opensuse 2015: secure deployment changes coming in mysql 5.7
TRANSCRIPT
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Secure Deployment Changesin MySQL 5.7Common problems and how do we intend to solve them
Georgi KodinovTeam Lead, MySQL Server General Team
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
• Former banking IT Manager
• Veteran software developer
• Leading the MySQL Server General development team
• Been with MySQL since 2006
• Regular MySQL conference speaker
About Me
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Program Agenda
Recent trends in secure MySQL deployment
Secure deployment changes in MySQL 5.7
1
2
4
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Recent Trends in Secure MySQL Deployment
5
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Secure by Default !
• Help the novice user
• People now needing to explicitly relax security constraints
• Increases awareness and visibility of security issues
6
The “why”
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Secure by Default !
• mysql_secure_installation not needed on new installs !
• Single account with a random, expired password
• No test/demo databases and data in the server package
• Password strength validation plugin installed by default
• Self signed SSL CA/keys pre-generated if absent
• SSL encrypted connections by default
• Control over data import/export file system locations
• “Development” and “production” packages
7
The “how”
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Packaged in a Secure Way
• Careful use of the OS accounts
• All demo/test/example files in separate packages
• No default passwords
• Designated location data imported/exported through SQL commands
8
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Secure Deployment Changes in MySQL 5.7
9
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
A Single root@localhost Account
• Fully implemented in 5.7.7 (RC1)
• No root@<ip address>
• No anonymous accounts
• No test accounts
• With expired, auto-generated password
• Looking into using passwordless authentication where available
• FYI: Interactive installers will ask for a password
10
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
SSL Encryption by Default
• Fully implemented in 5.7.7 (RC1)
• SSL key material generated and set up at install time
– CA, server and client certificates and keys
• Clients attempting SSL connections by default
• A way to force SSL on the client side
11
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Security Conscious Package Layout
• Fully implemented in 5.7.7 (RC1)
• Tests and demos into a separate package
• A designated directory for OS file handling SQL commands
• Reviewed the use of OS accounts and permissions
12
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Non Security Related, But Noteworthy
13
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
The New Server –initialize* Option
• Heavy: mysql_install_db spawns the server in a weird mode
• Not platform independent
• Relying on external script files to bootstrap
14
Why ?
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
The New Server –initialize* Option
• Everything needed linked into the server
• No extra binaries
• Works with the server binary = all server’s startup options work
• Platform independent
• Two modes:
– --initialize: root account with expired auto-generated strong password
– --initialize-insecure: root account without a password (scripts)
• mysql_install_db still works, but deprecated
15
How ?