2.13 Require Client-Side Certificates (X.509)

Information

Client-side certificates may be used as proof of identity as well as to encrypt data in transit.

Rationale:

Requiring client-side certificates provides additional validation of a user's identity, thus increasing the level of security, while also providing strong encryption.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Create or Alter users using the REQUIRE X509.

For example:

CREATE USER 'newuser2'@'%' IDENTIFIED BY <password> require x509;

For accounts created with a REQUIRE X509 clause, clients must specify at least --ssl-cert and --ssl-key. In addition, --ssl-ca (or --ssl-capath) is recommended so that the public certificate provided by the server can be verified.

For example:

mysql --ssl-ca=ca.pem \
--ssl-cert=client-cert.pem \
--ssl-key=client-key.pem

Additional Information:

The audit procedure excludes these internal user accounts from evaluation because, by default, they are created with an invalid password and are locked to disallow access.

'mysql.infoschema'@'localhost'

'mysql.session'@'localhost'

'mysql.sys'@'localhost'

See Also

https://workbench.cisecurity.org/files/3855

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: MySQLDB

Control ID: 9e27c5e4e3965275107831a085fed1baff585b12156301e250a9944b9aa16dec