MySQL Security Checklist

Here's a quick reference checklist for the points that we discuss in this chapter.

Background

  1. Read the MySQL security guidelines at http://dev.mysql.com/doc/mysql/en/Security.html.
  2. Visit http://www.mysql.com/products/mysql/ often, and check for updates.
  3. Know your bugs! Check vulnerability databases such as SecurityFocus and ICAT regularly for MySQL bugs, and (if you can stand the noise levels) subscribe to security mailing lists such as VulnWatch, BugTraq, and the MySQL mailing lists.

Operating System

  1. Deploy IPTables (Linux), an IPSec filtering ruleset (Windows), or some other host-based firewall software on your MySQL servers.
  2. Use a low-privileged mysql account to run the MySQL daemon. This is the default on some platforms, but not others.
  3. Run mysqld with the --chroot option.
  4. Ensure that the MySQL user cannot access files outside of a limited set of directories. Specifically, the MySQL user should be prohibited from reading operating system configuration files. In some cases you might want to prevent the MySQL user from being able to modify the MySQL configuration files.
  5. Ensure that MySQL data files (normally residing beneath the MySQL data directory) cannot be read by users other than the root or Administrator account, and the account that MySQL is running under.
  6. Plaintext credentials. Ensure that no user other than the MySQL user can read any MySQL configuration and log files. The files my.cnf, my.ini, and master.info commonly have plaintext usernames ...
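
One way to verify the file-permission items above (data files and configuration/log files unreadable by other accounts), as an added example that is not from the book. The function names and command-line usage are illustrative assumptions; the script treats any group or other permission bit, and any owner other than root or the MySQL account, as a finding.

```python
import os
import pwd
import stat
import sys

# Permission bits that give any account other than the owner access.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_path(path, allowed_uids):
    """Return findings for a single file or directory (no recursion)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: symlink, audit its target separately"]
    findings = []
    if st.st_uid not in allowed_uids:
        findings.append(f"{path}: owned by uid {st.st_uid}, "
                        f"expected one of {sorted(allowed_uids)}")
    if st.st_mode & NON_OWNER_BITS:
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: mode {mode:04o} grants group/other access")
    return findings


def audit_tree(root, allowed_uids):
    """Audit root and, if it is a directory, everything beneath it."""
    findings = audit_path(root, allowed_uids)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            findings.extend(audit_path(os.path.join(dirpath, name), allowed_uids))
    return findings


if __name__ == "__main__":
    # Usage (run as root): audit.py <mysql-account> <path> [<path> ...]
    # Pass the data directory and the my.cnf / master.info / log paths used
    # on your host; none are hard-coded because they vary by platform.
    account, paths = sys.argv[1], sys.argv[2:]
    allowed = {0, pwd.getpwnam(account).pw_uid}  # root plus the MySQL account
    problems = [f for p in paths for f in audit_tree(p, allowed)]
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

The non-zero exit status on findings makes the script usable from cron or a configuration-management check.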
