2.5 Ensure Non-Default, Unique Cryptographic Material is in Use - 'ssl_cert'

Information

The cryptographic material used by MySQL, such as digital certificates and encryption keys, should be used only for MySQL and only for one instance. Default cryptographic material should not be used since it is not unique to the instance.

Rationale:

If cryptographic material is used on multiple MySQL instances and/or systems, then a compromise of one may lead to the compromise of the network traffic of all servers that use the same cryptographic material. If an attacker gains access to shared cryptographic material, including default material, the attacker can reuse that material to impersonate the MySQL server or otherwise compromise its operations.

Solution

Generate new certificates, keys, and other cryptographic material as needed for each affected MySQL instance.
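One way to verify the control across a fleet, as an added example that is not part of the CIS benchmark or Tenable's audit: collect the PEM file that each instance's 'ssl_cert' (and 'ssl_key', 'ssl_ca') variable points to, fingerprint the DER content, and report any fingerprint shared by more than one instance. The instance names and PEM blobs below are constructed placeholders, not real certificates; on real files the fingerprint matches what `openssl x509 -noout -fingerprint -sha256` prints.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Matches every "-----BEGIN X-----" ... "-----END X-----" block in a file.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_fingerprints(pem_text: str) -> list[tuple[str, str]]:
    """Return (block label, SHA-256 hex of the DER bytes) for each PEM block."""
    out = []
    for label, body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        out.append((label, hashlib.sha256(der).hexdigest()))
    return out


def find_shared_material(instances: dict[str, str]) -> dict[str, list[str]]:
    """Map 'LABEL:fingerprint' to the instances using it, for material seen on >1 instance."""
    seen: dict[tuple[str, str], list[str]] = defaultdict(list)
    for name, pem_text in instances.items():
        for label, fp in pem_fingerprints(pem_text):
            seen[(label, fp)].append(name)
    return {f"{label}:{fp}": names for (label, fp), names in seen.items() if len(names) > 1}


def _fake_pem(label: str, payload: bytes) -> str:
    """Constructed stand-in for a PEM file (not a real X.509 certificate)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


# Constructed sample: db-01 and db-02 were built from the same copied server-cert.pem.
SAMPLE_INSTANCES = {
    "db-01": _fake_pem("CERTIFICATE", b"constructed-cert-A"),
    "db-02": _fake_pem("CERTIFICATE", b"constructed-cert-A"),
    "db-03": _fake_pem("CERTIFICATE", b"constructed-cert-B"),
}

if __name__ == "__main__":
    shared = find_shared_material(SAMPLE_INSTANCES)
    if not shared:
        print("PASS: no cryptographic material is shared between instances")
    for material, names in shared.items():
        print(f"FAIL: {material[:24]}... is used by {', '.join(names)}")
```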

See Also

https://workbench.cisecurity.org/files/3859

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5e.

Plugin: MySQLDB

Control ID: 7b0f26bcbe580ee5c4b236f6ac87a2a354e8fb3625dfdd1a160b41ef8db3d211