enhancing mysql security
play

Enhancing MySQL Security Vinicius Grippa Percona About me - PowerPoint PPT Presentation

Nov 27, 2022 •368 likes •1.16k views

Enhancing MySQL Security Vinicius Grippa Percona About me Support Engineer at Percona since 2017 Working with MySQL for over 5 years - Started with SQL Server Working with databases for 7 years 2 Agenda OS/Cloud security

  1. Enhancing MySQL Security Vinicius Grippa Percona

  2. About me • Support Engineer at Percona since 2017 Working with MySQL for over 5 years - Started with SQL Server • Working with databases for 7 years 2

  3. Agenda • OS/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features • MySQL 8 features (undo, redo encryption) • TDE • New caching_sha2_password • FIPS mode • Roles 3

  4. Basic Principles • Minimum access • Isolate • Audit • Avoid spying • Default firewall 4

  5. Agenda • OS/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features • MySQL 8 features (undo, redo encryption) • TDE • New caching_sha2_password • FIPS mode • Roles 5

  6. OS/Cloud Security

  7. OS/Cloud security • Uninstall services that are not used • Do not run compilers • Firewalls • Block internet access • Disable remote root login • Use of SSH Key • AppArmor / SELinux 7

  8. OS/Cloud security • Use of Amazon Virtual Private Cloud (VPC) • Use AWS Identity and Access Management (IAM) policies • Use security groups 8

  9. Agenda • OS/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features • MySQL 8 features (undo, redo encryption) • TDE • New caching_sha2_password • FIPS mode • Roles 9

  10. SSL

  11. SSL • Move information over a network in a secure fashion • SSL provides an way to cryptograph the data • Default for MySQL 5.7 or higher • Certificates • MySQL 5.7 - mysql_ssl_rsa_setup • MySQL 5.6 - openssl 11

  12. SSL mysql > show global variables like '%ssl%'; +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | ca.pem | | ssl_capath | | | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | server-key.pem | +---------------+-----------------+ 9 rows in set (0.03 sec) 12

  13. SSL mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e " \s "| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256 13

  14. SSL It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required 14

  15. SSL 15

  16. Agenda • OS/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features • MySQL 8 features (undo, redo encryption) • TDE • New caching_sha2_password • FIPS mode • Roles 16

  17. Password Management

  18. Password Management • Password expiration • validate_password plugin 18

  19. Password expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior. 19

  20. Password expiration Individual accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1; 20

  21. Password expiration mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement. 21

  22. validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password. 22

  23. validate_plugin - Installing # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so 23

  24. validate_plugin - Validate mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) 24

  25. validate_plugin - Validate mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec) 25

  26. validate_plugin - Example mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec) 26

  27. validate_plugin - Example mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec) 27

  28. Agenda • OS/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features • MySQL 8 features (undo, redo encryption) • TDE • New caching_sha2_password • FIPS mode • Roles 28

  29. Audit Plugin

  30. Audit Plugin • MySQL Enterprise – Paid • Percona Server (works with community version) – Free • Its different from general log • Filter by command / user / database 30

  31. Audit Plugin - Installing Mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) Mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+ 1 row in set (0.00 sec) 31

  32. Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10 32

  33. Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | | 33

  34. Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec) 34

  35. Agenda • OS/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features • MySQL 8 features (undo, redo encryption) • TDE • New caching_sha2_password • FIPS mode • Roles 35

  36. Percona Server encryption features

  37. Percona Server encryption Percona server provides extra encryption • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables – BETA quality • innodb_parallel_dblwr_encrypt – ALPHA quality • innodb_sys_tablespace_encrypt – ALPHA quality • innodb_temp_tablespace_encrypt – BETA quality 37

Recommend

Enhancing MySQL Security Vinicius M. Grippa Support Engineer for MySQL/MongoDB

Enhancing MySQL Security Vinicius M. Grippa Support Engineer for MySQL/MongoDB

Enhancing MySQL Security Vinicius M. Grippa Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com 1 About Me Support Engineer at Percona since 2017 Working with MySQL for over six years Working with databases for over nine

861 views • 67 slides
MySQL Security Domas Mituzas, Sun Microsystems Me MySQL Support Security Coordinator (role)

MySQL Security Domas Mituzas, Sun Microsystems Me MySQL Support Security Coordinator (role)

MySQL Security Domas Mituzas, Sun Microsystems Me MySQL Support Security Coordinator (role) Did lots of security consulting and systems design work before Would prefer not to work on protection. Productivity is so much more fun!

