-
Notifications
You must be signed in to change notification settings - Fork 4
/
inspec.yml
183 lines (150 loc) · 5.41 KB
/
inspec.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
name: oracle-mysql-8-stig-baseline
title: Oracle MySQL 8.0 STIG Automated Compliance Validation Profile
maintainer: MITRE SAF Team
copyright: MITRE, 2022
license: Apache-2.0
summary: "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]."
version: 1.1.5
inspec_version: ">= 4.0"
inputs:
- name: user
description: 'privileged account username MySQL DB Server'
type: string
value: 'root'
sensitive: true
- name: password
description: 'password specified user'
type: string
value: 'mysqlrootpass'
sensitive: true
- name: host
description: 'hostname of MySQL DB Server'
value: 'localhost'
sensitive: true
- name: port
description: 'port MySQL DB Server'
type: numeric
value: 3306
- name: aws_rds
description: 'State if your database is an AWS RDS instance'
type: Boolean
value: false
- name: audit_log_path
description: 'Wildcard based path to list all audit log files'
type: string
value: '/var/lib/mysql/audit*log*'
- name: audit_admins # SV-235104 SV-235160 SV-235161 SV-235162
description: 'List of documented audit admin accounts.'
type: array
value: ["'root'@'localhost'", "'root'@'%'"]
- name: org_approved_cert_issuer
description: 'Name of the documented server cert issuer.'
type: string
value: 'DoD Root CA'
- name: pki_exception_users # SV-235134 SV-235136
description: 'List of documented accounts exempted from PKI authentication.'
type: array
value: ['healthchecker']
- name: authorized_password_users # SV-235138
description: 'List of documented accounts allowed to login with password.'
type: array
value: ['my_user','healthchecker']
- name: mysql_administrative_users # SV-235096 SV-235150 SV-235168 SV-235179
description: 'List of documented mysql accounts with administrative privileges.'
type: array
value: ['root']
sensitive: true
- name: mysql_administrative_grantees # SV-235179
description: 'List of documented mysql administrative role grantees'
type: array
value: ["'root'@'localhost'"]
sensitive: true
- name: max_user_connections
description: 'max user connections allowed'
type: numeric
value: 50
- name: approved_plugins
description: 'List of approved Plugins'
type: array
value: ['audit_log']
- name: approved_components
description: 'List of approved components'
type: array
value: ['file://component_validate_password']
- name: mysql_ports # SV-235146 SV-235167
description: 'Authorized MySQL port definitions'
type: Hash
value:
port: 3306
admin_port: 33062
mysqlx_port: 33060
- name: mysql_sockets # SV-235146 SV-235167
description: 'Authorized MySQL socket definitions'
type: Hash
value:
socket: ['/var/lib/mysql/mysql.sock', '/tmp/mysql.sock']
mysqlx_socket: '/var/run/mysqld/mysqlx.sock'
- name: mycnf
description: 'Location of the my.cnf file'
type: string
value: '/etc/my.cnf'
- name: mysqld_auto_cnf
description: 'Location of the mysqld-auto.cnf file'
type: string
value: '/var/lib/mysql/auto.cnf'
- name: authorized_procedures
description: 'Location of the mysqld-auto.cnf file'
type: array
value: []
- name: authorized_functions
description: 'Location of the mysqld-auto.cnf file'
type: array
value: []
- name: minimum_mysql_version
description: 'Approved minimum version of MySQL'
type: string
value: '8.0.25'
- name: org_name
desc: "Name of the organization running this profile"
type: string
value: "DoD"
- name: org_approved_cryptography
desc: "Name of the organization providing the approved cryptography-compliant algorithms"
type: string
value: "NSA"
- name: max_audit_record_storage
desc: "Allocated percentage of max audit record storage that leads to a warning"
type: Numeric
value: 75
- name: org_guidance
desc: "Name of the organization that provides security configuration and implementation guidance"
type: string
value: "NSA configuration guides, CTOs, DTMs, and IAVMs"
- name: min_password_length
desc: "Minimum password length"
type: Numeric
value: 15
- name: password_mixed_case_count
desc: "Count of uppercase and lowercase characters required in the password. The password must have that many lowercase characters, and that many uppercase characters"
type: Numeric
value: 1
- name: password_number_count
desc: "Count of numeric characters required in the password"
type: Numeric
value: 1
- name: password_special_character_count
desc: "Count of special characters required in the password"
type: Numeric
value: 1
- name: password_special_character_count
desc: "Count of special characters required in the password"
type: Numeric
value: 1
- name: password_history
desc: "Number of subsequent account password changes that must occur before the password can be reused"
type: Numeric
value: 5
- name: max_password_lifetime
desc: "Number of days that defined the password lifetime"
type: Numeric
value: 180