
V-241801

CAT II (Medium)

Separate MySQL user accounts with limited privileges must be created within Jamf Pro EMM.

Rule ID

SV-241801r971326_rule

STIG

Jamf Pro v10.x EMM Security Technical Implementation Guide

Version

V3R1

CCIs

CCI-000366

Discussion

If separate MySQL accounts with limited privileges are not created, an adversary could gain unauthorized access to the application or gain access to unauthorized features, which could lead to the compromise of sensitive DoD data.

SFR ID: FMT_SMF.1(2)b. / CM-6 b
Satisfies: SRG-APP-000516

Check Content

Verify separate MySQL user accounts with limited privileges have been created within Jamf Pro EMM.

In MySQL, execute the following command: 
show grants for username@localhost;

Verify the privileges match what is in the Jamf Knowledge Base article.

If separate MySQL user accounts with limited privileges have not been created within Jamf Pro EMM, this is a finding.

Fix Text

Create separate MySQL user accounts with limited privileges within Jamf Pro EMM.

The procedures for creating user accounts and assigning account privileges are found in the following Jamf Knowledge Base articles:

MySQL 8.0: https://dev.mysql.com/doc/refman/8.0/en/creating-accounts.html
MySQL 5.7: https://dev.mysql.com/doc/refman/5.7/en/creating-accounts.html

The following is a list of MySQL privileges that are required for different types of environments:
- For a standalone web application or the master node in clustered environments:
INSERT, SELECT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES

- For a child node in clustered environments: 
INSERT, SELECT, UPDATE, DELETE, DROP, LOCK TABLES

- To view connections from cluster nodes with different MySQL users:
PROCESS

Note: The "PROCESS" privilege requires the use of "*.*".
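
The check above can be scripted by comparing the output of "show grants" with the privilege lists in the Fix Text. The following Python is an added example, not part of the STIG or of Jamf's documentation; the account name, the database name, the sample output and the global-scope rule marked in the comments are assumptions.

```python
import re

# Privilege lists copied from the Fix Text above.
ALLOWED = {
    "standalone_or_master": {"INSERT", "SELECT", "UPDATE", "DELETE", "CREATE",
                             "DROP", "ALTER", "INDEX", "LOCK TABLES"},
    "child": {"INSERT", "SELECT", "UPDATE", "DELETE", "DROP", "LOCK TABLES"},
}
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<rest>.+)$", re.I)

def audit_grants(lines, role, allow_process=False):
    """Return findings for one account's SHOW GRANTS output lines."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue  # not a GRANT statement (e.g. a column header)
        scope = m["scope"].replace("`", "")
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        privs.discard("USAGE")  # USAGE means "no privileges"
        allowed = set(ALLOWED[role])
        if allow_process and scope == "*.*":
            allowed.add("PROCESS")  # PROCESS is only grantable on *.*
        extra = privs - allowed
        if extra:
            findings.append(f"{scope}: not in {role} list: {', '.join(sorted(extra))}")
        # Assumption (not stated on the page): everything except PROCESS
        # should be scoped to the Jamf Pro database, not granted globally.
        if scope == "*.*" and privs - {"PROCESS"}:
            findings.append(f"{scope}: privileges granted at global scope")
        if re.search(r"WITH\s+GRANT\s+OPTION", m["rest"], re.I):
            findings.append(f"{scope}: WITH GRANT OPTION is not in the listed privileges")
    return findings

# Constructed sample output; account and database names are hypothetical.
SAMPLE_CHILD = [
    "GRANT USAGE ON *.* TO `jamf_child`@`localhost`",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, LOCK TABLES "
    "ON `jamfdb`.* TO `jamf_child`@`localhost` WITH GRANT OPTION",
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_CHILD, "child"):
        print("FINDING:", finding)
```

An empty result means the account holds nothing beyond the list for its role; the privileges still have to be compared with the Jamf Knowledge Base article as the check requires.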