706 views • 44 slides
MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann

MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann

<Insert Picture Here> MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann Development Director MySQL Replication, Backup & Connectors O'Reilly MySQL Users Conference, April 2011 MySQL Releases

456 views • 42 slides
MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers forward requests to backends and can transform, handle or block them released under the GPL see http://forge.mysql.com/wiki/MySQL_Proxy

945 views • 27 slides
PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction

PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction

Berner Fachhochschule - HTI PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction Basics of MySQL Create a Table See the content of a DB Tables: Change rows and Insert data Select

637 views • 53 slides
Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N A N D R I T I T I K A M A M O O R J A N A N I Introduction Topics Covered Security Checking using Nikto Dangers of Default

262 views • 22 slides
MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is MySQL Proxy Started Feb 2007 Current: MySQL Proxy 0.7.0 Source available on launchpad.net $ bzr branch lp:mysql-proxy Foundation of

308 views • 17 slides
MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice

MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice

MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice Manager Table of Contents Group Replication MySQL Shell (AdminAPI) MySQL Group Replication MySQL Router Best Practices Limitations Production?

993 views • 72 slides
Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011

Forecasting MySQL Scalability Baron Schwartz O'Reilly MySQL Conference & Expo 2011 Consulting Support Training Development For MySQL Percona Server Replaces MySQL Faster Queries More Consistent More Measurable More

670 views • 41 slides
PHP + MySQL MySQL on the command line is great and all well not its not really that great

PHP + MySQL MySQL on the command line is great and all well not its not really that great

PHP + MySQL MySQL on the command line is great and all well not its not really that great Using MySQL in PHP is somewhat similar to the command line: Set up a connection to a MySQL database Issue a bunch of commands to the

944 views • 43 slides
Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017

Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017

Security enhancing CAN transceivers Bernd Elend Principal Engineer March 8 th , 2017 Introduction: SECURITY REQUIRES A LAYERED APPROACH NXPs 4 + 1 Layer approach for vehicle cyber security: Multiple security techniques, at different

485 views • 19 slides
Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters

Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters

Enhancing Openness and Transparency in NRC Security Inspection Programs NRC Headquarters Rockville, MD Sept 4, 2008; 9:30 a.m. 12 noon 1 AGENDA Welcome Patricia Trish Holahan, Director Division of Security Operations (DSO)

479 views • 14 slides
SQL & MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is

SQL & MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is

SQL & MySQL Jeff Siarto - TC 361 Whats the Difference? MySQL is a database SQL is a language to interact with the database SQL is used with other databases: Access, Oracle, Portage SQL, MS SQL, etc... MySQL Open source

391 views • 7 slides
Percona MySQL About Me Qunar.com DB Director

Percona MySQL About Me Qunar.com DB Director

Percona MySQL About Me Qunar.com DB Director MySQL Inception MySQL ACMUG Oracle MySQL ACE Director What do we need to do for MySQL in

320 views • 20 slides
WELCOME TO MY PRESENTATION MARITIME SECURITY Common interest and Enhancing Cooperation

WELCOME TO MY PRESENTATION MARITIME SECURITY Common interest and Enhancing Cooperation

WELCOME TO MY PRESENTATION MARITIME SECURITY Common interest and Enhancing Cooperation PRESENTED BY Rea Adm BORIN KHUN Deputy Secretary General, National Committee for Maritime Security. Phnom Penh, May 25 2012. INTRODUCTION THE

720 views • 7 slides
MySQL Cluster und MySQL Proxy Alles Online Diese Slides gibt es auch unter:

MySQL Cluster und MySQL Proxy Alles Online Diese Slides gibt es auch unter:

