MYSQL5/SecureConfigs

Description

This rule checks if a series of relevant security configurations are correctly defined for MySQL server. Specifically:

user

Must be set to mysql, so that the mysqld server runs as the user named mysql.

skip-symbolic-links

Must be set to 1. This option controls symbolic link support: on Unix, enabling symbolic links means that you can link a MyISAM index file or data file to another directory with the INDEX DIRECTORY or DATA DIRECTORY option of the CREATE TABLE statement.

secure-file-priv

Must not be set. LOAD DATA, SELECT ... INTO and LOAD_FILE() will only work with files in the specified path. If the option is not set (the default) or is set to an empty string, these statements will work with any file the server can access.

local-infile

Must be set to 0. Attempts to perform a LOAD DATA LOCAL will fail with an error message.

skip-show-database

Must be set to OFF. When this option is enabled, only users with the SHOW DATABASES privilege can use the SHOW DATABASES statement to see all database names.

skip-grant-tables

Must not be set (the default is OFF). If set to ON, it gives anyone with access to the server unrestricted access to all databases.

allow-suspicious-udfs

Must be set to OFF. This option controls whether user-defined functions that have only an xxx symbol for the main function can be loaded. By default the option is OFF, and only UDFs that have at least one auxiliary symbol can be loaded.

Rationale

Following these recommended security settings will prevent execution of undesired SQL scripts, keep the mysql.user table safe from unauthorized access, and avoid exposing databases to undesired queries, among other risks.

Most of these settings are MySQL defaults; changing them can compromise the MySQL database as well as the overall security of the server.

Change the MySQL configuration file to ensure the settings described above are defined as recommended.
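As an added example (not part of this rule or of the scanner that ships it), the Python script below parses the [mysqld] section of a my.cnf file and reports which of the settings listed above are not at the recommended value; both sample configuration files are constructed. For secure-file-priv it treats an absent or empty value as the unrestricted state the description explains, and for skip-show-database it requires the option to be enabled, which is the state the description explains.

```python
import configparser

# Constructed sample configuration files (not from the original page)
WEAK_CNF = """
[mysqld]
user = root
symbolic-links = 1
local-infile = 1
skip-grant-tables
allow-suspicious-udfs = ON
"""

HARDENED_CNF = """
[mysqld]
user = mysql
skip-symbolic-links = 1
secure-file-priv = /var/lib/mysql-files
local-infile = 0
skip-show-database
allow-suspicious-udfs = OFF
"""

TRUE_WORDS = {"1", "on", "true", "yes"}

def parse_mysqld(text):
    """Return the [mysqld] options as a dict; a bare option line means the option is enabled."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    # MySQL treats '-' and '_' in option names as equivalent, so normalise to '_'
    return {k.replace("-", "_"): "1" if v is None else v.strip()
            for k, v in cp.items("mysqld")}

def enabled(opts, name):
    return name in opts and opts[name].lower() in TRUE_WORDS

def check_secure_configs(text):
    """Evaluate the rule's seven settings; an empty list means the file is compliant."""
    o = parse_mysqld(text)
    findings = []
    if o.get("user") != "mysql":
        findings.append("user: mysqld should run as the 'mysql' user")
    if not enabled(o, "skip_symbolic_links"):
        findings.append("skip-symbolic-links: should be 1")
    if not o.get("secure_file_priv"):
        findings.append("secure-file-priv: empty or absent, file operations are unrestricted")
    if o.get("local_infile", "1").lower() in TRUE_WORDS:  # MySQL 5.x enables it by default
        findings.append("local-infile: should be 0")
    if not enabled(o, "skip_show_database"):
        findings.append("skip-show-database: should be enabled")
    if enabled(o, "skip_grant_tables"):
        findings.append("skip-grant-tables: must not be set")
    if enabled(o, "allow_suspicious_udfs"):
        findings.append("allow-suspicious-udfs: should be OFF")
    return findings

if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(label, check_secure_configs(cnf) or "compliant")
```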