MariaDB Security Features: Audit Plugin, Authentication and Roles

© MariaDB Corporation Ab MariaDB Roadshow 2015 MariaDB Security Anders Karlsson

Post on 23-Jul-2015

TRANSCRIPT

Page 1: MariaDB Security features: Audit Plugin, Authentication and Roles

© MariaDB Corporation Ab

MariaDB Roadshow 2015

MariaDB Security

Anders Karlsson

Page 2

MariaDB Security

• Authentication Plugins

• Encryption

• User Roles

• Password Validation Plugins

• Audit Plugin

• Security Notifications

Page 3

Before we talk about Plugins

• After installing MariaDB run

shell> mysql_secure_installation

• You can

• set a password for root accounts.

• remove root accounts that are accessible from outside the local host.

• remove anonymous-user accounts.

• remove the test database, which by default can be accessed by anonymous users.

Page 4

MariaDB Security

Authentication Plugins

Page 5

PAM Authentication

• Authentication using /etc/shadow

• Authentication using LDAP, SSH pass phrases, password expiration, username mapping, logging every login attempt, etc…

• INSTALL PLUGIN pam SONAME 'auth_pam.so';

• CREATE USER foo@host IDENTIFIED VIA pam;

• REMEMBER to configure PAM (/etc/pam.d or /etc/pam.conf)

• https://mariadb.com/kb/en/pam-authentication-plugin/

Page 6

Kerberos authentication plugin

(Diagram: Client, KDC and MariaDB)

1. Client → KDC: ticket request

2. KDC → Client: service ticket

3. Client → MariaDB: "Here is my service ticket, authenticate me"

4. Client / Server session

• GSS-API on Linux

• Red Hat Directory Server

• OpenLDAP

• SSPI on Windows

• Active Directory

Page 7

MariaDB Security

Encryption

Page 8

Data Encryption

• Encrypts complete tablespaces

• Optional per-table encryption possible with --innodb-file-per-table

• Can also encrypt

• InnoDB log files

• ARIA tables

• Temporary tables

• Independently contributed by Google and Eperi GmbH

Page 9

Configure Key Management

• Load Key Management Plugin

• plugin-load-add=file_key_management

• Choose encryption algorithm, e.g. aes_cbc

• file-key-management-encryption-algorithm=aes_cbc

• Set location of key file

• file-key-management-filename=/mnt/dfs/keys.txt

• Create keys

Page 10

Activate Encryption

• Specify what to encrypt

• innodb-encrypt-tables=ON (or OFF / FORCE)

• aria-encrypt-tables

• encrypt-tmp-disk-tables

• innodb-encrypt-log

Page 11

Without Table Level Encryption

28/05/2015 11

CREATE TABLE names (

id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,

name VARCHAR(255) DEFAULT NULL);

INSERT INTO names VALUES(NULL, 'James Bond');

INSERT INTO names VALUES(NULL, 'Felix Leiter');

INSERT INTO names VALUES(NULL, 'Modesty Blaise');

$ sudo strings -n 10 data/test/names.ibd

James Bond

Felix Leiter

Modesty Blaise

Page 12

With table encryption


SET GLOBAL innodb_encrypt_tables = ON;

CREATE TABLE secret_names (

id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,

name VARCHAR(255) DEFAULT NULL);

INSERT INTO secret_names VALUES(NULL, 'James Bond');

INSERT INTO secret_names VALUES(NULL, 'Felix Leiter');

INSERT INTO secret_names VALUES(NULL, 'Modesty Blaise');

$ sudo strings -n 10 data/test/secret_names.ibd

B"u::XiXD=`

Page 13

Skip encrypting a single table


CREATE TABLE open_names (

id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,

name VARCHAR(255) DEFAULT NULL) encrypted=no;

INSERT INTO open_names VALUES(NULL, 'John Carpenter');

INSERT INTO open_names VALUES(NULL, 'Dave Clark');

INSERT INTO open_names VALUES(NULL, 'John Irving');

$ sudo strings -n 10 data/test/open_names.ibd

John Carpenter

Dave Clark

John Irving

Page 14

Performance Impact of Data Encryption

(Figure: TPC-C like OLTP benchmark showing the impact of encryption)

Page 15

Performance Impact of Data Encryption

(Figure: New Order transactions/second, benchmark showing the impact of encryption)

Page 16

Deleted Data Encryption

• Scrubbing

• Background threads periodically scan tablespaces and logs and overwrite all data that should be deleted.

• More info:

https://mariadb.com/kb/en/mariadb/xtradb-innodb-data-scrubbing/

Page 17

MariaDB Security

User Roles

Page 18

Role-Based Access Control

(Diagram: Role-Based Access Control in MariaDB 10. Roles DBA, Developer and Sysadmin are granted permissions on the database and its tables; example Role: DBA with Permissions: Update Schema, View Statistics, Create Database.)

Page 19

Roles

CREATE ROLE journalist;

GRANT SHOW DATABASES ON *.* TO journalist;

GRANT ALL ON db1.* TO journalist;

GRANT journalist TO user1;

SET DEFAULT ROLE journalist;

https://mariadb.com/kb/en/mariadb/roles-overview/

Page 20

MariaDB Security

Password Validation Plugins

Page 21

Password validation plugins

• Password validation plugin API

• https://mariadb.com/kb/en/password-validation/

• simple_password_check plugin

• Can enforce a minimum password length and guarantee that a password contains at least a specified number of upper and lowercase letters, digits, and punctuation characters

• https://mariadb.com/kb/en/simple_password_check/

• cracklib_password_check plugin

• A widely used library

• Stops users from choosing easy-to-guess passwords; includes checks that reject passwords based on the username or a dictionary word, etc.

• https://mariadb.com/kb/en/cracklib_password_check/

Page 22

Simple password validation

INSTALL PLUGIN simple_password_check SONAME 'simple_password_check.so';

SET PASSWORD = PASSWORD('pwd');

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

SET PASSWORD = PASSWORD('AaBbCc$1');

Query OK, 0 rows affected (0.00 sec)
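The policy behind the error above can be reproduced offline so that candidate passwords are checked before they are sent to the server. This is an added example, not the plugin's code; it assumes the plugin's default thresholds (minimal length 8, one digit, one upper- and one lower-case letter, one other character), and the Policy class and check_password function are names chosen here.

```python
# Added example (not the plugin's code): the simple_password_check policy
# re-implemented for offline testing. Thresholds mirror the plugin's system
# variables; the defaults below are assumed to be unchanged on the server.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    minimal_length: int = 8     # simple_password_check_minimal_length
    digits: int = 1             # simple_password_check_digits
    letters_same_case: int = 1  # simple_password_check_letters_same_case: this many upper AND lower
    other_characters: int = 1   # simple_password_check_other_characters: neither letter nor digit


def check_password(password: str, policy: Policy = Policy()) -> list[str]:
    """Return the policy violations; an empty list means the password is accepted."""
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    digits = sum(c.isdigit() for c in password)
    other = sum(not c.isalnum() for c in password)
    violations = []
    if len(password) < policy.minimal_length:
        violations.append(f"length {len(password)} < {policy.minimal_length}")
    if digits < policy.digits:
        violations.append(f"digits {digits} < {policy.digits}")
    if upper < policy.letters_same_case:
        violations.append(f"upper-case letters {upper} < {policy.letters_same_case}")
    if lower < policy.letters_same_case:
        violations.append(f"lower-case letters {lower} < {policy.letters_same_case}")
    if other < policy.other_characters:
        violations.append(f"other characters {other} < {policy.other_characters}")
    return violations


if __name__ == "__main__":
    # Same two passwords as the slide: the first fails, the second is accepted.
    for pw in ("pwd", "AaBbCc$1"):
        print(pw, "->", "; ".join(check_password(pw)) or "accepted")
```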

Page 23

MariaDB Security

Audit Plugin

Page 24

Why is auditing needed?

• Monitoring System Access

• Locating Errors

• Discovering Fraud

• Improvement of Internal Control

• Proving the fulfillment of security standards

• And more

Page 25

What to Monitor

• CONNECTION

• CONNECT

• DISCONNECT

• FAILED CONNECT

• QUERY

• DDL

• DML+TCL

• DCL

• OBJECT

• DATABASE

• TABLES

• Common attributes: TIMESTAMP, HOST, USER, (SESSION)

Page 26

MariaDB Audit Plugin

• Open Source

• Support available

• Auditing to

• File (comma delimited format)

• Syslog

• Modified Plugin API in MariaDB

• Audit Plugin compatible with MySQL Server

• Allows monitoring of table-level events (MariaDB)

Page 27

MariaDB Audit Plugin

• Load plugin via SQL command or my.cnf

INSTALL PLUGIN server_audit SONAME 'server_audit.so';

[mysqld]

plugin-load=server_audit=server_audit.so

• Enable Auditing (server_audit_logging is a global variable)

SET GLOBAL server_audit_logging = ON;

Page 28

MariaDB Audit Plugin Log Example for CONNECT

20130810 00:05:30,SkySQLNode1,root,MariaDBMgr,2,0,CONNECT,db1,,0

20130810 00:05:53,SkySQLNode1,root,MariaDBMgr,2,0,DISCONNECT,,,0

20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,FAILED_CONNECT,,,1045

20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,DISCONNECT,,,0

(Columns annotated on the slide: Server host, User, Client host, Session ID, DB opened on connect, Failed connect with error code)
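To make log lines like these actionable, here is an added example (not MariaDB's or the plugin's code) that parses the comma-delimited file format above and counts failed connects per user and client host. The QUERY line in the sample is constructed, and the AuditEvent class and the function names are assumptions made here.

```python
# Added example (not MariaDB's or the plugin's code): parse the comma-delimited
# audit file and count failed logins per source. Field order follows the slide:
# timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
from __future__ import annotations
import csv
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the four lines from the slide plus one QUERY line
# (also constructed) whose single-quoted query text contains a comma.
SAMPLE_LOG = """\
20130810 00:05:30,SkySQLNode1,root,MariaDBMgr,2,0,CONNECT,db1,,0
20130810 00:05:31,SkySQLNode1,root,MariaDBMgr,2,1,QUERY,db1,'SELECT id, name FROM names',0
20130810 00:05:53,SkySQLNode1,root,MariaDBMgr,2,0,DISCONNECT,,,0
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,FAILED_CONNECT,,,1045
20130810 00:06:28,SkySQLNode1,unknownuser,MariaDBMgr,3,0,DISCONNECT,,,0
"""

@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    serverhost: str
    username: str
    host: str           # client host
    connection_id: int
    query_id: int
    operation: str      # CONNECT, DISCONNECT, FAILED_CONNECT, QUERY, ...
    database: str
    obj: str            # query text for QUERY events, table name for object events
    retcode: int        # 0 on success, else the MySQL error code (1045 = access denied)

def parse_audit_log(text: str) -> list[AuditEvent]:
    """Parse file-format lines; the query text is single-quoted and may contain commas."""
    reader = csv.reader(text.splitlines(), quotechar="'", escapechar="\\", doublequote=False)
    events = []
    for row in reader:
        if len(row) != 10:
            continue  # blank or truncated line: skip it rather than abort the whole scan
        ts, srv, user, host, cid, qid, op, db, obj, rc = row
        events.append(AuditEvent(ts, srv, user, host, int(cid), int(qid), op, db, obj, int(rc)))
    return events

def failed_connects(events: list[AuditEvent]) -> Counter:
    """Count FAILED_CONNECT events per (username, client host) pair."""
    return Counter((e.username, e.host) for e in events if e.operation == "FAILED_CONNECT")

def suspicious_sources(events: list[AuditEvent], threshold: int = 5) -> list[tuple[str, str]]:
    """(username, host) pairs with at least `threshold` failed connects: candidates for alerting."""
    return [src for src, n in failed_connects(events).items() if n >= threshold]
```

The same parser works on the syslog output once the syslog prefix is stripped, since the field list after it is identical.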

Page 29

MariaDB Security

Security Notifications

Page 30

MariaDB Security Vulnerability Process

• Disclosure of a MariaDB Security Vulnerability

• Handling of MySQL Security Vulnerabilities

• MariaDB Security Listings

• Full list of security fixes https://mariadb.org/security

• Security fixes in 10.0: https://mariadb.com/kb/en/mariadb/what-is-mariadb-100

• Release notes also have a specific list for security fixes

• Informing customers about fixed security vulnerabilities

Page 31

The question is not “What is the answer?”, the question is “What is the question?”.

Henri Poincaré

Questions? Answers!