MariaDB Europe Roadshow 2015 - MariaDB Security
Transcript of MariaDB Europe Roadshow 2015 - MariaDB Security
© MariaDB Corporation Ab
MariaDB Roadshow 2015
MariaDB Security
MariaDB Security
• Authentication Plugins
• Encryption
• User Roles
• Password Validation Plugins
• Audit Plugin
• Security Notifications
26.03.15 2
MariaDB Security: Authentication Plugins
PAM Authentication
• Authentication using /etc/shadow
• Authentication using LDAP, SSH pass phrases, password expiration, username mapping, logging every login attempt, etc.
• INSTALL PLUGIN pam SONAME 'auth_pam.so';
• CREATE USER foo@host IDENTIFIED VIA pam;
• REMEMBER to configure PAM (/etc/pam.d or /etc/pam.conf)
• https://mariadb.com/kb/en/pam-authentication-plugin/
Kerberos authentication plugin
Diagram: Kerberos ticket exchange between the Client, the KDC and MariaDB:
1 - Ticket request (Client to KDC)
2 - Service ticket (KDC to Client)
3 - "Here is my service ticket, authenticate me" (Client to MariaDB)
4 - Client / Server session
• GSS-API on Linux
  • Red Hat Directory Server
  • OpenLDAP
• SSPI on Windows
  • Active Directory
MariaDB Security: Encryption
Data Encryption
MariaDB supports 2 different ways to encrypt data:
Table Encryption
• Specific tables are marked for encryption
• Contributed by Eperi
Tablespace Encryption
• Everything is encrypted (including log files)
• Contributed by Google
Table Level Encryption
• Choose encryption algorithm, e.g. aes_ctr:
  encryption-algorithm=aes_ctr
• Load Key Management Plugin:
  plugin-load-add=file_key_management_plugin.so
  file-key-management-plugin
• Set location of key file:
  file-key-management-plugin-filename=/mnt/dfs/keys.txt
• Create keys
Table Level Encryption
CREATE TABLE customer(
  CUSTOMER_ID BIGINT NOT NULL PRIMARY KEY,
  CUSTOMER_NAME VARCHAR(80),
  CUSTOMER_CREDITCARD VARCHAR(20))
ENGINE=InnoDB
page_encryption=1
page_encryption_key=1;
Tablespace Encryption
• Choose encryption algorithm, e.g. aes_ctr:
  encryption-algorithm=aes_ctr
• Load Key Management Plugin:
  plugin-load-add=example_key_management_plugin.so
  example_key_management_plugin
• Specify what to encrypt:
  innodb-encrypt-tables
  aria-encrypt-tables
  encrypt-tmp-disk-tables
  innodb-encrypt-log
• Key rotation:
  innodb-encryption-threads=4
  innodb-encryption-rotate-key-age=1800
Performance Impact of Data Encryption
Chart: TPC-C like OLTP benchmark showing the impact of encryption
Performance Impact of Data Encryption
Chart: New Order transactions/second benchmark showing the impact of encryption
More about Data Encryption
• Tablespace scrubbing
  • Background process that regularly scans through the tables and upgrades the encryption keys
• More info: https://mariadb.com/kb/en/table-and-tablespace-encryption
MariaDB Security: User Roles
Role-Based Access Control
Diagram: in MariaDB 10, users are granted roles (DBA, Developer, Sysadmin) and the roles carry the permissions on the database tables; example shown: Role: DBA with permissions Update Schema, View Statistics, Create Database.
Roles
CREATE ROLE journalist;
GRANT SHOW DATABASES ON *.* TO journalist;
GRANT ALL ON db1.* TO journalist;
GRANT journalist TO user1;
SET DEFAULT ROLE journalist;
https://mariadb.com/kb/en/mariadb/roles-overview/
MariaDB Security: Password Validation Plugins
Password validation plugins
• Password validation plugin API
  • https://mariadb.com/kb/en/password-validation/
• simple_password_check plugin
  • Can enforce a minimum password length and guarantee that a password contains at least a specified number of upper and lowercase letters, digits, and punctuation characters
  • https://mariadb.com/kb/en/simple_password_check/
• cracklib_password_check plugin
  • A widely used library
  • Stops users from choosing easy to guess passwords. It includes checks for not allowing passwords based on the username or a dictionary word etc.
  • https://mariadb.com/kb/en/cracklib_password_check/
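An illustrative re-implementation of the two policies described above (added example, not the plugins' own code): the simple_password_check rules, with parameter names mirroring the plugin's system variables and thresholds assumed as 8 characters plus one digit, one upper-case, one lower-case and one punctuation character, and the cracklib-style user-name and dictionary checks against a constructed word list.

```python
import string
from typing import List

# Constructed word list standing in for cracklib's dictionary.
DICTIONARY = {"password", "welcome", "mariadb", "qwerty"}

def simple_password_check(pw: str, minimal_length: int = 8, digits: int = 1,
                          letters_same_case: int = 1, other_characters: int = 1) -> List[str]:
    """Mirror of the simple_password_check rules; returns the failed rules
    (empty list = accepted). The threshold defaults are assumed here."""
    problems = []
    if len(pw) < minimal_length:
        problems.append(f"shorter than {minimal_length} characters")
    if sum(c.isdigit() for c in pw) < digits:
        problems.append(f"fewer than {digits} digit(s)")
    if sum(c.isupper() for c in pw) < letters_same_case:
        problems.append(f"fewer than {letters_same_case} upper-case letter(s)")
    if sum(c.islower() for c in pw) < letters_same_case:
        problems.append(f"fewer than {letters_same_case} lower-case letter(s)")
    if sum(c in string.punctuation for c in pw) < other_characters:
        problems.append(f"fewer than {other_characters} punctuation character(s)")
    return problems

def cracklib_style_check(pw: str, username: str) -> List[str]:
    """The cracklib rules the slide names: reject passwords built on the user
    name (also reversed) or containing a dictionary word, ignoring case."""
    problems = []
    low, user = pw.lower(), username.lower()
    if user and (user in low or user[::-1] in low):
        problems.append("based on the user name")
    if any(word in low for word in DICTIONARY):
        problems.append("based on a dictionary word")
    return problems

def validate(pw: str, username: str) -> List[str]:
    """Chain both checks, as two validation plugins loaded together would."""
    return simple_password_check(pw) + cracklib_style_check(pw, username)
```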
MariaDB Security: Audit Plugin
Why is auditing needed?
• Monitoring System Access
• Locating Errors
• Discovering Frauds
• Improvement of Internal Control
• Proving the fulfillment of security standards
• And more
What to Monitor
Diagram: every audited event is recorded with TIMESTAMP, HOST and USER (SESSION), grouped by category:
• CONNECTION: CONNECT, DISCONNECT, FAILED CONNECT
• QUERY: DDL, DML+TCL, DCL
• OBJECT: DATABASE, TABLES
Auditing without Audit Plugin
• Log Files
  • Error Log
  • Slow Query Log
  • Binary Log
  • General Log
• MySQL Proxy
• Trigger
Password "Filtering"
Starting with Version 1.2.0 passwords will be replaced by a placeholder:
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test4"@"localhost" IDENTIFIED BY PASSWORD *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = PASSWORD("mynewpwd")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (2,OLD_PASSWORD("mypwd2"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = OLD_PASSWORD("mynewpwd2")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'GRANT ALL ON *.* TO "test5"@"localhost" IDENTIFIED BY *****',0
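A defender-side check over audit records in the file format shown above (added example, not the audit plugin's code): it parses the comma-separated records, whose quoted query field may itself contain commas, reports QUERY events where a credential literal is still visible after filtering, and collects failed connections. On the slide's own lines the IDENTIFIED BY statements are masked while the PASSWORD() and OLD_PASSWORD() arguments are not, which is exactly what the check surfaces; the FAILED_CONNECT record and its return code are constructed.

```python
import re
from typing import Dict, List

# Sample records in the MariaDB Audit Plugin file format (timestamp, serverhost,
# user, host, connection id, query id, operation, database, object, return
# code): three lines from the slide plus one constructed FAILED_CONNECT record.
SAMPLE_LOG = """\
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'GRANT ALL ON *.* TO "test5"@"localhost" IDENTIFIED BY *****',0
20150117 23:41:02,MYSQL5530,app,10.0.0.5,2,0,FAILED_CONNECT,,,1045
"""
FIELDS = ("timestamp", "serverhost", "user", "host", "connectionid",
          "queryid", "operation", "database")
# Credential-bearing SQL constructs followed either by the plugin's
# placeholder (*****) or by a still-visible quoted literal.
CRED_RE = re.compile(
    r"(IDENTIFIED\s+BY(?:\s+PASSWORD)?|(?:OLD_)?PASSWORD\s*\()\s*"
    r"(\*{3,}|[\"'][^\"']*[\"'])", re.IGNORECASE)

def parse_line(line: str) -> Dict[str, str]:
    """Split one record; the object field (the query text) may contain commas."""
    parts = line.rstrip("\n").split(",", 8)
    if len(parts) != 9:
        raise ValueError(f"malformed audit record: {line!r}")
    rec = dict(zip(FIELDS, parts[:8]))
    obj, _, rec["retcode"] = parts[8].rpartition(",")
    # Query text is wrapped in single quotes; connection events have no object.
    rec["object"] = obj[1:-1] if len(obj) > 1 and obj[0] == obj[-1] == "'" else obj
    return rec

def find_visible_credentials(query: str) -> List[str]:
    """Return the constructs whose password argument was NOT masked."""
    return [m.group(1).strip() for m in CRED_RE.finditer(query)
            if not m.group(2).startswith("*")]

def audit_report(log_text: str) -> Dict[str, list]:
    """Flag unmasked credentials in QUERY events and collect failed logins."""
    leaks, failed = [], []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(raw)
        if rec["operation"] == "QUERY":
            hits = find_visible_credentials(rec["object"])
            if hits:  # report the line number, not the query, so the secret is not re-logged
                leaks.append((lineno, hits))
        elif rec["operation"] == "FAILED_CONNECT":
            failed.append((rec["user"], rec["host"], rec["retcode"]))
    return {"leaks": leaks, "failed_connects": failed}
```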
MariaDB Security: Security Notifications
MariaDB Security Vulnerability Process
• Disclosure of a MariaDB Security Vulnerability
• Handling of MySQL Security Vulnerabilities
• MariaDB Security Listings
  • Full list of security fixes: https://mariadb.org/security
  • Security fixes in 10.0: https://mariadb.com/kb/en/mariadb/what-is-mariadb-100
  • Release notes also have a specific list for security fixes
• Informing customers about fixed security vulnerabilities
Questions