1.4 Verify That the MYSQL_PWD Environment Variable is Not in Use

Information

MySQL can read a default database password from an environment variable called MYSQL_PWD. Avoiding use of this environment variable can better safeguard the confidentiality of MySQL credentials.

Rationale:

Using the MYSQL_PWD environment variable implies MySQL credentials are stored as clear text.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method.

For unattended logins you should consider

MySQL Configuration Editor

Different authentication methods (e.g., X509 certificate verification)

Use MySQL Enterprise LDAP plugin with Kerberos or SASL tokens.

Default Value:

Not set.

See Also

https://workbench.cisecurity.org/files/3848

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Windows

Control ID: 64b52c7149ce0374324133a6384f8c9b87fffda787799b7822c6d7632fb410ec