1.5 Ensure Interactive Login is Disabled

Information

When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could log in to the host as any other user would.

Rationale:

Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. It also improves accountability, because accessing the operating system that hosts the MySQL server will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled.

Impact:

This setting will prevent the MySQL administrator from interactively logging into the operating system using the MySQL user. Instead, the administrator will need to log in using their own account.

Solution

Execute one of the following commands in a terminal:

usermod -s /bin/false mysql

Or

usermod -s /sbin/nologin mysql
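
To verify the result, the following added example (not part of the benchmark text) checks the login shell recorded for the mysql account in passwd-format input. The function names and sample entries are constructed for illustration, and treating /usr/bin/false and /usr/sbin/nologin as equivalent to the two shells above is an assumption.

```shell
#!/bin/sh
# Added example: audit the login shell of a service account (here: mysql).
# Input is passwd(5)-format text on stdin, e.g. from `getent passwd mysql`.

# Print field 7 (login shell) for an exact username match; exit 1 if absent.
account_shell() {
    awk -F: -v u="$1" '
        $1 == u { print $7; found = 1; exit }
        END     { if (!found) exit 1 }'
}

# Return 0 if interactive login is disabled, 1 if enabled, 2 if no such user.
# /usr/bin/false and /usr/sbin/nologin are assumed equivalents of the two
# shells the Solution names (merged-/usr and Debian-style layouts).
check_interactive_login_disabled() {
    shell=$(account_shell "$1") || return 2
    case "$shell" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;  # an empty field lands here: passwd(5) defaults it to /bin/sh
    esac
}

# Print PASS, FAIL or NOT_FOUND for the given user.
report() {
    rc=0
    check_interactive_login_disabled "$1" || rc=$?
    case "$rc" in
        0) echo PASS ;;
        1) echo FAIL ;;
        *) echo NOT_FOUND ;;
    esac
}

# Constructed sample entries (not taken from a real host). SAMPLE_BAD puts a
# similarly named account first to show why the match must be exact.
SAMPLE_BAD='mysqladmin:x:1001:1001::/home/mysqladmin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash'
SAMPLE_GOOD='mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin'
SAMPLE_EMPTY='mysql:x:27:27:MySQL Server:/var/lib/mysql:'

printf '%s\n' "$SAMPLE_BAD"   | report mysql
printf '%s\n' "$SAMPLE_GOOD"  | report mysql
printf '%s\n' "$SAMPLE_EMPTY" | report mysql
```

On a live host, pipe the real entry into the same function: getent passwd mysql | report mysql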

See Also

https://workbench.cisecurity.org/files/3859