V-253705

Discussion

Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods, as appropriate. An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different domain and with additional access controls. If administrative functionality or information regarding MariaDB management is presented on an interface available for users, information on MariaDB settings may be inadvertently made available to the user.

Check Content

To show the list of system privileges that the MariaDB server supports, run:
MariaDB> SHOW PRIVILEGES;
 
Gather a list of SHOW GRANTS commands. SHOW GRANTS will list the privileges granted to the account.

Run this database query to create the SHOW GRANTS script for each user: 

MariaDB> SELECT DISTINCT CONCAT( 'SHOW GRANTS FOR ', user,'@', host,';') AS grantQuery FROM mysql.user WHERE is_role = 'N';

Run each SHOW GRANTS command for each user.

MariaDB> SHOW GRANTS FOR 'user'@'host';

If any nonadministrative role has any one of the following privileges, this is a finding. 

Create user 
Event
Process 
Proxy
Reload
Replication client 
Replication slave 
Show databases 
Shutdown 
Super

If administrator and general user functionality are not separated either physically or logically, this is a finding.