Nagios Support Forum

Hi,

My security team want to do those 3 points here for mysql. If we do that, does it will cause problem with Nagios XI? I would like your advice for each point please

1. Logging – log_bin
For that point, this is what the security asked by modifying /etc/my.cnf.d/mysql-server.cnf that way:
REMOVE:
disable_log_bin
ADD:
log-bin=/var/lib/mysql/logs/binlog
binlog-format=ROW
binlog_expire_logs_seconds=604800
max_binlog_size=64M


2. Protecting Resources – Binary logs enabled as per point 1
chown mysql:mysql /var/lib/mysql/*.log
chown -R mysql:mysql /var/lib/mysql/logs/
chmod 660 /var/lib/mysql/*.log
chmod -R 660 /var/lib/mysql/logs/


3. Protecting Resources – MySQL configuration files
For that point, this is what the security asked for:
chown mysql:mysql /etc/my.cnf
chown mysql:mysql /etc/my.cnf.d/*.cnf
chmod 660 /etc/my.cnf
chmod 660 /etc/my.cnf.d/*.cnf

Hi @steph007,

A couple of recommendations off the top. First, if you are not running your Nagios XI test instance, get that going and first try these changes there. Second, definitely make a backup of my.cnf you can roll back to if you find problems. Third, be ready to put in a full support ticket around this if you need to.

Full disclosure, for what we can do on the forum vs a support ticket, my answer is what I believe to be true, but I have not conducted any testing.

On point 1, should not be a problem, you are simply adding logging as far as I can see.
On point 2, should not be a problem since we'd expect the mysql user to be writing the logs.
On point 3, XI may, on install and/or upgrade, make some changes to my.cnf, though in those cases it would be as root, so those proposed settings would not appear to be a blocker to that process.

Test!

Aaron