SlideShare a Scribd company logo

Enhancing MySQL Security

V
Vinicius M Grippa

Security is always a challenge when its comes to data. Moreso, regulations like GDPR add a whole new layer on top of it, with rules more and more restrictive to access and manipulate data. Join us in this presentation to check security best practices as well as traditional and new features available for MySQL, including features coming with the new MySQL 8. In this talk, DBAs and sysadmins will walk through the security features available on the OS and MySQL. These features include: SO security SSL ACL TDE Audit Plugin MySQL 8 features (undo, redo, and binlog encryption) New caching_sha2_password Roles Password Management FIPS mode

Technology
1 of 65
Download to read offline
© 2019 Percona1 Enhancing MySQL Security Vinicius M. Grippa Senior Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com
© 2019 Percona2 ▪ Support Engineer at Percona since 2017 ▪ Working with MySQL for over six years ▪ Working with databases for over nine years ▪ Speaker at PL 2018 and meetups about MySQL/MongoDB About Me
© 2019 Percona3 Basic Principles • Minimum access • Isolate • Audit • Avoid spying • Default firewall
© 2019 Percona4 Agenda ▪ SO/Cloud security ▪ SSL ▪ Password management ▪ Audit plugin ▪ Percona Server encryption features ▪ MySQL 8 features (undo, redo encryption) ▪ TDE ▪ New caching_sha2_password ▪ FIPS mode ▪ Roles
© 2019 Percona5 OS/Cloud Security
© 2019 Percona6 OS/Cloud Security • Uninstall services that are not used • Do not run compilers • Firewalls • Block internet access • Disable remote root login • Use of SSH Key
© 2019 Percona7 OS/Cloud Security • Use of Amazon Virtual Private Cloud (VPC) • Use AWS Identity and Access Management (IAM) policies • Use security groups
© 2019 Percona8 OS/Cloud Security
© 2019 Percona9 OS/Cloud Security
© 2019 Percona10 OS/Cloud Security
© 2019 Percona11 SSL
© 2019 Percona12 SSL • Move information over a network in a secure fashion • SSL provides an way to cryptograph the data • Default for MySQL 5.7 or higher • Certificates ▪ MySQL 5.7 • mysql_ssl_rsa_setup ▪ MySQL 5.6 • openssl
© 2019 Percona13 mysql > show global variables like '%ssl%'; +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | ca.pem | | ssl_capath | | | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | server-key.pem | +---------------+-----------------+ 9 rows in set (0.03 sec) SSL
© 2019 Percona14 SSL mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e "s"| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
© 2019 Percona15 It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required SSL
© 2019 Percona16 SSL
© 2019 Percona17 Password Management
© 2019 Percona18 Password Management • Password expiration • validate_password plugin
© 2019 Percona19 Password Expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.
© 2019 Percona20 Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1;
© 2019 Percona21 Password Expiration mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
© 2019 Percona22 validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password.
© 2019 Percona23 validate_plugin - Installing # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so
© 2019 Percona24 validate_plugin - Validate mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec)
© 2019 Percona25 validate_plugin - Example mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec)
© 2019 Percona26 validate_plugin - Example mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec)
© 2019 Percona27 Audit Plugin
© 2019 Percona28 Audit Plugin ▪ MySQL Enterprise – Paid ▪ Percona Server (works with community version) – Free ▪ It is different from general log ▪ Filter by command / user / database
© 2019 Percona29 Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+
© 2019 Percona30 Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10
© 2019 Percona31 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | |
© 2019 Percona32 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec)
© 2019 Percona33 Percona Server Encryption Features
© 2019 Percona34 Percona Server Encryption Percona server provides extra encryption: • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables – BETA quality • innodb_parallel_dblwr_encrypt – ALPHA quality • innodb_sys_tablespace_encrypt – ALPHA quality • innodb_temp_tablespace_encrypt – BETA quality
© 2019 Percona35 Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binlog_checksum = 1 mysql: root@localhost ((none)) > show global variables like '%encrypt_binlog%'; +----------------+-------+ | Variable_name | Value | +----------------+-------+ | encrypt_binlog | ON | +----------------+-------+ 1 row in set (0.00 sec)
