enhancing mysql security
play

Enhancing MySQL Security Vinicius M. Grippa Support Engineer for - PowerPoint PPT Presentation

Mar 01, 2024 •177 likes •861 views

Enhancing MySQL Security Vinicius M. Grippa Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com 1 About Me Support Engineer at Percona since 2017 Working with MySQL for over six years Working with databases for over nine

  1. Enhancing MySQL Security Vinicius M. Grippa Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com 1

  2. About Me • Support Engineer at Percona since 2017 • Working with MySQL for over six years • Working with databases for over nine years • Speaker at PL 2018 and meetups about MySQL/MongoDB

  3. Basic Principles • Minimum access • Isolate • Audit • Avoid spying • Default firewall 3

  4. Agenda • SO/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features • MySQL 8 features (undo, redo encryption) • TDE • New caching_sha2_password • FIPS mode • Roles 4

  5. OS/Cloud Security

  6. OS/Cloud Security • Uninstall services that are not used • Do not run compilers • Firewalls • Block internet access • Disable remote root login • Use of SSH Key 6

  7. OS/Cloud Security • Use of Amazon Virtual Private Cloud (VPC) • Use AWS Identity and Access Management (IAM) policies • Use security groups 7

  8. OS/Cloud Security 8

  9. OS/Cloud Security 9

  10. OS/Cloud Security 10

  11. SSL

  12. SSL • Move information over a network in a secure fashion • SSL provides an way to cryptograph the data • Default for MySQL 5.7 or higher • Certificates ▪ MySQL 5.7 - mysql_ssl_rsa_setup ▪ MySQL 5.6 - openssl 12

  13. SSL mysql > show global variables like '%ssl%'; +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | ca.pem | | ssl_capath | | | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | server-key.pem | +---------------+-----------------+ 9 rows in set (0.03 sec) 13

  14. SSL mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e " \s "| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256 14

  15. SSL It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required 15

  16. SSL 16

  17. Password Management

  18. Password Management • Password expiration • validate_password plugin 18

  19. Password Expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior. 19

  20. Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1; 20

  21. Password Expiration mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement. 21

  22. validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password. 22

  23. validate_plugin - Installing # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so 23

  24. validate_plugin - Validate mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec) 24

  25. validate_plugin - Example mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec) 25

  26. validate_plugin - Example mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec) 26

  27. Audit Plugin

  28. Audit Plugin • MySQL Enterprise – Paid • Percona Server (works with community version) – Free • It is different from general log • Filter by command / user / database 28

  29. Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+ 1 row in set (0.00 sec) 29

  30. Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10 30

  31. Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | | 31

  32. Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec) 32

  33. Percona Server Encryption Features

  34. Percona Server Encryption Percona server provides extra encryption: • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables – BETA quality • innodb_parallel_dblwr_encrypt – ALPHA quality • innodb_sys_tablespace_encrypt – ALPHA quality • innodb_temp_tablespace_encrypt – BETA quality 34

  35. Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binlog_checksum = 1 mysql: root@localhost ((none)) > show global variables like '%encrypt_binlog%'; +----------------+-------+ | Variable_name | Value | +----------------+-------+ | encrypt_binlog | ON | +----------------+-------+ 1 row in set (0.00 sec) 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since

Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since

Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since 2017 Working with MySQL for over 5 years - Started with SQL Server Working with databases for 7 years 2 Agenda OS/Cloud security

1.16k views • 78 slides
MySQL Security Domas Mituzas, Sun Microsystems Me MySQL Support Security Coordinator (role)

MySQL Security Domas Mituzas, Sun Microsystems Me MySQL Support Security Coordinator (role)

MySQL Security Domas Mituzas, Sun Microsystems Me MySQL Support Security Coordinator (role) Did lots of security consulting and systems design work before Would prefer not to work on protection. Productivity is so much more fun!

706 views • 44 slides
MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann

MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann

<Insert Picture Here> MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann Development Director MySQL Replication, Backup & Connectors O'Reilly MySQL Users Conference, April 2011 MySQL Releases

456 views • 42 slides
MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers forward requests to backends and can transform, handle or block them released under the GPL see http://forge.mysql.com/wiki/MySQL_Proxy

945 views • 27 slides
PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction

PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction

Berner Fachhochschule - HTI PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction Basics of MySQL Create a Table See the content of a DB Tables: Change rows and Insert data Select

637 views • 53 slides
Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N A N D R I T I T I K A M A M O O R J A N A N I Introduction Topics Covered Security Checking using Nikto Dangers of Default

262 views • 22 slides
MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is MySQL Proxy Started Feb 2007 Current: MySQL Proxy 0.7.0 Source available on launchpad.net $ bzr branch lp:mysql-proxy Foundation of

308 views • 17 slides
MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice

MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice

MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice Manager Table of Contents Group Replication MySQL Shell (AdminAPI) MySQL Group Replication MySQL Router Best Practices Limitations Production?

