Trustwave Database Security Knowledgebase (ShatterKB) 6.09 is now available. It introduces new checks for MariaDB, MySQL, Percona for MySQL, and PostgreSQL. It also brings updates to compliance policies and a new policy for DISA STIG MySQL 8.0 V1R1.
New Vulnerability and Configuration Check Highlights
MariaDB
CREATE ROUTINE privileges granted
Check whether the CREATE ROUTINE privilege has been granted to users.
Risk: Medium
Ensure that the certification authority is correct and authorized
Verify that the certificate in the server-cert.pem file was issued by an approved Certificate Authority.
Risk: Medium
Ensure the use of valid DoD approved PKI certificates
Verify that each user's certificate is DoD approved and that a certificate revocation list file is in use.
Risk: Medium
Maximum number of concurrent sessions
Verify that user accounts have a limit on the maximum number of concurrent sessions.
Risk: Medium
Users with administrative audit privileges
List users with administrative privileges over auditing.
Risk: Medium
MySQL
CREATE ROUTINE privileges granted
Check whether the CREATE ROUTINE privilege has been granted to users.
Risk: Medium
Discretionary access control over defined objects
Verify that permissions on database objects are configured correctly.
Risk: Medium
Ensure audit directory has appropriate permissions and ownership
Verify that the MySQL audit directory has the appropriate permissions and ownership.
Risk: Medium
Ensure audit_log plugin is enabled
Verify that the audit_log plugin is enabled.
Risk: Low
Ensure audit_log_encryption is set appropriately
Verify that the Audit plugin variable audit_log_encryption is set to 'AES'.
Risk: Medium
Ensure audit_log_filter includes event objects to be audited
Verify that the Audit plugin table audit_log_filter contains the events that will be actively monitored.
Risk: Medium
Ensure audit_log_user includes users to be audited
Verify that the Audit table audit_log_user contains users to be monitored.
Risk: Medium
Ensure MySQL Firewall is in use
Verify that the MySQL Firewall is installed and set to a proper mode.
Risk: Medium
Ensure software modules have the appropriate privileges
Verify that the modules' DEFINER account is documented and authorized.
Risk: Medium
Ensure SSL FIPS Mode is enabled
Verify that the MySQL variable "ssl_fips_mode" is set to "ON" or "STRICT".
Risk: High
Ensure that the certification authority is correct and authorized
Verify that the certificate in the server-cert.pem file was issued by an approved Certificate Authority.
Risk: Medium
Ensure the audit plugin loads automatically upon startup
Verify that the MySQL audit plugin variables 'plugin-load-add' and 'audit-log' are defined in the my.cnf file.
Risk: Medium
Ensure the permissions on config files are correct
Verify that the permissions of the MySQL config files (my.cnf and mysqld-auto.cnf) are correct.
Risk: Medium
Ensure the use of valid DoD approved PKI certificates
Verify that each user's certificate is DoD approved and that a certificate revocation list file is in use.
Risk: Medium
Ensure there is adequate storage for audit logs
Verify that there is enough space on the disk for future audit log file creation.
Risk: Medium
Maximum number of concurrent sessions
Verify that user accounts have a limit on the maximum number of concurrent sessions.
Risk: Medium
Permissions on plugins
List users with rights to install or uninstall plugins.
Risk: Medium
Protecting audit features from unauthorized access
Verify that the 'AUDIT_ADMIN' privilege is assigned only to appropriate database users.
Risk: Medium
Protecting the integrity of information at rest
Verify that certain global variables are set correctly to secure information at rest.
Risk: High
Unused database plugins and components must be removed
Verify that all installed plugins and components fall in line with organizational operations.
Risk: Medium
Users with administrative audit privileges
List users with administrative privileges over auditing.
Risk: Medium
Percona for MySQL
CREATE ROUTINE privileges granted
Check whether the CREATE ROUTINE privilege has been granted to users.
Risk: Medium
Discretionary access control over defined objects
Verify that permissions on database objects are configured correctly.
Risk: Medium
Ensure audit directory has appropriate permissions and ownership
Verify that the Percona Server for MySQL audit directory has the appropriate permissions and ownership.
Risk: Medium
Ensure audit_log plugin is enabled
Verify that the audit_log plugin is enabled.
Risk: Low
Ensure SSL FIPS Mode is enabled
Verify that the Percona Server for MySQL variable "ssl_fips_mode" is set to "ON" or "STRICT".
Risk: High
Ensure that the certification authority is correct and authorized
Verify that the certificate in the server-cert.pem file was issued by an approved Certificate Authority.
Risk: Medium
Ensure the use of valid DoD approved PKI certificates
Verify that each user's certificate is DoD approved and that a certificate revocation list file is in use.
Risk: Medium
Maximum number of concurrent sessions
Verify that user accounts have a limit on the maximum number of concurrent sessions.
Risk: Medium
Users with administrative audit privileges
List users with administrative privileges over auditing.
Risk: Medium
PostgreSQL
Vulnerability in PostgreSQL core server - CVE-2021-32027
Check the server version to determine whether the database is affected by the vulnerability described in CVE-2021-32027.
Risk: Medium
Vulnerability in PostgreSQL core server - CVE-2021-32028
Check the server version to determine whether the database is affected by the vulnerability described in CVE-2021-32028.
Risk: Medium
Vulnerability in PostgreSQL core server - CVE-2021-32029
Check the server version to determine whether the database is affected by the vulnerability described in CVE-2021-32029.
Risk: Medium
New Policies
DISA-STIG MySQL 8.0 V1R1 Audit (Built-In)
This policy was created from the guidelines set out in the DoD Security Technical Implementation Guide "Oracle MySQL 8.0 Security Technical Implementation Guide Version 1 Release 1".
Updated Policies
- The full list of policy updates is available in the readme file in the support portal.
Availability
- Available to all AppDetectivePRO and DbProtect customers with maintenance (subscription or perpetual) in good standing at no additional cost.
- AppDetectivePRO customers can also use the Updater within the product.