Ensure the 'daemon_memcached' Plugin Is Disabled

Description

The InnoDB memcached Plugin allows users to access data stored in InnoDB with the memcached protocol.

Rationale

Anyone with access to the TCP/IP port of the plugin can access and modify the data stored in InnoDB as the plugin doesn't use an authentication mechanism by default.

While the optional SASL authentication provides the capability to protect your MySQL database from unauthenticated access through memcached clients, it is not as strong as traditional DBMS security measures.

However, not all data is exposed by default.
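
To check the points above by hand on a MySQL server, the queries below report the plugin's state, its listener options, and which InnoDB tables are mapped for memcached access. This is an added example, not part of the rule's own code; it uses only standard MySQL objects, and it assumes the `innodb_memcache` schema is present only where the plugin's setup script has been run.

```sql
-- 1. Plugin state. No row means the plugin is not installed;
--    PLUGIN_STATUS = 'ACTIVE' means the plugin is loaded and serving
--    the memcached protocol.
SELECT PLUGIN_NAME, PLUGIN_STATUS, LOAD_OPTION
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME = 'daemon_memcached';

-- 2. Plugin configuration. daemon_memcached_option carries the memcached
--    startup options (for example the listening port).
SHOW GLOBAL VARIABLES LIKE 'daemon_memcached%';

-- 3. Does the plugin's configuration schema exist on this server?
SELECT TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'innodb_memcache';

-- 4. Run only if query 3 returned rows: each row is an InnoDB table
--    (db_schema.db_table) that memcached clients can read and write.
SELECT name, db_schema, db_table, key_columns, value_columns
FROM innodb_memcache.containers;
```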

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                      With Value
secureclouddb/provider   aws
secureclouddb/service    rds
secureclouddb/engine     mysql

Default Rule

const { getServerExtension } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if 'daemon_memcached' is either not installed or disabled
 */
function validate(databaseSettings) {
    const pluginName = "daemon_memcached"
    const expectedStatus = "disabled"
    const currentValue = getServerExtension(databaseSettings, pluginName)

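    // Pass when the plugin has no entry at all (not installed) or when its
    // status is the string "disabled", compared case-insensitively.
    const success = !currentValue ||
                    (typeof currentValue.status === 'string' &&
                    currentValue.status.toLowerCase() === expectedStatus)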

    return {
        success,
    }
}

// invoke
validate(databaseSettings);