© 2019 Percona36 Percona Server Encryption mysql: root@localhost ((none)) > show global variables like '%encrypt%'; +----------------------------------+-------------+ | Variable_name | Value | +----------------------------------+-------------+ | block_encryption_mode | aes-128-ecb | | encrypt_binlog | ON | | encrypt_tmp_files | OFF | | innodb_encrypt_online_alter_logs | OFF | | innodb_encrypt_tables | OFF | | innodb_parallel_dblwr_encrypt | OFF | | innodb_sys_tablespace_encrypt | OFF | | innodb_temp_tablespace_encrypt | OFF | +----------------------------------+-------------+ 8 rows in set (0.00 sec)
© 2019 Percona37 MySQL 8 Features (undo, redo encryption)
© 2019 Percona38 MySQL 8 - (undo, redo encryption) ▪ MySQL 8 extends tablespace encryption feature to redo log and undo log ▪ It is necessary using one of the Keyring plugins
© 2019 Percona39 MySQL 8 - (undo, redo encryption) The process is very straightforward, to enable the encryption on the redo log and the undo log: mysql> set global innodb_undo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> set global innodb_redo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> show global variables like '%log_encrypt%'; +-------------------------+-------+ | Variable_name | Value | +-------------------------+-------+ | innodb_redo_log_encrypt | ON | | innodb_undo_log_encrypt | ON | +-------------------------+-------+ 2 rows in set (0.00 sec)
© 2019 Percona40 Transparent Data Encryption(TDE)
© 2019 Percona41 Transparent Data Encryption (TDE) • Enables data-at-rest encryption in the database • Encryption and decryption occurs without any additional coding, data type or schema modifications
© 2019 Percona42 Transparent Data Encryption (TDE) [mysqld] # TDE early-plugin-load=keyring_file.so keyring-file-data=/var/lib/mysql-keyring/keyring mysql: root@localhost ((none)) > INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so'; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | | keyring_udf | ACTIVE | +--------------+---------
© 2019 Percona43 Transparent Data Encryption (TDE) mysql: root@localhost ((none)) > SELECT keyring_key_generate('MyKey', 'AES', 32); +------------------------------------------+ | keyring_key_generate('MyKey', 'AES', 32) | +------------------------------------------+ | 1 | +------------------------------------------+ 1 row in set (0.00 sec) mysql> CREATE TABLESPACE `amer_meeting1` ADD DATAFILE 'amer_meeting1.ibd' ENCRYPTION = 'Y' Engine=InnoDB; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='N'; ERROR 1478 (HY000): InnoDB: Tablespace `vgrippa` can contain only an ENCRYPTED tables. mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='Y'; Query OK, 0 rows affected (0.02 sec)
© 2019 Percona44 Transparent Data Encryption (TDE) A flag field in the INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES has bit number 13 set if tablespace is encrypted. mysql: root@localhost (test) > SELECT space, name, flag, (flag & 8192) != 0 AS encrypted FROM INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES WHERE name in ('vgrippa'); +-------+---------+-------+-----------+ | space | name | flag | encrypted | +-------+---------+-------+-----------+ | 156 | vgrippa | 10240 | 1 | +-------+---------+-------+-----------+ 1 row in set (0.00 sec)
© 2019 Percona45 caching_sha2_password
© 2019 Percona46 caching_sha2_password MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords: • sha256_password: Implements basic SHA-256 authentication • caching_sha2_password: Implements SHA-256 authentication (like sha256_password), but uses caching on the server side for better performance and has additional features for wider applicability. (In MySQL 5.7, caching_sha2_password is implemented only on the client)
© 2019 Percona47 caching_sha2_password mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec) mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec)
© 2019 Percona48 caching_sha2_password mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+----------------------------- --------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+----------------------------- --------------+ | vgrippa | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | | vgrippa1 | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | +----------+-----------+-----------------------+----------------------------- --------------+ 2 rows in set (0.00 sec)
© 2019 Percona49 Example # MySQL 8 [mysqld] default_authentication_plugin=caching_sha2_password mysql> CREATE USER 'sha2user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password'; Query OK, 0 rows affected (0.06 sec) mysql> select user,host, plugin from mysql.user where user like 'sha2user%'; +----------+-----------+-----------------------+ | user | host | plugin | +----------+-----------+-----------------------+ | sha2user | localhost | caching_sha2_password | +----------+-----------+-----------------------+ 1 row in set (0.00 sec)
