Better encryption & security with MariaDB 10.1 & MySQL 5.7

MariaDB (MySQL) Security
Essentials (aka better encryption
& security w/MariaDB 10.1)
Colin Charles, Team MariaDB, MariaDB Corporation
colin@mariadb.org / byte@bytebot.net
http://bytebot.net/blog/ | @bytebot on Twitter
NYC MySQL Meetup Group, New York, USA
9 September 2015

whoami
• Work on MariaDB at MariaDB Corporation (SkySQL
Ab)
• Merged with Monty Program Ab, makers of MariaDB
• Formerly MySQL AB (exit: Sun Microsystems)
• Past lives include Fedora Project (FESCO),
OpenOfﬁce.org
• MySQL Community Contributor of the Year Award
winner 2014

Historically…
• No password for the ‘root’ user
• There is a default ‘test’ database
• Find a password from application config files (wp-
config.php, drupal’s settings.php, etc.)
• Are your datadir permissions secure (/var/lib/
mysql)?
• can you run strings mysql/user.MYD ?

More things to think about
• Does replication connection have global
permissions?
• If you can start/stop mysqld process, you can
reset passwords
• Can you edit my.cnf? You can run a SQL ﬁle
when mysqld starts with init-ﬁle

sql_mode
• 5.6 default = NO_ENGINE_SUBSTITUTION
• SQL_MODE = STRICT_ALL_TABLES,
NO_ENGINE_SUBSTITUTION
• Keeps on improving, like deprecating
NO_ZERO_DATE, NO_ZERO_IN_DATE (5.6.17)
and making it part of strict mode

mysql_secure_installation
• Pretty basic to run, but many don’t
• Remove anonymous users
• Remove test database
• Remove non-localhost root users
• Set a root password

Creating users
• The lazy way
• CREATE USER ‘foo’@‘%’;
• GRANT ALL ON *.* TO ‘foo’@‘%’;
• The above gives you access to all tables in all
databases + access from any external location
• ALL gives you a lot of privileges, including
SHUTDOWN, SUPER, CHANGE MASTER, KILL,
USAGE, etc.

SUPER privileges
• Can bypass a read_only server
• Can bypass init_connect
• Can disable binary logging
• Can dynamically change conﬁguration
• Reached max_connections? Can still make one
connection
• https://dev.mysql.com/doc/refman/5.6/en/privileges-
provided.html#priv_super

So… only give users what
they need
• CREATE USER ‘foo’@‘localhost’ IDENTIFIED by
‘password’;
• GRANT CREATE, SELECT, INSERT, UPDATE,
DELETE on db.* to ‘foo’@‘localhost’;

And when it comes to
applications…
• Viewer? (read only access only)
• SELECT
• User? (read/write access)
• SELECT, INSERT, UPDATE, DELETE
• DBA? (provide access to the database)
• CREATE, DROP, etc.

Installation
• Using your Linux distribution… mostly gets you MariaDB when you
ask for mysql-server
• Except on Debian/Ubuntu
• However, when you get mariadb-server, you get an
authentication plugin — auth_socket for “automatic logins”
• You are asked by debhelper to enter a password
• You can use the APT/YUM repositories from Oracle MySQL,
Percona or MariaDB
• Don’t disable SELinux: system_u:system_r:mysqld_t:s0

Enable log-warnings
• Enable —log_warnings=2
• Can keep track of access denied messages
• Worth noting there are differences here in MySQL &
MariaDB
• https://dev.mysql.com/doc/refman/5.6/en/server-
options.html#option_mysqld_log-warnings
• https://mariadb.com/kb/en/mariadb/server-system-
variables/#log_warnings

MySQL 5.6 improvements
• Password expiry
• ALTER USER 'foo'@'localhost' PASSWORD
EXPIRE;
• https://dev.mysql.com/doc/refman/5.6/en/
password-expiration-sandbox-mode.html
• Password validation plugin
• VALIDATE_PASSWORD_STRENGTH()

MySQL 5.6 II
• mysql_config_editor - store authentication
credentials in an encrypted login path ﬁle
named .mylogin.cnf
• http://dev.mysql.com/doc/refman/5.6/en/mysql-
conﬁg-editor.html
• Random ‘root’ password on install
• mysql_install_db —random-passwords stored in
$HOME/.mysql_secret

MySQL 5.7
• Improved password expiry — automatic password
expiration available, so set
default_password_lifetime in my.cnf
• You can also require password to be changed every n-
days
• ALTER USER ‘foo'@'localhost' PASSWORD EXPIRE
INTERVAL n DAY;
• There is also account locking/unlocking now
• ACCOUNT LOCK/ACCOUNT UNLOCK

