MariaDB Security- 5 Do's and Don'Ts

7/26/2019 MariaDB Security- 5 Do's and Don'Ts

1/21

*


2/21

MariaDB

17th March 2016

Security: 5 Dos and Donts


3/21

Lets Get Started - Some Housekeeping

We will review the questions as they come in and

answer then during the Q&A. You can post in chat

This session is being recorded1.

2.

3.

4.

5.

Running time is approximately 30 minutes

Copies of the slides will be sent out after the webinar ends

Dont forget to share on your social networks and to follow us o

Twitter, Facebook and LinkedIn to learn about upcoming webin


4/21

Welcome

We will send you the slides and a link

to the recorded webinar.

Please share this with your social

network!

Kolbe

MariaDB Enterpris


5/21

5 Best Practices to Protect Your Data

Enable the MariaDB Audit Plugin.

Use a gateway/proxy such as MariaDB MaxScale to

protect against attacks.

1.

2.

3.

4.

5.

Manage MariaDB user accounts carefully.

Regularly update MariaDB and other critical packages.

Encrypt sensitive data: in the application, in transit, at rest.


6/21

1. Use MariaDB MaxScale

MariaDB MaxScale is an intelligent database gateway. It

provides security, reliability, scalability, and performancebenefits.

MaxScales database firewall filtercan restrict the

operations clients are allowed to perform.

MaxScales connection pooling capabilities can protect

against DDoS attacks.

Learn more about MariaDB MaxScale at https://mariadb.

com/products/mariadb-maxscale
https://mariadb.com/kb/en/mariadb-enterprise/mariadb-maxscale/maxscale-database-firewall-filter/https://mariadb.com/products/mariadb-maxscalehttps://mariadb.com/products/mariadb-maxscalehttps://mariadb.com/kb/en/mariadb-enterprise/mariadb-maxscale/maxscale-database-firewall-filter/


7/21

2. Enable the MariaDB Audit Plugin

Robust logging is critical for ensuring regulatory compliance.

The Audit Plugin logs connections,query executions, and tables a

Logs created by the Audit Plugin can be used for forensic analysi

incident.

The Audit Plugin can log either to a file or to syslog.

Learn more about the MariaDB Audit Plugin at https://mariadb.

com/kb/en/mariadb/about-the-mariadb-audit-plugin/
https://mariadb.com/kb/en/mariadb/about-the-mariadb-audit-plugin/https://mariadb.com/kb/en/mariadb/about-the-mariadb-audit-plugin/https://mariadb.com/kb/en/mariadb/about-the-mariadb-audit-plugin/


8/21

3. Manage MariaDB user accounts carefully

Allow root access to MariaDB only from local clientsno admini

access over the network.

Use the unix_socket authentication pluginso that only the OS ro

can connect as the MariaDB root user.

Use strong passwords.

Enable the cracklib_password_check plugin.

Use a separate MariaDB user account for each of your applicatio

Allow access from a minimal set of IP addresses.
https://mariadb.com/kb/en/mariadb/cracklib_password_check/https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/https://mariadb.com/kb/en/mariadb/cracklib_password_check/https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/


9/21

4. Update MariaDB and other packages

Stay on top of the most recent security fixes by keeping your

MariaDB packages updated

Apply security updates distributed by your OS vendor, as

highlighted by recent problems in glibcand openssl.
http://www.kb.cert.org/vuls/id/583776http://www.kb.cert.org/vuls/id/457759


10/21

Encrypt some data in the application Non-key data

Credit card numbers

Encrypt data in transit using SSL From clients to MaxScale

From clients to MariaDB

Between MariaDB replication nodes

Encrypt data at rest using advanced tablespace encryption funct

MariaDB 10.1 InnoDB tablespace encryption

InnoDB redo log encryption

Binary log encryption

5. Encrypt sensitive data

Learn more about MariaDB Data-at-Rest encryption at https://mariadb.

com/kb/en/mariadb/data-at-rest-encryption/
https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/


11/21

5 Common Mistakes that Endanger Your Data

Do not use MariaDB packages distributed by your OS.

