
Ensure Passwords Are Set for All MySQL Accounts

Description

A blank password allows a user to log in without supplying a password at all.

Rationale

A blank password lets anyone who knows the username and one of its allowed hosts connect without going through any authentication step.

An attacker can then connect to the server as that user, exposing sensitive data or compromising its integrity.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                     Value
secureclouddb/provider  aws
secureclouddb/service   rds
secureclouddb/engine    mysql

Default Rule

const { isEmpty, isEmptyArray } = module

/**
 * @param {Object} databaseSettings - database settings object; its `users` array
 *   carries one entry per MySQL account, with that account's mysql.user row under
 *   `mysql.usersTableSnapshot`
 * @returns {{success: boolean}} success is false when at least one account has an
 *   empty password in its snapshot
 */
function validate(databaseSettings) {
  let success = true
  if (databaseSettings && !isEmptyArray(databaseSettings.users)) {
    // look for users with empty passwords; entries without a snapshot are skipped
    const blankPwdUsers = databaseSettings.users.filter(user => user.mysql &&
                                                        user.mysql.usersTableSnapshot &&
                                                        isEmpty(user.mysql.usersTableSnapshot.password))

    success = isEmptyArray(blankPwdUsers)
  }

  return {
      success,
  }
}

// invoke
validate(databaseSettings);
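The following is an added, stand-alone example and not SecureCloudDB's own rule code. It applies the same decision as the Default Rule above to a constructed snapshot of mysql.user rows, but goes one step further and returns the offending accounts as user@host so the finding can be acted on directly. The `isEmpty` and `isEmptyArray` helpers are assumed stand-ins for the ones the rule imports from its host module; the sample users, hosts and hash strings are constructed placeholders.

```javascript
// Added example (not SecureCloudDB's own code): blank-password rule that also
// reports which accounts failed, run against a constructed mysql.user snapshot.

// Assumed semantics of the helpers the page's rule imports from its host module:
// a value is "empty" when it is missing, null or a blank string, and an array is
// "empty" when it is not an array or has no elements.
function isEmpty(value) {
  return value === undefined || value === null || String(value).trim() === "";
}
function isEmptyArray(value) {
  return !Array.isArray(value) || value.length === 0;
}

// Same filter as the page's rule, but returns the accounts as user@host.
// Entries without a mysql.user snapshot carry nothing to judge and are skipped,
// not flagged; a null or missing password field on a real snapshot is flagged.
function findBlankPasswordAccounts(databaseSettings) {
  if (!databaseSettings || isEmptyArray(databaseSettings.users)) {
    return [];
  }
  return databaseSettings.users
    .filter(u => u.mysql &&
                 u.mysql.usersTableSnapshot &&
                 isEmpty(u.mysql.usersTableSnapshot.password))
    .map(u => `${u.mysql.usersTableSnapshot.user}@${u.mysql.usersTableSnapshot.host}`);
}

// Rule entry point: success only when no account has a blank password.
function validate(databaseSettings) {
  const blankPwdUsers = findBlankPasswordAccounts(databaseSettings);
  return { success: blankPwdUsers.length === 0, blankPwdUsers };
}

// Constructed sample snapshot; the hash value is a placeholder, not a real hash.
const sampleSettings = {
  users: [
    { mysql: { usersTableSnapshot: { user: "admin",  host: "%",         password: "*PLACEHOLDER_HASH" } } },
    { mysql: { usersTableSnapshot: { user: "report", host: "10.0.0.%",  password: "" } } },
    { mysql: { usersTableSnapshot: { user: "legacy", host: "localhost", password: null } } },
    // no snapshot captured for this entry: skipped rather than flagged
    { mysql: {} },
  ],
};

// validate(sampleSettings) -> { success: false, blankPwdUsers: ["report@10.0.0.%", "legacy@localhost"] }
```

One caveat when wiring a snapshot like this up to a real instance: MySQL 5.7 removed the `Password` column from mysql.user, and from then on the credential hash lives in `authentication_string`. Whatever populates `usersTableSnapshot.password` must read that column on 5.7 and 8.0, otherwise every account arrives with an undefined password and the rule flags all of them. The direct check a DBA would run on such a server is `SELECT user, host FROM mysql.user WHERE authentication_string = '' OR authentication_string IS NULL;`, and the fix for each hit is `ALTER USER 'user'@'host' IDENTIFIED BY '<strong password>';` (or dropping the account if it is unused).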