1 # OSSEC Linux Audit - (C) 2018
3 # Released under the same license as OSSEC.
4 # More details at the LICENSE file included with OSSEC or online
5 # at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
7 # [Application name] [any or all] [reference]
11 # - f (for file or directory)
12 # - p (process running)
13 # - d (any file inside the directory)
16 # For the registry , use "->" to look for a specific entry and another
17 # "->" to look for the value.
18 # For files, use "->" to look for a specific value in the file.
20 # Values can be preceeded by: =: (for equal) - default
21 # r: (for ossec regexes)
22 # >: (for strcmp greater)
23 # <: (for strcmp lower)
24 # Multiple patterns can be specified by using " && " between them.
25 # (All of them must match for it to return true).
27 # CIS Checks for MYSQL
28 # Based on Center for Internet Security Benchmark for MYSQL v1.1.0
30 $home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/;
31 $enviroment_files=/*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile;
32 $mysql-cnfs=/etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf;
35 #1.3 Disable MySQL Command History
36 [CIS - MySQL Configuration - 1.3: Disable MySQL Command History] [any] [https://workbench.cisecurity.org/files/1310/download]
37 d:$home_dirs -> ^.mysql_history$;
40 #1.5 Disable Interactive Login
41 [CIS - MySQL Configuration - 1.5: Disable Interactive Login] [any] [https://workbench.cisecurity.org/files/1310/download]
42 f:/etc/passwd -> r:^mysql && !r:\.*/bin/false$|/sbin/nologin$;
45 #1.6 Verify That 'MYSQL_PWD' Is Not In Use
46 [CIS - MySQL Configuration - 1.6: 'MYSQL_PWD' Is in Use] [any] [https://workbench.cisecurity.org/files/1310/download]
47 f:$enviroment_files -> r:\.*MYSQL_PWD\.*;
50 #4.3 Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'
51 [CIS - MySQL Configuration - 4.3: 'allow-suspicious-udfs' Is Set in my.cnf'] [any] [https://workbench.cisecurity.org/files/1310/download]
52 f:$mysql-cnfs -> !r:^# && r:allow-suspicious-udfs\.+true;
53 f:$mysql-cnfs -> r:allow-suspicious-udfs\s*$;
56 #4.4 Ensure 'local_infile' Is Disabled
57 [CIS - MySQL Configuration - 4.4: local_infile is not forbidden in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
58 f:$mysql-cnfs -> !r:^# && r:local-infile\s*=\s*1;
59 f:$mysql-cnfs -> r:local-infile\s*$;
62 #4.5 Ensure 'mysqld' Is Not Started with '--skip-grant-tables'
63 [CIS - MySQL Configuration - 4.5: skip-grant-tables is set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
64 f:$mysql-cnfs -> !r:^# && r:skip-grant-tables\s*=\s*true;
65 f:$mysql-cnfs -> !r:skip-grant-tables\s*=\s*false;
66 f:$mysql-cnfs -> r:skip-grant-tables\s*$;
69 #4.6 Ensure '--skip-symbolic-links' Is Enabled
70 [CIS - MySQL Configuration - 4.6: skip_symbolic_links is not enabled in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
71 f:$mysql-cnfs -> !r:^# && r:skip_symbolic_links\s*=\s*no;
72 f:$mysql-cnfs -> !r:skip_symbolic_links\s*=\s*yes;
73 f:$mysql-cnfs -> r:skip_symbolic_links\s*$;
76 #4.8 Ensure 'secure_file_priv' is not empty
77 [CIS - MySQL Configuration - 4.8: Ensure 'secure_file_priv' is not empty] [any] [https://workbench.cisecurity.org/files/1310/download]
78 f:$mysql-cnfs -> r:^# && r:secure_file_priv=\s*\S+\s*;
79 f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*;
80 f:$mysql-cnfs -> r:secure_file_priv\s*$;
83 #4.9 Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'
84 [CIS - MySQL Configuration - 4.9: strict_all_tables is not set at sql_mode section of my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
85 f:$mysql-cnfs -> !r:strict_all_tables\s*$;
88 #6.1 Ensure 'log_error' is not empty
