1.1 Place Databases on Non-System Partitions

Information

It is generally accepted that host operating systems should include different filesystem partitions for different purposes. One set of filesystems is typically called system partitions, and these are generally reserved for host system/application operation. The other set of filesystems is typically called 'non-system partitions', and such locations are generally reserved for storing data.

Rationale:

Moving the database off the system partition will reduce the probability of denial of service caused by exhaustion of available disk space to the operating system.

Impact:

Moving database files and directories to a non-system partition may be difficult depending on whether there was only a single partition when the operating system was set up and whether there are additional non-system partitions available.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following steps to remediate this setting for the datadir:

Backup the database.

Choose a non-system partition new location for MySQL data.

Stop mysqld using a command like: service mysql stop.

Copy the data using a command like: cp -rp<datadir Value> <new location>.

Set the datadir location to the new location in the MySQL configuration file.

Start mysqld using a command like:

service mysql start

Note: On some Linux distributions you may need to additionally modify apparmor settings. For example, on a Ubuntu 14.04.1 system edit the file /etc/apparmor.d/usr.sbin.mysqld so that the datadir access is appropriate. The original might look like this:

# Allow data dir access
/var/lib/mysql/ r,
/var/lib/mysql/** rwk,

Alter those two paths to be the new location you chose above. For example, if that new location were /media/mysql, then the /etc/apparmor.d/usr.sbin.mysqld file should include something like this:

# Allow data dir access
/media/mysql/ r,
/media/mysql/** rwk,

Default Value:

Not Applicable.

See Also

https://workbench.cisecurity.org/benchmarks/10139

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|2.10

Plugin: Unix

Control ID: bfca665413c1c5476a6c7fcc4c0e9223ee0c71ed491d264ac63d225666d7d552