1.7 Ensure MySQL is Run Under a Sandbox Environment

Information

Use of the chroot() system call at startup, Systemd with settings to achieve isolation, or docker will put MySQL in a Sandbox environment.

Rationale:

Running MySQL in a Sandbox environment may reduce the impact of a MySQL-born vulnerability by making portions of the file system inaccessible to the MySQL instance.

Impact:

Use of the chroot option somewhat limits LOAD DATA INFILE and SELECT ... INTO OUTFILE.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform one of the following steps to remediate this setting:

Configure MySQL to use chroot:

Choose a non-system partition <chroot location> for MySQL

Add chroot=<chroot_location> to the my.cnf option file

Configure MySQL to run under systemd:

If mysql is managed by systemd and running, stop the service:

$ sudo systemctl stop <mysqld>.service

If a mysql user and group do not already exist, create them:

$ sudo groupadd mysql
$ sudo useradd -r -g mysql -s /bin/false mysql

Set the ownership of the base director:

$ sudo chown -R mysql:mysql /usr/local/mysql/

Create or modify the <mysqld>.service file in /lib/systemd/system to include the following entries, if not already present:

[Unit]
Description=MySQL Server

[Install]
WantedBy=multi-user.target

[Service]
User=mysql
Group=mysql

If mysql was not already already managed by systemd execute this command:

$ sudo systemctl daemon-reload

Start the MySQL server:

$ sudo systemctl start <mysqld>.service

If you would like mysql to automatically run at startup execute this command:

$ sudo systemctl enable <mysqld>.service

Follow documentation in the references for standing up MySQL in a Docker container.

See Also

https://workbench.cisecurity.org/files/3938

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|2.10

Plugin: Unix

Control ID: 05addcff32cd249dd2ef2162035a3310a4e9c0720c9b802ef510b690e5a6bd2d