SlideShare ist ein Scribd-Unternehmen logo

MariaDB Server & MySQL Security Essentials 2016

Colin Charles
Colin Charles

This document summarizes a presentation on MariaDB/MySQL security essentials. The presentation covered historically insecure default configurations, privilege escalation vulnerabilities, access control best practices like limiting privileges to only what users need and removing unnecessary accounts. It also discussed authentication methods like SSL, PAM, Kerberos and audit plugins. Encryption at the table, tablespace and binary log level was explained as well. Preventing SQL injections and available security assessment tools were also mentioned.

Technologie
1 von 50
MariaDB/MySQL Security Essentials Colin Charles, Team MariaDB, MariaDB Corporation colin@mariadb.com / byte@bytebot.net http://bytebot.net/blog/ | @bytebot on Twitter FLOSSUK 2016, London 17 March 2016
whoami • Work on MariaDB at MariaDB Corporation (SkySQL Ab) • Merged with Monty Program Ab, makers of MariaDB • Formerly MySQL AB (exit: Sun Microsystems) • Past lives include Fedora Project (FESCO), OpenOffice.org • MySQL Community Contributor of the Year Award winner 2014
Historically… • No password for the ‘root’ user • There is a default ‘test’ database • Find a password from application config files (wp- config.php, drupal’s settings.php, etc.) • Are your datadir permissions secure (/var/lib/ mysql)? • can you run strings mysql/user.MYD ?
Can you view privileges to find a user with more access? MariaDB [(none)]> SELECT host,user,password from mysql.user; +--------------+-------------------+----------+ | host | user | password | +--------------+-------------------+----------+ | localhost | root | | | sirius | root | | | 127.0.0.1 | root | | | ::1 | root | | | localhost | | | | sirius | | | +--------------+-------------------+----------+
More things to think about • Does replication connection have global permissions? • If you can start/stop mysqld process, you can reset passwords • Can you edit my.cnf? You can run a SQL file when mysqld starts with init-file
sql_mode • 5.6 default = NO_ENGINE_SUBSTITUTION • SQL_MODE = STRICT_ALL_TABLES, NO_ENGINE_SUBSTITUTION • Keeps on improving, like deprecating NO_ZERO_DATE, NO_ZERO_IN_DATE (5.6.17) and making it part of strict mode
mysql_secure_installation • Pretty basic to run, but many don’t • Remove anonymous users • Remove test database • Remove non-localhost root users • Set a root password
Creating users • The lazy way • CREATE USER ‘foo’@‘%’; • GRANT ALL ON *.* TO ‘foo’@‘%’; • The above gives you access to all tables in all databases + access from any external location • ALL gives you a lot of privileges, including SHUTDOWN, SUPER, CHANGE MASTER, KILL, USAGE, etc.
SUPER privileges • Can bypass a read_only server • Can bypass init_connect • Can disable binary logging • Can dynamically change configuration • Reached max_connections? Can still make one connection • https://dev.mysql.com/ doc/refman/5.6/en/ privileges- provided.html#priv_super • SUPER Read Only: prohibit client updates for everyone
So… only give users what they need • CREATE USER ‘foo’@‘localhost’ IDENTIFIED by ‘password’; • GRANT CREATE, SELECT, INSERT, UPDATE, DELETE on db.* to ‘foo’@‘localhost’;
And when it comes to applications… • Viewer? (read only access only) • SELECT • User? (read/write access) • SELECT, INSERT, UPDATE, DELETE • DBA? (provide access to the database) • CREATE, DROP, etc.
Installation • Using your Linux distribution… mostly gets you MariaDB when you ask for mysql-server • Except on Debian/Ubuntu • However, when you get mariadb-server, you get an authentication plugin — auth_socket for “automatic logins” • You are asked by debhelper to enter a password • You can use the APT/YUM repositories from Oracle MySQL, Percona or MariaDB • Don’t disable SELinux: system_u:system_r:mysqld_t:s0
Enable log-warnings • Enable —log_warnings=2 • Can keep track of access denied messages • Worth noting there are differences here in MySQL & MariaDB • https://dev.mysql.com/doc/refman/5.6/en/server- options.html#option_mysqld_log-warnings • https://mariadb.com/kb/en/mariadb/server-system- variables/#log_warnings
MySQL 5.6 improvements • Password expiry • ALTER USER 'foo'@'localhost' PASSWORD EXPIRE; • https://dev.mysql.com/doc/refman/5.6/en/ password-expiration-sandbox-mode.html • Password validation plugin • VALIDATE_PASSWORD_STRENGTH()
MySQL 5.6 II • mysql_config_editor - store authentication credentials in an encrypted login path file named .mylogin.cnf • http://dev.mysql.com/doc/refman/5.6/en/mysql- config-editor.html • Random ‘root’ password on install • mysql_install_db —random-passwords stored in $HOME/.mysql_secret
MySQL 5.7 • Improved password expiry — automatic password expiration available, so set default_password_lifetime in my.cnf • You can also require password to be changed every n- days • ALTER USER ‘foo'@'localhost' PASSWORD EXPIRE INTERVAL n DAY; • There is also account locking/unlocking now • ACCOUNT LOCK/ACCOUNT UNLOCK
SSL • You’re using the cloud and you’re using replication… you don’t want this in cleartext • Setup SSL (note: yaSSL vs OpenSSL can cause issues) • https://dev.mysql.com/doc/refman/5.6/en/ssl- connections.html • Worth noting 5.7 has a new tool: mysql_ssl_rsa_setup
Initialise data directory using mysqld now • mysql_install_db is deprecated in 5.7 • mysqld itself handles instance initialisation • mysqld —initialize • mysqld —initialize-insecure
MariaDB passwords • Password validation plugin (finally) exists now • https://mariadb.com/kb/en/mariadb/development/mariadb- internals-documentation/password-validation/ • simple_password_check password validation plugin • can enforce a minimum password length and guarantee that a password contains at least a specified number of uppercase and lowercase letters, digits, and punctuation characters. • cracklib_password_check password validation plugin • Allows passwords that are strong enough to pass CrackLib test. This is the same test that pam_cracklib.so does
authentication plugins
What you do today • MySQL stores accounts in the user table of the my mysql database • CREATE USER ‘foo’@‘localhost’ IDENTIFIED BY ‘password’;
select plugin_name, plugin_status from information_schema.plugins where plugin_type='authentication'; +-----------------------+---------------+ | plugin_name | plugin_status | +-----------------------+---------------+ | mysql_native_password | ACTIVE | | mysql_old_password | ACTIVE | +-----------------------+---------------+ 2 rows in set (0.00 sec)
