1. Check whether the path of ssl_key is configured
Configuration requirements: Configure the path to ssl_key
Test steps:
Run the following command to check whether the ssl_key path is configured
show variables like 'ssl_key';
Judgment basis: Check whether the path to ssl_key is configured and the file exists
2. Check whether the path of ssl_ca is configured
Configuration requirements: Configure the path to ssl_ca
Test steps:
Run the following command to check whether the ssl_ca path is configured
show variables like 'ssl_ca';
Judgment basis: Check whether the path to ssl_ca is configured and the file exists
3. Check whether the path of ssl_cert is configured
Configuration requirements: Configure the path of ssl_cert
Test steps:
Run the following command to check whether the ssl_cert path is configured
show variables like 'ssl_cert';
Judgment basis: Check whether the path of ssl_cert is configured and the file exists
4. Check whether the log function is configured
Configuration requirements: The database needs to configure error logs to facilitate better analysis of causes and recovery when problems occur
Test steps:
Run the following commands to check whether the error log, query log and binary log are configured
- show variables like 'log_error';
- show variables like 'log_bin';
- show variables like 'log';
Judgment basis: Check whether the database is configured with error log
Reference configuration operation:
MySQL has several types of logs:
Error log: log-error
Query log: log (optional)
Slow query log: log-slow-queries (optional)
Update log: log-update
Binary log: log-bin
(1). If there is no in the /etc directory, you can execute the following command to create a mysql configuration file (file in the Windows environment):
cp /usr/share/mysql/ /etc/
(2). vi /etc/ (file in the Windows environment)
Ensure that the non-optional log parameters listed above (log-error, log-update, log-bin) are present.
Save and restart the mysql service.
For example:
#Enter a name for the binary log. Otherwise a default name will be used.
log-bin=
#Enter a name for the query log file. Otherwise a default name will be used.
#log=
#Enter a name for the error log file. Otherwise a default name will be used.
log-error=
#Enter a name for the update log file. Otherwise a default name will be used.
log-update=
Note: Only some of the logs are enabled above. To enable the other logs, remove the leading "#".
Be sure to add the path and file name of the log after "=".
(3). Restart the mysql service.
5. Check whether the test database has been removed
Configuration requirements: Remove the test database test
Test steps: Execute the following command to check whether the test database exists
mysql>SHOW DATABASES like 'test';
Judgment basis: Check whether the test database has been removed
Reference steps:
To remove the test database, log in as the administrator and execute the following command:
mysql>DROP DATABASE test;
6. Check whether the configuration prohibits authorization statements from automatically creating users
Configuration requirements: Prohibit authorization statements from automatically creating users
Test steps:
Run the following command to check whether the configuration prohibits authorization statements from automatically creating users
mysql>select @@global.sql_mode;
Judgment basis: Check whether NO_AUTO_CREATE_USER exists
Reference steps:
Method 1:
(1). Log in to the database as the administrator user and execute the following command:
>set global sql_mode='NO_AUTO_CREATE_USER';
Method 2:
(1). If there is no in the /etc directory, you can execute the following command to create a mysql configuration file (file in the Windows environment):
cp /usr/share/mysql/ /etc/
(2). Edit the file and add the following configuration statements to [mysqld]:
sql_mode=NO_AUTO_CREATE_USER
7. Check whether irrelevant or anonymous accounts have been deleted
Configuration requirements: Anonymous and unrelated accounts should not exist
Test steps:
Run the following command to see if an anonymous account exists
select count(*) from where user = '';
Judgment basis:
1. If a user with an empty name can connect to the database, an anonymous account exists and must be deleted manually according to the hardening plan.
2. According to business requirements, check whether any unrelated accounts exist. If they do, they must be deleted manually.
Reference configuration operation:
(1). Log in to the database as an administrator and execute the following statement:
mysql>select * from where user='';
(2). Delete the users returned by the query, as follows:
The DROP USER statement deletes one or more MySQL accounts. To use DROP USER, you must have the global CREATE USER privilege or the DELETE privilege for the mysql database. The user and host parts of the account name correspond to the User and Host column values of the user table record. With DROP USER you can remove an account and its privileges as follows:
DROP USER user;
This statement deletes the account's privilege records from all grant tables.
Additional operating instructions: DROP USER does not automatically close any open sessions of the user. If the user has an open session when the account is dropped, the drop does not take effect until that session is closed. Once the session is closed and the user has been dropped, the next login attempt by that user fails.
8. Check whether the database password is encrypted
Configuration requirements: Database passwords must be stored as hashes
Test steps:
Use the following command to check whether any database password is stored unencrypted
mysql>select count(*) from where length(password) < 41 and password!='';
Judgment basis: Check the length of the stored database user password; a hash is normally 41 characters
Reference steps:
The system password is encrypted by default. If there is an unencrypted account, you can modify its password:
mysql>update set Password='<password>' where User='<username>';
9. Check whether the root user has been renamed
Configuration requirements: Rename the database administrator account root
Test steps:
Use the following command to check whether the root user has been renamed
mysql>select count(*) from where user = 'root';
Judgment basis: Check whether the root user can log in to the database
Reference steps:
(1). To rename the database root user, first log in to MySQL:
#mysql -u root -p
(2). Select the database to operate on.
mysql>use mysql;
(3). Change the user name
mysql>update set user="New username" where user="Old username";
10. Check whether SSL connections are used
Configuration requirements: SSL connections are required
Test steps:
Run the following command to check whether SSL connections are used
show variables like 'have_openssl';
Judgment basis: If the value of have_openssl is YES, the check passes; otherwise it fails.
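As an added example that is not part of this checklist, the following Python script evaluates the ten items above against a saved snapshot of SHOW VARIABLES, the mysql.user table and SHOW DATABASES, so the audit can be run offline on output collected from many servers. The snapshot values, the set of existing files, and the assumption that the hash column is authentication_string (Password on MySQL 5.6 and earlier) are constructed for illustration.

```python
import os

# Constructed sample snapshot (not captured from a real host):
# VARIABLES mirrors SHOW VARIABLES, USERS mirrors
# SELECT user, host, authentication_string FROM mysql.user,
# DATABASES mirrors SHOW DATABASES.
VARIABLES = {
    "ssl_key": "/var/lib/mysql/server-key.pem",
    "ssl_ca": "/var/lib/mysql/ca.pem",
    "ssl_cert": "",                                  # item 3: not configured
    "log_error": "/var/log/mysql/error.log",
    "sql_mode": "STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION",  # item 6: mode missing
    "have_openssl": "YES",
}
USERS = [
    ("root", "localhost", "*" + "A" * 40),    # item 9: root not renamed; 41-char hash
    ("", "localhost", ""),                    # item 7: anonymous account
    ("app", "10.0.0.%", "plaintext-secret"),  # item 8: too short to be a hash
]
DATABASES = ["information_schema", "mysql", "test"]  # item 5: test still present
EXISTING_FILES = {"/var/lib/mysql/server-key.pem", "/var/lib/mysql/ca.pem"}  # constructed

def audit(variables, users, databases, path_exists=os.path.exists):
    """Evaluate the ten checklist items; returns {item: True if compliant}.
    path_exists is injectable so a snapshot can be audited away from the server."""
    r = {}
    for var in ("ssl_key", "ssl_ca", "ssl_cert"):              # items 1-3
        path = variables.get(var, "")
        r[var] = bool(path) and path_exists(path)
    r["log_error"] = bool(variables.get("log_error", ""))       # item 4
    r["test_db_removed"] = "test" not in databases              # item 5
    modes = variables.get("sql_mode", "").upper().split(",")    # item 6
    r["no_auto_create_user"] = "NO_AUTO_CREATE_USER" in modes
    r["no_anonymous"] = all(u != "" for u, _, _ in users)       # item 7
    # item 8: checklist rule, a non-empty value shorter than 41 chars is not a hash
    r["passwords_hashed"] = all(p == "" or len(p) >= 41 for _, _, p in users)
    r["root_renamed"] = all(u != "root" for u, _, _ in users)   # item 9
    # item 10: as on the checklist, have_openssl=YES shows SSL support is built in
    r["have_openssl"] = variables.get("have_openssl") == "YES"
    return r

def failed(results):
    """Names of the non-compliant items, in checklist order."""
    return [k for k, ok in results.items() if not ok]

def run_sample():
    return audit(VARIABLES, USERS, DATABASES, path_exists=EXISTING_FILES.__contains__)

if __name__ == "__main__":
    for item in failed(run_sample()):
        print("FAIL", item)
```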