Detections
Analytics

7.3 Ensure strong authentication is utilized for all accounts

Information

The mysql_native_password and mysql_old_password plugins utilize weak cryptography and/or weak password routines.

In particular, the mysql_old_password plugin utilizes cracked password routines and is subject to Pass-the-Hash attacks. The mysql_native_password plugin relies on the Secure Hash Algorithm 1 (SHA-1) algorithm. The National Institute of Standards and Technology (NIST) recommends against use of SHA-1.

Additionally, these plugins allow users to set blank passwords, which allow authentication without providing a password.

All users should be using alternative, stronger plugins or be configured with invalid passwords. See Default Value section and References for more details on specific account configurations.

Rationale:

Without a password, only knowing the username and the list of allowed hosts will allow someone to connect to the server and assume the identity of the user. This, in effect, bypasses authentication mechanisms.

Acquisition of user password hashes exposes users to password cracking and Pass-the-Hash attacks.

Setting a root password exposes password-based root access to remote users and to non-root linux users.

Impact:

Using the ed25519 plugin will require installation of the plugin, and some clients may need to be configured to utilize the client_ed25519 plugin.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If the root user is returned in the audit procedure results, set that account to utilize only the unix_socket plugin by running the following mariadb command:

alter user 'root'@'localhost' identified via 'unix_socket';

If the mysql user is returned in the audit procedure results, set that account to use an invalid password by running the following mariadb command:

set password for 'mysql'@'localhost' = 'invalid';

If the mariadb.sys user is returned in the audit procedure results, set that account to use an invalid password by running the following mariadb command:

set password for 'mariadb.sys'@'localhost' = 'invalid';

For every other user identified by the audit procedure, use the ALTER USER command to configure the account to utilize one of the following authentication plugins as appropriate:

ed25519

gssapi

pam

unix_socket

Notes:
Some of these plugins will require installation if not already in use. Changing a user to utilize the ed25519 plugin but without providing a password will make the account inaccessible. For service accounts, set a new password in MariaDB and where the service account is used. For human user accounts, set a temporary password and notify the user to change the password immediately.
If password validation plugins are already implemented, strict_password_validation may need to be temporarily disabled to reset mysql and mariadb.sys accounts to use invalid passwords. To do so, run set global strict_password_validation=0; before and set global strict_password_validation=1; after the set password commands.

Default Value:

root is configured to use the unix_socket plugin but to fallback to the mysql_native_password plugin. root and mysql users are created with an invalid password string, preventing password-based authentication. mariadb.sys is a locked account without a password set. If the account becomes unlocked, authentication without a password can occur. By default, all new users are created using the mysql_native_password plugin and without a password unless otherwise specified. This allows authentication without a password.

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4, CSCv7|16.4

Plugin: MySQLDB

Control ID: ef8647692f8658f20fa68a1754d26ab9b392bac74a31d58b890997a34a21a8c3