4.3 Ensure 'allow-suspicious-udfs' is Set to 'OFF'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add.

Rationale:

Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server.

Solution

Perform the following to establish the recommended state:

Remove --allow-suspicious-udfs from the mariadbd start up command line.

Remove allow-suspicious-udfs from the MariaDB option file.

Default Value:

OFF

See Also

https://workbench.cisecurity.org/benchmarks/12270