3.8 Ensure Plugin Directory Has Appropriate Permissions

Information

The plugin directory is the location of the MySQL plugins. Plugins are storage engines or user defined functions (UDFs).

Rationale:

Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the MySQL database. If someone can modify plugins then these plugins might be loaded when the server starts and the code will get executed.

Impact:

Users other than the MySQL user will no longer be able to update and add/remove plugins unless they're able to switch to the MySQL user.

Solution

To remediate these settings, execute the following commands at a terminal prompt using the plugin_dir Value from the audit procedure. MySQL server must not be allowed to write to this location.

chmod 550 <plugin_dir Value> #(or use 554)
chown mysql:mysql <plugin_dir Value>

See Also

https://workbench.cisecurity.org/files/3848

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 3be7057d0a587d6e700be7caea4845f659f9f1a42ed0f4da26ef30121d1068f3