mariadb-hardened-fips
Data
Fips
Hardened
Stig
docker pull reg.mini.dev/mariadb-hardened-fips
Data
Fips
Hardened
Stig
Updated 4 days ago
docker pull reg.mini.dev/mariadb-hardened-fips
CIS MariaDB
CIS MariaDB Compliance
100%
Passed
Scan Date
Image Tag
Checks
Analyzed
29Passed
29Failed
01 check excluded as irrelevant
CIS MariaDB 10.11 Benchmark v1.0.0
Use dedicated least privileged account for MariaDB daemon/service
CIS ID
1.2Status
Passed
Notes
Minimus verified the configuration to ensure mysqld/mariadbd runs as a dedicated non-root user with minimal privileges.
Disable MariaDB command history
CIS ID
1.3Status
Passed
Notes
Minimus verified the configuration to ensure MariaDB command history is disabled, to prevent credential and SQL leakage via ~/.mysql_history.
Verify that the MYSQL_PWD environment variable is not in use
CIS ID
1.4Status
Passed
Notes
Minimus verified the configuration to ensure the MYSQL_PWD environment variable is not in use. MYSQL_PWD bypasses normal credential handling and may leak via /proc.
Ensure interactive login is disabled
CIS ID
1.5Status
Passed
Hardened configuration
Notes
Minimus verified the configuration to ensure interactive login is disabled by configuring the database service account with a non-interactive shell.
Verify that 'MYSQL_PWD' is not set in users' profiles
CIS ID
1.6Status
Passed
Notes
Minimus verified the configuration to ensure that MYSQL_PWD is not set in users' profiles to prevent their export.
Ensure MariaDB is run under a sandbox environment
CIS ID
1.7Status
Passed
Notes
Running MariaDB inside a container satisfies the CIS isolation requirement. Implement further isolation (e.g., cgroup limits, seccomp, or AppArmor profiles) as dictated by your organization's deployment policy.
Ensure 'password_lifetime' is less than or equal to '365'
CIS ID
2.6Status
Passed
Hardened configuration
Notes
The Minimus configuration enforces password rotation via default_password_lifetime, helping ensure credentials are periodically renewed.
Limit accepted transport layer security (TLS) versions
CIS ID
2.10Status
Passed
Notes
Minimus verified the configuration to ensure modern Transport Layer Security (TLS) is enforced. Weak protocol versions in tls_version are not allowed.
Ensure 'datadir' has appropriate permissions
CIS ID
3.1Status
Passed
Hardened configuration
Notes
Minimus verified that the DataDir is owned by the database service account with minimal group access and is not world-writable.
Ensure 'relay_log_basename' files have appropriate permissions
CIS ID
3.5Status
Passed
Notes
Minimus verified that no relay log files are present by default. If relay logs are created at runtime, their ownership and permissions should be restricted.
Ensure 'general_log_file' has appropriate permissions
CIS ID
3.6Status
Passed
Notes
General logging is disabled by default. If log files exist, permissions are restricted so they can only be read and modified by the owner.
Ensure 'plugin_dir' has appropriate permissions
CIS ID
3.8Status
Passed
Hardened configuration
Notes
The plugin directory is restricted with appropriate read-only permissions to prevent unauthorized modification of MariaDB plugins.
Ensure the latest security patches are applied
CIS ID
4.1Status
Passed
Notes
Minimus updates the image's MariaDB package regularly to incorporate the latest official security releases and validates versions against supported vendor baselines. View the Minimus new version SLA for further information.
Ensure example or test databases are not installed on production servers
CIS ID
4.2Status
Passed
Notes
Ensures that no example or test databases are present to reduce the attack surface of the MariaDB server.
Ensure 'allow_suspicious_udfs' is set to 'OFF'
CIS ID
4.3Status
Passed
Notes
Ensures that `allow-suspicious-udfs` is set to OFF in the MariaDB configuration and is not specified in the mariadbd start up command. This prevents shared libraries that do not contain user-defined functions from loading to reduce the attack surface. Note that this benchmark is a level 2 defense in depth measure.
Harden usage for 'local_infile' on MariaDB client
CIS ID
4.4Status
Passed
Notes
Disables local_infile to reduce an attacker's ability to read sensitive files off the affected server via an SQL injection vulnerability.