© 2019 Percona50 Example mysql: root@localhost ((none)) > create user vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost ((none)) > create user vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec)
© 2019 Percona51 Example mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | vgrippa | localhost | caching_sha2_password | $A$005$)8?=V_"J75FFq |jUVMUZmnZ1t8aSybB4AISoj1MXdlseI0rQay6bGGlne8 | | vgrippa1 | localhost | caching_sha2_password | $A$005$zEZ;bEmj[hq1T!LFtqZzAB0hacxgwNfHM/gL6gBFHqY1wuozW2NO4Gj9958 | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ 2 rows in set (0.01 sec)
© 2019 Percona52 FIPS Mode
© 2019 Percona53 FIPS • MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module are available at runtime • FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server. FIPS mode also applies to attempts by clients to connect to the server
© 2019 Percona54 Example mysql> show global variables like '%fips%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | ssl_fips_mode | ON | +---------------+-------+ 1 row in set (0.01 sec) mysql> set global ssl_fips_mode=1; Query OK, 0 rows affected (0.06 sec)
© 2019 Percona55 Example mysql> select md5('a'); +----------------------------------+ | md5('a') | +----------------------------------+ | 00000000000000000000000000000000 | +----------------------------------+ 1 row in set, 1 warning (0.00 sec)
© 2019 Percona56 Example mysql> show warnings; +---------+-------+------------------------------------------------------------------- -----+ | Level | Code | Message | +---------+-------+------------------------------------------------------------------- -----+ | Warning | 11272 | SSL fips mode error: FIPS mode ON/STRICT: MD5 digest is not supported. | +---------+-------+------------------------------------------------------------------- -----+ 1 row in set (0.00 sec)
© 2019 Percona57 Example mysql> select sha2('a', 256); +------------------------------------------------------------------+ | sha2('a', 256) | +------------------------------------------------------------------+ | ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb | +------------------------------------------------------------------+ 1 row in set (0.00 sec)
© 2019 Percona58 Roles
© 2019 Percona59 Roles ● MySQL 8 comes with Roles feature. A role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them. 59
© 2019 Percona60 Roles mysql> create role app_read; Query OK, 0 rows affected (0.03 sec) mysql> grant select on *.* to app_read; Query OK, 0 rows affected (0.04 sec) 60
© 2019 Percona61 Roles mysql> select * from app_db.joinit; ERROR 1142 (42000): SELECT command denied to user 'test_role'@'localhost' for table 'joinit' mysql> SELECT CURRENT_ROLE(); +----------------+ | CURRENT_ROLE() | +----------------+ | NONE | +----------------+ 1 row in set (0.00 sec) 61
© 2019 Percona62 Roles mysql> SET ROLE all; Query OK, 0 rows affected (0.00 sec) mysql> SELECT CURRENT_ROLE(); +-------------------------------------------------------+ | CURRENT_ROLE() | +-------------------------------------------------------+ | `app_read`@`%`,`app_write`@`%`,`app_read`@`localhost` | +-------------------------------------------------------+ 1 row in set (0.00 sec) mysql> select * from app_db.joinit; 62
© 2019 Percona63 Roles It is possible to use activate_all_roles_on_login to activate all roles granted to each account at login time. 63
© 2019 Percona64 References # SO/Cloud security https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html # Audit log https://www.percona.com/blog/2015/09/10/percona-server-audit-log-plugin-best-practices/ #caching_sha2_password https://dev.mysql.com/doc/refman/5.7/en/caching-sha2-pluggable-authentication.html # SSL https://www.percona.com/blog/2013/06/22/setting-up-mysql-ssl-and-secure-connections/#setup https://www.percona.com/blog/2013/10/10/mysql-ssl-performance-overhead/ # TDE https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html#usage https://dev.mysql.com/doc/refman/5.7/en/keyring-file-plugin.html # Roles https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_activate_all_roles_on _login https://dev.mysql.com/doc/refman/8.0/en/roles.html # Password management https://dev.mysql.com/doc/refman/5.7/en/password-management.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-installation.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html # FIPS https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html # Percona Server 8.0 Alpha release https://www.percona.com/blog/2018/09/27/announcement-alpha-build-of-percona-server-8-0/ # MySQL 8 redo and undo encryption https://dev.mysql.com/doc/refman/8.0/en/innodb-tablespace-encryption.html#innodb-tablespace-encr yption-about 64
© 2019 Percona65 Questions?

