Information
When a command is executed on the command line, for example mysql -u admin -p password or mysqlsh -u admin -p password, the password may be visible in the user's shell/command history or in the process list.
Rationale:
If the password is visible in the process list or user's shell/command history, an attacker will be able to access the MySQL database using the stolen credentials.
Impact:
Depending on the remediation chosen, additional steps may need to be undertaken like:
Entering a password when prompted.
Ensuring the file permissions on .my.cnf is restricted yet accessible by the user.
Using mysql_config_editor to encrypt the authentication credentials in .mylogin.cnf.
Use a pluggable secure password store, e.g., a keychain.
In the case of shell don't authenticate until mysqlsh is started, then use connect
Additionally, not all scripts/applications may be able to use .mylogin.cnf.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
MySQL Client:
Use -p without password and then enter the password when prompted, use a properly secured .my.cnf file, or store authentication information in encrypted format in .mylogin.cnf.
MySQL Shell:
Use without password and then enter the password when prompted, store authentication information in encrypted format in .mylogin.cnf, enter shell then authenticate using connect command (Note: this also ensures the username is not exposed on the command), or use mysqlsh pluggable password store, e.g., a keychain.