5.3 Ensure 'PROCESS' is Not Granted to Non-Administrative Users

Information

The PROCESS privilege found in the mysql.user table determines whether a given user can see statement execution information for all sessions.

Rationale:

The PROCESS privilege allows principals to view currently executing MySQL statements beyond their own, including statements used to manage passwords. This may be leveraged by an attacker to compromise MySQL or to gain access to potentially sensitive data.

Impact:

Users denied the PROCESS privilege may also be denied use of SHOW ENGINE.

Solution

Perform the following steps to remediate this setting:

Enumerate the non-administrative users found in the result set of the audit procedure

For each user, issue the following SQL statement (replace <user> with the non-administrative user):

REVOKE PROCESS ON *.* FROM '<user>';

See Also

https://workbench.cisecurity.org/files/3844