PMM Advisors MySQL Security Checks

Percona Monitoring and Management (PMM)
1

Hi everyone,

I’m interested in the PMM Advisors module (ex Security Threat tool). As stated here Advisor checks for PMM - Percona Platform the PMM is capable of executing security checks and, in particular for MySQL, I would like to know which types of checks it carries out. Is there available a list of all MySQL security checks?
In addition, are the check queries heavy? I’m afraid they can slow down the DBs.

Thank you

1 Like
2

@ttemployee,
On the page you listed, there is literally a long table listing out all the security checks. The queries are not heavy at all. They will not slow down the database in any way.

1 Like
3

@matthewb

Thank you for the reply. However, IMHO, the page is not so detailed. For example MySQL User Check and MySQL Security Check report the same description, i.e. “Runs a detailed check on user setup”. What are these “checks”?
In addition, is the Advisors module capable of altering you if suspicious queries are being executed?

1 Like
4

The checks are looking for duplicate users, duplicate passwords, users without passwords, etc. The checks are simple SQL against the users table.

No, the advisors are not watching any SQL from your application.

1 Like
5

@matthewb

I’ve just received an email from Percona, stating:

The Security Threat Tool helps:

  • Reduce possible data exposures with Query Analytics to examine all of the queries hitting your database, helping you to quickly identify unexpected queries to determine if they are valid or malicious requests (who is asking and what data they are trying to get)
  • Increase database security by quickly identifying and mitigating common database security risks for all of your open source databases (MySQL, PostgreSQL, MongoDB, MariaDB), helping you to save time and reduce potential risks
  • Ensure compliance with the ability to run regular security checks for all of your open source databases, get alerts when databases do not pass, and audit your security check history, enabling you to show that all databases are up to date with details on any remediation actions taken

Isn’t the first point, “Query Analytics to examine all of the queries”, in contradiction with what you said (“No, the advisors are not watching any SQL from your application”)?

6

No, because the tool is not analyzing the contents of the SQL itself. The Query ANalytics tool only gathers statistics information about the execution of your queries. It does not perform any “security” checks on the content of the queries themselves. Because the QAN has stats/records of all queries executed, you can search for queries that might be malicious, thus allowing you to reduce any possible data exposures.

1 Like
7

Hello, sorry for joining the conversation,

I also want to know about the Advisor Check for the databases, on the documentation - List of Check, there are anonymous, registered and paid tier.
So if we want to get all or some advance DB advisor checking we need to get the paid tier? is there any information about this tier?

Regards,

Stan

1 Like
8

hello @Stan_beta
Let me try to answer your question. Percona advisor checks have 3 tiers.
If you enabled the feature in PMM Setting and check Advisors list, there will be already a set of them provided for you as an anonymous user. These advisors are checking mostly for database versions, are there users without passwords etc.
To get registered set of checks you will have to create a Percona account on https://portal.percona.com/ and connect your PMM with the Percona Platform. Your list of advisors will get more advanced ones for security, configuration and performance.
These two categories are completely free for all our users.
But Percona paid advisors as best practices from our database experts are available for our customers who have an active contract with Percona.

3 Likes