1.4 Verify That the MYSQL_PWD Environment Variable is Not in Use

Information

MySQL can read a default database password from an environment variable called MYSQL_PWD Avoiding use of this environment variable can better safeguard the confidentiality of MySQL credentials.

Using the MYSQL_PWD environment variable implies MySQL credentials are stored as clear text.

Solution

Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method.

For unattended logins you should consider

- MySQL Configuration Editor
- Different authentication methods (e.g., X509 certificate verification)
- Use MySQL Enterprise LDAP plugin with Kerberos or SASL tokens.

See Also

https://workbench.cisecurity.org/benchmarks/15503

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: eae286960c59e10b4b6e2b9f74e973e49509545b211fd170ef68a2e1892e2dee