1.4 Verify That the MYSQL_PWD Environment Variable Is Not In Use

Information

MySQL can read a default database password from an environment variable called MYSQL_PWD. Avoiding use of this environment variable can better safeguard the confidentiality of MySQL credentials.

Rationale:

Using the MYSQL_PWD environment variable implies MySQL credentials are stored as clear text.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method.
For unattended logins you should consider:

MySQL Configuration Editor

Different authentication methods (e.g., X509 certificate verification)

Use MySQL Enterprise LDAP plugin with Kerberos or SASL tokens.

Default Value:

Not set.

See Also

https://workbench.cisecurity.org/files/3855

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Windows

Control ID: 7c6f7ff1f50ebfe7f92001810673ac4e6db977acdac0198dd1f690985855198c