MySql Account Vulnerability in DX NetOps Performance Management

Article ID: 217206

Updated On:

Products

DX NetOps CA Performance Management - Usage and Administration

Issue/Introduction

Can the default mysql OS user created for the MySql database on the DX NetOps Performance Management (PM) Performance Center (PC) Portal web UI be locked or set with a password?

A vulnerability has been identified in PM with the MySql account (mysql).  The vulnerability is listed as:

"Accounts that have been locked are prohibited from running commands on the system. Such accounts are not able to login to the system and not able to use scheduled execution facilities such as cron.
          
System accounts should be locked and their shells set to a blocked environment as according to the business needs and organization's security policies.

Unused user accounts should be removed from the host as according to the business needs and organization's security policies.

To lock the user accounts:

# passwd -l [username]

","2021-04-14 21:52:54","110500","[C1] - CIS Benchmark for Red Hat Enterprise Linux 7, v2.1.1 [Scored, Level 1 and Level 2] v.2.0","9391","","Access Control Requirements","Account Creation/User Management","Failed","Red Hat Enterprise Linux 7.x","Red Hat Enterprise Linux Server 7.9","N","6","Status of the System Accounts"

The suggested remediation is to lock the mysql account with the command:

passwd -l mysql

Can you advise if this will break PM?

Environment

All supported DX NetOps Performance Management releases

Resolution

By default, the following applies to the mysql OS user created for the MySql database on the DX NetOps Performance Management (PM) Performance Center (PC) Portal web UI server:

  • The OS mysql user account doesn't have a valid password set.
    • We don't set one when creating the user the first time during initial/new installation.
    • As a result no user should be able to log in as the mysql OS system user.
  • The PM tool never logs in as the mysql OS system user. It's only used to manage and run the mysql services and database.
  • We don't create or run any cron jobs or other automated tasks using the OS mysql user account.

Options to lock this user for improved security without breaking the product are as follows.

  • Set a password
  • Use the -l option of the passwd command to lock the user.
  • The recommended solution, if necessary, is to use sudo to start/stop the services.
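
To confirm which of the states described above an account is in (no valid password, locked with `passwd -l`, or password set), the following added example, which is not part of the original article or the product, classifies the password field and login shell from shadow(5)/passwd(5)-format files. The function names, the `svc_*` accounts and all sample entries are constructed for illustration, and it assumes the `!`/`!!` prefix convention used in the shadow file on Red Hat-style systems.

```shell
#!/bin/sh
# Added example (not vendor code): report whether an account can
# authenticate with a password and whether its shell blocks logins.
# Takes shadow(5)/passwd(5)-format files as arguments so it can run on copies.

# pw_state SHADOW_FILE USER -> empty | no-valid-password | locked | password-set | missing
pw_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")            print "empty"              # no password required
            else if ($2 ~ /^[!*]+$/) print "no-valid-password"  # e.g. "!!" or "*": nothing to match
            else if ($2 ~ /^!/)      print "locked"             # hash kept, disabled by "!" prefix
            else                     print "password-set"
        }
        END { if (!found) print "missing" }' "$1"
}

# shell_state PASSWD_FILE USER -> blocked | interactive | missing
shell_state() {
    awk -F: -v u="$2" '
        $1 == u { found = 1; print ($7 ~ /\/(nologin|false)$/ ? "blocked" : "interactive") }
        END { if (!found) print "missing" }' "$1"
}

# write_samples DIR: constructed sample data, not taken from a real host.
write_samples() {
    cat > "$1/shadow" <<'EOF'
mysql:!!:18731::::::
svc_locked:!!$6$constructedsalt$constructedhash:18731:0:99999:7:::
svc_pw:$6$constructedsalt$constructedhash:18731:0:99999:7:::
svc_empty::18731:0:99999:7:::
EOF
    cat > "$1/passwd" <<'EOF'
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
svc_locked:x:1001:1001::/home/svc_locked:/sbin/nologin
svc_pw:x:1002:1002::/home/svc_pw:/bin/bash
svc_empty:x:1003:1003::/home/svc_empty:/bin/false
EOF
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for user in mysql svc_locked svc_pw svc_empty; do
    printf '%-11s password=%-18s shell=%s\n' "$user" \
        "$(pw_state "$SAMPLES/shadow" "$user")" "$(shell_state "$SAMPLES/passwd" "$user")"
done
```

On a live host, call the two functions as root with `/etc/shadow` and `/etc/passwd` in place of the sample files.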