Ensure 'ssl_type' Is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users

Description

All network traffic must use SSL/TLS when traveling over untrusted networks.

Rationale

The SSL/TLS-protected MySQL protocol helps to prevent eavesdropping and man-in-the-middle attacks. It should be enforced on a per-user basis for those users that access the server through the network.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      mysql

Default Rule

// helper functions supplied by the rule engine
const { isEmpty, isEmptyArray } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if every remote user enforces SSL
 */
function validate(databaseSettings) {
  let success = true;

  if (databaseSettings && !isEmptyArray(databaseSettings.users)) {
    // local-only hosts are exempt from the SSL requirement
    const hosts = ['::1', '127.0.0.1', 'localhost'];
    // ssl_type values that require a TLS connection
    const sslTypes = ['any', 'x509', 'specified'];

    // look for remote users without SSL enabled
    const remoteUsersWithoutSsl = databaseSettings.users.filter(user =>
      user.mysql &&
      user.mysql.usersTableSnapshot &&
      !isEmpty(user.mysql.usersTableSnapshot.host) &&
      !hosts.includes(user.mysql.usersTableSnapshot.host.toLowerCase()) &&
      (isEmpty(user.mysql.usersTableSnapshot.sslType) ||
        !sslTypes.includes(user.mysql.usersTableSnapshot.sslType.toLowerCase())));

    success = isEmptyArray(remoteUsersWithoutSsl);
  }

  return {
    success,
  };
}

// invoke (databaseSettings is provided by the rule engine)
validate(databaseSettings);
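As an added example that is not part of the SecureCloudDB rule above, the same check run stand-alone over a constructed snapshot of mysql.user rows (user, host, ssl_type), returning the offending remote accounts together with a REQUIRE SSL statement for each; it assumes MySQL's ALTER USER ... REQUIRE SSL, which sets ssl_type to ANY.

```javascript
// Added example, not the SecureCloudDB rule itself: evaluate a constructed
// snapshot of mysql.user rows and build the remediation for each remote
// account whose ssl_type does not enforce TLS.

// Hosts that reach the server only over loopback or a local socket;
// the rule above exempts these.
const LOCAL_HOSTS = ['::1', '127.0.0.1', 'localhost'];

// ssl_type values that require a TLS connection (MySQL stores '' for none).
const SSL_ENFORCING = ['any', 'x509', 'specified'];

// Returns the rows for remote accounts whose ssl_type does not enforce TLS.
function findRemoteUsersWithoutSsl(rows) {
  return rows.filter(row => {
    const host = (row.host || '').toLowerCase();
    const sslType = (row.ssl_type || '').toLowerCase();
    return host !== '' &&
      !LOCAL_HOSTS.includes(host) &&
      !SSL_ENFORCING.includes(sslType);
  });
}

// Single-quote a MySQL string literal, doubling any embedded quote.
function quoteLiteral(s) {
  return "'" + String(s).replace(/'/g, "''") + "'";
}

// One ALTER USER ... REQUIRE SSL statement per offending account
// (REQUIRE SSL sets ssl_type to ANY).
function remediationStatements(rows) {
  return findRemoteUsersWithoutSsl(rows).map(row =>
    `ALTER USER ${quoteLiteral(row.user)}@${quoteLiteral(row.host)} REQUIRE SSL;`);
}

// Same result shape as the rule: success plus the offending rows.
function validateSnapshot(rows) {
  const offenders = findRemoteUsersWithoutSsl(rows);
  return { success: offenders.length === 0, offenders };
}

// Constructed sample snapshot of mysql.user; not real accounts.
const SAMPLE_USERS = [
  { user: 'root',   host: 'localhost',           ssl_type: '' },     // local: exempt
  { user: 'app',    host: '10.0.0.%',            ssl_type: 'ANY' },  // remote, enforced
  { user: 'report', host: '%',                   ssl_type: '' },     // remote, NOT enforced
  { user: 'admin',  host: '192.168.1.5',         ssl_type: 'X509' }, // remote, enforced
  { user: 'legacy', host: 'db.example.internal', ssl_type: null },   // remote, NOT enforced
];

console.log(validateSnapshot(SAMPLE_USERS));
remediationStatements(SAMPLE_USERS).forEach(stmt => console.log(stmt));
```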