STIGQter: STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021:

The MySQL Database Server 8.0 must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to the MySQL Database Server 8.0.

DISA Rule

SV-235163r638812_rule

Vulnerability Number

V-235163

Group Title

SRG-APP-000133-DB-000179

Rule Version

MYS8-00-008300

Severity

CAT II

CCI(s)

• CCI-001499 - The organization limits privileges to change software resident within software libraries.

Weight

10

Fix Recommendation

Remove permissions from users who should not have insert or update access to the mysql.plugin or mysql.component table.

Check Contents

Review Server documentation to determine the authorized owner and users or groups with modify rights for this SQL instance's binary files. Additionally check the owner and users or groups with modify rights for shared software library paths on disk.

If any unauthorized users are granted modify rights, this is a finding.

A plugin located in a plugin library file can be loaded at runtime with the INSTALL PLUGIN statement. The statement also registers the plugin in the mysql.plugin table to cause the server to load it on subsequent restarts. For this reason, INSTALL PLUGIN requires the INSERT privilege for the mysql.plugin table, and UNINSTALL requires DELETE.

Run the following statement to check for table specific privileges:
SELECT * FROM information_schema.TABLE_PRIVILEGES where (table_schema='mysql' and table_name=`plugin`) or (table_schema='mysql' and table_name='component';)

If privilege_type is INSERT or DELETE for an unauthorized user, this is a finding.

Run the following statement to check for global privileges:
select * from information_schema.user_privileges where privilege_type='INSERT' or privilege_type='DELETE';

If privilege_type is INSERT or DELETE for an unauthorized user, this is a finding.

Vulnerability Number

V-235163

Documentable

False

Rule Version

MYS8-00-008300

Severity Override Guidance

Review Server documentation to determine the authorized owner and users or groups with modify rights for this SQL instance's binary files. Additionally check the owner and users or groups with modify rights for shared software library paths on disk.

If any unauthorized users are granted modify rights, this is a finding.

A plugin located in a plugin library file can be loaded at runtime with the INSTALL PLUGIN statement. The statement also registers the plugin in the mysql.plugin table to cause the server to load it on subsequent restarts. For this reason, INSTALL PLUGIN requires the INSERT privilege for the mysql.plugin table, and UNINSTALL requires DELETE.

Run the following statement to check for table specific privileges:
SELECT * FROM information_schema.TABLE_PRIVILEGES where (table_schema='mysql' and table_name=`plugin`) or (table_schema='mysql' and table_name='component';)

If privilege_type is INSERT or DELETE for an unauthorized user, this is a finding.

Run the following statement to check for global privileges:
select * from information_schema.user_privileges where privilege_type='INSERT' or privilege_type='DELETE';

If privilege_type is INSERT or DELETE for an unauthorized user, this is a finding.

Check Content Reference

M

Target Key

5277

Comments