only run password-checks when the appropriate columns exist

Sebastian Gumprich · Sebastian Gumprich · commit 7ac92c60a6f8 · 2020-08-20T20:25:46.000+02:00
Signed-off-by: Sebastian Gumprich &lt;github@gumpri.ch&gt;
diff --git a/controls/mysql_db.rb b/controls/mysql_db.rb
@@ -54,11 +54,25 @@
 control 'mysql-db-05' do
   impact 1.0
   title 'default passwords must be changed'
+  only_if('mysql user table has a password column') do
+    command("mysql -u#{user} -p#{pass} mysql -sN -e 'SELECT count(COLUMN_NAME) FROM information_schema.COLUMNS  WHERE      TABLE_SCHEMA = \"mysql\"  AND TABLE_NAME = \"user\"  AND COLUMN_NAME = \"password\";'").stdout.strip == '1'
+  end
   describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where length(password)=0 or password=\"\";' | tail -1") do
     its(:stdout) { should match(/^0/) }
   end
 end
 
+control 'mysql-db-05b' do
+  impact 1.0
+  title 'default passwords must be changed'
+  only_if('mysql user table has an authentication_string column') do
+    command("mysql -u#{user} -p#{pass} mysql -sN -e 'SELECT count(COLUMN_NAME) FROM information_schema.COLUMNS  WHERE      TABLE_SCHEMA = \"mysql\"  AND TABLE_NAME = \"user\"  AND COLUMN_NAME = \"authentication_string\";'").stdout.strip == '1'
+  end
+  describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where length(authentication_string)=0 or authentication_string=\"\";' | tail -1") do
+    its(:stdout) { should match(/^0/) }
+  end
+end
+
 control 'mysql-db-06' do
   impact 0.5
   title 'the grant option must not be used'
