MySQL5/LogFilePermission

Description

This rule checks that the configured MySQL error log file is owned by the mysql user and belongs to the specified log group, and that other users and groups have no read, write or execute access to the log file.

Rationale

Restricting access to the log file to the users and processes that need it avoids exposing details of the database system to other accounts and prevents unintended permission exceptions on the host.

As stated by the principle of least privilege: a user, program, or process should have only the bare minimum privileges necessary to perform its function.

Execute the following SQL statement to determine the log_error path:

show global variables like 'log_error';

With the log_error path, execute the following commands at a terminal prompt:

chmod 660 <log file>
chown mysql:adm <log file>
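As an added example that is not part of the original rule text, the following POSIX shell script queries log_error with the statement above and applies the ownership and mode checks the rule describes. It assumes GNU coreutils stat (Linux) and a mysql client that can read global variables; the expected owner and group are passed as arguments (mysql and adm, matching the chown line of this rule).

```shell
#!/bin/sh
# Added example: audit the MySQL error log's owner, group and mode.
# Assumes GNU `stat -c` (Linux) and a `mysql` client with access to
# SHOW GLOBAL VARIABLES. A relative log_error value is resolved by the
# server relative to datadir; this script only handles absolute paths.

# Print the log_error path, or return 1 when MySQL logs to stderr/stdout
# (the MySQL 8 default in some deployments) or the variable is empty.
mysql_log_error_path() {
    path=$(mysql -N -s -e "show global variables like 'log_error';" | awk '{print $2}')
    case "$path" in
        ""|stderr|stdout) return 1 ;;
    esac
    printf '%s\n' "$path"
}

# check_log_file_perms <file> <owner> <group>
# Returns 0 when the file is owned by <owner>:<group> and the "other"
# permission bits are all clear; otherwise prints each failed condition
# and returns 1 (so it can drive a compliance script's exit status).
check_log_file_perms() {
    file=$1; want_user=$2; want_group=$3
    [ -f "$file" ] || { echo "FAIL: $file is not a regular file"; return 1; }
    owner=$(stat -c %U "$file")
    group=$(stat -c %G "$file")
    mode=$(stat -c %a "$file")                  # e.g. 660 or 664
    other=$(printf '%s' "$mode" | tail -c 1)    # last octal digit = "other"
    rc=0
    [ "$owner" = "$want_user" ]  || { echo "FAIL: owner is $owner, expected $want_user"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "FAIL: group is $group, expected $want_group"; rc=1; }
    [ "$other" = "0" ]           || { echo "FAIL: mode $mode grants access to others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $file is $owner:$group mode $mode"
    return "$rc"
}

# Live audit against a running server (commented out so the script is inert
# when sourced): fetch the path, then apply the rule's expected owner/group.
# log=$(mysql_log_error_path) && check_log_file_perms "$log" mysql adm
```

A non-zero exit from check_log_file_perms means the file still needs the chmod/chown steps above.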