Subtle difference w/MariaDB & MySQL usernames • Usernames in MariaDB > 5.5.31? 80 character limit (which you have to reload manually) create user 'long12345678901234567890'@'localhost' identified by 'pass'; Query OK, 0 rows affected (0.01 sec) vs ERROR 1470 (HY000): String 'long12345678901234567890' is too long for user name (should be no longer than 16)
Installing plugins • MariaDB: INSTALL SONAME ‘auth_socket’ • MySQL: INSTALL PLUGIN auth_socket SONAME ‘auth_socket.so’
auth_socket • Authenticates against the Unix socket file • Uses so_peercred socket option to obtain information about user running client • CREATE USER ‘foo’@‘localhost’ IDENTIFIED with auth_socket; • Refuses connection of any other user but foo from connecting
sha256_password • Default in 5.6, needs SSL-built MySQL (if using it, best to set it in my.cnf) • default-authentication-plugin=sha256_password • Default SSL is yaSSL, but with OpenSSL you get RSA encryption • client can transmit passwords to RSA server during connection • There exists key paths for private/public keys • Passwords never exposed as cleartext when connecting
PAM Authentication • MySQL PAM • Percona PAM (auth_pam & auth_pam_compat) • MariaDB PAM (pam)
Let’s get somethings out of the way • PAM = Pluggable Authentication Module • Use pam_ldap to to authenticate credentials against LDAP server — configure /etc/ pam_ldap.conf (you also obviously need /etc/ ldap.conf) • Simplest way is of course /etc/shadow auth
Percona Server INSTALL PLUGIN auth_pam SONAME ‘auth_pam.so'; CREATE USER byte IDENTIFIED WITH auth_pam; In /etc/pam.d/mysqld: auth required pam_warn.so auth required pam_unix.so audit account required pam_unix.so audit
MariaDB INSTALL SONAME ‘auth_pam’; CREATE USER byte IDENTIFIED via pam USING ‘mariadb’; Edit /etc/pam.d/mariadb: auth required pam_unix.so account required pam_unix.so
For MySQL compatibility • Just use —pam-use-cleartext-plugin for MySQL to use mysql_cleartext_password instead of dialog plugin
Possible errors • Connectors don’t support it: • Client does not support authentication protocol requested by server; consider upgrading MySQL client. • You may have to re-compile connector using libmysqlclient to have said support
Kerberos • Every participant in authenticated communication is known as a ‘principal’ (w/unique name) • Principals belong to administrative groups called realms. Kerberos Distribution Centre maintains a database of principal in realm + associated secret keys • Client requests a ticket from KDC for access to a specific asset. KDC uses the client’s secret and the server’s secret to construct the ticket which allows the client and server to mutually authenticate each other, while keeping the secrets hidden.
MariaDB Kerberos plugin • User principals: <username>@<KERBEROS REALM> • CREATE USER 'byte' IDENTIFIED VIA kerberos AS ‘byte/mariadb@lp'; • so that is <username>/ <instance>@<KERBEROS REALM> • Store Service Principal Name (SPN) is an option in a config file
Works where? • GSSAPI-based Kerberos widely used & supported on Linux • Windows supports SSPI authentication and the plugin supports it • Comes with MariaDB Server 10.1
5.7 mysql_no_login • mysql_no_login - prevents all client connections to an account that uses it • https://dev.mysql.com/doc/refman/5.7/en/mysql- no-login-plugin.html
audit plugins
SQL Error Logging Plugin • Log errors sent to clients in a log file that can be analysed later. Log file can be rotated (recommended) • a MYSQL_AUDIT_PLUGIN install plugin SQL_ERROR_LOG soname 'sql_errlog.so';
Audit Plugin • Log server activity - who connects to the server, what queries run, what tables touched - rotating log file or syslogd • MariaDB has extended the audit API, so user filtering is possible • a MYSQL_AUDIT_PLUGIN INSTALL PLUGIN server_audit SONAME ‘server_audit.so’;
Roles • Bundles users together, with similar privileges - follows the SQL standard CREATE ROLE audit_bean_counters; GRANT SELECT ON accounts.* to audit_bean_counters; GRANT audit_bean_counters to ceo;
Encryption • Encryption: tablespace and table level encryption with support for rolling keys using the AES algorithm • table encryption — PAGE_ENCRYPTION=1 • tablespace encryption — encrypts everything including log files • New file_key_management_filename, file_key_management_filekey, file_key_management_encryption_algorithm • Well documented — https://mariadb.com/kb/en/mariadb/data-at- rest-encryption/
Encryption II • The key file contains encryption keys identifiers (32-bit numbers) and hex-encoded encryption keys (128-256 bit keys), separated by a semicolon. • don’t forget to create keys! • eg. openssl enc -aes-256-cbc -md sha1 -k secret -in keys.txt -out keys.enc
my.cnf config [mysqld] plugin-load-add=file_key_management.so file-key-management file-key-management-filename = /home/mdb/keys.enc innodb-encrypt-tables innodb-encrypt-log innodb-encryption-threads=4 aria-encrypt-tables=1 # PAGE row format encrypt-tmp-disk-tables=1 # this is for Aria
Encryption III CREATE TABLE customer ( customer_id bigint not null primary key, customer_name varchar(80), customer_creditcard varchar(20)) ENGINE=InnoDB page_encryption=1 page_encryption_key=1;
Encryption IV • Tablespace encryption (Google) • again, you need to pick an encryption algorithm • specify what to encrypt: innodb-encrypt-tables, aria, aria-encrypt-tables, encrypt-tmp- disk-tables, innodb-encrypt-log • don’t forget key rotation: • innodb-encryption-threads=4 • innodb-encryption-rotate-key-age=1800
Encryption V • we also have tablespace scrubbing • background process that regularly scans through the tables and upgrades the encryption keys • scrubbing works for tablespaces and logs • —encrypt-tmp-files • —encrypt-binlog
Encryption VI • /etc/my.cnf.d/enable_encryption.preset • Consider using Eperi Gateway for Databases • MariaDB Enterprise will have a plugin for Amazon Key Management Server (KMS) • mysqlbinlog has no way to read (i.e. decrypt) an encrypted binlog • This does not work with MariaDB Galera Cluster yet (gcache is not encrypted yet), and also xtrabackup needs additional work (i.e. if you encrypt the redo log)
Preventing SQL Injections • MySQL Enterprise Firewall ($$$) • http://mysqlserverteam.com/new-mysql-enterprise- firewall-prevent-sql-injection-attacks/ • MaxScale Database Firewall filter (write your own regex) • https://mariadb.com/kb/en/mariadb-enterprise/ maxscale/maxscale-database-firewall-filter/ • https://mariadb.com/blog/maxscale-firewall-filter
Resources • oak-security-audit • https://openarkkit.googlecode.com/svn/trunk/ openarkkit/doc/html/oak-security-audit.html • Securich • http://www.securich.com/ • Encrypting MySQL Data at Google - Jeremy Cole & Jonas Oreland • http://bit.ly/google_innodb_encryption
Thank you! Colin Charles colin@mariadb.org / byte@bytebot.net http://bytebot.net/blog | @bytebot on twitter slides: slideshare.net/bytebot

