I’ve been working on a Nmap script for auditing MySQL databases against the CIS 1.0.2 benchmark for a while. I haven’t committed it to subversion yet, but it’s available to download for anyone who feels up to testing it. While it isn’t perfect nor does it contain all CIS controls, it provides Nmap users with the possibility to quickly scan a database to see whether it complies with the CIS recommendations or not.
The script is comprised of two parts; the engine and the rulebase. The engine (mysql-audit.nse) simply reads the rulebase (mysql-cis.audit) which contains all of the checks. The rulebase is quite simple and contains a few supporting functions making it trivial to add more rules to it.
The script and rulebase can be downloaded from nmap-dev and the files need to be copied to the correct directories in order to run. The script file (mysql-audit.nse) goes into the nmap script directory and the audit file could really go anywhere but I’ve copied it into the nselib/data directory.
In order to run, the script needs the following parameters:
- the hostname against which it’s supposed to run
- the port on which the MySQL database is running
- the username and password of a privileged account (eg. the MySQL root account)
The following command (contains line breaks for readability) instructs Nmap to scan the database at 18.104.22.168 on port 3306 using the username root and password foobar:
nmap -p 3306 22.214.171.124 --script mysql-audit --script-args "mysql-audit.filename='nselib/data/mysql-cis.audit' ,mysql-audit.username='root',mysql-audit.password='foobar'"
The result should look something similar to this:
| mysql-audit: | CIS MySQL Benchmark v1.0.2 | 3.1: Skip symbolic links => PASS | 3.2: Logs not on system partition => PASS | 3.2: Logs not on database partition => PASS | 4.1: Supported version of MySQL => REVIEW | Version: 5.1.54-1ubuntu4 | 4.4: Remove test database => PASS | 4.5: Change admin account name => FAIL | 4.7: Verify Secure Password Hashes => PASS | 4.9: Wildcards in user hostname => FAIL | The following users were found with wildcards in hostname | root | super | super2 | 4.10: No blank passwords => PASS . . .
I’m interested in both bug reports and success stories, so let me know of your results.