Information
The GRANT OPTION privilege exists in different contexts (mysql.user, mysql.db) for the purpose of governing the ability of a privileged user to manipulate the privileges of other users.
Rationale:
The GRANT OPTION privilege allows a principal to grant other principals additional privileges. This may be used by an attacker to compromise MySQL.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Perform the following steps to remediate this setting:
Enumerate the non-administrative users found in the result sets of the audit procedure
For each user, issue the following SQL statement (replace <user> with the non-administrative user):
REVOKE GRANT OPTION ON *.* FROM '<user>';