Information
Client-side certificates may be used as proof of identity as well as to encrypt data in transit.
Rationale:
Requiring client-side certificates provides additional validation of a user's identity, thus increasing the level of security, while also providing strong encryption.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Create or Alter users using the REQUIRE X509.
For example:
CREATE USER 'newuser2'@'%' IDENTIFIED BY <password> require x509;
For accounts created with a REQUIRE X509 clause, clients must specify at least --ssl-cert and --ssl-key. In addition, --ssl-ca (or --ssl-capath) is recommended so that the public certificate provided by the server can be verified.
For example:
mysql --ssl-ca=ca.pem \
--ssl-cert=client-cert.pem \
--ssl-key=client-key.pem
Additional Information:
The audit procedure excludes these internal user accounts from evaluation because, by default, they are created with an invalid password and are locked to disallow access.
'mysql.infoschema'@'localhost'
'mysql.session'@'localhost'
'mysql.sys'@'localhost'