MariaDB Security: 5 Do's and Don'ts
-
7/26/2019 MariaDB Security- 5 Do's and Don'Ts
-
MariaDB Security: 5 Do's and Don'ts
17th March 2016
-
Let's Get Started - Some Housekeeping
1. We will review the questions as they come in and answer them during the Q&A. You can post in chat.
2. This session is being recorded.
3. Running time is approximately 30 minutes.
4. Copies of the slides will be sent out after the webinar ends.
5. Don't forget to share on your social networks and to follow us on Twitter, Facebook and LinkedIn to learn about upcoming webinars.
-
Welcome
We will send you the slides and a link to the recorded webinar.
Please share this with your social network!
Kolbe, MariaDB Enterprise
-
5 Best Practices to Protect Your Data
1. Use a gateway/proxy such as MariaDB MaxScale to protect against attacks.
2. Enable the MariaDB Audit Plugin.
3. Manage MariaDB user accounts carefully.
4. Regularly update MariaDB and other critical packages.
5. Encrypt sensitive data: in the application, in transit, at rest.
-
1. Use MariaDB MaxScale
MariaDB MaxScale is an intelligent database gateway. It provides security, reliability, scalability, and performance benefits.
MaxScale's database firewall filter can restrict the operations clients are allowed to perform.
MaxScale's connection pooling capabilities can protect against DDoS attacks.
Learn more about MariaDB MaxScale at https://mariadb.com/products/mariadb-maxscale
Database firewall filter: https://mariadb.com/kb/en/mariadb-enterprise/mariadb-maxscale/maxscale-database-firewall-filter/
-
2. Enable the MariaDB Audit Plugin
Robust logging is critical for ensuring regulatory compliance.
The Audit Plugin logs connections, query executions, and tables accessed.
Logs created by the Audit Plugin can be used for forensic analysis after an incident.
The Audit Plugin can log either to a file or to syslog.
Learn more about the MariaDB Audit Plugin at https://mariadb.com/kb/en/mariadb/about-the-mariadb-audit-plugin/
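As an added example (not from the deck or from the plugin itself), a small reader for the Audit Plugin's file log that does two things an incident responder would want first: count failed connections per account and flag use of the root account from a non-local host. The comma-separated line layout is assumed from the plugin's file-log format, and the log lines are constructed.

```python
"""Summarise MariaDB Audit Plugin file-log lines for incident review (added example, not the plugin's tooling).

Assumed file-log layout: timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample log: one normal application session, then repeated failed root logins from one host.
SAMPLE_LOG = """\
20160317 09:00:01,db1,shop_app,10.0.1.20,11,0,CONNECT,shop,,0
20160317 09:00:02,db1,shop_app,10.0.1.20,11,3,QUERY,shop,'SELECT id FROM orders WHERE id=42',0
20160317 09:00:02,db1,shop_app,10.0.1.20,11,3,READ,shop,orders,0
20160317 09:00:05,db1,shop_app,10.0.1.20,11,0,DISCONNECT,shop,,0
20160317 09:01:10,db1,root,10.0.9.9,12,0,FAILED_CONNECT,,,1045
20160317 09:01:11,db1,root,10.0.9.9,13,0,FAILED_CONNECT,,,1045
20160317 09:01:12,db1,root,10.0.9.9,14,0,FAILED_CONNECT,,,1045
"""

FIELDS = ["timestamp", "serverhost", "user", "host", "connection_id",
          "query_id", "operation", "database", "object", "retcode"]


def parse_audit_log(text):
    """Parse file-log lines into dicts; the query text is single-quoted and may contain commas."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text), quotechar="'") if row]


def failed_connects(events, threshold=3):
    """Return {(user, host): count} for accounts with at least `threshold` FAILED_CONNECT events."""
    counts = Counter((e["user"], e["host"]) for e in events if e["operation"] == "FAILED_CONNECT")
    return {key: n for key, n in counts.items() if n >= threshold}


def remote_root(events):
    """Return events where the root account was used from a non-local host (the deck's rule)."""
    return [e for e in events if e["user"] == "root" and e["host"] not in ("localhost", "127.0.0.1", "::1")]
```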
-
3. Manage MariaDB user accounts carefully
Allow root access to MariaDB only from local clients; no administrative access over the network.
Use the unix_socket authentication plugin so that only the OS root user can connect as the MariaDB root user.
Use strong passwords.
Enable the cracklib_password_check plugin.
Use a separate MariaDB user account for each of your applications.
Allow access from a minimal set of IP addresses.
https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/
https://mariadb.com/kb/en/mariadb/cracklib_password_check/
-
4. Update MariaDB and other packages
Stay on top of the most recent security fixes by keeping your MariaDB packages updated.
Apply security updates distributed by your OS vendor, as highlighted by recent problems in glibc and openssl.
http://www.kb.cert.org/vuls/id/583776
http://www.kb.cert.org/vuls/id/457759
-
5. Encrypt sensitive data
Encrypt some data in the application: non-key data, credit card numbers.
Encrypt data in transit using SSL: from clients to MaxScale, from clients to MariaDB, between MariaDB replication nodes.
Encrypt data at rest using advanced tablespace encryption functionality: MariaDB 10.1 InnoDB tablespace encryption, InnoDB redo log encryption, binary log encryption.
Learn more about MariaDB Data-at-Rest encryption at https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/
-
5 Common Mistakes that Endanger Your Data
1. Do not expose MariaDB to the Internet.
2. Do not use MariaDB packages distributed by your OS.
3. Do not grant unnecessary MariaDB privileges.
4. Do not run your application or other extra services on the same host as MariaDB.
5. Do not allow unnecessary access to MariaDB data or backups, or other parts of the filesystem.
-
1. Do not expose MariaDB to the Internet
Do not allow TCP connections to MariaDB from the Internet at large.
Configure MariaDB to listen on a network interface that is only accessible from the host where your application runs:
Design your physical network to connect the app to MariaDB.
Use bind-address to bind to a specific network interface.
Use your OS's firewall.
-
2. Do not use MariaDB packages from your OS
Linux vendors often distribute outdated versions of MariaDB which lack the most up-to-date security fixes and features: MariaDB 10.0 in Debian 8 (Jessie), MariaDB 5.5 in RHEL 7.
Instead, use MariaDB Enterprise packages:
Updated with the most-recent security fixes and features.
Critical security features enabled by default.
-
3. Do not grant excessive MariaDB privileges
Do not use the MariaDB root user for application access.
Grant only the privileges required by your application.
Minimize the privileges granted to the MariaDB user accounts used by your applications:
Don't grant CREATE or DROP privileges.
Don't grant the FILE privilege.
Don't grant the SUPER privilege.
Don't grant access to the mysql database.
https://mariadb.com/kb/en/mariadb/grant/
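The privilege rules on this slide and the account rules from "Manage MariaDB user accounts carefully" (root only from local clients, a minimal set of client addresses) can be checked mechanically against SHOW GRANTS output. The linter below is an added example, not MariaDB's own tooling; the GRANT lines it scans are constructed.

```python
"""Least-privilege linter for SHOW GRANTS output (added example, not MariaDB's own tooling)."""
import re

# Privileges the deck says application accounts should not hold.
DANGEROUS_PRIVS = {"ALL PRIVILEGES", "SUPER", "FILE", "CREATE", "DROP"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# GRANT <privs> ON <scope> TO 'user'@'host' [IDENTIFIED BY ...] [WITH GRANT OPTION]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)

# Constructed sample: one SHOW GRANTS line per account, as a DBA might dump them.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD '*HASH'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'shop_app'@'10.0.1.20'",
    "GRANT SELECT, FILE, SUPER ON *.* TO 'reports'@'%'",
    "GRANT SELECT, CREATE, DROP ON `shop`.* TO 'migrator'@'10.0.1.21'",
]


def lint_grant(statement):
    """Return the findings for one GRANT statement; an empty list means it passes."""
    m = GRANT_RE.match(statement.strip())
    if not m:
        return [f"unparsed statement: {statement.strip()}"]
    user, host, scope = m.group("user"), m.group("host"), m.group("scope")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    who = f"{user}@{host}"
    if user == "root":
        # root keeps its privileges, but only local clients may use the account.
        return [] if host in LOCAL_HOSTS else [f"{who}: root must only connect from local clients"]
    findings = []
    if host == "%":
        findings.append(f"{who}: reachable from any host; allow a minimal set of IP addresses")
    for priv in sorted(privs & DANGEROUS_PRIVS):
        findings.append(f"{who}: holds {priv}, which an application account should not have")
    db = scope.split(".")[0].strip("`")
    if db in ("*", "mysql") and privs - {"USAGE"}:
        findings.append(f"{who}: scope {scope} reaches the mysql database")
    return findings


def lint_all(statements):
    """Map every statement that has findings to its list of findings."""
    results = {s: lint_grant(s) for s in statements}
    return {s: f for s, f in results.items() if f}
```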
-
4. Do not run your app on your MariaDB server
Do not run your application on your MariaDB Server.
Do not install unnecessary packages on your MariaDB Server.
An overloaded application can use so much memory that MariaDB could slow or even be killed by the OS. This is an effective DDoS attack vector.
A compromised application or service can have many serious effects: discovery of MariaDB credentials, direct access to data, privilege escalation.
5. Do not allow access to data or backups
Use OS permissions to restrict access to MariaDB data and backups.
Do not allow unnecessary users SSH access to your MariaDB server.
Do not give unnecessary users sudo privileges on your MariaDB server.
Set the secure_file_priv option to ensure that users with the FILE privilege cannot write or read MariaDB data or important system files.
https://mariadb.com/kb/en/mariadb/server-system-variables/#secure_file_priv
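Several of the deck's points are server options in my.cnf: bind-address ("Do not expose MariaDB to the Internet"), secure_file_priv (this slide), and the SSL and data-at-rest settings ("Encrypt sensitive data"). The checker below is an added example, not MariaDB tooling: it reads a [mysqld] section and reports which of those points are not satisfied. The option names are MariaDB 10.1 server options; the two config samples and their paths are constructed.

```python
"""Check a my.cnf [mysqld] section against the deck's hardening points (added example, not MariaDB tooling)."""
import configparser  # my.cnf is close enough to INI for this check

# Constructed sample: an out-of-the-box style config with the weak settings the deck warns about.
WEAK_CNF = """
[mysqld]
bind-address = 0.0.0.0
datadir = /var/lib/mysql
"""
# Constructed sample with the deck's recommendations applied (paths are placeholders).
HARDENED_CNF = """
[mysqld]
bind-address = 10.0.1.10
secure-file-priv = /var/lib/mysql-files
ssl-ca = /etc/mysql/ca.pem
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem
plugin-load-add = file_key_management
innodb-encrypt-tables = ON
innodb-encrypt-log = ON
encrypt-binlog = ON
"""
# Tablespace, redo log and binary log encryption switches named on the "Encrypt sensitive data" slide.
AT_REST_VARS = ("innodb_encrypt_tables", "innodb_encrypt_log", "encrypt_binlog")


def parse_mysqld(text):
    """Return [mysqld] options as a dict; '-' and '_' are interchangeable in mysqld option names."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    if "mysqld" not in cp:
        return {}
    return {k.replace("-", "_"): (v or "").strip() for k, v in cp["mysqld"].items()}


def check_mysqld(opts):
    """Return one finding per hardening point that the options do not satisfy."""
    findings = []
    bind = opts.get("bind_address", "")
    if "skip_networking" not in opts and bind in ("", "0.0.0.0", "::", "*"):
        findings.append("bind-address: listening on every interface; bind to the app-facing one or set skip-networking")
    if not opts.get("secure_file_priv"):
        findings.append("secure-file-priv: empty, so FILE-privileged accounts may read and write any path the server can")
    if not (opts.get("ssl_cert") and opts.get("ssl_key")):
        findings.append("ssl-cert/ssl-key: not set, so clients cannot encrypt traffic to the server")
    for var in AT_REST_VARS:
        if opts.get(var, "OFF").upper() not in ("ON", "1"):
            findings.append(f"{var.replace('_', '-')}: not enabled, data at rest stays unencrypted")
    return findings
```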
-
Summary: 5 Do's and Don'ts
Do:
1. Use MariaDB MaxScale.
2. Use the MariaDB Audit Plugin.
3. Carefully manage MariaDB user accounts.
4. Update MariaDB and other packages.
5. Encrypt important data.
Don't:
1. Do not expose MariaDB to the Internet.
2. Do not use your OS's MariaDB packages.
3. Do not use the MariaDB root user for your application.
4. Do not run extra services or applications on your MariaDB server.
5. Do not allow access to MariaDB data or backups.
-
Coming Soon in MariaDB Enterprise
More secure by default:
root user uses unix_socket authentication by default
cracklib password validation plugin enabled by default
No more anonymous users
No more test database
Encryption:
Amazon Web Services (AWS) Key Management Service (KMS) plugin
eperi gateway plugin
Improved SSL support in MariaDB MaxScale
-
New Service: MariaDB Security Audit
Evaluate and address database security policies, technologies, and practices:
Review of your database security needs and requirements
Access control assessment
Automated attack protection review
Encryption tools and practices
Forensic capabilities review
Ongoing compliance and security planning
Fully leverage MariaDB's security capabilities.
Reduce legal, financial, and brand reputation risk.
-
Q&A
We will send you the slides and a link to this recorded webinar.
Don't forget to share it on your social networks!
-
Thank You
Kolbe Kegel, MariaDB Enterprise Technical [email protected]