MariaDB Security: Audit Plugin, Authentication Plugin, Roles

Page 1

© MariaDB Corporation Ab

MariaDB Roadshow 2015: MariaDB Security

Ralf Gebhardt

Page 2

MariaDB Security

• Authentication Plugins
• Encryption
• User Roles
• Password Validation Plugins
• Audit Plugin
• Security Notifications

Page 3

Before we talk about Plugins

• After installing MariaDB run
  • shell> mysql_secure_installation

• You can
  • set a password for root accounts.
  • remove root accounts that are accessible from outside the local host.
  • remove anonymous-user accounts.
  • remove the test database, which by default can be accessed by anonymous users.
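The four checks that mysql_secure_installation performs, expressed as an offline audit over rows in the shape of mysql.user (User, Host, Password) plus a list of database names. This is an added example, not code from the slides or from MariaDB; the sample rows are constructed, and the column names assume the pre-10.4 mysql.user layout.

```python
"""Offline audit of a fresh MariaDB install against the mysql_secure_installation
checklist. Rows are constructed here; in practice they come from
SELECT User, Host, Password FROM mysql.user and SHOW DATABASES."""

# Hosts that count as "the local host" for the remote-root check (assumption).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: (User, Host, Password hash) as an unsecured install might look.
SAMPLE_USERS = [
    ("root", "localhost", ""),                                        # root, no password
    ("root", "%", ""),                                                # root reachable remotely
    ("", "localhost", ""),                                            # anonymous account
    ("app", "10.0.0.%", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"), # fine
]
SAMPLE_DATABASES = ["information_schema", "mysql", "performance_schema", "test"]


def audit_install(users, databases):
    """Return a list of (check, detail) findings; an empty list means all four checks pass."""
    findings = []
    for user, host, pwhash in users:
        if user == "root" and pwhash == "":
            findings.append(("root-without-password", f"root@{host}"))
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(("root-remote-access", f"root@{host}"))
        if user == "":
            findings.append(("anonymous-user", f"''@{host}"))
    for db in databases:
        # The default grant table also gives anonymous users access to test_% databases.
        if db == "test" or db.startswith("test_"):
            findings.append(("test-database", db))
    return findings


if __name__ == "__main__":
    for check, detail in audit_install(SAMPLE_USERS, SAMPLE_DATABASES):
        print(f"{check:22} {detail}")
```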

Page 4

MariaDB Security: Authentication Plugins

Page 5

PAM Authentication

• Authentication using /etc/shadow
• Authentication using LDAP, SSH pass phrases, password expiration, username mapping, logging every login attempt, etc.

• INSTALL PLUGIN pam SONAME 'auth_pam.so';
• CREATE USER foo@host IDENTIFIED via pam;
• REMEMBER to configure PAM (/etc/pam.d or /etc/pam.conf)
• https://mariadb.com/kb/en/pam-authentication-plugin/

Page 6

Kerberos authentication plugin

Figure: ticket flow between Client, KDC and MariaDB
1 - Ticket request (Client to KDC)
2 - Service ticket (KDC to Client)
3 - "Here is my service ticket, authenticate me" (Client to MariaDB)
4 - Client / Server session

• GSS-API on Linux
  • Red Hat Directory Server
  • OpenLDAP

• SSPI on Windows
  • Active Directory

Page 7

MariaDB Security: Encryption

Page 8

Data Encryption

• Encrypts complete tablespaces
• Optional per-table encryption possible with --innodb-file-per-table

• Can encrypt
  • InnoDB log files
  • Temporary tables

• Independently contributed by Google and Eperi GmbH

Page 9

Configure Key Management

• Load Key Management Plugin
  • plugin-load-add=file_key_management

• Choose encryption algorithm, e.g. aes_cbc
  • file-key-management-encryption-algorithm=aes_cbc

• Set location of key file
  • file-key-management-filename=/mnt/dfs/keys.txt

• Create keys

Page 10

Activate Encryption

• Specify what to encrypt
  • innodb-encrypt-tables=ON (OFF/FORCE)
  • aria-encrypt-tables
  • encrypt-tmp-disk-tables
  • innodb-encrypt-log

• Optional key rotation
  • innodb-encryption-threads=4
  • innodb-encryption-rotate-key-age=1800

Page 11

Encrypting one table

CREATE TABLE customer(
  CUSTOMER_ID BIGINT NOT NULL PRIMARY KEY,
  CUSTOMER_NAME VARCHAR(80),
  CUSTOMER_CREDITCARD VARCHAR(20))
ENGINE=InnoDB
encrypted=yes
encryption_key_id=1;

Page 12

Performance Impact of Data Encryption

Figure: TPC-C like OLTP benchmark showing the impact of encryption

Page 13

Performance Impact of Data Encryption

Figure: New Order transactions/second benchmark showing the impact of encryption

Page 14

Deleted Data Encryption

• Scrubbing
  • Background threads periodically scan tablespaces and logs and overwrite all data that should be deleted.

• More info: https://mariadb.com/kb/en/mariadb/xtradb-innodb-data-scrubbing/

Page 15

MariaDB Security: User Roles

Page 16

Role-Based Access Control

Figure: role-based access control in MariaDB 10; roles (DBA, Developer, Sysadmin) carry permissions on database tables.
Example role DBA with permissions: Update Schema, View Statistics, Create Database

Page 17

Roles

CREATE ROLE journalist;
GRANT SHOW DATABASES ON *.* TO journalist;
GRANT ALL ON db1.* TO journalist;
GRANT journalist TO user1;
-- Applies to the current session's user; MariaDB 10.1.1 and later also accept
-- SET DEFAULT ROLE journalist FOR user1; so an administrator can set it for user1.
SET DEFAULT ROLE journalist;

https://mariadb.com/kb/en/mariadb/roles-overview/

Page 18

MariaDB Security: Password Validation Plugins

Page 19

Password validation plugins

• Password validation plugin API
  • https://mariadb.com/kb/en/password-validation/

• simple_password_check plugin
  • Can enforce a minimum password length and guarantee that a password contains at least a specified number of upper and lowercase letters, digits, and punctuation characters
  • https://mariadb.com/kb/en/simple_password_check/

• cracklib_password_check plugin
  • A widely used library
  • Stops users from choosing easy-to-guess passwords. It includes checks for not allowing passwords based on the username or a dictionary word etc.
  • https://mariadb.com/kb/en/cracklib_password_check/

Page 20

Simple password validation

INSTALL PLUGIN simple_password_check SONAME 'simple_password_check.so';

SET PASSWORD = PASSWORD('pwd');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

SET PASSWORD = PASSWORD('AaBbCc$1');
Query OK, 0 rows affected (0.00 sec)

Page 21

MariaDB Security: Audit Plugin

Page 22

Why is auditing needed?

• Monitoring System Access
• Locating Errors
• Discovering Fraud
• Improvement of Internal Control
• Proving the fulfillment of security standards
• And more

Page 23

What to Monitor

Figure: audit event classes
• CONNECTION: CONNECT, DISCONNECT, FAILED CONNECT
• QUERY: DDL, DML+TCL, DCL
• OBJECT: DATABASE, TABLES
• Recorded with each event: TIMESTAMP, HOST, USER (SESSION)

Page 24

MariaDB Audit Plugin

• Open Source
• Support available

• Auditing to
  • File (comma delimited format)
  • Syslog

• Modified Plugin API in MariaDB
  • Audit Plugin compatible with MySQL Server
  • Allows monitoring of table level events (MariaDB)

Page 25

MariaDB Audit Plugin

• Load plugin via SQL command or my.cnf

  INSTALL PLUGIN server_audit SONAME 'server_audit.so';

  [mysqld]
  plugin-load=server_audit=server_audit.so

• Enable Auditing (server_audit_logging is a global variable, so it needs SET GLOBAL)

  SET GLOBAL server_audit_logging = ON;

Page 26

MariaDB Audit Plugin Log Example for CONNECT

20130810 00:05:30,SkySQLNode1,root,MariaDBMgr,2,0,CONNECT,db1,,0
20130810 00:05:53,SkySQLNode1,root,MariaDBMgr,2,0,DISCONNECT,,,0
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,FAILED_CONNECT,,,1045
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,DISCONNECT,,,0

Fields annotated on the slide: Serverhost (SkySQLNode1), User (root, unknownuser), Client-Host (MariaDBMgr), Session-ID (2, 3), DB opened on connect (db1), Failed Connect with Error Code (1045)

Page 27

Password "Filtering"

Starting with version 1.2.0 passwords are replaced by a placeholder:

20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test4"@"localhost" IDENTIFIED BY PASSWORD *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = PASSWORD("mynewpwd")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (2,OLD_PASSWORD("mypwd2"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = OLD_PASSWORD("mynewpwd2")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'GRANT ALL ON *.* TO "test5"@"localhost" IDENTIFIED BY *****',0

Page 28

MariaDB Security: Security Notifications

Page 29

MariaDB Security Vulnerability Process

• Disclosure of a MariaDB Security Vulnerability
• Handling of MySQL Security Vulnerabilities
• MariaDB Security Listings
  • Full list of security fixes: https://mariadb.org/security
  • Security fixes in 10.0: https://mariadb.com/kb/en/mariadb/what-is-mariadb-100
  • Release notes also have a specific list for security fixes
• Informing customers about fixed security vulnerabilities

Page 30

Questions?

mariadb.com

[email protected]

"MySQL is a registered trademark of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. MariaDB is not affiliated with MySQL."