From 9a3844aac6d1fcfa7118ef94253a16faaaeebc37 Mon Sep 17 00:00:00 2001
From: "rajesh.kudaka"
Date: Fri, 21 Aug 2020 02:15:41 -0500
Subject: [PATCH] mariadb security best practice fixes
This commit ensures the below mariadb settings with reference to [0]:
- 'local_infile' Is Disabled
- 'have_symlink' Is Disabled
- 'secure_file_priv' Is Not Empty
- 'sql_mode' Contains 'STRICT_ALL_TABLES'
[0] https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/general-security-issues.html
Change-Id: I701b9bc2bdfb91d67aef91e88f953a09ac72d8be
---
 mariadb/Chart.yaml | 2 +-
 mariadb/values.yaml | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/mariadb/Chart.yaml b/mariadb/Chart.yaml
index f8517818..c921e645 100644
--- a/mariadb/Chart.yaml
+++ b/mariadb/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v10.2.31
 description: OpenStack-Helm MariaDB
 name: mariadb
-version: 0.1.1
+version: 0.1.2
 home: https://mariadb.com/kb/en/
 icon: http://badges.mariadb.org/mariadb-badge-180x60.png
 sources:
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index c19987a1..b751472d 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -365,6 +365,16 @@ conf:
 max_connections=8192
 max-connect-errors=1000000
+ # General security settings
+ # Reference: https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/general-security-issues.html
+ # secure_file_priv is set to '/home' because it is read-only, which will
+ # disable this feature completely.
+ secure_file_priv=/home
+ local_infile=0
+ symbolic_links=0
+ sql_mode="STRICT_ALL_TABLES,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
+
+
 ## Generally, it is unwise to set the query cache to be larger than 64-128M
 ## as the costs associated with maintaining the cache outweigh the performance
 ## gains.
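Review bot: The comment above `secure_file_priv=/home` in mariadb/values.yaml overstates the effect: the option confines LOAD DATA INFILE, SELECT ... INTO OUTFILE and LOAD_FILE() to that directory rather than disabling them, and a read-only directory only blocks the write side. Any file under /home that the server account can read stays loadable by a user holding the FILE privilege, and whether /home is read-only at all depends on the image and the pod's security context, neither of which is visible in this hunk. I would point the option at a dedicated empty directory, `secure_file_priv=<empty-dir-not-writable-by-mysqld>`, and reword the comment to `# secure_file_priv confines file import/export to this directory; it is kept empty and non-writable so nothing can be read or written through it.` The surrounding my.cnf template starts and ends outside the hunk.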