1.1 Place Databases on Non-System Partitions

Information

It is generally accepted that host operating systems should include different filesystem partitions for different purposes. One set of filesystems is typically called system partitions, and these are generally reserved for host system/application operation. The other set of filesystems is typically called 'non-system partitions', and such locations are generally reserved for storing data.

Rationale:

Moving the database off the system partition reduces the probability of a denial of service in which database growth exhausts the disk space the operating system itself needs to run.

Impact:

Moving database files and directories to a non-system partition may be difficult, depending on whether the operating system was set up with only a single partition and whether additional non-system partitions are available.

Solution

Perform the following steps to remediate this setting for the datadir:

Back up the database.

Choose a new location on a non-system partition for the MySQL data.

Stop mysqld using a command like: service mysql stop

Copy the data using a command like: cp -rp <datadir Value> <new location>

Set the datadir location to the new location in the MySQL configuration file.

Start mysqld using a command like: service mysql start

Note: On some Linux distributions you may additionally need to modify AppArmor settings. For example, on an Ubuntu 14.04.1 system edit the file /etc/apparmor.d/usr.sbin.mysqld so that the datadir access is appropriate. The original might look like this:

# Allow data dir access
/var/lib/mysql/ r,
/var/lib/mysql/** rwk,

Alter those two paths to be the new location you chose above. For example, if that new location were /media/mysql, then the /etc/apparmor.d/usr.sbin.mysqld file should include something like this:

# Allow data dir access
/media/mysql/ r,
/media/mysql/** rwk,
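The following POSIX shell script is an added example, not part of this benchmark item, that audits the outcome of the procedure above: it reads the mount point of the filesystem holding the datadir from POSIX `df -P` output and reports whether that mount point is a system partition. The set of mount points treated as system partitions ("/", "/usr", "/var") and the function names are assumptions of this example; the two `df` listings embedded at the bottom are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example: audit whether the MySQL datadir lives on a non-system partition.
# Assumption (not from the benchmark text): "/", "/usr" and "/var" are the
# system partitions; everything else counts as a non-system partition.

SYSTEM_MOUNTS="/ /usr /var"

# is_system_mount MOUNTPOINT -> exit 0 when MOUNTPOINT is a system partition
is_system_mount() {
  for m in $SYSTEM_MOUNTS; do
    [ "$1" = "$m" ] && return 0
  done
  return 1
}

# mount_from_df DF_OUTPUT -> print the "Mounted on" column of a `df -P` listing
# (`df -P` prints one header line, then one data line; the mount point is last)
mount_from_df() {
  printf '%s\n' "$1" | awk 'NR==2 { print $NF }'
}

# audit_datadir_df DF_OUTPUT -> print PASS/FAIL and return 0 (pass) or 1 (fail)
audit_datadir_df() {
  mp=$(mount_from_df "$1")
  if is_system_mount "$mp"; then
    echo "FAIL: datadir is on system partition $mp"
    return 1
  fi
  echo "PASS: datadir is on non-system partition $mp"
  return 0
}

# audit_datadir_path DATADIR -> live check against this host using `df -P`
audit_datadir_path() {
  audit_datadir_df "$(df -P "$1")"
}

# Constructed sample `df -P` output: default datadir still on the root filesystem
SAMPLE_ROOT='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         40000000 20000000  20000000      50% /'

# Constructed sample `df -P` output: datadir moved to a dedicated partition
SAMPLE_DATA='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sdb1        200000000 50000000 150000000      25% /media/mysql'

# Usage: pass the datadir value reported by MySQL to check the live host, e.g.
#   sh audit_datadir.sh /media/mysql
# With no argument the script only defines the functions and sample data.
if [ -n "$1" ]; then
  audit_datadir_path "$1"
fi
```

Run it with the datadir value from `SHOW VARIABLES WHERE variable_name = 'datadir'` as the single argument; a FAIL result after remediation usually means the configuration file still points at the old directory or the new location was created on the root filesystem rather than on its own partition.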

See Also

https://workbench.cisecurity.org/files/3848

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|2.10

Plugin: MySQLDB

Control ID: 1cfbc77276ff20e5c10624e91db6c1c873b601d5a830564c7965850429f48912