Professional Documents
Culture Documents
CIS MySQL Benchmark v1.0.2
CIS MySQL Benchmark v1.0.2
1|Page
2|Page
3|Page
CIS has created and will from time to time create special rules for its members and for other
persons and organizations with which CIS has a written contractual relationship. Those special
rules will override and supersede these Agreed Terms of Use with respect to the users who are
covered by the special rules. CIS hereby grants each CIS Security Consulting or Software Vendor
Member and each CIS Organizational User Member, but only so long as such Member remains in
good standing with CIS and complies with all of the terms of these Agreed Terms of Use, the right to
distribute the Products and Recommendations within such Members own organization, whether by
manual or electronic means. Each such Member acknowledges and agrees that the foregoing grant
is subject to the terms of such Members membership arrangement with CIS and may, therefore, be
modified or terminated by CIS at any time.
Choice of law; jurisdiction; venue.
We acknowledge and agree that these Agreed Terms of Use will be governed by and construed in
accordance with the laws of the State of Maryland, that any action at law or in equity arising out of
or relating to these Agreed Terms of Use shall be filed only in the courts located in the State of
Maryland, that we hereby consent and submit to the personal jurisdiction of such courts for the
purposes of litigating any such action. If any of these Agreed Terms of Use shall be determined to be
unlawful, void, or for any reason unenforceable, then such terms shall be deemed severable and
shall not affect the validity and enforceability of any remaining provisions. We acknowledge and
agree that we have read these Agreed Terms of Use in their entirety, understand them and agree to
be bound by them in all respects.
4|Page
Table of Contents
5|Page
Overview
This document, Security Configuration Benchmark for MySQL 4.1, 5.0, 5.1, provides
prescriptive guidance for establishing a secure configuration posture for MySQL versions
4.1, 5.0, and 5.1 running on the Windows Server 2003 and RedHat Enterprise Linux 5
platforms. This guide was tested against MySQL 4.1, 5.0, and 5.1 as installed by MySQL RPM
and MSI. To obtain the latest version of this guide, please visit http://cisecurity.org. If you
have questions, comments, or have identified ways to improve this guide, please write us at
feedback@cisecurity.org.
Consensus Guidance
This guide was created using a consensus review process comprised of volunteer and
contract subject matter experts. Consensus participants provide perspective from a diverse
set of backgrounds including consulting, software development, audit and compliance,
security research, operations, government, and legal.
Intended Audience
This document is intended for system and application administrators, security specialists,
auditors, help desk, and platform deployment personnel who plan to develop, deploy,
assess, or secure solutions that incorporate MySQL on a Windows or Linux platform.
Acknowledgements
The following individuals have contributed greatly to the creation of this guide:
Authors
Michael Eddington, Leviathan Security Group.
Contributors and Reviewers
Blake Frantz
Steven Piliero
Neil Quiogue
Dave Shackleford
Typographic Conventions
The following typographical conventions are used throughout this guide:
Convention
Stylized Monospace font
Monospace font
<italic font in brackets>
Italic font
Note
Meaning
Used for blocks of code, command, and script examples.
Text should be interpreted exactly as presented.
Used for inline code, commands, or examples. Text should
be interpreted exactly as presented.
Italic texts set in angle brackets denote a variable
requiring substitution for a real value.
Used to denote the title of a book, article, or other
publication.
Additional information or caveats
6|Page
Configuration Levels
This section defines the configuration levels that are associated with each benchmark
recommendation. Configuration levels represent increasing levels of security assurance.
Scoring Status
This section defines the scoring statuses used within this document. The scoring status
indicates whether compliance with the given recommendation is discernable in an
automated manner.
Scorable
The platforms compliance with the given recommendation can be determined via
automated means.
Not Scorable
The platforms compliance with the given recommendation cannot be determined via
automated means.
7|Page
Recommendations
1. Operating System Level Configuration
Level
Unix
Comments
Windows
Action / Recommended
Parameters
Harden OS using appropriate
CIS benchmark
Version
ALL
X
1S
ALL
2N
ALL
1N
1N
Dedicated Machine
Dedicated Account
Dedicated non-administrative
account for MySQL
daemon/service
ALL
8|Page
Restrict network
access
2N
1S
1S
Database not on
system partition
ALL
Command history
ALL
9|Page
/dev/null or linking
.mysql_history to /dev/null
MYSQL_PWD
ALL
1N
1S
MySQL User
Remediation:
Unix: Set the users shell to
/sbin/nologin, or similar.
Windows: Deny the user the "Log on
locally" right
Auditing Guidance for section 1.9: N/A
1.10
Windows Network
Service Account
ALL
1S
10 | P a g e
Windows Platform
Selection
ALL
1S
11 | P a g e
Version
ALL
X
Level
Comments
This is the location of the MySQL
databases.
Unix
Action / Recommended
Parameters
Read and write by MySQL
user only.
Windows
Item
#
Configuration Item
2.1
Data directory
1S
1S
Binaries
12 | P a g e
Configuration File
ALL
1S
1S
1S
Log files
SSL files
13 | P a g e
14 | P a g e
3. Logging
Configuration options can be added two ways. First is using the MySQL configuration file my.cnf and placing options under the proper
section of [mysqld]. Options placed in the configuration file should not prefix with a double dash --. Options can also be placed on the
command line by modifying the MySQL startup script. The startup script is system dependent based on your operating system.
