The document provides guidance on securing MySQL deployments. It outlines steps to harden a MySQL installation after installation, including running mysql_secure_installation, generating SSL keys, enabling query logging and backups. It also recommends removing unnecessary accounts and plugins. Additional security measures discussed include using SSL, external authentication, and login paths. The document notes new security features in MySQL 5.7 such as an audit log plugin and automatic password expiration.

1. Protect Your Server
Dos and Don’ts of secure MySQL
Deployment.

2. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.2
The following is intended to outline our general product direction. It is intended
for information purposes only, and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or functionality, and should
not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.

3. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.3
Agenda
 The post-install situation
 How to harden it ?
 More security
 Security related changes in MySQL 5.7

4. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.4
• Former banking IT Manager
• Veteran software developer
• Leading the MySQL Server General
development team
• Been with MySQL since 2006
• Regular MySQL conference speaker
About Me

5. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.5
The Post-Install Situation :
MySQL Server security in
OpenSuse 13.1

6. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.6
The Good News

7. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.7
MySQL 5.6.12
The Good News
 Only 5 MRUs away from dev.mysql.com/downloads !
– New authentication method sha256_password
– Manual password expiration : ALTER USER EXPIRE
– Password strength verification plugin and API
– Login paths
– Support SSL CRLs and key files with pass phrases
– Use SSL library’s random generator
– Obfuscate passwords in logs

8. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.8
Installation Layout
 MySQL server service not on by default
 Separate mysql-community-server-test rpm
 Separate mysql-community-server-tools rpm
 No pre-packaged database
 No remote access by default
The Good News

9. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.9
The Not So Good News

10. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.10
MySQL 5.6.12
 3 CPUs and 24 CVE reported security bugs away from 5.6.15 (last
CVE)
 More than 500 other bugs away from 5.6.18 (current)
 Lacks the advanced AES function modes
The Not So Good News

11. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.11
Installation layout
 mysql_secure_installation not run
– Anybody can connect as root
– Anonymous access to the server allowed
– No password strength checks
– Empty passwords for the default accounts
– Anybody gets full access to the test database
 mysql_config_editor not in mysql-community-server-client
The Not So Good News

12. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.12
Installation layout. Continued.
 Federated plugin installed by default
 Archive plugin actually not needed (error on startup)
 Some testing only authentication plugins installed by mysql-
community-server
 No SSL certificates. Even self-signed ones
 secure_file_priv set to NULL
– grants SQL read and write access to the full OS file system
The Not So Good News

13. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.13
Installation layout. The Sequel.
 sha256_password plugin under-configured: no RSA keys
 No query logging: neither audit nor query log
 mysqld listens on all network interfaces
The Not So Good News

14. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.14
Random (Not So) Funny Story
Recognize the pattern ?
New
Code

15. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.15
WHAT YOU GET IS
A DEVELOPMENT
INSTALLATION !

16. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.16
How to Harden Your MySQL
installation ?

17. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.17
Post Server Installation
 Run mysql_secure_installation ! Now !
 Review and restrict the network interfaces that the server listens on
 Generate SSL keys and make sure the server can “talk” SSL
 Enable query logging. Create a log backup policy.
 Remove extra user accounts and privileges
 Remove unneeded files and packages
 Schedule regular backups !
Hardening your MySQL installation

18. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.18
Post Application(s) Installation
 Remove extra user accounts. Restrict the remaining ones
 Review and maximally restrict the grants
 Make sure the user accounts authenticate using a reliable method
 Clean up extra temp files
 Make sure backups are still on and cover the new objects
 Remove unneeded files and packages
 Audit the server configuration for changes. Revert the bogus ones
Hardening your MySQL installation

19. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.19
Daily MySQL Use
 Keep your installation up to date
 Monitor your server logs. Set alerts for “unusual” patterns.
 Monitor security related stats. Set alerts for “unusual” patterns.
 Monitor the server configuration.
 Monitor and verify the backups and their integrity
 Regularly probe your “defenses” by trying bad things on purpose
 Perform regular emergency drills
 Set procedures on maintaining your user account base
Hardening your MySQL installation

20. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.20
More Security

21. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.21
Harden your MySQL Server Instance
 Consider turning off TCP/IP if your setup allows it
 Use and enforce SSL if you need TCP/IP
– Even self-signed will do. Part of PKI is better
 Use SSL certificate requirements for users
– GRANT … TO …. REQUIRE [CIPHER | ISSUER | SUBJECT] …
 Be careful with your directories
– tmpdir, datadir, secure-file-priv, plugin-dir
Additional steps

22. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.22
Harden your MySQL Server Instance
 Monitor and keep the logs
– Consider using an auditing plugin
– put extra protection on sensitive tables: custom logging triggers etc
 Consider using external authentication
– PAM, LDAP, windows domain
 Harden your password policy
– MySQL has a plugin for that !
 Use login paths for your scripts
Even more steps

23. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.23
Harden your MySQL Server Instance
Parameter Recommended Value
secure_file_priv Designated directory
symbolic_links Boolean NO
default-storage-engine InnoDB
general-log Boolean ON
log-raw Default : OFF
skip-networking ON, if you can afford it.
ssl options Set to valid values
Useful parameters to set

24. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.24
Harden your MySQL Server Instance
Parameter Recommended Value
plugin-dir Designated read-only directory
chroot Designated directory, if you can afford it
core-file OFF
des-key-file File with DES keys
read_only ON for slaves !
sha256_password RSA key RSA public private keys if can’t use SSL
tmpdir Designated directory out of secure-file-priv
Useful parameters to set

25. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.25
New Security Features in
MySQL 5.7 DMRs

26. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.26
Security Features in 5.7 DMRs
 Audit log plugin works with Audit Vault
 Login paths and mysql_config_editor
 --syslog option to mysql
 Mark mysql_old_password (pre- 4.1 password format) as deprecated
5.7.1: 23 April 2013

27. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.27
Security Features in 5.7 DMRs
 Require explicit authentication plugin for all user accounts
 Rewrite mysql_secure_installation to C and harden it
– Enables password strength validation
– Generates random password for root and marks it as expired
– Restricts the root user so it can login only from localhost
 Deprecate ENCODE()/DECODE()
 --error-log-verbosity control
 Client side protocol tracing plugins in libmysql
5.7.2: 21 Sep 2013

28. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.28
Security Features in 5.7 DMRs
 Redefine the meaning of the –ssl option
– --ssl on the client enforces SSL now
– Other –ssl options enable ssl, but not enforce it
 Proper connection state reset : mysql_reset_connection()
5.7.3: 3 Dec 2013

29. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.29
Security Features in 5.7 DMRs
 RPM packages secure by default
– The effect of mysql_secure_installation by default
– Separate packages for non-essential tools and utilities
 Automatic timed password expiration
– Per site and per user
 AES_ENCRYPT()/AES_DECRYPT() now support block modes and
larger key sizes
 Strong crypto random SQL function added: RANDOM_BYTES()
5.7.4: 31 Mar 2014

30. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.30
Questions ? Suggestions ?

31. Copyright © 2014, Oracle and/or its affiliates. All rights reserved.31