| 2.1.4 Point-in-Time Recovery | CONTINGENCY PLANNING |
| 2.2.1 Ensure Binary and Relay Logs are Encrypted | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.9 Require Current Password for Password Reset | IDENTIFICATION AND AUTHENTICATION |
| 2.10 Use Dual Passwords to Enable Higher Frequency Password Rotation | IDENTIFICATION AND AUTHENTICATION |
| 2.11 Lock Out Accounts if Not Currently in Use | ACCESS CONTROL |
| 2.12 Ensure AES Encryption Mode for AES_ENCRYPT/AES_DECRYPT is Configured Correctly | SYSTEM AND SERVICES ACQUISITION |
| 2.13 Ensure Socket Peer-Credential Authentication is Used Appropriately | CONFIGURATION MANAGEMENT |
| 2.14 Ensure MySQL is Bound to an IP Address | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 2.15 Limit Accepted Transport Layer Security (TLS) Versions | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.16 Require Client-Side Certificates (X.509) | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.17 Ensure Only Approved Ciphers are Used | SYSTEM AND SERVICES ACQUISITION |
| 4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES' | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 4.10 Use MySQL TDE for At-Rest Data Encryption | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.3 Ensure 'PROCESS' is Not Granted to Non-Administrative Users | ACCESS CONTROL |
| 6.3 Ensure 'log_error_verbosity' is Set to '2' | AUDIT AND ACCOUNTABILITY |
| 9.3 Ensure 'master_info_repository' is Set to 'TABLE' | CONFIGURATION MANAGEMENT |
| 10.2 Allowlist Approved Servers Belonging to a MySQL InnoDB Cluster | ACCESS CONTROL, MEDIA PROTECTION |
| CIS_MySQL_8.4_Community_Benchmark_v1.0.0_Level_2_Database.audit from CIS Oracle MySQL 8.4 Community Edition Benchmark | |
