The following are the MySQL Security Standard compliance rules:
Description The Enterprise Audit Log Plugin is Filtering Events By Account Origin
Severity Warning
Advice When using the options audit_log_include_accounts or audit_log_exclude_accounts, the plugin may not be logging all events which may be required for later analysis. Consider whether the filtering of events by account is required, and remove the configuration values for audit_log_exclude_accounts or audit_log_include_accounts if not.
Description The Enterprise Audit Log Plugin is Filtering Events By Event Status
Severity Warning
Advice When using audit_log_connection_policy or audit_log_statement_policy, the plugin may not be logging all events which may be required for later analysis. Consider whether the filtering of events by status is required, and remove the configuration values for audit_log_connection_policy or audit_log_statement_policy if not.
Description MySQL Enterprise Firewall can be in one of two global modes once installed, enabled or disabled.
Severity Warning
Advice To enable or disable the firewall, set the mysql_firewall_mode system variable. By default, this variable is enabled when the firewall is installed. To control the initial firewall state explicitly, you can set the variable at server startup.
Description The LOAD DATA statement can load a file that is located on the server host, or it can load a file that is located on the client host when the LOCAL keyword is specified. There are two potential security issues with supporting the LOCAL version of LOAD DATA statements:
- The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server's choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access.
- In a Web environment where the clients are connecting from a separate web server, a user could use LOAD DATA LOCAL to read any files that the web server process has read access to (assuming that a user could run any statement against the SQL server). In this environment, the client with respect to the MySQL server actually is the web server, not the remote program being run by the user who connects to the web server.
Severity Warning
Advice Start the MySQL Server with the --local-infile option disabled (--local-infile=0), or add "local-infile = 0" to your MySQL configuration file (my.cnf).
Description You can move tables and databases from the database directory to other locations and replace them with symbolic links to the new locations. You might want to do this, for example, to move a database to a file system with more free space or to increase the speed of your system by spreading your tables to different disks. However, symlinks can compromise security. This is especially important if you run mysqld as root, because anyone who has write access to the server's data directory could then delete any file in the system!
Severity Warning
Advice Disable the use of symlinks by starting MySQL with the --skip-symbolic-links option or adding skip-symbolic-links to your MySQL configuration file (my.cnf) and restarting the server.
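
The rules above can be checked offline against an option file before the server is started. The following Python check is an added example, not part of the original rule set or of any MySQL tool. It assumes that only the [mysqld] section matters, that an unset local-infile or symbolic-links option counts as a finding (defaults differ between server versions), and it uses a constructed sample file.

```python
FALSY = {"0", "off", "false"}  # values that disable a boolean option


def parse_mysqld(text):
    """Return the [mysqld] options as {normalized_name: value}."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "mysqld" and line and line[0] not in "#;!":
            name, sep, value = line.partition("=")
            # Option files treat '-' and '_' in names as equivalent.
            name = name.strip().lower().replace("-", "_").removeprefix("loose_")
            value = value.strip().strip("'\"") if sep else "1"  # bare option = enabled
            if name.startswith("skip_"):  # skip-foo is the same as foo=0
                name, value = name[5:], "0"
            opts[name] = value
    return opts


def audit(text):
    """Return one warning string per rule on this page that the config trips."""
    o, found = parse_mysqld(text), []
    for k in ("audit_log_include_accounts", "audit_log_exclude_accounts"):
        if o.get(k, "").upper() not in ("", "NULL"):
            found.append(f"{k}: audit log filtered by account")
    for k in ("audit_log_connection_policy", "audit_log_statement_policy"):
        if o.get(k, "ALL").upper() != "ALL":
            found.append(f"{k}={o[k]}: audit log filtered by event status")
    if o.get("mysql_firewall_mode", "on").lower() in FALSY:
        found.append("mysql_firewall_mode: firewall disabled")
    # Assumption: an unset option is reported, because defaults vary by version.
    for k in ("local_infile", "symbolic_links"):
        if o.get(k, "unset").lower() not in FALSY:
            found.append(f"{k}: not explicitly disabled")
    return found


# Constructed sample option file (not taken from the page).
SAMPLE = """\
[client]
local-infile = 1
[mysqld]
audit_log_exclude_accounts = 'batch@localhost'
audit-log-statement-policy = ERRORS
mysql_firewall_mode = OFF
skip-symbolic-links
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A value set in the option file can still be overridden on the command line or at runtime, so the running server's global variables should be compared against the same rules.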