[debian-mysql] MySQL "hardening?"

Norvald H. Ryeng norvald.ryeng at oracle.com
Mon Apr 13 13:26:57 UTC 2015


On Mon, 13 Apr 2015 13:48:18 +0200, Ralf G. R. Bergs <Ralf+Debian at bergs.biz> wrote:

> Hi Otto.
>
> On 2015-04-05 22:03 , Otto Kekäläinen wrote:
>> 2015-04-04 14:54 GMT+03:00 Ralf G. R. Bergs <Ralf+Debian at bergs.biz>:
>>> What I was thinking about -- and sorry for not being more specific -- is
>>> "config hardening" in a way that "dangerous" features might be disabled by
>>> default (e. g. might only listen on Unix domain socket and not TCP socket by
>>> default, or if TCP socket is active by default the daemon might only bind to
>>> the loopback interface), rate limiting and other usage restrictions
>>> (ulimit?) might be enabled for the pre-defined MySQL database users or the
>>> MySQL system user to prevent DoS attacks, etc.
>> The my.cnf distributed in Debian (and used at the moment by both
>> mysql-5.5 and mariadb-10.0) can be seen here:
>> https://anonscm.debian.org/cgit/pkg-mysql/mysql-5.5.git/tree/debian/additions/my.cnf
> Thanks. But I was hoping that you guys documented somewhere which
> improvements (if any) you might have performed compared to the original
> "factory" default config. So that I can sell this as an "extra" to our
> security guys who are asking what kind of hardening Debian does...

It depends on what you mean by factory default. AFAIK, the config is
pretty much the same in upstream deb packages and in Debian. That is not
the same as the compiled-in defaults, though. E.g., both upstream debs and
Debian set bind-address to 127.0.0.1 in my.cnf, but the compiled-in
default (both upstream and in Debian) is 0.0.0.0 (i.e., listen on all IPv4
addresses).

Regards,

Norvald H. Ryeng
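The distinction Norvald draws above (a my.cnf that sets bind-address to 127.0.0.1 versus a compiled-in default of 0.0.0.0 that applies whenever the option is absent) is easy to get wrong during an audit, because a config file that simply never mentions bind-address is the exposed case. The following script is an added example and is not part of this thread or of the Debian packaging; it reads the [mysqld] section of an option file and classifies the server's listening posture using only the real mysqld options bind-address and skip-networking. The sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a mysqld option file
# exposes the server on the network, using two well-known mysqld options:
#   skip-networking  -> TCP listener disabled, Unix domain socket only
#   bind-address     -> address the TCP listener binds to
# An absent bind-address means the compiled-in default applies (0.0.0.0,
# as stated in the thread), so that case is reported as "all".

mysql_listen_posture() {
    cfg="$1"
    awk '
        # Track whether the current line is inside the [mysqld] section.
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        !insec { next }
        /^[ \t]*[#;]/ { next }                 # whole-line comment
        {
            line = $0
            sub(/[ \t]*[#;].*$/, "", line)    # trailing comment
            gsub(/[ \t]/, "", line)           # spaces around "="
            if (line == "") next
            key = line; sub(/=.*/, "", key)
            val = ""
            if (line ~ /=/) { val = line; sub(/^[^=]*=/, "", val) }
            gsub(/_/, "-", key)               # mysqld accepts either spelling
            if (key == "skip-networking" && (val == "" || val == "1" || tolower(val) == "on"))
                skip = 1
            if (key == "bind-address") bind = val
        }
        END {
            if (skip) print "unix-only"
            else if (bind == "" || bind == "0.0.0.0" || bind == "::" || bind == "*") print "all"
            else if (bind == "127.0.0.1" || bind == "::1" || bind == "localhost") print "loopback"
            else print "other"
        }' "$cfg"
}

# Constructed sample option files for the demonstration.
demo_dir=$(mktemp -d)
cat > "$demo_dir/debian-style.cnf" <<'EOF'
[client]
port = 3306
[mysqld]
user = mysql
bind-address = 127.0.0.1   # what the Debian my.cnf sets
EOF
cat > "$demo_dir/compiled-default.cnf" <<'EOF'
[mysqld]
user = mysql
EOF
cat > "$demo_dir/socket-only.cnf" <<'EOF'
[mysqld]
skip_networking
EOF

for f in "$demo_dir"/*.cnf; do
    printf '%-22s %s\n' "$(basename "$f")" "$(mysql_listen_posture "$f")"
done
rm -rf "$demo_dir"
```

Run it against /etc/mysql/my.cnf (and any files pulled in by !includedir, which this script does not follow) to see whether the file actually overrides the compiled-in default; "all" on a file that never mentions bind-address is the case the thread is warning about. A config check is only half the picture: confirm the live listener with `ss -ltnp` as well, since a later option file or command-line flag can override what this file says.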
