Releasing first version of KloudDB Shield – MySQL CIS benchmarks

What is klouddb_shield?

Klouddb_Shield is an open source security tool that checks for CIS compliance. Currently we check about 45 controls (MySQL), and we plan to add more checks soon.

We tested this tool on CentOS and Ubuntu (MySQL 8). It will work for both Enterprise and Community versions.

How to run this tool on my server?

You can download the package directly from the releases section of the repo https://github.com/klouddb/klouddbshield and install it (for example, the rpm for CentOS or the deb package for Ubuntu). Below is an example for rpm install

Once you install the package, you need to edit the sample config file located at /etc/mysqlcollector/cisconfig.toml (sample config below). You can leave the username and password out of the config file: if you don't want to store the credentials there, the tool will prompt for them at runtime.

[database]
host="localhost"          # Hostname
port="3306"               # Port
user="mysqluser"          # Can be skipped; it will prompt at runtime
password="mysqlpassword"  # Can be skipped; it will prompt at runtime

Once the config file is populated, you can run the command 'ciscollector -r' and it will produce a security scorecard and a JSON file, "mysqlsecreport.json".

How to interpret the scorecard report?

Once you run the program you should see a scorecard like the one below. It gives a score for each section and then an overall score. In the example below the overall score is 51%, but Section 7 has a higher score of 83.3%. It also produces an output file called "mysqlsecreport.json".

How to read the json output file generated?

For each control we have an entry in the JSON file (mysqlsecreport.json). For example, below is the result for 1.4; you can see the description and the status as "pass".

If a control fails you would see something like below. You will also see FailReason, which explains why the control failed.

What are the controls included in this release?

There are about 45 controls as of today. We will keep adding more in future releases.

Section 1 – Operating System level config

Section 2 – Installation and Planning

Section 3 – File Permissions

Section 4 – General

Section 5 – MySQL Permissions

Section 6 – Auditing and Logging

Section 7 – Authentication

Section 8 – Network

Section 9 – Replication

I am trying to use this tool but running into some issues. Can you help?

Please open an issue on the repo or email us at support@klouddb.io

Summary

We released the first version of KloudDB Shield today. Please give it a try and share your feedback. We spent a ton of time developing this tool, and we plan to enhance it based on user feedback.

Also read our MySQL articles on "Innodb cluster", "ALTER TABLE Internals", "Innodb history length", "RDS MySQL", "Vitess", etc.
