7.2 Ensure Passwords are Not Stored in the Global Configuration

Information

The [client] section of the MariaDB configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (mariadb.cnf).

Rationale:

Using the password parameter may negatively impact the confidentiality of the user's password.

Impact:

The global configuration is by default readable for all users on the system. This is needed for global defaults (prompt, port, socket, etc.). If a password is present in this file then all users on the system may be able to access it.

Solution

Use the user-specific options file, .mariadb.cnf., and restricting file access permissions to the user identity.

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: 37f898cc6ebc806f944cbdeb57cd8aacefe2e45081805e340d7c450f185c6eb7