The MariaDB audit plugin is bundled with MariaDB Server, but even though it ships with MariaDB, it is compatible with MySQL as well. In this blog post, I will describe how to install the plugin with MySQL. Install the plugin: unfortunately, neither MariaDB Corporation nor MariaDB Foundation currently distributes a standalone binary …
Using Vault with MySQL
In my previous post I discussed using GPG to secure your database credentials. This relies on a local copy of your MySQL client config, but what if you want to keep the credentials stored safely along with other super secret information? Sure, GPG could still be used, but there must be an easier way to do this.
This post will look at a way to use Vault to store your credentials in a central location and use them to access your database. For those of you that have not yet come across Vault, it is a great way to manage your secrets – securing, storing and tightly controlling access. It has the added benefits of being able to handle leasing, key revocation, key rolling and auditing.
During this blog post we’ll accomplish the following …
It’s been a busy month for file vulnerabilities. Thanks to Dawid Golunski at legalhackers.com for giving us all the opportunity to tighten security in our MySQL, MariaDB, and Percona Server instances.
Details were released for CVE 6663, mentioned last week, and for a new one, CVE 6664:
Note that 6664 depends on 6663, and 6663 can be mitigated by turning off symbolic_links (=0). Upgrading to the latest versions also fixes the problem. Regardless, the attacker …
It is a common auditing requirement to log user connection events, including whether or not authentication was
There are a number of alternatives available for MySQL, but unfortunately there is no built-in functionality at the time of this writing. In this post we will discuss auditing MySQL users with the McAfee audit plugin, which is available under the GPL Version 2 license.
These steps apply to Debian-based hosts, but the instructions for Red Hat are similar.
1. Download the latest plugin release from GitHub.
At the time of this post, for MySQL 5.5 you can get:
2. Decompress …
Our September 2016 New York City MySQL Meetup featured a demonstration of how to implement role-based security in MySQL using Hexatier. Several other important security features were also demonstrated, including role-based dynamic data masking down to the per-column level and full statement auditing.
Thanks to Scott Unrick, Lead Database Administrator at Teladoc, for the great presentation. Slides are available here.
Percona XtraDB Cluster 5.6.30-25.16.2 is now the current release, based on the following:
- Percona Server 5.6.30-76.3
- Galera Replication library 3.16
- Codership wsrep API version 25
This release provides a …
- By setting malloc-lib in the configuration file, access to an OS root shell can be gained.
- By using the general log, a configuration file can be written to any location that is writable by the OS mysql user.
- By using SELECT...INTO DUMPFILE..., it is possible to elevate privileges from a database user with the FILE privilege to any database account, including root.
How it is supposed to be used
- Find an SQL Injection in a website or otherwise gain access to a MySQL account.
- Now create a …
I’ll also list which MySQL versions include the vulnerability fixes.
The website legalhackers.com contains the full, current explanation of the …
Since MySQL 5.6.6, it has been possible to store MySQL credentials in an encrypted login path file named .mylogin.cnf, using the mysql_config_editor tool. This is at least better than storing them in plain text.
What if I need to read this password in plain text?
Perhaps because I didn’t save it? It might be that I don’t need it for long (as I can reset it), but it’s important that I get it.
Unfortunately (or intentionally), doesn’t allow it.
[root@db01 ~]# cat /root/.mylogin.cnf ????uUd????ٞN??3k??ǘ);??Ѻ0 ?'?(??W.???Xܽ<'?C???ha?$ ?? …
As Peter Zaitsev mentioned recently in his blog post on database support, the costs of a data breach can hit both your business reputation and your bottom line. Costs vary depending on company size and market, but recent studies estimate direct costs averaging between $1.6M and $7.01M. Everyone agrees that leaving rising security risks and costs unchecked is a recipe for disaster.
There is no simple answer to reducing security-related outages, but it can involve a combination of internal and external monitoring, support contracts, enhanced security systems, and a better understanding of …