Recommended

MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
Frederic Descamps
 
Ccna sv2 instructor_ppt_ch6
Ccna sv2 instructor_ppt_ch6Ccna sv2 instructor_ppt_ch6
Ccna sv2 instructor_ppt_ch6
SalmenHAJJI1
 
Implementing Network Redundancy
Implementing Network RedundancyImplementing Network Redundancy
Implementing Network Redundancy
Belden Incorporated
 
FOSDEM 2022 MySQL Devroom: MySQL 8.0 - Logical Backups, Snapshots and Point-...
FOSDEM 2022 MySQL Devroom: MySQL 8.0 - Logical Backups, Snapshots and Point-...FOSDEM 2022 MySQL Devroom: MySQL 8.0 - Logical Backups, Snapshots and Point-...
FOSDEM 2022 MySQL Devroom: MySQL 8.0 - Logical Backups, Snapshots and Point-...
Frederic Descamps
 
CNLU FRESHERS’ QUIZ 2022 FINALS WITH ANSWER.pptx
CNLU FRESHERS’ QUIZ 2022 FINALS WITH ANSWER.pptxCNLU FRESHERS’ QUIZ 2022 FINALS WITH ANSWER.pptx
CNLU FRESHERS’ QUIZ 2022 FINALS WITH ANSWER.pptx
PriyanshPriyadarshi1
 
IIT Guwahati Quiz Club Orientation : Freshers Quiz 2016
IIT Guwahati Quiz Club Orientation : Freshers Quiz 2016IIT Guwahati Quiz Club Orientation : Freshers Quiz 2016
IIT Guwahati Quiz Club Orientation : Freshers Quiz 2016
Dhrubojit Bhattacharya
 
Mikrotik load balansing
Mikrotik load balansingMikrotik load balansing
Mikrotik load balansing
Кирилл Кекер
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
Netwax Lab
 

Recommended

MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
Frederic Descamps
 
Ccna sv2 instructor_ppt_ch6
Ccna sv2 instructor_ppt_ch6Ccna sv2 instructor_ppt_ch6
Ccna sv2 instructor_ppt_ch6
SalmenHAJJI1
 
Implementing Network Redundancy
Implementing Network RedundancyImplementing Network Redundancy
Implementing Network Redundancy
Belden Incorporated
 
FOSDEM 2022 MySQL Devroom: MySQL 8.0 - Logical Backups, Snapshots and Point-...
FOSDEM 2022 MySQL Devroom: MySQL 8.0 - Logical Backups, Snapshots and Point-...FOSDEM 2022 MySQL Devroom: MySQL 8.0 - Logical Backups, Snapshots and Point-...
FOSDEM 2022 MySQL Devroom: MySQL 8.0 - Logical Backups, Snapshots and Point-...
Frederic Descamps
 
CNLU FRESHERS’ QUIZ 2022 FINALS WITH ANSWER.pptx
CNLU FRESHERS’ QUIZ 2022 FINALS WITH ANSWER.pptxCNLU FRESHERS’ QUIZ 2022 FINALS WITH ANSWER.pptx
CNLU FRESHERS’ QUIZ 2022 FINALS WITH ANSWER.pptx
PriyanshPriyadarshi1
 
IIT Guwahati Quiz Club Orientation : Freshers Quiz 2016
IIT Guwahati Quiz Club Orientation : Freshers Quiz 2016IIT Guwahati Quiz Club Orientation : Freshers Quiz 2016
IIT Guwahati Quiz Club Orientation : Freshers Quiz 2016
Dhrubojit Bhattacharya
 
Mikrotik load balansing
Mikrotik load balansingMikrotik load balansing
Mikrotik load balansing
Кирилл Кекер
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
Netwax Lab
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by Malware
Tyler Borosavage
 
Redo log improvements MYSQL 8.0
Redo log improvements MYSQL 8.0Redo log improvements MYSQL 8.0
Redo log improvements MYSQL 8.0
Mydbops
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
Ccna sv2 instructor_ppt_ch1
Ccna sv2 instructor_ppt_ch1Ccna sv2 instructor_ppt_ch1
Ccna sv2 instructor_ppt_ch1
SalmenHAJJI1
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Cisco switch commands cheat sheet
Cisco switch commands cheat sheetCisco switch commands cheat sheet
Cisco switch commands cheat sheet
3Anetwork com
 
Introduction to OpenStack Cinder
Introduction to OpenStack CinderIntroduction to OpenStack Cinder
Introduction to OpenStack Cinder
Sean McGinnis
 
Mimikatz
MimikatzMimikatz
Mimikatz
rishabh sharma
 
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat Security Conference
 
Advanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona ServerAdvanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona Server
Severalnines
 
Enigma'15 General Quiz Prelims Answers
Enigma'15 General Quiz Prelims AnswersEnigma'15 General Quiz Prelims Answers
Enigma'15 General Quiz Prelims Answers
Kapish Malhotra
 
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma YöntemleriDoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
BGA Cyber Security
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logic
Alberto Rivai
 
