2.3 Do Not Specify Passwords in the Command Line

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


When a command is executed on the command line, for example mariadb -u admin -p password, the password may be visible in the user's shell/command history or in the process list.


If the password is visible in the process list or user's shell/command history, an attacker will be able to access the MariaDB database using the stolen credentials.


Depending on the remediation chosen, additional steps may need to be undertaken like:

Entering a password when prompted.

Ensuring the file permissions on .mariadb.cnf is restricted yet accessible by the user.

Use a pluggable secure password store, e.g., a keychain.

Additionally, not all scripts/applications may be able to use .mariadb.cnf.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


MariaDB Client:

Use -p without password and then enter the password when prompted, use a properly secured .mariadb.cnf file, or store authentication information in encrypted format in .mylogin.cnf.

See Also