MySQLSecurity, Privileges & User Management                  Kenny Gryp <kenny.gryp@percona.com>                 Percona L...
Security, Privileges & User             ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Secur...
Security, Privileges & User             ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Secur...
Privilege SystemUsersGrantsmysql databaseResource LimitsDefault Permissions                                www.percona.com...
UsersIdentify users based on: user@host  user: username  host: hostname/ip of the client that connects     different host,...
GrantsGrant the user some kind of privilegeGrant ... to:   server,             column,                  view,   database, ...
Table/Column Level GrantsPossible:> GRANT SELECT ON db.table TO ‘lefred’@‘app’;> GRANT SELECT (col) ON db.table to ‘fr’@‘a...
PasswordExamples:> SET PASSWORD FOR ‘lefred’@‘app0001’ =PASSWORD(‘pass’);> SELECT PASSWORD(pass)GPASSWORD(pass):*196BDEDE2...
Grants  Complete list of grants:CREATE                       ALTER ROUTINEDROP                         CREATE ROUTINEGRANT...
GrantsCREATE                    ALTER ROUTINEDROP                      CREATE ROUTINEGRANT OPTION              EXECUTELOCK...
SHOW GRANTS> SHOW GRANTS;+----------------------------------------------------------------+| Grants for root@localhost    ...
GRANT OPTIONUser with ‘GRANT OPTION’ can give grants to otherusersonly for the grants he has already                      ...
FILERead/Write Files with:> SELECT ... INTO OUTFILE> LOAD DATA INFILE ...Are you sure you want to give FILE?Restrict with ...
FILEExample:> CREATE TABLE passwd(user varchar(255),pass varchar(255),useridinteger,`group` integer,gecos varchar(255),hom...
LOAD DATA LOCALJust like LOAD DATA, but takes a file from the clientMust have config on server: local-infile=0More a secur...
PROCESSSee complete SHOW PROCESSLIST for every user> SHOW GRANTS;+-----------------------------------------------+| Grants...
PROCESSAnd....:> SHOW ENGINE INNODB STATUSG...=====================================120110 21:44:00 INNODB MONITOR OUTPUT==...
RELOADReload all kinds of log files, not so bad...But:  FLUSH MASTER: remove all binary logs  FLUSH SLAVE: remove all slav...
REPLICATION CLIENTSHOW MASTER STATUS;SHOW SLAVE STATUSG                        www.percona.com   19
REPLICATION SLAVERequired for slave to fetch binlogsAlso gives:SHOW BINLOG EVENTSG...    Log_name: mysql-bin.000001       ...
SHUTDOWN# mysqladmin shutdown                        www.percona.com   21
SUPERKnown to be given to app users & monitoring usersHowever,it is very powerful:  CHANGE MASTER TO, STOP SLAVE, START SL...
ALLGives ALL privileges possible (on a certain level):> GRANT ALL ON *.*> GRANT ALL ON db.*> GRANT ALL ON db.table...     ...
USAGEGives you the possibility to... loginPossible to run:  SHOW GLOBAL STATUS;  SHOW GLOBAL VARIABLES;  Set session buffe...
mysql Database> SHOW TABLES;                  | plugin                    |+---------------------------+   | proc         ...
mysql DatabaseDo not give rights for app or general usersDML statements are possible  use FLUSH PRIVILEGES to apply       ...
Resource LimitsFor every user: max_user_connections>GRANT USAGE ON db.* TO ‘lefred@localhostWITH MAX_QUERIES_PER_HOUR 1000...
Default Permissions-- Grants dumped by pt-show-grants-- Dumped from server Localhost via UNIX socket, MySQL 5.5.17-55-log ...
Security, Privileges & User             ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Secur...
User ManagementDifficult to manage when having +1 MySQL serverHow to properly manage all those users?  Version Control  Se...
Version Control Put all grants in a .txt file and put in VC use pt-show-grants:    orders grants, easy to VC    generates ...
SecuRich Tool (scripts/stored procedures) to facilitate user management Has some features MySQL does _not_ have:     passw...
Configuration ManagementUse your favorite configuration management toolPuppet example:https://github.com/DavidS/puppet-mys...
Security, Privileges & User             ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Secur...
Pluggable AuthenticationFeature Since MySQL 5.5New Grant: PROXY: act like a userPercona PAM Plugin:  http://www.mysqlperfo...
Security, Privileges & User             ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Secur...
Application SecuritySQL Injectionsuse mysql_real_escape_string()Use Prepared StatementsUse different users in the applicat...
Security, Privileges & User             ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Secur...
Network SecurityPort protectionTraffic encryptionDNS                                 www.percona.com   39
Port ProtectionFirewallbind-address=127.0.0.1No need for network connections (socket only):skip-networking                ...
Traffic EncryptionProblem:# tcpdump -w - -i lo port 3306 | strings...insert into passwd values(lefred,dim00tjen, null,null...
DNSRemember: authentication is user@hostMySQL does Reverse DNS Lookup  taking over DNS server can change grants  Killing D...
Security, Privileges & User             ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Secur...
OS Level SecuritySecurity profiles:  AppArmor  SELinuxChroot  start mysqld with --chroot                                  ...
Filesystem EncryptionLUKS/ecryptfs/...:  Disk/File/Directory encryption  Protects against ‘disk-stealing’  No protection f...
Security, Privileges & User            ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Securi...
Other MySQL Security Featuresold-passwords: Insecure 4.1 hashing  set secure-auth to avoidskip-symbolic-linksmax_connect_e...
Security, Privileges & User             ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Secur...
Data Security FunctionsPASSWORD()Crypt: ENCRYPT()/DECRYPT()AES: AES_ENCRYPT()/AES_DECRYPT()DES: DES_ENCRYPT()/DES_DECRYPT(...
Security, Privileges & User             ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Secur...
DoSmysql> show grants;+--------------------------------------+| Grants for @localhost                |+-------------------...
Security, Privileges & User             ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Secur...
PCI Compliance1. Install and maintain a firewall configuration to protect cardholder data2. Do not use vendor-supplied def...
Security, Privileges & User             ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication Secur...
Kenny Gryp                 <kenny.gryp@percona.com>                                    @gryp                    Were Hirin...
Upcoming SlideShare
Loading in...5
×

