[debian-mysql] MySQL "hardening?"

Ralf G. R. Bergs Ralf+Debian at bergs.biz
Sat Apr 4 11:54:28 UTC 2015


Hi Otto.

Thank you for your response and the info given therein.

On 2015-04-03 20:03, Otto Kekäläinen wrote:
> In Debian we used to apply the hardening-wrapper package/tool in
> mysql-5.5 and mariadb-5.5 packages until it was deprecated in the
> Debian policy. In mysql-5.6 and mariadb-10.0 we are using the new
> compiler flags based hardening. See e.g. the rules file
> https://github.com/ottok/mariadb-10.0/blob/master/debian/rules

To be honest I didn't even think about that kind of (build) hardening,
but of course it is a benefit to "defend" against potential attacks.

What I was thinking about -- and sorry for not being more specific -- is
"config hardening" in a way that "dangerous" features might be disabled
by default (e.g. might only listen on Unix domain socket and not TCP
socket by default, or /if/ TCP socket is active by default the daemon
might only bind to the loopback interface), rate limiting and other
usage restrictions (ulimit?) might be enabled for the pre-defined MySQL
database users or the MySQL system user to prevent DoS attacks, etc.

So basically config changes which can serve to increase security,
compared to the "stock" MySQL config that comes from upstream.

I assume that you can't (and probably don't even want to) make any
statements re. the "stock" config, so I will search on the upstream
MySQL site as well.
> If you are an expert in this area or even just somebody with basic
> skills and have time to research it, I am sure everybody would be glad
> to get contributions on how to improve the current situation.

I'm always a strong supporter of giving back to the community, but
unfortunately I'm currently not in the position to do so. On the
contrary I need support myself because I'm undergoing a security
assessment/audit and must "prove" that our systems are secure. ;-)

Kind regards,

Ralf
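The two "config hardening" points Ralf raises (listen on the Unix socket only, or at least bind the TCP listener to loopback; put usage limits on database users so one account cannot starve the server) can be turned into a mechanical check against an option file. The script below is an added example for this thread, not code from either poster or from the Debian packages: it parses a my.cnf-style `[mysqld]` section and reports which of those two points the file fails to cover. Both sample configs are constructed for the example; the option names (`skip-networking`, `bind-address`, `max_user_connections`) are real MySQL/MariaDB server options. Per-account limits can also be set inside the privilege tables rather than in the option file; that is outside what this file-level check sees.

```python
"""Audit a my.cnf-style option file for two hardening points: network exposure
and per-user usage limits. Added example; samples are constructed."""
import configparser
import ipaddress

# Constructed sample resembling an upstream "stock" [mysqld] section
# (an assumption for this example, not copied from any real package).
STOCK_CNF = """\
[mysqld]
user = mysql
port = 3306
datadir = /var/lib/mysql
socket = /var/run/mysqld/mysqld.sock
!includedir /etc/mysql/conf.d/
"""

# Constructed sample of the hardened defaults discussed in the thread:
# Unix socket only, loopback bind as a second line of defence, and a
# per-account connection cap so one user cannot exhaust max_connections.
HARDENED_CNF = """\
[mysqld]
user = mysql
socket = /var/run/mysqld/mysqld.sock
skip-networking
bind-address = 127.0.0.1
max_user_connections = 50
"""


def parse_mysqld_section(text):
    """Return the [mysqld] options as a dict. Option names are normalised to
    dashes because the server treats max_user_connections and
    max-user-connections as the same option. '!include' / '!includedir'
    directives are dropped since configparser cannot parse them."""
    cleaned = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("!")
    )
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(cleaned)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("_", "-"): v for k, v in cp.items("mysqld")}


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 or the literal 'localhost'; anything else
    (0.0.0.0, ::, '*', a hostname) is treated as reachable from other hosts."""
    addr = addr.strip().strip('"')
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_mysqld(text):
    """Return a list of (code, message) findings; an empty list means both
    checks pass."""
    opts = parse_mysqld_section(text)
    findings = []
    # skip-networking disables the TCP listener entirely; only the Unix
    # socket remains, so bind-address is irrelevant in that case.
    if "skip-networking" not in opts:
        bind = opts.get("bind-address")
        if bind is None:
            findings.append(("NET-ALL-INTERFACES",
                             "no skip-networking and no bind-address: "
                             "TCP listener accepts connections on every interface"))
        elif not is_loopback(bind):
            findings.append(("NET-NON-LOOPBACK",
                             f"bind-address {bind!r} is reachable from other hosts"))
    # max_user_connections caps simultaneous connections per account;
    # 0 (the server default) means unlimited.
    limit = opts.get("max-user-connections")
    if limit is None or limit.strip() == "0":
        findings.append(("NO-USER-CONN-LIMIT",
                         "max_user_connections unset or 0: a single account "
                         "can consume the whole max_connections budget"))
    return findings


if __name__ == "__main__":
    for name, cnf in (("stock", STOCK_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit_mysqld(cnf) or "OK")
```

Run against a real file with `audit_mysqld(open("/etc/mysql/my.cnf").read())`; note that Debian splits configuration across `conf.d/` includes, so the merged view only appears once every included file has been audited too.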
