8.2 Ensure 'ssl_type' is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users

Information

All network traffic must use SSL/TLS when traveling over untrusted networks.

SSL/TLS should be enforced on a per-user basis for users which enter the system through the network.

Rationale:

SSL/TLS helps to prevent eavesdropping and man-in-the-middle attacks.

Impact:

When SSL/TLS is enforced then clients which do not use SSL will not be able to connect. If the server is not configured for SSL/TLS then accounts for which SSL/TLS is mandatory will not be able to connect.

Solution

Use the ALTER USER statement to require the use of SSL/TLS:

ALTER USER 'my_user'@'app1.example.com' REQUIRE SSL;

Note: REQUIRE SSL only enforces TLS. There are additional options REQUIRE X509, REQUIRE ISSUER, REQUIRE SUBJECT and REQUIRE CIPHER which can be used to further restrict the connection.

Default Value:

The Value of ssl_type defaults to an empty string, the equivalent result of using REQUIRE NONE with an ALTER USER statement.

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: MySQLDB

Control ID: f0700bd8b5add60934b74d60d6ed613b23a6c08f6edb7b9c654e97a05e6a0d12