Layer7 API Management


 Software gateway hardening MySQL

Marco Zwetsloot posted Feb 22, 2021 11:41 AM
Hi,
We are installing a new stack of Software Appliance gateways onto RHEL servers and the MySQL8 database will be on the same server as gateway.
I'm looking for specific MySQL hardening to safeguard the installation. Does anyone have information about that?
Broadcom Employee Jay MacDonald
I'm not familiar with any specific documents addressing this, but I would start with studying the configuration used in the appliance Gateway my.cnf file and also the access permissions set within the database. I'm attaching a copy of the my.cnf in case you don't have access to an appliance Gateway. WRT the permissions, they basically limit root access to the localhost interface only:

mysql> SELECT user,host FROM mysql.user;
+------------------+-------------------------+
| user             | host                    |
+------------------+-------------------------+
| gateway          | %                       |
| gateway          | localhost               |
| mysql.infoschema | localhost               |
| mysql.session    | localhost               |
| mysql.sys        | localhost               |
| root             | localhost               |
| gateway          | localhost.localdomain   |
| gateway          | localhost6              |
| gateway          | localhost6.localdomain6 |
+------------------+-------------------------+
9 rows in set (0.00 sec)

mysql>

My only complaint about this configuration is that the gateway user, which is added when the database is created via the ssgconfig menu, has no restrictions in terms of source host (gateway@'%'). This was a compromise done way back in the early days of the API Gateway to simplify joining new gateways to the cluster. If you know that only the localhost API Gateway will be accessing the database, you can safely remove that entry. You can also remove it for a cluster configuration but the onus will be on you to add a rule for every API Gateway node that may be connecting to the database.

Let me know if you have further questions.

Cheers!

JayMac
Attachment: my.cnf.zip (1 KB)
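Jay's advice, written out as MySQL 8 statements. This is an added example, not code from the thread or from Broadcom's Gateway tooling: `<GATEWAY_DB>`, `<NODE_IP_1>`, `<NODE_IP_2>` and the password are placeholders you must substitute, and the grants given to the per-node accounts should copy whatever SHOW GRANTS reports for the existing gateway@localhost account rather than the illustrative grant shown here. The per-node accounts are created before the wildcard entry is dropped so that a clustered Gateway never loses its database connection in between.

```sql
-- Added example (assumptions labelled in comments); not part of the original post.

-- 1. Record the privileges the existing localhost account holds, so the
--    per-node accounts receive exactly the same grants.
SHOW GRANTS FOR 'gateway'@'localhost';

-- 2. Cluster install only: create one account per Gateway node before
--    touching the wildcard entry. <NODE_IP_1>/<NODE_IP_2> are placeholders
--    for the real node addresses; the password must match what each node
--    has configured. <GATEWAY_DB> is a placeholder for the Gateway schema.
CREATE USER IF NOT EXISTS 'gateway'@'<NODE_IP_1>'
  IDENTIFIED BY '<same password as gateway@localhost>';
CREATE USER IF NOT EXISTS 'gateway'@'<NODE_IP_2>'
  IDENTIFIED BY '<same password as gateway@localhost>';

-- Illustrative grant; replace with the exact privilege list from step 1.
GRANT ALL PRIVILEGES ON `<GATEWAY_DB>`.* TO 'gateway'@'<NODE_IP_1>';
GRANT ALL PRIVILEGES ON `<GATEWAY_DB>`.* TO 'gateway'@'<NODE_IP_2>';

-- 3. Both single-node and cluster installs: remove the source-host-unrestricted
--    entry that the ssgconfig menu created. (Single-node installs skip step 2.)
DROP USER IF EXISTS 'gateway'@'%';

-- 4. Verify: no 'gateway' row with host '%' should remain, only localhost
--    and (for a cluster) the explicit node addresses.
SELECT user, host FROM mysql.user WHERE user = 'gateway' ORDER BY host;
```

MySQL 8 applies CREATE USER, GRANT and DROP USER immediately, so no FLUSH PRIVILEGES is needed. On a cluster, run step 4 and confirm each remote node can still connect before closing the change window.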
Marco Zwetsloot
Thanks for the quick reply @Jay MacDonald, will consider this.
Philip Mead
This is late, but there is a "STIG" at https://www.mysql.com/products/enterprise/stig.html which discusses good security practice.
Laurent LANDREAU
@Marco Zwetsloot
To do the installation of the Software Appliance gateways onto RHEL servers, which installation package did you use?
  ssg-10.1.00-11620.noarch.rpm
or
  Layer7_API_Gateway_v10.1.00.11620.L7P

I have used the former, and I find that the items of the main menu do not correspond to the ones documented on the web site.

Regards, Laurent
Integration Architect, Brisbane, Australia