MariaDB Enterprise 10.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
MariaDB, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
The DoD standard for authentication is DoD-approved PKI certificates. A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA)....Rule Medium Severity -
SRG-APP-000176-DB-000068
Group -
SRG-APP-000177-DB-000069
Group -
MariaDB must map PKI ID to an associated user account.
The DoD standard for authentication is DoD-approved PKI certificates. Once a PKI is validated, it is mapped to the DBMS user account for the authentication identity and then can be used for authori...Rule Medium Severity -
SRG-APP-000178-DB-000083
Group -
SRG-APP-000179-DB-000114
Group -
MariaDB must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations.
Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated ...Rule High Severity -
SRG-APP-000180-DB-000115
Group -
The MariaDB must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).
Nonorganizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status ...Rule Medium Severity -
SRG-APP-000211-DB-000122
Group -
MariaDB must separate user functionality (including user interface services) from database management functionality.
Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers and typically requires privileged user access. The s...Rule Medium Severity -
SRG-APP-000220-DB-000149
Group -
SRG-APP-000224-DB-000384
Group -
MariaDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
Unique session IDs help to reduce predictability of said identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a sess...Rule Medium Severity -
SRG-APP-000225-DB-000153
Group -
SRG-APP-000226-DB-000147
Group -
In the event of a system failure, MariaDB must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, ...Rule Medium Severity -
SRG-APP-000231-DB-000154
Group -
SRG-APP-000243-DB-000128
Group -
Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.
Applications, including MariaDB, must prevent unauthorized and unintended information transfer via shared system resources. Data used for the development and testing of applications often involve...Rule Medium Severity -
SRG-APP-000243-DB-000373
Group -
MariaDB must prevent unauthorized and unintended information transfer via shared system resources.
The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf...Rule Medium Severity -
SRG-APP-000243-DB-000374
Group -
Access to database files must be limited to relevant processes and to authorized, administrative users.
Applications, including MariaDB, must prevent unauthorized and unintended information transfer via shared system resources. Permitting only MariaDB processes and authorized, administrative users to...Rule Medium Severity -
SRG-APP-000251-DB-000160
Group -
MariaDB must check the validity of all data inputs except those specifically identified by the organization.
Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated applic...Rule Medium Severity -
SRG-APP-000251-DB-000391
Group -
SRG-APP-000251-DB-000392
Group -
MariaDB and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various pr...Rule Medium Severity -
SRG-APP-000295-DB-000305
Group -
SRG-APP-000296-DB-000306
Group -
MariaDB must provide logout functionality to allow the user to manually terminate a session initiated by that user.
If a user cannot explicitly end a DBMS session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Such logout may be explicit or implicit. Examp...Rule Medium Severity -
SRG-APP-000311-DB-000308
Group -
SRG-APP-000313-DB-000309
Group -
SRG-APP-000314-DB-000310
Group -
SRG-APP-000328-DB-000301
Group -
MariaDB must enforce discretionary access control policies, as defined by the data owner, over defined subjects, and objects.
Discretionary Access Control (DAC) is based on the notion that individual users are owners of objects and therefore have discretion over who should be authorized to access the object and in which m...Rule Medium Severity -
SRG-APP-000340-DB-000304
Group -
MariaDB must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. System d...Rule Medium Severity -
SRG-APP-000342-DB-000302
Group -
SRG-APP-000357-DB-000316
Group -
SRG-APP-000359-DB-000319
Group -
SRG-APP-000360-DB-000320
Group -
MariaDB must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impe...Rule Medium Severity -
SRG-APP-000374-DB-000322
Group -
MariaDB must record time stamps, in audit records and application data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by MariaDB must include date and time. Time i...Rule Medium Severity -
SRG-APP-000378-DB-000365
Group -
SRG-APP-000380-DB-000360
Group -
MariaDB must enforce access restrictions associated with changes to the configuration of MariaDB or database(s).
Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. When dealing with access restrictions p...Rule Medium Severity -
SRG-APP-000381-DB-000361
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.