mariadb security best practice fixes

This commit ensures the below mariadb settings with reference to [0]: - 'local_infile' Is Disabled - 'have_symlink' Is Disabled - 'secure_file_priv' Is Not Empty - 'sql_mode' Contains 'STRICT_ALL_TABLES' [0] https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/general-security-issues.html Change-Id: I701b9bc2bdfb91d67aef91e88f953a09ac72d8be
2020-08-21 02:15:41 -05:00 · 2020-08-21 02:15:41 -05:00 · 9a3844aac6
commit 9a3844aac6
parent b3cea56e55
2 changed files with 11 additions and 1 deletions
--- a/mariadb/Chart.yaml
+++ b/mariadb/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v10.2.31
 description: OpenStack-Helm MariaDB
 name: mariadb
-version: 0.1.1
+version: 0.1.2
 home: https://mariadb.com/kb/en/
 icon: http://badges.mariadb.org/mariadb-badge-180x60.png
 sources:
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@ -365,6 +365,16 @@ conf:
      max_connections=8192
      max-connect-errors=1000000

+      # General security settings
+      # Reference: https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/general-security-issues.html
+      # secure_file_priv is set to '/home' because it is read-only, which will
+      # disable this feature completely.
+      secure_file_priv=/home
+      local_infile=0
+      symbolic_links=0
+      sql_mode="STRICT_ALL_TABLES,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
+
+
      ## Generally, it is unwise to set the query cache to be larger than 64-128M
      ## as the costs associated with maintaining the cache outweigh the performance
      ## gains.