Empfohlen

Meet MariaDB 10.1 at the Bulgaria Web Summit
Meet MariaDB 10.1 at the Bulgaria Web SummitMeet MariaDB 10.1 at the Bulgaria Web Summit
Meet MariaDB 10.1 at the Bulgaria Web SummitColin Charles
 
Lessons from database failures
Lessons from database failuresLessons from database failures
Lessons from database failuresColin Charles
 
MariaDB - the "new" MySQL is 5 years old and everywhere (LinuxCon Europe 2015)
MariaDB - the "new" MySQL is 5 years old and everywhere (LinuxCon Europe 2015)MariaDB - the "new" MySQL is 5 years old and everywhere (LinuxCon Europe 2015)
MariaDB - the "new" MySQL is 5 years old and everywhere (LinuxCon Europe 2015)Colin Charles
 
The MySQL Server ecosystem in 2016
The MySQL Server ecosystem in 2016The MySQL Server ecosystem in 2016
The MySQL Server ecosystem in 2016Colin Charles
 
Tuning Linux for your database FLOSSUK 2016
Tuning Linux for your database FLOSSUK 2016Tuning Linux for your database FLOSSUK 2016
Tuning Linux for your database FLOSSUK 2016Colin Charles
 
Meet MariaDB Server 10.1 London MySQL meetup December 2015
Meet MariaDB Server 10.1 London MySQL meetup December 2015Meet MariaDB Server 10.1 London MySQL meetup December 2015
Meet MariaDB Server 10.1 London MySQL meetup December 2015Colin Charles
 
Securing your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataSecuring your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataColin Charles
 
MariaDB 10.1 what's new and what's coming in 10.2 - Tokyo MariaDB Meetup
MariaDB 10.1 what's new and what's coming in 10.2 - Tokyo MariaDB MeetupMariaDB 10.1 what's new and what's coming in 10.2 - Tokyo MariaDB Meetup
MariaDB 10.1 what's new and what's coming in 10.2 - Tokyo MariaDB MeetupColin Charles
 

Empfohlen

Meet MariaDB 10.1 at the Bulgaria Web Summit
Meet MariaDB 10.1 at the Bulgaria Web SummitMeet MariaDB 10.1 at the Bulgaria Web Summit
Meet MariaDB 10.1 at the Bulgaria Web SummitColin Charles
 
Lessons from database failures
Lessons from database failuresLessons from database failures
Lessons from database failuresColin Charles
 
MariaDB - the "new" MySQL is 5 years old and everywhere (LinuxCon Europe 2015)
MariaDB - the "new" MySQL is 5 years old and everywhere (LinuxCon Europe 2015)MariaDB - the "new" MySQL is 5 years old and everywhere (LinuxCon Europe 2015)
MariaDB - the "new" MySQL is 5 years old and everywhere (LinuxCon Europe 2015)Colin Charles
 
The MySQL Server ecosystem in 2016
The MySQL Server ecosystem in 2016The MySQL Server ecosystem in 2016
The MySQL Server ecosystem in 2016Colin Charles
 
Tuning Linux for your database FLOSSUK 2016
Tuning Linux for your database FLOSSUK 2016Tuning Linux for your database FLOSSUK 2016
Tuning Linux for your database FLOSSUK 2016Colin Charles
 
Meet MariaDB Server 10.1 London MySQL meetup December 2015
Meet MariaDB Server 10.1 London MySQL meetup December 2015Meet MariaDB Server 10.1 London MySQL meetup December 2015
Meet MariaDB Server 10.1 London MySQL meetup December 2015Colin Charles
 
Securing your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataSecuring your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataColin Charles
 
MariaDB 10.1 what's new and what's coming in 10.2 - Tokyo MariaDB Meetup
MariaDB 10.1 what's new and what's coming in 10.2 - Tokyo MariaDB MeetupMariaDB 10.1 what's new and what's coming in 10.2 - Tokyo MariaDB Meetup
MariaDB 10.1 what's new and what's coming in 10.2 - Tokyo MariaDB MeetupColin Charles
 
Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7Colin Charles
 
Distributions from the view a package
Distributions from the view a packageDistributions from the view a package
Distributions from the view a packageColin Charles
 
Databases in the hosted cloud
Databases in the hosted cloudDatabases in the hosted cloud
Databases in the hosted cloudColin Charles
 
Lessons from database failures
Lessons from database failuresLessons from database failures
Lessons from database failuresColin Charles
 
Best practices for MySQL/MariaDB Server/Percona Server High Availability
Best practices for MySQL/MariaDB Server/Percona Server High AvailabilityBest practices for MySQL/MariaDB Server/Percona Server High Availability
Best practices for MySQL/MariaDB Server/Percona Server High AvailabilityColin Charles
 
The Complete MariaDB Server tutorial
The Complete MariaDB Server tutorialThe Complete MariaDB Server tutorial
The Complete MariaDB Server tutorialColin Charles
 
Cool MariaDB Plugins
Cool MariaDB Plugins Cool MariaDB Plugins
Cool MariaDB Plugins Colin Charles
 
My first moments with MongoDB
My first moments with MongoDBMy first moments with MongoDB
My first moments with MongoDBColin Charles
 
MySQL features missing in MariaDB Server
MySQL features missing in MariaDB ServerMySQL features missing in MariaDB Server
MySQL features missing in MariaDB ServerColin Charles
 
MariaDB Server Compatibility with MySQL
MariaDB Server Compatibility with MySQLMariaDB Server Compatibility with MySQL
MariaDB Server Compatibility with MySQLColin Charles
 
MariaDB 10: The Complete Tutorial
MariaDB 10: The Complete TutorialMariaDB 10: The Complete Tutorial
MariaDB 10: The Complete TutorialColin Charles
 
Lessons from database failures
Lessons from database failures Lessons from database failures
Lessons from database failures Colin Charles
 
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScaleThe Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScaleColin Charles
 
MariaDB 10 Tutorial - 13.11.11 - Percona Live London
MariaDB 10 Tutorial - 13.11.11 - Percona Live LondonMariaDB 10 Tutorial - 13.11.11 - Percona Live London
MariaDB 10 Tutorial - 13.11.11 - Percona Live LondonIvan Zoratti
 
