
Separate MySQL user accounts with limited privileges must be created within Jamf Pro EMM.


Overview

Finding ID: V-99603
Version: JAMF-10-100100
Rule ID: SV-108707r1_rule
IA Controls: (none listed)
Severity: Medium
Description
If separate MySQL accounts with limited privileges are not created, an adversary could gain unauthorized access to the application or gain access to unauthorized features, which could lead to the compromise of sensitive DoD data.

SFR ID: FMT_SMF.1(2)b. / CM-6 b
Satisfies: SRG-APP-000516

STIG: Jamf Pro v10.x EMM Security Technical Implementation Guide
Date: 2020-02-04

Details

Check Text (C-98453r1_chk)
Verify separate MySQL user accounts with limited privileges have been created within Jamf Pro EMM.

In MySQL, execute the following command:
show grants for username@localhost;

Verify the privileges match what is in the Jamf Knowledge Base article.

If separate MySQL user accounts with limited privileges have not been created within Jamf Pro EMM, this is a finding.
Fix Text (F-105287r1_fix)
Create separate MySQL user accounts with limited privileges within Jamf Pro EMM.

The procedures for creating user accounts and assigning account privileges are found in the following Jamf Knowledge Base articles:

MySQL 8.0: https://dev.mysql.com/doc/refman/8.0/en/creating-accounts.html
MySQL 5.7: https://dev.mysql.com/doc/refman/5.7/en/creating-accounts.html

The following is a list of the MySQL privileges required for different types of environments:
- For a standalone web application or the master node in clustered environments:
INSERT, SELECT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES

- For a child node in clustered environments:
INSERT, SELECT, UPDATE, DELETE, DROP, LOCK TABLES

- To view connections from cluster nodes with different MySQL users:
PROCESS

Note: The "PROCESS" privilege requires the use of "*.*".
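
The Check Text comparison of `show grants` output against the privilege lists in the Fix Text can be scripted. The following is an added example, not part of the STIG or of Jamf's documentation; the database name `jamfdb`, the account `jamf_child`, the role keys and the `view_cluster_connections` parameter are assumptions made for illustration.

```python
import re

# Privilege lists copied from the Fix Text above, keyed by environment type.
ALLOWED = {
    "standalone_or_master": {"INSERT", "SELECT", "UPDATE", "DELETE", "CREATE",
                             "DROP", "ALTER", "INDEX", "LOCK TABLES"},
    "child_node": {"INSERT", "SELECT", "UPDATE", "DELETE", "DROP", "LOCK TABLES"},
}
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<rest>.+)$", re.I)

def parse_grants(lines):
    """Map each grant scope (e.g. 'jamfdb.*') to the set of privileges on it."""
    grants = {}
    for text in filter(None, (l.strip().rstrip(";") for l in lines)):
        m = GRANT_RE.match(text)
        if not m:  # e.g. a role grant: keep it visible instead of dropping it
            grants.setdefault("<unparsed>", set()).add(text)
            continue
        privs = re.sub(r"\([^)]*\)", "", m["privs"])  # drop column lists
        names = {p.strip().upper() for p in privs.split(",") if p.strip()}
        if "WITH GRANT OPTION" in m["rest"].upper():
            names.add("GRANT OPTION")
        grants.setdefault(m["scope"].replace("`", ""), set()).update(names)
    return grants

def audit(lines, role, database, view_cluster_connections=False):
    """Return sorted findings; an empty list means the grants fit the role."""
    # USAGE means "no privileges"; PROCESS is only valid on *.* (see the Note).
    allowed_global = {"USAGE"} | ({"PROCESS"} if view_cluster_connections else set())
    findings = []
    for scope, privs in parse_grants(lines).items():
        if scope == "*.*":
            extra = privs - allowed_global
        elif scope == f"{database}.*":
            extra = privs - ALLOWED[role]
        else:
            extra = privs  # grants outside the Jamf Pro schema are unexpected
        findings += [f"{p} ON {scope}" for p in extra]
    return sorted(findings)

# Constructed sample: SHOW GRANTS output for a hypothetical child-node account.
SAMPLE = [
    "GRANT USAGE ON *.* TO `jamf_child`@`localhost`",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, LOCK TABLES"
    " ON `jamfdb`.* TO `jamf_child`@`localhost`",
]
```

Calling `audit(SAMPLE, "child_node", "jamfdb")` reports `CREATE ON jamfdb.*`, because CREATE is in the standalone/master list but not in the child-node list.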