Ensure No Anonymous Accounts Exist

Description

Anonymous accounts are users that have an empty username ('') and no password.

Rationale

Anyone, including unidentified, untrusted and/or malicious users, can use anonymous accounts to connect to the server. Removing them helps ensure that only identified and trusted users can interact with MySQL servers.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      mysql

Default Rule

// isEmpty and isEmptyArray are helpers taken from the `module` object
const { isEmpty, isEmptyArray } = module;

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if no user has an empty username
 */
function validate(databaseSettings) {
  let success = true;
  if (databaseSettings && !isEmptyArray(databaseSettings.users)) {
    // look for users with empty username
    const anonymousUsers = databaseSettings.users.filter(user =>
      user.mysql &&
      user.mysql.usersTableSnapshot &&
      isEmpty(user.mysql.usersTableSnapshot.username));

    success = isEmptyArray(anonymousUsers);
  }

  return {
    success,
  };
}

// invoke
validate(databaseSettings);
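
Added example (not part of the product's rule set): the Default Rule above reports success when databaseSettings is missing and ignores user records that have no usersTableSnapshot. The variant below lists the anonymous accounts it finds and separates "passed" from "could not be checked". The local isEmpty helper, the host field and the sample input are assumptions made for illustration.

```javascript
// Assumed helper semantics: undefined, null and '' all count as empty.
const isEmpty = (v) => v === undefined || v === null || v === '';

/**
 * Classify each user record instead of returning a single boolean.
 *  - anonymous:  a snapshot exists and its username is empty
 *  - unverified: no mysql.usersTableSnapshot, so the record cannot be checked
 */
function auditAnonymousUsers(databaseSettings) {
  const users = databaseSettings ? databaseSettings.users : undefined;
  if (!Array.isArray(users)) {
    // No user data was collected: report "not evaluated" rather than a pass.
    return { success: false, evaluated: false, anonymous: [], unverified: [] };
  }

  const anonymous = [];
  const unverified = [];
  users.forEach((user, index) => {
    const snapshot = user && user.mysql && user.mysql.usersTableSnapshot;
    if (!snapshot) {
      unverified.push(index);
    } else if (isEmpty(snapshot.username)) {
      // `host` is a hypothetical field; it is undefined if the snapshot lacks it.
      anonymous.push({ index, host: snapshot.host });
    }
  });

  return { success: anonymous.length === 0, evaluated: true, anonymous, unverified };
}

// Constructed sample input: one named user, one anonymous user, one record
// without a users-table snapshot.
const sampleSettings = {
  users: [
    { mysql: { usersTableSnapshot: { username: 'app', host: '10.0.%' } } },
    { mysql: { usersTableSnapshot: { username: '', host: 'localhost' } } },
    { mysql: {} },
  ],
};

console.log(JSON.stringify(auditAnonymousUsers(sampleSettings), null, 2));
```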