Percona Live 2012PPT:mysql-security-privileges-and-user-management

5,909
-1

Published on

Percona Live 2012PPT:mysql-security-privileges-and-user-management

Published in: Technology, News & Politics
0 Comments
14 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,909
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
0
Comments
0
Likes
14
Embeds 0
No embeds

No notes for slide

Percona Live 2012PPT:mysql-security-privileges-and-user-management

  1. 1. MySQLSecurity, Privileges & User Management Kenny Gryp <kenny.gryp@percona.com> Percona Live Washington DC / 2012-01-11
  2. 2. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 2
  3. 3. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 3
  4. 4. Privilege SystemUsersGrantsmysql databaseResource LimitsDefault Permissions www.percona.com 4
  5. 5. UsersIdentify users based on: user@host user: username host: hostname/ip of the client that connects different host, different user, different ‘grants’Examples:‘fred’@‘localhost’, ‘root’@‘localhost’‘lefred’@‘app0001’, ‘kampen’@‘192.168.%’‘lekampen’@‘192.168.1__’, ‘fred’@‘app.fq.dn’Creating A User:>CREATE USER lefred@app0001;Drop user: change CREATE into DROP www.percona.com 5
  6. 6. GrantsGrant the user some kind of privilegeGrant ... to: server, column, view, database, trigger, index table, stored procedure,Example: INSERT, SELECT, UPDATE, DELETESQL Command:>GRANT SELECT ON db.* TO ‘lefred’@‘app0001’;>GRANT INSERT ON *.* TO ‘lefred’@‘app0001’;Revoking privileges: change GRANT into REVOKE www.percona.com 6
  7. 7. Table/Column Level GrantsPossible:> GRANT SELECT ON db.table TO ‘lefred’@‘app’;> GRANT SELECT (col) ON db.table to ‘fr’@‘app’;Too much columns might make authentication slower www.percona.com 7
  8. 8. PasswordExamples:> SET PASSWORD FOR ‘lefred’@‘app0001’ =PASSWORD(‘pass’);> SELECT PASSWORD(pass)GPASSWORD(pass):*196BDEDE2AE4F84CA44C47D54D78478C7E2BD7B7> SET PASSWORD FOR ‘lefred’@‘app0001’ =‘*196BDEDE2...’;> CREATE USER ‘lefred’@‘app0001’ IDENTIFIEDBY ‘pass’;> CREATE USER ‘fred’@‘app’ IDENTIFIED BYPASSWORD ‘*196BDEDE2...’;> GRANT SELECT ON db.* TO ‘fred’@‘app’IDENTIFIED BY ‘pass’; www.percona.com 8
  9. 9. Grants Complete list of grants:CREATE ALTER ROUTINEDROP CREATE ROUTINEGRANT OPTION EXECUTELOCK TABLES FILEEVENT CREATE USERALTER PROCESSDELETE PROXYINDEX RELOADINSERT REPLICATION CLIENTSELECT REPLICATION SLAVEUPDATE SHOW DATABASESCREATE TEMPORARY TABLES SHUTDOWNTRIGGER SUPERCREATE VIEW ALL [PRIVILEGES]SHOW VIEW USAGE www.percona.com 9
  10. 10. GrantsCREATE ALTER ROUTINEDROP CREATE ROUTINEGRANT OPTION EXECUTELOCK TABLES FILEEVENT CREATE USERALTER PROCESSDELETE PROXYINDEX RELOADINSERT REPLICATION CLIENTSELECT REPLICATION SLAVEUPDATE SHOW DATABASESCREATE TEMPORARY TABLES SHUTDOWNTRIGGER SUPERCREATE VIEW ALL [PRIVILEGES]SHOW VIEW USAGE www.percona.com 10
  11. 11. SHOW GRANTS> SHOW GRANTS;+----------------------------------------------------------------+| Grants for root@localhost |+----------------------------------------------------------------+| GRANT ALL PRIVILEGES ON *.* TO root@localhost IDENTIFIED BY||PASSWORD *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B WITH GRANT || OPTION |+----------------------------------------------------------------+> SHOW GRANTS FOR lefred@app0001;+----------------------------------------------+| Grants for lefred@app0001 |+----------------------------------------------+| GRANT INSERT ON *.* TO lefred@app0001 || GRANT SELECT ON `db`.* TO lefred@app0001 |+----------------------------------------------+ www.percona.com 11
  12. 12. GRANT OPTIONUser with ‘GRANT OPTION’ can give grants to otherusersonly for the grants he has already www.percona.com 12
  13. 13. FILERead/Write Files with:> SELECT ... INTO OUTFILE> LOAD DATA INFILE ...Are you sure you want to give FILE?Restrict with secure_file_priv=/path/ www.percona.com 13
