Information
On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. The default MySQL Client file is named .mysql_history in the user's home directory. The files are split by language and named history.sql, history.js and history.py. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled.
Rationale:
Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords, encryption keys, or other sensitive data or information.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Perform the following steps to remediate this setting:
1. Remove .mysql_history if it exists.
2. Use either of the techniques below to prevent it from being created again:
   - Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script.
   - Create $HOME/.mysql_history as a symbolic link to /dev/null.
> ln -s /dev/null $HOME/.mysql_history
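The steps above as a script that checks the state of one home directory and applies the symbolic-link technique. This is an added example, not part of the benchmark or the audit; the function names and status strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit and remediate .mysql_history for one home directory.
# Function names and status strings are hypothetical, chosen for this example.

# Print the state of <home>/.mysql_history for the home directory in $1.
mysql_history_state() {
    hist="$1/.mysql_history"
    if [ -L "$hist" ]; then
        # A symlink only satisfies the control when it targets /dev/null.
        if [ "$(readlink "$hist")" = "/dev/null" ]; then
            echo "compliant-symlink"
        else
            echo "symlink-elsewhere"
        fi
    elif [ -e "$hist" ]; then
        # A real file (or directory) exists and may hold past statements.
        echo "history-present"
    else
        # Nothing there now; the client can still create it on next use.
        echo "absent"
    fi
}

# Remove any existing history file, then link the path to /dev/null.
mysql_history_remediate() {
    hist="$1/.mysql_history"
    if [ "$(mysql_history_state "$1")" = "compliant-symlink" ]; then
        return 0
    fi
    # rm does not follow symlinks, so a stray link is removed, not its target.
    rm -f -- "$hist" || return 1
    ln -s /dev/null "$hist"
}

# Check for the environment-variable technique in the current shell.
mysql_histfile_env_ok() {
    [ "${MYSQL_HISTFILE:-}" = "/dev/null" ]
}
```

Call `mysql_history_state "$HOME"` to audit the current user and `mysql_history_remediate "$HOME"` to fix it; an "absent" result still needs one of the two techniques applied.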
Default Value:
By default, the MySQL command history file is located in $HOME/.mysql_history.