lacework-global-274
6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges (Manual)
Profile Applicability
• Level 1
Description
Best practices recommend setting a password for the administrative user (root
by default) to prevent unauthorized access to the SQL database instances.
This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.
Rationale
At the time of MySQL Instance creation, not providing an administrative password allows anyone to connect to the SQL database instance with administrative privileges. The root password should be set to ensure only authorized users have these privileges.
Impact
Connection strings for administrative clients need to be reconfigured to use a password.
Audit
From Command Line:
- List All SQL database instances of type MySQL:
gcloud sql instances list --filter='DATABASE_VERSION:MYSQL* --project <project_id> --format="(NAME,PRIMARY_ADDRESS)"'
- For every MySQL instance try to connect using the
PRIMARY_ADDRESS
, if available:
mysql -u root -h <mysql_instance_ip_address>
The command should return either an error message or a password prompt.
Sample Error message:
ERROR 1045 (28000): Access denied for user 'root'@'<Instance_IP>' (using password: NO)
If a command produces the mysql>
prompt, the MySQL instance allows anyone to connect with administrative privileges without needing a password.
The No Password
setting is exposed only at the time of MySQL instance creation. Once the instance is created, the Google Cloud Platform Console does not expose the set to confirm whether a password for an administrative user is set to a MySQL instance.
Remediation
From Console:
Go to the Cloud SQL Instances page in the Google Cloud Platform Console using
https://console.cloud.google.com/sql/
.Select the instance to open its Overview page.
Select
Access Control > Users
.Click the
More actions
icon for the user to update.Select
Change password
, specify a New password, and clickOK
.
From Command Line:
- Set a password to a MySql instance:
gcloud sql users set-password root --host=<host> --instance=<instance_name> --prompt-for-password
- When the prompt appears, enter a password:
Instance Password:
- With a successful password configured, the console displays the following message:
Updating Cloud SQL user...done.
References
https://cloud.google.com/sql/docs/mysql/create-manage-users
https://cloud.google.com/sql/docs/mysql/create-instance