Table of Contents
What is klouddb_shield ?
Klouddb_Shield is an open source security tool that checks for CIS compliance. Currently we check for about 45 controls(MySQL) and we plan to add more checks soon
We tested this tool on CentOS and Ubuntu ( MySQL 8) – It will work for both Enterprise and Community versions
How to run this tool on my server ?
You can directly download the package from releases section of repo https://github.com/klouddb/klouddbshield and install the package (for example – rpm for centos ; deb package for Ubuntu etc..) Below is an example for rpm install
Once you install the package , you need to edit the sample config file located at /etc/mysqlcollector/cisconfig.toml (sample config below). You can skip username and password in config file (if you don’t want to store the credentials in config file, it will prompt for those during runtime)
[database] host="localhost" – Hostname port="3306" - port user="mysqluser" - Can be skipped and it will prompt at runtime password="mysqlpassword" - Can be skipped and it will prompt at runtime
Once the config file is populated you can run the command ‘ciscollector -r ’ and it will produce a security scorecard and a json file “mysqlsecreport.json”
How to interpret the scorecard report ?
Once you run the program you should see a scorecard like below . It gives a score by section and finally overall score . Overall score is 51% but Section 7 has a higher score of 83.3% in below example . It also produces an output file called ‘mysqlsecreport.json”
How to read the json output file generated ?
For each control we have an entry in the json file(mysqlsecreport.json) . For example below is the result for 1.4 , you can see the description and status as “pass”
If a control fails you would see something like below. You will also see FailReason to explain why the control failed
What are the controls included in this release ?
There are about 45 controls as of today . We will keep adding more in future releases
Section 1 – Operating System level config
Section 2 – Installation and Planning
Section 3 – File Permissions
Section 4 – General
Section 5 – MySQL Permissions
Section 6 – Auditing and Logging
Section 7 – Authentication
Section 8 – Network
Section 9 – Replication
I am trying to use this tool but running into some issues , Can you help?
Please open an issue on repo or email us at support@klouddb.io
Summary
We released the first version of KloudDB Shield today . Please give it a try and pass your feedback . We spent ton of time to develop this tool and we plan to enhance this tool based on user feedback
Also read our MySQL articles on “Innodb cluster “ , “ALTER TABLE Internals” , “Innodb history length” ,”RDS MySQL” , “Vitess” etc..