A beginners guide to MariaDB
A beginners guide to MariaDBA beginners guide to MariaDB
A beginners guide to MariaDBColin Charles
 
The Complete MariaDB Server Tutorial - Percona Live 2015
The Complete MariaDB Server Tutorial - Percona Live 2015The Complete MariaDB Server Tutorial - Percona Live 2015
The Complete MariaDB Server Tutorial - Percona Live 2015Colin Charles
 
Differences between MariaDB 10.3 & MySQL 8.0
Differences between MariaDB 10.3 & MySQL 8.0Differences between MariaDB 10.3 & MySQL 8.0
Differences between MariaDB 10.3 & MySQL 8.0Colin Charles
 
Why MariaDB?
Why MariaDB?Why MariaDB?
Why MariaDB?Colin Charles
 
The MySQL ecosystem - understanding it, not running away from it!
The MySQL ecosystem - understanding it, not running away from it! The MySQL ecosystem - understanding it, not running away from it!
The MySQL ecosystem - understanding it, not running away from it! Colin Charles
 
MariaDB: in-depth (hands on training in Seoul)
MariaDB: in-depth (hands on training in Seoul)MariaDB: in-depth (hands on training in Seoul)
MariaDB: in-depth (hands on training in Seoul)Colin Charles
 
Forking Successfully - or is a branch better?
Forking Successfully - or is a branch better?Forking Successfully - or is a branch better?
Forking Successfully - or is a branch better?Colin Charles
 
MariaDB and Cassandra Interoperability
MariaDB and Cassandra InteroperabilityMariaDB and Cassandra Interoperability
MariaDB and Cassandra InteroperabilityColin Charles
 

Weitere ähnliche Inhalte

Was ist angesagt?

Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7Colin Charles
 
Distributions from the view a package
Distributions from the view a packageDistributions from the view a package
Distributions from the view a packageColin Charles
 
Databases in the hosted cloud
Databases in the hosted cloudDatabases in the hosted cloud
Databases in the hosted cloudColin Charles
 
Lessons from database failures
Lessons from database failuresLessons from database failures
Lessons from database failuresColin Charles
 
Best practices for MySQL/MariaDB Server/Percona Server High Availability
Best practices for MySQL/MariaDB Server/Percona Server High AvailabilityBest practices for MySQL/MariaDB Server/Percona Server High Availability
Best practices for MySQL/MariaDB Server/Percona Server High AvailabilityColin Charles
 
The Complete MariaDB Server tutorial
The Complete MariaDB Server tutorialThe Complete MariaDB Server tutorial
The Complete MariaDB Server tutorialColin Charles
 
Cool MariaDB Plugins
Cool MariaDB Plugins Cool MariaDB Plugins
Cool MariaDB Plugins Colin Charles
 
My first moments with MongoDB
My first moments with MongoDBMy first moments with MongoDB
My first moments with MongoDBColin Charles
 
MySQL features missing in MariaDB Server
MySQL features missing in MariaDB ServerMySQL features missing in MariaDB Server
MySQL features missing in MariaDB ServerColin Charles
 
MariaDB Server Compatibility with MySQL
MariaDB Server Compatibility with MySQLMariaDB Server Compatibility with MySQL
MariaDB Server Compatibility with MySQLColin Charles
 
MariaDB 10: The Complete Tutorial
MariaDB 10: The Complete TutorialMariaDB 10: The Complete Tutorial
MariaDB 10: The Complete TutorialColin Charles
 
Lessons from database failures
Lessons from database failures Lessons from database failures
Lessons from database failures Colin Charles
 
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScaleThe Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScaleColin Charles
 
MariaDB 10 Tutorial - 13.11.11 - Percona Live London
MariaDB 10 Tutorial - 13.11.11 - Percona Live LondonMariaDB 10 Tutorial - 13.11.11 - Percona Live London
MariaDB 10 Tutorial - 13.11.11 - Percona Live LondonIvan Zoratti
 
A beginners guide to MariaDB
A beginners guide to MariaDBA beginners guide to MariaDB
A beginners guide to MariaDBColin Charles
 
The Complete MariaDB Server Tutorial - Percona Live 2015
The Complete MariaDB Server Tutorial - Percona Live 2015The Complete MariaDB Server Tutorial - Percona Live 2015
The Complete MariaDB Server Tutorial - Percona Live 2015Colin Charles
 
Differences between MariaDB 10.3 & MySQL 8.0
Differences between MariaDB 10.3 & MySQL 8.0Differences between MariaDB 10.3 & MySQL 8.0
Differences between MariaDB 10.3 & MySQL 8.0Colin Charles
 
The MySQL ecosystem - understanding it, not running away from it!
The MySQL ecosystem - understanding it, not running away from it! The MySQL ecosystem - understanding it, not running away from it!
The MySQL ecosystem - understanding it, not running away from it! Colin Charles
 
MariaDB: in-depth (hands on training in Seoul)
MariaDB: in-depth (hands on training in Seoul)MariaDB: in-depth (hands on training in Seoul)
MariaDB: in-depth (hands on training in Seoul)Colin Charles
 

Was ist angesagt? (20)

Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7Better encryption & security with MariaDB 10.1 & MySQL 5.7
Better encryption & security with MariaDB 10.1 & MySQL 5.7
 
Distributions from the view a package
Distributions from the view a packageDistributions from the view a package
Distributions from the view a package
 
Databases in the hosted cloud
Databases in the hosted cloudDatabases in the hosted cloud
Databases in the hosted cloud
 
Lessons from database failures
Lessons from database failuresLessons from database failures
Lessons from database failures
 
Best practices for MySQL/MariaDB Server/Percona Server High Availability
Best practices for MySQL/MariaDB Server/Percona Server High AvailabilityBest practices for MySQL/MariaDB Server/Percona Server High Availability
Best practices for MySQL/MariaDB Server/Percona Server High Availability
 
The Complete MariaDB Server tutorial
The Complete MariaDB Server tutorialThe Complete MariaDB Server tutorial
The Complete MariaDB Server tutorial
 
Cool MariaDB Plugins
Cool MariaDB Plugins Cool MariaDB Plugins
Cool MariaDB Plugins
 
My first moments with MongoDB
My first moments with MongoDBMy first moments with MongoDB
My first moments with MongoDB
 
MySQL features missing in MariaDB Server
MySQL features missing in MariaDB ServerMySQL features missing in MariaDB Server
MySQL features missing in MariaDB Server
 
MariaDB Server Compatibility with MySQL
MariaDB Server Compatibility with MySQLMariaDB Server Compatibility with MySQL
MariaDB Server Compatibility with MySQL
 
