Comment 0 for bug 2060644
Gaetan Gouzi (ggouzi) wrote : Default mysql login /bin/sh not compliant with hardening rule 5.2.4.7

When trying to harden a unit with mysql-router subordinate charm, the audit fails on rule `xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts`: "Ensure that System Accounts Do Not Run a Shell Upon Login"

Indeed, the mysql user account has a /bin/sh shell associated. It should be /sbin/nologin for security standards.

Attached initial usg report.
- Version: 8.0.36
- Revision: 154

CIS hardening suggests the following script to check which user accounts need to be fixed:
```
#!/usr/bin/env bash
{
# Build a regex of valid login shells from /etc/shells, dropping any whose basename is "nologin".
l_valid_shells="^($(awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
# Report accounts that are system accounts (UID below UID_MIN from /etc/login.defs, or UID 65534),
# are not one of the exempt users (root, halt, sync, shutdown, nfsnobody), and still have a valid login shell.
awk -v pat="$l_valid_shells" -F: '($1!~/^(root|halt|sync|shutdown|nfsnobody)$/ && ($3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' || $3 == 65534) && $(NF) ~ pat) {print "Service account: \"" $1 "\" has a valid shell: " $7}' /etc/passwd
}
```

Output is:
```
Service account: "mysql" has a valid shell: /bin/sh
```

Do we have a good reason to keep /bin/sh for the mysql account that would justify the rationale for breaking this rule?
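As an added example (not part of the bug report, the CIS benchmark or the mysql-router charm), the same check as the awk one-liner above, written in Python so each step is visible and so it can be run against constructed sample files rather than the live system. The `/etc/shells`, `/etc/login.defs` and `/etc/passwd` contents below are constructed samples; the `mysql` entry mirrors the finding in the report, and the `svc` account is a second hypothetical service account added to show the general case. The remediation strings assume `/usr/sbin/nologin` as the nologin path, which is what Debian/Ubuntu ship.

```python
import os
import re
from typing import List, Set, Tuple

# Constructed sample inputs (not taken from the bug report or a real host).
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/bash
/usr/sbin/nologin
"""

SAMPLE_LOGIN_DEFS = """\
# fragment of /etc/login.defs
UID_MIN   1000
UID_MAX  60000
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
mysql:x:113:120:MySQL Server,,,:/nonexistent:/bin/sh
svc:x:999:999:hypothetical service:/var/lib/svc:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
"""

# Accounts the CIS check exempts by name, and the UID it treats as a system account regardless of UID_MIN.
EXEMPT_USERS = {"root", "halt", "sync", "shutdown", "nfsnobody"}
NOBODY_UID = 65534


def valid_login_shells(shells_text: str) -> Set[str]:
    """Shells listed in /etc/shells, minus any whose basename is 'nologin' (mirrors the awk/sed pipeline)."""
    shells = set()
    for line in shells_text.splitlines():
        line = line.strip()
        if not line.startswith("/"):
            continue  # comments and blank lines
        if os.path.basename(line) == "nologin":
            continue
        shells.add(line)
    return shells


def uid_min(login_defs_text: str, default: int = 1000) -> int:
    """UID_MIN from /etc/login.defs; falls back to 1000 if the key is absent."""
    for line in login_defs_text.splitlines():
        m = re.match(r"^\s*UID_MIN\s+(\d+)", line)
        if m:
            return int(m.group(1))
    return default


def service_accounts_with_shell(passwd_text: str, shells: Set[str], min_uid: int) -> List[Tuple[str, str]]:
    """Return (user, shell) for system accounts that still have a valid login shell."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; skip rather than crash the audit
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        if user in EXEMPT_USERS:
            continue
        is_system = uid < min_uid or uid == NOBODY_UID
        if is_system and shell in shells:
            findings.append((user, shell))
    return findings


def remediation(findings: List[Tuple[str, str]], nologin: str = "/usr/sbin/nologin") -> List[str]:
    """usermod commands that would bring each finding into compliance (assumed nologin path)."""
    return [f"usermod -s {nologin} {user}" for user, _ in findings]


def audit_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed samples; returns [('mysql', '/bin/sh'), ('svc', '/bin/bash')]."""
    return service_accounts_with_shell(
        SAMPLE_PASSWD, valid_login_shells(SAMPLE_SHELLS), uid_min(SAMPLE_LOGIN_DEFS)
    )


if __name__ == "__main__":
    found = audit_sample()
    for user, shell in found:
        print(f'Service account: "{user}" has a valid shell: {shell}')
    for cmd in remediation(found):
        print("fix:", cmd)
```

Note that `daemon` and `nobody` are not reported even though they are system accounts, because their shell is `nologin` and so never enters the valid-shell set; that is the condition the rule expects every service account, `mysql` included, to satisfy.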