Information
Use of the chroot() system call at startup, Systemd with settings to achieve isolation, or docker will put MySQL in a Sandbox environment.
Running MySQL in a Sandbox environment may reduce the impact of a MySQL-born vulnerability by making portions of the file system inaccessible to the MySQL instance.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Perform one of the following steps to remediate this setting:
- Configure MySQL to use chroot:
- Choose a non-system partition
<chroot location>
for MySQL
- Add chroot=
<chroot_location>
to the my.cnf option file
- Configure MySQL to run under systemd:
- If mysql is managed by systemd and running, stop the service: $ sudo systemctl stop <mysqld>.service
- If a mysql user and group do not already exist, create them: $ sudo groupadd mysql$ sudo useradd -r -g mysql -s /bin/false mysql
- Set the oenwership of the base director: $ sudo chown -R mysql:mysql /usr/local/mysql/
- Create or modify the
<mysqld>
service file in /lib/systemd/system to include the following entries, if not already present: [Unit]Description=MySQL Server[Install]WantedBy=multi-user.target[Service]User=mysqlGroup=mysql
- If mysql was not already already managed by systemd execute this command: $ sudo systemctl daemon-reload
- Start the MySQL server: $ sudo systemctl start <mysqld>.service
- If you would like mysql to automatically run at startup execute this command: $ sudo systemctl enable <mysqld>.service
- Follow documentation in the references for standing up MySQL in a Docker container.
Impact:
Use of the chroot option somewhat limits LOAD DATA INFILE and SELECT ... INTO OUTFILE