Level
Comments
The error log must be enabled.
Unix
Action / Recommended
Parameters
--logerror[=file_name]
Windows
Item
#
Configuration Item
3.1
Error Logging
Enabled
Version
ALL
X
1S
ALL
1S
ALL
1S
ALL
1N
16 | P a g e
4. General
Level
Unix
Action / Recommended
Parameters
Migrate to version 4.1 or 5.0
Windows
Item
#
Configuration Item
4.1
Supported version of
MySQL
Comments
Rationale: Versions 4.0 and 3.23 only
receive critical fixes. Utilizing a
supported version of MySQL will help
ensure the remediation of identified
MySQL vulnerabilities.
Version
ALL
X
2S
ALL
2N
ALL
1S
Latest security
patches
ALL
1S
ALL
1S
Change admin
account name
18 | P a g e
Complex Passwords
Minimum 8 characters in
length with characters from at
least three of the following
categories: uppercase,
lowercase, numeric, nonalphanumeric
ALL
1N
ALL
1S
Verify Secure
Password Hashes
19 | P a g e
ALL
1N
ALL
2S
Wildcards in user
hostname
No blank passwords
1S
Anonymous account
ALL
1S
22 | P a g e
5. MySQL Permissions
Level
Comments
Version
ALL
X
Verify access by checking the user
and db tables. Use the following two
queries: select user, host
from mysql.user where
(Select_priv = 'Y') or
(Insert_priv = 'Y') or
(Update_priv = 'Y') or
(Delete_priv = 'Y') or
(Create_priv = 'Y') or
(Drop_priv = 'Y'); and
select user, host from
mysql.db where db = 'mysql'
and (
(Select_priv = 'Y') or
(Insert_priv = 'Y') or
(Update_priv = 'Y') or
(Delete_priv = 'Y') or
(Create_priv = 'Y') or
(Drop_priv = 'Y'));
Unix
Action / Recommended
Parameters
Only admin users should have
access to the mysql database
Windows
Item
#
Configuration Item
5.1
Access to mysql
database
1N
23 | P a g e
FILE privilege
ALL
1N
ALL
1N
PROCESS privilege
24 | P a g e
SUPER privilege
1N
1N
SHUTDOWN privilege
ALL
25 | P a g e
CREATE USER
privilege
ALL
1N
ALL
1N
RELOAD privilege
2. Ensure proper access controls are in place, and that the principle of least privilege is enforced
5.8
Global GRANT
privilege
1N
27 | P a g e
Comments
This option prevents attaching arbitrary
shared library functions as user-defined
functions by checking for at least one
corresponding method named _init,
_deinit, _reset, _clear, or _add.
Unix
Action / Recommended
Parameters
Avoid using the --allowsuspicious-udfs
parameter
Windows
Item
#
Configuration Item
6.1
Suspicious UDFs
Version
ALL
X
1S
ALL
2S
--local-infile=0
ALL
1S
1S
2S
--safe-show-database
4.1, 5.0
This option causes the SHOW
DATABASES statement to display
names of only those databases for which
the user has some kind of privilege
(default in 5.1)
Rationale: This reinforces the least
privilege model by limiting a users
knowledge of other existing databases.
Secure auth
--secure-auth
ALL
29 | P a g e
Grant tables
ALL
1S
5.1
2S
ALL
2S
Skip merge
--skip-merge
Skip networking
Use --skip-networking
startup option
30 | P a g e
ALL
1S
ALL
2S
--skip-symboliclinks
31 | P a g e
6.11
Client password
ALL
2S
32 | P a g e
7. SSL Configuration
Configuration options can be added two ways. First is using the MySQL configuration file my.cnf and placing options under the proper
section of [mysqld]. Options placed in the configuration file should not prefix with a double dash --. Options can also be placed on the
command line by modifying the MySQL startup script. The startup script is system dependent based on your operating system.
Level
Comments
Version
Causes the servers common name (CN) 5.1
X
to be verified against the servers
hostname.
Unix
Action / Recommended
Parameters
--ssl-verify-servercert
Windows
Item
#
Configuration Item
7.1
Client Verify Server
Cert
1S
2S
SSL Connection
ALL
Unique Key/Cert
ALL
1N
34 | P a g e
Unix
Action / Recommended
Parameters
Regularly occurring backup
Windows
Item
#
Configuration Item
8.1
Backup of databases
Comments
Rationale: Backing up MySQL
databases, including mysql, will help
ensure the availability of data in the
event of an incident.
Version
ALL
X
1N
ALL
1N
ALL
1N
Verify backups
Replication slave
backups
Verify master.info,
relay-log.info, and
SQL_LOAD-* files.
35 | P a g e
Appendix A: References
Resource
MySQL v4.1 General Security Issues
Location
http://dev.mysql.com/doc/refman/4.1/en/security.html
http://dev.mysql.com/doc/refman/5.0/en/security.html
http://dev.mysql.com/doc/refman/5.1/en/security.html
http://dev.mysql.com/doc/refman/4.1/en/news.html
http://dev.mysql.com/doc/refman/5.0/en/news.html
http://dev.mysql.com/doc/refman/5.1/en/news.html
http://www.securityfocus.com/infocus/1726
http://www.securityfocus.com/infocus/1667
http://blog.blackdown.de/2005/03/04/chrooting-mysqlon-debian/
Version
1.0.0
1.0.1
1.0.2
36 | P a g e