1.4 Verify That the MYSQL_PWD Environment Variable is Not in Use

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

MySQL can read a default database password from an environment variable called MYSQL_PWD. Avoiding use of this environment variable can better safeguard the confidentiality of MySQL credentials.

Rationale:

Using the MYSQL_PWD environment variable implies MySQL credentials are stored as clear text.

Solution

Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method.

For unattended logins you should consider

MySQL Configuration Editor

Different authentication methods (e.g., X509 certificate verification)

Use MySQL Enterprise LDAP plugin with Kerberos or SASL tokens.

Default Value:

Not set.

See Also

https://workbench.cisecurity.org/benchmarks/12903