V-253668
MariaDB Enterprise 10.x Security Technical Implementation Guide
Title
MariaDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Description
<VulnDiscussion>Authentication with a DOD-approved PKI certificate does not necessarily imply authorization to access MariaDB. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems, including databases, must be properly configured to implement access control policies. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures ...
Fix Text (Documentation Requirement)
Create and/or maintain documentation on the appropriate permissions on database objects for each kind (group role) of user. Implement these permissions in the database and remove any permissions that exceed those documented.

The following are examples of how to use role privileges in MariaDB to enforce access controls. Run these as the database administrator. For a complete list of privileges, refer to the official documentation: https://mariadb.com/kb/en/grant/

#### Roles Example 1

The following example demonstrates how to create an admin role with SHUTDOWN privileges. As the database administrator, run the following SQL:

MariaDB> CREATE ROLE admin;
MariaDB> GRANT SHUTDOWN ON *.* TO admin;

#### Roles Example 2

The following example demonstrates how to create a user, make the user a...
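As an added worked example (not part of the STIG text), the following script applies the requirement end to end: one role per documented job function, users that receive privileges only through a role, and closing queries that enumerate what is actually granted so anything beyond the documented set can be revoked. The database `app`, the roles `app_reader` and `app_writer`, the user `alice`, and the password are assumed placeholders.

```sql
-- Added example (not from the STIG). Run as the database administrator.
-- Assumed: a database `app`, documented job functions "reader" and "writer",
-- and an application account alice that the documentation lists as reader only.

-- 1. One role per documented job function, holding only the documented privileges.
CREATE ROLE IF NOT EXISTS app_reader;
CREATE ROLE IF NOT EXISTS app_writer;
GRANT SELECT ON app.* TO app_reader;
GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO app_writer;

-- 2. Accounts get privileges only through a role, never by direct grant.
CREATE USER IF NOT EXISTS 'alice'@'localhost' IDENTIFIED BY 'placeholder-change-me';
GRANT app_reader TO 'alice'@'localhost';
SET DEFAULT ROLE app_reader FOR 'alice'@'localhost';

-- 3. Audit: what each role and account actually holds.
SHOW GRANTS FOR app_reader;
SHOW GRANTS FOR 'alice'@'localhost';

-- Global (server-wide) privileges held by any account or role; USAGE alone means none.
SELECT GRANTEE, PRIVILEGE_TYPE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE <> 'USAGE'
ORDER BY GRANTEE, PRIVILEGE_TYPE;

-- Which roles are granted to which accounts, and who may administer each role.
SELECT Host, User, Role, Admin_option
FROM mysql.roles_mapping
ORDER BY User, Role;

-- 4. Revoke anything the audit shows beyond the documented set, for example a
-- direct grant that bypassed the role model (shown commented; it errors if no
-- such grant exists):
-- REVOKE ALL PRIVILEGES ON app.* FROM 'alice'@'localhost';
```

Compare the output of step 3 against the documented permission matrix on every review cycle; a direct grant or an unexpected global privilege on an account is the finding this STIG item is looking for.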