Hey,
Can the root@localhost password for mysql be changed or will that cause problems in Nagios XI or future upgrades?
Thanks,
Dave
Changing the mysql root password
Re: Changing the mysql root password
I'll ask tomorrow.
Are you planning on exposing mysql via TCP? Local access is considered root/admin with Nagios XI. In some cases passwords appear in ps output, for example. If you can get ps output or open your own local domain sockets, you effectively have access rights greater than any of the code that would use the MySQL password.
So in short, if you are logged into a shell then your access privileges would allow you to read the MySQL admin password... Regardless of what it was changed to.
I'd like to hear about any security constraints you would like to satisfy and their "political" importance. I have a list of my own that I do plan on working on, but securing SQL access is over the horizon currently. Your time would likely be better spent working on the lower hanging fruit.
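The point above about passwords appearing in ps output can be audited on a host. This is an added example, not part of the original post and not Nagios code; it assumes a Linux /proc layout, and the client list and sample command lines are constructed for illustration:

```python
import os
import re

# MySQL client programs to inspect (assumed list; extend for your host).
MYSQL_CLIENTS = {"mysql", "mysqldump", "mysqladmin", "mysqlcheck"}
# -pVALUE or --password=VALUE; a bare -p / --password prompts and exposes nothing.
PASSWORD_ARG = re.compile(r"(-p|--password=)(.+)", re.S)

def password_args(argv):
    """Return (index, flag, masked) for each argv entry carrying a password."""
    if not argv or os.path.basename(argv[0]) not in MYSQL_CLIENTS:
        return []
    hits = []
    for i, arg in enumerate(argv[1:], start=1):
        m = PASSWORD_ARG.fullmatch(arg)
        if m:
            # MySQL clients overwrite the value with 'x' once they have parsed it,
            # so a masked value still means it was readable at start-up.
            hits.append((i, m.group(1), set(m.group(2)) == {"x"}))
    return hits

def redact(argv):
    """Copy of argv that is safe to log: password values replaced."""
    out = list(argv)
    for i, flag, _ in password_args(argv):
        out[i] = flag + "<redacted>"
    return out

def scan_proc(proc="/proc"):
    """List (pid, redacted argv) for processes readable under a Linux /proc."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                raw = fh.read().decode(errors="replace")
        except OSError:
            continue  # process exited, or not readable by this user
        argv = raw.rstrip("\0").split("\0")
        if password_args(argv):
            findings.append((int(pid), redact(argv)))
    return findings

# Constructed sample command lines (not taken from any real host).
SAMPLES = [
    ["/usr/bin/mysql", "-u", "root", "-pExamplePass1", "exampledb"],
    ["mysqldump", "--password=ExamplePass1", "exampledb"],
    ["mysql", "-u", "root", "-pxxxxxxxx"],          # value already masked
    ["mysql", "-u", "root", "-p", "-P", "3306"],    # prompts: nothing exposed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(password_args(sample), redact(sample))
    print(scan_proc())
```

Any hit points at a script or cron job that should read the credential from a client option file with restrictive permissions instead of the command line.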
Re: Changing the mysql root password
No, it isn't exposed to the general internet and is locked down at the perimeter and the local host. Really the requirement I'm trying to fill is for compliance (not default passwords in installed software). Thanks.
Dave
Re: Changing the mysql root password
Seems like the requirement needs to have a more explicit conditional to exclude the general cases. You could instead use a copy of MySQL that ignores any data supplied in the password field. That way MySQL would be covered under whatever rule excludes applications like tar, cat, ls and libDB/SQLite.
I will bring up not having a default password to satisfy this requirement for you.
Re: Changing the mysql root password
Thanks! I think my last post should have read "No default passwords in installed software". The guideline given is that if the password for a user in the software is known to the public (for example "admin" "admin") then it needs to be changed from the default. I think we should be ok for now. Thanks.
Re: Changing the mysql root password
FYI, the default mysql password is 'nagiosxi' (no quotes). We'll make sure any DB upgrade script in future releases asks you for the MySQL password before upgrading schemas, so it should be safe to modify it.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Ethan Galstad
President