MADB-10-003400 - Access to external executables must be disabled or restricted.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives.

Applications must adhere to the principles of least functionality by providing only essential capabilities.

MariaDB may spawn additional external processes to execute procedures that are defined in MariaDB but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than MariaDB and provide unauthorized access to the host system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To disable LOAD DATA LOCAL INFILE make the following update as the database administrator:

Edit the mariadb-enterprise.cnf configuration file located in /etc/my.cnf.d/.

Under [mariadb], add the following:

local_infile = 0

Save the configuration file. This change will not take effect until MariaDB Enterprise Server is restarted.

To remove FILE and GRANT OPTION privileges use the right combination of the following commands:
1. revoke FILE privilege from a user
MariaDB> REVOKE FILE FROM 'user'@'host';

2. revoke FILE privilege from a role
MariaDB> REVOKE FILE FROM role;

3. revoke GRANT OPTION privilege from a user
MariaDB> REVOKE GRANT OPTION FROM 'user'@'host';

4. revoke a role grant from a user
MariaDB> REVOKE ROLE FROM grantee;

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MariaDB_Enterprise_10-x_V2R1_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000381, Rule-ID|SV-253692r960963_rule, STIG-ID|MADB-10-003400, Vuln-ID|V-253692

Plugin: MySQLDB

Control ID: 4afabcdf96b6dec3d09a3cec7777b87d56a7e8a7ec77ae7457e79d891133ff0d