89 [CIS - MySQL Configuration - 6.1: log-error is not set in my.cnf] [any] [https://workbench.cisecurity.org/files/1310/download]
90 f:$mysql-cnfs -> r:^# && r:log_error\s*=\s*\S+\s*;
91 f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*;
92 f:$mysql-cnfs -> r:log_error\s*$;
95 #6.2 Ensure Log Files are not Stored on a non-system partition
96 [CIS - MySQL Configuration - 6.2: log files are maybe stored on systempartition] [any] [https://workbench.cisecurity.org/files/1310/download]
97 f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/\S*\s*;
98 f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/var/\S*\s*;
99 f:$mysql-cnfs -> !r:^# && r:log_bin= && !r:\s*/usr/\S*\s*;
100 f:$mysql-cnfs -> r:log_bin\s*$;
103 #6.3 Ensure 'log_warning' is set to 2 at least
104 [CIS - MySQL Configuration - 6.3: log warnings is set low] [any] [https://workbench.cisecurity.org/files/1310/download]
105 f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*0;
106 f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*1;
107 f:$mysql-cnfs -> !r:log_warnings\s*=\s*\d+;
108 f:$mysql-cnfs -> r:log_warnings\s*$;
111 #6.5 Ensure 'log_raw' is set to 'off'
112 [CIS - MySQL Configuration - 6.5: log_raw is not set to off] [any] [https://workbench.cisecurity.org/files/1310/download]
113 f:$mysql-cnfs -> !r:^# && r:log-raw\s*=\s*on;
114 f:$mysql-cnfs -> r:log-raw\s*$;
117 #7.1 Ensure 'old_password' is not set to '1' or 'On'
118 [CIS - MySQL Configuration - 7.1:Ensure 'old_passwords' is not set to '1' or 'on'] [any] [https://workbench.cisecurity.org/files/1310/download]
119 f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1;
120 f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on;
121 f:$mysql-cnfs -> !r:old_passwords\s*=\s*2;
122 f:$mysql-cnfs -> r:old_passwords\s*$;
125 #7.2 Ensure 'secure_auth' is set to 'ON'
126 [CIS - MySQL Configuration - 7.2: Ensure 'secure_auth' is set to 'ON'] [any] [https://workbench.cisecurity.org/files/1310/download]
127 f:$mysql-cnfs -> !r:^# && r:secure_auth\s*=\s*off;
128 f:$mysql-cnfs -> !r:secure_auth\s*=\s*on;
129 f:$mysql-cnfs -> r:secure_auth\s*$;
132 #7.3 Ensure Passwords Are Not Stored in the Global Configuration
133 [CIS - MySQL Configuration - 7.3: Passwords are stored in global configuration] [any] [https://workbench.cisecurity.org/files/1310/download]
134 f:$mysql-cnfs -> !r:^# && r:^\s*password\.*;
137 #7.4 Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'
138 [CIS - MySQL Configuration - 7.4: Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'] [any] [https://workbench.cisecurity.org/files/1310/download]
139 f:$mysql-cnfs -> !r:no_auto_create_user\s*$;
140 f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$;
143 #7.6 Ensure Password Policy is in Place
144 [CIS - MySQL Configuration - 7.6: Ensure Password Policy is in Place ] [any] [https://workbench.cisecurity.org/files/1310/download]
145 f:$mysql-cnfs -> !r:plugin-load\s*=\s*validate_password.so\s*$;
146 f:$mysql-cnfs -> !r:validate-password\s*=\s*force_plus_permanent\s*$;
147 f:$mysql-cnfs -> !r:validate_password_length\s*=\s*14\s$;
148 f:$mysql-cnfs -> !r:validate_password_mixed_case_count\s*=\s*1\s*$;
149 f:$mysql-cnfs -> !r:validate_password_number_count\s*=\s*1\s*$;
150 f:$mysql-cnfs -> !r:validate_password_special_char_count\s*=\s*1;
151 f:$mysql-cnfs -> !r:validate_password_policy\s*=\s*medium\s*;
154 #9.2 Ensure 'master_info_repository' is set to 'Table'
155 [CIS - MySQL Configuration - 9.2: Ensure 'master_info_repositrory' is set to 'Table'] [any] [https://workbench.cisecurity.org/files/1310/download]
156 f:$mysql-cnfs -> !r:^# && r:master_info_repository\s*=\s*file;
157 f:$mysql-cnfs -> !r:master_info_repository\s*=\s*table;
158 f:$mysql-cnfs -> r:master_info_repository\s*$;