Hi,
My security team wants to apply these 3 points to MySQL. If we do that, will it cause problems with Nagios XI? I would like your advice on each point, please.
1. Logging – log_bin
For that point, this is what the security team asked for, modifying /etc/my.cnf.d/mysql-server.cnf this way:
REMOVE:
disable_log_bin
ADD:
log-bin=/var/lib/mysql/logs/binlog
binlog-format=ROW
binlog_expire_logs_seconds=604800
max_binlog_size=64M
2. Protecting Resources – Binary logs enabled as per point 1
chown mysql:mysql /var/lib/mysql/*.log
chown -R mysql:mysql /var/lib/mysql/logs/
chmod 660 /var/lib/mysql/*.log
chmod -R 660 /var/lib/mysql/logs/
3. Protecting Resources – MySQL configuration files
For that point, this is what the security team asked for:
chown mysql:mysql /etc/my.cnf
chown mysql:mysql /etc/my.cnf.d/*.cnf
chmod 660 /etc/my.cnf
chmod 660 /etc/my.cnf.d/*.cnf
supported or not for this change to mysql
DoubleDoubleA
Re: supported or not for this change to mysql
Hi @steph007,
A couple of recommendations off the top. First, if you are not running your Nagios XI test instance, get that going and first try these changes there. Second, definitely make a backup of my.cnf you can roll back to if you find problems. Third, be ready to put in a full support ticket around this if you need to.
Full disclosure, for what we can do on the forum vs a support ticket, my answer is what I believe to be true, but I have not conducted any testing.
On point 1, should not be a problem, you are simply adding logging as far as I can see.
On point 2, should not be a problem since we'd expect the mysql user to be writing the logs.
On point 3, XI may, on install and/or upgrade, make some changes to my.cnf, though in those cases it would be as root, so those proposed settings would not appear to be a blocker to that process.
Test!
Aaron
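
A check to run on the test instance before applying point 2, as an added example that is not part of the thread: `chmod -R 660` on /var/lib/mysql/logs/ also sets the directory itself to 660, which drops its search (x) bit. The script reproduces that on a constructed throwaway tree and contrasts it with separate modes for directories and files; the function names are hypothetical and 750 for directories is an assumption, not something the security team specified.

```shell
#!/bin/sh
# Added example. Works on a constructed temp tree, never on the real /var/lib/mysql/logs.

# Build a throwaway tree that stands in for the binlog directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/logs"
    : > "$root/logs/binlog.000001"
    : > "$root/logs/binlog.index"
    printf '%s\n' "$root"
}

# Octal mode of a path (GNU stat, as found on the Linux hosts Nagios XI runs on).
mode_of() { stat -c '%a' "$1"; }

# The command from point 2: one mode for the directory and its files alike.
apply_recursive_660() {
    # A non-root caller cannot descend once the directory loses x, so ignore that error.
    chmod -R 660 "$1" 2>/dev/null || true
}

# Alternative (assumed modes): directories keep the search bit, files get 660.
apply_split_modes() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 660 {} +
}

# True when the owner digit of the mode includes the search/execute bit.
dir_has_owner_search() {
    case $(mode_of "$1") in
        *[1357]??) return 0 ;;
        *)         return 1 ;;
    esac
}

# Demo run on the constructed tree.
demo=$(make_sample_tree)
apply_recursive_660 "$demo/logs"
echo "after chmod -R 660: dir mode $(mode_of "$demo/logs")"
chmod 700 "$demo/logs"            # restore access so the next step can descend
apply_split_modes "$demo/logs"
echo "after split modes:  dir mode $(mode_of "$demo/logs"), file mode $(mode_of "$demo/logs/binlog.index")"
rm -rf "$demo"
```

Without the search bit on the directory, a non-root account such as mysql cannot open the files inside it, so compare `stat -c '%a %U:%G %n' /var/lib/mysql/logs` before and after the change on the test instance.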