforce authorized access to all PKI private keys stored/used by the DBMS.
MADB-10-004200 - MariaDB must map PKI ID to an associated user account.
MADB-10-004300 - MariaDB must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
MADB-10-004400 - MariaDB must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations. - have_openssl
MADB-10-004400 - MariaDB must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations. - libmysqlclient
MADB-10-004400 - MariaDB must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations. - version_ssl_library
MADB-10-004500 - The MariaDB must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).
MADB-10-004600 - MariaDB must separate user functionality (including user interface services) from database management functionality.
MADB-10-004700 - MariaDB must invalidate session identifiers upon user logout or other session termination. - max_statement_time
MADB-10-004700 - MariaDB must invalidate session identifiers upon user logout or other session termination. - tcp_keepalive_interval
MADB-10-004700 - MariaDB must invalidate session identifiers upon user logout or other session termination. - tcp_keepalive_probes
MADB-10-004700 - MariaDB must invalidate session identifiers upon user logout or other session termination. - tcp_keepalive_time
MADB-10-004700 - MariaDB must invalidate session identifiers upon user logout or other session termination. - tcp_nodelay
MADB-10-004900 - MariaDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.