Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'

Description

NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided.

Rationale

Without this setting, an administrative user might accidentally create a user without a password.

Blank passwords may allow someone to bypass authentication mechanisms, connect to the server and assume the identity of a user, compromising security.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                      Value
secureclouddb/provider   aws
secureclouddb/service    rds
secureclouddb/engine     mysql

Default Rule

const { getServerSetting, isEmpty } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if NO_AUTO_CREATE_USER is present in the sql_mode list
 */
function validate(databaseSettings) {
  const settingName = "sql_mode"
  const expectedValue = "no_auto_create_user"
  const currentValue = getServerSetting(databaseSettings, settingName)

  let success = false
  if (!isEmpty(currentValue)) {
    // sql_mode is a comma-separated list; compare case-insensitively and
    // ignore any whitespace around individual mode names
    const currentValueArray = currentValue
      .toLowerCase()
      .split(",")
      .map((mode) => mode.trim())
    success = currentValueArray.includes(expectedValue)
  }

  return {
    success,
  }
}

// invoke
validate(databaseSettings)
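The check above, carried a step further as an added example (not SecureCloudDB's rule code): it parses sql_mode the same way, and for a failing setting also returns the remediated value that adds NO_AUTO_CREATE_USER while preserving the modes already configured. The settings array and helper names (getSetting, evaluateNoAutoCreateUser, remediateSqlMode) are assumptions for this example, not the platform's API.

```javascript
// Added example, not the rule code from the page. `settings` is a constructed
// list of { name, value } pairs standing in for RDS parameter-group entries.
const REQUIRED_MODE = "NO_AUTO_CREATE_USER";

// Split a sql_mode string into normalised, upper-case mode names.
// Handles unset values, stray whitespace and mixed case.
function parseSqlMode(value) {
  if (typeof value !== "string") return [];
  return value
    .split(",")
    .map((m) => m.trim().toUpperCase())
    .filter((m) => m.length > 0);
}

// Case-insensitive lookup of a parameter by name (assumed helper).
function getSetting(settings, name) {
  const hit = settings.find((s) => s.name.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : null;
}

// Returns the sql_mode value with the required mode appended, keeping every
// mode that is already set; unchanged (apart from normalisation) if present.
function remediateSqlMode(value) {
  const modes = parseSqlMode(value);
  if (modes.includes(REQUIRED_MODE)) return modes.join(",");
  return [...modes, REQUIRED_MODE].join(",");
}

// Same pass/fail decision as the rule, plus the corrected value for the finding.
function evaluateNoAutoCreateUser(settings) {
  const current = getSetting(settings, "sql_mode");
  const success = parseSqlMode(current).includes(REQUIRED_MODE);
  return {
    success,
    current: current ?? "",
    remediation: success ? null : remediateSqlMode(current ?? ""),
  };
}

// Constructed sample parameter groups: compliant, non-compliant, and one with
// sql_mode not set at all (engine default applies, so the mode is absent).
const compliant = [{ name: "sql_mode", value: "STRICT_TRANS_TABLES,no_auto_create_user" }];
const nonCompliant = [{ name: "sql_mode", value: "STRICT_TRANS_TABLES, NO_ENGINE_SUBSTITUTION" }];
const unset = [{ name: "max_connections", value: "150" }];

console.log(evaluateNoAutoCreateUser(compliant));
console.log(evaluateNoAutoCreateUser(nonCompliant));
console.log(evaluateNoAutoCreateUser(unset));
```

NO_AUTO_CREATE_USER exists only in MySQL 5.x; MySQL 8.0 removed it (GRANT can no longer create accounts there), so the remediated value should only be applied to 5.x parameter groups.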