mariadb security features and best practices
play

MariaDB security features and best practices Robert Bindar - PowerPoint PPT Presentation

Aug 29, 2023 •175 likes •606 views

MariaDB security features and best practices Robert Bindar Software Developer @MariaDB Foundation Percona Live Austin, 28-30 May 2019 Motivation - Users Potential public shaming through data breaches Massive loss of business

  1. MariaDB security features and best practices Robert Bindar Software Developer @MariaDB Foundation Percona Live Austin, 28-30 May 2019

  2. Motivation - Users ● Potential public shaming through data breaches ● Massive loss of business ● Angry Clients ● Expensive lawsuits and fines ● And it’s getting worse as more people start realizing the impact of data security ● Bonus points for being compliant with data protection regulations MariaDB Security Features and Best Practices 2 https://mariadb.org

  3. Motivation - MariaDB ● One of the most popular db servers Part of critical infrastructure worldwide ● ● Its main purpose is to manage data Very important for our users ● MariaDB Security Features and Best Practices 3 https://mariadb.org

  4. Potential threats and defense mechanisms MariaDB Security Features and Best Practices 4 https://mariadb.org

  5. Direct DB threats Threat Prevention • Man in the middle attacks • Limit/block outside TCP connections • Spoofing to MariaDB • Memory corruption exploits • Secure your DNS infrastructure • MariaDB should accept connections only from the application host • Use bind_address • Use TLS/SSL • Keep your OS updated • Keep your MariaDB Server updated MariaDB Security Features and Best Practices 5 https://mariadb.org

  6. Application threats Threat Prevention • DOS attacks • Your MariaDB server should ideally • Data leaks/corruption run on a dedicated machine • SQL injection • Avoid running the application on the DB machine • Keep the DB machine as clean as possible • Have a strong permissions system • Application code security practices MariaDB Security Features and Best Practices 6 https://mariadb.org

  7. Limiting Human Errors Threat Prevention • Genuine human mistakes • Limit sudo access on the MariaDB • Bad intentions server machine • Limit ssh access • Avoid running mysqld as root • Use specific hostnames instead of wildcards • Use secure_file_priv • Robust defaults MariaDB Security Features and Best Practices 7 https://mariadb.org

  8. Secure Installations with mysql_secure_installation MariaDB Security Features and Best Practices 8 https://mariadb.org

  9. mysql_secure_installation It won’t provide bullet-proof security for your deployment. This script just presents a basic set of recommended settings to get started. MariaDB Security Features and Best Practices 9 https://mariadb.org

  10. mysql_secure_installation Set/Change root accounts passwords ● ● Delete root accounts accessible from outside Remove anonymous user accounts ● ● Remove test database FLUSH PRIVILEGES on the house! ● MariaDB Security Features and Best Practices 10 https://mariadb.org

  11. Data Encryption MariaDB Security Features and Best Practices 11 https://mariadb.org

  12. #define In-Transit Data : Data transmitted between clients and the MariaDB server, between server instances in replication or data transmitted within the Galera cluster. Defaults to unencrypted! At-Rest Data: Some of the data residing in persistent storage: tables, tablespaces, binary logs. Supported with InnoDB and XtraDB, partially with Aria. MariaDB Security Features and Best Practices 12 https://mariadb.org

  13. Encryption Libraries in MariaDB MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'version_ssl_library'; +---------------------+----------------------------+ | Variable_name | Value | +---------------------+----------------------------+ | version_ssl_library | OpenSSL 1.1.0g 2 Nov 2017 | +---------------------+----------------------------+ ● MariaDB uses TLS static linking with yaSSL - server + client ● dynamic linking with OpenSSL - server + client ● ● dynamic linking with GnuTLS or Schannel - client ● have_ssl will tell you if TLS is supported/enabled MariaDB Security Features and Best Practices 13 https://mariadb.org

  14. Server <-> Clients data encryption with TLS [mariadb] ssl_cert = /etc/my.cnf.d/certificates/server-cert.pem ssl_key = /etc/my.cnf.d/certificates/server-key.pem ssl_ca = /etc/my.cnf.d/certificates/ca.pem ● Defaults to not encrypted have_ssl == YES means TLS is enabled ● FLUSH SSL reloads TLS context from 10.4 ● ● Two-way TLS is required if REQUIRE X509, REQUIRE SUBJECT, REQUIRE ISSUER are used for an account TLS can be required for specific accounts from untrusted hosts ● MariaDB Security Features and Best Practices 14 https://mariadb.org