Do not expose MariaDB to the Internet.1.

2.

3.

4.

5.

Do not grant unnecessary MariaDB privileges.

Do not run your application or other extra services on

the same host as MariaDB.

Do not allow unnecessary access to MariaDB data or

backups, or other parts of the filesystem.


12/21

1. Do not expose MariaDB to the Internet

Do not allow TCP connections to MariaDB from the Internet at

large.

Configure MariaDB to listen on a network interface that is only

accessible from the host where your application runs.

Design your physical network to connect the app to MariaDB

Use bind-address to bind to a specific network interface

Use your OSs firewall


13/21

2. Do not use MariaDB packages from your OS

Linux vendors often distribute outdated versions of MariaDB wh

lack the most up-to-date security fixes and features: MariaDB 10.0 in Debian 8 (Jessie)

MariaDB 5.5 in RHEL 7

Instead, use MariaDB Enterprise packages:

Updated with the most-recent security fixes and features

Critical security features enabled by default


14/21

3. Do not grant excessive MariaDB privileges

Do not use the MariaDB root user for application access.

Grantonly the privileges required by your application.

Minimize the privileges granted to the MariaDB user accounts

used by your applications

Dont grant CREATE or DROP privileges.

Dont grant the FILE privilege.

Dont grant the SUPER privilege. Dont grant access to the mysqldatabase
https://mariadb.com/kb/en/mariadb/grant/https://mariadb.com/kb/en/mariadb/grant/


15/21

4. Do not run your app on your MariaDB serve

Do not run your application on your MariaDB Server.

Do not install unnecessary packages on your MariaDB Server

An overloaded application can use so much memory that

MariaDB could slow or even be killed by the OS. This is an

effective DDoS attack vector.

A compromised application or service can have many seriou

effects Discovery of MariaDB credentials

Direct access to data

Privilege escalation


16/21

5. Do not allow access to data or backups

Use OS permissions to restrict access to MariaDB data and backu

Do not allow unnecessary users SSH access to your MariaDB serv

Do not give unnecessary users sudo privileges on your MariaDB

server.

Set the secure_file_privoption to ensure that users with th

privilege cannot write or read MariaDB data or important system
https://mariadb.com/kb/en/mariadb/server-system-variables/#secure_file_privhttps://mariadb.com/kb/en/mariadb/server-system-variables/#secure_file_priv


17/21

Carefully manage MariaDB user

accounts.

Encrypt important data.

Summary: 5 Dos and Donts

Do not use your OSs M

packages.

Do not expose MariaD

Internet.

1.

2.

3.

4.

5.

Do not use the MariaD

for your application.

Do not run extra servi

applications on your M

Do not allow access to

data or backups.

1.

2.

3.

4.

5.

Use the MariaDB Audit Plugin.

Use MariaDB MaxScale.

Update MariaDB and other

packages.


18/21

Coming Soon in MariaDB Enterprise

More secure by default

root user uses unix_socket authentication by default

cracklib password validation plugin enabled by default

No more anonymous users

No more test database

Encryption

Amazon Web Services (AWS) Key Management Service (KMS) plugin

eperi gateway plugin

Improved SSL support in MariaDB MaxScale


19/21

New Service: MariaDB Security Audit

Evaluate and address database security policies, technologies, and practices

Review of your database security needs and requirements

Access control assessment

Automated attack protection review

Encryption tools and practices

Forensic capabilities review

Ongoing compliance and security planning

Fully leverage

MariaDBs security

capabilities

Reduce legal,

financial, and bra

reputation risk


20/21

Q&AWe will send you the slides

and a link to this recorded

webinar.

Dont forget to share it on

your social networks!


21/21

ThankYou

Kolbe Kegel, MariaDB Enterprise Technical [email protected]
mailto:[email protected]

Documents

MariaDB Security- 5 Do's and Don'Ts