3.10 Secure MySQL Keyring

Information

When configured to use a Keyring plugin, internal MySQL components and plugins may securely store sensitive information for later retrieval. Associated files for the selected keyring type should have proper permissions.

Rationale:

Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of internal MySQL component and plugin information.

Solution

If no keyring plugin or keyring file plugin is configured, instructions for configuring a keyring plugin or keyring file plugin may be found at:

KMIP - https://dev.mysql.com/doc/refman/8.0/en/keyring-okv-plugin.html#keyring-okv-configuration

OCI Vault - https://dev.mysql.com/doc/refman/8.0/en/keyring-oci-plugin.html

HashiCorp - https://dev.mysql.com/doc/refman/8.0/en/keyring-hashicorp-plugin.html#keyring-hashicorp-plugin-configuration

AWS - https://dev.mysql.com/doc/refman/8.0/en/keyring-aws-plugin.html#keyring-aws-plugin-configuration

Execute the following command for each Keyring file location requiring corrected permissions:

chmod 750 <keyring file>
chown mysql:mysql <keyring file>

See Also

https://workbench.cisecurity.org/benchmarks/10139

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: f1a59967052372c4c2a6844d4e0afa9c382b19c037c924f7832dd668d61d3769