Hardening MySQL

Best practices and references used for hardening MySQL.

CIS Benchmarks

MySQL 5.7 CIS Benchmark v1.0.0 (columns: reference, recommendation, Scored Y/N, profile Level)

| Ref | Recommendation | Scored | Level |
|-----|----------------|--------|-------|
| 1 | Operating System Level Configuration | | |
| 1.1 | Place Databases on Non-System Partitions | Y | 1 |
| 1.2 | Use Dedicated Least Privileged Account for MySQL Daemon/Service | Y | 1 |
| 1.3 | Disable MySQL Command History | Y | 2 |
| 1.4 | Verify that 'MYSQL_PWD' Is Not Set | Y | 1 |
| 1.5 | Disable Interactive Login | Y | 2 |
| 2 | Installation and Planning | | |
| 2.1 | Dedicate Machine Running MySQL | N | 1 |
| 2.2 | Do Not Specify Passwords in Command Line | N | 1 |
| 2.3 | Do Not Reuse User Accounts | N | 1 |
| 2.4 | Do Not Use Default or Shared Cryptographic Material | N | 2 |
| 3 | File Permissions and Ownership | | |
| 3.1 | Ensure 'datadir' Has Appropriate Permissions and Ownership | Y | 1 |
| 3.2 | Ensure 'log_bin_basename' Files Have Appropriate Permissions and Ownership | Y | 1 |
| 3.3 | Ensure 'log_error' Has Appropriate Permissions and Ownership | Y | 1 |
| 3.4 | Ensure 'slow_query_log' Has Appropriate Permissions and Ownership | Y | 1 |
| 3.5 | Ensure 'relay_log_basename' Files Have Appropriate Permissions and Ownership | Y | 1 |
| 3.6 | Ensure 'general_log_file' Has Appropriate Permissions and Ownership | Y | 1 |
| 3.7 | Ensure SSL Key Files Have Appropriate Permissions and Ownership | Y | 1 |
| 3.8 | Ensure Plugin Directory Has Appropriate Permissions and Ownership | Y | 1 |
| 3.9 | Ensure 'audit_log_file' Has Appropriate Permissions and Ownership | Y | 1 |
| 4 | General | | |
| 4.1 | Ensure Latest Security Patches Are Applied | N | 1 |
| 4.2 | Ensure the 'test' Database Is Not Installed | Y | 1 |
| 4.3 | Ensure 'allow-suspicious-udfs' Is Set to 'FALSE' | Y | 2 |
| 4.4 | Ensure 'local_infile' Is Disabled | Y | 1 |
| 4.5 | Ensure 'mysqld' Is Not Started with '--skip-grant-tables' | Y | 1 |
| 4.6 | Ensure '--skip-symbolic-links' Is Enabled | Y | 1 |
| 4.7 | Ensure the 'daemon_memcached' Plugin Is Disabled | Y | 1 |
| 4.8 | Ensure 'secure_file_priv' Is Not Empty | Y | 1 |
| 4.9 | Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES' | Y | 2 |
| 5 | MySQL Permissions | | |
| 5.1 | Ensure Only Administrative Users Have Full Database Access | Y | 1 |
| 5.2 | Ensure 'file_priv' Is Not Set to 'Y' for Non-Administrative Users | Y | 1 |
| 5.3 | Ensure 'process_priv' Is Not Set to 'Y' for Non-Administrative Users | Y | 2 |
| 5.4 | Ensure 'super_priv' Is Not Set to 'Y' for Non-Administrative Users | Y | 1 |
| 5.5 | Ensure 'shutdown_priv' Is Not Set to 'Y' for Non-Administrative Users | Y | 1 |
| 5.6 | Ensure 'create_user_priv' Is Not Set to 'Y' for Non-Administrative Users | Y | 1 |
| 5.7 | Ensure 'grant_priv' Is Not Set to 'Y' for Non-Administrative Users | Y | 1 |
| 5.8 | Ensure 'repl_slave_priv' Is Not Set to 'Y' for Non-Slave Users | Y | 1 |
| 5.9 | Ensure DML/DDL Grants Are Limited to Specific Databases and Users | Y | 1 |
| 6 | Auditing and Logging | | |
| 6.1 | Ensure 'log_error' Is Not Empty | Y | 1 |
| 6.2 | Ensure Log Files Are Stored on a Non-System Partition | Y | 1 |
| 6.3 | Ensure 'log_warnings' Is Set to '2' | Y | 2 |
| 6.4 | Ensure 'log-raw' Is Set to 'OFF' | Y | 1 |
| 6.5 | Ensure 'audit_log_connection_policy' Is Not Set to 'NONE' | Y | 1 |
| 6.6 | Ensure 'audit_log_exclude_accounts' Is Set to NULL | Y | 1 |
| 6.7 | Ensure 'audit_log_include_accounts' Is Set to NULL | Y | 1 |
| 6.8 | Ensure 'audit_log_policy' Is Set to Log Logins | Y | 1 |
| 6.9 | Ensure 'audit_log_policy' Is Set to Log Logins and Connections | Y | 2 |
| 6.10 | Ensure 'audit_log_statement_policy' Is Set to 'ALL' | Y | 2 |
| 6.11 | Set 'audit_log_strategy' to 'SYNCHRONOUS' or 'SEMISYNCHRONOUS' | Y | 2 |
| 6.12 | Make Sure the Audit Plugin Can't Be Unloaded | Y | 1 |
| 7 | Authentication | | |
| 7.1 | Ensure 'old_passwords' Is Not Set to '1' | Y | 1 |
| 7.2 | Ensure 'secure_auth' Is Set to 'ON' | Y | 1 & 2 |
| 7.3 | Ensure Passwords Are Not Stored in the Global Configuration | Y | 1 & 2 |
| 7.4 | Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER' | Y | 1 & 2 |
| 7.5 | Ensure Passwords Are Set for All MySQL Accounts | Y | 1 & 2 |
| 7.6 | Ensure Password Policy Is in Place | Y | 1 |
| 7.7 | Ensure No Users Have Wildcard Hostnames | Y | 1 & 2 |
| 7.8 | Ensure No Anonymous Accounts Exist | Y | 1 & 2 |
| 8 | Network | | |
| 8.1 | Ensure 'have_ssl' Is Set to 'YES' | Y | 1 |
| 8.2 | Ensure 'ssl_type' Is Set to 'ANY', 'X509', or 'SPECIFIED' for All Remote Users | Y | 1 |
| 9 | Replication | | |
| 9.1 | Ensure Replication Traffic Is Secured | N | 1 |
| 9.2 | Ensure 'MASTER_SSL_VERIFY_SERVER_CERT' Is Set to 'YES' or '1' | Y | 1 |
| 9.3 | Ensure 'master_info_repository' Is Set to 'TABLE' | Y | 2 |
| 9.4 | Ensure 'super_priv' Is Not Set to 'Y' for Replication Users | Y | 1 |
| 9.5 | Ensure No Replication Users Have Wildcard Hostnames | Y | 1 |

Known vulnerabilities:

Best Practices:

Supported versions