MariaDB 10: The Complete Tutorial
MariaDB 10: The Complete TutorialMariaDB 10: The Complete Tutorial
MariaDB 10: The Complete Tutorial
 
Lessons from database failures
Lessons from database failures Lessons from database failures
Lessons from database failures
 
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScaleThe Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
The Proxy Wars - MySQL Router, ProxySQL, MariaDB MaxScale
 
MariaDB 10 Tutorial - 13.11.11 - Percona Live London
MariaDB 10 Tutorial - 13.11.11 - Percona Live LondonMariaDB 10 Tutorial - 13.11.11 - Percona Live London
MariaDB 10 Tutorial - 13.11.11 - Percona Live London
 
A beginners guide to MariaDB
A beginners guide to MariaDBA beginners guide to MariaDB
A beginners guide to MariaDB
 
The Complete MariaDB Server Tutorial - Percona Live 2015
The Complete MariaDB Server Tutorial - Percona Live 2015The Complete MariaDB Server Tutorial - Percona Live 2015
The Complete MariaDB Server Tutorial - Percona Live 2015
 
Differences between MariaDB 10.3 & MySQL 8.0
Differences between MariaDB 10.3 & MySQL 8.0Differences between MariaDB 10.3 & MySQL 8.0
Differences between MariaDB 10.3 & MySQL 8.0
 
Why MariaDB?
Why MariaDB?Why MariaDB?
Why MariaDB?
 
The MySQL ecosystem - understanding it, not running away from it!
The MySQL ecosystem - understanding it, not running away from it! The MySQL ecosystem - understanding it, not running away from it!
The MySQL ecosystem - understanding it, not running away from it!
 
MariaDB: in-depth (hands on training in Seoul)
MariaDB: in-depth (hands on training in Seoul)MariaDB: in-depth (hands on training in Seoul)
MariaDB: in-depth (hands on training in Seoul)
 

Andere mochten auch

Forking Successfully - or is a branch better?
Forking Successfully - or is a branch better?Forking Successfully - or is a branch better?
Forking Successfully - or is a branch better?Colin Charles
 
MariaDB and Cassandra Interoperability
MariaDB and Cassandra InteroperabilityMariaDB and Cassandra Interoperability
MariaDB and Cassandra InteroperabilityColin Charles
 
A Simple Multi-player Video Game Framework for Experimenting and Teaching C...
A Simple Multi-player Video Game Framework for Experimenting and Teaching C...A Simple Multi-player Video Game Framework for Experimenting and Teaching C...
A Simple Multi-player Video Game Framework for Experimenting and Teaching C...Mindtrek
 
The MySQL Server ecosystem in 2016
The MySQL Server ecosystem in 2016The MySQL Server ecosystem in 2016
The MySQL Server ecosystem in 2016sys army
 
Otto Kekäläinen - Forking in Open Source: Case Study of MySQL/MariaDB - Mindt...
Otto Kekäläinen - Forking in Open Source: Case Study of MySQL/MariaDB - Mindt...Otto Kekäläinen - Forking in Open Source: Case Study of MySQL/MariaDB - Mindt...
Otto Kekäläinen - Forking in Open Source: Case Study of MySQL/MariaDB - Mindt...Mindtrek
 
Undelete (and more) rows from the binary log
Undelete (and more) rows from the binary logUndelete (and more) rows from the binary log
Undelete (and more) rows from the binary logFrederic Descamps
 
Lessons from {distributed,remote,virtual} communities and companies
Lessons from {distributed,remote,virtual} communities and companiesLessons from {distributed,remote,virtual} communities and companies
Lessons from {distributed,remote,virtual} communities and companiesColin Charles
 
Hoppala at O'Reilly Where 2.0 Conference
Hoppala at O'Reilly Where 2.0 ConferenceHoppala at O'Reilly Where 2.0 Conference
Hoppala at O'Reilly Where 2.0 ConferenceMarc René Gardeya
 
The MySQL Server Ecosystem in 2016
The MySQL Server Ecosystem in 2016The MySQL Server Ecosystem in 2016
The MySQL Server Ecosystem in 2016Colin Charles
 

Andere mochten auch (9)

Forking Successfully - or is a branch better?
Forking Successfully - or is a branch better?Forking Successfully - or is a branch better?
Forking Successfully - or is a branch better?
 
MariaDB and Cassandra Interoperability
MariaDB and Cassandra InteroperabilityMariaDB and Cassandra Interoperability
MariaDB and Cassandra Interoperability
 
A Simple Multi-player Video Game Framework for Experimenting and Teaching C...
A Simple Multi-player Video Game Framework for Experimenting and Teaching C...A Simple Multi-player Video Game Framework for Experimenting and Teaching C...
A Simple Multi-player Video Game Framework for Experimenting and Teaching C...
 
The MySQL Server ecosystem in 2016
The MySQL Server ecosystem in 2016The MySQL Server ecosystem in 2016
The MySQL Server ecosystem in 2016
 
Otto Kekäläinen - Forking in Open Source: Case Study of MySQL/MariaDB - Mindt...
Otto Kekäläinen - Forking in Open Source: Case Study of MySQL/MariaDB - Mindt...Otto Kekäläinen - Forking in Open Source: Case Study of MySQL/MariaDB - Mindt...
Otto Kekäläinen - Forking in Open Source: Case Study of MySQL/MariaDB - Mindt...
 
Undelete (and more) rows from the binary log
Undelete (and more) rows from the binary logUndelete (and more) rows from the binary log
Undelete (and more) rows from the binary log
 
Lessons from {distributed,remote,virtual} communities and companies
Lessons from {distributed,remote,virtual} communities and companiesLessons from {distributed,remote,virtual} communities and companies
Lessons from {distributed,remote,virtual} communities and companies
 
Hoppala at O'Reilly Where 2.0 Conference
Hoppala at O'Reilly Where 2.0 ConferenceHoppala at O'Reilly Where 2.0 Conference
Hoppala at O'Reilly Where 2.0 Conference
 
The MySQL Server Ecosystem in 2016
The MySQL Server Ecosystem in 2016The MySQL Server Ecosystem in 2016
The MySQL Server Ecosystem in 2016
 

Ähnlich wie MariaDB Server & MySQL Security Essentials 2016

Simple tips to improve Server Security
Simple tips to improve Server SecuritySimple tips to improve Server Security
Simple tips to improve Server SecurityResellerClub
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips confluent
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Abdelkrim Hadjidj
 
MySQL Security in a Cloudy World
MySQL Security in a Cloudy WorldMySQL Security in a Cloudy World
MySQL Security in a Cloudy WorldDave Stokes
 
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!SolarWinds
 
Staying Sane with Drupal NEPHP
Staying Sane with Drupal NEPHPStaying Sane with Drupal NEPHP
Staying Sane with Drupal NEPHPOscar Merida
 
Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Harin Vadodaria
 
The Spy Who Loathed Me - An Intro to SQL Server Security
The Spy Who Loathed Me - An Intro to SQL Server SecurityThe Spy Who Loathed Me - An Intro to SQL Server Security
The Spy Who Loathed Me - An Intro to SQL Server SecurityChris Bell
 
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!SolarWinds
 
MySQL for Oracle DBAs
MySQL for Oracle DBAsMySQL for Oracle DBAs
MySQL for Oracle DBAsBen Krug
 
Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka SecurityDataWorks Summit
 
Adm02. IBM Connections Adminblast
Adm02. IBM Connections AdminblastAdm02. IBM Connections Adminblast
Adm02. IBM Connections Adminblastpanagenda
 
Drupal security
Drupal securityDrupal security
Drupal securityJozef Toth
 
Mysql 8 vs Mariadb 10.4 Highload++ 2019
Mysql 8 vs Mariadb 10.4 Highload++ 2019Mysql 8 vs Mariadb 10.4 Highload++ 2019
Mysql 8 vs Mariadb 10.4 Highload++ 2019Alkin Tezuysal
 
OUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source CodeOUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source CodeGeorgi Kodinov
 
Introduction to firebidSQL 3.x
Introduction to firebidSQL 3.xIntroduction to firebidSQL 3.x
Introduction to firebidSQL 3.xFabio Codebue
 

Ähnlich wie MariaDB Server & MySQL Security Essentials 2016 (20)

Simple tips to improve Server Security
Simple tips to improve Server SecuritySimple tips to improve Server Security
Simple tips to improve Server Security
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
 
MySQL Security in a Cloudy World
MySQL Security in a Cloudy WorldMySQL Security in a Cloudy World
MySQL Security in a Cloudy World
 
Securing your web apps now
Securing your web apps nowSecuring your web apps now
Securing your web apps now
 
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
 
Staying Sane with Drupal NEPHP
Staying Sane with Drupal NEPHPStaying Sane with Drupal NEPHP
Staying Sane with Drupal NEPHP
 
Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016
 
MySQL Security
MySQL SecurityMySQL Security
MySQL Security
 
The Spy Who Loathed Me - An Intro to SQL Server Security
The Spy Who Loathed Me - An Intro to SQL Server SecurityThe Spy Who Loathed Me - An Intro to SQL Server Security
The Spy Who Loathed Me - An Intro to SQL Server Security
 
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
 
MySQL for Oracle DBAs
MySQL for Oracle DBAsMySQL for Oracle DBAs
MySQL for Oracle DBAs
 
Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka Security
 
Adm02. IBM Connections Adminblast
Adm02. IBM Connections AdminblastAdm02. IBM Connections Adminblast
Adm02. IBM Connections Adminblast
 
Drupal security
Drupal securityDrupal security
Drupal security
 
Mysql 8 vs Mariadb 10.4 Highload++ 2019
Mysql 8 vs Mariadb 10.4 Highload++ 2019Mysql 8 vs Mariadb 10.4 Highload++ 2019
Mysql 8 vs Mariadb 10.4 Highload++ 2019
 
OUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source CodeOUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source Code
 
MySQL 5.7 + Java
MySQL 5.7 + JavaMySQL 5.7 + Java
MySQL 5.7 + Java
 
MySQL highav Availability
MySQL highav AvailabilityMySQL highav Availability
MySQL highav Availability
 
Introduction to firebidSQL 3.x
Introduction to firebidSQL 3.xIntroduction to firebidSQL 3.x
Introduction to firebidSQL 3.x
 

Mehr von Colin Charles

What is MariaDB Server 10.3?
What is MariaDB Server 10.3?What is MariaDB Server 10.3?
What is MariaDB Server 10.3?Colin Charles
 
Databases in the hosted cloud
Databases in the hosted cloud Databases in the hosted cloud
Databases in the hosted cloud Colin Charles
 
Databases in the Hosted Cloud
Databases in the Hosted CloudDatabases in the Hosted Cloud
Databases in the Hosted CloudColin Charles
 
Best practices for MySQL High Availability Tutorial
Best practices for MySQL High Availability TutorialBest practices for MySQL High Availability Tutorial
Best practices for MySQL High Availability TutorialColin Charles
 
Percona ServerをMySQL 5.6と5.7用に作るエンジニアリング(そしてMongoDBのヒント)
Percona ServerをMySQL 5.6と5.7用に作るエンジニアリング(そしてMongoDBのヒント)Percona ServerをMySQL 5.6と5.7用に作るエンジニアリング(そしてMongoDBのヒント)
Percona ServerをMySQL 5.6と5.7用に作るエンジニアリング(そしてMongoDBのヒント)Colin Charles
 
Capacity planning for your data stores
Capacity planning for your data storesCapacity planning for your data stores
Capacity planning for your data storesColin Charles
 

Mehr von Colin Charles (6)

What is MariaDB Server 10.3?
What is MariaDB Server 10.3?What is MariaDB Server 10.3?
What is MariaDB Server 10.3?
 
Databases in the hosted cloud
Databases in the hosted cloud Databases in the hosted cloud
Databases in the hosted cloud
 
Databases in the Hosted Cloud
Databases in the Hosted CloudDatabases in the Hosted Cloud
Databases in the Hosted Cloud
 
Best practices for MySQL High Availability Tutorial
Best practices for MySQL High Availability TutorialBest practices for MySQL High Availability Tutorial
Best practices for MySQL High Availability Tutorial
 
Percona ServerをMySQL 5.6と5.7用に作るエンジニアリング(そしてMongoDBのヒント)
Percona ServerをMySQL 5.6と5.7用に作るエンジニアリング(そしてMongoDBのヒント)Percona ServerをMySQL 5.6と5.7用に作るエンジニアリング(そしてMongoDBのヒント)
Percona ServerをMySQL 5.6と5.7用に作るエンジニアリング(そしてMongoDBのヒント)
 
Capacity planning for your data stores
Capacity planning for your data storesCapacity planning for your data stores
Capacity planning for your data stores
 

