2.3 Do Not Specify Passwords in the Command Line

Information

When a command is executed on the command line, for example mariadb -u admin -p password, the password may be visible in the user's shell/command history or in the process list.

Rationale:

If the password is visible in the process list or user's shell/command history, an attacker will be able to access the MariaDB database using the stolen credentials.

Impact:

Depending on the remediation chosen, additional steps may need to be undertaken like:

Entering a password when prompted.

Ensuring the file permissions on .mariadb.cnf is restricted yet accessible by the user.

Use a pluggable secure password store, e.g., a keychain.

Additionally, not all scripts/applications may be able to use .mariadb.cnf.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

MariaDB Client:

Use -p without password and then enter the password when prompted, use a properly secured .mariadb.cnf file, or store authentication information in encrypted format in .mylogin.cnf.

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|16.4

Plugin: Unix

Control ID: c5220d49767e97ea061983cf0bafc4f5b84dd20282db0951def32cd1c4c338eb