MySQL DB Security
==================
a> Password maagement - OS/DB level //Authentication
b> Access management - OS level //Authorization
c> Privileges management - DB level //Authorization
1> No test/blank database. And No user with '%' host or without password.
2> Backups should be encrypted.
- Either using zip utility. It asks for password while taking backups.
- Or using gpg utility. For that we've to create private/public key-pair first.
- Or using openssl
3> No root/password storage management at OS level. And Password should be encrypted (if stored at some file).
4> History at OS level should be disabled. ~/.bashrc and ~/.bash_history
5> MySQL should be running at some OS level user (other than root)
[mysqld]
user=mysql
6> Make sure that the only Unix user account with read or write privileges in the database directories is the account that is used for running mysqld.
7> Don't grant the FILE privilege to any non-administrative user. Else can write a file anywhere in the file system with the privileges of the mysqld daemon.
8> Do not grant the PROCESS or SUPER privilege to nonadministrative users. Else that can see the output of SHOW PROCESSLIST which shows the text of any statements currently being executed.
9> SSL/TLS encryption between (Client and Server) / (Master and Slave).
10> Database firewall. (To protect from SQL injection attacks).
11> Seperate DB user for DML/DDL operations. Let application connects to DB via dml_user. And let DDL changes been handled by some sys_user
12> DB Auditing (only in case of MySQL Enterprise). Or else use some 3rd party tools.
==================
a> Password maagement - OS/DB level //Authentication
b> Access management - OS level //Authorization
c> Privileges management - DB level //Authorization
1> No test/blank database. And No user with '%' host or without password.
2> Backups should be encrypted.
- Either using zip utility. It asks for password while taking backups.
- Or using gpg utility. For that we've to create private/public key-pair first.
- Or using openssl
3> No root/password storage management at OS level. And Password should be encrypted (if stored at some file).
4> History at OS level should be disabled. ~/.bashrc and ~/.bash_history
5> MySQL should be running at some OS level user (other than root)
[mysqld]
user=mysql
6> Make sure that the only Unix user account with read or write privileges in the database directories is the account that is used for running mysqld.
7> Don't grant the FILE privilege to any non-administrative user. Else can write a file anywhere in the file system with the privileges of the mysqld daemon.
8> Do not grant the PROCESS or SUPER privilege to nonadministrative users. Else that can see the output of SHOW PROCESSLIST which shows the text of any statements currently being executed.
9> SSL/TLS encryption between (Client and Server) / (Master and Slave).
10> Database firewall. (To protect from SQL injection attacks).
11> Seperate DB user for DML/DDL operations. Let application connects to DB via dml_user. And let DDL changes been handled by some sys_user
12> DB Auditing (only in case of MySQL Enterprise). Or else use some 3rd party tools.
No comments:
Post a Comment