<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>security_routines: common_schema documentation</title>
<meta name="description" content="security_routines: common_schema" />
<meta name="keywords" content="security_routines: common_schema" />
<link rel="stylesheet" type="text/css" href="css/style.css" />
</head>
<body>
<div id="main">
<div id="header">
<h1>common_schema</h1> <strong>2.2</strong> documentation
<div class="subtitle">DBA's framework for MySQL</div>
</div>
<div id="contentwrapper">
<div id="content">
<h2><a href="security_routines.html">security_routines</a></h2>
<h3>SYNOPSIS</h3>
<p>
Security routines: stored functions managing security and privileges information.
<ul>
<li><a href="duplicate_grantee.html">duplicate_grantee()</a>: Create new account (grantee), identical to given account.</li>
<li><a href="grant_access.html">grant_access()</a>: (META) Grant SELECT & EXECUTE to all grantees on common_schema.</li>
<li><a href="killall.html">killall()</a>: Kill connections by matching GRANTEE, user or host.</li>
<li><a href="match_grantee.html">match_grantee()</a>: Match an existing account based on user+host.</li>
<li><a href="mysql_grantee.html">mysql_grantee()</a>: Return a qualified MySQL grantee (account) based on user and host.</li>
<li><a href="security_audit.html">security_audit()</a>: Generate a server's security audit report.</li>
</ul>
</p>
<h3>EXAMPLES</h3>
<p>
Kill all connections made by the <strong>'analytics'</strong> user:
</p>
<blockquote><pre>mysql> CALL killall('analytics');
</pre></blockquote>
<p>
Duplicate (Copy+Paste) an existing account into a new one:
</p>
<blockquote><pre>mysql> CALL duplicate_grantee('apps@localhost', 'apps@10.0.0.%');
</pre></blockquote>
<p>
Audit server's security:
</p>
<blockquote><pre>mysql> CALL security_audit();
+------------------------------------------------------------------------------+
| report |
+------------------------------------------------------------------------------+
| |
| Checking for non-local root accounts |
| ==================================== |
| Recommendation: limit following root accounts to local machines |
| > rename 'root'@'central' to 'root'@'localhost' |
| |
| Checking for anonymous users |
| ============================ |
| OK |
| |
| Looking for accounts accessible from any host |
| ============================================= |
| Recommendation: limit following accounts to specific hosts/subnet |
| > rename user 'apps'@'%' to 'apps'@'<specific host>' |
| > rename user 'world_user'@'%' to 'world_user'@'<specific host>' |
| |
| Checking for accounts with empty passwords |
| ========================================== |
| Recommendation: set a decent password to these accounts. |
| > set password for 'apps'@'%' = PASSWORD(...) |
| > set password for 'world_user'@'localhost' = PASSWORD(...) |
| > set password for 'wu'@'localhost' = PASSWORD(...) |
| |
| Looking for accounts with identical (non empty) passwords |
| ========================================================= |
| Different users should not share same password. |
| Recommendation: Change passwords for accounts listed below. |
| |
| The following accounts share the same password: |
| 'temp'@'10.0.%' |
| 'temp'@'10.0.0.%' |
| 'gromit'@'localhost' |
| |
| The following accounts share the same password: |
| 'replication'@'10.0.0.%' |
| 'shlomi'@'localhost' |
| |
| The following accounts share the same password: |
| 'shlomi'@'127.0.0.1' |
| 'monitoring_user'@'localhost' |
| |
| Looking for (non-root) accounts with admin privileges |
| ===================================================== |
| Normal users should not have admin privileges, such as |
| SUPER, SHUTDOWN, RELOAD, PROCESS, CREATE USER, REPLICATION CLIENT. |
| Recommendation: limit privileges to following accounts. |
| > GRANT <non-admin-privileges> ON *.* TO 'monitoring_user'@'localhost' |
| > GRANT <non-admin-privileges> ON *.* TO 'shlomi'@'localhost' |
| |
| Looking for (non-root) accounts with global DDL privileges |
| ========================================================== |
| OK |
| |
| Looking for (non-root) accounts with global DML privileges |
| ========================================================== |
| OK |
| |
| Testing sql_mode |
| ================ |
| Server's sql_mode does not include NO_AUTO_CREATE_USER. |
| This means users can be created with empty passwords. |
| Recommendation: add NO_AUTO_CREATE_USER to sql_mode, |
| both in config file as well as dynamically. |
| > SET @@global.sql_mode := CONCAT(@@global.sql_mode, ',NO_AUTO_CREATE_USER') |
| |
| Testing old_passwords |
| ===================== |
| OK |
| --- |
| Report generated on '2012-09-21 11:49:52 |
+------------------------------------------------------------------------------+
</pre></blockquote>
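<p>
The following queries are an added example and are not part of common_schema or its <code>security_audit()</code> implementation. They reproduce several of the report's checks directly against the <code>mysql.user</code> grant table so that an operator can confirm a finding (or verify that a recommendation has been applied) without re-running the whole audit. They assume a MySQL server of the same era as the report above, where <code>mysql.user</code> still carries a <code>Password</code> column (5.7 and later use <code>authentication_string</code>); the grantee names in the last check are the ones from the <code>duplicate_grantee()</code> example above.
</p>

```sql
-- Added example, not common_schema code: manual versions of several
-- security_audit() checks, run against the mysql.user grant table.
-- Assumption: pre-5.7 server, so the password hash lives in `Password`
-- (on 5.7+ substitute `authentication_string`).

-- 0. root accounts reachable from non-local hosts.
SELECT CONCAT('''', User, '''@''', Host, '''') AS grantee
FROM mysql.user
WHERE User = 'root'
  AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 1. Anonymous users (empty user name) and accounts open to any host ('%').
SELECT CONCAT('''', User, '''@''', Host, '''') AS grantee,
       IF(User = '', 'anonymous', 'any-host') AS finding
FROM mysql.user
WHERE User = '' OR Host = '%';

-- 2. Accounts with empty passwords.
SELECT CONCAT('''', User, '''@''', Host, '''') AS grantee
FROM mysql.user
WHERE Password = '';

-- 3. Groups of accounts sharing the same non-empty password hash.
--    Identical hashes mean identical passwords, which the report flags
--    because one leaked credential then opens several accounts.
SELECT Password AS shared_hash,
       GROUP_CONCAT(CONCAT('''', User, '''@''', Host, '''') SEPARATOR ', ') AS grantees
FROM mysql.user
WHERE Password <> ''
GROUP BY Password
HAVING COUNT(*) > 1;

-- 4. Non-root accounts holding admin-level global privileges.
--    CONCAT_WS skips NULLs, so only the privileges actually held are listed.
SELECT CONCAT('''', User, '''@''', Host, '''') AS grantee,
       CONCAT_WS(',',
         IF(Super_priv = 'Y', 'SUPER', NULL),
         IF(Shutdown_priv = 'Y', 'SHUTDOWN', NULL),
         IF(Reload_priv = 'Y', 'RELOAD', NULL),
         IF(Process_priv = 'Y', 'PROCESS', NULL),
         IF(Create_user_priv = 'Y', 'CREATE USER', NULL),
         IF(Repl_client_priv = 'Y', 'REPLICATION CLIENT', NULL)) AS admin_privileges
FROM mysql.user
WHERE User <> 'root'
  AND 'Y' IN (Super_priv, Shutdown_priv, Reload_priv, Process_priv,
              Create_user_priv, Repl_client_priv);

-- 5. sql_mode check: NO_AUTO_CREATE_USER should be present, otherwise a
--    GRANT to a non-existent account silently creates it without a password.
SELECT @@global.sql_mode AS sql_mode,
       FIND_IN_SET('NO_AUTO_CREATE_USER', @@global.sql_mode) > 0 AS has_no_auto_create_user;

-- 6. After duplicate_grantee(), confirm the new account carries the same
--    grants as the source (grantee names taken from the example above).
SHOW GRANTS FOR 'apps'@'localhost';
SHOW GRANTS FOR 'apps'@'10.0.0.%';
```

<p>
Each query returns an empty result set when the corresponding audit section would print <code>OK</code>, so they can be re-run after applying a recommendation to check that it took effect; the <code>sql_mode</code> query returns <code>1</code> in <code>has_no_auto_create_user</code> once the flag is set.
</p>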
<br/>
</div>
<div class="clear"> </div>
<div id="footnote" align="center">
<a href="">common_schema</a> documentation
</div>
</div>
</div>
</body>
</html>