[MDEV-32691] enhanced "Password Reuse Check Plugin" to STIG Standard Created: 2023-11-06  Updated: 2023-11-07  Resolved: 2023-11-07

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Plugins
Fix Version/s: N/A

Type: Task Priority: Major
Reporter: Richard Stracke Assignee: Unassigned
Resolution: Won't Do Votes: 1
Labels: authentication


 Description   

STIG Standards are:

1. minimum of 15 characters, including at least one of each of the following character sets:
- Upper-case
- Lower-case
- Numerics
- Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)
2. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight
 
3. Review the DBMS settings relating to password lifetime. Determine whether the following rules are enforced. If any are not, this is a finding.
a. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days
b. Password lifetime limits for non-interactive accounts: Minimum 24 hours, maximum 365 days
c. Number of password changes before an old one may be reused: Minimum of five .

https://www.stigviewer.com/stig/database_security_requirements_guide/2022-06-13/finding/V-206555

1. will already be covered from Simple Password Check Plugin

2. Adding variable

password_reuse_min_percentage
with default value of 50.

3.c can theoretically be emulated (more or less) by manipulating the
mysql.password_reuse_check_history table.

So adding a variable like

password_reuse_check_min_changed

password_reuse_check_min_changed
is the minimum number of changed passwords until the same password can be used again.



 Comments   
Comment by Sergei Golubchik [ 2023-11-06 ]

For the reference, that document says that

OS/enterprise authentication and identification must be used <...>. Native DBMS authentication may be used only when circumstances make it unavoidable <...>. The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate

Which means one should use unix_socket/pam/gssapi plugins. And when it's impossible, one should use SSL certificates for authentication. And when even that is impossible, one is allowed to resort to passwords.

Comment by Alexander Keremidarski [ 2023-11-06 ]

Implementing c. creates a huge security risk. This requires storing information about which characters are used in the current password, which is pretty much equivalent to storing the password in clear text. This is an insane requirement.
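The contrast raised in the comment above can be shown in code: a reuse history (rule 3.c) needs only salted hashes of past passwords, while a "minimum characters changed" check (rule 2) cannot be computed from a hash and needs the previous plaintext. This is an added example, not the ticket's or MariaDB's plugin code; the function names, the PBKDF2 parameters and the position-wise reading of "characters changed" are assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional

MIN_LENGTH = 15     # STIG rule 1
MIN_CHANGED = 8     # STIG rule 2: the finding text gives eight
HISTORY_DEPTH = 5   # STIG rule 3.c
SPECIALS = set("~!@#$%^&*()_+=-'[]/?><")


def meets_complexity(pw: str) -> bool:
    """Rule 1: at least MIN_LENGTH chars and one of each character class."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def derive(pw: str, salt: bytes) -> bytes:
    """Salted, slow hash: the only thing a reuse history needs to keep (iteration count assumed)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


class ReuseHistory:
    """Stores (salt, digest) pairs for the last HISTORY_DEPTH passwords, never plaintext."""
    def __init__(self) -> None:
        self.entries: List[tuple] = []

    def is_reused(self, pw: str) -> bool:
        return any(hmac.compare_digest(derive(pw, s), d) for s, d in self.entries)

    def record(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries = (self.entries + [(salt, derive(pw, salt))])[-HISTORY_DEPTH:]


def changed_characters(old_plain: str, new_plain: str) -> int:
    """Rule 2 read as a position-wise difference count. It takes the OLD PLAINTEXT:
    nothing derivable from a stored digest can answer it, which is the comment's objection."""
    longest = max(len(old_plain), len(new_plain))
    return sum(1 for i in range(longest)
               if i >= len(old_plain) or i >= len(new_plain) or old_plain[i] != new_plain[i])


def check_password(new: str, history: ReuseHistory, old_plain: Optional[str] = None) -> List[str]:
    """Returns the list of STIG findings for a proposed new password (empty list means accepted)."""
    findings = []
    if not meets_complexity(new):
        findings.append("rule 1: complexity")
    if old_plain is not None and changed_characters(old_plain, new) < MIN_CHANGED:
        findings.append("rule 2: too few characters changed")
    if history.is_reused(new):
        findings.append("rule 3.c: password reused")
    return findings
```

Note that `check_password` can only evaluate rule 2 when the caller supplies `old_plain`; with a hash-only history that argument is unavailable, so rule 2 silently goes unchecked.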

Generated at Thu Feb 08 10:33:16 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.