Hunting rootkits with windbg
Hunting rootkits with windbgHunting rootkits with windbg
Hunting rootkits with windbg
Frank Boldewin
 
Republic day quiz prelims
Republic day quiz prelimsRepublic day quiz prelims
Republic day quiz prelims
Quiz Society IIT Jodhpur
 
Cisco acs configuration guide
Cisco acs configuration guideCisco acs configuration guide
Cisco acs configuration guide
RichardsCCNA
 
Behind The Stumps
Behind The StumpsBehind The Stumps
Behind The Stumps
Sabyasachi Chatterjee
 
RTSP Analysis Wireshark
RTSP Analysis WiresharkRTSP Analysis Wireshark
RTSP Analysis Wireshark
Yoss Cohen
 
State of the ATT&CK May 2023
State of the ATT&CK May 2023State of the ATT&CK May 2023
State of the ATT&CK May 2023
Adam Pennington
 
Aruba OS 6.4 User Guide
Aruba OS 6.4 User GuideAruba OS 6.4 User Guide
Aruba OS 6.4 User Guide
Aruba, a Hewlett Packard Enterprise company
 
Guob - MySQL e LGPD
Guob - MySQL e LGPDGuob - MySQL e LGPD
Guob - MySQL e LGPD
Vinicius M Grippa
 
MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019
Yashada Jadhav
 

More Related Content

What's hot

Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by Malware
Tyler Borosavage
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat Security Conference
 
Advanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona ServerAdvanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona Server
Severalnines
 
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma YöntemleriDoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
BGA Cyber Security
 

What's hot (20)

Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by Malware
 
Redo log improvements MYSQL 8.0
Redo log improvements MYSQL 8.0Redo log improvements MYSQL 8.0
Redo log improvements MYSQL 8.0
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
Ccna sv2 instructor_ppt_ch1
Ccna sv2 instructor_ppt_ch1Ccna sv2 instructor_ppt_ch1
Ccna sv2 instructor_ppt_ch1
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Cisco switch commands cheat sheet
Cisco switch commands cheat sheetCisco switch commands cheat sheet
Cisco switch commands cheat sheet
 
Introduction to OpenStack Cinder
Introduction to OpenStack CinderIntroduction to OpenStack Cinder
Introduction to OpenStack Cinder
 
Mimikatz
MimikatzMimikatz
Mimikatz
 
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
 
Advanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona ServerAdvanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona Server
 
Enigma'15 General Quiz Prelims Answers
Enigma'15 General Quiz Prelims AnswersEnigma'15 General Quiz Prelims Answers
Enigma'15 General Quiz Prelims Answers
 
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma YöntemleriDoS ve DDoS Saldırıları ve Korunma Yöntemleri
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logic
 
Hunting rootkits with windbg
Hunting rootkits with windbgHunting rootkits with windbg
Hunting rootkits with windbg
 
Republic day quiz prelims
Republic day quiz prelimsRepublic day quiz prelims
Republic day quiz prelims
 
Cisco acs configuration guide
Cisco acs configuration guideCisco acs configuration guide
Cisco acs configuration guide
 
Behind The Stumps
Behind The StumpsBehind The Stumps
Behind The Stumps
 
RTSP Analysis Wireshark
RTSP Analysis WiresharkRTSP Analysis Wireshark
RTSP Analysis Wireshark
 
State of the ATT&CK May 2023
State of the ATT&CK May 2023State of the ATT&CK May 2023
State of the ATT&CK May 2023
 
Aruba OS 6.4 User Guide
Aruba OS 6.4 User GuideAruba OS 6.4 User Guide
Aruba OS 6.4 User Guide
 

Similar to Enhancing MySQL Security

Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Big Data Spain
 
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
Geir Høydalsvik
 

Similar to Enhancing MySQL Security (20)

Guob - MySQL e LGPD
Guob - MySQL e LGPDGuob - MySQL e LGPD
Guob - MySQL e LGPD
 
MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019
 
Percona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityPercona Live 2019 - MySQL Security
Percona Live 2019 - MySQL Security
 
Percona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLPercona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQL
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Enhancing MySQL Security
Enhancing MySQL SecurityEnhancing MySQL Security
Enhancing MySQL Security
 
Proxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXCProxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXC
 
How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
 
Curso de MySQL 5.7
Curso de MySQL 5.7Curso de MySQL 5.7
Curso de MySQL 5.7
 
DB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLDB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQL
 
MysQL melhores práticas de seguranca
MysQL melhores práticas de segurancaMysQL melhores práticas de seguranca
MysQL melhores práticas de seguranca
 
