12.5 MySQL Security Standard Rules

The following are the MySQL Security Standard compliance rules:

Audit Log Accounts Excluded

Description The Enterprise Audit Log Plugin is Filtering Events By Account Origin

Severity Warning

Advice When using the options audit_log_include_accounts or audit_log_exclude_accounts, the plugin may not be logging all events which may be required for later analysis. Consider whether the filtering of events by account is required, and remove the configuration values for audit_log_exclude_accounts or audit_log_include_accounts if not.

Audit Log Policy Not ALL

Description The Enterprise Audit Log Plugin is Filtering Events By Event Status

Severity Warning

Advice When audit_log_connection_policy or audit_log_statement_policy is set to a value other than ALL, the plugin may not be logging all events which may be required for later analysis. Consider whether the filtering of events by status is required, and remove the configuration values for audit_log_connection_policy or audit_log_statement_policy if not.

Firewall Disabled

Description MySQL Enterprise Firewall can be in one of two global modes once installed, enabled or disabled.

Severity Warning

Advice To enable or disable the firewall, set the mysql_firewall_mode system variable. By default, this variable is enabled when the firewall is installed. To control the initial firewall state explicitly, you can set the variable at server startup.

LOCAL Option Of LOAD DATA Statement Is Enabled

Description The LOAD DATA statement can load a file that is located on the server host, or it can load a file that is located on the client host when the LOCAL keyword is specified. There are two potential security issues with supporting the LOCAL version of LOAD DATA statements:

The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server's choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access.

In a Web environment where the clients are connecting from a separate web server, a user could use LOAD DATA LOCAL to read any files that the web server process has read access to (assuming that a user could run any statement against the SQL server). In this environment, the client with respect to the MySQL server actually is the web server, not the remote program being run by the user who connects to the web server.

Severity Warning

Advice Start the MySQL Server with the --local-infile option disabled (--local-infile=0), or add "local-infile=0" to your MySQL configuration file (my.cnf).

Symlinks Are Enabled

Description You can move tables and databases from the database directory to other locations and replace them with symbolic links to the new locations. You might want to do this, for example, to move a database to a file system with more free space or to increase the speed of your system by spreading your tables to different disks. However, symlinks can compromise security. This is especially important if you run mysqld as root, because anyone who has write access to the server's data directory could then delete any file in the system!

Severity Warning

Advice Disable the use of symlinks by starting MySQL with the --skip-symbolic-links option or adding skip-symbolic-links to your MySQL configuration file (my.cnf) and restarting the server.
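As an added example (not part of the MySQL Enterprise Monitor documentation), the script below evaluates these five rules against the rows returned by SHOW GLOBAL VARIABLES. The sample values are constructed, and the mapping of each rule to the system variables it reads (mysql_firewall_mode, local_infile, have_symlink and the audit_log_* variables) is an assumption based on the options named in the rules above.

```python
from typing import Dict, List

# Query to run on a live server; pass the resulting name/value rows to
# check_security_rules(). Variables of plugins that are not installed
# are simply absent from the result.
VARIABLES_QUERY = (
    "SHOW GLOBAL VARIABLES WHERE Variable_name IN ("
    "'audit_log_include_accounts', 'audit_log_exclude_accounts', "
    "'audit_log_connection_policy', 'audit_log_statement_policy', "
    "'mysql_firewall_mode', 'local_infile', 'have_symlink')"
)


def _is_set(vars_: Dict[str, str], name: str) -> bool:
    # A NULL account filter shows as an empty string or 'NULL' depending on client.
    value = vars_.get(name)
    return value is not None and value != "" and value.upper() != "NULL"


def check_security_rules(vars_: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fail (all are severity Warning)."""
    failed = []
    if _is_set(vars_, "audit_log_include_accounts") or _is_set(vars_, "audit_log_exclude_accounts"):
        failed.append("Audit Log Accounts Excluded")
    # Either policy variable set to something other than ALL drops events.
    if any(vars_[n].upper() != "ALL" for n in
           ("audit_log_connection_policy", "audit_log_statement_policy") if n in vars_):
        failed.append("Audit Log Policy Not ALL")
    if vars_.get("mysql_firewall_mode", "").upper() == "OFF":
        failed.append("Firewall Disabled")
    if vars_.get("local_infile", "").upper() in ("ON", "1"):
        failed.append("LOCAL Option Of LOAD DATA Statement Is Enabled")
    # skip-symbolic-links makes have_symlink report DISABLED rather than YES.
    if vars_.get("have_symlink", "").upper() == "YES":
        failed.append("Symlinks Are Enabled")
    return failed


# Constructed sample: a server with the audit plugin and firewall installed
# but configured weakly on four of the five rules.
SAMPLE_VARIABLES = {
    "audit_log_include_accounts": "",
    "audit_log_exclude_accounts": "root@localhost",
    "audit_log_connection_policy": "ERRORS",
    "audit_log_statement_policy": "ALL",
    "mysql_firewall_mode": "OFF",
    "local_infile": "ON",
    "have_symlink": "DISABLED",
}

if __name__ == "__main__":
    for rule in check_security_rules(SAMPLE_VARIABLES):
        print("WARNING:", rule)
```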