Re: [NSE] Auditing MySQL databases against the CIS benchmark

[Patrik Karlsson <patrik () cqure net>]

On May 31, 2011, at 10:41 AM, Paulino Calderon wrote:

> Hi,
>
> Good work! It works great. I tested your script against a default mysql installation in debian squeeze and these are 
> the results:
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-31 01:34 PDT
> NSE: Loaded 1 scripts for scanning.
> NSE: Starting runlevel 1 (of 1) scan.
> Initiating SYN Stealth Scan at 01:34
> Scanning localhost (127.0.0.1) [1 port]
> Discovered open port 3306/tcp on 127.0.0.1
> Completed SYN Stealth Scan at 01:34, 0.06s elapsed (1 total ports)
> NSE: Starting runlevel 1 (of 1) scan.
> NSE: Script scanning 127.0.0.1.
> Initiating NSE at 01:34
> Completed NSE at 01:34, 0.09s elapsed
> Nmap scan report for localhost (127.0.0.1)
> Host is up (0.000051s latency).
> Scanned at 2011-05-31 01:34:26 PDT for 0s
> PORT     STATE SERVICE
> 3306/tcp open  mysql
> | mysql-audit:
> |   CIS MySQL Benchmarks v1.0.2
> |       3.1: Skip symbolic links => SUCCESS
> |       3.2: Logs not on system partition => SUCCESS
> |       3.2: Logs not on database partition => SUCCESS
> |       4.1: Supported version of MySQL => REVIEW
> |         Version: 5.1.49-3
> |       4.4: Remove test database => SUCCESS
> |       4.5: Change admin account name => FAIL
> |       4.7: Verify Secure Password Hashes => SUCCESS
> |       4.9: Wildcards in user hostname => SUCCESS
> |       4.10: No blank passwords => SUCCESS
> |       4.11: Anonymous account => SUCCESS
> |       5.1: Access to mysql database => REVIEW
> |         Verify the following users that have access to the MySQL database
> |           user              host
> |           root              localhost
> |           root              cldrn
> |           root              127.0.0.1
> |           debian-sys-maint  localhost
> |       5.2: Do not grant FILE privileges to non Admin users => FAIL
> |         The following users were found having the FILE privilege
> |           debian-sys-maint
> |       5.3: Do not grant PROCESS privileges to non Admin users => FAIL
> |         The following users were found having the PROCESS privilege
> |           debian-sys-maint
> |       5.4: Do not grant SUPER privileges to non Admin users => FAIL
> |         The following users were found having the SUPER privilege
> |           debian-sys-maint
> |       5.5: Do not grant SHUTDOWN privileges to non Admin users => FAIL
> |         The following users were found having the SHUTDOWN privilege
> |           debian-sys-maint
> |       5.6: Do not grant CREATE USER privileges to non Admin users => FAIL
> |         The following users were found having the CREATE USER privilege
> |           debian-sys-maint
> |       5.7: Do not grant RELOAD privileges to non Admin users => FAIL
> |         The following users were found having the RELOAD privilege
> |           debian-sys-maint
> |       5.8: Do not grant GRANT privileges to non Admin users => FAIL
> |         The following users were found having the GRANT privilege
> |           debian-sys-maint
> |       6.2: Disable Load data local => FAIL
> |       6.3: Disable old password hashing => SUCCESS
> |       6.4: Safe show database => FAIL
> |       6.5: Secure auth => FAIL
> |       6.6: Grant tables => FAIL
> |       6.7: Skip merge => FAIL
> |       6.8: Skip networking => FAIL
> |       6.9: Safe user create => FAIL
> |       6.10: Skip symbolic links => FAIL
> |
> |_      The audit was performed using the db-account: root
>
> NSE: Starting runlevel 1 (of 1) scan.
> Read data files from: .
> Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
>           Raw packets sent: 1 (44B) | Rcvd: 2 (88B)
>
> Cheers.

Thanks for testing! Much appreciated.

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/