Securing your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataSecuring your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server data
 
ProxySQL para mysql
ProxySQL para mysqlProxySQL para mysql
ProxySQL para mysql
 
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
 
How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server
 
Mysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 FebMysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 Feb
 
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
 
MySQL NoSQL APIs
MySQL NoSQL APIsMySQL NoSQL APIs
MySQL NoSQL APIs
 

More from Vinicius M Grippa

More from Vinicius M Grippa (6)

MySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfMySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdf
 
PL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptxPL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptx
 
MySQL backup and restore performance
MySQL backup and restore performanceMySQL backup and restore performance
MySQL backup and restore performance
 
Moving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to considerMoving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to consider
 
Cpu analysis with flamegraphs
Cpu analysis with flamegraphsCpu analysis with flamegraphs
Cpu analysis with flamegraphs
 
K8s - Setting up minikube
K8s - Setting up minikubeK8s - Setting up minikube
K8s - Setting up minikube
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Enhancing MySQL Security

  • 1. © 2019 Percona1 Enhancing MySQL Security Vinicius M. Grippa Senior Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com
  • 2. © 2019 Percona2 ▪ Support Engineer at Percona since 2017 ▪ Working with MySQL for over six years ▪ Working with databases for over nine years ▪ Speaker at PL 2018 and meetups about MySQL/MongoDB About Me
  • 3. © 2019 Percona3 Basic Principles • Minimum access • Isolate • Audit • Avoid spying • Default firewall
  • 4. © 2019 Percona4 Agenda ▪ SO/Cloud security ▪ SSL ▪ Password management ▪ Audit plugin ▪ Percona Server encryption features ▪ MySQL 8 features (undo, redo encryption) ▪ TDE ▪ New caching_sha2_password ▪ FIPS mode ▪ Roles
  • 6. © 2019 Percona6 OS/Cloud Security • Uninstall services that are not used • Do not run compilers • Firewalls • Block internet access • Disable remote root login • Use of SSH Key
  • 7. © 2019 Percona7 OS/Cloud Security • Use of Amazon Virtual Private Cloud (VPC) • Use AWS Identity and Access Management (IAM) policies • Use security groups
  • 12. © 2019 Percona12 SSL • Move information over a network in a secure fashion • SSL provides an way to cryptograph the data • Default for MySQL 5.7 or higher • Certificates ▪ MySQL 5.7 • mysql_ssl_rsa_setup ▪ MySQL 5.6 • openssl
  • 13. © 2019 Percona13 mysql > show global variables like '%ssl%'; +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | ca.pem | | ssl_capath | | | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | server-key.pem | +---------------+-----------------+ 9 rows in set (0.03 sec) SSL
  • 14. © 2019 Percona14 SSL mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e "s"| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
  • 15. © 2019 Percona15 It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required SSL
  • 18. © 2019 Percona18 Password Management • Password expiration • validate_password plugin
  • 19. © 2019 Percona19 Password Expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.
  • 20. © 2019 Percona20 Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1;
  • 21. © 2019 Percona21 Password Expiration mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
  • 22. © 2019 Percona22 validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password.
  • 23. © 2019 Percona23 validate_plugin - Installing # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so
  • 24. © 2019 Percona24 validate_plugin - Validate mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec)
  • 25. © 2019 Percona25 validate_plugin - Example mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec)
  • 26. © 2019 Percona26 validate_plugin - Example mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec)
  • 28. © 2019 Percona28 Audit Plugin ▪ MySQL Enterprise – Paid ▪ Percona Server (works with community version) – Free ▪ It is different from general log ▪ Filter by command / user / database
  • 29. © 2019 Percona29 Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+
  • 30. © 2019 Percona30 Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10
  • 31. © 2019 Percona31 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | |
  • 32. © 2019 Percona32 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec)
  • 33. © 2019 Percona33 Percona Server Encryption Features
  • 34. © 2019 Percona34 Percona Server Encryption Percona server provides extra encryption: • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables – BETA quality • innodb_parallel_dblwr_encrypt – ALPHA quality • innodb_sys_tablespace_encrypt – ALPHA quality • innodb_temp_tablespace_encrypt – BETA quality
