MYS8-00-010300 - The MySQL Database Server 8.0 must prohibit the use of cached authenticators after an organization-defined time period.

Information

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Modify system settings to implement the organization-defined limit on the lifetime of cached authenticators.

Configure the MySQL server's SASL LDAP authentication plugin (authentication_ldap_sasl) to use the GSSAPI/Kerberos authentication method.

The following is an example of the plugin-related settings the server's my.cnf file might contain:
[mysqld]
plugin-load-add=authentication_ldap_sasl.so
authentication_ldap_sasl_auth_method_name='GSSAPI'
authentication_ldap_sasl_server_host=198.51.100.10
authentication_ldap_sasl_server_port=389
authentication_ldap_sasl_bind_root_dn='cn=admin,cn=users,dc=MYSQL,dc=LOCAL'
authentication_ldap_sasl_bind_root_pwd='password'
authentication_ldap_sasl_bind_base_dn='cn=users,dc=MYSQL,dc=LOCAL'
authentication_ldap_sasl_user_search_attr='sAMAccountName'

Create the account(s) using Kerberos authentication.
For example:
CREATE USER '[email protected]'
IDENTIFIED WITH authentication_ldap_sasl
BY '#krb_grp=proxied_krb_user';

CREATE USER 'proxied_krb_user'
IDENTIFIED WITH mysql_no_login;
GRANT ALL
ON krb_user_db.*
TO 'proxied_krb_user';

GRANT PROXY
ON 'proxied_krb_user'
TO '[email protected]';
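Because Nessus does not perform this check, the following Python script is an added offline verification aid (not part of the STIG or the Tenable audit) that parses the [mysqld] section of a my.cnf file and reports which of the plugin settings above are missing. The embedded my.cnf fragment is constructed for illustration and mirrors the example settings; the host and DN values are placeholders.

```python
import re

# Constructed sample my.cnf fragment modelled on the settings in the solution
# (host and DN values are placeholders, not real infrastructure).
SAMPLE_MY_CNF = """\
[mysqld]
plugin-load-add=authentication_ldap_sasl.so
authentication_ldap_sasl_auth_method_name='GSSAPI'
authentication_ldap_sasl_server_host=198.51.100.10
authentication_ldap_sasl_server_port=389
authentication_ldap_sasl_bind_base_dn='cn=users,dc=MYSQL,dc=LOCAL'
authentication_ldap_sasl_user_search_attr='sAMAccountName'
"""


def parse_mysqld_section(text):
    """Return option name -> list of values for the [mysqld] section, quotes stripped."""
    options, in_mysqld = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if not in_mysqld or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # MySQL accepts '-' or '_' interchangeably in option names; normalise to '_'.
        key = key.replace("-", "_")
        # plugin-load-add may legitimately appear more than once, so keep a list.
        options.setdefault(key, []).append(value.strip("'\""))
    return options


def check_gssapi_config(text):
    """Return a list of findings; an empty list means the expected settings are present."""
    opts = parse_mysqld_section(text)
    findings = []
    loaded = opts.get("plugin_load_add", [])
    if not any("authentication_ldap_sasl" in v for v in loaded):
        findings.append("authentication_ldap_sasl plugin is not loaded via plugin-load-add")
    method = opts.get("authentication_ldap_sasl_auth_method_name", [""])[-1]
    if method.upper() != "GSSAPI":
        findings.append(f"auth method is {method or 'unset'!r}, expected 'GSSAPI'")
    for required in ("authentication_ldap_sasl_server_host",
                     "authentication_ldap_sasl_bind_base_dn"):
        if required not in opts:
            findings.append(f"{required} is not set")
    return findings


if __name__ == "__main__":
    for finding in check_gssapi_config(SAMPLE_MY_CNF) or ["compliant"]:
        print(finding)
```

Run it against the real file with `check_gssapi_config(open("/etc/my.cnf").read())`; it only confirms the plugin configuration, not the Kerberos ticket lifetime, which is set on the KDC and in the client's Kerberos configuration.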

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_MySQL_8-0_V2R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(13), CAT|II, CCI|CCI-002007, Rule-ID|SV-235177r961521_rule, STIG-ID|MYS8-00-010300, Vuln-ID|V-235177

Plugin: MySQLDB

Control ID: 929ed5c791e6d3c5aa91641697e465a879ca2b1eaf54df8bbe3ae77fea9c2a6e