Nmap Development mailing list archives
Re: [NSE] Auditing MySQL databases against the CIS benchmark
From: Patrik Karlsson <patrik () cqure net>
Date: Wed, 1 Jun 2011 00:16:11 +0200
On May 31, 2011, at 10:41 AM, Paulino Calderon wrote:
Hi, Good work! It works great. I tested your script against a default mysql installation in debian squeeze and these are the results: Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-31 01:34 PDT NSE: Loaded 1 scripts for scanning. NSE: Starting runlevel 1 (of 1) scan. Initiating SYN Stealth Scan at 01:34 Scanning localhost (127.0.0.1) [1 port] Discovered open port 3306/tcp on 127.0.0.1 Completed SYN Stealth Scan at 01:34, 0.06s elapsed (1 total ports) NSE: Starting runlevel 1 (of 1) scan. NSE: Script scanning 127.0.0.1. Initiating NSE at 01:34 Completed NSE at 01:34, 0.09s elapsed Nmap scan report for localhost (127.0.0.1) Host is up (0.000051s latency). Scanned at 2011-05-31 01:34:26 PDT for 0s PORT STATE SERVICE 3306/tcp open mysql | mysql-audit: | CIS MySQL Benchmarks v1.0.2 | 3.1: Skip symbolic links => SUCCESS | 3.2: Logs not on system partition => SUCCESS | 3.2: Logs not on database partition => SUCCESS | 4.1: Supported version of MySQL => REVIEW | Version: 5.1.49-3 | 4.4: Remove test database => SUCCESS | 4.5: Change admin account name => FAIL | 4.7: Verify Secure Password Hashes => SUCCESS | 4.9: Wildcards in user hostname => SUCCESS | 4.10: No blank passwords => SUCCESS | 4.11: Anonymous account => SUCCESS | 5.1: Access to mysql database => REVIEW | Verify the following users that have access to the MySQL database | user host | root localhost | root cldrn | root 127.0.0.1 | debian-sys-maint localhost | 5.2: Do not grant FILE privileges to non Admin users => FAIL | The following users were found having the FILE privilege | debian-sys-maint | 5.3: Do not grant PROCESS privileges to non Admin users => FAIL | The following users were found having the PROCESS privilege | debian-sys-maint | 5.4: Do not grant SUPER privileges to non Admin users => FAIL | The following users were found having the SUPER privilege | debian-sys-maint | 5.5: Do not grant SHUTDOWN privileges to non Admin users => FAIL | The following users were found having the SHUTDOWN privilege | debian-sys-maint | 5.6: Do not grant CREATE USER privileges to non Admin users => FAIL | The following users were found having the CREATE USER privilege | debian-sys-maint | 5.7: Do not grant RELOAD privileges to non Admin users => FAIL | The following users were found having the RELOAD privilege | debian-sys-maint | 5.8: Do not grant GRANT privileges to non Admin users => FAIL | The following users were found having the GRANT privilege | debian-sys-maint | 6.2: Disable Load data local => FAIL | 6.3: Disable old password hashing => SUCCESS | 6.4: Safe show database => FAIL | 6.5: Secure auth => FAIL | 6.6: Grant tables => FAIL | 6.7: Skip merge => FAIL | 6.8: Skip networking => FAIL | 6.9: Safe user create => FAIL | 6.10: Skip symbolic links => FAIL | |_ The audit was performed using the db-account: root NSE: Starting runlevel 1 (of 1) scan. Read data files from: . Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds Raw packets sent: 1 (44B) | Rcvd: 2 (88B) Cheers.
I've modified the rules to exclude the root and debian-sys-maint account from the privilege (5.x) section. Additional accounts may be added to the ADMIN_ACCOUNT variable in the audit file.
Attachment:
mysql-cis.audit
Description:
Attachment:
mysql-audit.nse
Description:
//Patrik -- Patrik Karlsson http://www.cqure.net http://www.twitter.com/nevdull77
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (May 30)
- <Possible follow-ups>
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Paulino Calderon (May 30)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (May 31)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (May 31)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Vlatko Kosturjak (May 31)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (Jun 01)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (Jun 12)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (Jun 16)