  • 35. © 2019 Percona35 Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binlog_checksum = 1 mysql: root@localhost ((none)) > show global variables like '%encrypt_binlog%'; +----------------+-------+ | Variable_name | Value | +----------------+-------+ | encrypt_binlog | ON | +----------------+-------+ 1 row in set (0.00 sec)
  • 36. © 2019 Percona36 Percona Server Encryption mysql: root@localhost ((none)) > show global variables like '%encrypt%'; +----------------------------------+-------------+ | Variable_name | Value | +----------------------------------+-------------+ | block_encryption_mode | aes-128-ecb | | encrypt_binlog | ON | | encrypt_tmp_files | OFF | | innodb_encrypt_online_alter_logs | OFF | | innodb_encrypt_tables | OFF | | innodb_parallel_dblwr_encrypt | OFF | | innodb_sys_tablespace_encrypt | OFF | | innodb_temp_tablespace_encrypt | OFF | +----------------------------------+-------------+ 8 rows in set (0.00 sec)
  • 37. © 2019 Percona37 MySQL 8 Features (undo, redo encryption)
  • 38. © 2019 Percona38 MySQL 8 - (undo, redo encryption) ▪ MySQL 8 extends tablespace encryption feature to redo log and undo log ▪ It is necessary using one of the Keyring plugins
  • 39. © 2019 Percona39 MySQL 8 - (undo, redo encryption) The process is very straightforward, to enable the encryption on the redo log and the undo log: mysql> set global innodb_undo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> set global innodb_redo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> show global variables like '%log_encrypt%'; +-------------------------+-------+ | Variable_name | Value | +-------------------------+-------+ | innodb_redo_log_encrypt | ON | | innodb_undo_log_encrypt | ON | +-------------------------+-------+ 2 rows in set (0.00 sec)
  • 40. © 2019 Percona40 Transparent Data Encryption(TDE)
  • 41. © 2019 Percona41 Transparent Data Encryption (TDE) • Enables data-at-rest encryption in the database • Encryption and decryption occurs without any additional coding, data type or schema modifications
  • 42. © 2019 Percona42 Transparent Data Encryption (TDE) [mysqld] # TDE early-plugin-load=keyring_file.so keyring-file-data=/var/lib/mysql-keyring/keyring mysql: root@localhost ((none)) > INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so'; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | | keyring_udf | ACTIVE | +--------------+---------
  • 43. © 2019 Percona43 Transparent Data Encryption (TDE) mysql: root@localhost ((none)) > SELECT keyring_key_generate('MyKey', 'AES', 32); +------------------------------------------+ | keyring_key_generate('MyKey', 'AES', 32) | +------------------------------------------+ | 1 | +------------------------------------------+ 1 row in set (0.00 sec) mysql> CREATE TABLESPACE `amer_meeting1` ADD DATAFILE 'amer_meeting1.ibd' ENCRYPTION = 'Y' Engine=InnoDB; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='N'; ERROR 1478 (HY000): InnoDB: Tablespace `vgrippa` can contain only an ENCRYPTED tables. mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='Y'; Query OK, 0 rows affected (0.02 sec)
  • 44. © 2019 Percona44 Transparent Data Encryption (TDE) A flag field in the INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES has bit number 13 set if tablespace is encrypted. mysql: root@localhost (test) > SELECT space, name, flag, (flag & 8192) != 0 AS encrypted FROM INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES WHERE name in ('vgrippa'); +-------+---------+-------+-----------+ | space | name | flag | encrypted | +-------+---------+-------+-----------+ | 156 | vgrippa | 10240 | 1 | +-------+---------+-------+-----------+ 1 row in set (0.00 sec)
  • 46. © 2019 Percona46 caching_sha2_password MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords: • sha256_password: Implements basic SHA-256 authentication • caching_sha2_password: Implements SHA-256 authentication (like sha256_password), but uses caching on the server side for better performance and has additional features for wider applicability. (In MySQL 5.7, caching_sha2_password is implemented only on the client)
  • 47. © 2019 Percona47 caching_sha2_password mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec) mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec)
  • 48. © 2019 Percona48 caching_sha2_password mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+----------------------------- --------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+----------------------------- --------------+ | vgrippa | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | | vgrippa1 | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | +----------+-----------+-----------------------+----------------------------- --------------+ 2 rows in set (0.00 sec)
