Details
The [client] section of the MySQL configuration file allows a user and password to be set for client connections. Verify that the password option is not used in the global configuration file (my.cnf).
Rationale:
Using the password parameter may negatively impact the confidentiality of the user’s password.
Impact:
The global configuration is by default readable by all users on the system. This is needed for global defaults (prompt, port, socket, etc.). If a password is present in this file, then all users on the system may be able to access it.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
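Because the check has to be reviewed by hand, the following added example (not part of the benchmark or of Nessus) shows one way to audit an option file for a password in the [client] group. The function names and the sample file are constructed for illustration.

```shell
# Added example: audit a MySQL option file for 'password' in the [client] group.

# Print "file:line" for every password option in [client]; the value itself
# is never echoed. Group and option names are matched case-insensitively.
client_password_lines() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # group header, e.g. [client]
            grp = tolower($0)
            gsub(/[ \t]/, "", grp)
            sub(/\].*/, "]", grp)               # drop anything after "]"
            in_client = (grp == "[client]")
            next
        }
        in_client {
            line = tolower($0)
            if (line ~ /^[ \t]*password[ \t]*=/ || line ~ /^[ \t]*password[ \t]*$/)
                printf "%s:%d\n", FILENAME, FNR
        }
    ' "$1"
}

# Succeed if "other" has read permission on the file (POSIX find -perm).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Return 0 when the file is clean, 1 when a [client] password is present.
audit_option_file() {
    hits=$(client_password_lines "$1")
    [ -z "$hits" ] && return 0
    echo "FAIL: password option in [client]: $hits"
    world_readable "$1" && echo "      $1 is world-readable"
    return 1
}

# Constructed sample standing in for a global my.cnf.
sample=$(mktemp)
chmod 644 "$sample"
cat > "$sample" <<'EOF'
[mysqld]
port = 3306
[client]
user = appuser
# password = commented-out
password = constructed-example
EOF
audit_option_file "$sample" || echo "audit result: non-compliant"
```

To review a real system, call audit_option_file on the global my.cnf and on any files it pulls in through include directives, which this sketch does not follow.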
Solution
Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form.
If that is not possible, use the user-specific options file, .my.cnf, and restrict file access permissions to the user identity.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Unix.