MySQL 5.7 Security Dave Stokes MySQL Community Manager [email protected] @Stoker slideshare.net/davidmstokes OpenSourceDBA.wordpress.com

MySQL 5.7 Security -- Converge Conference July 14th 2016


What are we talking about?

MySQL 5.7 features several security enhancements including password rotation, third party authentication plug-ins, secure by default installation, and encryption. This presentation is an overview of these new features and what you need to do before upgrading.


Before upgrading

1. Read the MySQL 5.7 Release Notes

2. Backup all data

3. Double check hardware status (no failing drive in RAID array, no bad memory, etc.)

4. Practice on an old machine

5. Make two or three more backups


1. Intro to DB Security

Chapter 7 of the MySQL Manual is devoted to security and is a MUST read.

➔ General Security issues & authentication

➔ Users: Privileges, passwords, & Proxies

➔ Secure connections & plugins: SSL, Certificates, authentication (SHA256, PAM, Windows, & more), and Enterprise options


Authentication System

First the MySQL server checks the HOST

Then it checks Username/Password

It is designed to be PERMISSIVE -- lets the user in at the first opportunity.

So [email protected].% may or may not also be [email protected]


Privileges

Do not GRANT ALL to all accounts

DROP_PRIV very messy

Best to be stingy and hand out as needed then always rebuild

Use proxies for functions like accounting, not recreating wheel


Big changes were made to make MySQL 5.7 more secure starting at installation

Tip: You want to run the latest version of MySQL that you can. There are big improvements in performance, features, and security.


Your new root password is nLvQRk7wq-NY

Change it! (MySQL 5.7 forces a random password at install time.)

Tip: The new password is recorded at install time in /var/log/mysql.log or equivalent. BTW do not make this file world-readable (for hopefully obvious reasons).


No more anonymous accounts created

You need an account to log in. (No need to remove after upgrade)

Tip: Anonymous accounts have no username and no password. Search for these -- note permissions and usage before trying to remove them. Also watch for accounts with no passwords and privs!!!
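The search this tip describes, written out as an added example that is not part of the original slides. It assumes MySQL 5.7.6 or later (where mysql.user has the authentication_string and account_locked columns) and a session allowed to read the mysql schema.

```sql
-- Added example: pre-upgrade account audit for MySQL 5.7.6+.

-- 1. Anonymous accounts: an empty user name matches ANY user name
--    supplied from a matching host.
SELECT user, host, plugin, account_locked
FROM mysql.user
WHERE user = '';

-- 2. Database-level rights held by anonymous accounts. Old installs
--    granted access to `test` and `test\_%` through rows like these.
SELECT host, db, user, Select_priv, Insert_priv, Update_priv,
       Delete_priv, Create_priv, Drop_priv
FROM mysql.db
WHERE user = '';

-- 3. Password-based accounts with an empty hash. The plugin filter
--    skips accounts that legitimately store nothing here because
--    they authenticate externally or cannot log in at all.
SELECT user, host, plugin
FROM mysql.user
WHERE (authentication_string IS NULL OR authentication_string = '')
  AND plugin IN ('mysql_native_password', 'sha256_password');

-- 4. The dangerous combination: anonymous or passwordless AND
--    holding a global administrative privilege.
SELECT user, host, Super_priv, Grant_priv, File_priv,
       Create_user_priv, Shutdown_priv
FROM mysql.user
WHERE (user = ''
       OR ((authentication_string IS NULL OR authentication_string = '')
           AND plugin IN ('mysql_native_password', 'sha256_password')))
  AND 'Y' IN (Super_priv, Grant_priv, File_priv,
              Create_user_priv, Shutdown_priv);

-- 5. Which account row did the server match for this session?
--    USER() is what the client sent; CURRENT_USER() is the
--    mysql.user row actually used for privilege checks.
SELECT USER() AS client_supplied, CURRENT_USER() AS matched_account;
```

If query 5 returns a matched_account with an empty user part, the session was authenticated as an anonymous account even though a user name was supplied.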

No test database created during install

You may have one but do not need it. (In early days used to check functionality)

Tip: If you have a test database it may be a legitimate database used for testing. But please check it!!


Previously each upgrade could give someone root access to your server.

Tip: This is worse in a cloud world -- new instance spins up and script kiddies jump on new instance before you can get to it.


2. Usernames

➔ Used to be: up to 16 characters long

➔ Now are: up to 32 characters long


IF [NOT] EXISTS

Support of IF [NOT] EXISTS has been added to CREATE/DROP user commands.

Tip: If your software setup scripts on a fresh install need a dedicated user you may want to add this to your process.


ALTER USER

This command has been heavily updated for functions such as specifying encryption standards, SSL, resource uses, locking account, expiration options, and more.

Tip: ALTER USER 'foo'@'local' ACCOUNT LOCK; is handy when someone leaves the organization but you still might need their account.

Story for illustration purposes only

Support for TLSv1.2 with OpenSSL & TLSv1.1 with YaSSL

Tip: By default, MySQL attempts to use the highest TLS protocol version available, depending on which SSL library was used to compile the server and client.


The mysql.user.password column changed to authentication_string

This was done to better reflect current use. This field can be used to hold more than passwords.


Password Rotation

You can now have password rotation, complexity, and can ban certain words from being used in passwords.

Tip: Password lifetime is measured in days. Setting to zero means no rotation and setting to NULL means use server default.


Banning certain words as passwords

Enable STRONG password verification (can tune down as needed (not recommended)) and then specify a ‘dictionary’ file with words four characters or longer (wonder how they got that length).

Suggestions: password, secret, 12345, qwerty, or any of the famous George Carlin seven dirty words.
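The account features from the preceding slides (IF [NOT] EXISTS, ALTER USER locking and expiry, password lifetime, the banned-word dictionary) combined into one script, as an added example that is not taken from the original deck. Account names, the host pattern, the password and the dictionary path are made-up placeholders; the variable names are those of the MySQL 5.7 validate_password plugin.

```sql
-- Added example for MySQL 5.7.8+. Names, password and paths are placeholders.

-- Load the password validation plugin (Linux library name;
-- on Windows the file is validate_password.dll).
INSTALL PLUGIN validate_password SONAME 'validate_password.so';

-- STRONG = length + mixed case + digit + special character
--          + no dictionary word of four or more characters inside.
SET GLOBAL validate_password_policy = 'STRONG';
-- Plain text file, one lowercase word per line.
SET GLOBAL validate_password_dictionary_file = '/etc/mysql/banned_words.txt';

-- Server-wide rotation default, in days (0 disables expiry).
SET GLOBAL default_password_lifetime = 90;

-- Idempotent creation: safe to re-run from a setup script.
CREATE USER IF NOT EXISTS 'app_rw'@'10.0.0.%'
  IDENTIFIED BY 'Ch4nge-Th1s_Placeholder!'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 60 DAY;

-- Per-account overrides of the rotation policy.
ALTER USER 'app_rw'@'10.0.0.%' PASSWORD EXPIRE NEVER;    -- lifetime 0
ALTER USER 'app_rw'@'10.0.0.%' PASSWORD EXPIRE DEFAULT;  -- lifetime NULL

-- Someone left: block logins but keep the account and its grants.
ALTER USER IF EXISTS 'jdoe'@'localhost' ACCOUNT LOCK;

-- Retire an account without failing if it is already gone.
DROP USER IF EXISTS 'old_batch'@'localhost';

-- Review the resulting state of every account.
SELECT user, host, account_locked, password_expired,
       password_lifetime, password_last_changed
FROM mysql.user
ORDER BY user, host;
```

SET GLOBAL changes do not survive a restart, so the same validate_password and default_password_lifetime settings also belong in the server's option file.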


Authentication Plug-ins

When a client connects to the MySQL server, the server uses the username provided by the client and the client host to select the appropriate account row from the mysql.user table. The server then authenticates the client, determining from the account row which authentication plugin applies for the client.


Pluggable authentication enables two important capabilities:

External authentication: Pluggable authentication makes it possible for clients to connect to the MySQL server with credentials that are appropriate for authentication methods other than native authentication based on passwords stored in the mysql.user table. For example, plugins can be created to use external authentication methods such as PAM, Windows login IDs, LDAP, or Kerberos.

Proxy users: If a user is permitted to connect, an authentication plugin can return to the server a user name different from the name of the connecting user, to indicate that the connecting user is a proxy for another user. While the connection lasts, the proxy user is treated, for purposes of access control, as having the privileges of a different user. In effect, one user impersonates another.


Several authentication plugins are available in MySQL

Perform native authentication that matches the password against the Password column of the account row.

Performs authentication using SHA-256 password hashing.

Prevents all client connections to any account that uses it. Use cases for such a plugin include accounts that must be able to execute stored programs and views with elevated privileges without exposing those privileges to ordinary users, and proxy accounts that should never permit direct login.

Sends the password to the server without hashing or encryption. This plugin can be used by server-side plugins that require access to the password exactly as provided by the client user.

Authenticates clients that connect from the local host through the Unix socket file.

A test plugin that authenticates using MySQL native authentication. This plugin is intended for testing and development purposes, and as an example of how to write an authentication plugin.


MySQL wants SSL

As of MySQL 5.7.5, MySQL servers have the capability of automatically generating missing SSL and RSA files at startup, for MySQL distributions compiled using OpenSSL. The auto_generate_certs and sha256_password_auto_generate_rsa_keys system variables control automatic generation of these files. Both variables are enabled by default. They can be enabled at startup and inspected but not set at runtime.

See a short video on Alberto’s story

Tip: At startup, the server automatically generates server-side and client-side SSL certificate and key files in the data directory if the auto_generate_certs system variable is enabled.


Some Other Stuff

➔ Old_password hash: Has been removed, left over from 4.1 and earlier

➔ AES: Support for multiple AES Encryption modes


InnoDB TABLESPACE ENCRYPTION

InnoDB supports data encryption for InnoDB tables stored in file-per-table tablespaces. This feature provides at-rest encryption for physical tablespace data files.

InnoDB tablespace encryption uses a two tier encryption key architecture, consisting of a master encryption key and tablespace keys. When an InnoDB table is encrypted, a tablespace key is encrypted and stored in the tablespace header. When an application or authenticated user wants to access encrypted tablespace data, InnoDB uses a master encryption key to decrypt the tablespace key. The decrypted version of a tablespace key never changes, but the master encryption key may be changed as required. This action is referred to as master key rotation.

Tip: The hard part of encryption is the key management.
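How the two-tier key scheme looks from the administrator's side, as an added example that is not part of the original slides. It assumes MySQL 5.7.11 or later with the keyring_file plugin; the keyring path and the schema and table names are placeholders.

```sql
-- Added example for MySQL 5.7.11+. Paths and object names are placeholders.
--
-- The keyring plugin holding the master key must load before InnoDB
-- starts, so it is configured in the option file, not at runtime:
--   [mysqld]
--   early-plugin-load = keyring_file.so
--   keyring_file_data = /var/lib/mysql-keyring/keyring

-- Confirm a keyring plugin is active before encrypting anything.
SELECT plugin_name, plugin_status
FROM information_schema.plugins
WHERE plugin_name LIKE 'keyring%';

-- Encryption applies only to file-per-table tablespaces.
SHOW VARIABLES LIKE 'innodb_file_per_table';

-- New table: a tablespace key is generated, encrypted with the
-- master key, and stored in the tablespace header.
CREATE TABLE hr.salaries (
  emp_id INT UNSIGNED NOT NULL PRIMARY KEY,
  amount DECIMAL(12,2) NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';

-- Existing table: this rebuilds the table, so schedule it.
ALTER TABLE hr.reviews ENCRYPTION='Y';

-- Inventory of encrypted tables.
SELECT table_schema, table_name, create_options
FROM information_schema.tables
WHERE create_options LIKE '%ENCRYPTION="Y"%';

-- Master key rotation: only the tablespace keys in the headers are
-- re-encrypted under the new master key; data pages are not rewritten.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

With keyring_file the master key is a file on the database host: keep it outside the data directory, restrict it to the mysqld user, and back it up separately from the data, because encrypted tables cannot be read without it.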


Bonus Round - DB Info

Reading from disk is 100,000 times slower than reading from memory

Make sure you can restore a database, a table or a row from backup

Tune the most frequently run queries first as they will save more overall time

Database Security is Not one Size fits all.

Tip: Paranoia is a good thing for a database administrator to have.


Good luck!

Slides are available at http://slideshare.net/davidmstokes

David.Stokes@Oracle.com

@Stoker