  14. 14. FILEExample:> CREATE TABLE passwd(user varchar(255),pass varchar(255),useridinteger,`group` integer,gecos varchar(255),home varchar(255),shellvarchar(255));Query OK, 0 rows affected (0.05 sec)> LOAD DATA INFILE /etc/passwd INTO TABLE passwd FIELDSTERMINATED BY ":";Query OK, 40 rows affected (0.05 sec)> SELECT user, pass, userid, `group`, gecos FROM passwd;+-------------------+------+--------+-------+------------------------------------+| user | pass | userid | group | gecos |+-------------------+------+--------+-------+------------------------------------+| root |x | 0| 0 | root || daemon |x | 1| 1 | daemon || bin |x | 2| 2 | bin || sys |x | 3| 3 | sys || sync |x | 4 | 65534 | sync || games |x | 5| 60 | games || man |x | 6| 12 | man || lp |x | 7| 7 | lp || mail |x | 8| 8 | mail || news |x | 9| 9 | news | www.percona.com 14
  15. 15. LOAD DATA LOCALJust like LOAD DATA, but takes a file from the clientMust have config on server: local-infile=0More a security problem on the client: local-infile=0 to [client] recompile library with DENABLED_LOCAL_INFILE=1 www.percona.com 15
  16. 16. PROCESSSee complete SHOW PROCESSLIST for every user> SHOW GRANTS;+-----------------------------------------------+| Grants for process@localhost |+-----------------------------------------------+| GRANT PROCESS ON *.* TO process@localhost |+-----------------------------------------------+>SHOW FULL PROCESSLISTG...*************************** 3. row *************************** Id: 6163 User: root Host: localhost db: testCommand: Query Time: 63 State: Locked Info: insert into passwd values (lefred,iLikeDim0,null,null,null,null) www.percona.com 16
  17. 17. PROCESSAnd....:> SHOW ENGINE INNODB STATUSG...=====================================120110 21:44:00 INNODB MONITOR OUTPUT=====================================Per second averages calculated from the last 37 seconds...------------TRANSACTIONS------------...---TRANSACTION 0, not started, process no 955, OS thread id140712801937152mysql tables in use 1, locked 1MySQL thread id 6163, query id 273 localhost root Table lockinsert into passwd values (lefred,iLikeDim0,null,null,null,null)... www.percona.com 17
  18. 18. RELOADReload all kinds of log files, not so bad...But: FLUSH MASTER: remove all binary logs FLUSH SLAVE: remove all slave configuration FLUSH TABLES WITH READ LOCK: lock tables www.percona.com 18
  19. 19. REPLICATION CLIENTSHOW MASTER STATUS;SHOW SLAVE STATUSG www.percona.com 19
  20. 20. REPLICATION SLAVERequired for slave to fetch binlogsAlso gives:SHOW BINLOG EVENTSG... Log_name: mysql-bin.000001 Pos: 175 Event_type: Query Server_id: 9999End_log_pos: 312 Info: use `test`; insert into passwdvalues (lefred,iLikeDim0,null,null,null,null,null) www.percona.com 20
  21. 21. SHUTDOWN# mysqladmin shutdown www.percona.com 21
  22. 22. SUPERKnown to be given to app users & monitoring usersHowever,it is very powerful: CHANGE MASTER TO, STOP SLAVE, START SLAVE KILL any thread SET GLOBAL ... BINLOG When read_only=on SUPER users can still write Set DEFINER with Stored Procedures/Views to account of choice Have the extra login when max_connections is reached www.percona.com 22
  23. 23. ALLGives ALL privileges possible (on a certain level):> GRANT ALL ON *.*> GRANT ALL ON db.*> GRANT ALL ON db.table... www.percona.com 23
  24. 24. USAGEGives you the possibility to... loginPossible to run: SHOW GLOBAL STATUS; SHOW GLOBAL VARIABLES; Set session buffers/variables (see next chapter) www.percona.com 24
