2.8 Ensure Socket Peer-Credential Authentication is Used Appropriately

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The server-side unix_socket authentication plugin authenticates clients that connect to the MariaDB server from the local host through the Unix socket file. Users authenticated using unix_socket need not specify a password when connecting to the server. However, users authenticated by the unix_socket plugin are restricted from connecting remotely; they can only connect from the local host through the Unix socket file. This method is only suitable in situations where the server administrator OS account access is restricted.

Rationale:

This method may be desirable in specific cases, including:

The Linux system where MariaDB is running is dedicated to the MariaDB server and only the MariaDB DBA and OS Admin have access.

When control over user authentication is centralized in the operating system.

It is desirable that audit trails in the database and operating system can use the same user names.

For certain other narrow installation use cases, unix_socket may be desirable.

When only local connections are needed for a user.

Impact:

Things to consider when using the operating system to authenticate users:

The user must have an operating system account on the computer that is to be accessed.

If a user has logged in using this method and steps away from the terminal, another user could easily log in because this user does not need any passwords or credentials. This could pose a serious security problem.

When an operating system is used to authenticate database users, managing distributed database environments and database links requires special care. Special care must also be taken not to leave such a terminal unlocked and unattended. Hence, we recommend that you carefully evaluate your requirements before opting for unix_socket.

This will not work where distributed connections are required.

The root account in MariaDB utilizes the unix_socket plugin by default. Disabling the unix_socket plugin will make the root account inaccessible unless a valid password is first set for root. If a fully-privileged account is needed while also disabling the unix_socket plugin, see Remediation Procedure (Notes) in Recommendation 7.3 ('Ensure strong authentication is utilized for all accounts') for guidance and considerations.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If the plugin is active and you need to disable it in your environment, first ensure either:

you can accept the root account in MariaDB being inaccessible, OR

you have set a strong password for the root account in MariaDB,

then add the following option under the [mysqld] option group in your MariaDB configuration file and restart MariaDB:

unix_socket=OFF

If the plugin is disabled but you seek to use it, ensure the following option is set under the [mysqld] option group in your MariaDB configuration file, then restart MariaDB:

unix_socket=ON

To enable an OS user to log in to MariaDB using unix_socket, include 'unix_socket' as an authentication plugin in the IDENTIFIED VIA clause of your CREATE USER or ALTER USER commands. For example, run:

CREATE USER '<user>'@'localhost' IDENTIFIED VIA unix_socket;

The user can then log in using:

mysql -u <user>
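As an added example that is not part of the benchmark or the Nessus audit, the following Python check reads the effective unix_socket setting from a MariaDB option file and, combined with User/Host/plugin rows from mysql.user, reports which accounts would lose access if the plugin is set to OFF (the root lockout the Impact section warns about). The extra server option groups ([mariadb], [server]), the sample option file and the account rows are assumptions or constructed inputs, not values from the benchmark.

```python
import re

# Groups the MariaDB server reads ([mysqld] is the one the benchmark edits).
SERVER_GROUPS = {"mysqld", "mariadb", "server"}
ENABLED, DISABLED = {"on", "1", "force", "force_plus_permanent"}, {"off", "0"}


def unix_socket_enabled(cnf_text: str) -> bool:
    """Effective unix_socket setting from option-file text. Default ON; the
    last server-group occurrence wins (MariaDB applies lines in file order)
    and '-' / '_' in option names are interchangeable."""
    enabled, in_server_group = True, False
    for raw in cnf_text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).strip()  # strip trailing comment
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[([^\]]+)\]", line)
        if section:
            in_server_group = section.group(1).strip().lower() in SERVER_GROUPS
            continue
        if not in_server_group:
            continue
        key, _, value = (p.strip().lower() for p in line.partition("="))
        if key.replace("-", "_") != "unix_socket":
            continue
        if value in DISABLED:
            enabled = False
        elif value in ENABLED or value == "":  # bare 'unix_socket' means ON
            enabled = True
    return enabled


def audit(cnf_text: str, accounts) -> dict:
    """Join the file setting with (User, Host, plugin) rows from
    SELECT User, Host, plugin FROM mysql.user; accounts that rely solely on
    unix_socket lose access once the plugin is OFF (root included)."""
    plugin_on = unix_socket_enabled(cnf_text)
    socket_only = [(u, h) for u, h, plugin in accounts if plugin == "unix_socket"]
    return {"unix_socket_enabled": plugin_on,
            "socket_only_accounts": socket_only,
            "root_locked_out": not plugin_on and ("root", "localhost") in socket_only}


# Constructed sample inputs (not captured from a real host).
SAMPLE_CNF = "[client]\nsocket=/run/mysqld/mysqld.sock\n\n[mysqld]\n" \
             "bind-address = 127.0.0.1\nunix-socket = OFF   # dash form\n"
SAMPLE_ACCOUNTS = [("root", "localhost", "unix_socket"),
                   ("dba", "localhost", "unix_socket"),
                   ("app", "%", "mysql_native_password")]
```

Run audit(SAMPLE_CNF, SAMPLE_ACCOUNTS) before changing the option: a non-empty socket_only_accounts list with root_locked_out set means a password must be set for root (per Recommendation 7.3) before unix_socket=OFF is applied.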

Note: See Recommendation 7.3 ('Ensure strong authentication is utilized for all accounts') for guidance about handling the root account.

Default Value:

The unix_socket plugin is ON by default.

See Also

https://workbench.cisecurity.org/benchmarks/12270