SSL
• You’re using the cloud and you’re using
replication… you don’t want this in cleartext
• Setup SSL (note: yaSSL vs OpenSSL can cause
issues)
• https://dev.mysql.com/doc/refman/5.6/en/ssl-
connections.html
• Worth noting 5.7 has a new tool:
mysql_ssl_rsa_setup

Initialise data directory using
mysqld now
• mysql_install_db is deprecated in 5.7
• mysqld itself handles instance initialisation
• mysqld —initialize
• mysqld —initialize-insecure

MariaDB passwords
• Password validation plugin (ﬁnally) exists now
• https://mariadb.com/kb/en/mariadb/development/mariadb-
internals-documentation/password-validation/
• simple_password_check password validation plugin
• can enforce a minimum password length and guarantee that a
password contains at least a speciﬁed number of uppercase
and lowercase letters, digits, and punctuation characters.
• cracklib_password_check password validation plugin
• Allows passwords that are strong enough to pass CrackLib test.
This is the same test that pam_cracklib.so does

What you do today
• MySQL stores accounts in the user table of the
my mysql database
• CREATE USER ‘foo’@‘localhost’
IDENTIFIED BY ‘password’;

Subtle difference w/MariaDB
& MySQL usernames
• Usernames in MariaDB > 5.5.31? 80 character limit (which you
have to reload manually)
create user
'long12345678901234567890'@'localhost'
identified by 'pass';
Query OK, 0 rows affected (0.01 sec)
vs
ERROR 1470 (HY000): String
'long12345678901234567890' is too long for user
name (should be no longer than 16)

Installing plugins
• MariaDB: INSTALL SONAME ‘auth_socket’
• MySQL: INSTALL PLUGIN auth_socket
SONAME ‘auth_socket.so’

auth_socket
• Authenticates against the Unix socket ﬁle
• Uses so_peercred socket option to obtain
information about user running client
• CREATE USER ‘foo’@‘localhost’
IDENTIFIED with auth_socket;
• Refuses connection of any other user but foo
from connecting

sha256_password
• Default in 5.6, needs SSL-built MySQL (if using it, best to set it
in my.cnf)
• default-authentication-plugin=sha256_password
• Default SSL is yaSSL, but with OpenSSL you get RSA
encryption
• client can transmit passwords to RSA server during
connection
• There exists key paths for private/public keys
• Passwords never exposed as cleartext when connecting

PAM Authentication
• MySQL PAM
• Percona PAM (auth_pam & auth_pam_compat)
• MariaDB PAM (pam)

Let’s get somethings out of
the way
• PAM = Pluggable Authentication Module
• Use pam_ldap to to authenticate credentials
against LDAP server — conﬁgure /etc/
pam_ldap.conf (you also obviously need /etc/
ldap.conf)
• Simplest way is of course /etc/shadow auth

Percona Server
INSTALL PLUGIN auth_pam SONAME ‘auth_pam.so';
CREATE USER byte IDENTIFIED WITH auth_pam;
In /etc/pam.d/mysqld:
auth required pam_warn.so
auth required pam_unix.so audit
account required pam_unix.so audit

MariaDB
INSTALL SONAME ‘auth_pam’;
CREATE USER byte IDENTIFIED via pam USING
‘mariadb’;
Edit /etc/pam.d/mariadb:
auth required
pam_unix.so
account required
pam_unix.so

For MySQL compatibility
• Just use —pam-use-cleartext-plugin for
MySQL to use mysql_cleartext_password
instead of dialog plugin

Possible errors
• Connectors don’t support it:
• Client does not support authentication
protocol requested by server; consider
upgrading MySQL client.
• You may have to re-compile connector using
libmysqlclient to have said support

Kerberos
• Every participant in authenticated communication is
known as a ‘principal’ (w/unique name)
• Principals belong to administrative groups called
realms. Kerberos Distribution Centre maintains a
database of principal in realm + associated secret keys
• Client requests a ticket from KDC for access to a
speciﬁc asset. KDC uses the client’s secret and the
server’s secret to construct the ticket which allows the
client and server to mutually authenticate each other,
while keeping the secrets hidden.

MariaDB Kerberos plugin
• User principals: <username>@<KERBEROS
REALM>
• CREATE USER 'byte' IDENTIFIED VIA
kerberos AS ‘byte/mariadb@lp';
• so that is <username>/
<instance>@<KERBEROS REALM>
• Store Service Principal Name (SPN) is an option in
a conﬁg ﬁle

Works where?
• GSSAPI-based Kerberos widely used &
supported on Linux
• Windows supports SSPI authentication and the
plugin supports it
• Comes in 10.1
• Works with the MariaDB Java Client only at the
moment

5.7 mysql_no_login
• mysql_no_login - prevents all client connections
to an account that uses it
• https://dev.mysql.com/doc/refman/5.7/en/mysql-
no-login-plugin.html