  15. Secure Connections in Replication MariaDB [(none)]> CHANGE MASTER TO MASTER_SSL_CA = '/path/to/ca/ca.pem', MASTER_SSL_VERIFY_SERVER_CERT=1; Defaults to not encrypted ● Enable TLS on all server instances ● ● Stop slaves and execute CHANGE MASTER ● Two-way TLS can also be enabled with CHANGE MASTER MariaDB Security Features and Best Practices 15 https://mariadb.org

  16. Encryption for Galera Cluster [mariadb] … cert,key,ca wsrep_provider_options="socket.ssl_cert=/path/server-cert.pem; socket.ssl_key=/path/server-key.pem; socket.ssl_ca=/path/ca.pem" ● Defaults to not encrypted Enable TLS on each server node ● ● Add wsrep ssl options to cnf along the server ssl options ● Traffic is encrypted within the cluster and with external client connections ● Backup utilities also support encryption MariaDB Security Features and Best Practices 16 https://mariadb.org

  17. At-Rest Data Encryption Encrypting some of the data on disk ● ● Overhead is estimated at 3-5% Supported fully with InnoDB and XtraDB SEs ● ● Aria support for ROW_FORMAT=PAGE tables You need to install an encryption management plugin ● ● Only helpful if the attacker is not an authorized MariaDB user MariaDB Security Features and Best Practices 17 https://mariadb.org

  18. Account Management best practices MariaDB Security Features and Best Practices 18 https://mariadb.org

  19. Password Validation Plugins Simple Password Cracklib Password Check Check • .so shipped with MariaDB - easy install • Not shipped by default with MariaDB • Minimum length • Checks password against a dictionary • Mixed case • Uses the CrackLib db • Alphanumeric checks • Can be used with PAM as of 10.4 • Special chars • Can be used with PAM as of 10.4 MariaDB Security Features and Best Practices 19 https://mariadb.org

  20. Unix Socket Authentication MariaDB [(none)]> CREATE USER username@hostname IDENTIFIED VIA unix_socket; Query OK, 0 rows affected (0.00 sec) ● Use OS credentials when connecting to MariaDB Enabled by default in 10.4.3 ● https://mariadb.org/authentication-in-mariadb-10-4/ ● MariaDB Security Features and Best Practices 20 https://mariadb.org

  21. Account Locking ● Mark an account as locked and deny any subsequent connection requests for that account Minimum privilege package = no client connection at all ● ● Integrated solution for refusing client connections MariaDB Security Features and Best Practices 21 https://mariadb.org

  22. Account Locking MariaDB [(none)]> CREATE USER user@localhost ACCOUNT LOCK; Query OK, 0 rows affected (0.00 sec) ● Creates a user account that is locked MariaDB Security Features and Best Practices 22 https://mariadb.org

  23. Account Locking MariaDB [(none)]> SHOW CREATE USER user@localhost; +---------------------------------------------+ | CREATE USER for user@localhost | +---------------------------------------------+ | CREATE USER 'user'@'localhost' ACCOUNT LOCK | +---------------------------------------------+ 1 row in set (0.000 sec) ● SHOW CREATE USER displays the locking status of an account MariaDB Security Features and Best Practices 23 https://mariadb.org

  24. Account Locking MariaDB [(none)]> ALTER USER user@localhost ACCOUNT UNLOCK; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> ALTER USER user@localhost ACCOUNT LOCK; Query OK, 0 rows affected (0.00 sec) ● Altering an existing account to lock/unlock MariaDB Security Features and Best Practices 24 https://mariadb.org

  25. Account Locking bindar@computer:~/MariaDB/server$ ./client/mysql -uuser ERROR 4151 (HY000): Access denied, this account is locked ● Attempting a connection using a locked account returns ER_ACCOUNT_HAS_BEEN_LOCKED MariaDB Security Features and Best Practices 25 https://mariadb.org

  26. Account Locking Whether an account is locked or not is checked during the authentication phase (including COM_CHANGE_USER). Locking an account does not affect existing connections. MariaDB Security Features and Best Practices 26 https://mariadb.org

  27. Expiration of User Passwords A new connection with an expired password is either denied or only ● allowed to execute SET PASSWORD ● Supports expiring passwords with immediate effect, per-account automatic expiration as well as global policies for automatic expiration ● Compliance with latest security standards Fully compatible with MySQL 5.7 datadirs ● MariaDB Security Features and Best Practices 27 https://mariadb.org