  25. 25. mysql Database> SHOW TABLES; | plugin |+---------------------------+ | proc || Tables_in_mysql | | procs_priv |+---------------------------+ | proxies_priv || columns_priv | | servers || db | | slow_log || event | | tables_priv || func | | time_zone || general_log | | time_zone_leap_second || help_category | | time_zone_name || help_keyword | | time_zone_transition || help_relation | | time_zone_transition_type || help_topic | | user || host | +---------------------------+| ndb_binlog_index | 24 rows in set (0.00 sec) www.percona.com 25
  26. 26. mysql DatabaseDo not give rights for app or general usersDML statements are possible use FLUSH PRIVILEGES to apply www.percona.com 26
  27. 27. Resource LimitsFor every user: max_user_connections>GRANT USAGE ON db.* TO ‘lefred@localhostWITH MAX_QUERIES_PER_HOUR 1000MAX_UPDATES_PER_HOUR 999MAX_CONNECTIONS_PER_HOUR 100MAX_USER_CONNECTIONS 5;FLUSH USER_RESOURCES;Not commonly used www.percona.com 27
  28. 28. Default Permissions-- Grants dumped by pt-show-grants-- Dumped from server Localhost via UNIX socket, MySQL 5.5.17-55-log at 2012-01-11 03:36:25-- Grants for root@127.0.0.1GRANT ALL PRIVILEGES ON *.* TO root@127.0.0.1 WITH GRANTOPTION;-- Grants for root@desktopGRANT ALL PRIVILEGES ON *.* TO root@desktop WITH GRANT OPTION;-- Grants for root@localhostGRANT ALL PRIVILEGES ON *.* TO root@localhost WITH GRANTOPTION;-- Grants for ‘’@‘localhost’GRANT USAGE ON *.* TO ‘’@‘localhost’;# mysql_secure_installationSet root password? [Y/n] yRemove anonymous users? [Y/n] yDisallow root login remotely? [Y/n] yRemove test database and access to it? [Y/n] y www.percona.com 28
  29. 29. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 29
  30. 30. User ManagementDifficult to manage when having +1 MySQL serverHow to properly manage all those users? Version Control SecuRich Configuration Management www.percona.com 30
  31. 31. Version Control Put all grants in a .txt file and put in VC use pt-show-grants: orders grants, easy to VC generates revoke statements -- Grants dumped by pt-show-grants -- Dumped from server Localhost via UNIX socket, MySQL 5.5.17-55-log at 2012-01-10 23:52:18 -- Grants for debian-sys-maint@localhost GRANT ALL PRIVILEGES ON *.* TO debian-sys-maint@localhost IDENTIFIED BY PASSWORD *C86BAB1C913CE0D310B662846E830230C51DA954 WITH GRANT OPTION; -- Grants for lefred@app0001 GRANT INSERT ON *.* TO lefred@app0001; GRANT SELECT ON `db`.* TO lefred@app0001; -- Grants for lefred@localhost GRANT SELECT, SELECT (user) ON `test`.`passwd` TO lefred@localhost; GRANT USAGE ON *.* TO lefred@localhost;http://www.percona.com/doc/percona-toolkit/2.0/pt-show-grants.html www.percona.com 31
  32. 32. SecuRich Tool (scripts/stored procedures) to facilitate user management Has some features MySQL does _not_ have: password expiry block users (even throws out users) password history password complexity checkshttp://www.securich.com/ www.percona.com 32
  33. 33. Configuration ManagementUse your favorite configuration management toolPuppet example:https://github.com/DavidS/puppet-mysql www.percona.com 33
  34. 34. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 34
  35. 35. Pluggable AuthenticationFeature Since MySQL 5.5New Grant: PROXY: act like a userPercona PAM Plugin: http://www.mysqlperformanceblog.com/2011/12/05/announcing-pam-authentication- plugin-for-mysql-early-access-release/Oracle PAM Plugin: commercial pluginClear text password will be sent: use secureconnections www.percona.com 35
  36. 36. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 36
  37. 37. Application SecuritySQL Injectionsuse mysql_real_escape_string()Use Prepared StatementsUse different users in the application (read/write/...)Don’t give app users permissions they should nothave (see this presentation) www.percona.com 37
  38. 38. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 38
  39. 39. Network SecurityPort protectionTraffic encryptionDNS www.percona.com 39
