2.13 Ensure Socket Peer-Credential Authentication is Used Appropriately

Information

The server-side auth_socket authentication plugin, authenticates clients that connect to the MySQL server from the local host through the Unix socket file. Users authenticated by the auth_socket need not specify a password when connecting to the server. However, users authenticated by the auth_socket plugin are restricted from connecting remotely; they can only connect from the local host through the Unix socket file. This method is only suitable in situations where the server administrator OS account access is restricted.

Rationale:

This method may be desirable in specific cases, including:

The Linux system where MySQL is running is dedicated to the MySQL server and only the MySQL DBA and OS Admin have access.

When control over user authentication is centralized in the operating system.

It is desirable that audit trails in the database and operating system can use the same user names.

For certain other narrow installation use cases auth_socket may be desirable.

Only local connections for a user.

Impact:

Things to consider when using the operating system to authenticate users:

The user must have an operating system account on the computer which must be accessed.

If a user has logged in using this method and steps away from the terminal, another user could easily log in because this user does not need any passwords or credentials. This could pose a serious security problem.

When an operating system is used to authenticate database users, managing distributed database environments and database links requires special care. Special care must also be taken not to leave such a terminal unlocked and unattended. Hence, we recommend that you carefully evaluate your requirements before opting for auth_socket.

This will not work where distributed connections are required.

Solution

Add these options under the [mysqld] option group in the MySQL /etc/my.cnf:

plugin-load-add=auth_socket.so
auth_socket=FORCE_PLUS_PERMANENT

For example:
For an OS user which can login to MySQL using auth_socket:

CREATE USER '<user>'@'localhost' IDENTIFIED WITH auth_socket;

The user can then login using:

mysql -u <user>

See Also

https://workbench.cisecurity.org/benchmarks/15112

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8

Plugin: MySQLDB

Control ID: 15886e6a1f6fb28ea14bc314f124f055ccad37455ca25eaeec1591a940e12905