5.1 Ensure Only Administrative Users Have Full Database Access

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


The mysql.user, mysql.db, and other mysql tables ending in _priv list a variety of privileges that can be granted (or denied) to MariaDB users. Some of the privileges of concern include: Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv, and so on. Typically, these privileges should not be available to every MySQL user and often are reserved for administrative use only. The information_schema.user_privileges provides a consolidated view of all user privileges.


Limiting the accessibility of the mysql database will protect the confidentiality, integrity, and availability of the data housed within MariaDB. A user which has direct access to mysql.* might view password hashes, change permissions, or alter or destroy information intentionally or unintentionally.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Perform the following actions to remediate this setting:

Enumerate non-administrative users resulting from the audit procedure.

For each non-administrative user, use the REVOKE statement to remove privileges as appropriate.

See Also