MYS8-00-004900 - The MySQL Database Server 8.0 must map the PKI-authenticated identity to an associated user account.

Information

The DoD standard for authentication is DoD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a Database Management System (DBMS) user account for the authenticated identity to be meaningful to the DBMS and useful for authorization decisions.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the MySQL Database Server 8.0 to map the authenticated identity directly to the MySQL Database Server 8.0 user account.

Alter users to require X509 certificates.

Below is an example to add X509 as a requirement.

For a new user:
CREATE USER 'jeffrey'@'localhost' REQUIRE X509;
AND SUBJECT '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Johan Smith'
AND ISSUER '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Some CA';

Or to add to an existing user:
ALTER USER 'johansmith'@'%'
REQUIRE X509
AND SUBJECT '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Johan Smith'
AND ISSUER '/C=US/ST=Texas/L=Houston/O=SomeCompany/CN=Some CA';

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_MySQL_8-0_V2R2_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(c), CAT|II, CCI|CCI-000187, Rule-ID|SV-235136r961044_rule, STIG-ID|MYS8-00-004900, Vuln-ID|V-235136

Plugin: MySQLDB

Control ID: 3a2b06485ee7a8d76d79e431cbbc157c002bd1ac7d2479512c8182a4cbc55390