5.7 Ensure 'GRANT OPTION' is Not Granted to Non-Administrative Users

Information

The GRANT OPTION privilege exists in different contexts (mysql.user, mysql.db) for the purpose of governing the ability of a privileged user to manipulate the privileges of other users.

Rationale:

The GRANT OPTION privilege allows a principal to grant other principals additional privileges. This may be used by an attacker to compromise MySQL.

Solution

Perform the following steps to remediate this setting:

Enumerate the non-administrative users found in the result sets of the audit procedure

For each user, issue the following SQL statement (replace <user> with the non-administrative user):

REVOKE GRANT OPTION ON *.* FROM <user>;

See Also

https://workbench.cisecurity.org/files/3855