Ensure mariadb is not started with 'skip-grant-tables'
CIS ID
4.5Status
Passed
Hardened configuration
Notes
Configured to disable all occurrences of skip-grant-tables and skip_grant_tables. This ensures mariadbd starts with the privilege system active, preventing clients from having unrestricted access to all databases.
Ensure symbolic links are disabled
CIS ID
4.6Status
Passed
Hardened configuration
Notes
Configured to disable symlink support (for example sets skip-symbolic-links to YES). Symbolic links are disabled to prevent their use in database files and to prevent overwriting files.
Ensure the 'secure_file_priv' is configured correctly
CIS ID
4.7Status
Passed
Hardened configuration
Notes
Ensures secure_file_priv is restricted to a dedicated directory to reduce an attacker's ability to read sensitive files via an SQL injection vulnerability.
Ensure 'sql_mode' contains 'STRICT_ALL_TABLES'
CIS ID
4.8Status
Passed
Hardened configuration
Notes
Ensures strict mode with sql_mode contains STRICT_ALL_TABLES to prevent silent data truncation which can lead to abuse. Note that this benchmark is a level 2 defense in depth measure.
Ensure 'log_error' is configured correctly
CIS ID
6.1Status
Out of scope
Notes
MariaDB error logging is enabled and written to stderr for collection by the container runtime or orchestration platform.
Ensure 'log_warnings' is set to '2'
CIS ID
6.3Status
Passed
Notes
The verbosity of the MariaDB error log is configured to include error and warning messages (log_warnings = 2).
Ensure audit logging is enabled
CIS ID
6.4Status
Passed
Hardened configuration
Notes
Configured to enable audit logging for connect events. Audit logs are used to investigate attacks.
Ensure the audit plugin can't be unloaded
CIS ID
6.5Status
Passed
Hardened configuration
Notes
Configures the audit tool to use the FORCE_PLUS_PERMANENT state. This ensures the audit plugin must load successfully for MariaDB to start and that it cannot be unloaded, disabled, or uninstalled while the database is live.
Disable use of the mysql_old_password plugin
CIS ID
7.1Status
Passed
Notes
Disables the legacy old_passwords configuration and enables secure_auth to completely block the outdated mysql_old_password plugin. This eliminates a flawed authentication routine, and protects database credentials from being easily cracked or exploited via Pass-the-Hash attacks.
Ensure passwords are not stored in the global configuration
CIS ID
7.2Status
Passed
Hardened configuration
Notes
Ensured no passwords are stored in the global configuration file (mariadb.cnf) since it must remain readable by all system users. This limits the risk of local credential exposure.
Ensure password complexity policies are in place
CIS ID
7.4Status
Passed
Hardened configuration
Notes
Configured with password validations to ensure password complexity policies are enforced. The policy requires passwords to be a minimum length of 14 characters and checks them against dictionaries of common, known, and expected passwords.
Ensure no anonymous accounts exist
CIS ID
7.6Status
Passed
Notes
Ensures no anonymous accounts exist. This disables anonymous database access and helps to ensure that only identified and trusted principals are capable of interacting with MariaDB.
Prevent password reuse
CIS ID
7.7Status
Passed
Hardened configuration
Notes
Configured to prevent password reuse and enforce strict password validation, helping reduce the risk of credential reuse after rotation.
Set maximum connection limits for server and per user
CIS ID
8.3Status
Passed
Hardened configuration
Notes
Limits the number of concurrent sessions at the server and per user level to reduce the risk of DoS attacks.
Additional Sections (Runtime benchmarks)
Additional checks
Additional sections involve runtime checks and other configurations that are out of scope for the image level. Their compliance must be configured and validated by operators in the deployed environment. The Minimus mariadb-hardened image is CIS-aligned and provides secure defaults with the required configuration hooks to implement these controls.
The following depend on deployment-specific inputs such as operator-provided certificates, secrets, network policy and the live database role and grant state: backup and disaster recovery (Section 2.1), dedicated hosts, account lifecycle and TLS policy (Sections 2.2-2.5, 2.7-2.8, 2.11-2.12, 7.3, 7.5, 8.1-8.2), database grants and stored routines (Section 5), partition placement and runtime file permissions (Sections 1.1, 3.2-3.4, 3.7, 3.9, 6.2), data and log encryption (Sections 4.9, 6.6) and replication (Section 9).
Status
Out of scope