Nmap Development mailing list archives

Re: [NSE] Auditing MySQL databases against the CIS benchmark


From: Paulino Calderon <paulino () calderonpale com>
Date: Tue, 31 May 2011 01:41:03 -0700

Hi,

Good work! It works great. I tested your script against a default MySQL installation in Debian squeeze and these are the results:

Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-31 01:34 PDT
NSE: Loaded 1 scripts for scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating SYN Stealth Scan at 01:34
Scanning localhost (127.0.0.1) [1 port]
Discovered open port 3306/tcp on 127.0.0.1
Completed SYN Stealth Scan at 01:34, 0.06s elapsed (1 total ports)
NSE: Starting runlevel 1 (of 1) scan.
NSE: Script scanning 127.0.0.1.
Initiating NSE at 01:34
Completed NSE at 01:34, 0.09s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000051s latency).
Scanned at 2011-05-31 01:34:26 PDT for 0s
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-audit:
|   CIS MySQL Benchmarks v1.0.2
|       3.1: Skip symbolic links => SUCCESS
|       3.2: Logs not on system partition => SUCCESS
|       3.2: Logs not on database partition => SUCCESS
|       4.1: Supported version of MySQL => REVIEW
|         Version: 5.1.49-3
|       4.4: Remove test database => SUCCESS
|       4.5: Change admin account name => FAIL
|       4.7: Verify Secure Password Hashes => SUCCESS
|       4.9: Wildcards in user hostname => SUCCESS
|       4.10: No blank passwords => SUCCESS
|       4.11: Anonymous account => SUCCESS
|       5.1: Access to mysql database => REVIEW
|         Verify the following users that have access to the MySQL database
|           user              host
|           root              localhost
|           root              cldrn
|           root              127.0.0.1
|           debian-sys-maint  localhost
|       5.2: Do not grant FILE privileges to non Admin users => FAIL
|         The following users were found having the FILE privilege
|           debian-sys-maint
|       5.3: Do not grant PROCESS privileges to non Admin users => FAIL
|         The following users were found having the PROCESS privilege
|           debian-sys-maint
|       5.4: Do not grant SUPER privileges to non Admin users => FAIL
|         The following users were found having the SUPER privilege
|           debian-sys-maint
|       5.5: Do not grant SHUTDOWN privileges to non Admin users => FAIL
|         The following users were found having the SHUTDOWN privilege
|           debian-sys-maint
|       5.6: Do not grant CREATE USER privileges to non Admin users => FAIL
|         The following users were found having the CREATE USER privilege
|           debian-sys-maint
|       5.7: Do not grant RELOAD privileges to non Admin users => FAIL
|         The following users were found having the RELOAD privilege
|           debian-sys-maint
|       5.8: Do not grant GRANT privileges to non Admin users => FAIL
|         The following users were found having the GRANT privilege
|           debian-sys-maint
|       6.2: Disable Load data local => FAIL
|       6.3: Disable old password hashing => SUCCESS
|       6.4: Safe show database => FAIL
|       6.5: Secure auth => FAIL
|       6.6: Grant tables => FAIL
|       6.7: Skip merge => FAIL
|       6.8: Skip networking => FAIL
|       6.9: Safe user create => FAIL
|       6.10: Skip symbolic links => FAIL
|
|_      The audit was performed using the db-account: root

NSE: Starting runlevel 1 (of 1) scan.
Read data files from: .
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
           Raw packets sent: 1 (44B) | Rcvd: 2 (88B)

Cheers.

On 05/30/2011 10:43 PM, Patrik Karlsson wrote:
Hi all,

I've been working on a script that attempts to audit a MySQL database against parts of the CIS MySQL v1.0.2 benchmark.
The engine is written as a standard NSE script that loads a file containing the tests to run against the database.
The tests are small Lua functions that return a result table back to the engine which then interprets the result and creates the "report".

Anyway, in case someone wants to check it out, I'm attaching both the engine and audit file.
I'm interested in comments and suggestions as well as test results as I've just done limited testing against a single MySQL database.
I think the NSE framework could easily be adapted to work with MS SQL as well, so depending on the enthusiasm and feedback I might get started on that too.

In order to run the script do:
nmap -p 3306 10.0.200.120 --script mysql-audit --script-args "mysql-audit.filename='nselib/data/mysql-cis.audit',mysql-audit.username='root',mysql-audit.password='foobar'"

As usual the script goes into your script directory and the mysql-cis.audit file should go into the nselib/data directory.




//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

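Added example, not part of the original messages and not code from the Nmap project: a small Python parser that turns the mysql-audit report format shown in the reply above into structured findings, so FAIL and REVIEW controls can be tracked per host. The function names parse_audit and summarize are hypothetical, and the sample is a shortened excerpt of the report quoted in the thread.

```python
import re
from collections import Counter
# Shortened excerpt of the mysql-audit report quoted in the message above.
SAMPLE = """\
| mysql-audit:
|   CIS MySQL Benchmarks v1.0.2
|       3.1: Skip symbolic links => SUCCESS
|       4.1: Supported version of MySQL => REVIEW
|         Version: 5.1.49-3
|       4.5: Change admin account name => FAIL
|       5.2: Do not grant FILE privileges to non Admin users => FAIL
|         The following users were found having the FILE privilege
|           debian-sys-maint
|
|_      The audit was performed using the db-account: root
"""

# "<id>: <description> => <STATUS>" lines; anything else is detail text.
CONTROL = re.compile(r"^\|_?\s+(\d+(?:\.\d+)+): (.+?) => ([A-Z]+)\s*$")
ACCOUNT = re.compile(r"db-account: (\S+)")

def parse_audit(text):
    """Return (findings, account); each finding has id, desc, status, details."""
    findings, account, current = [], None, None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                      # not part of the script output
        m = CONTROL.match(line)
        if m:
            current = {"id": m.group(1), "desc": m.group(2),
                       "status": m.group(3), "details": []}
            findings.append(current)
            continue
        body = line.lstrip("|_").strip()
        a = ACCOUNT.search(body)
        if a:
            account = a.group(1)          # account the audit ran as
        elif not body:
            current = None                # a bare "|" ends the control list
        elif current is not None:
            current["details"].append(body)
    return findings, account

def summarize(findings):
    """Count results per status and list control ids that need follow-up."""
    counts = Counter(f["status"] for f in findings)
    todo = [f["id"] for f in findings if f["status"] in ("FAIL", "REVIEW")]
    return counts, todo

print(summarize(parse_audit(SAMPLE)[0]))
```
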

