5.8 Ensure 'REPLICATION SLAVE' is Not Granted to Non-Administrative Users

Information

The REPLICATION SLAVE privilege governs whether a given user (in the context of the source server) can request updates that have been made on the source server.

Rationale:

The REPLICATION SLAVE privilege allows a principal to fetch binlog files containing all data changing statements and/or changes to table data from the source. This may be used by an attacker to read/fetch sensitive data from MySQL.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following steps to remediate this setting:

Enumerate the non-replica users found in the result set of the audit procedure

For each user, issue the following SQL statement (replace <user> with the non-replica user):

REVOKE REPLICATION SLAVE ON *.* FROM '<user>';

Use the REVOKE statement to remove the REPLICATION SLAVE privilege from users who shouldn't have it.

See Also

https://workbench.cisecurity.org/benchmarks/10139

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: MySQLDB

Control ID: 81a3d9ad64fea479ba2364048daed03f8e6eaa789f3bf8caa62458b47c5fe4d2