  28. Password Expiration MariaDB [(none)]> CREATE USER user@localhost PASSWORD EXPIRE; Query OK, 0 rows affected (0.00 sec) ● Creates a new account and expire the password with immediate effect MariaDB Security Features and Best Practices 28 https://mariadb.org

Recommend

MariaDB State of MariaDB Michael Monty Widenius MariaDB hacker monty@askmonty.org

MariaDB State of MariaDB Michael Monty Widenius MariaDB hacker monty@askmonty.org

MariaDB State of MariaDB Michael Monty Widenius MariaDB hacker monty@askmonty.org http://mariadb.com/ Notice: MySQL is a registered trademark of Sun Microsystems, Inc. The origin of My (SQL) At start: Lots of traveling and meeting

1.16k views • 57 slides
MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist, Percona Inc. colin.charles@percona.com / byte@bytebot.net http://bytebot.net/blog/ | @bytebot on Twitter Percona Live Santa Clara 2018, Santa Clara,

681 views • 64 slides
Git Best Practices Viceniu Ciorbaru Software Engineer @ MariaDB Foundation Agenda Regular

Git Best Practices Viceniu Ciorbaru Software Engineer @ MariaDB Foundation Agenda Regular

Git Best Practices Viceniu Ciorbaru Software Engineer @ MariaDB Foundation Agenda Regular git workflow Common mistakes and solutions Handling community contributions Regular git workflow $ git checkout bb-10.2-bug Make sure

1.06k views • 16 slides
FOSDEM MariaDB 10 - The Spider Storage Engine (a sharding plugin for MySQL/MariaDB) Stphane

FOSDEM MariaDB 10 - The Spider Storage Engine (a sharding plugin for MySQL/MariaDB) Stphane

FOSDEM MariaDB 10 - The Spider Storage Engine (a sharding plugin for MySQL/MariaDB) Stphane Varoqui &lt;stephane@skysql.com&gt; Colin Charles &lt;byte@mariadb.com&gt; Introduction Fear of Databases Fear of Sharding Fear of

599 views • 30 slides
Histograms in MariaDB, MySQL and PostgreSQL Sergei Petrunia, MariaDB Sergei Petrunia, MariaDB

Histograms in MariaDB, MySQL and PostgreSQL Sergei Petrunia, MariaDB Sergei Petrunia, MariaDB

Histograms in MariaDB, MySQL and PostgreSQL Sergei Petrunia, MariaDB Sergei Petrunia, MariaDB Santa Clara, California | April 24th 27th, 2017 Santa Clara, California | April 24th 27th, 2017 What this talk is about Data statistics

928 views • 44 slides
using Amazon Key Management Service Jan Lindstrm, Principal Engineer, MariaDB Corporation

using Amazon Key Management Service Jan Lindstrm, Principal Engineer, MariaDB Corporation

Transparent tablespace and log encryption on MariaDB 10.1 using Amazon Key Management Service Jan Lindstrm, Principal Engineer, MariaDB Corporation Amsterdam, Netherlands | October 5, 2016 Agenda 1. Introduction 2. Concepts 3.

795 views • 32 slides
ALTER TABLE IMPROVEMENTS IN MARIA DB SERVER Marko Mkel Lead Developer InnoDB MariaDB

ALTER TABLE IMPROVEMENTS IN MARIA DB SERVER Marko Mkel Lead Developer InnoDB MariaDB

ALTER TABLE IMPROVEMENTS IN MARIA DB SERVER Marko Mkel Lead Developer InnoDB MariaDB Corporation Generic ALTER TABLE in MySQL &amp; MariaDB CREATE ; INSERT SELECT ; RENAME ; DROP Starting with MySQL 5.6 &amp; MariaDB 10.0,

1.51k views • 25 slides
Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services Agenda Security Advisories @ Apache Issues associated with the advisory process Apache CXF advisories + lessons learned

394 views • 28 slides
Galera 4 in MariaDB 10.4 And a little bit in MySQL Seppo Jaakola Codership 1 CEO Codership

Galera 4 in MariaDB 10.4 And a little bit in MySQL Seppo Jaakola Codership 1 CEO Codership

Galera 4 in MariaDB 10.4 And a little bit in MySQL Seppo Jaakola Codership 1 CEO Codership Developer role, 15 yrs with MySQL engineering Background: DBMS Engineering Data Security Seppo Jaakola www.galeracluster.com C o d e r s h i p

1.01k views • 75 slides
Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix security model. See how general security principles are implemented in an actual

733 views • 59 slides
Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Unit OS7: Security 7.2. Windows Security Components and Concepts Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 7.2. Windows Security Features Components of the Security