MySQL Cluster und MySQL Proxy Alles Online Diese Slides gibt es auch unter: http://rt.fm/s4p Agenda (Don't) Panic Web- und MySQL-Server MySQL Master-Master Cluster MySQL Proxy und Cluster MySQL

1.83k views • 31 slides
More on gdb for MySQL DBAs or Using gdb to study MySQL internals and as a last resort Valerii

More on gdb for MySQL DBAs or Using gdb to study MySQL internals and as a last resort Valerii

More on gdb for MySQL DBAs or Using gdb to study MySQL internals and as a last resort Valerii Kravchuk, MySQL Support Engineer vkravchuk@gmail.com Who am I? Valerii (aka Valeriy ) Kravchuk : MySQL Support Engineer in MySQL AB, Sun and

376 views • 20 slides
Reducing Risk When Upgrading Your MySQL Environment Kenny Gryp MySQL Practice Manager My

Reducing Risk When Upgrading Your MySQL Environment Kenny Gryp MySQL Practice Manager My

Reducing Risk When Upgrading Your MySQL Environment Kenny Gryp MySQL Practice Manager My Experience as MySQL Consultant On Upgrading MySQL it's quite complex... Kenny Gryp MySQL Practice Manager Table of Contents The Ocial Documentation

1.13k views • 77 slides
MySQL X Protocol Talking to MySQL Directly over the Wire Simon J Mudd

MySQL X Protocol Talking to MySQL Directly over the Wire Simon J Mudd

MySQL X Protocol Talking to MySQL Directly over the Wire Simon J Mudd <simon.mudd@booking.com> Percona Live Europe Amsterdam 5 th October 2016 Content What is MySQL X protocol How does it work Building Drivers

793 views • 60 slides
Geographic Features in MySQL Tibor Korocz Percona What do I try to answer today? - Can MySQL

Geographic Features in MySQL Tibor Korocz Percona What do I try to answer today? - Can MySQL

Geographic Features in MySQL Tibor Korocz Percona What do I try to answer today? - Can MySQL 8 help us with the common usecases? - Distance Calculation. - What is near by me? - Does MySQL 8 give us better options/solutions for these

1.14k views • 52 slides
Performance Guide for MySQL Cluster Mikael Ronstrm, Ph.D Senior MySQL Architect Sun

Performance Guide for MySQL Cluster Mikael Ronstrm, Ph.D Senior MySQL Architect Sun

Performance Guide for MySQL Cluster Mikael Ronstrm, Ph.D Senior MySQL Architect Sun Microsystems MySQL Cluster Application Application Application MySQL Client MySQL Client MySQL Client Application Application MySQL MySQL MySQL

737 views • 50 slides
MySQL @Twitter: No More Forkin - Migrating to MySQL Community Version Twitter, Inc. MySQL

MySQL @Twitter: No More Forkin - Migrating to MySQL Community Version Twitter, Inc. MySQL

Twitter, Inc. MySQL @Twitter: No More Forkin - Migrating to MySQL Community Version Twitter, Inc. MySQL @Twitter Background Migration Process Migration Challenges Post-Deployment Challenges Future Plans Q&A

703 views • 44 slides
Securing customer data (PII) in MySQL Alexander Rubin VirtualHealth PRIVILEGED + CONFIDENTIAL

Securing customer data (PII) in MySQL Alexander Rubin VirtualHealth PRIVILEGED + CONFIDENTIAL

Securing customer data (PII) in MySQL Alexander Rubin VirtualHealth PRIVILEGED + CONFIDENTIAL About me Working with MySQL for 10-15 years Started at MySQL AB 2006 Sun Microsystems, Oracle (MySQL Consulting) Percona since 2014

1.13k views • 44 slides
Enhancing global security through space Enhancing global security through space the role of

Enhancing global security through space Enhancing global security through space the role of

Enhancing global security through space Enhancing global security through space the role of COPUOS and UNOOSA the role of COPUOS and UNOOSA ACUNS Annual Meeting ACUNS Annual Meeting New Security Challenges New Security Challenges

669 views • 18 slides

More recommend