MariaDB Enterprise 10.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-APP-000133-DB-000200
Group -
SRG-APP-000505-DB-000352
Group -
SRG-APP-000506-DB-000353
Group -
SRG-APP-000514-DB-000382
Group -
SRG-APP-000001-DB-000031
Group -
SRG-APP-000023-DB-000001
Group -
SRG-APP-000033-DB-000084
Group -
MariaDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access MariaDB. To mitigate the risk of unauthorized access to sensitive information by entities that ...
Rule High Severity -
SRG-APP-000080-DB-000063
Group -
SRG-APP-000089-DB-000064
Group -
SRG-APP-000090-DB-000065
Group -
MariaDB must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events. ...
Rule Medium Severity -
SRG-APP-000091-DB-000066
Group -
MariaDB must be able to generate audit records when privileges/permissions are retrieved.
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. MariaDB makes such ...
Rule Medium Severity -
SRG-APP-000091-DB-000325
Group -
MariaDB must be able to generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. MariaDB makes such ...
Rule Medium Severity -
SRG-APP-000092-DB-000208
Group -
MariaDB must initiate session auditing upon startup.
Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session auditing is in use, it must be in operation for ...
Rule Medium Severity -
SRG-APP-000095-DB-000039
Group -
SRG-APP-000101-DB-000044
Group -
SRG-APP-000109-DB-000049
Group -
SRG-APP-000109-DB-000321
Group -
MariaDB must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
It is critical that when MariaDB is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing failures include software/hardware errors; failure...
Rule Medium Severity -
SRG-APP-000118-DB-000059
Group -
SRG-APP-000119-DB-000060
Group -
SRG-APP-000120-DB-000061
Group -
SRG-APP-000121-DB-000202
Group -
SRG-APP-000122-DB-000203
Group -
SRG-APP-000123-DB-000204
Group -
MariaDB must protect its audit features from unauthorized removal.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...
Rule Medium Severity -
SRG-APP-000133-DB-000179
Group -
SRG-APP-000133-DB-000198
Group -
SRG-APP-000133-DB-000199
Group -
SRG-APP-000133-DB-000362
Group -
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the MariaDB, etc.) must be restricted to authorized users.
If the MariaDB were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part ...
Rule Medium Severity -
SRG-APP-000141-DB-000090
Group -
SRG-APP-000141-DB-000091
Group -
Unused database components, DBMS software, and database objects must be removed.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...
Rule Medium Severity -
SRG-APP-000141-DB-000093
Group -
SRG-APP-000142-DB-000094
Group -
MariaDB must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restr...
Rule Medium Severity -
SRG-APP-000148-DB-000103
Group -
SRG-APP-000164-DB-000401
Group -
If MariaDB authentication, using passwords, is employed, then MariaDB must enforce the DOD standards for password complexity.
OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native MariaDB authentication may be used only when circumstances make it unavoidable; and must be documente...
Rule High Severity -
SRG-APP-000164-DB-000401
Group -
If MariaDB authentication using passwords is employed, MariaDB must enforce the DOD standards for password lifetime.
OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native MariaDB authentication may be used only when circumstances make it unavoidable and must be documented...
Rule Medium Severity -
SRG-APP-000171-DB-000074
Group -
If passwords are used for authentication, MariaDB must store only hashed, salted representations of passwords.
The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate and requires...
Rule High Severity -
SRG-APP-000172-DB-000075
Group -
SRG-APP-000175-DB-000067
Group