7.3 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'

Information

NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided.

Rationale:

Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password.

Solution

Perform the following actions to remediate this setting:

Open the MySQL configuration file (my.cnf)

Find the sql_mode setting in the [mysqld] area

Add the NO_AUTO_CREATE_USER to the sql_mode setting

Default Value:

ONLY_FULL_GROUP_BY STRICT_TRANS_TABLES NO_ZERO_IN_DATE NO_ZERO_DATE ERROR_FOR_DIVISION_BY_ZERO NO_AUTO_CREATE_USER NO_ENGINE_SUBSTITUTION

See Also

https://workbench.cisecurity.org/files/3855

Item Details

Category: PLANNING, SYSTEM AND SERVICES ACQUISITION

References: 800-53|PL-8, 800-53|SA-8

Plugin: Unix

Control ID: bc7aa2bc36e26ea94a97ad278c16cd5f1c093208bafe8d1d3f21d162d774c77e