
CIS Oracle MySQL Enterprise Edition 5.6 Benchmark v1.1.0 - 08-15-2016

The CIS Security Benchmarks division provides consensus-oriented information security products, services, tools, metrics, suggestions, and recommendations (the "SB Products") as a public service to Internet users worldwide. Downloading or using SB Products in any way signifies and confirms your acceptance of and your binding agreement to these CIS Security Benchmarks Terms of Use.

CIS SECURITY BENCHMARKS TERMS OF USE

BOTH CIS SECURITY BENCHMARKS DIVISION MEMBERS AND NON-MEMBERS MAY:
- Download, install, and use each of the SB Products on a single computer, and/or
- Print one or more copies of any SB Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, but only if each such copy is printed in its entirety and is kept intact, including without limitation the text of these CIS Security Benchmarks Terms of Use.

UNDER THE FOLLOWING TERMS AND CONDITIONS:

SB Products Provided As Is. CIS is providing the SB Products "as is" and "as available" without: (1) any representations, warranties, or covenants of any kind whatsoever (including the absence of any warranty regarding: (a) the effect or lack of effect of any SB Product on the operation or the security of any network, system, software, hardware, or any component of any of them, and (b) the accuracy, utility, reliability, timeliness, or completeness of any SB Product); or (2) the responsibility to make or notify you of any corrections, updates, upgrades, or fixes.

Intellectual Property and Rights Reserved. You are not acquiring any title or ownership rights in or to any SB Product, and full title and all ownership rights to the SB Products remain the exclusive property of CIS. All rights to the SB Products not expressly granted in these Terms of Use are hereby reserved.

Restrictions. You acknowledge and agree that you may not: (1) decompile, dis-assemble, alter, reverse engineer, or otherwise attempt to derive the source code for any software SB Product that is not already in the form of source code; (2) distribute, redistribute, sell, rent, lease, sublicense or otherwise transfer or exploit any rights to any SB Product in any way or for any purpose; (3) post any SB Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device; (4) remove from or alter these CIS Security Benchmarks Terms of Use on any SB Product; (5) remove or alter any proprietary notices on any SB Product; (6) use any SB Product or any component of an SB Product with any derivative works based directly on an SB Product or any component of an SB Product; (7) use any SB Product or any component of an SB Product with other products or applications that are directly and specifically dependent on such SB Product or any component for any part of their functionality; (8) represent or claim a particular level of compliance or consistency with any SB Product; or (9) facilitate or otherwise aid other individuals or entities in violating these CIS Security Benchmarks Terms of Use.

Your Responsibility to Evaluate Risks. You acknowledge and agree that: (1) no network, system, device, hardware, software, or component can be made fully secure; (2) you have the sole responsibility to evaluate the risks and benefits of the SB Products to your particular circumstances and requirements; and (3) CIS is not assuming any of the liabilities associated with your use of any or all of the SB Products.

CIS Liability. You acknowledge and agree that neither CIS nor any of its employees, officers, directors, agents or other service providers has or will have any liability to you whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special damages that arise out of or are connected in any way with your use of any SB Product.

Indemnification. You agree to indemnify, defend, and hold CIS and all of CIS's employees, officers, directors, agents and other service providers harmless from and against any liabilities, costs and expenses incurred by any of them in connection with your violation of these CIS Security Benchmarks Terms of Use.

Jurisdiction. You acknowledge and agree that: (1) these CIS Security Benchmarks Terms of Use will be governed by and construed in accordance with the laws of the State of Maryland; (2) any action at law or in equity arising out of or relating to these CIS Security Benchmarks Terms of Use shall be filed only in the courts located in the State of Maryland; and (3) you hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action.

U.S. Export Control and Sanctions laws. Regarding your use of the SB Products with any non-U.S. entity or country, you acknowledge that it is your responsibility to understand and abide by all U.S. sanctions and export control laws as set from time to time by the U.S. Bureau of Industry and Security (BIS) and the U.S. Office of Foreign Assets Control (OFAC).

SPECIAL RULES FOR CIS MEMBER ORGANIZATIONS: CIS reserves the right to create special rules for: (1) CIS Members; and (2) Non-Member organizations and individuals with which CIS has a written contractual relationship. CIS hereby grants to each CIS Member Organization in good standing the right to distribute the SB Products within such Member's own organization, whether by manual or electronic means. Each such Member Organization acknowledges and agrees that the foregoing grants in this paragraph are subject to the terms of such Member's membership arrangement with CIS and may, therefore, be modified or terminated by CIS at any time.

Table of Contents

Overview
  Intended Audience
  Consensus Guidance
  Typographical Conventions
  Scoring Information
  Profile Definitions
  Acknowledgements
Recommendations
1 Operating System Level Configuration
  1.1 Place Databases on Non-System Partitions (Scored)
  1.2 Use Dedicated Least Privileged Account for MySQL Daemon/Service (Scored)
  1.3 Disable MySQL Command History (Scored)
  1.4 Verify That the MYSQL_PWD Environment Variable Is Not In Use (Scored)
  1.5 Disable Interactive Login (Scored)
  1.6 Verify That MYSQL_PWD Is Not Set In Users' Profiles (Scored)
2 Installation and Planning
  2.1 Backup and Disaster Recovery
    2.1.1 Backup policy in place (Not Scored)
    2.1.2 Verify backups are good (Not Scored)
    2.1.3 Secure backup credentials (Not Scored)
    2.1.4 The backups should be properly secured (Not Scored)
    2.1.5 Point in time recovery (Not Scored)
    2.1.6 Disaster recovery plan (Not Scored)
    2.1.7 Backup of configuration and related files (Not Scored)
  2.2 Dedicate Machine Running MySQL (Not Scored)
  2.3 Do Not Specify Passwords in Command Line (Not Scored)
  2.4 Do Not Reuse Usernames (Not Scored)
  2.5 Do Not Use Default or Non-MySQL-specific Cryptographic Keys (Not Scored)
3 File System Permissions
  3.1 Ensure datadir Has Appropriate Permissions (Scored)
  3.2 Ensure log_bin_basename Files Have Appropriate Permissions (Scored)
  3.3 Ensure log_error Has Appropriate Permissions (Scored)
  3.4 Ensure slow_query_log Has Appropriate Permissions (Scored)
  3.5 Ensure relay_log_basename Files Have Appropriate Permissions (Scored)
  3.6 Ensure general_log_file Has Appropriate Permissions (Scored)
  3.7 Ensure SSL Key Files Have Appropriate Permissions (Scored)
  3.8 Ensure Plugin Directory Has Appropriate Permissions (Scored)
  3.9 Ensure audit_log_file Has Appropriate Permissions (Scored)
4 General
  4.1 Ensure Latest Security Patches Are Applied (Not Scored)
  4.2 Ensure the test Database Is Not Installed (Scored)
  4.3 Ensure allow-suspicious-udfs Is Set to FALSE (Scored)
  4.4 Ensure local_infile Is Disabled (Scored)
  4.5 Ensure mysqld Is Not Started with --skip-grant-tables (Scored)
  4.6 Ensure --skip-symbolic-links Is Enabled (Scored)
  4.7 Ensure the daemon_memcached Plugin Is Disabled (Scored)
  4.8 Ensure secure_file_priv Is Not Empty (Scored)
  4.9 Ensure sql_mode Contains STRICT_ALL_TABLES (Scored)
5 MySQL Permissions
  5.1 Ensure Only Administrative Users Have Full Database Access (Scored)
  5.2 Ensure file_priv Is Not Set to Y for Non-Administrative Users (Scored)
  5.3 Ensure process_priv Is Not Set to Y for Non-Administrative Users (Scored)
  5.4 Ensure super_priv Is Not Set to Y for Non-Administrative Users (Scored)
  5.5 Ensure shutdown_priv Is Not Set to Y for Non-Administrative Users (Scored)
  5.6 Ensure create_user_priv Is Not Set to Y for Non-Administrative Users (Scored)
  5.7 Ensure grant_priv Is Not Set to Y for Non-Administrative Users (Scored)
  5.8 Ensure repl_slave_priv Is Not Set to Y for Non-Slave Users (Scored)
  5.9 Ensure DML/DDL Grants Are Limited to Specific Databases and Users (Scored)
6 Auditing and Logging
  6.1 Ensure log_error Is Not Empty (Scored)
  6.2 Ensure Log Files Are Stored on a Non-System Partition (Scored)
  6.3 Ensure log_warnings Is Set to 2 (Scored)
  6.4 Ensure log-raw Is Set to OFF (Scored)
  6.5 Ensure audit_log_connection_policy Is Not Set to NONE (Scored)
  6.6 Ensure audit_log_exclude_accounts Is Set to NULL (Scored)
  6.7 Ensure audit_log_include_accounts Is Set to NULL (Scored)
  6.8 Ensure audit_log_policy Is Set to Log Logins (Scored)
  6.9 Ensure audit_log_policy Is Set to Log Logins and Connections (Scored)
  6.10 Ensure audit_log_statement_policy Is Set to ALL (Scored)
  6.11 Set audit_log_strategy to SYNCHRONOUS or SEMISYNCHRONOUS (Scored)
  6.12 Make Sure the Audit Plugin Can't Be Unloaded (Scored)
7 Authentication
  7.1 Ensure old_passwords Is Not Set to 1 or ON (Scored)
  7.2 Ensure secure_auth Is Set to ON (Scored)
  7.3 Ensure Passwords Are Not Stored in the Global Configuration (Scored)
  7.4 Ensure sql_mode Contains NO_AUTO_CREATE_USER (Scored)
  7.5 Ensure Passwords Are Set for All MySQL Accounts (Scored)
  7.6 Ensure Password Policy Is in Place (Scored)
  7.7 Ensure No Users Have Wildcard Hostnames (Scored)
  7.8 Ensure No Anonymous Accounts Exist (Scored)
8 Network
  8.1 Ensure have_ssl Is Set to YES (Scored)
  8.2 Ensure ssl_type Is Set to ANY, X509, or SPECIFIED for All Remote Users (Scored)
9 Replication
  9.1 Ensure Replication Traffic Is Secured (Not Scored)
  9.2 Ensure master_info_repository Is Set to TABLE (Scored)
  9.3 Ensure MASTER_SSL_VERIFY_SERVER_CERT Is Set to YES or 1 (Scored)
  9.4 Ensure super_priv Is Not Set to Y for Replication Users (Scored)
  9.5 Ensure No Replication Users Have Wildcard Hostnames (Scored)
Appendix: Summary Table
Appendix: Change History

Overview

This document, CIS Oracle MySQL Enterprise Edition 5.6 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for MySQL Enterprise Edition 5.6. This guide was tested against MySQL Enterprise Edition 5.6 running on Ubuntu Linux 14.04, but applies to other Linux distributions as well. To obtain the latest version of this guide, please visit . If you have questions, comments, or have identified ways to improve this guide, please write us at .

Intended Audience

This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Oracle MySQL Enterprise Edition 5.6.

Consensus Guidance

This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit .

Typographical Conventions

The following typographical conventions are used throughout this guide:

Convention                        Meaning
Stylized Monospace font           Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font                    Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<Italic text in angle brackets>   Denotes a variable requiring substitution for a real value.
Italic font                       Used to denote the title of a book, article, or other publication.
Note                              Additional information or caveats.

Scoring Information

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

Scored
Failure to comply with Scored recommendations will decrease the final benchmark score. Compliance with Scored recommendations will increase the final benchmark score.

Not Scored
Failure to comply with Not Scored recommendations will not decrease the final benchmark score. Compliance with Not Scored recommendations will not increase the final benchmark score.

Profile Definitions

The following configuration profiles are defined by this Benchmark:

Level 1 - MySQL RDBMS on Linux
Items in this profile apply to MySQL Community Server 5.6 running on Linux and intend to:
- be practical and prudent;
- provide a clear security benefit; and
- not inhibit the utility of the technology beyond acceptable means.

Level 2 - MySQL RDBMS on Linux
This profile extends the Level 1 - MySQL RDBMS on Linux profile. Items in this profile apply to MySQL Community Server 5.6 running on Linux and exhibit one or more of the following characteristics:
- are intended for environments or use cases where security is paramount;
- act as a defense in depth measure;
- may negatively inhibit the utility or performance of the technology.

Level 1 - MySQL RDBMS
Items in this profile apply to MySQL Community Server 5.6 and intend to:
- be practical and prudent;
- provide a clear security benefit; and
- not inhibit the utility of the technology beyond acceptable means.
Note: the intent of this profile is to include checks that can be assessed by remotely connecting to a MySQL RDBMS. Therefore, file system-related checks are not contained in this profile.

Level 2 - MySQL RDBMS
This profile extends the Level 1 - MySQL RDBMS profile. Items in this profile exhibit one or more of the following characteristics:
- are intended for environments or use cases where security is paramount;
- act as a defense in depth measure;
- may negatively inhibit the utility or performance of the technology.
Note: the intent of this profile is to include checks that can be assessed by remotely connecting to a MySQL RDBMS. Therefore, file system-related checks are not contained in this profile.

Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:

Editor(s)
Binod Bista
Daniël van Eeden

Contributor(s)
Adam Montville, Center for Internet Security
Timothy Harrison, Center for Internet Security
Sheryl Coppenger, U.S. Government Accountability Office
Karen Scarfone
Robert Warren Thomas Neil Quiogue
Dan White, CIS Community

Recommendations

1 Operating System Level Configuration

This section contains recommendations related to the Operating System on which the MySQL database server is running.

1.1 Place Databases on Non-System Partitions (Scored)

Profile Applicability:
- Level 1 - MySQL RDBMS on Linux

Description:
It is generally accepted that host operating systems should include different filesystem partitions for different purposes. One set of filesystems is typically called system partitions, and is generally reserved for host system/application operation. The other set of filesystems is typically called non-system partitions, and such locations are generally reserved for storing data.

Rationale:
Moving the database off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system.

Audit:
Execute the following steps to assess this recommendation:
1. Discover the datadir by executing the following SQL statement
2. Using the returned datadir Value from the above query, execute the following in a system terminal
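The two audit steps above can be scripted so that the check is repeatable. The script below is an added example and is not text or code from the CIS benchmark. It assumes a Linux host with the mysql client and df(1) on the PATH, that the client's credentials come from an option file (such as ~/.my.cnf) rather than the command line, and that the filesystems holding / and /var are the system partitions; SYSTEM_PATHS, mount_point_of, datadir_on_system_partition, discover_datadir and audit_cis_1_1 are names chosen for this example. The query it uses, SHOW VARIABLES WHERE Variable_name = 'datadir', and the df-based comparison are the example's own way of carrying out the two steps, not necessarily the commands the benchmark prints.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark text: automate the two audit
# steps of recommendation 1.1 on a Linux host.
#   step 1: ask the server for its datadir (needs the mysql client; the
#           credentials are read from an option file such as ~/.my.cnf so
#           that no password appears on the command line)
#   step 2: find the filesystem holding datadir and compare it with the
#           filesystems holding / and /var, which this script assumes are
#           the system partitions (adjust SYSTEM_PATHS for your layout)

SYSTEM_PATHS="/ /var"   # assumption: these paths live on the system partitions

# mount_point_of PATH: print the mount point of the filesystem holding PATH,
# or nothing when PATH does not exist or cannot be examined.
mount_point_of() {
    df -P -- "$1" 2>/dev/null | awk 'NR == 2 { print $NF }'
}

# datadir_on_system_partition DIR: exit status 0 when DIR shares a
# filesystem with one of SYSTEM_PATHS (the audit fails), 1 when DIR has a
# filesystem of its own (the audit passes), 2 when DIR cannot be examined.
# The third status is deliberate: a missing datadir must not count as a pass.
datadir_on_system_partition() {
    dir_mp=$(mount_point_of "$1")
    [ -n "$dir_mp" ] || return 2
    for sys_path in $SYSTEM_PATHS; do
        sys_mp=$(mount_point_of "$sys_path")
        [ -n "$sys_mp" ] || continue
        [ "$dir_mp" = "$sys_mp" ] && return 0
    done
    return 1
}

# discover_datadir: audit step 1, print the datadir reported by the server.
# --batch --skip-column-names gives one tab-separated "datadir<TAB>/path/" line.
discover_datadir() {
    mysql --batch --skip-column-names \
        -e "SHOW VARIABLES WHERE Variable_name = 'datadir'" |
        awk '{ print $2 }'
}

# audit_cis_1_1: run both steps and print one PASS/FAIL/ERROR line.
# Exit status: 0 pass, 1 fail, 2 error.
audit_cis_1_1() {
    datadir=$(discover_datadir) || datadir=""
    if [ -z "$datadir" ]; then
        echo "ERROR: could not read datadir from the server"
        return 2
    fi
    datadir_on_system_partition "$datadir" && rc=0 || rc=$?
    case $rc in
        0) echo "FAIL: datadir $datadir is on system partition $(mount_point_of "$datadir")"
           return 1 ;;
        1) echo "PASS: datadir $datadir is on its own partition $(mount_point_of "$datadir")"
           return 0 ;;
        *) echo "ERROR: datadir $datadir does not exist or cannot be examined"
           return 2 ;;
    esac
}
```

Source the file in a shell on the database host and call audit_cis_1_1; the three distinct exit statuses of datadir_on_system_partition are kept apart on purpose, so that a datadir the server reports but the auditing shell cannot reach is reported as an error instead of being silently scored as compliant.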
