MySQL Security (MySQL 5.7)

Mark Swarbrick, MySQL Sales Consultant UK&I, [email protected]
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Uploaded by mark-swarbrick, posted 13-Aug-2015


43% of companies have experienced a data breach in the past year.
Source: Ponemon Institute, 2014

Oracle Confidential – Internal/Restricted/Highly Restricted

Mega Breaches

• 552 million identities exposed in 2013, a 493% increase over the previous year
• 77% of web sites had vulnerabilities; 1 in 8 of all websites had a critical vulnerability
• 8 breaches exposed more than 10 million records in 2013
• Total breaches increased 62% in 2013

Source: Internet Security Threat Report 2014, Symantec

Target Breach, 2013, $270 million
The hackers who committed the Target breach took 40 million credit and debit card numbers and 70 million records, including names and addresses of shoppers.
Source: Fortune.com, 2014

Cybercrime cost the global economy $575 billion/year
Source: paymetric.com, 2014

One major data breach discovered every month
Those breaches include Michaels Stores, Sally Beauty Supply, Neiman Marcus, AOL, eBay and P.F. Chang's Chinese Bistro.
Source: paymetric.com, 2014

Database Vulnerabilities

• Poor Configurations
  – Set controls and change default settings
• Over Privileged Accounts
  – Privilege Policies
• Weak Access Control
  – Dedicated Administrative Accounts
• Weak Authentication
  – Strong Password Enforcement
• Weak Auditing
  – Compliance & Audit Policies
• Lack of Encryption
  – Data, Backup, & Network Encryption
• Proper Credential or Key Management
  – Use mysql_config_editor, Key Vaults
• Unsecured Backups
  – Encrypted Backups
• No Monitoring
  – Security Monitoring, Users, Objects
• Poorly Coded Applications
  – Database Firewall

Database Attacks

• SQL Injection
  – Prevention: DB Firewall, White List, Input Validation
• Buffer Overflow
  – Prevention: Frequently apply database software updates, DB Firewall, White List, Input Validation
• Brute Force Attack
  – Prevention: lock out accounts after a defined number of incorrect attempts
• Network Eavesdropping
  – Prevention: Require SSL/TLS for all connections and transport
• Malware
  – Prevention: Tight access controls, limited network IP access, change default settings

Database Malicious Actions

• Information Disclosure: Obtain credit card and other personal information
  – Defense: Encryption (data and network), tighter access controls
• Denial of Service: Run resource intensive queries
  – Defense: Resource usage limits; set various limits (max connections, sessions, timeouts, ...)
• Elevation of Privilege: Retrieve and use administrator credentials
  – Defense: Stronger authentication, access controls, auditing
• Spoofing: Retrieve and use other credentials
  – Defense: Stronger account and password policies
• Tampering: Change data in the database, delete transaction records
  – Defense: Tighter access controls, auditing, monitoring, backups

Regulatory Compliance

• Regulations
  – PCI DSS: Payment card data
  – HIPAA: Privacy of health data
  – Sarbanes-Oxley: Accuracy of financial data
  – EU Data Protection Directive: Protection of personal data
  – Data Protection Act (UK): Protection of personal data
• Requirements
  – Continuous monitoring (users, schema, backups, etc.)
  – Data protection (encryption, privilege management, etc.)
  – Data retention (backups, user activity, etc.)
  – Data auditing (user activity, etc.)

https://www.mysql.com/why-mysql/white-papers/mysql-pci-data-security-compliance/

DBA Responsibilities

• Ensure only users who should get access can get access
• Limit what users and applications can do
• Limit from where users and applications can access data
• Watch what is happening, and when it happened
• Make sure to back things up securely
• Minimize attack surface

MySQL Security Overview

Diagram in the original deck: MySQL security is built from five areas.
• Authentication: MySQL native, Linux / LDAP, Windows AD, custom; proxy users
• Authorization: privilege management, administration, databases & objects
• Encryption: SSL/TLS, public key, private key, digital signatures
• Firewall: block threats
• Auditing: regulatory compliance, login and query activities

MySQL Authorization

• Administrative Privileges
• Database Privileges
• Session Limits and Object Privileges
• Fine grained controls over user privileges
  – Creating, altering and deleting databases
  – Creating, altering and deleting tables
  – Execute INSERT, SELECT, UPDATE, DELETE queries
  – Create, execute, or delete stored procedures, and with what rights
  – Create or delete indexes

Security Privilege Management in MySQL Workbench (screenshot in the original deck)

MySQL Privilege Management: Grant Tables

• user: user accounts and global privileges
• db: database-level privileges (database, tables, objects; keyed by user and host)
• tables_priv: table-level privileges (table and columns)
• columns_priv: column-level privileges (specific columns)
• procs_priv: stored procedure and function privileges (single function privilege)
• proxies_priv: proxy users and proxy privileges

MySQL Authentication

• Built in Authentication
  – user table stores users and encrypted passwords
• X.509
  – Server authenticates client certificates
• MySQL Native and SHA-256 Password plugins
  – Native uses SHA1, or the SHA-256 plugin with SHA-256 hashing and per-user salting for user account passwords
• MySQL Enterprise Authentication
  – Microsoft Active Directory
  – Linux PAMs (Pluggable Authentication Modules)
• Support LDAP and more

MySQL Password Policies

• Accounts without Passwords
  – Assign passwords to all accounts to prevent unauthorized use
• Password Validation Plugin
  – Enforce strong passwords
• Password Expiration/Rotation
  – Require users to reset their password
• Account lockout (in v. 5.7)

MySQL Encryption

• SSL/TLS Encryption
  – Between MySQL clients and server
  – Replication: between master & slave
• Data Encryption
  – AES Encrypt/Decrypt
• MySQL Enterprise Encryption
  – Asymmetric Encrypt/Decrypt
  – Generate public and private keys
  – Derive session keys
  – Digital signatures
• MySQL Enterprise Backup
  – AES Encrypt/Decrypt

SSL/TLS

• Encrypted connections
  – Between MySQL client and server
  – Replication: between master & slave
• MySQL enables encryption on a per-connection basis
  – Identity verification using the X.509 standard
• Specify the appropriate SSL certificate and key files
• Will work with trusted CAs (Certificate Authorities)
• Supports CRLs (Certificate Revocation Lists)

Database Auditing

• Auditing for Security & Compliance
  – FIPS, HIPAA, PCI-DSS, SOX, DISA STIG, ...
• MySQL built-in logging infrastructure:
  – general log, error log
• MySQL Enterprise Audit
  – Granularity made for auditing
  – Can be modified live
  – Contains additional details
  – Compatible with Oracle Audit Vault

Database Firewall

• SQL Injection: #1 web application vulnerability
  – 77% of web sites had vulnerabilities
  – 1 in 8 critical vulnerabilities
• MySQL Enterprise Firewall
  – Monitor database statements in real-time
  – Automatic white list "rules" generation for any application
  – Out of policy database transactions detected and blocked

MySQL Database Hardening

User Management
• Remove Extra Accounts
• Grant Minimal Privileges
• Audit users and privileges

Configuration
• Firewall
• Auditing and Logging
• Limit Network Access
• Monitor changes

Installation
• mysql_secure_installation
• Keep MySQL up to date
  − MySQL Installer for Windows
  − Yum/Apt Repository

Backups
• Monitor Backups
• Encrypt Backups

Encryption
• SSL/TLS for Secure Connections
• Data Encryption (AES, RSA)

Passwords
• Strong Password Policy
• Hashing, Expiration
• Password Validation Plugin

MySQL 5.7 Linux Packages - Security Improvements

• Test/Demo database has been removed
  – Now in separate packages (prod/dev)
• Anonymous account creation is removed
• Creation of single root account – local host only
• Default installation ensures encrypted communication by default
  – Automatic generation of SSL/RSA certs/keys
    • For EE: at server startup, if the cert/key options were not set
    • For CE: through the new mysql_ssl_rsa_setup utility
  – Automatic detection of SSL certs/keys
  – Client attempts secure TLS connection by default

MySQL Installer for Windows includes various security setup and hardening steps

MySQL Database Hardening: Installation

• mysql_secure_installation / MySQL Installer for Windows
  – Set a strong password for the root account
  – Remove root accounts that are accessible from outside the local host
  – Remove anonymous-user accounts
  – Remove the test database
    • Which by default can be accessed by all users, including anonymous users
• Keep MySQL up to date
  – Repos – YUM/APT/SUSE
  – MySQL Installer for Windows
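The installation clean-up above, followed by the least-privilege and resource-limit controls from the earlier slides, as an added example on MySQL 5.7 that is not part of the deck. The account, subnet and schema names ('app_ro', 'app_rw', '10.0.0.%', shop) are assumptions, and the password strings are placeholders.

```sql
-- Added example (not from the deck): account audit and clean-up on MySQL 5.7 that
-- covers what mysql_secure_installation does, then the least-privilege and resource
-- limit controls from the earlier slides. Account and schema names ('app_ro',
-- 'app_rw', '10.0.0.%', shop) are assumptions; replace the password placeholders.

-- 1. Find the accounts the deck says to remove: anonymous users, root reachable from
--    outside the local host, accounts without a password, and pre-4.1 password hashes.
SELECT user, host, plugin, authentication_string
  FROM mysql.user
 WHERE user = ''                                                          -- anonymous
    OR (user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1'))  -- remote root
    OR authentication_string = ''                                         -- no password
    OR plugin = 'mysql_old_password';                                     -- old format

-- 2. Remove them (IF EXISTS needs 5.7.8+; drop whatever step 1 actually returned).
DROP USER IF EXISTS ''@'localhost', ''@'%', 'root'@'%';

-- 3. Remove the test database and the wildcard grants that let any user, including
--    anonymous ones, use it (these rows come from older default installs).
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db IN ('test', 'test\\_%');
FLUSH PRIVILEGES;

-- 4. Least privilege: one account per application role, restricted to the application
--    subnet, SHA-256 password hashing, TLS required, and a connection cap so a
--    runaway or abusive client cannot exhaust the server (the DoS defence slide).
CREATE USER 'app_ro'@'10.0.0.%'
  IDENTIFIED WITH sha256_password BY 'CHANGE-ME-placeholder'
  REQUIRE SSL
  WITH MAX_USER_CONNECTIONS 50;
GRANT SELECT ON shop.* TO 'app_ro'@'10.0.0.%';

CREATE USER 'app_rw'@'10.0.0.%'
  IDENTIFIED WITH sha256_password BY 'CHANGE-ME-placeholder'
  REQUIRE SSL
  WITH MAX_USER_CONNECTIONS 20 MAX_QUERIES_PER_HOUR 100000;
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app_rw'@'10.0.0.%';
-- Deliberately not granted to either: FILE, SUPER, PROCESS, GRANT OPTION, DDL rights.

-- 5. Server-wide resource limits (max connections, sessions, timeouts).
SET GLOBAL max_connections = 300;
SET GLOBAL wait_timeout = 600;            -- idle session timeout, seconds
SET GLOBAL max_execution_time = 30000;    -- 5.7.8+: kill SELECTs running over 30 s

-- 6. Verify who can connect from where, and what they may do.
SELECT user, host, plugin, ssl_type, max_user_connections
  FROM mysql.user ORDER BY user, host;
SHOW GRANTS FOR 'app_rw'@'10.0.0.%';
```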

Software Updates - Database and OS Maintenance

• Maintaining security requires keeping operating system and MySQL security patches up to date
  – May require a restart (mysql or operating system) to take effect
• To enable seamless upgrades consider MySQL Replication
  – Allows for changes to be performed in a rolling fashion
    • Best practice to upgrade slaves first
  – MySQL 5.6 and above supports GTID-based replication
    • Provides for simple rolling upgrades
• Follow OS vendor specific hardening guidelines
  – For example: http://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html

MySQL Database Hardening: Configuration

• Audit Activity
  – Use Enterprise Audit
  – Alternatively, transiently enable query logging
  – Monitor and inspect regularly
• Disable or Limit Remote Access
  – If local only: "skip-networking" or bind-address=127.0.0.1
  – If remote access is needed, limit hosts/IP
• Change root username
• Disable unauthorized reading from local files
  – Disable LOAD DATA LOCAL INFILE
• Run MySQL on a non-default port
  – More difficult to find the database
• Limit MySQL OS User
• Ensure secure-auth is enabled (do not allow the old password format)

MySQL Database Hardening: Best Practices

Parameter: secure_file_priv
  Recommended value: a designated leaf directory for data loads
  Why: only allows files to be loaded from a specific location; limits use of MySQL to get data from across the OS

Parameter: symbolic_links
  Recommended value: Boolean – NO
  Why: prevents redirection into less secure filesystem directories

Parameter: default-storage_engine
  Recommended value: InnoDB
  Why: ensures transaction commits, data safety!

Parameter: general-log
  Recommended value: Boolean – OFF
  Why: should only be used for debugging – off otherwise

Parameter: log-raw
  Recommended value: Default – OFF
  Why: should only be used for debugging – off otherwise

Parameter: skip-networking or bind-address
  Recommended value: ON / 127.0.0.1
  Why: if all local, then block network connections or limit to the local host

Parameter: SSL options
  Recommended value: set valid values
  Why: should encrypt network communication
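A way to check a running 5.7 server against the recommended values in the table and fix what can be changed online, as an added example that is not from the deck. File paths, the port number and the expected values for the SSL variables are assumptions; the restart-only settings are shown as my.cnf comments.

```sql
-- Added example (not from the deck): checking a MySQL 5.7 server against the recommended
-- values in the table above, then fixing what can be changed online. Static settings
-- (secure_file_priv, skip-networking/bind-address, symbolic links, SSL files, port) live in
-- my.cnf and need a restart; they are shown as comments. Paths are assumptions.

-- 1. Current values of the parameters the table covers (log-raw is a startup option only
--    in 5.7 and has no variable to query; check the mysqld command line for --log-raw).
SHOW GLOBAL VARIABLES
 WHERE Variable_name IN ('secure_file_priv', 'have_symlink', 'default_storage_engine',
                         'general_log', 'skip_networking', 'bind_address', 'local_infile',
                         'have_ssl', 'ssl_ca', 'ssl_cert', 'ssl_key', 'require_secure_transport');

-- 2. The same check as a pass/fail report: join the live values against the expected ones.
--    Needs show_compatibility_56 = OFF (the default from 5.7.8) so that
--    performance_schema.global_variables is populated.
SELECT r.variable_name, v.variable_value, r.expected,
       IF(v.variable_value = r.expected, 'ok', 'CHECK') AS status
  FROM (SELECT 'have_symlink' AS variable_name, 'DISABLED' AS expected
        UNION ALL SELECT 'default_storage_engine',   'InnoDB'
        UNION ALL SELECT 'general_log',              'OFF'
        UNION ALL SELECT 'skip_networking',          'ON'
        UNION ALL SELECT 'local_infile',             'OFF'
        UNION ALL SELECT 'have_ssl',                 'YES'
        UNION ALL SELECT 'require_secure_transport', 'ON') AS r
  JOIN performance_schema.global_variables AS v USING (variable_name)
 ORDER BY r.variable_name;

-- 3. Online fixes for the dynamic settings.
SET GLOBAL general_log = OFF;                  -- debugging only
SET GLOBAL default_storage_engine = 'InnoDB';  -- transactional, crash-safe
SET GLOBAL local_infile = OFF;                 -- server side of "disable LOAD DATA LOCAL INFILE"
SET GLOBAL require_secure_transport = ON;      -- 5.7.8+: refuse unencrypted TCP connections

-- 4. Restart-time settings, as they would appear under [mysqld] in my.cnf (assumed paths):
--   secure_file_priv = /var/lib/mysql-files   # leaf directory for data loads; '' allows any path
--   skip-symbolic-links                        # have_symlink then shows DISABLED
--   bind-address = 127.0.0.1                   # or skip-networking when every client is local
--   port = 33306                               # non-default port, as the configuration slide suggests
--   ssl-ca = /etc/mysql/ssl/ca.pem
--   ssl-cert = /etc/mysql/ssl/server-cert.pem
--   ssl-key = /etc/mysql/ssl/server-key.pem

-- 5. Confirm that this session is actually encrypted after the change.
SHOW SESSION STATUS LIKE 'Ssl_cipher';         -- a non-empty value means TLS is in use
```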

MySQL Database Hardening: Password Policies

• Enforce Strong Password Policies
• Password Hashing
• Password Expiration
• Password Validation Plugin
• Authentication Plugin
  – Inherits the password policies from the component
  – LDAP, Windows Active Directory, etc.
• Disable accounts when not in use
  – Account lockout (5.7+)
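The password policies listed above, applied on MySQL 5.7 as an added example that is not from the deck: the validation plugin, expiration, SHA-256 hashing and account lockout. The account names and the dictionary file path are assumptions, and the password strings are placeholders.

```sql
-- Added example (not from the deck): enforcing the password policies the deck lists
-- on MySQL 5.7. Account names and the dictionary path are assumptions.

-- 1. Password Validation Plugin: reject weak passwords at CREATE USER / ALTER USER / SET PASSWORD.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = 'STRONG';   -- LOW | MEDIUM | STRONG (STRONG adds the dictionary check)
SET GLOBAL validate_password_length = 14;
SET GLOBAL validate_password_mixed_case_count = 1;
SET GLOBAL validate_password_number_count = 1;
SET GLOBAL validate_password_special_char_count = 1;
SET GLOBAL validate_password_dictionary_file = '/etc/mysql/weak-passwords.txt';  -- assumed path
-- Score a candidate without storing it: 0..100, anything below the policy is rejected.
SELECT VALIDATE_PASSWORD_STRENGTH('Summer2015');

-- 2. Expiration / rotation: a default lifetime for every account, overridden per account.
SET GLOBAL default_password_lifetime = 90;              -- days; 0 disables expiry
ALTER USER 'app_rw'@'10.0.0.%' PASSWORD EXPIRE NEVER;   -- service account rotated by the secrets process instead
ALTER USER 'jsmith'@'%' PASSWORD EXPIRE;                -- force a reset at next login

-- 3. Hashing: find accounts still on the SHA-1 native plugin and move them to sha256_password.
SELECT user, host, plugin FROM mysql.user WHERE plugin <> 'sha256_password';
ALTER USER 'jsmith'@'%' IDENTIFIED WITH sha256_password BY 'CHANGE-ME-placeholder';

-- 4. Disable accounts that are not in use (account lockout, 5.7.6+).
ALTER USER 'old_batch'@'localhost' ACCOUNT LOCK;
SELECT user, host, account_locked, password_expired, password_last_changed
  FROM mysql.user;
-- Re-enable only when the account is needed again:
ALTER USER 'old_batch'@'localhost' ACCOUNT UNLOCK;
```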

MySQL Database Hardening: Backups

• Backups are Business Critical
  – Used to restore after attack
  – Migrate, move or clone server
  – Part of audit trail
• Regularly Scheduled Backups
• Monitor Backups
• Encrypt Backups

Applications and Credentials - Best Practices

• Applications – minimize sharing credentials (username/password)
  – The finer grained the better – don't overload across many applications/servers
• Should enable support for credential rotation
  – Do not require all passwords to be changed in synchronization
  – Facilitates better troubleshooting and root-cause analysis
• Steps to changing credentials should be secure and straightforward
  – Not embedded in your code
• Can be changed without redeploying an application
• Should never be stored in version control and must differ between environments
• Applications should get credentials using a secure configuration methodology

MySQL Enterprise Edition

• MySQL Enterprise Authentication
  – External authentication modules
    • Microsoft AD, Linux PAMs
• MySQL Enterprise Encryption
  – Public/private key cryptography
  – Asymmetric encryption
  – Digital signatures, data validation
• MySQL Enterprise Firewall
  – Query monitoring, white list matching
• MySQL Enterprise Audit
  – User activity auditing, regulatory compliance
• MySQL Enterprise Monitor
  – Changes in database configurations, users, permissions, database schema, passwords
• MySQL Enterprise Backup
  – Securing backups, AES 256 encryption

MySQL Enterprise Monitor

• Enforce MySQL Security Best Practices
  – Identifies vulnerabilities
  – Assesses current setup against security hardening policies
• Monitoring & Alerting
  – User monitoring
  – Password monitoring
  – Schema change monitoring
  – Backup monitoring
  – Firewall monitoring? (for 3.1 – ML is checking)
• Configuration Management
  – Configuration tuning advice
• Centralized User Management

"I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on."

Sandi Barr, Sr. Software Engineer, Schneider Electric

Oracle Enterprise Manager for MySQL

Performance, Security, Availability
• Availability monitoring
• Performance monitoring
• Configuration monitoring
• All available metrics collected
  – Allowing for custom threshold based incident reports
• MySQL auto-detection

MySQL Enterprise Firewall

• Real Time Protection
  – Queries analyzed and matched against white list
• Blocks SQL Injection Attacks
  – Positive security model
• Block Suspicious Traffic
  – Out of policy transactions detected & blocked
• Learns White List
  – Automated creation of approved list of SQL command patterns on a per user basis
• Transparent
  – No changes to application required

MySQL Enterprise Firewall monitoring (screenshot in the original deck)

MySQL Enterprise Firewall

• SQL injection protection with positive security model
• Out of policy database transactions detected and blocked
• Logging & analysis

Diagram in the original deck: applications send statements through the white list.
  Select *.* from employee where id=22           → Allow & Log ✔
  Select *.* from employee where id=22 or 1=1    → Block & Log ✖

Firewall Overview

Diagram in the original deck: inbound SQL traffic from web applications on the Internet passes through the firewall in front of the MySQL instance. Statements in the whitelist are allowed (normal SQL reaches the tables and returns results); statements not in the whitelist, such as a SQL injection attack via the browser, are blocked.

Firewall Workflow (diagram in the original deck)

MySQL Enterprise Firewall Details

• Firewall operation is turned on at a per user level
• Per user states are
  – RECORDING
  – PROTECTING
  – OFF

Per User Firewall White Lists (screenshot in the original deck)

What happens when SQL is blocked?

• The client application gets an ERROR

    mysql> SELECT first_name, last_name FROM customer WHERE customer_id = 1 OR TRUE;
    ERROR 1045 (28000): Statement was blocked by Firewall
    mysql> SHOW DATABASES;
    ERROR 1045 (28000): Statement was blocked by Firewall
    mysql> TRUNCATE TABLE mysql.user;
    ERROR 1045 (28000): Statement was blocked by Firewall

• Reported to the error log
• Increment counter

Monitoring the Firewall

Firewall status counters:

    mysql> SHOW STATUS LIKE 'Firewall%';
    +-------------------------+-------+
    | Variable_name           | Value |
    +-------------------------+-------+
    | Firewall_access_denied  | 32    |
    | Firewall_access_granted | 138   |
    | Firewall_cached_entries | 39    |
    +-------------------------+-------+
    3 rows in set (0,00 sec)

What's the whitelist look like?

    mysql> SELECT userhost, substr(rule,1,80) FROM mysql.firewall_whitelist WHERE userhost= 'wpuser@localhost';
    +------------------+----------------------------------------------------------------------------------+
    | userhost         | substr(rule,1,80)                                                                |
    +------------------+----------------------------------------------------------------------------------+
    | wpuser@localhost | SELECT * FROM `wp_posts` WHERE `ID` = ? LIMIT ?                                  |
    | wpuser@localhost | SELECT `option_value` FROM `wp_options` WHERE `option_name` = ? LIMIT ?          |
    | wpuser@localhost | SELECT `wp_posts` . * FROM `wp_posts` WHERE ? = ? AND `wp_posts` . `ID` = ? AND  |
    ...
    | wpuser@localhost | UPDATE `wp_posts` SET `comment_count` = ? WHERE `ID` = ?                         |
    | wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A |
    | wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A |
    +------------------+----------------------------------------------------------------------------------+
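The per-user workflow behind the three firewall states, the whitelist, the status counters and the blocked-statement error shown on the slides above, as an added example that is not from the deck. It assumes MySQL 5.7 with MySQL Enterprise Firewall installed through the linux_install_firewall.sql script shipped with the server; the account 'wpuser'@'localhost' is taken from the whitelist slide, and the rule inserted in step 5 is constructed.

```sql
-- Added example (not from the deck): operating MySQL Enterprise Firewall per account on
-- MySQL 5.7. Assumes the plugin and its mysql.* helper tables and procedures were installed
-- with the linux_install_firewall.sql script that ships with the server.
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';     -- ON once the plugin is installed

-- 1. RECORDING: run the application's normal workload as wpuser so the firewall learns
--    its statement patterns (literals are replaced by '?', as on the whitelist slide).
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'RECORDING');
--    ... exercise every code path of the application as wpuser, then review what was learned:
SELECT userhost, rule
  FROM mysql.firewall_whitelist
 WHERE userhost = 'wpuser@localhost';

-- 2. PROTECTING: switch to enforcement. A statement whose normalised form is not in the
--    list fails with "ERROR 1045 (28000): Statement was blocked by Firewall".
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'PROTECTING');
SELECT userhost, mode FROM mysql.firewall_users;      -- confirm the state per account

-- 3. Monitor: Firewall_access_denied should stay flat in normal operation; a jump is the
--    signal to investigate. With tracing on, each rejected statement goes to the error log.
SHOW GLOBAL STATUS LIKE 'Firewall%';
SET GLOBAL mysql_firewall_trace = ON;

-- 4. Change control: when a release adds a legitimate query, either record again or add its
--    normalised digest by hand (constructed example rule), then reload the account's cache.
INSERT INTO mysql.firewall_whitelist (userhost, rule)
VALUES ('wpuser@localhost',
        'SELECT `post_title` FROM `wp_posts` WHERE `post_status` = ? LIMIT ?');
CALL mysql.sp_reload_firewall_rules('wpuser@localhost');

-- 5. Suspending enforcement for one account leaves every other account protected.
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'OFF');
```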

MySQL Enterprise Firewall Documentation

• http://dev.mysql.com/doc/refman/5.6/en/firewall.html
• http://mysqlserverteam.com/new-mysql-enterprise-firewall-prevent-sql-injection-attacks/

MySQL Enterprise Authentication

• Integrate with Centralized Authentication Infrastructure
  – Centralized account management
  – Password policy management
  – Groups & roles
• PAM (Pluggable Authentication Modules)
  – Standard interface (Unix, LDAP, Kerberos, others)
• Windows
  – Access native Windows service – use to authenticate users using Windows Active Directory or to a native host

Integrates MySQL with existing security infrastructures

MySQL Enterprise Authentication: PAM

• Standard Interface
  – LDAP
  – Unix/Linux
• Proxy Users

MySQL Enterprise Authentication: Windows

• Windows Active Directory
• Windows Native Services

MySQL Enterprise Encryption

• MySQL encryption functions
  – Symmetric encryption AES256 (all editions)
  – Public-key / asymmetric cryptography – RSA
• Key management functions
  – Generate public and private keys
  – Key exchange methods: DH
• Sign and verify data functions
  – Cryptographic hashing for digital signing, verification, & validation – RSA, DSA

MySQL Enterprise Encryption Functions (four diagrams in the original deck)

The public key only encrypts; the private key can decrypt. "This is a secret" is encrypted to "#@%@&#" and decrypted back to "This is a secret". The functions can generate public/private key pairs (or use those generated externally, say by OpenSSL), and they can be called from a client application or within MySQL (function call). The four deployment patterns shown:
1. All within MySQL: key generation, encryption and decryption by MySQL function calls.
2. App encrypts; MySQL stores and decrypts.
3. App encrypts; MySQL stores; app decrypts.
4. Oracle (or other) Key Vault generates the keys; the app encrypts (it only has the public key); MySQL stores and decrypts.
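The public-key flow from the diagrams above, run with the MySQL Enterprise Encryption functions on MySQL 5.7, as an added example that is not from the deck; it also goes one step beyond the slides by pairing RSA with AES-256 for bulk data, since RSA only encrypts short inputs. The card_vault table, the data-encryption key handling and the test card number are constructed.

```sql
-- Added example (not from the deck): the public-key flow of the diagrams above using the
-- MySQL Enterprise Encryption functions (openssl_udf) on 5.7, plus symmetric AES-256 for bulk
-- data, which is available in all editions. Table and column names are constructed.

-- 1. Key pair generated inside MySQL (pattern 1). In patterns 2-4 the private key is generated
--    externally (OpenSSL or a key vault) and only the public key is handed to the application.
SET @priv = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv);

-- 2. Encrypt with the public key ("it only encrypts"). RSA input is limited to the key size
--    minus padding overhead (245 bytes here), so it protects secrets and keys, not bulk rows.
SET @cipher = ASYMMETRIC_ENCRYPT('RSA', 'This is a secret', @pub);
SELECT LENGTH(@cipher);                                          -- 256 bytes for a 2048-bit key

-- 3. Decrypt with the private key ("it can decrypt").
SELECT ASYMMETRIC_DECRYPT('RSA', @cipher, @priv) AS plaintext;   -- This is a secret

-- 4. Sign and verify: hash the data, sign the digest with the private key, verify with the
--    public key. A tampered message yields a different digest and verification returns 0.
SET @digest = CREATE_DIGEST('SHA256', 'This is a secret');
SET @sig    = ASYMMETRIC_SIGN('RSA', @digest, @priv, 'SHA256');
SELECT ASYMMETRIC_VERIFY('RSA', @digest, @sig, @pub, 'SHA256') AS valid;        -- 1
SELECT ASYMMETRIC_VERIFY('RSA', CREATE_DIGEST('SHA256', 'Tampered'), @sig, @pub, 'SHA256'); -- 0

-- 5. Bulk data: AES-256-CBC with a fresh random IV per row; the data-encryption key (DEK) is
--    what gets RSA-encrypted, so a reader needs the private key to unwrap it.
SET SESSION block_encryption_mode = 'aes-256-cbc';
SET @dek = RANDOM_BYTES(32);                                     -- 256-bit data-encryption key
SET @iv  = RANDOM_BYTES(16);
CREATE TABLE card_vault (
  id          INT PRIMARY KEY,
  iv          VARBINARY(16),
  pan         VARBINARY(64),                                    -- AES output, padded to 16-byte blocks
  wrapped_dek VARBINARY(256)                                    -- RSA_2048(DEK) under the public key
);
INSERT INTO card_vault VALUES
  (1, @iv, AES_ENCRYPT('4111111111111111', @dek, @iv),          -- well-known test card number
   ASYMMETRIC_ENCRYPT('RSA', @dek, @pub));

-- 6. Read path: unwrap the DEK with the private key, then decrypt the row with its own IV.
SELECT CAST(AES_DECRYPT(pan, ASYMMETRIC_DECRYPT('RSA', wrapped_dek, @priv), iv) AS CHAR) AS pan
  FROM card_vault WHERE id = 1;                                  -- 4111111111111111
```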

MySQL Enterprise Audit

• Out-of-the-box logging of connections, logins, and queries
• User defined policies for filtering, and log rotation
• Dynamically enabled, disabled: no server restart
• XML-based audit stream per Oracle Audit Vault spec

Adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)

Workflow (diagram in the original deck):
1. DBA enables Audit plugin
2. User Joe connects and runs a query
3. Joe's connection & query logged
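Step 1 of the workflow above, carried through on MySQL 5.7 as an added example that is not from the deck: loading the audit plugin without a restart, then setting the filtering and rotation policies the slide mentions. The excluded account name is an assumption.

```sql
-- Added example (not from the deck): enabling and tuning MySQL Enterprise Audit on 5.7
-- without a server restart. The account name in the exclude list is an assumption.

-- 1. Load the plugin online. Add "plugin-load-add=audit_log.so" under [mysqld] in my.cnf
--    so it is active after the next restart as well; the default log file is
--    audit.log in the data directory.
INSTALL PLUGIN audit_log SONAME 'audit_log.so';
SHOW PLUGINS;                                      -- audit_log should show ACTIVE

-- 2. Filtering policy (the legacy dynamic variables, valid across 5.7; 5.7.13+ also offers
--    JSON rule-based filters through audit_log_filter_set_filter()).
SET GLOBAL audit_log_connection_policy = 'ALL';    -- ALL | ERRORS | NONE: every connect/disconnect
SET GLOBAL audit_log_statement_policy  = 'ALL';    -- ALL | ERRORS | NONE: every statement
-- Drop the health-check account from the stream. include and exclude lists are mutually
-- exclusive: set the other one to NULL before changing this one.
SET GLOBAL audit_log_include_accounts  = NULL;
SET GLOBAL audit_log_exclude_accounts  = 'monitor@localhost';

-- 3. Rotation: automatically at 1 GiB, or on demand for an archive job.
SET GLOBAL audit_log_rotate_on_size = 1073741824;
-- Manual rotation when audit_log_rotate_on_size = 0: rename the file, then flush so the
-- plugin reopens a fresh one.
SET GLOBAL audit_log_flush = ON;

-- 4. Verify the stream is live and nothing is being dropped. The file format (OLD/NEW XML
--    for Audit Vault) is set with audit_log_format at startup and is read-only here.
SHOW GLOBAL VARIABLES LIKE 'audit_log%';
SHOW GLOBAL STATUS LIKE 'Audit_log%';              -- Audit_log_events_written vs Audit_log_events_lost

-- 5. Disabling is equally dynamic: no restart needed.
-- UNINSTALL PLUGIN audit_log;
```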

MySQL Enterprise Backup

• Online backup for InnoDB (scriptable interface)
• Full, incremental, partial backups (with compression)
• Strong encryption (AES 256)
• Point in time, full, partial recovery options
• Metadata on status, progress, history
• Scales – high performance/unlimited database size
• Windows, Linux, Unix
• Certified with Oracle Secure Backup, NetBackup, Tivoli, others

MySQL Enterprise Oracle Certifications

• Oracle Enterprise Manager for MySQL
• Oracle Linux (w/DRBD stack)
• Oracle VM
• Oracle Solaris
• Oracle Solaris Clustering
• Oracle Clusterware
• Oracle Audit Vault and Database Firewall
• Oracle Secure Backup
• Oracle Fusion Middleware
• Oracle GoldenGate
• My Oracle Support

MySQL integrates into your Oracle environment

Oracle Audit Vault and Database Firewall

• Oracle DB Firewall
  – Oracle, MySQL, SQL Server, IBM DB2, Sybase
  – Activity monitoring & logging
  – White list, black list, exception list
• Audit Vault
  – Built-in compliance reports
  – External storage for audit archive

Thank You