1.7 Ensure MariaDB is Run Under a Sandbox Environment

Information

Use of the chroot() system call at startup, systemd with settings to achieve isolation, or Docker will put MariaDB in a sandbox environment.

Rationale:

Running MariaDB in a sandbox environment may reduce the impact of a MariaDB-borne vulnerability by making portions of the file system inaccessible to the MariaDB instance.

Impact:

Use of the chroot option somewhat limits LOAD DATA INFILE and SELECT ... INTO OUTFILE.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform one of the following steps to remediate this setting:

Configure MariaDB to use chroot:

Choose a non-system partition <chroot_location> for MariaDB

Add chroot=<chroot_location> to the my.cnf option file

Configure MariaDB to run under systemd:

If MariaDB is managed by systemd and running, stop the service:

$ sudo systemctl stop <mysqld>.service

If a mysql user and group do not already exist, create them:

$ sudo groupadd mysql
$ sudo useradd -r -g mysql -s /bin/false mysql

Set the ownership of the base directory:

$ sudo chown -R mysql:mysql /usr/local/mysql/

Create or modify the <mysqld>.service file in /lib/systemd/system to include the following entries, if not already present:

[Unit]
Description=MariaDB Server

[Install]
WantedBy=multi-user.target

[Service]
User=mysql
Group=mysql

If MariaDB was not already managed by systemd, execute this command:

$ sudo systemctl daemon-reload

Start the MariaDB server:

$ sudo systemctl start <mariadb>.service

If you would like MariaDB to automatically run at startup, execute this command:

$ sudo systemctl enable <mariadb>.service

Follow documentation in the references for standing up MariaDB in a Docker container. During setup, follow the special notes below.

Do not set MARIADB_ALLOW_EMPTY_ROOT_PASSWORD or MYSQL_ALLOW_EMPTY_PASSWORD to a non-empty value.

Ensure that passwords are not set as values of any environment variables being passed to the Docker container. For example, do not orchestrate your container by passing MARIADB_ROOT_PASSWORD= as an environment attribute. Instead, securely set MARIADB_ROOT_PASSWORD within your environment, then simply tell Docker to pass MARIADB_ROOT_PASSWORD (without setting the value) to the container.
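One way to check the three options above by hand, as an added example that is not part of the benchmark or of the Nessus plugin. The function names, the files passed in and the sample env-file lines are assumptions; apart from MARIADB_ROOT_PASSWORD, the password variable names checked are those of the official Docker image, not ones this page lists.

```shell
#!/bin/sh
# Added example: audit helpers for the chroot, systemd and Docker options.
# Function names and input files are assumptions, not benchmark content.

# Print the chroot value set in a server option group of a my.cnf-style file;
# return 1 if none is set.
cnf_chroot() {
    awk '
        /^[ \t]*[#;]/ { next }                     # skip comment lines
        /^[ \t]*\[/   { g = tolower($0); gsub(/[^a-z]/, "", g)
                        srv = (g == "mysqld" || g == "mariadb" || g == "mariadbd" || g == "server"); next }
        srv && /^[ \t]*chroot[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0 }
        END { if (v == "") exit 1; print v }
    ' "$1"
}

# Print User= from the [Service] section of a unit file; return 1 if it is
# missing or root.
unit_user() {
    awk '
        /^[ \t]*\[/ { svc = ($0 ~ /^[ \t]*\[Service\]/); next }
        svc && /^User=/ { sub(/^User=/, ""); u = $0 }
        END { if (u == "" || u == "root" || u == "0") exit 1; print u }
    ' "$1"
}

# Read Docker env-file style lines on stdin (NAME passes the host value through,
# NAME=value sets it inline). Print one finding per violation of the two Docker
# notes; return 1 if any were found.
docker_env_findings() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { name = $0; val = ""; has = index($0, "=")
          if (has) { name = substr($0, 1, has - 1); val = substr($0, has + 1) } }
        name ~ /^(MARIADB_ALLOW_EMPTY_ROOT_PASSWORD|MYSQL_ALLOW_EMPTY_PASSWORD)$/ {
            if (val != "") { print "empty-root-password-allowed: " name; bad = 1 }
            next }
        name ~ /^(MARIADB|MYSQL)_(ROOT_)?PASSWORD$/ && has {
            print "password-value-inline: " name; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample: only the first line follows the pass-by-name guidance.
printf '%s\n' 'MARIADB_ROOT_PASSWORD' 'MARIADB_PASSWORD=example' \
    'MYSQL_ALLOW_EMPTY_PASSWORD=1' | docker_env_findings || true
```

Point cnf_chroot at the active option file and unit_user at the <mysqld>.service file; a non-zero return means that sandbox option is not in effect.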

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|2.10

Plugin: MySQLDB

Control ID: 416554a3046358753ce561d23e7ca1ecdc6b55c9216d5dc9d26a164877337347