CIS MySQL 8.0 Enterprise Database L1 v1.3.0

Audit Details

Name: CIS MySQL 8.0 Enterprise Database L1 v1.3.0

Updated: 6/17/2024

Authority: CIS

Plugin: MySQLDB

Revision: 1.3

Estimated Item Count: 47

File Details

Filename: CIS_MySQL_8.0_Enterprise_Benchmark_v1.3.0_Level_1_Database.audit

Size: 113 kB

MD5: 9554093aab81bdab2b3ad1c5d4f62f33
SHA256: f62a37e2d4bb9171c7730cda8017ba31db8870fdc23f1892df409fadd93c4e90

Audit Items

DescriptionCategories
1.1 Place Databases on Non-System Partitions

SYSTEM AND COMMUNICATIONS PROTECTION

2.5 Do Not Reuse Usernames

ACCESS CONTROL

2.7 Ensure 'password_lifetime' is Less Than or Equal to '365'

IDENTIFICATION AND AUTHENTICATION

2.8 Ensure Password Resets Require Strong Passwords

IDENTIFICATION AND AUTHENTICATION

2.18 Implement Connection Delays to Limit Failed Login Attempts

ACCESS CONTROL

3.1 Ensure 'datadir' Has Appropriate Permissions

ACCESS CONTROL

3.2 Ensure 'log_bin_basename' Files Have Appropriate Permissions

ACCESS CONTROL

3.3 Ensure 'log_error' Has Appropriate Permissions

ACCESS CONTROL

3.4 Ensure 'slow_query_log' Has Appropriate Permissions

ACCESS CONTROL

3.5 Ensure 'relay_log_basename' Files Have Appropriate Permissions

ACCESS CONTROL

3.6 Ensure 'general_log_file' Has Appropriate Permissions

ACCESS CONTROL

3.7 Ensure SSL Key Files Have Appropriate Permissions

ACCESS CONTROL

3.8 Ensure Plugin Directory Has Appropriate Permissions

ACCESS CONTROL

3.9 Ensure 'audit_log_file' Has Appropriate Permissions

ACCESS CONTROL

4.1 Ensure the Latest Security Patches are Applied

SYSTEM AND INFORMATION INTEGRITY

4.2 Ensure Example or Test Databases are Not Installed on Production Servers

PLANNING, SYSTEM AND SERVICES ACQUISITION

4.4 Harden Usage for 'local_infile' on MySQL Clients

CONFIGURATION MANAGEMENT

4.6 Ensure Symbolic Links are Disabled

PLANNING, SYSTEM AND SERVICES ACQUISITION

4.7 Ensure the 'daemon_memcached' Plugin is Disabled

CONFIGURATION MANAGEMENT

4.8 Ensure the 'secure_file_priv' is Configured Correctly

ACCESS CONTROL, MEDIA PROTECTION

5.1 Ensure Only Administrative Users Have Full Database Access

ACCESS CONTROL

5.2 Ensure 'FILE' is Not Granted to Non-Administrative Users

ACCESS CONTROL

5.4 Ensure 'SUPER' is Not Granted to Non-Administrative Users

ACCESS CONTROL

5.5 Ensure 'SHUTDOWN' is Not Granted to Non-Administrative Users

ACCESS CONTROL

5.6 Ensure 'CREATE USER' is Not Granted to Non-Administrative Users

ACCESS CONTROL

5.7 Ensure 'GRANT OPTION' is Not Granted to Non-Administrative Users

ACCESS CONTROL

5.8 Ensure 'REPLICATION SLAVE' is Not Granted to Non-Administrative Users

ACCESS CONTROL, MEDIA PROTECTION

5.9 Ensure DML/DDL Grants are Limited to Specific Databases and Users

ACCESS CONTROL, MEDIA PROTECTION

5.10 Securely Define Stored Procedures and Functions DEFINER and INVOKER

PLANNING, SYSTEM AND SERVICES ACQUISITION

6.1 Ensure 'log_error' is configured correctly

AUDIT AND ACCOUNTABILITY

6.2 Ensure Log Files are Stored on a Non-System Partition

AUDIT AND ACCOUNTABILITY

6.5 Ensure Audit Filters Capture Connection Attempts

AUDIT AND ACCOUNTABILITY

6.8 Ensure the Audit Plugin Can't be Unloaded

AUDIT AND ACCOUNTABILITY

7.1 Ensure default_authentication_plugin is Set to a Secure Option

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.3 Ensure Passwords are Set for All MySQL Accounts

IDENTIFICATION AND AUTHENTICATION

7.4 Set 'default_password_lifetime' to Require a Yearly Password Change

ACCESS CONTROL

7.5 Ensure Password Complexity Policies are in Place

IDENTIFICATION AND AUTHENTICATION

7.6 Ensure No Users Have Wildcard Hostnames

ACCESS CONTROL, MEDIA PROTECTION

7.7 Ensure No Anonymous Accounts Exist

ACCESS CONTROL

8.1 Ensure 'require_secure_transport' is Set to 'ON' and/or 'have_ssl' is Set to 'YES'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

8.2 Ensure 'ssl_type' is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

8.3 Set Maximum Connection Limits for Server and per User

ACCESS CONTROL

9.1 Ensure Replication Traffic is Secured

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

9.2 Ensure 'SOURCE_SSL_VERIFY_SERVER_CERT' is Set to 'YES' or '1'

CONFIGURATION MANAGEMENT

9.4 Ensure 'super_priv' is Not Set to 'Y' for Replication Users

ACCESS CONTROL

10.1 Ensure All Group Replication Traffic is Secured

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

CIS_MySQL_8.0_Enterprise_Benchmark_v1.3.0_Level_1_Database.audit from CIS Oracle MySQL 8.0 Enterprise Edition Benchmark