Kürzlich hochgeladen

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 

Kürzlich hochgeladen (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 

MariaDB Server & MySQL Security Essentials 2016

  • 1. MariaDB/MySQL Security Essentials Colin Charles, Team MariaDB, MariaDB Corporation colin@mariadb.com / byte@bytebot.net http://bytebot.net/blog/ | @bytebot on Twitter FLOSSUK 2016, London 17 March 2016
  • 2. whoami • Work on MariaDB at MariaDB Corporation (SkySQL Ab) • Merged with Monty Program Ab, makers of MariaDB • Formerly MySQL AB (exit: Sun Microsystems) • Past lives include Fedora Project (FESCO), OpenOffice.org • MySQL Community Contributor of the Year Award winner 2014
  • 3. Historically… • No password for the ‘root’ user • There is a default ‘test’ database • Find a password from application config files (wp- config.php, drupal’s settings.php, etc.) • Are your datadir permissions secure (/var/lib/ mysql)? • can you run strings mysql/user.MYD ?
  • 4. Can you view privileges to find a user with more access? MariaDB [(none)]> SELECT host,user,password from mysql.user; +--------------+-------------------+----------+ | host | user | password | +--------------+-------------------+----------+ | localhost | root | | | sirius | root | | | 127.0.0.1 | root | | | ::1 | root | | | localhost | | | | sirius | | | +--------------+-------------------+----------+
  • 5. More things to think about • Does replication connection have global permissions? • If you can start/stop mysqld process, you can reset passwords • Can you edit my.cnf? You can run a SQL file when mysqld starts with init-file
  • 6. sql_mode • 5.6 default = NO_ENGINE_SUBSTITUTION • SQL_MODE = STRICT_ALL_TABLES, NO_ENGINE_SUBSTITUTION • Keeps on improving, like deprecating NO_ZERO_DATE, NO_ZERO_IN_DATE (5.6.17) and making it part of strict mode
  • 7. mysql_secure_installation • Pretty basic to run, but many don’t • Remove anonymous users • Remove test database • Remove non-localhost root users • Set a root password
  • 8. Creating users • The lazy way • CREATE USER ‘foo’@‘%’; • GRANT ALL ON *.* TO ‘foo’@‘%’; • The above gives you access to all tables in all databases + access from any external location • ALL gives you a lot of privileges, including SHUTDOWN, SUPER, CHANGE MASTER, KILL, USAGE, etc.
  • 9. SUPER privileges • Can bypass a read_only server • Can bypass init_connect • Can disable binary logging • Can dynamically change configuration • Reached max_connections? Can still make one connection • https://dev.mysql.com/ doc/refman/5.6/en/ privileges- provided.html#priv_super • SUPER Read Only: prohibit client updates for everyone
  • 10. So… only give users what they need • CREATE USER ‘foo’@‘localhost’ IDENTIFIED by ‘password’; • GRANT CREATE, SELECT, INSERT, UPDATE, DELETE on db.* to ‘foo’@‘localhost’;
  • 11. And when it comes to applications… • Viewer? (read only access only) • SELECT • User? (read/write access) • SELECT, INSERT, UPDATE, DELETE • DBA? (provide access to the database) • CREATE, DROP, etc.
  • 12. Installation • Using your Linux distribution… mostly gets you MariaDB when you ask for mysql-server • Except on Debian/Ubuntu • However, when you get mariadb-server, you get an authentication plugin — auth_socket for “automatic logins” • You are asked by debhelper to enter a password • You can use the APT/YUM repositories from Oracle MySQL, Percona or MariaDB • Don’t disable SELinux: system_u:system_r:mysqld_t:s0
  • 13. Enable log-warnings • Enable —log_warnings=2 • Can keep track of access denied messages • Worth noting there are differences here in MySQL & MariaDB • https://dev.mysql.com/doc/refman/5.6/en/server- options.html#option_mysqld_log-warnings • https://mariadb.com/kb/en/mariadb/server-system- variables/#log_warnings
  • 14. MySQL 5.6 improvements • Password expiry • ALTER USER 'foo'@'localhost' PASSWORD EXPIRE; • https://dev.mysql.com/doc/refman/5.6/en/ password-expiration-sandbox-mode.html • Password validation plugin • VALIDATE_PASSWORD_STRENGTH()
  • 15. MySQL 5.6 II • mysql_config_editor - store authentication credentials in an encrypted login path file named .mylogin.cnf • http://dev.mysql.com/doc/refman/5.6/en/mysql- config-editor.html • Random ‘root’ password on install • mysql_install_db —random-passwords stored in $HOME/.mysql_secret
  • 16. MySQL 5.7 • Improved password expiry — automatic password expiration available, so set default_password_lifetime in my.cnf • You can also require password to be changed every n- days • ALTER USER ‘foo'@'localhost' PASSWORD EXPIRE INTERVAL n DAY; • There is also account locking/unlocking now • ACCOUNT LOCK/ACCOUNT UNLOCK
  • 17. SSL • You’re using the cloud and you’re using replication… you don’t want this in cleartext • Setup SSL (note: yaSSL vs OpenSSL can cause issues) • https://dev.mysql.com/doc/refman/5.6/en/ssl- connections.html • Worth noting 5.7 has a new tool: mysql_ssl_rsa_setup
  • 18. Initialise data directory using mysqld now • mysql_install_db is deprecated in 5.7 • mysqld itself handles instance initialisation • mysqld —initialize • mysqld —initialize-insecure
  • 19. MariaDB passwords • Password validation plugin (finally) exists now • https://mariadb.com/kb/en/mariadb/development/mariadb- internals-documentation/password-validation/ • simple_password_check password validation plugin • can enforce a minimum password length and guarantee that a password contains at least a specified number of uppercase and lowercase letters, digits, and punctuation characters. • cracklib_password_check password validation plugin • Allows passwords that are strong enough to pass CrackLib test. This is the same test that pam_cracklib.so does
  • 21. What you do today • MySQL stores accounts in the user table of the my mysql database • CREATE USER ‘foo’@‘localhost’ IDENTIFIED BY ‘password’;
  • 22. select plugin_name, plugin_status from information_schema.plugins where plugin_type='authentication'; +-----------------------+---------------+ | plugin_name | plugin_status | +-----------------------+---------------+ | mysql_native_password | ACTIVE | | mysql_old_password | ACTIVE | +-----------------------+---------------+ 2 rows in set (0.00 sec)
  • 23. Subtle difference w/MariaDB & MySQL usernames • Usernames in MariaDB > 5.5.31? 80 character limit (which you have to reload manually) create user 'long12345678901234567890'@'localhost' identified by 'pass'; Query OK, 0 rows affected (0.01 sec) vs ERROR 1470 (HY000): String 'long12345678901234567890' is too long for user name (should be no longer than 16)
  • 24. Installing plugins • MariaDB: INSTALL SONAME ‘auth_socket’ • MySQL: INSTALL PLUGIN auth_socket SONAME ‘auth_socket.so’
