6.4 Ensure 'log-raw' is Set to 'OFF'

Information

The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text. If log-raw is enabled, passwords are written to the various log files (general query log, slow query log, and binary log) in plain text.

With raw logging of passwords enabled, someone with access to the log files might see plain text passwords.

Solution

Perform the following actions to remediate this setting:

- Open the MySQL configuration file (my.cnf)
- Find the log-raw entry and set it as follows: log-raw = OFF
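
To confirm the edit took effect, the following added example (not part of the benchmark or of MySQL) reads option-file text and reports whether raw logging ends up enabled, covering a bare log-raw entry, the underscore spelling, loose-/skip- prefixes, and a later entry overriding an earlier one. The function name and sample text are constructed for illustration, and !include directives are not followed.

```python
import re

TRUE_VALUES = {"1", "on", "true"}
FALSE_VALUES = {"0", "off", "false"}


def effective_log_raw(cnf_text):
    """Return True if raw logging ends up enabled in the server groups.

    An absent entry returns False, since log-raw defaults to OFF.
    """
    enabled = False
    in_server_group = False
    for raw_line in cnf_text.splitlines():
        line = raw_line.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1).strip().lower()
            # Assumption: any [mysqld-X.Y] group is treated as applying.
            in_server_group = name in ("mysqld", "server") or name.startswith("mysqld-")
            continue
        if not in_server_group:
            continue
        line = line.split("#", 1)[0].strip()  # drop a trailing comment
        key, sep, value = line.partition("=")
        # Dashes and underscores are interchangeable in option names.
        key = key.strip().lower().replace("_", "-")
        if key.startswith("loose-"):
            key = key[len("loose-"):]
        value = value.strip().strip("'\"").lower()
        if key in ("log-raw", "enable-log-raw"):
            if not sep or value in TRUE_VALUES:  # bare "log-raw" means ON
                enabled = True
            elif value in FALSE_VALUES:
                enabled = False
        elif key in ("skip-log-raw", "disable-log-raw"):
            enabled = False
    return enabled  # the last matching entry wins


# Constructed sample: OFF is set, but a later bare entry turns it back on.
SAMPLE_BAD = "[client]\nlog-raw = ON\n[mysqld]\nlog-raw = OFF\nloose_log_raw\n"
# Constructed sample: the final entry in [mysqld] is the hardened one.
SAMPLE_GOOD = "[mysqld]\nlog_raw = ON\nlog-raw = OFF  # hardened\n"

if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, "FAIL" if effective_log_raw(text) else "PASS")
```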

See Also

https://workbench.cisecurity.org/benchmarks/15503

Item Details

Category: MEDIA PROTECTION

References: 800-53|MP-6, CSCv7|13.2

Plugin: Unix

Control ID: 40c0f8f2c16edb24bb6c7bbc67b4d2e93ad4db50dd83915ea8d2329c6e1bd8e1