Information
The mysql.user, mysql.db, and other mysql tables ending in _priv list a variety of privileges that can be granted (or denied) to MariaDB users. Some of the privileges of concern include: Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv, and so on. Typically, these privileges should not be available to every MySQL user and often are reserved for administrative use only. The information_schema.user_privileges provides a consolidated view of all user privileges.
Rationale:
Limiting the accessibility of the mysql database will protect the confidentiality, integrity, and availability of the data housed within MariaDB. A user which has direct access to mysql.* might view password hashes, change permissions, or alter or destroy information intentionally or unintentionally.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Perform the following actions to remediate this setting:
Enumerate non-administrative users resulting from the audit procedure.
For each non-administrative user, use the REVOKE statement to remove privileges as appropriate.