SQL Error Logging Plugin
• Log errors sent to clients in a log ﬁle that can be
analysed later. Log ﬁle can be rotated
(recommended)
• a MYSQL_AUDIT_PLUGIN
install plugin SQL_ERROR_LOG soname
'sql_errlog.so';

Audit Plugin
• Log server activity - who connects to the server,
what queries run, what tables touched - rotating
log ﬁle or syslogd
• MariaDB has extended the audit API, so user
ﬁltering is possible
• a MYSQL_AUDIT_PLUGIN
INSTALL PLUGIN server_audit SONAME
‘server_audit.so’;

Roles
• Bundles users together, with similar privileges -
follows the SQL standard
CREATE ROLE audit_bean_counters;
GRANT SELECT ON accounts.* to
audit_bean_counters;
GRANT audit_bean_counters to ceo;

Encryption
• Encryption: tablespace and table level encryption with support for rolling
keys using the AES algorithm
• (formerly) table encryption — PAGE_ENCRYPTION=1
• tablespace encryption — encrypts everything including log ﬁles
(10.1.5 encrypts the binlog caches)
• Overhead of ~10%
• XtraDB/InnoDB only; Aria for temporary tables
• New file_key_management plugin now
• Pushed & documented — https://mariadb.com/kb/en/mariadb/table-
encryption/

Encryption II
• The key ﬁle contains encryption keys identiﬁers
(32-bit numbers) and hex-encoded encryption
keys (128-256 bit keys), separated by a
semicolon.
• don’t forget to create keys!
• eg. openssl enc -aes-256-cbc -md
sha1 -k secret -in keys.txt -out
keys.enc

my.cnf config
Configure [mysqld]
plugin-load-add=file_key_management.so
file-key-management
file-key-management-filename = /home/mdb/keys.enc
innodb-encrypt-tables
innodb-encrypt-log
innodb-encryption-threads=4
file_key_management_encryption_algorithm=aes_cbc
file_key_management_filename = /home/mdb/keys.enc
file_key_management_filekey = secret

Encryption III
CREATE TABLE customer (
customer_id bigint not null primary key,
customer_name varchar(80),
customer_creditcard varchar(20))
ENGINE=InnoDB
ENCRYPTED=YES
ENCRYPTION_KEY_ID=17;

Encryption IV
• Tablespace encryption (Google)
• again, you need to pick an encryption algorithm
• specify what to encrypt: innodb-encrypt-tables,
aria, aria-encrypt-tables, encrypt-tmp-
disk-tables, innodb-encrypt-log
• don’t forget key rotation:
• innodb-encryption-threads=4
• innodb-encryption-rotate-key-age=1800

Encryption V
• we also have tablespace scrubbing
• background process that regularly scans
through the tables and upgrades the
encryption keys
• specify in seconds when to scrub data —
https://mariadb.com/kb/en/mariadb/xtradb-
innodb-data-scrubbing/

Encryption VI
• 10.1.3 vs 10.1.4 have changes (incompatible)
• The distinction between “tablespace encryption” and “page
encryption” was removed, now there is only one single encryption
feature.
• Per table PAGE_ENCRYPTION_KEY was renamed to
ENCRYPTION_KEY_ID.
• Global variable innodb_default_page_encryption_key become a
session innodb_default_encryption_key_id.
• Eperi code is mostly torn out. Per-table encryption implemented via
Google’s patches
• https://mariadb.com/kb/en/mariadb/table-encryption/

Encryption VII
• MariaDB 10.1.7 RC is out TODAY!
• It can now encrypt binlogs and relay logs
• encrypt-binlog to my.cnf
• Now run fully 100% encrypted

Preventing SQL Injections
• MySQL Enterprise Firewall ($$$)
• http://mysqlserverteam.com/new-mysql-enterprise-
firewall-prevent-sql-injection-attacks/
• MaxScale Database Firewall filter (write your own
regex)
• https://mariadb.com/kb/en/mariadb-enterprise/
maxscale/maxscale-database-firewall-filter/
• https://mariadb.com/blog/maxscale-firewall-filter

Resources
• oak-security-audit
• https://openarkkit.googlecode.com/svn/trunk/
openarkkit/doc/html/oak-security-audit.html
• Securich
• http://www.securich.com/
• Encrypting MySQL Data at Google - Jeremy Cole & Jonas
Oreland
• http://bit.ly/google_innodb_encryption

Thank you!
Colin Charles
colin@mariadb.org / byte@bytebot.net
http://bytebot.net/blog | @bytebot on twitter
slides: slideshare.net/bytebot

Better encryption & security with MariaDB 10.1 & MySQL 5.7

More Related Content

What's hot

Viewers also liked

Similar to Better encryption & security with MariaDB 10.1 & MySQL 5.7

More from Colin Charles

Recently uploaded

Better encryption & security with MariaDB 10.1 & MySQL 5.7