7.3 Ensure Passwords Are Not Stored in the Global Configuration - /etc/mysql/my.cnf

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The use of the password parameter may negatively impact the confidentiality of the user's password.

Solution

Use the mysql_config_editor to store authtentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. Impact: The global configuration is by default readable for all users on the system. This is needed for global defaults (prompt, port, socket, etc). If a password is present in this file then all users on the system may be able to access it.

See Also

https://workbench.cisecurity.org/files/1619