5.8 Ensure 'REPLICATION SLAVE' is Not Granted to Non-Administrative Users

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The REPLICATION SLAVE privilege governs whether a given user (in the context of the source server) can request updates that have been made on the source server.

Rationale:

The REPLICATION SLAVE privilege allows a principal to fetch binlog files containing all data changing statements and/or changes to table data from the source. This may be used by an attacker to read/fetch sensitive data from MariaDB.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following steps to remediate this setting:

Enumerate the non-replica users found in the result set of the audit procedure

For each user, issue the following SQL statement (replace <user> with the non-replica user):

REVOKE REPLICATION SLAVE ON *.* FROM '<user>';

Use the REVOKE statement to remove the REPLICATION SLAVE privilege from users who shouldn't have it.

See Also

https://workbench.cisecurity.org/benchmarks/12270