5.8 Ensure 'REPLICATION SLAVE' is Not Granted to Non-Administrative Users

Information

The REPLICATION SLAVE privilege governs whether a given user (in the context of the source server) can request updates that have been made on the source server.

Rationale:

The REPLICATION SLAVE privilege allows a principal to fetch binlog files containing all data changing statements and/or changes to table data from the source. This may be used by an attacker to read/fetch sensitive data from MySQL.

Solution

Perform the following steps to remediate this setting:

Enumerate the non-replica users found in the result set of the audit procedure

For each user, issue the following SQL statement (replace <user> with the non-replica user):

REVOKE REPLICATION SLAVE ON *.* FROM <user>;

Use the REVOKE statement to remove the REPLICATION SLAVE privilege from users who shouldn't have it.

See Also

https://workbench.cisecurity.org/files/3855

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: MySQLDB

Control ID: 64757276c65cfa04978499ada4cf59119ab929c1b992f9cc2eac3fc49e2eb110