MySQL Configuration

Once the users and privileges have been resolved, there are a few other configuration changes you may wish to make, in order to tighten things up a little more.

  1. Enable logging via the --log option.

    The “general query log” is considered a debugging feature in the MySQL documentation, but you may prefer to use the feature as a routine part of your security posture. It logs successful connections and every query that executes. It doesn't log the results of those queries, or the data that was returned, but it does give you a good idea of who has been doing what on your database, so it may be a worthwhile configuration change. The query log is not enabled by default; you'll have to turn it on using the --log option.

    Bear in mind that as well as being an invaluable resource for an administrator, a full query log is an excellent source of information to an attacker. If the log is large, it may contain passwords or other sensitive information. You should ensure that the log file is visible only to MySQL and to the Administrator (or root) account on the system in question.

    Another interesting point about the query log is that any account that has FILE privilege (file_priv) can of course read the log file by executing a statement like

    select load_file('query.log');

    (assuming the log file is named query.log). This is another fine reason to avoid giving people FILE privilege.

  2. Disable the LOAD DATA LOCAL INFILE command by adding set-variable=local-infile=0 to the my.cnf ...
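The following audit script is an added example, not from the book: it parses the [mysqld] section of a my.cnf, checks that local-infile is off and the query log is on, and confirms the log file grants nothing to group or other, as the text recommends. The sample config and log file it creates are constructed for the demonstration; general_log is the name the --log option carries in later MySQL releases and is accepted as an alternative.

```shell
#!/bin/sh
# Added example, not from the book: audit a my.cnf and a query-log file against the
# two points above. Assumes standard my.cnf section syntax and POSIX sh/awk/ls.

# Print "name=value" for every option in the [mysqld] section, with comments and
# blanks removed, the legacy "set-variable=" prefix dropped and '-' unified to '_'
# in option names, so "set-variable=local-infile=0" and "local_infile=0" compare equal.
mysqld_options() {
  awk '
    /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
    in_mysqld {
      sub(/#.*/, ""); gsub(/[ \t]/, "")
      if ($0 == "") next
      sub(/^set-variable=/, "")
      n = index($0, "=")
      name = n ? substr($0, 1, n - 1) : $0
      val  = n ? substr($0, n + 1) : ""
      gsub(/-/, "_", name)
      print name "=" val
    }' "$1"
}
# Exit 0 if LOAD DATA LOCAL INFILE is switched off for the server.
local_infile_disabled() {
  mysqld_options "$1" | grep -qxE 'local_infile=(0|OFF|off)'
}

# Exit 0 if the general query log is on: the "log" option from the text, or
# general_log=1/ON, the name the option carries in later MySQL releases.
general_log_enabled() {
  mysqld_options "$1" | grep -qE '^log(=|$)|^general_log=(1|ON|on)$'
}

# Exit 0 if the log file grants nothing to group or other, i.e. only its owner
# (the mysql account) and root can read it.
logfile_private() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report all three checks for one config file and one log file.
audit() {
  local_infile_disabled "$1" && echo "OK   local-infile disabled" || echo "WARN local-infile still enabled"
  general_log_enabled   "$1" && echo "OK   query log enabled"     || echo "WARN query log not enabled"
  logfile_private       "$2" && echo "OK   log readable by owner only" || echo "WARN log readable by others"
}
# Constructed demo files (not real server files); the config mirrors the text above.
d=$(mktemp -d)
printf '[mysqld]\nlog=/var/log/mysql/query.log\nset-variable=local-infile=0\n' > "$d/my.cnf"
: > "$d/query.log"; chmod 600 "$d/query.log"
audit "$d/my.cnf" "$d/query.log"
```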
