2.5 Ensure Non-Default, Unique Cryptographic Material is in Use

Information

The cryptographic material used by MariaDB, such as digital certificates and encryption keys, should be used only for MariaDB and only for one instance. Default cryptographic material should not be used since it is not unique to the instance.

Rationale:

If a cryptographic material is used on multiple MariaDB instances and/or systems, then a compromise of one may lead to the network traffic of all servers being compromised that use the same cryptographic material. If an attacker gains access to shared cryptographic material, including default material, the attacker can reuse that material to impersonate the MariaDB server or otherwise compromise its operations.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Generate new certificates, keys, and other cryptographic material as needed for each affected MariaDB instance.

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-12

Plugin: Unix

Control ID: 2e8985d2f61d69c1d0496ee3a6e4f8b8833b926a94cb05fdacf466ec6050d056