Equal Protection 2.0: MySQL Database Evaluation

Identity authentication

Identity authentication A: Logged-in users should be identified and authenticated. Each identity is unique, the authentication information meets complexity requirements, and it is changed regularly.

Evaluation method:

1) Execute the mysql -u root -p command and check whether you are prompted for a password, i.e. whether the user is actually authenticated.

mysql -u root -p

2) Query the user table; there should be no duplicate user names.

mysql> SELECT user,host FROM mysql.user;
+---------------+-----------+
| user          | host      |
+---------------+-----------+
| mysql.session | localhost |
| mysql.sys     | localhost |      =====> no duplicate user names
| root          | localhost |
+---------------+-----------+
3 rows in set (0.00 sec)

3) View password complexity configuration information:

mysql> SHOW VARIABLES LIKE 'validate%';
+--------------------------------------+-------+
| Variable_name                        | Value |
+--------------------------------------+-------+
| validate_password_check_user_name    | OFF   |
| validate_password_dictionary_file    |       | password dictionary file, only needed when the policy is STRONG
| validate_password_length             | 3     | minimum password length
| validate_password_mixed_case_count   | 0     | minimum number of upper- and lower-case characters
| validate_password_number_count       | 0     | minimum number of digits
| validate_password_policy             | LOW   | password policy level
| validate_password_special_char_count | 1     | minimum number of special characters
+--------------------------------------+-------+
7 rows in set (0.00 sec)
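As an added example (not part of the original post), the following queries turn the checks of Identity authentication A into something an assessor can run directly on MySQL 5.7 (the version shown on this page; the validate_password_* variable names are the 5.7 plugin names). The baseline values in the SET GLOBAL statements are assumed examples, not values from the post:

```sql
-- Added example (not from the original post): credential-hygiene queries
-- for Identity authentication A on MySQL 5.7.

-- 1. User names that appear more than once (the post expects none).
SELECT user, COUNT(*) AS entries, GROUP_CONCAT(host) AS hosts
FROM mysql.user
GROUP BY user
HAVING COUNT(*) > 1;

-- 2. Unlocked accounts with no credential at all, or whose password never
--    expires. password_lifetime NULL means "use the global default", and a
--    default_password_lifetime of 0 means "never expires".
SELECT user, host, plugin, password_last_changed,
       IFNULL(password_lifetime, @@global.default_password_lifetime) AS effective_lifetime_days
FROM mysql.user
WHERE account_locked = 'N'
  AND (authentication_string = ''
       OR IFNULL(password_lifetime, @@global.default_password_lifetime) = 0)
ORDER BY user, host;

-- 3. The settings shown on the page (length 3, policy LOW) are weak.
--    A corrected baseline (assumed example values; adjust to local policy):
SET GLOBAL validate_password_policy = MEDIUM;  -- checks length, digits, case, special chars
SET GLOBAL validate_password_length = 8;
SET GLOBAL validate_password_mixed_case_count = 1;
SET GLOBAL validate_password_number_count = 1;
SET GLOBAL validate_password_special_char_count = 1;
SET GLOBAL default_password_lifetime = 90;     -- days, forces regular rotation
-- SET GLOBAL is not persistent on 5.7: also put these under [mysqld] in my.cnf.
```

Query 2 reports all accounts when default_password_lifetime is 0, which is the 5.7 default; that is itself the finding for the "regularly replaced" part of the requirement.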

Identity authentication B: Check whether the database has a login-failure handling function configured, with a limit on the number of failed logins; once the limit is exceeded, the authentication session should be terminated or the account temporarily locked. Also check whether a network connection timeout is set so that idle sessions are automatically terminated.

Evaluation method:

1) Ask the administrator whether other means are used to implement login-failure handling for the database. (If the MySQL database is managed through third-party management software, that software should also enforce a lockout after a number of failed logins.)

2) Local configuration of the database management system:

It mainly depends on whether these two parameters are set: max_connect_errors (maximum number of user connections) and wait_timeout. Note that max_connect_errors blocks a host after that many successive interrupted connection attempts (handshake errors) and is reset with FLUSH HOSTS; it does not lock an account after wrong passwords. Per-account lockout (FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME) only exists from MySQL 8.0.19, so on 5.7 this part of the requirement usually has to be met by other means.

mysql> SHOW VARIABLES LIKE 'max_connect_errors'; =====> check the login-failure policy
+--------------------+-------+
| Variable_name      | Value |
+--------------------+-------+
| max_connect_errors | 100   |
+--------------------+-------+
1 row in set (0.00 sec)
mysql> SHOW VARIABLES LIKE '%timeout%';         =====> check the connection-timeout / automatic logout policy
+-----------------------------+----------+
| Variable_name               | Value    |
+-----------------------------+----------+
| connect_timeout             | 10       |
| delayed_insert_timeout      | 300      |
| have_statement_timeout      | YES      |
| innodb_flush_log_at_timeout | 1        |
| innodb_lock_wait_timeout    | 50       |
| innodb_rollback_on_timeout  | OFF      |
| interactive_timeout         | 28800    |
| lock_wait_timeout           | 31536000 |
| net_read_timeout            | 30       |
| net_write_timeout           | 60       |
| rpl_stop_slave_timeout      | 31536000 |
| slave_net_timeout           | 60       |
| wait_timeout                | 28800    |
+-----------------------------+----------+
13 rows in set (0.00 sec)

Identity authentication C: When performing remote management, necessary measures should be taken to prevent authentication information from being eavesdropped during network transmission.

Evaluation method:

1) Check whether SSL is used when the database is managed remotely (if SSL is used, this item is compliant).

mysql> SHOW VARIABLES LIKE '%have_ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.00 sec)

If the value is DISABLED, SSL support is compiled in but not enabled; NO means the server was built without SSL support.

2) If the database is only managed locally, this item is not applicable.

Identity authentication D: Two or more authentication techniques, such as passwords, cryptographic technology and biometrics, should be combined to authenticate users, and at least one of them should be implemented using cryptographic technology.

Evaluation method:

MySQL cannot integrate other identity authentication measures, so two-factor authentication should be implemented at the operating-system level. Interview the system administrator about whether other technical means are used to achieve two-factor authentication, whether two or more authentication technologies are combined (for example password, digital certificate, USB key, token, fingerprint), and whether at least one of them uses cryptographic technology.

Access control

Access Control A: Accounts and permissions should be assigned to logged-in users.

Evaluation method:

Use the following commands to check whether separate accounts with their own permissions have been created for the users who log in.

mysql> SELECT user,host FROM mysql.user;
+---------------+-----------+
| user          | host      |
+---------------+-----------+
| mysql.session | localhost |
| mysql.sys     | localhost |
| root          | localhost |
+---------------+-----------+
3 rows in set (0.00 sec)
mysql> SHOW grants for 'root'@'localhost';   =====> check the root account's privileges
+---------------------------------------------------------------------+
| Grants for root@localhost                                           |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION        |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)

Access Control B: The default account should be renamed or deleted, and the default password of the default account should be modified.

Evaluation method:

1) Execute the command and check from the output whether the root user has been renamed or deleted.

mysql> SELECT user,host FROM mysql.user;
+---------------+-----------+
| user          | host      |
+---------------+-----------+
| mysql.session | localhost |
| mysql.sys     | localhost |
| root          | localhost |
+---------------+-----------+
3 rows in set (0.00 sec)

2) If the root account has not been deleted, check whether its default password has been changed, so that no empty or weak password remains.

Access Control C: Delete or deactivate redundant and expired accounts in time to avoid the existence of shared accounts.

Evaluation method:

1) Check and ask whether any of the accounts listed below are unrelated to the system or are redundant or expired; if redundant or expired accounts exist, check whether they have been disabled.

mysql> select user, host FROM mysql.user;
+---------------+-----------+
| user          | host      |
+---------------+-----------+
| mysql.session | localhost |
| mysql.sys     | localhost |
| root          | localhost |
+---------------+-----------+
3 rows in set (0.00 sec)

2) Ask the administrators whether they use their own accounts to log in to the system, and make sure that there is no shared account.

Access control D: Administrative users should be granted only the minimum privileges they need, so that administrative privileges are separated.

Evaluation method:

1) Check whether users are divided into roles and whether accounts are granted only the permissions they need.
For example, apart from root, no user should have access to the user table of the mysql database, and the FILE, PROCESS and SUPER privileges must not be granted to accounts other than administrators.
2) Check the privilege tables and verify whether any user holds permissions beyond those of its own role.
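As an added example (not part of the original post), these queries locate the two conditions the post names for Access control D on MySQL 5.7: non-administrator accounts holding FILE, PROCESS or SUPER, and anyone besides root who can read mysql.user. The account name in the commented remediation line is a placeholder:

```sql
-- Added example (not from the original post): privilege checks for Access control D.

-- Global FILE / PROCESS / SUPER (or GRANT OPTION) held by non-root accounts.
-- mysql.session is a built-in account that legitimately has SUPER, so it is excluded;
-- CONCAT_WS skips the NULLs, leaving only the privileges actually held.
SELECT user, host,
       CONCAT_WS(',',
                 IF(File_priv    = 'Y', 'FILE',         NULL),
                 IF(Process_priv = 'Y', 'PROCESS',      NULL),
                 IF(Super_priv   = 'Y', 'SUPER',        NULL),
                 IF(Grant_priv   = 'Y', 'GRANT OPTION', NULL)) AS sensitive_privs
FROM mysql.user
WHERE (File_priv = 'Y' OR Process_priv = 'Y' OR Super_priv = 'Y' OR Grant_priv = 'Y')
  AND user NOT IN ('root', 'mysql.session', 'mysql.sys');

-- Anyone other than root who can read the mysql.user table: via a global SELECT,
-- a database-level grant on `mysql`, or a table-level grant on mysql.user
-- (the page's tables_priv output shows the built-in mysql.session entry, excluded here).
SELECT user, host, 'global SELECT' AS granted_via
  FROM mysql.user
 WHERE Select_priv = 'Y' AND user <> 'root'
UNION ALL
SELECT user, host, CONCAT('db-level SELECT on ', Db)
  FROM mysql.db
 WHERE Db = 'mysql' AND Select_priv = 'Y' AND user <> 'root'
UNION ALL
SELECT user, host, CONCAT('table-level ', Table_priv)
  FROM mysql.tables_priv
 WHERE Db = 'mysql' AND Table_name = 'user'
   AND user NOT IN ('root', 'mysql.session');

-- Remediation pattern for a finding (placeholder account name):
-- REVOKE FILE, PROCESS, SUPER ON *.* FROM 'app_user'@'10.0.0.%';
```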

Access control E: The access control policy should be configured by the authorized subject, and the access control policy stipulates the access rules of the subject to the object.

Evaluation method:

1) Interview the administrator about whether an access control policy has been defined.

2) Execute the command to view the user permission column:

mysql> SELECT * FROM mysql.user\G
*************************** 1. row ***************************
                  Host: localhost
                  User: root
           Select_priv: Y
           Insert_priv: Y
           Update_priv: Y
           Delete_priv: Y
           Create_priv: Y
             Drop_priv: Y
           Reload_priv: Y
         Shutdown_priv: Y
          Process_priv: Y
             File_priv: Y
            Grant_priv: Y
       References_priv: Y
            Index_priv: Y
            Alter_priv: Y
          Show_db_priv: Y
            Super_priv: Y
 Create_tmp_table_priv: Y
      Lock_tables_priv: Y
          Execute_priv: Y
       Repl_slave_priv: Y
      Repl_client_priv: Y
      Create_view_priv: Y
        Show_view_priv: Y
   Create_routine_priv: Y
    Alter_routine_priv: Y
      Create_user_priv: Y
            Event_priv: Y
          Trigger_priv: Y
Create_tablespace_priv: Y
              ssl_type: 
            ssl_cipher: 
           x509_issuer: 
          x509_subject: 
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin: mysql_native_password
 authentication_string: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
      password_expired: N
 password_last_changed: 2022-03-30 23:12:35
     password_lifetime: NULL
        account_locked: N

View the database privilege column:

mysql> SELECT * FROM mysql.db\G
*************************** 1. row ***************************
                 Host: localhost
                   Db: performance_schema
                 User: mysql.session
          Select_priv: Y
          Insert_priv: N
          Update_priv: N
          Delete_priv: N
          Create_priv: N
            Drop_priv: N
           Grant_priv: N
      References_priv: N
           Index_priv: N
           Alter_priv: N
Create_tmp_table_priv: N
     Lock_tables_priv: N
     Create_view_priv: N
       Show_view_priv: N
  Create_routine_priv: N
   Alter_routine_priv: N
         Execute_priv: N
           Event_priv: N
         Trigger_priv: N

View the user table permission column:

mysql> SELECT * FROM mysql.tables_priv\G
*************************** 1. row ***************************
       Host: localhost
         Db: mysql
       User: mysql.session
 Table_name: user
    Grantor: boot@connecting host
  Timestamp: 0000-00-00 00:00:00
 Table_priv: Select
Column_priv: 

Check whether the permission columns in the output are consistent with the access control policy and rules defined by the administrator.
3) Log in as different users to verify that no unauthorized access is possible.

Access control F: The granularity of access control should reach the user level or process level as the subject, and the file and database table level as the object.

Evaluation method:

1) Execute the following statement:

mysql> SELECT * FROM mysql.user\G    check the user privilege columns
mysql> SELECT * FROM mysql.db\G      check the database privilege columns

2) Interview the administrator and check whether the subject of access control is at the user level and the object at the database-table level.

Access control G: Security marks should be set for important subjects and objects, and access of subjects to information resources with security marks should be controlled.

Evaluation method:

MySQL does not provide this function. Interview the administrator about whether other technical means are used (generally this item is not met).

Security audit

Security audit A: The security audit function should be enabled, the audit should cover every user, and important user behaviour and important security events should be audited.

Evaluation method:

1. Use the command to check whether the output logs cover all users:
mysql> show variables like '%log%';

MySQL ships with a built-in auditing capability, the general log, which records every SQL statement sent to the server; if the general log is enabled, Security audit A can be considered met.

2. Check whether third-party tools are used to enhance MySQL's logging.
If so, record what the third-party audit tool captures and check whether it includes the date and time of the event, the user, the event type, whether the event succeeded, and other audit-related information.

Security audit B: Audit records should include the date and time of the event, the user, the event type, whether the event was successful, and other audit-related information.

Evaluation method:

1. Go to the log storage location found above and check whether the audit records contain the date and time, user, event type, whether the event succeeded, and other audit-related information.
(As long as the audit function is enabled, whether the built-in log or a plug-in, the recorded information can meet this requirement.)
2. Check whether third-party tools are used to enhance MySQL's logging. If so, record what the third-party audit tool captures and check whether the date and time of the event, user, event type, success of the event, and other audit-related information are included.
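As an added example (not part of the original post), this shows how the general log the post refers to can be used to verify both Security audit A (coverage of every user) and Security audit B (record contents) on MySQL 5.7, by writing it to the mysql.general_log table so it can be queried:

```sql
-- Added example (not from the original post): checking audit coverage and record
-- contents with MySQL's built-in general log. TABLE output makes the records
-- queryable; FILE is the usual production choice.

SET GLOBAL log_output  = 'TABLE';     -- write to mysql.general_log (CSV engine)
SET GLOBAL general_log = 'ON';
SHOW VARIABLES LIKE 'general_log%';   -- confirm general_log=ON and the log file path

-- Coverage check (Security audit A): which accounts have produced records.
-- An account that never appears here is not being audited.
SELECT user_host, COUNT(*) AS events,
       MIN(event_time) AS first_seen, MAX(event_time) AS last_seen
FROM mysql.general_log
GROUP BY user_host
ORDER BY events DESC;

-- Record-content check (Security audit B): each row carries the timestamp,
-- the user@host, the event type (Connect, Query, Quit, ...) and the statement.
-- There is no dedicated success/failure column; a failed login shows up as a
-- Connect row whose argument starts with "Access denied".
SELECT event_time, user_host, command_type, LEFT(argument, 80) AS argument
FROM mysql.general_log
WHERE command_type IN ('Connect', 'Query')
ORDER BY event_time DESC
LIMIT 20;

-- The general log records full statement text and is costly: restrict file
-- permissions, rotate it, and switch it off when it is not needed:
-- SET GLOBAL general_log = 'OFF';
```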

Security Audit C: Audit records should be protected and backed up regularly to avoid unexpected deletion, modification or overwriting, etc.

Evaluation method:

1. Ask the administrator how audit records are kept (backup, transfer, etc.), what the backup strategy is (daily/weekly, full/incremental), and confirm that audit records are retained for longer than 6 months (can records from 6 months ago still be viewed?).

2. If a third-party audit product is used, its log retention must be more than one month.

3. Check whether access to the audit records is strictly restricted: whether the MySQL database system sets permissions on the log files so that unauthorized personnel cannot operate on them. MySQL log files should be accessible only by root and the mysql service account.

Security audit D: The audit process should be protected against unauthorized interruption.

Evaluation method:

The MySQL database system complies by default; if third-party tools are used, check whether unauthorized users can interrupt the audit process.

Intrusion prevention

Intrusion prevention A, B, D and F are not applicable to the database.

Intrusion prevention C: Management terminals that manage the system over the network should be restricted by limiting the terminal access method or the network address range.

Evaluation method:

Check the IP addresses users log in from, whether IP restrictions have been added for all users, and whether connections from unknown hosts are rejected.
Note: when the Host value in the user table is not a local host, a specific IP address should be specified instead of %. Alternatively, the Host value in the user table is left empty and the host table lists the hosts the account may log in from; note that the mysql.host table was removed in MySQL 5.6.7, so on the 5.7 server shown here only the Host column of the user table applies. Logins with a database account from untrusted clients and from other subnets should be rejected. % stands for all hosts, and localhost stands for local login.

mysql> show grants for root@localhost;
+---------------------------------------------------------------------+
| Grants for root@localhost                                           |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION        |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)
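As an added example (not part of the original post), these queries find the host-restriction findings the post describes for Intrusion prevention C on MySQL 5.7 and show the remediation pattern; the account name and subnet in the RENAME USER line are placeholders:

```sql
-- Added example (not from the original post): host-restriction checks for
-- Intrusion prevention C. Placeholder account/subnet in the remediation line.

-- Accounts reachable from any host ('%'), with a wildcard in the host, or
-- with an empty host. '\%' and '\_' in the pattern match the literal characters.
SELECT user, host,
       CASE
         WHEN host = '%' THEN 'any host'
         WHEN host = ''  THEN 'empty host'
         ELSE 'wildcard host'
       END AS finding
FROM mysql.user
WHERE host IN ('%', '') OR host LIKE '%\%%' OR host LIKE '%\_%'
ORDER BY user, host;

-- Where current sessions actually come from, to compare against the approved
-- address range (processlist.host is "ip:port" for network clients).
SELECT user, SUBSTRING_INDEX(host, ':', 1) AS client_addr, COUNT(*) AS sessions
FROM information_schema.processlist
WHERE user NOT IN ('system user', 'event_scheduler')
GROUP BY user, client_addr;

-- Hosts that have accumulated connection or authentication errors
-- (the counters behind max_connect_errors; only non-local TCP clients appear).
SELECT ip, sum_connect_errors, count_authentication_errors
FROM performance_schema.host_cache
WHERE sum_connect_errors > 0 OR count_authentication_errors > 0;

-- Tighten an account from '%' to an approved subnet; its grants move with it.
RENAME USER 'app_user'@'%' TO 'app_user'@'10.0.0.%';
```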

Intrusion prevention E: It should be possible to discover known vulnerabilities that may exist and to patch them in time after sufficient testing and evaluation.

Evaluation method:

1. Interview the administrator about the MySQL patch and upgrade process, and check the installed version and patch status.

mysql> show variables where variable_name like "%version%";
+-------------------------+------------------------------+
| Variable_name           | Value                        |
+-------------------------+------------------------------+
| innodb_version          | 5.7.37                       |
| protocol_version        | 10                           |
| slave_type_conversions  |                              |
| tls_version             | TLSv1,TLSv1.1,TLSv1.2        |
| version                 | 5.7.37                       |
| version_comment         | MySQL Community Server (GPL) |
| version_compile_machine | x86_64                       |
| version_compile_os      | Linux                        |
+-------------------------+------------------------------+
8 rows in set (0.00 sec)

2. Ask whether the database is the Enterprise edition, whether regular vulnerability scans are performed, and whether patches for high-risk vulnerabilities are evaluated and installed after testing.

Data backup and recovery

Data backup A: Local backup and recovery functions for important data should be provided.

Evaluation method:

1. Ask about the data backup strategy (daily/weekly, full/incremental backup).

2. Check whether there are records of recovery tests.

Data backup B: A remote real-time backup function should be provided, using the communication network to back up important data to the backup site in real time.

Evaluation method:

1. Check whether off-site backup is performed and record the off-site backup location.

2. Ask about the backup strategy (daily/weekly, full/incremental backup).

Data backup C: Hot redundancy of important data processing systems should be provided to ensure high availability of the system.

Evaluation method:

1. If the database runs in the cloud, check whether it is a high-availability edition.

2. If the database is on-premises, check whether more than two servers are deployed.

Origin blog.csdn.net/weixin_54438700/article/details/123847833