From 644c8f3d2a733a6ed78023d5cd2462082bac9bf9 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Wed, 14 Oct 2020 09:01:15 +0200
Subject: [PATCH 1/2] check if a password column exists and only then check contents

Signed-off-by: Sebastian Gumprich
---
 controls/mysql_db.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/controls/mysql_db.rb b/controls/mysql_db.rb
index 037498e..da5da82 100644
--- a/controls/mysql_db.rb
+++ b/controls/mysql_db.rb
@@ -51,14 +51,28 @@
   end
 end
 
+# MySQL 5.7.6 dropped the "password" column in the mysql.user table
+# so we have to check if it's there before we check if a password is empty
 control 'mysql-db-05' do
   impact 1.0
   title 'default passwords must be changed'
+  only_if { command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from information_schema.columns where table_name=\"user\" and table_schema=\"mysql\" and column_name=\"password\";'").stdout.strip == "1" }
   describe command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from mysql.user where (length(password)=0 or password=\"\") and (length(authentication_string)=0 or authentication_string=\"\");'") do
     its(:stdout) { should match(/^0/) }
   end
 end
 
+# MySQL versions older than 5.7.6 and MariaDB databases still have the
+# password column so we need to check if it is empty
+control 'mysql-db-05b' do
+  impact 1.0
+  title 'default passwords must be changed'
+  only_if { command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from information_schema.columns where table_name=\"user\" and table_schema=\"mysql\" and column_name=\"password\";'").stdout.strip == "0" }
+  describe command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from mysql.user where length(authentication_string)=0 or authentication_string=\"\";'") do
+    its(:stdout) { should match(/^0/) }
+  end
+end
+
 control 'mysql-db-06' do
   impact 0.5
   title 'the grant option must not be used'
From df8a1e025456f53e0664ba478fe27b9e2862fd12 Mon Sep 17 00:00:00 2001
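Review bot: Both new `only_if` guards compare the column-count query's stdout to exactly "1" or "0", so whenever that mysql invocation fails (wrong credentials, server unreachable, no privilege on information_schema) stdout is empty, mysql-db-05 and mysql-db-05b are both skipped, and the empty-password check silently drops out of the report instead of failing. Making the second guard the complement of the first, `only_if { command("…same query…").stdout.strip != "1" }`, guarantees that one of the two controls always runs and that an error in the probe surfaces as a failed describe rather than two skips. The comment added above mysql-db-05b is also inverted: that control runs when the password column is absent (MySQL 5.7.6 and later), not for older MySQL/MariaDB which still have it, so it should read `# MySQL 5.7.6+ no longer has the password column, so only authentication_string can be checked`. The guards additionally add two more places where `#{pass}` is interpolated into a shell command line, which exposes the credential in the process list and breaks on shell metacharacters; InSpec's `mysql_session(user, pass).query(...)` resource, or supplying the password via the MYSQL_PWD environment variable, avoids both.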
From: Sebastian Gumprich
Date: Wed, 14 Oct 2020 09:06:16 +0200
Subject: [PATCH 2/2] fix linting

Signed-off-by: Sebastian Gumprich
---
 controls/mysql_db.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/controls/mysql_db.rb b/controls/mysql_db.rb
index da5da82..1312f81 100644
--- a/controls/mysql_db.rb
+++ b/controls/mysql_db.rb
@@ -56,7 +56,7 @@
 control 'mysql-db-05' do
   impact 1.0
   title 'default passwords must be changed'
-  only_if { command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from information_schema.columns where table_name=\"user\" and table_schema=\"mysql\" and column_name=\"password\";'").stdout.strip == "1" }
+  only_if { command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from information_schema.columns where table_name=\"user\" and table_schema=\"mysql\" and column_name=\"password\";'").stdout.strip == '1' }
   describe command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from mysql.user where (length(password)=0 or password=\"\") and (length(authentication_string)=0 or authentication_string=\"\");'") do
     its(:stdout) { should match(/^0/) }
   end
@@ -67,7 +67,7 @@
 control 'mysql-db-05b' do
   impact 1.0
   title 'default passwords must be changed'
-  only_if { command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from information_schema.columns where table_name=\"user\" and table_schema=\"mysql\" and column_name=\"password\";'").stdout.strip == "0" }
+  only_if { command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from information_schema.columns where table_name=\"user\" and table_schema=\"mysql\" and column_name=\"password\";'").stdout.strip == '0' }
   describe command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from mysql.user where length(authentication_string)=0 or authentication_string=\"\";'") do
     its(:stdout) { should match(/^0/) }
   end