Information
When a command is executed on the command line, for example mysql -u admin -p password or mysqlsh -u admin -p password, the password may be visible in the user's shell/command history or in the process list.
If the password is visible in the process list or user's shell/command history, an attacker will be able to access the MySQL database using the stolen credentials.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
MySQL Client:
Use -p without the password and then enter the password when prompted, use a properly secured my.cnf file, or store authentication information in encrypted format in mylogin.cnf.
MySQL Shell:
Use -p without the password and then enter the password when prompted, store authentication information in encrypted format in mylogin.cnf, enter the shell and then authenticate using the \connect command (note: this also ensures the username is not exposed on the command line), or use the mysqlsh pluggable password store, e.g., a keychain.
Impact:
Depending on the remediation chosen, additional steps may need to be undertaken like:
- Entering a password when prompted.
- Ensuring the file permissions on my.cnf are restricted while the file remains accessible to the user.
- Using mysql_config_editor to encrypt the authentication credentials in mylogin.cnf.
- Using a pluggable secure password store, e.g., a keychain.
- In the case of MySQL Shell, not authenticating until mysqlsh is started, then using \connect.
Additionally, not all scripts/applications may be able to use mylogin.cnf.
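Because Nessus does not perform this check, the following is an added example (not part of the benchmark or plugin text) of how an auditor can verify it by hand: a check that flags mysql/mysqlsh command lines carrying an inline password, a check that an option file is readable only by its owner, and the remediation commands the benchmark describes. The login-path name admin_local and the paths are placeholders chosen for the example.

```shell
#!/bin/sh
# Return 0 when a mysql/mysqlsh command line carries the password inline
# (-pSECRET or --password=SECRET), 1 otherwise. A bare -p / --password
# makes the client prompt interactively, so it is not flagged; --port and
# -P (uppercase) are not matched.
has_inline_password() {
    cmd="$1"
    printf '%s\n' "$cmd" |
        grep -Eq '(^|[[:space:]])(-p[^[:space:]]+|--password=[^[:space:]]+)'
}

# Walk the live process list and report every client started with an
# inline password (the exposure the benchmark describes).
scan_process_list() {
    ps -eo args= | while IFS= read -r line; do
        case "$line" in
            mysql*|*/mysql*|mysqlsh*|*/mysqlsh*)
                has_inline_password "$line" && printf 'EXPOSED: %s\n' "$line" ;;
        esac
    done
}

# Return 0 when the option file exists and group/others have no read or
# write permission (mode 0600 or tighter), 1 otherwise.
mycnf_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -z "$(find "$f" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print)" ]
}

# Remediation as the benchmark describes it (shown, not executed here):
#   mysql_config_editor set --login-path=admin_local --host=localhost --user=admin --password
#   mysql --login-path=admin_local      # credentials come from encrypted ~/.mylogin.cnf
#   chmod 600 ~/.my.cnf                 # option file readable only by its owner
#   mysqlsh                             # then at the prompt: \connect admin@localhost

# Usage: scan_process_list; mycnf_perms_ok "$HOME/.my.cnf" || echo "my.cnf too open"
```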