7.3 Ensure strong authentication is utilized for all accounts

Information

The mysql_native_password and mysql_old_password plugins utilize weak cryptography and/or weak password routines.

In particular, the mysql_old_password plugin relies on the pre-4.1 password hashing scheme, which has long been broken, and it is subject to Pass-the-Hash attacks. The mysql_native_password plugin relies on the Secure Hash Algorithm 1 (SHA-1). The National Institute of Standards and Technology (NIST) recommends against the use of SHA-1.

Additionally, these plugins allow users to set blank passwords, which allows authentication without providing a password at all.

All users should be using alternative, stronger plugins or be configured with invalid passwords. See Default Value section and References for more details on specific account configurations.

Rationale:

Without a password, only knowing the username and the list of allowed hosts will allow someone to connect to the server and assume the identity of the user. This, in effect, bypasses authentication mechanisms.

Acquisition of user password hashes exposes users to password cracking and Pass-the-Hash attacks.

Setting a root password exposes password-based root access to remote users and to non-root Linux users, whereas socket peer-credential authentication restricts it to the local root OS account.

Impact:

Using the ed25519 plugin will require installation of the plugin, and some clients may need to be configured to utilize the client_ed25519 plugin.

Solution

If the root user is returned in the audit procedure results, set that account to utilize only the unix_socket plugin by running the following mariadb command:

alter user 'root'@'localhost' identified via 'unix_socket';

If the mysql user is returned in the audit procedure results, set that account to use an invalid password by running the following mariadb command:

set password for 'mysql'@'localhost' = 'invalid';

If the mariadb.sys user is returned in the audit procedure results, set that account to use an invalid password by running the following mariadb command:

set password for 'mariadb.sys'@'localhost' = 'invalid';

For every other user identified by the audit procedure, use the ALTER USER command to configure the account to utilize one of the following authentication plugins as appropriate:

ed25519

gssapi

pam

unix_socket

Notes:
Some of these plugins will require installation if not already in use. Changing a user to utilize the ed25519 plugin without providing a password will make the account inaccessible. For service accounts, set a new password in MariaDB and wherever the service account is used. For human user accounts, set a temporary password and notify the user to change the password immediately.

If password validation plugins are already implemented, strict_password_validation may need to be temporarily disabled to reset the mysql and mariadb.sys accounts to use invalid passwords, because the string 'invalid' is stored as a password hash rather than validated as a password. To do so, run set global strict_password_validation=0; before and set global strict_password_validation=1; after the set password commands.

If policy disallows use of the unix_socket plugin (see Recommendation 2.8: 'Ensure Socket Peer-Credential Authentication is Used Appropriately'), choose ONE of the following alternative remediations for root:

set the root user account to use a strong password, using the ALTER USER command as described above, OR

set the root user account to have an invalid password

Setting a valid password exposes root to password attacks, some of which are mitigated by password strength. Setting an invalid password (while also having the unix_socket plugin disabled) makes the root account inaccessible, which may limit recovery options or other capabilities. If a fully-privileged account is needed, consider introducing individual, non-shared accounts for specific users and then set root to have an invalid password. The options above are only recommended in cases where policy necessitates disabling the unix_socket plugin (see also Recommendation 2.8: 'Ensure Socket Peer-Credential Authentication is Used Appropriately').
To set root to use an invalid password, run the following mariadb command:

set password for 'root'@'localhost' = 'invalid';

To set up a fully-privileged, non-shared account for individual use, run the CREATE USER command with appropriate host and authentication settings, then GRANT all privileges to that account by running the following mariadb commands, substituting <user> and <host> as appropriate:

GRANT ALL PRIVILEGES ON *.* TO '<user>'@'<host>' WITH GRANT OPTION;
GRANT PROXY ON ''@'%' TO '<user>'@'<host>' WITH GRANT OPTION;
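Putting the Solution and Notes above together, the following MariaDB 10.4+ session is an added example and is not part of the benchmark text: an audit query over mysql.global_priv that classifies each account the way the recommendation does, followed by the remediations in order and a verification step. The account names app_svc, alice and dba_alice, their hosts, and every sample password are placeholders; the JSON keys read from mysql.global_priv (plugin, authentication_string, auth_or, account_locked) are those MariaDB 10.4 documents for that table.

```sql
-- Added example, not from the benchmark: audit and remediate MariaDB 10.4+
-- accounts as described in the Solution and Notes. app_svc, alice, dba_alice,
-- their hosts and all sample passwords are placeholders.

-- 1. Audit. mysql.global_priv stores each account definition as JSON.
--    Classify what the recommendation fails and what is already acceptable.
--    Note: the default root appears as OK (unmatchable 'invalid' hash) but
--    still carries the mysql_native_password fallback in fallback_plugins;
--    step 2 removes that fallback.
SELECT CONCAT('''', User, '''@''', Host, '''')      AS account,
       JSON_VALUE(Priv, '$.plugin')                  AS plugin,
       JSON_QUERY(Priv, '$.auth_or')                 AS fallback_plugins,
       JSON_VALUE(Priv, '$.account_locked')          AS locked,
       CASE
         WHEN JSON_VALUE(Priv, '$.plugin') = 'mysql_old_password'
           THEN 'FAIL: pre-4.1 hash, pass-the-hash'
         WHEN JSON_VALUE(Priv, '$.plugin') = 'mysql_native_password'
              AND JSON_VALUE(Priv, '$.authentication_string') = 'invalid'
           THEN 'OK: password login impossible'
         WHEN JSON_VALUE(Priv, '$.plugin') = 'mysql_native_password'
              AND COALESCE(JSON_VALUE(Priv, '$.authentication_string'), '') = ''
           THEN 'FAIL: no password set'
         WHEN JSON_VALUE(Priv, '$.plugin') = 'mysql_native_password'
           THEN 'FAIL: SHA-1 hash, crackable'
         ELSE 'OK: strong plugin'
       END                                           AS finding
  FROM mysql.global_priv
 ORDER BY finding, User, Host;

-- 2. root: peer-credential authentication only; the native-password
--    fallback (and any remote password path to root) disappears.
ALTER USER 'root'@'localhost' IDENTIFIED VIA unix_socket;

-- 3. Internal accounts: SET PASSWORD with a bare string stores it as a hash,
--    and 'invalid' is a hash no password can produce. Validation plugins
--    reject raw hashes, so strict validation is toggled around the change.
SET GLOBAL strict_password_validation = 0;
SET PASSWORD FOR 'mysql'@'localhost'       = 'invalid';
SET PASSWORD FOR 'mariadb.sys'@'localhost' = 'invalid';
SET GLOBAL strict_password_validation = 1;

-- 4. Load the server-side ed25519 plugin once (errors if already loaded;
--    persist it with plugin_load_add=auth_ed25519 in the server config).
INSTALL SONAME 'auth_ed25519';
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM information_schema.PLUGINS
 WHERE PLUGIN_TYPE = 'AUTHENTICATION';

-- 5. Service account: the server derives the ed25519 verifier from the
--    password; the same new secret must be placed in the service's config.
ALTER USER 'app_svc'@'10.0.0.%'
  IDENTIFIED VIA ed25519 USING PASSWORD('example-service-secret-rotate-me');

-- 6. Human account: temporary password, forced change at first login.
ALTER USER 'alice'@'%'
  IDENTIFIED VIA ed25519 USING PASSWORD('Temp-Only-Change-Me-Now');
ALTER USER 'alice'@'%' PASSWORD EXPIRE;

-- 7. Only if policy forbids unix_socket (instead of step 2): a named,
--    non-shared administrator, then lock password access to root.
-- CREATE USER 'dba_alice'@'localhost'
--   IDENTIFIED VIA ed25519 USING PASSWORD('Another-Temp-Password');
-- GRANT ALL PRIVILEGES ON *.* TO 'dba_alice'@'localhost' WITH GRANT OPTION;
-- GRANT PROXY ON ''@'%' TO 'dba_alice'@'localhost' WITH GRANT OPTION;
-- SET PASSWORD FOR 'root'@'localhost' = 'invalid';  -- after dba_alice is confirmed working

-- 8. Verify: each definition should now name a strong plugin or 'invalid'.
SHOW CREATE USER 'root'@'localhost';
SHOW CREATE USER 'app_svc'@'10.0.0.%';
SHOW CREATE USER 'alice'@'%';
```

Run the audit query again after the changes; every row should read OK, and root's fallback_plugins column should be empty. Step 7 is mutually exclusive with step 2: SET PASSWORD only makes sense while root still authenticates with a password plugin.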

Default Value:

root is configured to use the unix_socket plugin but to fall back to the mysql_native_password plugin. root and mysql users are created with an invalid password string, preventing password-based authentication. mariadb.sys is a locked account without a password set; if the account becomes unlocked, authentication without a password can occur. By default, all new users are created using the mysql_native_password plugin and without a password unless otherwise specified, which allows authentication without a password.

See Also

https://workbench.cisecurity.org/benchmarks/12270

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4, CSCv7|16.4

Plugin: MySQLDB

Control ID: ef8647692f8658f20fa68a1754d26ab9b392bac74a31d58b890997a34a21a8c3