© MariaDB Corporation Ab
MariaDB Roadshow 2015: MariaDB Security
Ralf Gebhardt
MariaDB Security

• Authentication Plugins
• Encryption
• User Roles
• Password Validation Plugins
• Audit Plugin
• Security Notifications
Before we talk about Plugins

• After installing MariaDB run
  shell> mysql_secure_installation
• You can
  • set a password for root accounts.
  • remove root accounts that are accessible from outside the local host.
  • remove anonymous-user accounts.
  • remove the test database, which by default can be accessed by anonymous users.
MariaDB Security: Authentication Plugins
PAM Authentication

• Authentication using /etc/shadow
• Authentication using LDAP, SSH pass phrases, password expiration, username mapping, logging every login attempt, etc.
• INSTALL PLUGIN pam SONAME 'auth_pam.so';
• CREATE USER foo@host IDENTIFIED via pam;
• REMEMBER to configure PAM (/etc/pam.d or /etc/pam.conf)
• https://mariadb.com/kb/en/pam-authentication-plugin/
Kerberos authentication plugin

Diagram: Kerberos ticket exchange between Client, KDC and MariaDB
1 - Client -> KDC: ticket request
2 - KDC -> Client: service ticket
3 - Client -> MariaDB: "Here is my service ticket, authenticate me"
4 - Client / Server session

• GSS-API on Linux
  • Red Hat Directory Server
  • OpenLDAP
• SSPI on Windows
  • Active Directory
MariaDB Security: Encryption
Data Encryption

• Encrypts complete tablespaces
• Optional per-table encryption possible with --innodb-file-per-table
• Can encrypt
  • InnoDB log files
  • Temporary tables
• Independently contributed by Google and Eperi GmbH
Configure Key Management

• Load Key Management Plugin
  plugin-load-add=file_key_management
• Choose encryption algorithm, e.g. aes_cbc
  file-key-management-encryption-algorithm=aes_cbc
• Set location of key file
  file-key-management-filename=/mnt/dfs/keys.txt
• Create keys
Activate Encryption

• Specify what to encrypt
  innodb-encrypt-tables=ON (OFF/FORCE)
  aria-encrypt-tables
  encrypt-tmp-disk-tables
  innodb-encrypt-log
• Optional key rotation
  innodb-encryption-threads=4
  innodb-encryption-rotate-key-age=1800
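The "Create keys" step above is the one the slides leave implicit. The following script is an added example, not code from the slides or from MariaDB; it assumes that the file_key_management plugin reads one key per line in the form `<key id>;<hex-encoded key>` with AES key sizes of 16, 24 or 32 bytes. It generates keys from the OS CSPRNG, writes the file with owner-only permissions (the key file is the root of trust for every encrypted tablespace), and re-parses it so a malformed or duplicate entry is caught before mysqld is restarted.

```python
# Added example (not from the slides): create and validate a key file for
# MariaDB's file_key_management plugin. Assumed format: "<key id>;<hex key>"
# per line, one of the AES key sizes (16/24/32 bytes).
import os
import re
from pathlib import Path

KEY_LINE = re.compile(r"^(\d+);([0-9A-Fa-f]+)$")
VALID_KEY_BYTES = {16, 24, 32}  # AES-128 / AES-192 / AES-256


def make_key_line(key_id: int, key: bytes) -> str:
    """Format one key-file line; refuse keys that are not a valid AES length."""
    if len(key) not in VALID_KEY_BYTES:
        raise ValueError(f"key {key_id}: {len(key)} bytes is not an AES key size")
    return f"{key_id};{key.hex()}"


def parse_key_file(text: str) -> dict:
    """Parse key-file text into {key_id: key_bytes}; reject malformed or duplicate ids."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not of the form '<id>;<hex key>'")
        key_id, key = int(m.group(1)), bytes.fromhex(m.group(2))  # odd-length hex raises here
        if len(key) not in VALID_KEY_BYTES:
            raise ValueError(f"line {lineno}: key id {key_id} has {len(key)} bytes")
        if key_id in keys:
            raise ValueError(f"line {lineno}: duplicate key id {key_id}")
        keys[key_id] = key
    return keys


def generate_key_file(path: Path, key_ids=(1, 2), key_bytes: int = 32) -> Path:
    """Write fresh random keys; the file is created mode 0600 from the start."""
    lines = [make_key_line(i, os.urandom(key_bytes)) for i in key_ids]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    return path


def check_key_file(path: Path) -> dict:
    """Refuse a group/world-readable key file, then parse it."""
    mode = path.stat().st_mode & 0o777
    if mode & 0o077:
        raise PermissionError(f"{path} is readable by group/other (mode {mode:o})")
    return parse_key_file(path.read_text())


if __name__ == "__main__":
    out = generate_key_file(Path("keys.txt"))  # point file-key-management-filename at this file
    print(f"wrote {len(check_key_file(out))} keys to {out}")
```

Key id 1 is the one the `encryption_key_id=1` table option on the next slide refers to; rotating a key means adding a new id here and letting the background encryption threads re-encrypt, not editing an existing line in place.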
Encrypting one table

CREATE TABLE customer(
  CUSTOMER_ID BIGINT NOT NULL PRIMARY KEY,
  CUSTOMER_NAME VARCHAR(80),
  CUSTOMER_CREDITCARD VARCHAR(20))
ENGINE=InnoDB
encrypted=yes
encryption_key_id=1;
Performance Impact of Data Encryption

Chart: TPC-C like OLTP benchmark showing the impact of encryption

Chart: New Order transactions/second benchmark showing the impact of encryption
Deleted Data Encryption

• Scrubbing: background threads periodically scan tablespaces and logs and overwrite all data that should be deleted.
• More info: https://mariadb.com/kb/en/mariadb/xtradb-innodb-data-scrubbing/
MariaDB Security: User Roles
Role-Based Access Control

Diagram: MariaDB 10 role-based access to database tables. Roles: DBA, Developer, Sysadmin. Example role DBA with permissions: Update Schema, View Statistics, Create Database.
Roles

CREATE ROLE journalist;
GRANT SHOW DATABASES ON *.* TO journalist;
GRANT ALL ON db1.* TO journalist;
GRANT journalist TO user1;
SET DEFAULT ROLE journalist;

https://mariadb.com/kb/en/mariadb/roles-overview/
MariaDB Security: Password Validation Plugins
Password validation plugins

• Password validation plugin API
  https://mariadb.com/kb/en/password-validation/
• simple_password_check plugin
  • Can enforce a minimum password length and guarantee that a password contains at least a specified number of upper- and lowercase letters, digits, and punctuation characters
  • https://mariadb.com/kb/en/simple_password_check/
• cracklib_password_check plugin
  • A widely used library
  • Stops users from choosing easy-to-guess passwords. It includes checks that reject passwords based on the username or a dictionary word, etc.
  • https://mariadb.com/kb/en/cracklib_password_check/
Simple password validation

INSTALL PLUGIN simple_password_check SONAME 'simple_password_check.so';
SET PASSWORD = PASSWORD('pwd');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
SET PASSWORD = PASSWORD('AaBbCc$1');
Query OK, 0 rows affected (0.00 sec)
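The server only reports "does not satisfy the current policy requirements" without saying which rule failed. The following added example (my code, not from the slides or the plugin) mirrors the four checks simple_password_check applies so that a provisioning script or application can explain a rejection before hitting ERROR 1819. The thresholds are my understanding of the plugin's defaults (minimal length 8, at least one digit, one upper- and one lowercase letter, one other character); set them from your server's simple_password_check_* system variables if they differ.

```python
# Added example (not from the slides): local pre-check mirroring the rules of
# MariaDB's simple_password_check plugin. Defaults below are assumed to match
# the plugin's simple_password_check_* variables; adjust to your server.
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    minimal_length: int = 8        # simple_password_check_minimal_length
    digits: int = 1                # simple_password_check_digits
    letters_same_case: int = 1     # simple_password_check_letters_same_case
    other_characters: int = 1      # simple_password_check_other_characters


DEFAULT_POLICY = PasswordPolicy()


def policy_violations(password: str, policy: PasswordPolicy = DEFAULT_POLICY) -> list:
    """Return the rules the password breaks; an empty list means it would be accepted."""
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    digit = sum(c.isdigit() for c in password)
    other = sum(not c.isalnum() for c in password)   # punctuation and other non-alphanumerics
    failures = []
    if len(password) < policy.minimal_length:
        failures.append(f"length {len(password)} < {policy.minimal_length}")
    if digit < policy.digits:
        failures.append(f"digits {digit} < {policy.digits}")
    if upper < policy.letters_same_case:
        failures.append(f"uppercase {upper} < {policy.letters_same_case}")
    if lower < policy.letters_same_case:
        failures.append(f"lowercase {lower} < {policy.letters_same_case}")
    if other < policy.other_characters:
        failures.append(f"other characters {other} < {policy.other_characters}")
    return failures


def password_ok(password: str, policy: PasswordPolicy = DEFAULT_POLICY) -> bool:
    return not policy_violations(password, policy)


if __name__ == "__main__":
    for candidate in ("pwd", "AaBbCc$1"):   # the two passwords tried on the slide
        problems = policy_violations(candidate)
        print(candidate, "OK" if not problems else "rejected: " + "; ".join(problems))
```

Run against the slide's two inputs, 'pwd' fails on length, digits, uppercase and other characters, while 'AaBbCc$1' passes every rule. The check is a convenience for the caller only; the plugin on the server remains the enforcement point.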
MariaDB Security: Audit Plugin
Why is auditing needed?

• Monitoring system access
• Locating errors
• Discovering fraud
• Improvement of internal control
• Proving the fulfillment of security standards
• And more
What to Monitor

Diagram: audit event classes, each record carrying TIMESTAMP, HOST, USER (SESSION)
• CONNECTION: CONNECT, DISCONNECT, FAILED CONNECT
• QUERY: DDL, DML+TCL, DCL
• OBJECT: DATABASE, TABLES
MariaDB Audit Plugin

• Open Source
• Support available
• Auditing to
  • File (comma-delimited format)
  • Syslog
• Modified Plugin API in MariaDB
  • Audit Plugin compatible with MySQL Server
  • Allows monitoring of table-level events (MariaDB)
MariaDB Audit Plugin

• Load plugin via SQL command or my.cnf
  INSTALL PLUGIN server_audit SONAME 'server_audit.so';
  [mysqld]
  plugin-load=server_audit=server_audit.so
• Enable Auditing
  SET GLOBAL server_audit_logging = ON;
MariaDB Audit Plugin Log Example for CONNECT

20130810 00:05:30,SkySQLNode1,root,MariaDBMgr,2,0,CONNECT,db1,,0
20130810 00:05:53,SkySQLNode1,root,MariaDBMgr,2,0,DISCONNECT,,,0
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,FAILED_CONNECT,,,1045
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,DISCONNECT,,,0

Callouts: Serverhost (SkySQLNode1), User (root / unknownuser), Client-Host (MariaDBMgr), Session-ID (2 / 3), DB opened on connect (db1), Failed Connect with Error Code (1045)
Password "Filtering"

Starting with Version 1.2.0 passwords are replaced by a placeholder:

20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test4"@"localhost" IDENTIFIED BY PASSWORD *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = PASSWORD("mynewpwd")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (2,OLD_PASSWORD("mypwd2"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = OLD_PASSWORD("mynewpwd2")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'GRANT ALL ON *.* TO "test5"@"localhost" IDENTIFIED BY *****',0
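The comma-delimited records on the two audit slides are what a SIEM or a cron job will actually consume, so here is an added example (my code, not from the slides or the plugin) that parses that format and runs two checks a defender would want: counting FAILED_CONNECT records per user and client host, and flagging QUERY records in which a password literal still reached the log. The second check matters because, as the filtering slide shows, `IDENTIFIED BY` is masked with `*****` while the arguments of `PASSWORD()` and `OLD_PASSWORD()` in ordinary INSERT/UPDATE statements are logged verbatim. The column names are my assumption about the field order (timestamp, server host, user, client host, connection id, query id, operation, database, object, return code); the sample records are taken from the slides.

```python
# Added example (not from the slides or the audit plugin): parse server_audit
# file records and run two defender checks over them. Column names are an
# assumption about the field order; sample records are the ones on the slides.
import csv
import io
import re
from collections import Counter

FIELDS = ["timestamp", "serverhost", "user", "host", "connection_id",
          "query_id", "operation", "database", "object", "retcode"]

# Constructed sample: the CONNECT slide plus two of the password-filtering records.
SAMPLE_LOG = """\
20130810 00:05:30,SkySQLNode1,root,MariaDBMgr,2,0,CONNECT,db1,,0
20130810 00:05:53,SkySQLNode1,root,MariaDBMgr,2,0,DISCONNECT,,,0
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,FAILED_CONNECT,,,1045
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,DISCONNECT,,,0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0
"""

# A quoted literal where the ***** placeholder should be: PASSWORD('x'),
# OLD_PASSWORD("x"), or IDENTIFIED BY [PASSWORD] 'x'.
CLEARTEXT_SECRET = re.compile(
    r"(?:\b(?:OLD_)?PASSWORD\(\s*|\bIDENTIFIED\s+BY\s+(?:PASSWORD\s+)?)[\"']",
    re.IGNORECASE,
)


def parse_audit_log(text: str) -> list:
    """Parse records into dicts. Query text is single-quoted; embedded quotes are backslash-escaped."""
    reader = csv.reader(io.StringIO(text), quotechar="'", escapechar="\\", doublequote=False)
    records = []
    for row in reader:
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"unexpected field count {len(row)}: {row}")
        rec = dict(zip(FIELDS, row))
        rec["retcode"] = int(rec["retcode"])   # 0 on success, MySQL error code otherwise
        records.append(rec)
    return records


def failed_connects(records: list, threshold: int = 1) -> dict:
    """Count FAILED_CONNECT per (user, client host); keep pairs at or above threshold."""
    counts = Counter((r["user"], r["host"]) for r in records if r["operation"] == "FAILED_CONNECT")
    return {key: n for key, n in counts.items() if n >= threshold}


def unmasked_secrets(records: list) -> list:
    """QUERY records whose text still carries a password literal instead of the placeholder."""
    return [r for r in records
            if r["operation"] == "QUERY" and CLEARTEXT_SECRET.search(r["object"])]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for (user, host), n in failed_connects(recs).items():
        print(f"failed connects: {user} from {host} x{n}")
    for r in unmasked_secrets(recs):
        print(f"cleartext secret in audit log at {r['timestamp']}: {r['object']}")
```

On the sample the script reports one failed connect for unknownuser from MariaDBMgr (return code 1045) and one cleartext secret, the INSERT that calls PASSWORD("mypwd"). The practical consequence is that the audit file needs the same access controls as the data it describes, and that applications should not pass secrets through SQL functions if the statement text is being audited.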
MariaDB Security: Security Notifications
MariaDB Security Vulnerability Process

• Disclosure of a MariaDB Security Vulnerability
• Handling of MySQL Security Vulnerabilities
• MariaDB Security Listings
  • Full list of security fixes: https://mariadb.org/security
  • Security fixes in 10.0: https://mariadb.com/kb/en/mariadb/what-is-mariadb-100
  • Release notes also have a specific list for security fixes
• Informing customers about fixed security vulnerabilities
Questions?

mariadb.com

"MySQL is a registered trademark of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. MariaDB is not affiliated with MySQL."