6.6 Ensure Binary and Relay Logs are Encrypted

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The encrypt_binlog system variable may be used to configure encryption of the binary and relay logs. This may be configured to ON even if binary logging is not enabled in order to encrypt relay log files.

Rationale:

The database, and thus the binary and relay logs, may contain sensitive information. Encrypting the binary and relay logs protects all data stored in these logs from internal and external threats.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Encryption of binary logs is configured by the encrypt_binlog system variable.
To remediate misconfiguration, add encrypt_binlog and restart MariaDB.

[mariadb]
...
# Binary Log Encryption
encrypt_binlog=ON

Default Value:

The default Value: OFF

See Also

https://workbench.cisecurity.org/benchmarks/12270