Nmap Development mailing list archives
Re: [NSE] Auditing MySQL databases against the CIS benchmark
From: Paulino Calderon <paulino () calderonpale com>
Date: Tue, 31 May 2011 01:41:03 -0700
Hi,

Good work! It works great. I tested your script against a default mysql installation in debian squeeze and these are the results:

Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-31 01:34 PDT
NSE: Loaded 1 scripts for scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating SYN Stealth Scan at 01:34
Scanning localhost (127.0.0.1) [1 port]
Discovered open port 3306/tcp on 127.0.0.1
Completed SYN Stealth Scan at 01:34, 0.06s elapsed (1 total ports)
NSE: Starting runlevel 1 (of 1) scan.
NSE: Script scanning 127.0.0.1.
Initiating NSE at 01:34
Completed NSE at 01:34, 0.09s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000051s latency).
Scanned at 2011-05-31 01:34:26 PDT for 0s
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-audit:
|   CIS MySQL Benchmarks v1.0.2
|     3.1: Skip symbolic links => SUCCESS
|     3.2: Logs not on system partition => SUCCESS
|     3.2: Logs not on database partition => SUCCESS
|     4.1: Supported version of MySQL => REVIEW
|       Version: 5.1.49-3
|     4.4: Remove test database => SUCCESS
|     4.5: Change admin account name => FAIL
|     4.7: Verify Secure Password Hashes => SUCCESS
|     4.9: Wildcards in user hostname => SUCCESS
|     4.10: No blank passwords => SUCCESS
|     4.11: Anonymous account => SUCCESS
|     5.1: Access to mysql database => REVIEW
|       Verify the following users that have access to the MySQL database
|         user              host
|         root              localhost
|         root              cldrn
|         root              127.0.0.1
|         debian-sys-maint  localhost
|     5.2: Do not grant FILE privileges to non Admin users => FAIL
|       The following users were found having the FILE privilege
|         debian-sys-maint
|     5.3: Do not grant PROCESS privileges to non Admin users => FAIL
|       The following users were found having the PROCESS privilege
|         debian-sys-maint
|     5.4: Do not grant SUPER privileges to non Admin users => FAIL
|       The following users were found having the SUPER privilege
|         debian-sys-maint
|     5.5: Do not grant SHUTDOWN privileges to non Admin users => FAIL
|       The following users were found having the SHUTDOWN privilege
|         debian-sys-maint
|     5.6: Do not grant CREATE USER privileges to non Admin users => FAIL
|       The following users were found having the CREATE USER privilege
|         debian-sys-maint
|     5.7: Do not grant RELOAD privileges to non Admin users => FAIL
|       The following users were found having the RELOAD privilege
|         debian-sys-maint
|     5.8: Do not grant GRANT privileges to non Admin users => FAIL
|       The following users were found having the GRANT privilege
|         debian-sys-maint
|     6.2: Disable Load data local => FAIL
|     6.3: Disable old password hashing => SUCCESS
|     6.4: Safe show database => FAIL
|     6.5: Secure auth => FAIL
|     6.6: Grant tables => FAIL
|     6.7: Skip merge => FAIL
|     6.8: Skip networking => FAIL
|     6.9: Safe user create => FAIL
|     6.10: Skip symbolic links => FAIL
|
|_  The audit was performed using the db-account: root
NSE: Starting runlevel 1 (of 1) scan.
Read data files from: .
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 1 (44B) | Rcvd: 2 (88B)

Cheers.

On 05/30/2011 10:43 PM, Patrik Karlsson wrote:

Hi all,

I've been working on a script that attempts to audit a MySQL database against parts of the CIS MySQL v1.0.2 benchmark. The engine is written as a standard NSE script that loads a file containing the tests to run against the database. The tests are small Lua functions that return a result table back to the engine which then interprets the result and creates the "report".

Anyway, in case someone wants to check it out, I'm attaching both the engine and audit file. I'm interested in comments and suggestions as well as test results as I've just done limited testing against a single MySQL database. I think the NSE framework could easily be adapted to work with MS SQL as well, so depending on the enthusiasm and feedback I might get started on that too.

In order to run the script do:

nmap -p 3306 10.0.200.120 --script mysql-audit --script-args "mysql-audit.filename='nselib/data/mysql-cis.audit',mysql-audit.username='root',mysql-audit.password='foobar'"

As usual the script goes into your script directory and the mysql-cis.audit file should go into the nselib/data directory.

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon
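
Added example (not part of the original thread or of the mysql-audit script): a small Python parser that turns report text in the `N.N: title => STATUS` shape shown in the message above into records, so failed checks and the accounts holding flagged privileges can be triaged. The function names and the shortened sample text are assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict
# Shortened excerpt of the mysql-audit output quoted in the message above.
SAMPLE = """\
| mysql-audit:
|   CIS MySQL Benchmarks v1.0.2
|     3.1: Skip symbolic links => SUCCESS
|     4.1: Supported version of MySQL => REVIEW
|       Version: 5.1.49-3
|     5.2: Do not grant FILE privileges to non Admin users => FAIL
|       The following users were found having the FILE privilege
|         debian-sys-maint
|     5.4: Do not grant SUPER privileges to non Admin users => FAIL
|       The following users were found having the SUPER privilege
|         debian-sys-maint
|     6.2: Disable Load data local => FAIL
|
|_  The audit was performed using the db-account: root
"""

CHECK = re.compile(r"^\|\s*(\d+\.\d+): (.+?) => (SUCCESS|FAIL|REVIEW)\s*$")
PRIV = re.compile(r"found having the (.+) privilege")

def parse_audit(text):
    """One dict per check; non-check lines that follow it become its details."""
    checks = []
    for line in text.splitlines():
        m = CHECK.match(line)
        if m:
            checks.append({"id": m.group(1), "title": m.group(2),
                           "status": m.group(3), "details": []})
        elif checks and line.startswith("|") and not line.startswith("|_"):
            detail = line[1:].strip()
            if detail:  # skip the empty "|" spacer line
                checks[-1]["details"].append(detail)
    return checks

def status_counts(checks):
    return Counter(c["status"] for c in checks)  # checks per status

def privileges_by_account(checks):
    """Account -> privileges named by the failed privilege checks."""
    found = defaultdict(list)
    for c in checks:
        m = PRIV.search(c["details"][0]) if c["details"] else None
        if c["status"] == "FAIL" and m:
            for user in c["details"][1:]:
                found[user].append(m.group(1))
    return dict(found)
```
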
Current thread:
- [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (May 30)
- <Possible follow-ups>
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Paulino Calderon (May 30)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (May 31)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (May 31)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Vlatko Kosturjak (May 31)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (Jun 01)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (Jun 12)
- Re: [NSE] Auditing MySQL databases against the CIS benchmark Patrik Karlsson (Jun 16)