MariaDB Europe Roadshow 2015 - MariaDB Security

© MariaDB Corporation Ab, MariaDB Roadshow 2015, MariaDB Security (26 slides)

Uploaded by mariadb, posted on 18-Jul-2015

TRANSCRIPT

Page 1: MariaDB Roadshow 2015, MariaDB Security (title slide)

Page 2: MariaDB Security (agenda)

• Authentication Plugins
• Encryption
• User Roles
• Password Validation Plugins
• Audit Plugin
• Security Notifications

26.03.15 2

Page 3: Authentication Plugins (section divider)

Page 4: PAM Authentication

• Authentication using /etc/shadow
• Authentication using LDAP, SSH pass phrases, password expiration, username mapping, logging every login attempt, etc. (whatever the configured PAM stack provides)

• INSTALL PLUGIN pam SONAME 'auth_pam.so';
• CREATE USER foo@host IDENTIFIED VIA pam;
• REMEMBER to configure PAM (/etc/pam.d or /etc/pam.conf)
• https://mariadb.com/kb/en/pam-authentication-plugin/

Two things to check before enabling it. The PAM service name is given with a USING 'service' clause and defaults to mysql when omitted, so the matching file under /etc/pam.d must exist; and the PAM modules run inside the mysqld process, so the server's OS user needs whatever access they require (pam_unix has to be able to read /etc/shadow). The client sends the password to the server in clear text for PAM to verify, so PAM-authenticated accounts should only be allowed over TLS or the local socket.

Page 5: Kerberos authentication plugin

Ticket exchange between Client, KDC and MariaDB:
1. Client requests a service ticket from the KDC
2. KDC returns the service ticket
3. Client presents the service ticket to MariaDB ("here is my service ticket, authenticate me")
4. Client / server session

• GSS-API on Linux: Red Hat Directory Server, OpenLDAP
• SSPI on Windows: Active Directory

Page 6: Encryption (section divider)

Page 7: Data Encryption

MariaDB supports 2 different ways to encrypt data:

Table encryption
• Specific tables are marked for encryption
• Contributed by Eperi

Tablespace encryption
• Everything is encrypted (including log files)
• Contributed by Google

Page 8: Table Level Encryption

• Choose the encryption algorithm, e.g. aes_ctr:
  encryption-algorithm=aes_ctr
• Load the key management plugin:
  plugin-load-add=file_key_management_plugin.so
  file-key-management-plugin
• Set the location of the key file:
  file-key-management-plugin-filename=/mnt/dfs/keys.txt
• Create keys

These option names are those of the 10.1.3 preview shown at the roadshow. In 10.1.4 and later the plugin is called file_key_management, the options are file_key_management_filename and file_key_management_encryption_algorithm, and the key file can itself be encrypted (file_key_management_filekey). In either version the key file holds the keys that protect every encrypted table, so keep it owned by the mysqld user with mode 0600 and out of the backup sets that contain the data files.

Page 9: Table Level Encryption

CREATE TABLE customer(
  CUSTOMER_ID BIGINT NOT NULL PRIMARY KEY,
  CUSTOMER_NAME VARCHAR(80),
  CUSTOMER_CREDITCARD VARCHAR(20))
  ENGINE=InnoDB
  page_encryption=1
  page_encryption_key=1;

page_encryption=1 turns page encryption on for the table and page_encryption_key=1 selects key id 1 from the key file (from 10.1.4 on this is written ENCRYPTED=YES ENCRYPTION_KEY_ID=1). It protects the data files and their backups at rest only: any account with SELECT on the table still reads CUSTOMER_CREDITCARD in clear, so it complements privileges and application-side protection of card data rather than replacing them.
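A helper for the "Create keys" step of the previous slide, added here as an example (not code from the slides or from MariaDB): it generates random keys from the OS CSPRNG, writes them to a key file that is readable by its owner only, and validates a key file before the server is pointed at it. It assumes the line format of the file_key_management plugin as shipped from MariaDB 10.1.4 on (`<key id>;<hex key>` with 128-, 192- or 256-bit keys); the paths and key ids are illustrative.

```python
"""Generate and validate a key file for MariaDB's file_key_management plugin.

Added example, not code from the slides or from MariaDB. Assumed format
(file_key_management as shipped from MariaDB 10.1.4 on): one key per line,
'<key id>;<hex-encoded key>', with 128-, 192- or 256-bit keys. Key id 1 is
the server's default key id (innodb_default_encryption_key_id), so this
helper insists on it. Paths and key ids below are illustrative.
"""
import os
import re
import secrets
import tempfile

KEY_LINE = re.compile(r"^(\d+);([0-9A-Fa-f]+)$")
VALID_HEX_LENGTHS = {32, 48, 64}  # 128-, 192- and 256-bit keys as hex digits


def generate_key_lines(key_ids, key_bits=256):
    """One '<id>;<HEX>' line per id, keys drawn from the OS CSPRNG."""
    if key_bits not in (128, 192, 256):
        raise ValueError("key size must be 128, 192 or 256 bits")
    if 1 not in key_ids:
        raise ValueError("key id 1 (the default key id) must be present")
    return [f"{kid};{secrets.token_hex(key_bits // 8).upper()}"
            for kid in sorted(set(key_ids))]


def write_key_file(path, lines):
    """Create the file with mode 0600 from the start, never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # in case the umask or an existing file widened it


def parse_key_lines(lines):
    """Return {key_id: key_bytes}; raise ValueError on anything the server
    could not use (bad syntax, unsupported key length, duplicate id, missing
    default key). Blank lines are skipped by this checker."""
    keys = {}
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<id>;<hex key>'")
        kid, hexkey = int(m.group(1)), m.group(2)
        if len(hexkey) not in VALID_HEX_LENGTHS:
            raise ValueError(f"line {lineno}: key {kid} is {len(hexkey) * 4} bits")
        if kid in keys:
            raise ValueError(f"line {lineno}: duplicate key id {kid}")
        keys[kid] = bytes.fromhex(hexkey)
    if 1 not in keys:
        raise ValueError("key id 1 missing")
    return keys


def key_lines_ok(lines):
    """True when parse_key_lines accepts the lines."""
    try:
        parse_key_lines(lines)
        return True
    except ValueError:
        return False


def owner_only(path):
    """True when group and others have no permission bits on the file."""
    return os.stat(path).st_mode & 0o077 == 0


def demo(key_ids=(1, 2, 3)):
    """Write a key file into a temporary directory and re-validate it."""
    path = os.path.join(tempfile.mkdtemp(), "keys.txt")  # illustrative path
    write_key_file(path, generate_key_lines(key_ids))
    with open(path) as f:
        keys = parse_key_lines(f)
    return {"path": path, "key_ids": sorted(keys),
            "key_bytes": len(keys[1]), "owner_only": owner_only(path),
            "posix": os.name == "posix"}


if __name__ == "__main__":
    print(demo())
```

Running the file writes a three-key file into a temporary directory and prints the validation result; a file produced this way is what file-key-management-plugin-filename (or file_key_management_filename in later releases) points at, with the mysqld user as its only reader.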

Page 10: Tablespace Encryption

• Choose the encryption algorithm, e.g. aes_ctr:
  encryption-algorithm=aes_ctr
• Load the key management plugin:
  plugin-load-add=example_key_management_plugin.so
  example_key_management_plugin
• Specify what to encrypt:
  innodb-encrypt-tables
  aria-encrypt-tables
  encrypt-tmp-disk-tables
  innodb-encrypt-log
• Key rotation:
  innodb-encryption-threads=4
  innodb-encryption-rotate-key-age=1800

example_key_management is a demonstration plugin whose keys are not secret; it is fine for trying the feature, but a production server needs file_key_management (previous slides) or another real key management plugin. innodb-encryption-rotate-key-age counts key versions, not seconds: the background threads re-encrypt any page whose key version is more than 1800 versions old. Leave innodb-encrypt-log on as well, otherwise the redo log still carries the data in clear.

Page 11: Performance Impact of Data Encryption

[Chart: TPC-C like OLTP benchmark showing the impact of encryption]

Page 12: Performance Impact of Data Encryption

[Chart: New Order transactions/second, benchmark showing the impact of encryption]

Page 13: More about Data Encryption

• Tablespace scrubbing: background process that regularly scans through the tables and upgrades the encryption keys
• More info: https://mariadb.com/kb/en/table-and-tablespace-encryption

In later MariaDB documentation the background re-encryption of pages with newer key versions is called key rotation (the innodb-encryption-* settings on the previous slide), while scrubbing refers to a separate background job that overwrites deleted and freed space so that old data does not linger in the tablespace.

Page 14: User Roles (section divider)

Page 15: Role-Based Access Control

[Diagram: database tables in MariaDB 10 accessed through the roles DBA, Developer and Sysadmin; the example role DBA carries the permissions Update Schema, View Statistics and Create Database]

Page 16: Roles

CREATE ROLE journalist;
GRANT SHOW DATABASES ON *.* TO journalist;
GRANT ALL ON db1.* TO journalist;
GRANT journalist TO user1;
SET DEFAULT ROLE journalist;

https://mariadb.com/kb/en/mariadb/roles-overview/

A granted role is not active until it is enabled: user1 only gets the journalist privileges after SET ROLE journalist in a session, or once a default role is set for the account. SET DEFAULT ROLE (MariaDB 10.1.1 and later) as written applies to the account that runs it; to set it for another account, use the FOR user1 form. Check the effective privileges with SHOW GRANTS and SELECT CURRENT_ROLE().

Page 17: Password Validation Plugins (section divider)

Page 18: Password validation plugins

• Password validation plugin API
  https://mariadb.com/kb/en/password-validation/
• simple_password_check plugin
  Can enforce a minimum password length and guarantee that a password contains at least a specified number of upper and lowercase letters, digits, and punctuation characters
  https://mariadb.com/kb/en/simple_password_check/
• cracklib_password_check plugin
  Uses CrackLib, a widely used library, to stop users from choosing easy to guess passwords. It includes checks that reject passwords based on the username or on a dictionary word, etc.
  https://mariadb.com/kb/en/cracklib_password_check/

Validation can only inspect a password that is supplied in clear (IDENTIFIED BY '...', SET PASSWORD = PASSWORD('...')). A pre-hashed IDENTIFIED BY PASSWORD '<hash>' cannot be checked, which is why strict_password_validation (on by default from 10.1.2) rejects such hashes whenever a validation plugin is loaded.
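What the two plugins on this slide reject, modelled as an added example (not code from the slides or from MariaDB) that can be used to pre-check a password before provisioning: the first function applies the four simple_password_check rules with the plugin's documented defaults, the second applies cracklib-style username and dictionary checks against a constructed word list standing in for CrackLib's dictionary.

```python
"""Pre-check a candidate password the way simple_password_check and
cracklib_password_check would reject it, before it reaches the server.

Added example, not code from the slides or the MariaDB plugins. The policy
mirrors simple_password_check's documented defaults (minimal_length 8,
digits 1, letters_same_case 1, other_characters 1); the word list is a
constructed stand-in for CrackLib's dictionary, and the cracklib-style
checks are a simplified model of what the library does.
"""

DEFAULT_POLICY = {
    "minimal_length": 8,
    "digits": 1,
    "letters_same_case": 1,  # applied to upper AND lower case separately
    "other_characters": 1,   # anything that is neither a letter nor a digit
}

# Constructed stand-in for the CrackLib dictionary.
SMALL_DICTIONARY = {"password", "welcome", "mariadb", "letmein", "qwerty"}


def simple_password_check(password, policy=DEFAULT_POLICY):
    """Names of the simple_password_check rules the password violates."""
    failures = []
    if len(password) < policy["minimal_length"]:
        failures.append("minimal_length")
    if sum(c.isdigit() for c in password) < policy["digits"]:
        failures.append("digits")
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    if min(upper, lower) < policy["letters_same_case"]:
        failures.append("letters_same_case")
    if sum(not c.isalnum() for c in password) < policy["other_characters"]:
        failures.append("other_characters")
    return failures


def cracklib_style_check(password, username, dictionary=SMALL_DICTIONARY):
    """Reject passwords built from the user name or from a dictionary word,
    ignoring case and any digits/punctuation placed around the word."""
    failures = []
    pw, user = password.lower(), username.lower()
    if user and (user in pw or user[::-1] in pw):
        failures.append("based_on_username")
    letters_only = "".join(c for c in pw if c.isalpha())
    if pw in dictionary or letters_only in dictionary:
        failures.append("dictionary_word")
    return failures


def check_password(password, username):
    """All violated rules; an empty list means both checks would accept it."""
    return simple_password_check(password) + cracklib_style_check(password, username)


if __name__ == "__main__":
    for pw in ("short", "Password1!", "Alice!2024", "Tq7#zRk!mW"):
        print(f"{pw!r:14} -> {check_password(pw, 'alice') or 'OK'}")
```

Password1! satisfies every simple_password_check rule and is still rejected by the dictionary check, which is the reason to load both plugins rather than only the length-and-character-class one.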

Page 19: Audit Plugin (section divider)

Page 20: Why is auditing needed?

• Monitoring system access
• Locating errors
• Discovering fraud
• Improvement of internal control
• Proving the fulfillment of security standards
• And more

Page 21: What to Monitor

• CONNECTION: CONNECT, DISCONNECT, FAILED CONNECT
• QUERY: DDL, DML+TCL, DCL
• OBJECT: DATABASE, TABLES
• Recorded with every event: TIMESTAMP, HOST, USER (SESSION)

Page 22: Auditing without Audit Plugin

• Log files: error log, slow query log, binary log, general log
• MySQL Proxy
• Triggers

Each of these covers only part of what the previous slide asks for: the general log records every statement but is expensive on a busy server, the binary log only contains statements and rows that changed data, the error and slow query logs only see failures and slow statements, and triggers only fire for row changes on the tables they are attached to and see neither connections nor SELECTs.

Page 23: Password "Filtering"

Starting with version 1.2.0 of the MariaDB Audit Plugin (server_audit), passwords will be replaced by a placeholder:

20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test4"@"localhost" IDENTIFIED BY PASSWORD *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = PASSWORD("mynewpwd")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (2,OLD_PASSWORD("mypwd2"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = OLD_PASSWORD("mynewpwd2")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'GRANT ALL ON *.* TO "test5"@"localhost" IDENTIFIED BY *****',0

In this sample the IDENTIFIED BY clauses of CREATE USER and GRANT are masked, while the string arguments of PASSWORD() and OLD_PASSWORD() inside ordinary INSERT and UPDATE statements are still logged in clear. Applications that hash their own credentials with these functions therefore end up with secrets in the audit log, and the log file needs the same protection as the data it describes.
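The sample records above, read the way a detection pipeline would read them, as an added example that is not code from the slides or from the audit plugin: it parses server_audit's comma-separated format, sorts each record into the CONNECTION / DDL / DML+TCL / DCL classes of the "What to Monitor" slide, and flags queries whose PASSWORD() or OLD_PASSWORD() argument survives the plugin's masking. Assumed: the field order timestamp, serverhost, user, host, connection id, query id, operation, database, object, return code, with the query text in single quotes; the seven QUERY lines are copied from the slide and the FAILED_CONNECT line is constructed for the example.

```python
"""Parse MariaDB Audit Plugin (server_audit) records, classify them as on
the "What to Monitor" slide and flag secrets that survive password masking.

Added example, not code from the slides or the plugin. Assumed record
layout: timestamp,serverhost,user,host,connection_id,query_id,operation,
database,object,retcode; for QUERY events the object is the statement in
single quotes (embedded quotes escaped as \\'). The seven QUERY lines are
the slide's; the FAILED_CONNECT line is constructed for this example.
"""
import re

SAMPLE_LOG = """\
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test1"@"localhost" IDENTIFIED BY *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'CREATE USER "test4"@"localhost" IDENTIFIED BY PASSWORD *****',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (1,PASSWORD("mypwd"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = PASSWORD("mynewpwd")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'INSERT INTO t_pwdtest VALUES (2,OLD_PASSWORD("mypwd2"))',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'UPDATE t_pwdtest SET mypwd = OLD_PASSWORD("mynewpwd2")',0
20150117 23:40:56,MYSQL5530,root,localhost,1,1,QUERY,,'GRANT ALL ON *.* TO "test5"@"localhost" IDENTIFIED BY *****',0
20150117 23:41:02,MYSQL5530,root,10.0.0.5,2,0,FAILED_CONNECT,,,1045
"""

FIELDS = ("timestamp", "serverhost", "user", "host", "connection_id",
          "query_id", "operation", "database")
DCL = ("GRANT", "REVOKE", "CREATE USER", "DROP USER", "SET PASSWORD",
       "CREATE ROLE", "DROP ROLE", "ALTER USER")
DDL = ("CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME")
DML_TCL = ("SELECT", "INSERT", "UPDATE", "DELETE", "REPLACE",
           "COMMIT", "ROLLBACK", "START TRANSACTION", "BEGIN", "SAVEPOINT")
# PASSWORD('...') / OLD_PASSWORD("...") with a literal argument still logged
CLEAR_SECRET = re.compile(r"\b(?:OLD_)?PASSWORD\s*\(\s*[\"']", re.IGNORECASE)


def parse_line(line):
    """One record -> dict, or None if the line does not have the layout."""
    parts = line.rstrip("\n").split(",", 8)
    if len(parts) != 9:
        return None
    rec = dict(zip(FIELDS, parts[:8]))
    rest = parts[8]
    if rec["operation"] == "QUERY":
        if not rest.startswith("'") or "'," not in rest:
            return None
        quoted, retcode = rest.rsplit("',", 1)  # the statement may contain commas
        rec["query"] = quoted[1:].replace("\\'", "'")
        rec["object"] = ""
    else:
        obj, retcode = rest.rsplit(",", 1)
        rec["object"], rec["query"] = obj, ""
    rec["retcode"] = int(retcode)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify(rec):
    """CONNECTION / DCL / DDL / DML+TCL as on the "What to Monitor" slide."""
    op = rec["operation"]
    if op in ("CONNECT", "DISCONNECT", "FAILED_CONNECT"):
        return "CONNECTION"
    if op != "QUERY":
        return op
    stmt = rec["query"].lstrip().upper()
    if stmt.startswith(DCL):  # checked before DDL: CREATE USER is not DDL
        return "DCL"
    if stmt.startswith(DDL):
        return "DDL"
    if stmt.startswith(DML_TCL):
        return "DML+TCL"
    return "OTHER"


def clear_text_secrets(records):
    """QUERY records whose PASSWORD()/OLD_PASSWORD() argument was not masked."""
    return [r for r in records
            if r["operation"] == "QUERY" and CLEAR_SECRET.search(r["query"])]


def summarize(text):
    records = parse_log(text)
    by_class = {}
    for r in records:
        cls = classify(r)
        by_class[cls] = by_class.get(cls, 0) + 1
    return {
        "records": len(records),
        "by_class": by_class,
        "failed_connects": [(r["user"], r["host"], r["retcode"]) for r in records
                            if r["operation"] == "FAILED_CONNECT"],
        "clear_text_secrets": [r["query"] for r in clear_text_secrets(records)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run against the slide's records it reports three DCL statements, four DML statements and one failed connection, and lists the four INSERT/UPDATE statements that still carry a clear-text password argument; the same functions can be pointed at a live server_audit file line by line.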

Page 24: Security Notifications (section divider)

Page 25: MariaDB Security Vulnerability Process

• Disclosure of a MariaDB security vulnerability
• Handling of MySQL security vulnerabilities
• MariaDB security listings
  • Full list of security fixes: https://mariadb.org/security
  • Security fixes in 10.0: https://mariadb.com/kb/en/mariadb/what-is-mariadb-100
• Release notes also have a specific list of security fixes
• Informing customers about fixed security vulnerabilities

Page 26: Questions