Changing the mysql root password
Posted: Mon Apr 05, 2010 12:20 pm
by edgeweb
Hey,
Can the root@localhost password for mysql be changed or will that cause problems in Nagios XI or future upgrades?
Thanks,
Dave
Re: Changing the mysql root password
Posted: Mon Apr 05, 2010 6:56 pm
by mmestnik
I'll ask tomorrow.
Are you planning on exposing mysql via TCP? Local access is considered root/admin with Nagios XI. In some cases passwords appear in ps output, for example. If you can get ps output or open your own local domain sockets, you effectively have access rights greater than any of the code that would use the MySQL password.
So in short, if you are logged into a shell then your access privileges would allow you to read the MySQL admin password... Regardless of what it was changed to.
I'd like to hear about any security constraints you would like to satisfy and their "political" importance. I have a list of my own that I do plan on working on, but securing SQL access is over the horizon currently. Your time would likely be better spent working on the lower hanging fruit.
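Added example, not part of the thread or of Nagios XI: a defender-side check for the point in the post above that passwords can appear in ps output. It reads lines in the form produced by `ps -eo pid,args` and reports MySQL client commands whose arguments carry a password, with the value redacted; the sample lines, passwords and database name are constructed.

```shell
# Constructed sample in "PID COMMAND ARGS..." form (not real process data).
SAMPLE_PS='  812 /usr/sbin/mysqld --port=3306 --pid-file=/var/run/mysqld/mysqld.pid
 4410 mysql -u root -pExamplePw1 exampledb
 4422 /usr/bin/mysqldump --user=root --password=ExamplePw2 exampledb
 4430 mysql -u root -p exampledb
 4501 sshd: dave@pts/0'

# Reads ps-style lines on stdin and prints "PID<TAB>command" for every
# MySQL tool invocation that has a password value in its argument list.
# The value itself is replaced so the report does not leak it again.
find_cli_passwords() {
    awk '
    {
        hit = 0; seen = 0; out = ""
        for (i = 2; i <= NF; i++) {
            arg = $i
            if (!seen) {
                # Look for a token whose basename is a mysql* tool,
                # so wrappers such as "sh -c mysql ..." are covered too.
                n = split(arg, parts, "/")
                if (parts[n] ~ /^mysql/) seen = 1
            } else if (arg ~ /^--password=./) {
                arg = "--password=[REDACTED]"; hit = 1
            } else if (arg ~ /^-p./) {
                # "-p" alone only prompts; "-pVALUE" embeds the secret.
                arg = "-p[REDACTED]"; hit = 1
            }
            out = out (i > 2 ? " " : "") arg
        }
        if (hit) print $1 "\t" out
    }'
}

# Live use on a host:  ps -eo pid,args | find_cli_passwords
printf '%s\n' "$SAMPLE_PS" | find_cli_passwords
```

Any hit means a script or operator is passing the password as an argument; moving it to an option file readable only by the owning user (for example `~/.my.cnf` with mode 600) keeps it out of the process list.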
Re: Changing the mysql root password
Posted: Tue Apr 06, 2010 9:45 am
by edgeweb
No, it isn't exposed to the general internet and is locked down at the perimeter and the local host. Really the requirement I'm trying to fill is for compliance (not default passwords in installed software). Thanks.
Dave
Re: Changing the mysql root password
Posted: Tue Apr 06, 2010 12:07 pm
by mmestnik
Seems like the requirement needs to have a more explicit conditional to exclude the general cases. You could instead use a copy of MySQL that ignores any data supplied in the password field. That way MySQL would be covered under whatever rule excludes applications like tar, cat, ls and libDB/SQLite.
I will bring up not having a default password to satisfy this requirement for you.
Re: Changing the mysql root password
Posted: Tue Apr 06, 2010 12:11 pm
by edgeweb
Thanks! I think my last post should have read "No default passwords in installed software". The guideline given is that if the password for a user in the software is known to the public (for example "admin" "admin") then it needs to be changed from the default. I think we should be ok for now. Thanks.
Re: Changing the mysql root password
Posted: Tue Apr 06, 2010 12:36 pm
by admin
FYI, the default mysql password is 'nagiosxi' (no quotes). We'll make sure any DB upgrade script in future releases asks you for the MySQL password before upgrading schemas, so it should be safe to modify it.