  • 49. © 2019 Percona49 Example # MySQL 8 [mysqld] default_authentication_plugin=caching_sha2_password mysql> CREATE USER 'sha2user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password'; Query OK, 0 rows affected (0.06 sec) mysql> select user,host, plugin from mysql.user where user like 'sha2user%'; +----------+-----------+-----------------------+ | user | host | plugin | +----------+-----------+-----------------------+ | sha2user | localhost | caching_sha2_password | +----------+-----------+-----------------------+ 1 row in set (0.00 sec)
  • 50. © 2019 Percona50 Example mysql: root@localhost ((none)) > create user vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost ((none)) > create user vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec)
  • 51. © 2019 Percona51 Example mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | vgrippa | localhost | caching_sha2_password | $A$005$)8?=V_"J75FFq |jUVMUZmnZ1t8aSybB4AISoj1MXdlseI0rQay6bGGlne8 | | vgrippa1 | localhost | caching_sha2_password | $A$005$zEZ;bEmj[hq1T!LFtqZzAB0hacxgwNfHM/gL6gBFHqY1wuozW2NO4Gj9958 | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ 2 rows in set (0.01 sec)
  • 53. © 2019 Percona53 FIPS • MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module are available at runtime • FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server. FIPS mode also applies to attempts by clients to connect to the server
  • 54. © 2019 Percona54 Example mysql> show global variables like '%fips%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | ssl_fips_mode | ON | +---------------+-------+ 1 row in set (0.01 sec) mysql> set global ssl_fips_mode=1; Query OK, 0 rows affected (0.06 sec)
  • 55. © 2019 Percona55 Example mysql> select md5('a'); +----------------------------------+ | md5('a') | +----------------------------------+ | 00000000000000000000000000000000 | +----------------------------------+ 1 row in set, 1 warning (0.00 sec)
  • 56. © 2019 Percona56 Example mysql> show warnings; +---------+-------+------------------------------------------------------------------- -----+ | Level | Code | Message | +---------+-------+------------------------------------------------------------------- -----+ | Warning | 11272 | SSL fips mode error: FIPS mode ON/STRICT: MD5 digest is not supported. | +---------+-------+------------------------------------------------------------------- -----+ 1 row in set (0.00 sec)
  • 57. © 2019 Percona57 Example mysql> select sha2('a', 256); +------------------------------------------------------------------+ | sha2('a', 256) | +------------------------------------------------------------------+ | ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb | +------------------------------------------------------------------+ 1 row in set (0.00 sec)
  • 59. © 2019 Percona59 Roles ● MySQL 8 comes with Roles feature. A role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them. 59
  • 60. © 2019 Percona60 Roles mysql> create role app_read; Query OK, 0 rows affected (0.03 sec) mysql> grant select on *.* to app_read; Query OK, 0 rows affected (0.04 sec) 60
  • 61. © 2019 Percona61 Roles mysql> select * from app_db.joinit; ERROR 1142 (42000): SELECT command denied to user 'test_role'@'localhost' for table 'joinit' mysql> SELECT CURRENT_ROLE(); +----------------+ | CURRENT_ROLE() | +----------------+ | NONE | +----------------+ 1 row in set (0.00 sec) 61
  • 62. © 2019 Percona62 Roles mysql> SET ROLE all; Query OK, 0 rows affected (0.00 sec) mysql> SELECT CURRENT_ROLE(); +-------------------------------------------------------+ | CURRENT_ROLE() | +-------------------------------------------------------+ | `app_read`@`%`,`app_write`@`%`,`app_read`@`localhost` | +-------------------------------------------------------+ 1 row in set (0.00 sec) mysql> select * from app_db.joinit; 62
  • 63. © 2019 Percona63 Roles It is possible to use activate_all_roles_on_login to activate all roles granted to each account at login time. 63
  • 64. © 2019 Percona64 References # SO/Cloud security https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html # Audit log https://www.percona.com/blog/2015/09/10/percona-server-audit-log-plugin-best-practices/ #caching_sha2_password https://dev.mysql.com/doc/refman/5.7/en/caching-sha2-pluggable-authentication.html # SSL https://www.percona.com/blog/2013/06/22/setting-up-mysql-ssl-and-secure-connections/#setup https://www.percona.com/blog/2013/10/10/mysql-ssl-performance-overhead/ # TDE https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html#usage https://dev.mysql.com/doc/refman/5.7/en/keyring-file-plugin.html # Roles https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_activate_all_roles_on _login https://dev.mysql.com/doc/refman/8.0/en/roles.html # Password management https://dev.mysql.com/doc/refman/5.7/en/password-management.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-installation.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html # FIPS https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html # Percona Server 8.0 Alpha release https://www.percona.com/blog/2018/09/27/announcement-alpha-build-of-percona-server-8-0/ # MySQL 8 redo and undo encryption https://dev.mysql.com/doc/refman/8.0/en/innodb-tablespace-encryption.html#innodb-tablespace-encr yption-about 64