6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges

Information

It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances.

This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.

Rationale:

At the time of MySQL Instance creation, not providing an administrative password allows anyone to connect to the SQL database instance with administrative privileges. The root password should be set to ensure only authorized users have these privileges.

Impact:

Connection strings for administrative clients need to be reconfigured to use a password.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

From Google Cloud Console

Go to the Cloud SQL Instances page in the Google Cloud Platform Console using https://console.cloud.google.com/sql/

Select the instance to open its Overview page.

Select Access Control > Users.

Click the More actions icon for the user to be updated.

Select Change password, specify a New password, and click OK.

From Google Cloud CLI

Set a password to a MySql instance:

gcloud sql users set-password root --host=<host> --instance=<instance_name> --prompt-for-password

A prompt will appear, requiring the user to enter a password:

Instance Password:

With a successful password configured, the following message should be seen:

Updating Cloud SQL user...done.

Default Value:

From the Google Cloud Platform Console, the Create Instance workflow enforces the rule to enter the root password unless the option No Password is selected explicitly.

See Also

https://workbench.cisecurity.org/benchmarks/9562

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, CSCv7|4.2

Plugin: GCP

Control ID: 96d080fecb17a956a795df102ea40102c824444799ce1a66fb00ba9a2be5a555