2.2 Dedicate the Machine Running MySQL

Information

It is recommended that MySQL Server software be installed on a dedicated server. This architectural consideration affords flexibility in that the database server can be placed in a separate network zone that allows access only from particular hosts and over particular protocols.

Rationale:

The attack surface is reduced on a server with only the underlying operating system, MySQL server software, and any security or operational tooling that may be additionally installed. A smaller attack surface reduces the probability of the data within MySQL being compromised.

Impact:

Care must be taken to ensure that applications or services required for proper operation of the operating system are not removed.

Custom applications may need to be modified to accommodate database connections over the network rather than locally on the same host (e.g., using TCP/IP connections).

Additional hardware and operating system licenses may be required to make the architectural change.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remove excess applications or services and/or remove unnecessary roles from the underlying operating system.

See Also

https://workbench.cisecurity.org/files/3859

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|2.10

Plugin: Unix

Control ID: c3d2a1682e1a2aec50bfc35e5b82a67d3424e48c05748d603cba27973a6cef6d