9.3 Ensure 'super_priv' is Not Set to 'Y' for Replication Users

Information

The SUPER privilege found in the mysql.user table governs the use of a variety of MariaDB features. These features include, CHANGE MASTER TO, KILL, mysqladmin kill option, PURGE BINARY LOGS, SET GLOBAL, mysqladmin debug option, logging control, and more.

Rationale:

The SUPER privilege allows principals to perform many actions, including view and terminate currently executing MariaDB statements (including statements used to manage passwords). This privilege also provides the ability to configure MariaDB, such as enable/disable logging, alter data, disable/enable features. Limiting the accounts that have the SUPER privilege reduces the chances that an attacker can exploit these capabilities.

Impact:

When the SUPER privilege is denied to a given user, that user will be unable to take advantage of certain capabilities, such as certain mysqladmin options.

Solution

Execute the following steps to remediate this setting:

Enumerate the replication users found in the result set of the audit procedure

For each replication user, issue the following SQL statement (replace repl with your replication user's name):

REVOKE SUPER ON *.* FROM 'repl';

See Also

https://workbench.cisecurity.org/benchmarks/16527