5.9 Ensure DML/DDL Grants are Limited to Specific Databases and Users

Information

DML/DDL includes the set of privileges used to modify or create data structures. This includes INSERT, SELECT, UPDATE, DELETE, DROP, CREATE, and ALTER privileges.

Rationale:

INSERT, SELECT, UPDATE, DELETE, DROP, CREATE, and ALTER are powerful privileges in any database. Such privileges should be limited only to those users requiring such rights. By limiting the users with these rights and ensuring that they are limited to specific databases, the attack surface of the database is reduced.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following steps to remediate this setting:

Enumerate the unauthorized users, hosts, and databases returned in the result set of the audit procedure

For each user, issue the following SQL statement (replace <user> with the unauthorized user, <host> with host name, and <database> with the database name):

REVOKE SELECT ON <host>.<database> FROM <user>;
REVOKE INSERT ON <host>.<database> FROM <user>;
REVOKE UPDATE ON <host>.<database> FROM <user>;
REVOKE DELETE ON <host>.<database> FROM <user>;
REVOKE CREATE ON <host>.<database> FROM <user>;
REVOKE DROP ON <host>.<database> FROM <user>;
REVOKE ALTER ON <host>.<database> FROM <user>;

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: MySQLDB

Control ID: c84558fb5c08e1506bd78c24fdfb2221ca3280be769383655bf3a2291295bc9e