SV-235168r638812_rule
V-235168
SRG-APP-000378-DB-000365
MYS8-00-009100
CAT II
10
MySQL requires users (other than root) to be explicitly granted the CREATE ROUTINE privilege in order to install logical modules.
Check each account's grants using SHOW GRANTS and confirm that CREATE ROUTINE is assigned only where authorized. Revoke it from any account that is not authorized, for example (REVOKE takes FROM, not TO):
REVOKE CREATE ROUTINE ON mydb.* FROM 'someuser'@'somehost';
MySQL requires users (other than root) to be explicitly granted the CREATE ROUTINE privilege in order to install logical modules.
Obtain from the server documentation the list of users and roles who are authorized to create, alter, or replace stored procedures and functions.
Execute the following query:
For server level permissions:
SELECT `user`.`Host`, `user`.`User`
FROM `mysql`.`user`
WHERE `Create_routine_priv` = 'Y' OR `Alter_routine_priv` = 'Y';
If any users or role permissions returned are not authorized to modify the specified object or type, this is a finding.
If any user or role membership is not authorized, this is a finding.
For database schema level permissions (`Db` is the schema name column):
SELECT `db`.`Host`, `db`.`User`, `db`.`Db`
FROM `mysql`.`db`
WHERE `db`.`Create_routine_priv` = 'Y' OR `db`.`Alter_routine_priv` = 'Y';
If any users or role permissions returned are not authorized to modify the specified object or type, this is a finding.
If any user or role membership is not authorized, this is a finding.
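The two check queries above list only direct grants: an account that holds CREATE ROUTINE or ALTER ROUTINE solely through a role granted to it has no 'Y' in its own mysql.user or mysql.db row and would be missed. The following SQL is an added example, not part of the STIG check text; it also walks mysql.role_edges (one hop, role to grantee) so that role-inherited holders appear in the same listing. It assumes MySQL 8.0 and read access to the mysql schema.

```sql
-- Added example (not STIG text): direct holders plus holders via a granted role.
-- In MySQL 8.0 a role is itself a row in mysql.user / mysql.db; role_edges
-- records FROM_* (the role) and TO_* (the account or role it was granted to).

-- Server-level CREATE ROUTINE / ALTER ROUTINE, direct grants.
SELECT u.`Host`, u.`User`, 'direct' AS `via`
FROM `mysql`.`user` AS u
WHERE u.`Create_routine_priv` = 'Y' OR u.`Alter_routine_priv` = 'Y'

UNION ALL

-- Server-level, inherited through a role that carries the privilege.
SELECT r.`TO_HOST` AS `Host`, r.`TO_USER` AS `User`,
       CONCAT('role ', r.`FROM_USER`, '@', r.`FROM_HOST`) AS `via`
FROM `mysql`.`role_edges` AS r
JOIN `mysql`.`user` AS u
  ON u.`User` = r.`FROM_USER` AND u.`Host` = r.`FROM_HOST`
WHERE u.`Create_routine_priv` = 'Y' OR u.`Alter_routine_priv` = 'Y'
ORDER BY `Host`, `User`;

-- Schema-level equivalent against mysql.db (Db is the schema name).
SELECT d.`Host`, d.`User`, d.`Db`, 'direct' AS `via`
FROM `mysql`.`db` AS d
WHERE d.`Create_routine_priv` = 'Y' OR d.`Alter_routine_priv` = 'Y'

UNION ALL

SELECT r.`TO_HOST` AS `Host`, r.`TO_USER` AS `User`, d.`Db`,
       CONCAT('role ', r.`FROM_USER`, '@', r.`FROM_HOST`) AS `via`
FROM `mysql`.`role_edges` AS r
JOIN `mysql`.`db` AS d
  ON d.`User` = r.`FROM_USER` AND d.`Host` = r.`FROM_HOST`
WHERE d.`Create_routine_priv` = 'Y' OR d.`Alter_routine_priv` = 'Y'
ORDER BY `Host`, `User`, `Db`;
```

Only one level of role nesting is resolved here (a role granted to another role is not followed), and roles set via the mandatory_roles system variable are not recorded in role_edges; for a single account, SHOW GRANTS FOR 'user'@'host' USING 'role' shows the effective set.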
V-235168
False
MYS8-00-009100
M
5277