5.1 Ensure Only Administrative Users Have Full Database Access

Information

The mysql.user and mysql.db tables, together with the other tables in the mysql schema whose names end in _priv (tables_priv, columns_priv, procs_priv, proxies_priv), record the privileges that can be granted to (or withheld from) MySQL accounts. Privileges of particular concern include Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv, and similar columns. These privileges should not be available to every MySQL account; on the mysql schema they are normally reserved for administrative use. The information_schema.user_privileges view provides a consolidated view of each account's global privileges (those granted ON *.*), and information_schema.schema_privileges shows the privileges granted per database.

Rationale:

Limiting access to the mysql database protects the confidentiality, integrity, and availability of the data housed within MySQL. An account with direct access to mysql.* can read password hashes, change other accounts' permissions, or alter or destroy information, whether intentionally or by accident.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following actions to remediate this setting:

Enumerate non-administrative users resulting from the audit procedure.

For each non-administrative user, use the REVOKE statement to remove privileges as appropriate.
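The following SQL is an added example and is not part of the CIS benchmark or Nessus text. It shows one way to enumerate accounts with the privileges of concern (globally, on the mysql schema, and at table level) and then revoke them. The queries return every matching account, administrative ones included; deciding which of them are non-administrative is the reviewer's job. The account names 'app'@'%' and 'reporting'@'10.0.0.%' and the database appdb are hypothetical placeholders.

```sql
-- Added example (not the benchmark's own audit or remediation text).
-- Account names and the appdb schema below are hypothetical placeholders.

-- 1. Accounts holding the privileges of concern globally (ON *.*). Global
--    privileges apply to every schema, mysql included, so these accounts
--    have full access to the grant tables even with no mysql.db row.
SELECT user, host
  FROM mysql.user
 WHERE Select_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y'
    OR Delete_priv = 'Y' OR Create_priv = 'Y' OR Drop_priv = 'Y';

-- 2. Accounts holding those privileges on the mysql schema through a
--    database-level grant. The db column may hold a LIKE pattern (for
--    example '%' or 'mys%'), so match the literal schema name against the
--    stored pattern rather than comparing the column for equality.
SELECT user, host, db
  FROM mysql.db
 WHERE 'mysql' LIKE db
   AND (Select_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y'
     OR Delete_priv = 'Y' OR Create_priv = 'Y' OR Drop_priv = 'Y');

-- 3. Table- and column-level grants inside the mysql schema.
SELECT user, host, db, table_name, table_priv, column_priv
  FROM mysql.tables_priv
 WHERE db = 'mysql';

-- 4. Remediation for each non-administrative account found above.
--    A database-level grant on mysql.* is revoked directly:
REVOKE SELECT, INSERT, UPDATE, DELETE, CREATE, DROP
    ON mysql.* FROM 'reporting'@'10.0.0.%';

--    A global grant cannot be narrowed to exclude one schema; revoke it
--    and re-grant only what the application needs on its own database:
REVOKE ALL PRIVILEGES ON *.* FROM 'app'@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'%';

-- 5. Verify. GRANT and REVOKE update the grant tables and the server's
--    in-memory privilege cache together, so FLUSH PRIVILEGES is needed
--    only if mysql.* rows were edited with INSERT/UPDATE/DELETE directly.
SHOW GRANTS FOR 'reporting'@'10.0.0.%';
SHOW GRANTS FOR 'app'@'%';
```

Run the three SELECTs as an administrative account before and after the REVOKE statements; the post-change run should list only the accounts you intend to keep as administrators. Re-check step 1 after any change, since a global grant silently restores full access to mysql.* regardless of what mysql.db contains.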

See Also

https://workbench.cisecurity.org/files/3844