  • 25. auth_socket • Authenticates against the Unix socket file • Uses so_peercred socket option to obtain information about user running client • CREATE USER ‘foo’@‘localhost’ IDENTIFIED with auth_socket; • Refuses connection of any other user but foo from connecting
  • 26. sha256_password • Default in 5.6, needs SSL-built MySQL (if using it, best to set it in my.cnf) • default-authentication-plugin=sha256_password • Default SSL is yaSSL, but with OpenSSL you get RSA encryption • client can transmit passwords to RSA server during connection • There exists key paths for private/public keys • Passwords never exposed as cleartext when connecting
  • 27. PAM Authentication • MySQL PAM • Percona PAM (auth_pam & auth_pam_compat) • MariaDB PAM (pam)
  • 28. Let’s get somethings out of the way • PAM = Pluggable Authentication Module • Use pam_ldap to to authenticate credentials against LDAP server — configure /etc/ pam_ldap.conf (you also obviously need /etc/ ldap.conf) • Simplest way is of course /etc/shadow auth
  • 29. Percona Server INSTALL PLUGIN auth_pam SONAME ‘auth_pam.so'; CREATE USER byte IDENTIFIED WITH auth_pam; In /etc/pam.d/mysqld: auth required pam_warn.so auth required pam_unix.so audit account required pam_unix.so audit
  • 30. MariaDB INSTALL SONAME ‘auth_pam’; CREATE USER byte IDENTIFIED via pam USING ‘mariadb’; Edit /etc/pam.d/mariadb: auth required pam_unix.so account required pam_unix.so
  • 31. For MySQL compatibility • Just use —pam-use-cleartext-plugin for MySQL to use mysql_cleartext_password instead of dialog plugin
  • 32. Possible errors • Connectors don’t support it: • Client does not support authentication protocol requested by server; consider upgrading MySQL client. • You may have to re-compile connector using libmysqlclient to have said support
  • 33. Kerberos • Every participant in authenticated communication is known as a ‘principal’ (w/unique name) • Principals belong to administrative groups called realms. Kerberos Distribution Centre maintains a database of principal in realm + associated secret keys • Client requests a ticket from KDC for access to a specific asset. KDC uses the client’s secret and the server’s secret to construct the ticket which allows the client and server to mutually authenticate each other, while keeping the secrets hidden.
  • 34. MariaDB Kerberos plugin • User principals: <username>@<KERBEROS REALM> • CREATE USER 'byte' IDENTIFIED VIA kerberos AS ‘byte/mariadb@lp'; • so that is <username>/ <instance>@<KERBEROS REALM> • Store Service Principal Name (SPN) is an option in a config file
  • 35. Works where? • GSSAPI-based Kerberos widely used & supported on Linux • Windows supports SSPI authentication and the plugin supports it • Comes with MariaDB Server 10.1
  • 36. 5.7 mysql_no_login • mysql_no_login - prevents all client connections to an account that uses it • https://dev.mysql.com/doc/refman/5.7/en/mysql- no-login-plugin.html
  • 38. SQL Error Logging Plugin • Log errors sent to clients in a log file that can be analysed later. Log file can be rotated (recommended) • a MYSQL_AUDIT_PLUGIN install plugin SQL_ERROR_LOG soname 'sql_errlog.so';
  • 39. Audit Plugin • Log server activity - who connects to the server, what queries run, what tables touched - rotating log file or syslogd • MariaDB has extended the audit API, so user filtering is possible • a MYSQL_AUDIT_PLUGIN INSTALL PLUGIN server_audit SONAME ‘server_audit.so’;
  • 40. Roles • Bundles users together, with similar privileges - follows the SQL standard CREATE ROLE audit_bean_counters; GRANT SELECT ON accounts.* to audit_bean_counters; GRANT audit_bean_counters to ceo;
  • 41. Encryption • Encryption: tablespace and table level encryption with support for rolling keys using the AES algorithm • table encryption — PAGE_ENCRYPTION=1 • tablespace encryption — encrypts everything including log files • New file_key_management_filename, file_key_management_filekey, file_key_management_encryption_algorithm • Well documented — https://mariadb.com/kb/en/mariadb/data-at- rest-encryption/
  • 42. Encryption II • The key file contains encryption keys identifiers (32-bit numbers) and hex-encoded encryption keys (128-256 bit keys), separated by a semicolon. • don’t forget to create keys! • eg. openssl enc -aes-256-cbc -md sha1 -k secret -in keys.txt -out keys.enc
  • 43. my.cnf config [mysqld] plugin-load-add=file_key_management.so file-key-management file-key-management-filename = /home/mdb/keys.enc innodb-encrypt-tables innodb-encrypt-log innodb-encryption-threads=4 aria-encrypt-tables=1 # PAGE row format encrypt-tmp-disk-tables=1 # this is for Aria
  • 44. Encryption III CREATE TABLE customer ( customer_id bigint not null primary key, customer_name varchar(80), customer_creditcard varchar(20)) ENGINE=InnoDB page_encryption=1 page_encryption_key=1;
  • 45. Encryption IV • Tablespace encryption (Google) • again, you need to pick an encryption algorithm • specify what to encrypt: innodb-encrypt-tables, aria, aria-encrypt-tables, encrypt-tmp- disk-tables, innodb-encrypt-log • don’t forget key rotation: • innodb-encryption-threads=4 • innodb-encryption-rotate-key-age=1800
  • 46. Encryption V • we also have tablespace scrubbing • background process that regularly scans through the tables and upgrades the encryption keys • scrubbing works for tablespaces and logs • —encrypt-tmp-files • —encrypt-binlog
  • 47. Encryption VI • /etc/my.cnf.d/enable_encryption.preset • Consider using Eperi Gateway for Databases • MariaDB Enterprise will have a plugin for Amazon Key Management Server (KMS) • mysqlbinlog has no way to read (i.e. decrypt) an encrypted binlog • This does not work with MariaDB Galera Cluster yet (gcache is not encrypted yet), and also xtrabackup needs additional work (i.e. if you encrypt the redo log)
  • 48. Preventing SQL Injections • MySQL Enterprise Firewall ($$$) • http://mysqlserverteam.com/new-mysql-enterprise- firewall-prevent-sql-injection-attacks/ • MaxScale Database Firewall filter (write your own regex) • https://mariadb.com/kb/en/mariadb-enterprise/ maxscale/maxscale-database-firewall-filter/ • https://mariadb.com/blog/maxscale-firewall-filter
  • 49. Resources • oak-security-audit • https://openarkkit.googlecode.com/svn/trunk/ openarkkit/doc/html/oak-security-audit.html • Securich • http://www.securich.com/ • Encrypting MySQL Data at Google - Jeremy Cole & Jonas Oreland • http://bit.ly/google_innodb_encryption
  • 50. Thank you! Colin Charles colin@mariadb.org / byte@bytebot.net http://bytebot.net/blog | @bytebot on twitter slides: slideshare.net/bytebot