{"id":39076158,"url":"https://github.com/cloud-gov/mysql-8-stig-overlay","last_synced_at":"2026-01-17T18:26:49.344Z","repository":{"id":292910512,"uuid":"980792676","full_name":"cloud-gov/mysql-8-stig-overlay","owner":"cloud-gov","description":"Cloud.gov overlay for the baseline InSpec MySQL 8.0 STIG profile","archived":false,"fork":false,"pushed_at":"2025-08-06T16:47:45.000Z","size":52,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-08-06T18:29:57.017Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloud-gov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-09T18:13:42.000Z","updated_at":"2025-07-25T17:04:54.000Z","dependencies_parsed_at":"2025-05-12T19:50:25.308Z","dependency_job_id":"00ded0e7-92f7-4f5e-ba0a-aef7226b8b90","html_url":"https://github.com/cloud-gov/mysql-8-stig-overlay","commit_stats":null,"previous_names":["cloud-gov/mysql-8-stig-overlay"],"tags_count":0,"template":false,"template_full_name":"cloud-gov/.github","purl":"pkg:github/cloud-gov/mysql-8-stig-overlay","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fmysql-8-stig-overlay","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fmysql-8-stig-overlay/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fmysql-8-stig-overlay/releases","mani
fests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fmysql-8-stig-overlay/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloud-gov","download_url":"https://codeload.github.com/cloud-gov/mysql-8-stig-overlay/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2Fmysql-8-stig-overlay/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28515474,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T17:57:59.192Z","status":"ssl_error","status_checked_at":"2026-01-17T17:57:52.527Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-17T18:26:49.250Z","updated_at":"2026-01-17T18:26:49.325Z","avatar_url":"https://github.com/cloud-gov.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cloud.gov MySQL STIG Compliance Overlay\n\nCloud.gov overlay for the baseline InSpec profile at \u003chttps://github.com/mitre/oracle-mysql-8-stig-baseline/\u003e with modifications based on Cloud.gov's policy and compliance requirements.\n\nThe baseline InSpec profile is used to validate the secure configuration of Oracle MySQL 8.x exactly against DISA's Oracle MySQL 8.0 (STIG) Version 1 Release 1.\n\nThis Overlay profile 
clearly distinguishes and measures compliance to OUR policy requirements without modification to the baseline profile or misrepresentation that we are exactly compliant with the original Benchmark. This overlay allows us to show compliance with our own vetted requirements.\n\nThis overlay work is based on upstream work at \u003chttps://github.com/mitre/sample-mysql-overlay\u003e.\n\nFor this work we use the open-source `cinc-auditor` from the [Cinc Project](https://cinc.sh), derived from [Chef InSpec](https://docs.chef.io/inspec/).\n\n## About the Overlay\n\nThe Cloud.gov customizations are in `./controls/overlay.rb`. We've determined that several are \"Not Applicable\" in our environment, so we have set `impact: 0.0`.\n\n## About the implementation\n\nSee the following code in our [Terraform provisioning](https://github.com/cloud-gov/terraform-provision) repository:\n\n* [Module `rds_stig`](https://github.com/cloud-gov/terraform-provision/tree/main/terraform/modules/rds_stig)\n* [Script to run MySQL SQL commands](https://github.com/cloud-gov/terraform-provision/blob/main/ci/scripts/create-and-update-mysql.sh)\n\n## Testing this overlay against an existing AWS RDS DB in Cloud.gov\n\nAuditing is currently done on-demand from a Cloud.gov platform operator's workstation.  Running as part of CI/CD is a future implementation step (as of 2025-08-06).  Assuming you're on a Cloud.gov dev workstation:\n\n* Install `mysql-client` and `cinc-auditor`\n  * e.g. 
`brew install cinc-workstation; brew install mysql-client`\n  * note: We have requested that corporate policies allow access to downloads.cinc.sh, but that may not yet have happened.\n* The next steps are fully described in \u003chttps://github.com/cloud.gov/internal-docs\u003e:\n  * Obtain the MySQL database hostname, username, and password\n  * Establish an SSH tunnel from localhost:3306 to remote_server:3306\n  * Test `mysql` connection with `mysql -p -h 127.0.0.1 -u \u003cUSERNAME\u003e` (and password)\n  * Note: **DO NOT** use `mysql -p$PASSWORD -h 127.0.0.1 -u \u003cUSERNAME\u003e` as the passwords will be visible in the system process list.\n* Copy `input_sample.yml` to `input.yml`\n* Update `input.yml` with the `user` and `password`. Be sure to \n  * set strict file permissions\n  * delete the file when your work is done\n* Run `cinc-auditor` for the profile:\n\n```sh\ncinc-auditor exec .  --show-progress --input-file input.yml  \\\n --reporter=cli json:reports/$(date +'%Y-%m-%dH%H%M').json \n```\n\n* Or run `cinc-auditor` for a single control, e.g.:\n\n```sh\ncinc-auditor exec .  --show-progress --input-file input.yml  \\\n  --reporter=cli json:reports/$(date +'%Y-%m-%dH%H%M').json \\\n  --controls 'SV-235096'\n```\n\n## Using Heimdall for Viewing the JSON Results\n\nThe JSON results output file can be loaded into __[heimdall-lite](https://github.com/mitre/heimdall2/)__ for a user-interactive, graphical view of the InSpec results. For local usage:\n\n```shell\nnpx @mitre/heimdall-lite \u0026\n```\n\nThe Heimdall-Lite interface will be available at \u003chttp://localhost:8080\u003e. 
From the\nFinder, you can then drag the `.json` results into the viewer to see if there are any variations from our standards.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-gov%2Fmysql-8-stig-overlay","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloud-gov%2Fmysql-8-stig-overlay","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-gov%2Fmysql-8-stig-overlay/lists"}