The default MySQL settings for Report Center are very convenient for an initial set up, but they may not ideal for the final implementation. For example, the mysql root password is empty by default, so anyone with access to the server machine (directly, or through the network) can readily compromise the data. The same situation happens with Report Center, itself.
The following table shows which settings should be changed for the final installation:
| Action Code | Object | Platform | Action | Default Setting | Severity |
|---|---|---|---|---|---|
| CONF-1 | DTP operating system user account | Linux | Change password | "grs" | high |
| CONF-2 | MySQL root account | Windows Linux | Change password Change access privileges | no password | high |
| CONF-3 | MySQL Report Center account | Windows Linux | Change password Change access privileges | "report center" | high |
| CONF-6 | DTP administration account | Windows Linux | Change password | "admin" | high |
Additional Information
CONF-1: Without changing the DTP user account, an unauthorized person who knows the default password can log in and delete all software, backups, and undo anything else done under that user account.
CONF-2, CONF-3: Access to MySQL accounts should be limited as much as possible. Ideally, you would allow a root connection only from the machine where MySQL is installed. A Report Center connection should be possible from the machine where the Report Center software (both DTP Server and Data Collector) is running because both of these processes require access to the database as user “grs”. The "grs" user must also be able to connect using the Report Center web interface. If the machine is not defined and connection can be initiated from various machines, then security restrictions should not limit connections from remote machines, or they should limit it to a local subnet. In all cases, the access password should be changed for both accounts. Leaving the connection to database wide open may cause unauthorized access and damage of data stored.
CONF-6: The administrator account should not be widely available. The DTP administrator can grant and revoke access to reports, add and remove users and groups, and access system maintenance tools.