  40. 40. Port ProtectionFirewallbind-address=127.0.0.1No need for network connections (socket only):skip-networking www.percona.com 40
  41. 41. Traffic EncryptionProblem:# tcpdump -w - -i lo port 3306 | strings...insert into passwd values(lefred,dim00tjen, null,null,null,null)HSolution: Built-in SSL Secure Tunnels www.percona.com 41
  42. 42. DNSRemember: authentication is user@hostMySQL does Reverse DNS Lookup taking over DNS server can change grants Killing DNS server can cause stalls (next to the default dns cache in MySQL or nscd): both security and performance problem use skip-name-resolve www.percona.com 42
  43. 43. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 43
  44. 44. OS Level SecuritySecurity profiles: AppArmor SELinuxChroot start mysqld with --chroot www.percona.com 44
  45. 45. Filesystem EncryptionLUKS/ecryptfs/...: Disk/File/Directory encryption Protects against ‘disk-stealing’ No protection for user ‘root’Gazzang ezNcrypt (http://www.gazzang.com) Commercial tool Uses ecryptfs Off-Site Key Management kernel module ACL Only certain binary, with a certain hash can access the encrypted files www.percona.com 45
  46. 46. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 46
  47. 47. Other MySQL Security Featuresold-passwords: Insecure 4.1 hashing set secure-auth to avoidskip-symbolic-linksmax_connect_errors: default=10 Error: Host host_name is blocked FLUSH HOSTSskip-grant-tables: ignore authentication recover lost root passwordAudit Plugin interface (since 5.5) www.percona.com 47
  48. 48. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 48
  49. 49. Data Security FunctionsPASSWORD()Crypt: ENCRYPT()/DECRYPT()AES: AES_ENCRYPT()/AES_DECRYPT()DES: DES_ENCRYPT()/DES_DECRYPT()Hashing: MD5(), SHA2()Statement Based Replication includes the SQLstatement in the binary log: Use Row BasedSame counts for general/slowlogMaybe encrypt in application www.percona.com 49
  50. 50. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 50
  51. 51. DoSmysql> show grants;+--------------------------------------+| Grants for @localhost |+--------------------------------------+| GRANT USAGE ON *.* TO @localhost |+--------------------------------------+1 row in set (0.00 sec)Disk:mysql> use information_schema;mysql> select a.* FROM CHARACTER_SETS a, CHARACTER_SETS b, -> CHARACTER_SETS c, CHARACTER_SETS d, CHARACTER_SETS e;Memory:mysql> SELECT REPEAT(a, 1024*1024) INTO @a1;Query OK, 1 row affected (0.01 sec)..mysql> SELECT REPEAT(a, 1024*1024) INTO @a99;Query OK, 1 row affected (0.01 sec) www.percona.com 51
  52. 52. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 52
  53. 53. PCI Compliance1. Install and maintain a firewall configuration to protect cardholder data2. Do not use vendor-supplied defaults for system passwords and othersecurity parameters3. Protect stored cardholder data4. Encrypt transmission of cardholder data across open, public networks5. Use and regularly update anti-virus software on all systems commonlyaffected by malware6. Develop and maintain secure systems and applications7. Restrict access to cardholder data by business need-to-know8. Assign a unique ID to each person with computer access9. Restrict physical access to cardholder data10. Track and monitor all access to network resources and cardholderdata11. Regularly test security systems and processes12. Maintain a policy that addresses information securityhttp://en.wikipedia.org/wiki/PCI_DSS www.percona.com 53
  54. 54. Security, Privileges & User ManagementPrivilege SystemUser ManagementPluggable AuthenticationApplication SecurityNetwork SecurityOS Level SecurityOther MySQL Security FeaturesData Security FunctionsDoSPCI Compliance www.percona.com 54
  55. 55. Kenny Gryp <kenny.gryp@percona.com> @gryp Were Hiring!www.percona.com/about-us/careers/

×