Colin Charles Agenda

SecuRich

I got to meet, and share a meal with a most interesting Darren Cassar at FRoSCon/OpenSQLCamp, who’s the mastermind behind SecuRich. Some sparse notes, while we await his slides. I think there’s some great potential here, and SecuRich is exciting and should be given some more love.

Designed to work with Sybase and MySQL in mind (because he’s hacking on migrating Sybase to MySQL).

How often do we audit user privileges and access levels? How often do we forget temporary elevated privileges?

What you have in MySQL today: Authentication against ‘username’@’hostname’, and the password is hashed by PASSWORD() function. There is wide range of privileges, and the granting of privileges is controlled.

What are limitations in MySQL today: Password limits are not available (password size limit, password history, password complexity meter, password minimum age), its quite complex to manage, there are no roles, it is easily unsecured (if you provide an access to the MySQL database, you can try brute force attacks, etc.). Once you drop the database, the grants are still there – obsolete grants are not removed.

SECURICH has password limits, reduces complexity to manage, has roles, is a lot more secured, and soon, there will be removal of obsolete grants.

Compatible with MySQL 5.0 and later, as it uses INFORMATION_SCHEMA extensively. It requires I_S.processlist, which is only available in MySQL 5.1 though.

I don’t see why this wouldn’t work on Windows, besides some scripts written in BASH. My only experience with this is however on Linux and OSX.