STIGQter STIG Summary: Oracle MySQL 8.0 Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 28 Jan 2021

The MySQL Database Server 8.0 must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.

DISA Rule

SV-235179r638812_rule

Vulnerability Number

V-235179

Group Title

SRG-APP-000328-DB-000301

Rule Version

MYS8-00-010500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To correct object ownership:

To revoke any unauthorized permissions:

REVOKE
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
FROM user_or_role [, user_or_role] ...

REVOKE ALL [PRIVILEGES], GRANT OPTION
FROM user_or_role [, user_or_role] ...

REVOKE PROXY ON user_or_role
FROM user_or_role [, user_or_role] ...

REVOKE role [, role ] ...
FROM user_or_role [, user_or_role ] ...
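
The following walks the REVOKE syntax above through a concrete case. It is an added example, not part of the DISA STIG text, and every name in it is hypothetical: an application account 'app_rw'@'10.0.0.%' found holding DDL rights and GRANT OPTION on a schema `orders`, a DBA account 'dba_jane'@'localhost', and a role 'orders_owner' that is assumed to be the data owner's intended holder of those DDL rights.

```sql
-- Added example, not part of the DISA STIG text. All names are hypothetical.

-- 1. Record the current grants so the change is auditable and reversible.
SHOW GRANTS FOR 'app_rw'@'10.0.0.%';

-- 2. Revoke the schema-level DDL privileges the data owner did not
--    authorize. Data access (SELECT/INSERT/UPDATE/DELETE) is untouched.
REVOKE CREATE, DROP, ALTER, INDEX, REFERENCES, CREATE VIEW,
       CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER
    ON `orders`.* FROM 'app_rw'@'10.0.0.%';

-- 3. GRANT OPTION is a separate privilege and survives step 2; revoke it so
--    the account can no longer delegate whatever it still holds.
REVOKE GRANT OPTION ON `orders`.* FROM 'app_rw'@'10.0.0.%';

-- 4. If the delegated grant was made at the global level instead, the
--    instance-wide form strips everything the account holds, including
--    GRANT OPTION. Use it only when the account should keep no rights at all.
-- REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'app_rw'@'10.0.0.%';

-- 5. Express the data owner's policy once, as a role, and grant that role
--    only to the documented owner account.
CREATE ROLE IF NOT EXISTS 'orders_owner';
GRANT CREATE, DROP, ALTER, INDEX, REFERENCES, CREATE VIEW,
      CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER
   ON `orders`.* TO 'orders_owner';
GRANT 'orders_owner' TO 'dba_jane'@'localhost';
SET DEFAULT ROLE 'orders_owner' TO 'dba_jane'@'localhost';

-- 6. Verify: the application account should now show only DML on `orders`,
--    and the DBA account should show the DDL rights through the role.
SHOW GRANTS FOR 'app_rw'@'10.0.0.%';
SHOW GRANTS FOR 'dba_jane'@'localhost' USING 'orders_owner';
```

Two caveats a practitioner will want. GRANT and REVOKE update the grant tables directly, so no FLUSH PRIVILEGES is needed; global privileges apply to new connections, database-level changes on the client's next USE, and table-level changes on its next request, so an already-connected session may keep the old rights briefly. REVOKE does not cascade: privileges the account had already granted to other accounts while it held GRANT OPTION remain in place, so the check queries must be re-run for those grantees after the revoke.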

Check Contents

Use the following queries to discover database object access rights.

Users with DDL rights on database objects, at instance level (global privileges held in mysql.user):
SELECT *
FROM `mysql`.`user`
WHERE (`mysql`.`user`.`user` not like 'mysql.%') AND (
`user`.`Create_priv` = 'Y' OR
`user`.`Drop_priv` = 'Y' OR
`user`.`Grant_priv` = 'Y' OR
`user`.`References_priv` = 'Y' OR
`user`.`Index_priv` = 'Y' OR
`user`.`Alter_priv` = 'Y' OR
`user`.`Super_priv` = 'Y' OR
`user`.`Execute_priv` = 'Y' OR
`user`.`Create_view_priv` = 'Y' OR
`user`.`Create_routine_priv` = 'Y' OR
`user`.`Alter_routine_priv` = 'Y' OR
`user`.`Create_user_priv` = 'Y' OR
`user`.`Event_priv` = 'Y' OR
`user`.`Trigger_priv` = 'Y' OR
`user`.`Create_role_priv` = 'Y' OR
`user`.`Drop_role_priv` = 'Y') ;

At DB/schema level, users with DDL rights on database objects (schema-level privileges held in mysql.db):
SELECT * FROM mysql.db WHERE
(`db`.`Grant_priv` = 'Y' OR
`db`.`References_priv` = 'Y' OR
`db`.`Index_priv` = 'Y' OR
`db`.`Alter_priv` = 'Y' OR
`db`.`Create_tmp_table_priv` = 'Y' OR
`db`.`Lock_tables_priv` = 'Y' OR
`db`.`Create_view_priv` = 'Y' OR
`db`.`Show_view_priv` = 'Y' OR
`db`.`Create_routine_priv` = 'Y' OR
`db`.`Alter_routine_priv` = 'Y' OR
`db`.`Execute_priv` = 'Y' OR
`db`.`Event_priv` = 'Y' OR
`db`.`Trigger_priv` = 'Y') AND user NOT LIKE 'mysql.%';

Ensure only administrative users are returned in the result set. (The comparison on `Trigger_priv` must be spelled out: the column is an ENUM('N','Y'), and a bare ENUM in a boolean context evaluates to its index, 1 or 2, which is always true and would make every row match.)

Use the following query to discover database users who have been delegated the right to grant permissions to other users (global privileges held WITH GRANT OPTION):
SELECT `USER_PRIVILEGES`.`GRANTEE`,
`USER_PRIVILEGES`.`TABLE_CATALOG`,
`USER_PRIVILEGES`.`PRIVILEGE_TYPE`,
`USER_PRIVILEGES`.`IS_GRANTABLE`
FROM `information_schema`.`USER_PRIVILEGES`
where `USER_PRIVILEGES`.`IS_GRANTABLE`='YES';

Ensure only administrative users are returned in the result set.

If any of these rights are not documented and authorized, this is a finding.
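
The three queries above look at global privileges, schema-level privileges and globally grantable privileges. The following consolidated audit is an added example, not part of the STIG check text; it reports the same findings in one result set and also covers what those queries miss: Create_priv and Drop_priv at schema level, privileges held WITH GRANT OPTION at schema or table level (information_schema.USER_PRIVILEGES only shows global grants), and rights inherited through roles. Run it as an account with SELECT on the mysql schema so every grantee is visible. The two excluded administrator accounts are hypothetical and should be replaced with the instance's documented admins.

```sql
-- Added audit example, not part of the STIG check text.
-- Excluded administrator accounts below are hypothetical placeholders.
SELECT f.level, f.grantee, f.privilege, f.grantable, f.object
FROM (
    -- Global (instance-level) DDL rights, plus anything globally grantable.
    -- ROLE_ADMIN is included because it allows granting and revoking roles.
    SELECT 'GLOBAL' AS level, GRANTEE AS grantee, PRIVILEGE_TYPE AS privilege,
           IS_GRANTABLE AS grantable, NULL AS object
      FROM information_schema.USER_PRIVILEGES
     WHERE PRIVILEGE_TYPE IN ('CREATE', 'DROP', 'ALTER', 'INDEX', 'REFERENCES',
                              'CREATE VIEW', 'CREATE ROUTINE', 'ALTER ROUTINE',
                              'CREATE USER', 'EVENT', 'TRIGGER', 'CREATE ROLE',
                              'DROP ROLE', 'SUPER', 'EXECUTE', 'ROLE_ADMIN')
        OR IS_GRANTABLE = 'YES'
    UNION ALL
    -- Schema-level DDL rights (including CREATE and DROP, which the mysql.db
    -- query in the check omits) and GRANT OPTION delegated on a schema.
    SELECT 'SCHEMA', GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE, TABLE_SCHEMA
      FROM information_schema.SCHEMA_PRIVILEGES
     WHERE PRIVILEGE_TYPE IN ('CREATE', 'DROP', 'ALTER', 'INDEX', 'REFERENCES',
                              'CREATE VIEW', 'CREATE ROUTINE', 'ALTER ROUTINE',
                              'EVENT', 'TRIGGER', 'EXECUTE')
        OR IS_GRANTABLE = 'YES'
    UNION ALL
    -- Table-level DDL rights and GRANT OPTION delegated on a single table.
    SELECT 'TABLE', GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE,
           CONCAT(TABLE_SCHEMA, '.', TABLE_NAME)
      FROM information_schema.TABLE_PRIVILEGES
     WHERE PRIVILEGE_TYPE IN ('CREATE', 'DROP', 'ALTER', 'INDEX', 'REFERENCES',
                              'CREATE VIEW', 'TRIGGER')
        OR IS_GRANTABLE = 'YES'
    UNION ALL
    -- Role membership: an account with no direct DDL grants may inherit them
    -- from a role, and WITH ADMIN OPTION lets it hand that role to others.
    -- The grantee is rebuilt as 'user'@'host' to match information_schema.
    SELECT 'ROLE', CONCAT('''', TO_USER, '''@''', TO_HOST, ''''),
           CONCAT('ROLE ', FROM_USER, '@', FROM_HOST),
           IF(WITH_ADMIN_OPTION = 'Y', 'YES', 'NO'), NULL
      FROM mysql.role_edges
) AS f
WHERE f.grantee NOT LIKE '''mysql.%'                  -- reserved built-in accounts
  AND f.grantee NOT IN ('''root''@''localhost''',     -- documented admins (hypothetical)
                        '''dba_jane''@''localhost''')
ORDER BY f.grantee, f.level, f.object, f.privilege;
```

Every row returned is an account, privilege and object that must be documented and authorized by the data owner; a row for a non-administrative account, or any row with grantable = 'YES' outside the documented admins, is a finding under this rule. Because GRANTEE values in information_schema are stored with the surrounding quotes ('user'@'host'), the exclusion list and the LIKE pattern are written with doubled single quotes to match that format.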

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5277

Comments