The default MySQL settings for Report Center are very convenient for an initial set up, but they may not ideal for the final implementation. For example, the mysql root password is empty by default, so anyone with access to the server machine (directly, or through the network) can readily compromise the data. The same situation happens with Report Center, itself.

The following table shows which settings should be changed for the final installation:

Action CodeObjectPlatformActionDefault SettingSeverity
CONF-1DTP operating system user accountLinuxChange password"grs"high
CONF-2MySQL root account

Windows

Linux

Change password

Change access privileges

no passwordhigh
CONF-3MySQL Report Center account

Windows

Linux

Change password

Change access privileges

"report center"high
CONF-6DTP administration account

Windows

Linux

Change password"admin"high

Additional Information

CONF-1: Without changing the DTP user account, an unauthorized person who knows the default password can log in and delete all software, backups, and undo anything else done under that user account.

CONF-2, CONF-3: Access to MySQL accounts should be limited as much as possible. Ideally, you would allow a root connection only from the machine where MySQL is installed. A Report Center connection should be possible from the machine where the Report Center software (both DTP Server and Data Collector) is running because both of these processes require access to the database as user “grs”. The "grs" user must also be able to connect using the Report Center web interface. If the machine is not defined and connection can be initiated from various machines, then security restrictions should not limit connections from remote machines, or they should limit it to a local subnet. In all cases, the access password should be changed for both accounts. Leaving the connection to database wide open may cause unauthorized access and damage of data stored.

CONF-6: The administrator account should not be widely available. The DTP administrator can grant and revoke access to reports, add and remove users and groups, and access system maintenance tools.

  • No labels