opensuse 2015: secure deployment changes coming in mysql 5.7


Upload: georgi-kodinov

Post on 18-Jul-2015


Copyright © 2015, Oracle and/or its affiliates. All rights reserved.

Secure Deployment Changes in MySQL 5.7

Common problems and how we intend to solve them

Georgi Kodinov

Team Lead, MySQL Server General Team


About Me

• Former banking IT Manager

• Veteran software developer

• Leading the MySQL Server General development team

• Been with MySQL since 2006

• Regular MySQL conference speaker


Program Agenda

1. Recent trends in secure MySQL deployment

2. Secure deployment changes in MySQL 5.7


Recent Trends in Secure MySQL Deployment


Secure by Default! The “why”

• Help the novice user

• People now needing to explicitly relax security constraints

• Increases awareness and visibility of security issues


Secure by Default! The “how”

• mysql_secure_installation not needed on new installs!

• Single account with a random, expired password

• No test/demo databases and data in the server package

• Password strength validation plugin installed by default

• Self-signed SSL CA/keys pre-generated if absent

• SSL encrypted connections by default

• Control over data import/export file system locations

• “Development” and “production” packages


Packaged in a Secure Way

• Careful use of the OS accounts

• All demo/test/example files in separate packages

• No default passwords

• Designated location for data imported/exported through SQL commands


Secure Deployment Changes in MySQL 5.7


A Single root@localhost Account

• Fully implemented in 5.7.7 (RC1)

• No root@<ip address>

• No anonymous accounts

• No test accounts

• With expired, auto-generated password

• Looking into using passwordless authentication where available

• FYI: Interactive installers will ask for a password


SSL Encryption by Default

• Fully implemented in 5.7.7 (RC1)

• SSL key material generated and set up at install time

– CA, server and client certificates and keys

• Clients attempting SSL connections by default

• A way to force SSL on the client side


Security Conscious Package Layout

• Fully implemented in 5.7.7 (RC1)

• Tests and demos moved into a separate package

• A designated directory for SQL commands that read or write OS files

• Reviewed the use of OS accounts and permissions


Non Security Related, But Noteworthy


The New Server --initialize* Option: Why?

• Heavy: mysql_install_db spawns the server in a weird mode

• Not platform independent

• Relying on external script files to bootstrap


The New Server --initialize* Option: How?

• Everything needed linked into the server

• No extra binaries

• Works with the server binary = all server’s startup options work

• Platform independent

• Two modes:

– --initialize: root account with expired auto-generated strong password

– --initialize-insecure: root account without a password (scripts)

• mysql_install_db still works, but deprecated
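A post-initialization check for the single-account layout and the file-location control described in these slides, added here as an example and not part of the talk. It assumes mysqld 5.7 on PATH for the opt-in live part, the 5.7 error-log wording for the generated root password, and the `secure_file_priv` server variable; the helper functions also run on constructed input.

```shell
#!/bin/sh
# Added example (not from the slides): checks for a MySQL 5.7 deployment
# initialized with --initialize. Assumes mysqld 5.7 on PATH for the live
# part; the helper functions run on constructed input as well.

# Pull the auto-generated, expired root password out of the error log
# written by mysqld --initialize. The "A temporary password is generated
# for root@localhost:" wording is the 5.7 [Note] line (assumed here).
extract_temp_password() {
    sed -n 's/.*A temporary password is generated for root@localhost: //p' "$1" | tail -n 1
}

# Given one "user@host" per line, succeed only for the single-account
# layout from the slides: root@localhost alone, no anonymous user
# (empty user part, e.g. "@localhost"), no root@<ip>, no test accounts.
check_accounts() {
    [ -n "$1" ] || return 1
    if printf '%s\n' "$1" | grep -v '^$' | grep -qvx 'root@localhost'; then
        return 1
    fi
    return 0
}

# secure_file_priv: an empty value lets LOAD DATA / SELECT ... INTO OUTFILE
# touch any path the server process can read or write; a directory confines
# them and the string NULL disables them. Succeed unless the value is empty.
check_secure_file_priv() {
    [ -n "$1" ]
}

# Live part, opt-in: initialize a throwaway data directory (must not exist
# yet) and confirm the password reached the error log, not the terminal.
DATADIR=${DATADIR:-/tmp/mysql57-init-check}
if [ "${RUN_LIVE:-0}" = 1 ] && command -v mysqld >/dev/null 2>&1; then
    mysqld --initialize --user="$(id -un)" --datadir="$DATADIR" \
        --log-error="$DATADIR.err"
    PW=$(extract_temp_password "$DATADIR.err")
    [ -n "$PW" ] && echo "temporary root@localhost password captured from $DATADIR.err"
    # After starting the server and resetting the expired password (an
    # expired login accepts only ALTER USER / SET PASSWORD), list accounts:
    #   mysql -uroot -p -N -e "SELECT CONCAT(user,'@',host) FROM mysql.user"
    # and feed the output to check_accounts; SHOW VARIABLES LIKE
    # 'secure_file_priv' gives the value for check_secure_file_priv.
fi
```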


Questions and Answers
