mariadb security features: audit plugin, authentication and roles
Post on 23-Jul-2015
© MariaDB Corporation Ab
MariaDB Roadshow 2015
MariaDB Security
Anders Karlsson
MariaDB Security
• Authentication Plugins
• Encryption
• User Roles
• Password Validation Plugins
• Audit Plugin
• Security Notifications
Before we talk about Plugins
• After installing MariaDB run
shell> mysql_secure_installation
• You can
• set a password for root accounts.
• remove root accounts that are accessible from outside the local host.
• remove anonymous-user accounts.
• remove the test database, which by default can be accessed by anonymous users.
MariaDB Security
Authentication Plugins
PAM Authentication
• Authentication using /etc/shadow
• Authentication using LDAP, SSH pass phrases, password expiration, username mapping, logging every login attempt, etc…
• INSTALL PLUGIN pam SONAME 'auth_pam.so';
• CREATE USER foo@host IDENTIFIED via pam;
• REMEMBER to configure PAM (/etc/pam.d or /etc/pam.conf)
• https://mariadb.com/kb/en/pam-authentication-plugin/
Kerberos authentication plugin
Diagram (Client, KDC, MariaDB): 1. Ticket request, 2. Service ticket, 3. Here is my service ticket, authenticate me, 4. Client / Server session
• GSS-API on Linux
• Red Hat Directory Server
• OpenLDAP
• SSPI on Windows
• Active Directory
MariaDB Security
Encryption
Data Encryption
• Encrypts complete tablespaces
• Optional per table encryption possible with --innodb-file-per-table
• Can also encrypt
• InnoDB log files
• ARIA tables
• Temporary tables
• Independently contributed by Google and Eperi GmbH
Configure Key Management
• Load Key Management Plugin
• plugin-load-add=file_key_management
• Choose encryption algorithm, e.g. aes_cbc
• file-key-management-encryption-algorithm=aes_cbc
• Set location of key file
• file-key-management-filename=/mnt/dfs/keys.txt
• Create keys
Activate Encryption
• Specify what to encrypt
• innodb-encrypt-tables=ON (OFF/FORCE)
• aria-encrypt-tables
• encrypt-tmp-disk-tables
• innodb-encrypt-log
Without Table Level Encryption
28/05/2015 11
CREATE TABLE names (
id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
name VARCHAR(255) DEFAULT NULL);
INSERT INTO names VALUES(NULL, 'James Bond');
INSERT INTO names VALUES(NULL, 'Felix Leiter');
INSERT INTO names VALUES(NULL, 'Modesty Blaise');
$ sudo strings -n 10 data/test/names.ibd
James Bond
Felix Leiter
Modesty Blaise
With table encryption
SET GLOBAL innodb_encrypt_tables = ON;
CREATE TABLE secret_names (
id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
name VARCHAR(255) DEFAULT NULL);
INSERT INTO secret_names VALUES(NULL, 'James Bond');
INSERT INTO secret_names VALUES(NULL, 'Felix Leiter');
INSERT INTO secret_names VALUES(NULL, 'Modesty Blaise');
$ sudo strings -n 10 data/test/secret_names.ibd
B"u::XiXD=`
Skip encrypting a single table
CREATE TABLE open_names (
id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
name VARCHAR(255) DEFAULT NULL) encrypted=no;
INSERT INTO open_names VALUES(NULL, 'John Carpenter');
INSERT INTO open_names VALUES(NULL, 'Dave Clark');
INSERT INTO open_names VALUES(NULL, 'John Irving');
$ sudo strings -n 10 data/test/open_names.ibd
John Carpenter
Dave Clark
John Irving
Performance Impact of Data Encryption
Chart: TPC-C like OLTP benchmark showing the impact of encryption
Performance Impact of Data Encryption
Chart: New Order transactions/second benchmark showing the impact of encryption
Deleted Data Encryption
• Scrubbing
• Background threads periodically scan tablespaces and logs and overwrite all data that should be deleted.
• More info:
https://mariadb.com/kb/en/mariadb/xtradb-innodb-data-scrubbing/
MariaDB Security
User Roles
Role-Based Access Control
Diagram (MariaDB 10): a role such as DBA bundles permissions (Update Schema, View Statistics, Create Database) on databases and tables; users are assigned roles such as DBA, Developer or Sysadmin.
Roles
CREATE ROLE journalist;
GRANT SHOW DATABASES ON *.* TO journalist;
GRANT ALL ON db1.* TO journalist;
GRANT journalist TO user1;
SET DEFAULT ROLE journalist;
https://mariadb.com/kb/en/mariadb/roles-overview/
MariaDB Security
Password Validation Plugins
Password validation plugins
• Password validation plugin API
• https://mariadb.com/kb/en/password-validation/
• simple_password_check plugin
• Can enforce a minimum password length and guarantee that a password contains at least a specified number of upper and lowercase letters, digits, and punctuation characters
• https://mariadb.com/kb/en/simple_password_check/
• cracklib_password_check plugin
• A widely used library
• Stops users from choosing easy-to-guess passwords; includes checks that reject passwords based on the username or a dictionary word, etc.
• https://mariadb.com/kb/en/cracklib_password_check/
Simple password validation
INSTALL PLUGIN simple_password_check
SONAME 'simple_password_check.so';
SET PASSWORD = PASSWORD('pwd');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
SET PASSWORD = PASSWORD('AaBbCc$1');
Query OK, 0 rows affected (0.00 sec)
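To show why 'pwd' is rejected and 'AaBbCc$1' accepted, here is an added Python re-implementation of the simple_password_check policy (not the plugin's own code); the thresholds assume the plugin's four system variables at their documented defaults, so adjust them to your server's settings.

```python
# Assumed defaults of the four simple_password_check system variables
POLICY = {
    "simple_password_check_minimal_length": 8,
    "simple_password_check_digits": 1,
    "simple_password_check_letters_same_case": 1,
    "simple_password_check_other_characters": 1,
}

def check_password(pwd, policy=POLICY):
    """Return the policy rules the password violates (empty list = accepted)."""
    digits = sum(c.isdigit() for c in pwd)
    upper = sum(c.isupper() for c in pwd)
    lower = sum(c.islower() for c in pwd)
    other = sum(not c.isalnum() for c in pwd)   # punctuation and similar
    # letters_same_case is a minimum for upper-case AND lower-case letters
    same_case = min(upper, lower)
    failures = []
    if len(pwd) < policy["simple_password_check_minimal_length"]:
        failures.append("minimal_length")
    if digits < policy["simple_password_check_digits"]:
        failures.append("digits")
    if same_case < policy["simple_password_check_letters_same_case"]:
        failures.append("letters_same_case")
    if other < policy["simple_password_check_other_characters"]:
        failures.append("other_characters")
    return failures

if __name__ == "__main__":
    for candidate in ("pwd", "Password1", "AaBbCc$1"):
        print(candidate, "->", check_password(candidate) or "accepted")
```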
MariaDB Security
Audit Plugin
Why is auditing needed?
• Monitoring System Access
• Locating Errors
• Discovering Frauds
• Improvement of Internal Control
• Proving the fulfillment of security standards
• And more
What to Monitor
CONNECTION: CONNECT, DISCONNECT, FAILED CONNECT
QUERY: DDL, DML+TCL, DCL
OBJECT: DATABASE, TABLES
Recorded with each event: TIMESTAMP, HOST, USER, (SESSION)
MariaDB Audit Plugin
• Open Source
• Support available
• Auditing to
• File (comma delimited format)
• Syslog
• Modified Plugin API in MariaDB
• Audit Plugin compatible with MySQL Server
• Allows monitoring of table level events (MariaDB)
MariaDB Audit Plugin
• Load plugin via SQL command
INSTALL PLUGIN server_audit SONAME 'server_audit.so';
• or via my.cnf
[mysqld]
plugin-load=server_audit=server_audit.so
• Enable Auditing (server_audit_logging is a global variable)
SET GLOBAL server_audit_logging = ON;
MariaDB Audit Plugin Log Example for CONNECT
20130810 00:05:30,SkySQLNode1,root,MariaDBMgr,2,0,CONNECT,db1,,0
20130810 00:05:53,SkySQLNode1,root,MariaDBMgr,2,0,DISCONNECT,,,0
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,FAILED_CONNECT,,,1045
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,DISCONNECT,,,0
Field annotations: column 2 = Serverhost, column 3 = User, column 4 = Client-Host, column 5 = Session-ID, column 8 = DB opened on connect, last column = error code (1045 on the Failed Connect)
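An added Python example (not part of the slides) that parses the comma-delimited file log above using the plugin's documented column order and counts FAILED_CONNECT records per user and client host; the sample log is constructed from the slide's four lines plus three added records, and the alert threshold is an assumption.

```python
from collections import Counter

# Column order of a server_audit file log (the plugin's documented layout)
FIELDS = ["timestamp", "serverhost", "username", "host", "connectionid",
          "queryid", "operation", "database", "object", "retcode"]

# Constructed sample: the four lines from the slide plus three added lines
# (one QUERY record and two more failed logins) to exercise the checks.
SAMPLE_LOG = """\
20130810 00:05:30,SkySQLNode1,root,MariaDBMgr,2,0,CONNECT,db1,,0
20130810 00:05:40,SkySQLNode1,root,MariaDBMgr,2,7,QUERY,db1,'SELECT id, name FROM names',0
20130810 00:05:53,SkySQLNode1,root,MariaDBMgr,2,0,DISCONNECT,,,0
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,FAILED_CONNECT,,,1045
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,DISCONNECT,,,0
20130810 00:06:31,SkySQLNode1,unknownuser,MariaDBMgr,4,0,FAILED_CONNECT,,,1045
20130810 00:06:34,SkySQLNode1,root,MariaDBMgr,5,0,FAILED_CONNECT,,,1045
"""

def parse_line(line):
    """Split one record into a dict, or return None for blank/truncated lines."""
    parts = line.rstrip("\n").split(",")
    if len(parts) < len(FIELDS):
        return None
    # Only the object column (the quoted statement of a QUERY record) may itself
    # contain commas, so rejoin everything between column 8 and the retcode.
    fixed = parts[:8] + [",".join(parts[8:-1]), parts[-1]]
    return dict(zip(FIELDS, fixed))

def parse_audit_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def failed_connects(records):
    """Count FAILED_CONNECT records per (user, client host, error code)."""
    return Counter((r["username"], r["host"], r["retcode"])
                   for r in records if r["operation"] == "FAILED_CONNECT")

def noisy_hosts(counts, threshold=2):
    """Client hosts with at least `threshold` failed connects, any user (assumed threshold)."""
    per_host = Counter()
    for (_, host, _), n in counts.items():
        per_host[host] += n
    return sorted(h for h, n in per_host.items() if n >= threshold)

if __name__ == "__main__":
    counts = failed_connects(parse_audit_log(SAMPLE_LOG))
    for (user, host, code), n in sorted(counts.items()):
        print(f"{user}@{host}: {n} failed connect(s), error {code}")
    print("hosts over threshold:", noisy_hosts(counts))
```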
MariaDB Security
Security Notifications
MariaDB Security Vulnerability Process
• Disclosure of a MariaDB Security Vulnerability
• Handling of MySQL Security Vulnerabilities
• MariaDB Security Listings
• Full list of security fixes https://mariadb.org/security
• Security fixes in 10.0: https://mariadb.com/kb/en/mariadb/what-is-mariadb-100
• Release notes also have a specific list for security fixes
• Informing customers about fixed security vulnerabilities
The question is not “What is the answer?”, the question is “What is the question?”.
Henri Poincaré
Questions? Answers!