
Keep Your Database Secure With Percona Advisors

 1 year ago
source link: https://www.percona.com/blog/keep-your-database-secure-with-percona-advisors/


The definition of Percona Advisors by ChatGPT is the following:

Percona Advisors can help organizations implement robust security measures to protect their databases and sensitive data.

It is partially true. The reason why we have Percona Advisors is to encode years of our database expertise and share it with the community, to resolve performance and security issues automatically, without human intervention.

Percona Advisors is an open source framework, meaning you can create your own checks by following our documentation. Right now, even if you create your own advisors, they will overwrite existing Percona checks, so custom checks are only for debugging and testing purposes. We plan to extend the framework to enable innovation and contributions from the community. By default, Percona Monitoring and Management (PMM) comes with basic advisor checks, whereas registered and paid tiers get much more. See more about it on our subscription page.

In this blog post, I will show how Percona Advisors work and demonstrate various checks in action.

Preparation

Percona Monitoring and Management (PMM)

Install PMM by following the documentation. I will deploy it on my Kubernetes cluster with the helm chart.

Shell
helm install pmm --set service.type="LoadBalancer" percona/pmm

Create your Percona Platform account

Navigate to https://portal.percona.com to create an account if you don’t have one already. By just creating an account you will get access to more advisors for free, whereas I myself on a paid tier enjoy the full power of sophisticated checks.

This is the number of checks that PMM has by default right after installation:


Once PMM is connected to the Platform, PMM downloads advisors automatically. With the paid subscription I get the following list:


Register PMM in the Platform

The process of registering PMM in the Platform is described in the documentation. In short:

  1. Fetch the token from https://portal.percona.com/profile
  2. Add this token in the PMM Settings -> Percona Platform section.

Action

Checks in action

I will deploy a MySQL cluster with Group Replication and monitor it with PMM. For the sake of simplicity and speed, I will use Percona Operator for MySQL (based on Percona Server for MySQL which is in tech preview).

As a result, I see the following checks firing up:


For example, the “Passwords don’t expire, as default_password_lifetime=0” check alerts that password expiration is not enabled:

Please consider imposing an expiry time for passwords by setting default_password_lifetime to a positive integer, indicating how many days can go by before the user has to renew their password; This will help prevent brute force attacks and risks of data leaks.

Embed checks in your CI/CD pipeline

With the PMM API you can easily automate database compliance checks in your existing CI/CD pipelines.

Get all the services with failed checks:

Shell
$ curl -k --request POST \
     --url https://PMM_SERVER/v1/management/SecurityChecks/ListFailedServices \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'Authorization: Bearer eyJrIjoiZTZxZFdyWG9GYklKNEVBZ1kwRU9OUTZIdnA4bFdlNXIiLCJuIjoidHN0IiwiaWQiOjF9'
{
  "result":  [
    {
      "service_name":  "default-test-cluster-mysql-2",
      "service_id":  "/service_id/0df4c5b6-ad15-4324-a70c-05fe3900b1d2",
      "warning_count":  6,
      "notice_count":  4
    },
    {
      "service_name":  "default-test-cluster-mysql-1",
      "service_id":  "/service_id/4f1ebbec-9383-41fd-9a32-60114e11b7aa",
      "warning_count":  6,
      "notice_count":  4
    },
    {
      "service_name":  "default-test-cluster-mysql-0",
      "service_id":  "/service_id/7e3cae47-3ee1-4488-883b-21b7450fb0d2",
      "error_count":  1,
      "warning_count":  6,
      "notice_count":  4
    }
  ]
}

Now get all the failed checks for a specific service:

Shell
curl -k --request POST \
     --url https://PMM_SERVER/v1/management/SecurityChecks/FailedChecks \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'Authorization: Bearer eyJrIjoiZTZxZFdyWG9GYklKNEVBZ1kwRU9OUTZIdnA4bFdlNXIiLCJuIjoidHN0IiwiaWQiOjF9' \
     --data '{"service_id":"/service_id/4f1ebbec-9383-41fd-9a32-60114e11b7aa"}'

This is an example of the summary of one check:

Shell
    {
      "summary":  "Passwords don't expire, as default_password_lifetime=0",
      "description":  "Please consider imposing an expiry time for passwords by setting default_password_lifetime to a positive integer, indicating how many days can go by before the user having to renew their password; This will help prevent brute force attacks and risks of data leaks.",
      "severity":  "SEVERITY_WARNING",
      "labels":  {
        "agent_id":  "/agent_id/e8528c89-8858-4591-800a-e5edde56df57",
        "agent_type":  "qan-mysql-perfschema-agent",
        "alert_id":  "/stt/a47e962529bc87c7ef98ba832e4d6ca20454ed65",
        "alertname":  "mysql_configuration_variables6",
        "cluster":  "test-cluster",
        "interval_group":  "standard",
        "node_id":  "/node_id/8abc903c-556d-47ca-85fe-8eec92cfbc66",
        "node_name":  "default-test-cluster-mysql-1",
        "node_type":  "container",
        "service_id":  "/service_id/4f1ebbec-9383-41fd-9a32-60114e11b7aa",
        "service_name":  "default-test-cluster-mysql-1",
        "service_type":  "mysql",
        "severity":  "warning",
        "stt_check":  "1"
      },
      "read_more_url":  "https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_password_lifetime",
      "service_name":  "default-test-cluster-mysql-1",
      "service_id":  "/service_id/4f1ebbec-9383-41fd-9a32-60114e11b7aa",
      "check_name":  "mysql_configuration_variables6",
      "alert_id":  "/stt/a47e962529bc87c7ef98ba832e4d6ca20454ed65"
    }
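
A pipeline gate built on the ListFailedServices call above, as an added example that is not part of the original post or of PMM's own tooling. It reads the API token from the environment, keeps TLS certificate verification on (unlike `curl -k`), and fails the build when any service reports errors or too many warnings; the names `PMM_URL`, `PMM_TOKEN`, `gate` and `max_warnings`, and the empty JSON request body, are assumptions.

```python
import json
import os
import sys
import urllib.request

ENDPOINT = "/v1/management/SecurityChecks/ListFailedServices"  # path from the post

def fetch_failed_services(base_url, token):
    """POST to the endpoint shown in the post; certificate checks stay enabled."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=b"{}",  # assumption: empty JSON body (the post's curl sends no body)
        method="POST",
        headers={"accept": "application/json",
                 "content-type": "application/json",
                 "Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def gate(response, max_warnings=0):
    """Return (passed, violations). A missing counter is read as 0, matching
    the post's output where error_count appears only for one service."""
    violations = []
    for svc in response.get("result", []):
        errors = int(svc.get("error_count", 0))
        warnings = int(svc.get("warning_count", 0))
        if errors > 0 or warnings > max_warnings:
            violations.append((svc["service_name"], errors, warnings))
    return (not violations, sorted(violations))

# Constructed sample shaped like the response shown in the post.
SAMPLE = {"result": [
    {"service_name": "default-test-cluster-mysql-1",
     "warning_count": 6, "notice_count": 4},
    {"service_name": "default-test-cluster-mysql-0",
     "error_count": 1, "warning_count": 6, "notice_count": 4},
]}

if __name__ == "__main__":
    if "PMM_URL" in os.environ:  # hypothetical variable names
        data = fetch_failed_services(os.environ["PMM_URL"], os.environ["PMM_TOKEN"])
    else:
        data = SAMPLE  # offline run against the constructed sample
    ok, bad = gate(data)
    for name, errors, warnings in bad:
        print(f"FAIL {name}: errors={errors} warnings={warnings}")
    sys.exit(0 if ok else 1)
```

A non-zero exit status is what makes the CI job fail, so the script can run as a plain pipeline step with the token injected as a masked secret.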

Conclusion

Day-2 operations for databases are complex. Keeping your database secure and performant before it is too late can be achieved without human intervention. In this blog post, we showed how Percona Advisors can help with it.
