Ensure 'secure_auth' is set to 'ON'

Description

This option controls whether the server denies connections from clients that attempt to use accounts whose passwords are stored in the mysql_old_password format.

Rationale

Enabling this option prevents any use of passwords stored in the old format, and hence the insecure communication over the network that comes with them.
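Before the option is enabled, it helps to know which accounts it would lock out. The following is an added example, not part of this rule or its project: it classifies rows shaped like the MySQL 5.6 `mysql.user` table (columns `User`, `Host`, `Password`, `plugin`) by stored hash format. The function names and the sample rows are assumptions made for illustration.

```javascript
// Added example, not the rule's own code. Rows are constructed samples shaped
// like MySQL 5.6 `SELECT User, Host, Password, plugin FROM mysql.user`.
const OLD_HASH = /^[0-9a-f]{16}$/i;       // pre-4.1 format: 16 hex characters
const NATIVE_HASH = /^\*[0-9a-f]{40}$/i;  // 4.1+ format: '*' + 40 hex characters

// Classify how one account's password is stored (hypothetical helper).
function classifyAccount(row) {
    const plugin = (row.plugin || "").toLowerCase();
    const hash = row.Password || "";
    // An explicit old plugin or a 16-hex hash both mean the old format.
    if (plugin === "mysql_old_password" || OLD_HASH.test(hash)) return "old";
    if (NATIVE_HASH.test(hash)) return "native";
    if (hash === "" && (plugin === "" || plugin === "mysql_native_password")) {
        return "empty"; // account without a password
    }
    return "other"; // e.g. a plugin that keeps its hash outside Password
}

// Accounts that secure_auth = ON would refuse, as "user@host" strings.
function accountsDeniedBySecureAuth(rows) {
    return rows
        .filter((row) => classifyAccount(row) === "old")
        .map((row) => `${row.User}@${row.Host}`);
}

// Constructed data; the hash values are placeholders, not real hashes.
const sampleRows = [
    { User: "app", Host: "%", plugin: "mysql_native_password",
      Password: "*0123456789ABCDEF0123456789ABCDEF01234567" },
    { User: "legacy_batch", Host: "10.0.0.%", plugin: "",
      Password: "0123456789abcdef" },
    { User: "report", Host: "localhost", plugin: "mysql_old_password",
      Password: "fedcba9876543210" },
    { User: "auditor", Host: "%", plugin: "sha256_password", Password: "" },
];

console.log(accountsDeniedBySecureAuth(sampleRows));
```

Accounts reported here need their passwords reset into the newer format before the option is switched on, otherwise their clients will be refused.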

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                      With Value
secureclouddb/provider   aws
secureclouddb/service    rds
secureclouddb/engine     mysql

Default Rule

const { checkRdsVersion, OK_SKIP_VERSION, checkServerSetting } = module

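/**
 * @param {Object} databaseSettings - database settings object
 * @returns {Object} OK_SKIP_VERSION if the engine version is not covered by this rule,
 *   otherwise { success }, where success is true if secure_auth has the expected value
 */
function validate(databaseSettings) {
    // Declared with const so the list does not leak as an implicit global
    const supportedVersions = ["5.6"]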
    const supported = checkRdsVersion(databaseSettings, supportedVersions)
    if (!supported){
        return OK_SKIP_VERSION
    }

    const settingName = "secure_auth"
    const expectedValue = "on"
    const success = checkServerSetting(databaseSettings, settingName, expectedValue)
    return {
        success,
    }
}

// invoke
validate(databaseSettings);