MySQL Enterprise Monitor 8.0 Manual


21.12 Security Advisors

This section describes the following Security advisors:

MySQL Enterprise Audit Plugin

Note

For more information on the MySQL Enterprise Audit Plugin, see MySQL Enterprise Audit.

This advisor enables you to configure event generation for the audit log plugin. This advisor has the following parameters:

  • Events Lost Threshold: generates events for audit events which are lost due to setting the server's audit_log_strategy to PERFORMANCE. Enter a number of lost messages per threshold.

  • Write Wait Percent Thresholds: generates events for the number of audit log write waits. The percentage is calculated as write waits versus writes.

  • Events Filtered Threshold: generates events for the number of audit events which are filtered out by the audit log configuration.

  • Detect Filtering Configurations: if set to Yes, generates events for any configuration which filters audit log events. If set to No, such configurations are ignored.

MySQL Enterprise Firewall

Note

For more information on the MySQL Enterprise Firewall, see MySQL Enterprise Firewall.

This advisor enables you to configure event generation for the MySQL Enterprise Firewall. This advisor has the following parameters:

  • Firewall Enabled Threshold: generates events if the firewall is installed but not enabled. To change the severity of the alert, place the value 0 (representing "OFF") in the threshold level you require.

  • Access Denied Threshold: generates events for the number of times statements were denied by the firewall. Enter the number of denials in the required thresholds.

  • Access Suspicious Threshold: generates events for the number of times statements were deemed suspicious by the firewall.
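The following is an added example (not code from the manual or from MySQL Enterprise Monitor) that emulates how the audit plugin and firewall parameters above turn server counters into event levels. It reads the counters the MySQL server exposes for these two plugins (Audit_log_events_lost, Audit_log_events_written, Audit_log_write_waits and Audit_log_events_filtered from SHOW GLOBAL STATUS; Firewall_access_denied and Firewall_access_suspicious likewise; mysql_firewall_mode from SHOW GLOBAL VARIABLES), from two constructed snapshots. The level names Info/Warning/Critical/Emergency, the use of interval deltas between snapshots, and the CONFIG thresholds are assumptions made for the example:

```python
from typing import Dict, Optional

# Constructed snapshots of the relevant counters, in the tab-separated shape the mysql
# client prints them. The values are invented. Two snapshots are used because these
# counters are cumulative, so an interval delta is what a threshold is compared against
# (an assumption about sampling, not something this page states).
SNAPSHOT_PREV = """\
Audit_log_events_filtered\t30
Audit_log_events_lost\t0
Audit_log_events_written\t3000
Audit_log_write_waits\t50
Firewall_access_denied\t5
Firewall_access_suspicious\t1
mysql_firewall_mode\tOFF
"""
SNAPSHOT_CURR = """\
Audit_log_events_filtered\t37
Audit_log_events_lost\t12
Audit_log_events_written\t4000
Audit_log_write_waits\t200
Firewall_access_denied\t15
Firewall_access_suspicious\t3
mysql_firewall_mode\tOFF
"""

# Threshold levels in ascending severity (names assumed for the example).
LEVELS = ("Info", "Warning", "Critical", "Emergency")

# Example thresholds, one entry per advisor parameter described above.
CONFIG = {
    "events_lost":        {"Warning": 1, "Critical": 10, "Emergency": 100},
    "write_wait_percent": {"Info": 5, "Warning": 10, "Critical": 25},
    "events_filtered":    {"Warning": 1, "Critical": 50},
    "firewall_enabled":   {"Critical": 0},   # the value 0 ("OFF") placed at the Critical level
    "access_denied":      {"Info": 1, "Warning": 10, "Critical": 100},
    "access_suspicious":  {"Warning": 1, "Critical": 10},
}


def parse_snapshot(text: str) -> Dict[str, str]:
    """Parse 'name<TAB>value' lines into a dict, skipping blank lines."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, value = line.split("\t", 1)
        out[name.strip()] = value.strip()
    return out


def level_for(value: float, thresholds: Dict[str, float]) -> Optional[str]:
    """Highest level whose threshold the value has reached, or None if below all of them."""
    hit = None
    for level in LEVELS:
        t = thresholds.get(level)
        if t is not None and value >= t:
            hit = level
    return hit


def delta(prev: Dict[str, str], curr: Dict[str, str], name: str) -> int:
    """Counter growth over the interval; a counter absent from both snapshots counts as 0."""
    return int(curr.get(name, 0)) - int(prev.get(name, 0))


def write_wait_percent(prev: Dict[str, str], curr: Dict[str, str]) -> float:
    """Write waits as a percentage of audit events written during the interval."""
    writes = delta(prev, curr, "Audit_log_events_written")
    waits = delta(prev, curr, "Audit_log_write_waits")
    return 100.0 * waits / writes if writes > 0 else 0.0


def evaluate(prev_text: str, curr_text: str, config=CONFIG) -> Dict[str, Optional[str]]:
    """Return the event level (or None) for each advisor parameter."""
    prev, curr = parse_snapshot(prev_text), parse_snapshot(curr_text)
    findings: Dict[str, Optional[str]] = {
        "Events Lost": level_for(delta(prev, curr, "Audit_log_events_lost"), config["events_lost"]),
        "Write Wait Percent": level_for(write_wait_percent(prev, curr), config["write_wait_percent"]),
        "Events Filtered": level_for(delta(prev, curr, "Audit_log_events_filtered"), config["events_filtered"]),
    }
    # Firewall installed but not enabled: the mode variable exists and reads OFF. The
    # advisor's metric is then 0, so the event level is whichever level holds the value 0.
    # If the variable is absent the plugin is not installed and nothing is reported.
    mode = curr.get("mysql_firewall_mode")
    if mode is not None and mode.upper() == "OFF":
        findings["Firewall Enabled"] = next(
            (lvl for lvl in LEVELS if config["firewall_enabled"].get(lvl) == 0), None)
    else:
        findings["Firewall Enabled"] = None
    findings["Access Denied"] = level_for(delta(prev, curr, "Firewall_access_denied"), config["access_denied"])
    findings["Access Suspicious"] = level_for(delta(prev, curr, "Firewall_access_suspicious"),
                                              config["access_suspicious"])
    return findings


if __name__ == "__main__":
    for name, level in evaluate(SNAPSHOT_PREV, SNAPSHOT_CURR).items():
        print(f"{name}: {level}")
```

With the constructed snapshots the interval shows 12 lost events (Critical), 150 write waits against 1000 writes, i.e. 15% (Warning), 7 filtered events (Warning), a firewall that is installed but OFF (Critical, because 0 was placed at that level), 10 denials (Warning) and 2 suspicious statements (Warning).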

MySQL User Account

Analyzes the configuration of MySQL user accounts on a server and alerts when the following problems have been detected:

  • Broad Host Specifier Exclusion Regex:

    The MySQL server has user accounts with overly broad host specifiers. A MySQL account is identified by both a username and a host name, which are found in the User and Host columns of the mysql.user table. The User value is the name that a client must supply when connecting to the server. The Host value indicates the host or hosts from which the user is allowed to connect. If this is a literal host name, the account is limited to connections only from that host. If the host name contains the % wildcard character, the user can connect from any host that matches the wildcard character and potentially from any host at all.

    Literal host values are best and % is worst. Accounts that have Host values containing wildcards are more susceptible to attack than accounts with literal host values, because attackers can attempt to connect from a broader range of machines.

    For example, if an account has user and host values of root and %, it means that you can connect as the root user from any machine if you know the password. By contrast, if the host name is localhost or 127.0.0.1, the attacker can only attempt to connect as the root user from the server host.

    The advisor enables you to specify an exclusion list, using a regular expression, of users allowed to use % for their host entry in the mysql.user table. No events are generated for users matching this pattern.

    For example:

    ^(user1|user2)$

    permits only user1 or user2 to use % for their host entry in the mysql.user table. An event is generated for any other user with % for their host entry.

  • Global Privilege User Exclusion Regex:

    A MySQL server may have user accounts with privileges on all databases and tables (*.*). In most cases global privileges should be allowed only for the MySQL root user, and possibly for users that you trust or use for backup purposes. Global privileges such as DROP, ALTER, DELETE, UPDATE, INSERT, and LOCK TABLES may be dangerous as they may cause other users to be affected adversely.

    This advisor enables you to define a regular expression describing the users allowed to have global privileges on the mysql.user table (ALTER, DELETE, DROP, INSERT, LOCK_TABLES, or UPDATE). For example:

    ^(user1@host1|user2@host2)$

    permits only user1 on host1, or user2 on host2, to have global privileges on the mysql.user table. An event is generated for any other user with those privileges.

  • Strong MySQL Privilege User Exclusion Regex:

    This advisor enables you to define a regular expression describing the users allowed to have global privileges on the mysql.user table (CREATE_USER, FILE, GRANT, PROCESS, LOCK_TABLES, SHUTDOWN, SUPER or RELOAD). For example:

    ^(user1@host1|user2@host2)$

    permits only user1 on host1, or user2 on host2, to have strong privileges on the mysql.user table. An event is generated for any other user with those privileges.

  • Database Level Privileges On All Databases User Exclusion Regex:

    Privileges such as SELECT, INSERT, and ALTER, allow a user to view and change data. Such operations should be limited to only those databases to which a user needs access.

    This advisor enables you to define a regular expression that describes those user accounts that are allowed to have database level privileges on all databases in the mysql.user table (ALTER, CREATE, DELETE, DROP, INDEX, INSERT, SELECT, UPDATE). For example:

    ^(user1@host1|user2@host2)$

    permits only user1 on host1, or user2 on host2, to have database-level privileges on all databases in the mysql.user table. An event is generated for any other user with those privileges.
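The following is an added example (not code from the manual or from MySQL Enterprise Monitor) that applies the four exclusion regexes above to constructed account rows, so the effect of the patterns can be checked offline. The rows imitate mysql.user (and, for the all-databases check, mysql.db with Db set to %, which is an assumption about where database-level grants are read from); the account names and privilege sets are invented. It also shows why the ^ and $ anchors in the manual's examples matter: without them, the pattern user1|user2 also excludes an account named user10.

```python
import re
from typing import List, Set, Tuple

# Constructed rows in the shape of mysql.user: 'privs' holds the privilege columns
# that are set to 'Y'. On a live server this data comes from
#   SELECT User, Host, ... FROM mysql.user;
USER_ROWS = [
    {"User": "root",   "Host": "localhost", "privs": {"Alter_priv", "Drop_priv", "Super_priv",
                                                       "Create_user_priv", "File_priv"}},
    {"User": "user1",  "Host": "%",         "privs": set()},
    {"User": "user10", "Host": "%",         "privs": set()},   # not excluded by ^(user1|user2)$
    {"User": "backup", "Host": "%",         "privs": {"Lock_tables_priv"}},
    {"User": "user1",  "Host": "host1",     "privs": {"Drop_priv"}},
    {"User": "app",    "Host": "10.0.0.5",  "privs": {"Process_priv"}},
]

# Constructed rows in the shape of mysql.db, where database-level grants live; a Db value
# of '%' is a grant on all databases (assumption for this example).
DB_ROWS = [
    {"User": "user2",  "Host": "host2",    "Db": "%",    "privs": {"Select_priv"}},
    {"User": "report", "Host": "%",        "Db": "%",    "privs": {"Select_priv"}},
    {"User": "app",    "Host": "10.0.0.5", "Db": "shop", "privs": {"Select_priv", "Insert_priv"}},
]

# Privilege groups named by the three privilege advisors above, as mysql.user column names.
GLOBAL_PRIVS = {"Alter_priv", "Delete_priv", "Drop_priv", "Insert_priv", "Lock_tables_priv", "Update_priv"}
STRONG_PRIVS = {"Create_user_priv", "File_priv", "Grant_priv", "Process_priv", "Lock_tables_priv",
                "Shutdown_priv", "Super_priv", "Reload_priv"}
DB_LEVEL_PRIVS = {"Alter_priv", "Create_priv", "Delete_priv", "Drop_priv", "Index_priv",
                  "Insert_priv", "Select_priv", "Update_priv"}


def account(row: dict) -> str:
    return f"{row['User']}@{row['Host']}"


def broad_host_accounts(rows, exclusion_regex: str) -> List[str]:
    """Accounts whose Host contains the % wildcard, minus those whose User value
    matches the exclusion regex (the broad-host advisor matches on User alone)."""
    excluded = re.compile(exclusion_regex)
    return sorted(account(r) for r in rows
                  if "%" in r["Host"] and not excluded.search(r["User"]))


def privileged_accounts(rows, priv_set: Set[str], exclusion_regex: str) -> List[Tuple[str, List[str]]]:
    """Accounts holding any privilege in priv_set, minus those whose user@host value
    matches the exclusion regex. Returns (account, privileges held) pairs."""
    excluded = re.compile(exclusion_regex)
    found = []
    for r in rows:
        held = sorted(r["privs"] & priv_set)
        if held and not excluded.search(account(r)):
            found.append((account(r), held))
    return sorted(found)


def all_databases_privileged_accounts(db_rows, exclusion_regex: str) -> List[Tuple[str, List[str]]]:
    """Database-level privileges granted on all databases (rows with Db = '%')."""
    return privileged_accounts([r for r in db_rows if r["Db"] == "%"], DB_LEVEL_PRIVS, exclusion_regex)


if __name__ == "__main__":
    print("broad host:", broad_host_accounts(USER_ROWS, r"^(user1|user2)$"))
    print("broad host, unanchored:", broad_host_accounts(USER_ROWS, r"user1|user2"))
    print("global:", privileged_accounts(USER_ROWS, GLOBAL_PRIVS, r"^(root@localhost|user1@host1)$"))
    print("strong:", privileged_accounts(USER_ROWS, STRONG_PRIVS, r"^(root@localhost)$"))
    print("all databases:", all_databases_privileged_accounts(DB_ROWS, r"^(user1@host1|user2@host2)$"))
```

Note that the broad-host check matches the regex against the User value only, whereas the three privilege checks match against user@host, mirroring the two example patterns given above; an exclusion written for one check cannot be pasted into the other without adjusting it.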

Note

The regular expressions can be applied per instance, per server (all instances running on the server), per group (all instances in the group), or globally (all instances), depending on the asset selected.

For more information, see Group and Host Menu.