993 views • 72 slides
Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011 Consulting Support Training Development For MySQL Percona Server Replaces MySQL Faster Queries More Consistent More Measurable More

670 views • 41 slides
PHP + MySQL MySQL on the command line is great and all well not its not really that great

PHP + MySQL MySQL on the command line is great and all well not its not really that great

PHP + MySQL MySQL on the command line is great and all well not its not really that great Using MySQL in PHP is somewhat similar to the command line: Set up a connection to a MySQL database Issue a bunch of commands to the

944 views • 43 slides
Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017

Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017

Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017 Introduction: SECURITY REQUIRES A LAYERED APPROACH NXPs 4 + 1 Layer approach for vehicle cyber security: Multiple security techniques, at different

485 views • 19 slides
Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters

Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters

Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters Rockville, MD Sept 4, 2008; 9:30 a.m. 12 noon 1 AGENDA Welcome Patricia Trish Holahan, Director Division of Security Operations (DSO)

479 views • 14 slides
SQL & MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is

SQL & MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is

SQL & MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is a language to interact with the database SQL is used with other databases: Access, Oracle, Portage SQL, MS SQL, etc... MySQL Open source

391 views • 7 slides
Percona MySQL About Me Qunar.com DB Director

Percona MySQL About Me Qunar.com DB Director

Percona MySQL About Me Qunar.com DB Director MySQL Inception MySQL ACMUG Oracle MySQL ACE Director What do we need to do for MySQL in

320 views • 20 slides
WELCOME TO MY PRESENTATION MARITIME SECURITY Common interest and Enhancing Cooperation

WELCOME TO MY PRESENTATION MARITIME SECURITY Common interest and Enhancing Cooperation

WELCOME TO MY PRESENTATION MARITIME SECURITY Common interest and Enhancing Cooperation PRESENTED BY Rea Adm BORIN KHUN Deputy Secretary General, National Committee for Maritime Security. Phnom Penh, May 25 2012. INTRODUCTION THE

720 views • 7 slides
MySQL Cluster und MySQL Proxy Alles Online Diese Slides gibt es auch unter:

MySQL Cluster und MySQL Proxy Alles Online Diese Slides gibt es auch unter:

MySQL Cluster und MySQL Proxy Alles Online Diese Slides gibt es auch unter: http://rt.fm/s4p Agenda (Don't) Panic Web- und MySQL-Server MySQL Master-Master Cluster MySQL Proxy und Cluster MySQL

1.83k views • 31 slides
Comet Virtual Clusters Whats underneath? Philip Papadopoulos San Diego Supercomputer

Comet Virtual Clusters Whats underneath? Philip Papadopoulos San Diego Supercomputer

Comet Virtual Clusters Whats underneath? Philip Papadopoulos San Diego Supercomputer Center ppapadopoulos@ucsd.edu Overview NSF Award# 1341698, Gateways to Discovery: Cyberinfrastructure for the Long Tail of Science PI: Michael Norman

604 views • 38 slides
Cache Hierarchies Po-An Tsai , Nathan Beckmann, and Daniel Sanchez Executive summary

Cache Hierarchies Po-An Tsai , Nathan Beckmann, and Daniel Sanchez Executive summary

Jenga: Software-Defined Cache Hierarchies Po-An Tsai , Nathan Beckmann, and Daniel Sanchez Executive summary Heterogeneous caches are traditionally organized as a rigid hierarchy Easy to program but introduce expensive overheads when

1.66k views • 152 slides
100GE Upgrades at FNAL Phil DeMar ; Andrey Bobyshev CHEP 2015 April 14, 2015 FNAL High-Impact

100GE Upgrades at FNAL Phil DeMar ; Andrey Bobyshev CHEP 2015 April 14, 2015 FNAL High-Impact

100GE Upgrades at FNAL Phil DeMar ; Andrey Bobyshev CHEP 2015 April 14, 2015 FNAL High-Impact Traffic Isolation Philosophy If feasible, science data traffic kept logically separate: Optimal performance likely over WAN science data

345 views • 16 slides
Review of Symbols Review of Symbols CS 105 Basic Parameters Tour of the Black Holes of

Review of Symbols Review of Symbols CS 105 Basic Parameters Tour of the Black Holes of

366 views • 7 slides
Classes in C++ A lot of this stuff is trivia, but it can be hard to discern up front. Classes in

Classes in C++ A lot of this stuff is trivia, but it can be hard to discern up front. Classes in

Classes in C++ A lot of this stuff is trivia, but it can be hard to discern up front. Classes in C++ are complex and have a ton of rules, most of which I look up as I go Ill try to point out the core concepts and assign readings / practice

625 views • 43 slides
Realizing a Virtual Private Network using Named Data Networking September 28, 2017 Craig

Realizing a Virtual Private Network using Named Data Networking September 28, 2017 Craig

Realizing a Virtual Private Network using Named Data Networking September 28, 2017 Craig Partridge Samuel Nelson Derrick Kong Th This document does not contain technology or te technical data controlled under either the U.S. In Inter

431 views • 13 slides
Overview Distributed Services for Distributed VPNs Objectives for Robust Time

Overview Distributed Services for Distributed VPNs Objectives for Robust Time

Michael Rossberg, Rene Golembewski, Guenter Schaefer Ilmenau University of Technology, Germany ICCCN 2012 Attack-Resistant Distributed Time Synchronization for Virtual Private Networks Overview Distributed Services for Distributed VPNs

212 views • 9 slides
Tag/Label Switching CS598: Advanced Internet Presented by: Imranul Hoque 1 How to go from A to

Tag/Label Switching CS598: Advanced Internet Presented by: Imranul Hoque 1 How to go from A to

Tag/Label Switching CS598: Advanced Internet Presented by: Imranul Hoque 1 How to go from A to B? Broadcast: Go everywhere, stop at B Never ask for directions Hop by hop routing: Hop by hop routing: Ask who is closer to

599 views • 21 slides

More recommend