453 views • 14 slides
MariaDB 10.3 vs MySQL 8.0 Tyler Duzan, Product Manager Percona Who Am I? My name is Tyler

MariaDB 10.3 vs MySQL 8.0 Tyler Duzan, Product Manager Percona Who Am I? My name is Tyler

MariaDB 10.3 vs MySQL 8.0 Tyler Duzan, Product Manager Percona Who Am I? My name is Tyler Duzan Formerly an operations engineer for more than 12 years focused on security and automation Now a Product Manager at Percona

4.42k views • 37 slides
How to Share Best Security Practices Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi,

How to Share Best Security Practices Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi,

How to Share Best Security Practices Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi, security@eudat.eu WISE W orkshop for I nformation S ecurity for E -infrastructures 2015-10-22, Barcelona This work is licensed under the Creative Commons

492 views • 12 slides
Analytics 101 The Importance of Data Literacy Sprinklr Analytics Features Best Practices Why

Analytics 101 The Importance of Data Literacy Sprinklr Analytics Features Best Practices Why

Analytics 101 The Importance of Data Literacy Sprinklr Analytics Features Best Practices Why this matters and why we need to make this a priority. Only 24% of business decision makers, from junior managers to the C-suite, feel fully

197 views • 16 slides
Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches, Fixes, Revisions Antivirus Software Post-Install Security Checklist: Windows/UNIX File System Security Issues Chapter 10 User

361 views • 8 slides
School Safety and Security Agenda 1. The Law and Training 2. Practices and Procedures 3.

School Safety and Security Agenda 1. The Law and Training 2. Practices and Procedures 3.

Berkeley Heights Public Schools School Safety and Security Agenda 1. The Law and Training 2. Practices and Procedures 3. Crisis Planning Committee 4. Physical Security School Security Drill Law This law requires: 1 Fire Drill per

294 views • 14 slides
Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&amp;P 19 1 Outline Introduction Obstacles for

679 views • 65 slides
Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab

Understanding the Security of ARM Debugging Features Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University May 21, 2019 Understanding the Security of ARM Debugging Features, S&amp;P 19 1 Outline Introduction Obstacles in

1.03k views • 63 slides
Digit Digital al Se Security y Training Be Best Practices A digital training brought to you

Digit Digital al Se Security y Training Be Best Practices A digital training brought to you

Digit Digital al Se Security y Training Be Best Practices A digital training brought to you by RSAT Security in partnership with Supreme Technologies Group. Topics Covered Week 5 Week 1 Social Media Introduction to Information Security

410 views • 19 slides
MariaDB Optimizer in 10.3, where does it stand? Santa Clara, California | April 23th 25th,

MariaDB Optimizer in 10.3, where does it stand? Santa Clara, California | April 23th 25th,

MariaDB Optimizer in 10.3, where does it stand? Santa Clara, California | April 23th 25th, 2018 Santa Clara, California | April 23th 25th, 2018 Sergey Petrunia MariaDB Project Sergey Petrunia MariaDB Project Vicen

1.01k views • 65 slides
Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is

Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is

Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is &quot;Security&quot;? ISO/IEC 27000:2009 Information Security is... Confidentiality Integrity Availability And some other things Controls

236 views • 20 slides
Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant chores facing information security professionals. Chapter 11 tedious, time-consuming, boring Lecturer: Pei-yih Ting 1 Overview Configuring Logging

401 views • 7 slides
Document Security Features: Counterfeit Detection e-Learning Joel Zlotnick Supervisory Physical

Document Security Features: Counterfeit Detection e-Learning Joel Zlotnick Supervisory Physical

Document Security Features: Counterfeit Detection e-Learning Joel Zlotnick Supervisory Physical Scientist Bureau of Consular Affairs U.S. Department of State Date 1 Document Security Features Produced by the U.S. Department of State

368 views • 3 slides
UNFAIR COMMERCIAL UNFAIR COMMERCIAL PRACTICES DIRECTIVE PRACTICES DIRECTIVE An Overview Peter

UNFAIR COMMERCIAL UNFAIR COMMERCIAL PRACTICES DIRECTIVE PRACTICES DIRECTIVE An Overview Peter

UNFAIR COMMERCIAL UNFAIR COMMERCIAL PRACTICES DIRECTIVE PRACTICES DIRECTIVE An Overview Peter Deft CCP Directorate 25 January 2006 Ill Cover Purpose &amp; Key Features Structure The DTIs Consultation paper Next steps

125 views • 12 slides

More recommend