Saturday, June 30, 2018

Lock Down: Enforcing SELinux with Percona XtraDB Cluster

Why do I spend time blogging about security frameworks? Because although there are some resources available on the Web, none apply to Percona XtraDB Cluster (PXC) directly. Actually, I rarely encounter a MySQL setup where SELinux is enforced, and never when Percona XtraDB Cluster (PXC) or another Galera replication implementation is used. As we'll see, there are good reasons for that. I originally thought this article would be a simple "how to," but it ended up with a pull request to modify the SST script and a few other surprises.

Some Context

These days, with all the major security breaches of the last few years, the importance of security in IT cannot be highlighted enough. For that reason, security in MySQL has been progressively tightened from version to version, and the default parameters are much more restrictive than they used to be. That's all good, but it only applies at the MySQL level: if there is still a breach allowing access to MySQL, someone could in theory do everything the mysql user is allowed to do. To prevent such a situation, the operations that mysqld can perform should be limited to only what it really needs to do. SELinux's purpose is exactly that. You'll find SELinux on Red Hat/CentOS and their derived distributions. Debian, Ubuntu, and openSUSE use another framework, AppArmor, which is functionally similar to SELinux. I'll talk about AppArmor in a future post, but let's focus for now on SELinux.



from DZone.com Feed https://ift.tt/2tOrT33
