Details
When configured to use a Keyring plugin, internal MySQL components and plugins may securely store sensitive information for later retrieval. Associated files for the selected keyring type should have proper permissions.
Rationale:
Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of internal MySQL component and plugin information.
Solution
If no keyring plugin or keyring file plugin is configured, instructions for configuring a keyring plugin or keyring file plugin may be found at:
KMIP – https://dev.mysql.com/doc/refman/8.0/en/keyring-okv-plugin.html#keyring-okv-configuration
OCI Vault – https://dev.mysql.com/doc/refman/8.0/en/keyring-oci-plugin.html
Hashicorp – https://dev.mysql.com/doc/refman/8.0/en/keyring-hashicorp-plugin.html#keyring-hashicorp-plugin-configuration
AWS – https://dev.mysql.com/doc/refman/8.0/en/keyring-aws-plugin.html#keyring-aws-plugin-configuration
Execute the following commands for each Keyring file location requiring corrected permissions:
chmod 750
chown mysql:mysql
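One way to check each keyring file location before and after applying the commands above, as an added example that is not part of the original benchmark text. It assumes GNU stat on Linux, the function names are hypothetical, and it treats any mode stricter than 750 (for example 640) as compliant.

```shell
#!/bin/sh
# Added example: audit keyring file locations against the 750 / mysql:mysql
# baseline. Assumes GNU coreutils stat; function names are hypothetical.

# check_keyring_perms PATH [OWNER:GROUP]
# Returns 0 when PATH is owned by OWNER:GROUP (default mysql:mysql) and its
# mode grants nothing beyond 750; prints a finding and returns 1 otherwise.
check_keyring_perms() {
    path=$1
    want_owner=${2:-mysql:mysql}
    rc=0

    if [ ! -e "$path" ]; then
        echo "MISSING $path" >&2
        return 1
    fi

    mode=$(stat -c '%a' "$path") || return 1
    owner=$(stat -c '%U:%G' "$path") || return 1

    # 07027 is every permission bit outside 0750: group write, all "other"
    # bits, and setuid/setgid/sticky. Any of them set is too permissive.
    if [ $(( 0$mode & 07027 )) -ne 0 ]; then
        echo "FAIL $path mode $mode exceeds 750"
        rc=1
    fi

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL $path owner $owner, expected $want_owner"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "PASS $path mode $mode owner $owner"
    fi
    return "$rc"
}

# Check every path passed in; a non-zero return means at least one finding.
audit_keyring_paths() {
    failed=0
    for p in "$@"; do
        check_keyring_perms "$p" || failed=1
    done
    return "$failed"
}

# Usage: sh this_script.sh <keyring file location> [...]
if [ "$#" -gt 0 ]; then audit_keyring_paths "$@"; fi
```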
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Media Protection. This control applies to the following type of system: Unix.