479317
SQL Security Policy
- Physical
- Disaster Recovery
- Ensure the disaster recovery plan is up to date
- Off-site back-up + secure
- Fireproof / Flood proof / Offline
- Ensure the disaster recovery plan is up to date
- Physical Access
- Ensure physical access to server is restricted
- Server can't be turned off / disconnected
/ plug in keyboard or USB stick
- Ensure physical access to server is restricted
- Disaster Recovery
- Software
- Anti - Virus
- Ensure that anti-virus is running
- Has been tuned correctly
- Unnecessary directories are
excluded to improve
performance
- Exclusions and test loading have
been completed
- Ensure that anti-virus is running
- Configure Firewall
- Open TCP 3306 for MySQL
- Keep as many ports closed as possible
- Use SSH tunnel for testing
as this does not expose
server across web
- Open TCP 3306 for MySQL
- Vendor Updates
- Ensue that server packs / hot fixes /
patches are applied frequently
- Both at server and MySQL level
- This fixes security risks and
loopholes Results in less risk of
intrusion
- Ensue that server packs / hot fixes /
patches are applied frequently
- Unwanted Services
- These added services could give
side-door access, introducing something
unexpected
- Linux – use “rcconf” removal tool
to remove unwanted services
- These added services could give
side-door access, introducing something
unexpected
- Anti - Virus
- Access Restrictions on Server
- Restrict remote access - SOCKET
- Socket on network layer model
- Connects two computers together
- Connects two computers together
- Linux – skip-networking
- This stops it from opening socket connections
- Ties connection down to local host
- Needs to go into .ini file
- Needs to go into .ini file
- Ties connection down to local host
- This stops it from opening socket connections
- Socket on network layer model
- Restrict remote access – LOCALHOST
- Bind-address = 127.0.0.1
- Forces SQL to listen only to localhost
- Can’t accept connections from anywhere else
- Preventing access from TCP3306 from outside source
- Preventing access from TCP3306 from outside source
- Can’t accept connections from anywhere else
- Forces SQL to listen only to localhost
- Bind-address = 127.0.0.1
- Restrict remote access – GRANT
- Defines who and where they will be hosted from
- Ties down specific database and specific user
- GRANT SELECT, INSERT
ON mydb.* TO
‘someuser’@’somehost’;
- Defines who and where they will be hosted from
- Restrict remote access - SOCKET
- Database Changes
- Disable LOCAL INFILE
- Prevents access to local files (eg.
/etc/passwd) Stops some SQL injection
attacks.
- Prevents access to local files (eg.
/etc/passwd) Stops some SQL injection
attacks.
- Change root directory
- /chroot/mysql
- socket = /chroot/mysql/tmp/mysql.sock
- /chroot/mysql
- Remove test database
- Can be test databases installed with MySQL
- Allows anonymous access to database
- Allows anonymous access to database
- DROP DATABASE test;
- Drop the test and any other unwanted databases
- Drop the test and any other unwanted databases
- Can be test databases installed with MySQL
- Remove test accounts
- SHOW GRANTS FOR ‘’@’localhost’;
- DROP USER “”;
- DROP USER “”;
- Delete account shipped with MySQL
- Make sure created accounts are
tied down to relevant tables
- SHOW GRANTS FOR ‘’@’localhost’;
- Change rootname and password
- Should upgrade to version 5 as privileges
stay on previous versions.
- MySQL > RENAME USER root TO new_user;
- Should upgrade to version 5 as privileges
stay on previous versions.
- Lower privileges
- Version 5 and above has pre-set restrictions
- Set ownership to MySQL user:
- shell>ls -l /var/lib/mysql
- Only allow MySQL and root
access: shell>ls -l /usr/bin/my
- Only allow MySQL and root
access: shell>ls -l /usr/bin/my
- shell>ls -l /var/lib/mysql
- Set ownership to MySQL user:
- Version 5 and above has pre-set restrictions
- Disable LOCAL INFILE
Want to create your own Mind Maps for free with GoConqr? Learn more.