1.7 Ensure MySQL is Run Under a Sandbox Environment

Information

Use of the chroot() system call at startup, Systemd with settings to achieve isolation, or docker will put MySQL in a Sandbox environment.

Running MySQL in a Sandbox environment may reduce the impact of a MySQL-born vulnerability by making portions of the file system inaccessible to the MySQL instance.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform one of the following steps to remediate this setting:

- Configure MySQL to use chroot:
- Choose a non-system partition

<chroot location>

for MySQL
- Add chroot=

<chroot_location>

to the my.cnf option file

- Configure MySQL to run under systemd:
- If mysql is managed by systemd and running, stop the service: $ sudo systemctl stop <mysqld>.service
- If a mysql user and group do not already exist, create them: $ sudo groupadd mysql$ sudo useradd -r -g mysql -s /bin/false mysql
- Set the oenwership of the base director: $ sudo chown -R mysql:mysql /usr/local/mysql/
- Create or modify the

<mysqld>

service file in /lib/systemd/system to include the following entries, if not already present: [Unit]Description=MySQL Server[Install]WantedBy=multi-user.target[Service]User=mysqlGroup=mysql
- If mysql was not already already managed by systemd execute this command: $ sudo systemctl daemon-reload
- Start the MySQL server: $ sudo systemctl start <mysqld>.service
- If you would like mysql to automatically run at startup execute this command: $ sudo systemctl enable <mysqld>.service

- Follow documentation in the references for standing up MySQL in a Docker container.

Impact:

Use of the chroot option somewhat limits LOAD DATA INFILE and SELECT ... INTO OUTFILE

See Also

https://workbench.cisecurity.org/benchmarks/15504

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|2.10

Plugin: Unix

Control ID: 52bac4ec6906b52158638de15205665cea58c6b22651f16eb4d9df1e6b965995