mysql's new secure by default install -- all things open october 20th 2015


Upload: dave-stokes

Post on 13-Apr-2017


TRANSCRIPT

Page 1: MySQL's new Secure by Default Install -- All Things Open October 20th 2015

Copyright © 2013, Oracle and/or its affiliates. All rights reserved.

MySQL's New Secure by Default Installation

Dave Stokes, MySQL Community Manager

[email protected] | @stoker | Slideshare.net/davidmstokes

Page 2:

Safe Harbor

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Page 3:

MySQL

● Most popular database on the web

● Ubiquitous: 16+ million instances

● Feeds 80% of Hadoop installs

● 20 years old

Page 4:

But what have you done for us lately??

Page 5:

http://www.thecompletelistoffeatures.com/

Page 6:

MySQL 5.7 Highlights

● Native JSON data type

● GIS Spatial Extensions

● Multi-source Replication

● Query Rewrite Plugin

● Optimizer Cost Model

● InnoDB full-text search for Chinese, Japanese, Korean

● Replication Enhanced

● sys Schema

● InnoDB transparent page-level compression

● Native Partitioning

● Secure by default Installation

Page 7:

MySQL 5.7 Security http://www.thecompletelistoffeatures.com/

● Username size increased to 32 characters

● Support for IF [NOT] EXISTS clause in CREATE/DROP USER

● Server option to require secure transport

● Support for multiple AES Encryption modes

● Support to LOCK/UNLOCK user accounts

● Support for password expiration policy

● Password strength enforcement

● test database no longer created on installation

● Anonymous users no longer created on installation

● MySQL Firewall (* commercial; feature also backported)

● Random password generated by default on installation

● New ALTER USER command

● SET password='' now accepts a password instead of hash

● Server now generates SSL keys by default

● Insecure old_password hash removed

● Ability to create utility users for stored programs that cannot log in

● mysql.user.password field renamed as authentication_string to better describe its current usage.

Page 8:

Yes, these changes will impact you!

Page 9:

Benchmarks

http://www.mysql.com/why-mysql/benchmarks/

Page 10:

More Benchmarks

Page 11:

Username size increased to 32 characters

● Used to be 16

● Long requested change

Page 12:

Support for IF [NOT] EXISTS clause in CREATE/DROP USER

● An error occurs if you try to create an account that already exists.

● As of MySQL 5.7.8, the IF NOT EXISTS clause can be used, which causes the statement to produce a warning for each named account that already exists, rather than an error.
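An added example (not from the slides) of why the clause matters for provisioning scripts: with IF [NOT] EXISTS the same script can be re-run safely, and a pre-existing account surfaces as a warning you can inspect rather than an error that aborts the run. The account name, host pattern, database and password below are constructed placeholders.

```sql
-- Added example: idempotent account provisioning on MySQL 5.7.8+.
-- 'app_ro'@'10.0.0.%', appdb and the password are constructed placeholders.
CREATE USER IF NOT EXISTS 'app_ro'@'10.0.0.%' IDENTIFIED BY 'Ch4nge-Me!';

-- Second run of the same statement: no error, one warning per existing
-- account. SHOW WARNINGS shows which accounts were skipped.
CREATE USER IF NOT EXISTS 'app_ro'@'10.0.0.%' IDENTIFIED BY 'Ch4nge-Me!';
SHOW WARNINGS;

-- Grants are kept separate from account creation; re-running them is safe.
GRANT SELECT ON appdb.* TO 'app_ro'@'10.0.0.%';

-- Tear-down that does not fail when the account is already gone.
DROP USER IF EXISTS 'app_ro'@'10.0.0.%';
DROP USER IF EXISTS 'app_ro'@'10.0.0.%';
SHOW WARNINGS;
```

Use ALTER USER when the intent is to change an account that already exists; CREATE USER IF NOT EXISTS is for guaranteeing presence, not for resetting credentials.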

Page 13:

Server option to require secure transport

A new system variable, require_secure_transport, enables administrators to require all client connections to the server to be made using some form of secure transport. Qualifying connections are those that use SSL, a socket file (on Unix), or shared memory (on Windows). When this variable is enabled, the server rejects nonsecure connection attempts, which fail with an ER_SECURE_TRANSPORT_REQUIRED error.

Page 14:

Server now generates SSL keys by default

● As of MySQL 5.7.5, the server-side --ssl option value is enabled by default. Also as of MySQL 5.7.5, MySQL servers compiled using OpenSSL can generate missing SSL files automatically at startup. See Section 6.3.13.1, “Creating SSL and RSA Certificates and Keys using MySQL”.

● SSL file autodiscovery is enabled as of MySQL 5.7.5 (for servers compiled using OpenSSL) or 5.7.6 (for servers compiled using yaSSL). If --ssl is enabled and other SSL options are not given to configure SSL explicitly, the server attempts to enable SSL automatically at startup:

● If the server discovers valid SSL files named ca.pem, server-cert.pem, and server-key.pem in the data directory, it enables SSL to permit SSL connections by clients. (These files need not have been autogenerated; what matters is that they have the indicated names and are valid.)

● If the server does not find valid SSL files in the data directory, it continues executing but does not enable SSL.

● If the server automatically enables SSL, it writes a message to the error log. As of MySQL 5.7.6, if the server discovers that the CA certificate is self-signed, it writes a warning to the error log. (The certificate will be self-signed if created automatically by the server or manually using mysql_ssl_rsa_setup.)
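The two slides above (require_secure_transport and SSL autodiscovery) fit together as one check-then-enforce sequence. The following is an added example, not from the slides: it confirms that autodiscovery actually enabled SSL and that the current session is encrypted before turning enforcement on, because enabling require_secure_transport from a plaintext TCP session locks that session's own reconnects out. The account name is a constructed placeholder.

```sql
-- Added example: verify SSL is in place, then enforce it.
-- 'app_ro'@'10.0.0.%' is a constructed account name.

-- 1. Did autodiscovery pick up ca.pem, server-cert.pem and server-key.pem?
--    have_ssl reads YES once SSL is enabled; ssl_ca / ssl_cert / ssl_key
--    show which files the server is using.
SHOW GLOBAL VARIABLES LIKE 'have_ssl';
SHOW GLOBAL VARIABLES LIKE 'ssl_%';

-- 2. Is *this* session encrypted? Ssl_cipher is empty on a plaintext TCP
--    connection, and such a connection would be refused after step 4.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- 3. Per-account rule (available before 5.7 as well): this account may only
--    log in over TLS. The server records it in mysql.user.ssl_type.
ALTER USER 'app_ro'@'10.0.0.%' REQUIRE SSL;
SELECT user, host, ssl_type FROM mysql.user WHERE ssl_type <> '';

-- 4. Server-wide rule, new in 5.7: every TCP client must use TLS; the Unix
--    socket file and Windows shared memory still count as secure transport.
--    Plaintext TCP attempts now fail with ER_SECURE_TRANSPORT_REQUIRED.
SET GLOBAL require_secure_transport = ON;
-- SET GLOBAL does not survive a restart in 5.7, so also add
-- require_secure_transport=ON under [mysqld] in my.cnf.

-- 5. Afterwards this counter keeps rising for TLS handshakes while any
--    client still configured for plaintext simply stops connecting.
SHOW GLOBAL STATUS LIKE 'Ssl_accepts';
```

Step 3 is the fallback for a mixed fleet: it lets you require TLS for the accounts that are reachable over the network while keeping local socket-only tooling untouched, and it works on servers where the global switch is not yet available.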

Page 15:

Support to LOCK/UNLOCK user accounts

● As of version 5.7.6, MySQL supports locking and unlocking user accounts using the ACCOUNT LOCK and ACCOUNT UNLOCK clauses for the CREATE USER and ALTER USER statements:

● When used with CREATE USER, these clauses specify the initial locking state for a new account. In the absence of either clause, the account is created in an unlocked state.

● When used with ALTER USER, these clauses specify the new locking state for an existing account. In the absence of either clause, the account locking state remains unchanged.

● Account locking state is recorded in the account_locked column of the mysql.user table. The output from SHOW CREATE USER indicates whether an account is locked or unlocked.

Page 16:

Support for password expiration policy

● ALTER USER 'script'@'localhost' PASSWORD EXPIRE NEVER;

● ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE;

● [mysqld]
default_password_lifetime=180

● A client session operates in restricted mode if the account password was expired manually or if the password is considered past its lifetime per the automatic expiration policy. In restricted mode, operations performed within the session result in an error until the user establishes a new account password:

● ALTER USER USER() IDENTIFIED BY 'new_password';
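The account-locking slide and the password-expiration slide describe one account lifecycle, so here is a single added example (not from the slides) that covers both: a service account that is created locked and exempt from expiry, a human account with its own expiry interval and a forced change on first login, and the mysql.user columns that record the resulting state. Account names and passwords are constructed placeholders.

```sql
-- Added example: lock/unlock and expiry policy on MySQL 5.7.6+.
-- Account names and passwords are constructed placeholders.

-- Service account: a batch job cannot answer a "change your password"
-- prompt, so its password never expires. It is created locked and
-- unlocked only when the deployment that uses it goes live.
CREATE USER 'batch_etl'@'10.0.0.%'
  IDENTIFIED BY 'L0ng-Random-Secret!'
  PASSWORD EXPIRE NEVER
  ACCOUNT LOCK;

-- Human account: its own 90-day interval overrides the global default,
-- and the initial password is expired immediately so the first session
-- must replace it.
CREATE USER 'jeffrey'@'localhost'
  IDENTIFIED BY 'Init1al-Pass!'
  PASSWORD EXPIRE INTERVAL 90 DAY;
ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE;

-- Global policy from the slide, applied without a restart (keep
-- default_password_lifetime=180 under [mysqld] as well so it persists).
SET GLOBAL default_password_lifetime = 180;

-- What the server recorded: account_locked, password_expired and
-- password_lifetime live in mysql.user; SHOW CREATE USER renders them.
SELECT user, host, account_locked, password_expired,
       password_lifetime, password_last_changed
FROM mysql.user
WHERE user IN ('batch_etl', 'jeffrey');
SHOW CREATE USER 'batch_etl'@'10.0.0.%';

-- Go-live: unlock. During incident response, lock again instead of
-- dropping the account, which would discard its grants.
ALTER USER 'batch_etl'@'10.0.0.%' ACCOUNT UNLOCK;
ALTER USER 'batch_etl'@'10.0.0.%' ACCOUNT LOCK;

-- In jeffrey's own first session the only statement that succeeds is
-- the password change; anything else returns ER_MUST_CHANGE_PASSWORD:
--   ALTER USER USER() IDENTIFIED BY 'My-New-Passw0rd!';
```

A locked account fails authentication outright, which is different from an expired one: the expired account can still connect and is merely confined to changing its password, so locking is the right tool for suspending access and expiry is the right tool for rotating credentials.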

Page 17:

Password strength enforcement

● The validate_password plugin can be used to test passwords and improve security.

● The three levels of password checking are LOW, MEDIUM, and STRONG. The default is MEDIUM; to change this, modify the value of validate_password_policy. The policies implement increasingly strict password tests. The following descriptions refer to default parameter values; these can be modified by changing the appropriate system variables.

● LOW policy tests password length only. Passwords must be at least 8 characters long.

● MEDIUM policy adds the conditions that passwords must contain at least 1 numeric character, 1 lowercase character, 1 uppercase character, and 1 special (nonalphanumeric) character.

● STRONG policy adds the condition that password substrings of length 4 or longer must not match words in the dictionary file, if one has been specified.

● If the validate_password plugin is not installed, the validate_password_xxx system variables are not available, passwords in statements are not checked, and VALIDATE_PASSWORD_STRENGTH() always returns 0.
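An added example (not from the slides) of putting the plugin to work: install it, score candidate passwords against the active policy, raise the policy to STRONG with a dictionary, and see the check applied to ALTER USER. The dictionary path and the account name are constructed placeholders; the shared-library name is validate_password.so on Linux (validate_password.dll on Windows).

```sql
-- Added example: enable and tune validate_password on MySQL 5.7.
-- Dictionary path and account name are constructed placeholders.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';

-- Current policy and its knobs (length, mixed-case, number and
-- special-character counts, dictionary file).
SHOW GLOBAL VARIABLES LIKE 'validate_password%';

-- Score candidates under the active policy before handing them out.
-- This is a cheap pre-check to run from provisioning tooling.
SELECT VALIDATE_PASSWORD_STRENGTH('abc')               AS too_short,
       VALIDATE_PASSWORD_STRENGTH('password')          AS length_only,
       VALIDATE_PASSWORD_STRENGTH('Passw0rd!')         AS meets_medium,
       VALIDATE_PASSWORD_STRENGTH('Tr0ub4dor&3Horse!') AS longer;

-- Raise the bar: STRONG policy, a word list rejected as substrings, and a
-- longer minimum. Mirror these under [mysqld] so they survive restarts
-- (older 5.7 releases only read the dictionary file at startup).
SET GLOBAL validate_password_policy = 'STRONG';
SET GLOBAL validate_password_dictionary_file = '/etc/mysql/forbidden-words.txt';
SET GLOBAL validate_password_length = 12;

-- The check now guards CREATE USER, ALTER USER and SET PASSWORD. Run these
-- interactively: the first one is expected to fail with
-- ER_NOT_VALID_PASSWORD, the second to succeed.
ALTER USER 'jeffrey'@'localhost' IDENTIFIED BY 'password';
ALTER USER 'jeffrey'@'localhost' IDENTIFIED BY 'C0rrect-Horse-Battery!';
```

VALIDATE_PASSWORD_STRENGTH() returns a score from 0 to 100 in steps of 25 (0 below 4 characters, 25 below the configured length, 50 when the MEDIUM conditions fail, 75 when only the dictionary test fails, 100 when the STRONG policy passes), so a provisioning script can insist on 100 regardless of which policy the server currently enforces. The dictionary file is one word per line; matches are case-insensitive.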

Page 18:

No test database or anonymous users created

● No test database: one less foothold for someone probing your instance

● No accounts with an empty user name and no password.

Page 19:

Random Root Password Generated by Default on Installation

● mysql_install_db is deprecated as of MySQL 5.7.6 because its functionality has been integrated into mysqld, the MySQL server. To initialize a MySQL installation, invoke mysqld with the --initialize or --initialize-insecure option. See https://dev.mysql.com/doc/refman/5.7/en/data-directory-initialization-mysqld.html

● With --initialize the server generates a random password, marks it as expired, and writes a message displaying the password:

[Warning] A temporary password is generated for root@localhost:iTag*AfrH5ej

● With --initialize-insecure the server does not generate a password or mark it expired, and writes a warning message:

[Warning] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.

Page 20:

New ALTER USER command

ALTER USER 'jeffrey'@'localhost' IDENTIFIED BY 'new-password', 'jeanne'@'localhost' REQUIRE SSL WITH MAX_USER_CONNECTIONS 2;

Page 21:

mysql.user.password field renamed as authentication_string to better describe its current usage

● More than just a password!

● LDAP data

● CREATE USER 'sha256user'@'localhost' IDENTIFIED WITH sha256_password BY 'Sh@256Pa33';

● [mysqld]
default_authentication_plugin=sha256_password

● New accounts will use SHA256
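An added example (not from the slides) that shows what the renamed column and the plugin column hold, creates the slide's sha256_password account, migrates an existing account, and inventories what is still on the older plugin. The account names and passwords other than the slide's own are constructed placeholders.

```sql
-- Added example: inspect and migrate authentication plugins on MySQL 5.7.
-- 'jeffrey'@'localhost' and its password are constructed placeholders.

-- Which plugin each account authenticates with, and how much the renamed
-- authentication_string column holds for it (a hash, never a password).
SELECT user, host, plugin, LENGTH(authentication_string) AS auth_len
FROM mysql.user
ORDER BY plugin, user, host;

-- New account on sha256_password, as on the slide.
CREATE USER 'sha256user'@'localhost'
  IDENTIFIED WITH sha256_password BY 'Sh@256Pa33';

-- Migrating an existing account needs a fresh password: the stored
-- mysql_native_password hash cannot be converted to the new format.
ALTER USER 'jeffrey'@'localhost'
  IDENTIFIED WITH sha256_password BY 'N3w-Sha256-Secret!';

-- sha256_password clients send the password inside a TLS session, or
-- RSA-encrypt it when the connection is not TLS. The RSA key pair for the
-- second path is generated alongside the SSL files; confirm it is present.
SHOW GLOBAL VARIABLES LIKE 'sha256_password_%';

-- Remaining accounts on the older plugin, i.e. the migration backlog.
SELECT user, host, plugin
FROM mysql.user
WHERE plugin <> 'sha256_password';
```

Setting default_authentication_plugin=sha256_password only affects accounts created afterwards, which is why the last query matters: the existing accounts stay on mysql_native_password until each is altered with a new password.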

Page 22:

SQL MODE STRICT

● New Default SQL MODE

● Strict mode controls how MySQL handles invalid or missing values in data-change statements such as INSERT or UPDATE. A value can be invalid for several reasons. For example, it might have the wrong data type for the column, or it might be out of range. A value is missing when a new row to be inserted does not contain a value for a non-NULL column that has no explicit DEFAULT clause in its definition. (For a NULL column, NULL is inserted if the value is missing.) Strict mode also affects DDL statements such as CREATE TABLE.

● If strict mode is not in effect, MySQL inserts adjusted values for invalid or missing values and produces warnings (see Section 13.7.5.40, “SHOW WARNINGS Syntax”). In strict mode, you can produce this behavior by using INSERT IGNORE or UPDATE IGNORE.

Page 23:

MySQL Modes

● The default SQL mode in MySQL 5.7 includes these modes: ONLY_FULL_GROUP_BY, STRICT_TRANS_TABLES, NO_ZERO_IN_DATE, NO_ZERO_DATE, ERROR_FOR_DIVISION_BY_ZERO, NO_AUTO_CREATE_USER, and NO_ENGINE_SUBSTITUTION.

● For information about all available modes and MySQL's default behavior, see Section 5.1.7, “Server SQL Modes” in the manual.
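The two SQL-mode slides above describe behaviour that is easiest to see side by side. The following is an added example, not from the slides: a small table with constructed data, the statements that the 5.7 default mode now rejects, the same statements under the old permissive mode, and the per-statement opt-out. Run it interactively, since the rejected statements are meant to error.

```sql
-- Added example: strict mode versus the pre-5.7 defaults.
-- Database, table and values are constructed for the demonstration.
CREATE DATABASE IF NOT EXISTS demo;
USE demo;
CREATE TABLE IF NOT EXISTS audit_event (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  severity TINYINT NOT NULL,        -- valid range -128..127
  actor    VARCHAR(8) NOT NULL,     -- no DEFAULT clause: a value is required
  seen_at  DATETIME NOT NULL
);

-- The 5.7 default, including STRICT_TRANS_TABLES, NO_ZERO_DATE and
-- NO_AUTO_CREATE_USER.
SET SESSION sql_mode = DEFAULT;

-- Each of these is now an error rather than a silently adjusted row.
INSERT INTO audit_event (severity, actor, seen_at)
  VALUES (999, 'alice', '2015-10-20 09:00:00');            -- out of range
INSERT INTO audit_event (severity, actor, seen_at)
  VALUES (3, 'a-very-long-name', '2015-10-20 09:00:00');   -- would truncate
INSERT INTO audit_event (severity, actor, seen_at)
  VALUES (3, 'alice', '0000-00-00 00:00:00');              -- NO_ZERO_DATE
INSERT INTO audit_event (severity, seen_at)
  VALUES (3, '2015-10-20 09:00:00');                       -- actor missing

-- NO_AUTO_CREATE_USER: GRANT no longer conjures up an account. This fails
-- with ER_CANT_CREATE_USER_WITH_GRANT; use CREATE USER first.
GRANT SELECT ON demo.audit_event TO 'nobody'@'localhost';

-- The old behaviour, reproduced by clearing the mode: the row is stored
-- with the value clipped, the string cut off and a zero date, and the only
-- trace is a warning that most application code never reads.
SET SESSION sql_mode = '';
INSERT INTO audit_event (severity, actor, seen_at)
  VALUES (999, 'a-very-long-name', '0000-00-00 00:00:00');
SHOW WARNINGS;
SELECT * FROM audit_event;

-- Explicit per-statement opt-out while the session stays strict.
SET SESSION sql_mode = DEFAULT;
INSERT IGNORE INTO audit_event (severity, actor, seen_at)
  VALUES (999, 'a-very-long-name', '2015-10-20 09:00:00');
SHOW WARNINGS;
```

The security angle is the audit-trail case above: under the old default a severity of 999 is stored as 127 and an actor name is cut to eight characters without the statement failing, so logged events silently lose fidelity. Strict mode turns that into an error the application has to handle, and INSERT IGNORE makes the relaxation visible in the code that asks for it.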

Page 24:

Replication Changes

● Loss-less semi-sync replication

● Semi-sync can now wait for a configurable number of slaves

● Intra-schema parallel replication

● Ability to tune group commit via binlog_group_commit_sync_delay and binlog_group_commit_sync_no_delay_count options.

● Non-blocking SHOW SLAVE STATUS

● Online CHANGE REPLICATION FILTER

● Online CHANGE MASTER TO without stopping SQL thread

Page 25:

MySQL Enterprise Firewall

Page 26:

Where to get MySQL 5.7

● Community & Enterprise Editions download page: www.mysql.com

● Yum repo: http://dev.mysql.com/downloads/repo/yum/

● Apt repo: http://dev.mysql.com/downloads/repo/apt/

● SUSE repo: http://dev.mysql.com/downloads/repo/suse/

● Windows: http://dev.mysql.com/downloads/windows/

Page 27:

Q/A

● Slides – Slideshare.net/davidmstokes

● Twitter – @Stoker

● Email – [email protected]

● Blog – [email protected]