mariadb-hardened-fips
MariaDB Hardened FIPS
Secure your stack with a CIS-hardened MariaDB FIPS validated image freshly-built by Minimus. Minimus images always include the most up-to-date package version for all packages and dependencies contained in the image.
MariaDB-Hardened-FIPS is intended for regulated workloads or any production deployment. The image delivers all controls that can be baked into the image and requires additional runtime checks to pass a CIS audit.
About Minimus Hardened Images
Minimus Hardened images provide secure by default configurations that comply with CIS Benchmarks. The CIS Benchmark for MariaDB is a consensus-based security hardening guide that is aligned with industry standards and defines recommended configuration settings, access controls, and operational practices to reduce the attack surface. Review the compliance report to see the special audit report.
Notes:
- The image’s default configuration file enforces many CIS MariaDB hardening controls. Exercise caution when overriding this file, as custom configurations may inadvertently weaken or negate CIS compliance.
- Full CIS benchmark compliance requires additional post-deployment runtime validations that are out of scope for Minimus.
FIPS 140-3 Certification
This image is FIPS-validated to ensure its cryptographic operations meet the Federal Information Processing Standards (FIPS) required for secure government and regulated environments. Its core cryptographic modules are validated under the NIST Cryptographic Module Validation Program (CMVP) and comply with the FIPS 140-3 standard.
To verify that the FIPS 140-3 provider is configured and active, follow the instructions in the FIPS compliance tab.
Try It Out
Take the Minimus MariaDB Hardened FIPS image for a test run. The image's CIS password policy requires a strong root password with a minimum of 14 characters:
docker run -d --name minimus-mariadb-hardened \
  -e MARIADB_ROOT_PASSWORD='ChangeMe-Now#2026!' \
  reg.mini.dev/mariadb-hardened-fips
Open an interactive shell in your running container:
docker exec -it minimus-mariadb-hardened sh
Then log into the database:
mariadb -u root -p
Submit the password you set when you ran the container. Once logged in you should see MariaDB status messages such as:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 11.4.x-MariaDB MariaDB Server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Verify that CIS hardening is active
Run these from the MariaDB shell to confirm the hardening plugins are loaded and locked:
SELECT PLUGIN_NAME, PLUGIN_STATUS, LOAD_OPTION
FROM information_schema.plugins
WHERE PLUGIN_NAME IN (
  'simple_password_check',
  'cracklib_password_check',
  'password_reuse_check',
  'server_audit'
);
Every row should report PLUGIN_STATUS = ACTIVE and LOAD_OPTION = FORCE_PLUS_PERMANENT.
Then verify the most-visible server settings:
SHOW VARIABLES WHERE Variable_name IN (
  'tls_version', 'local_infile', 'secure_file_priv',
  'symbolic_links', 'sql_mode', 'log_warnings',
  'default_password_lifetime', 'max_connections', 'max_user_connections'
);
You should see tls_version = TLSv1.2,TLSv1.3, local_infile = OFF, sql_mode containing STRICT_ALL_TABLES, and so on.
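The two checks above can be run unattended, for example in a deployment pipeline. The following is an added example, not part of the Minimus image or documentation: the function names are hypothetical, and it assumes each query's output was captured in the client's batch mode (`mariadb -N -B`), which prints tab-separated rows without a header.

```shell
#!/bin/sh
# Added example. Input: batch-mode output (mariadb -N -B), one row per line,
# tab-separated. Expected values are the ones stated on this page.

# stdin rows: PLUGIN_NAME <TAB> PLUGIN_STATUS <TAB> LOAD_OPTION
check_plugins() {
  awk -F '\t' '
    BEGIN { n = split("simple_password_check cracklib_password_check password_reuse_check server_audit", want, " ") }
    { k = tolower($1); status[k] = toupper($2); opt[k] = toupper($3) }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        p = want[i]
        if (!(p in status)) { print "MISSING " p; bad = 1 }
        else if (status[p] != "ACTIVE" || opt[p] != "FORCE_PLUS_PERMANENT") {
          print "WEAK " p " " status[p] " " opt[p]; bad = 1
        }
      }
      exit bad
    }'
}

# stdin rows: Variable_name <TAB> Value
check_variables() {
  awk -F '\t' '
    { val[tolower($1)] = $2 }
    END {
      bad = 0
      if (toupper(val["local_infile"]) != "OFF") { print "FAIL local_infile=" val["local_infile"]; bad = 1 }
      if (index(val["sql_mode"], "STRICT_ALL_TABLES") == 0) { print "FAIL sql_mode lacks STRICT_ALL_TABLES"; bad = 1 }
      n = split(val["tls_version"], tls, ",")
      if (n == 0) { print "FAIL tls_version not reported"; bad = 1 }
      for (i = 1; i <= n; i++)
        if (tls[i] != "TLSv1.2" && tls[i] != "TLSv1.3") { print "FAIL tls_version allows " tls[i]; bad = 1 }
      exit bad
    }'
}

# Constructed sample rows (not from a real server): one plugin is loaded with
# ON instead of FORCE_PLUS_PERMANENT, i.e. loaded but not locked.
sample_plugins() {
  printf '%s\t%s\t%s\n' \
    simple_password_check ACTIVE FORCE_PLUS_PERMANENT \
    cracklib_password_check ACTIVE FORCE_PLUS_PERMANENT \
    password_reuse_check ACTIVE ON \
    SERVER_AUDIT ACTIVE FORCE_PLUS_PERMANENT
}
sample_plugins | check_plugins || echo "plugin check failed"
```

Plugin names are compared case-insensitively because the server may report a name in a different case than the one used in the query's IN list.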
The audit log lands at /var/lib/mysql/server_audit.log (inside the persistent
volume). Tail it to verify audit logging is active (CIS 6.2):
docker exec minimus-mariadb-hardened tail -f /var/lib/mysql/server_audit.log
Run MariaDB Hardened with Docker Compose
The hardened image accepts the regular MariaDB initialization environment variables, including:
- MARIADB_USER and MARIADB_PASSWORD — create a new user and set its password.
- MARIADB_DATABASE — create a new empty database.
- MARIADB_ROOT_PASSWORD_FILE — read the root password from a file (recommended over an inline env var).
services:
  db:
    image: reg.mini.dev/mariadb-hardened-fips
    environment:
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/mariadb_root
      MARIADB_DATABASE: app
      MARIADB_USER: appuser
      MARIADB_PASSWORD_FILE: /run/secrets/mariadb_app
    secrets:
      - mariadb_root
      - mariadb_app
    volumes:
      - mariadb-data:/var/lib/mysql
volumes:
  mariadb-data:
secrets:
  mariadb_root:
    file: ./secrets/mariadb_root
  mariadb_app:
    file: ./secrets/mariadb_app
Password constraints: Every password set against this image — root, application user, healthcheck — must be at least 14 characters, pass cracklib strength checks, and cannot be reused. You'll need to avoid setting the same password twice on the same user as CIS 7.7 (password_reuse_check) will refuse it.
Technical Considerations
The MariaDB-Hardened-FIPS image provided by Minimus is a slim, security-hardened alternative to the public image from Docker Hub. The images are largely interchangeable, with a few differences as noted below.
MariaDB-Hardened built by Minimus:
- Runs as non-root by default in alignment with the public image.
- Port 3306/TCP is listening but unexposed.
- Drill down on the version specification tab to see the default user, listening ports, entrypoint, volumes, environment variables, etc.
The Payoff
A hardened, minimal image that will remain more secure for the long run and accrue vulnerabilities at a slower rate.
- See the risk reduction dashboard for a detailed CVE comparison over the past 30 days.
- Review the compliance report to see the default hardening and security configurations for the image.
Terms & Info
Trademark
This catalog is published by Minimus. All product names, logos, and marks, other than those belonging to Minimus, shown are owned by their respective rights holders and appear here only to identify the open source software each image contains. Minimus claims no ownership of those marks and implies no affiliation with, endorsement by, certification by, or sponsorship by any rights holder.
Disclaimer
Images are provided "as-is" without warranty of any kind. "Hardened" refers to the security configuration applied at the time of build and does not constitute a guarantee of ongoing security or absence of vulnerabilities. The free tier is provided without support, SLA, or guaranteed patching timelines. Security updates may be applied to paid subscriptions before or instead of free tier images. By pulling or using any image you agree to our Terms of Use.