This document outlines security best practices and guidelines for deploying and using TenangDB in production environments.
TenangDB is designed with security as a core principle. This guide covers essential security measures to protect your database backups and ensure secure operations.
Create Dedicated User:
# Create tenangdb user with minimal privileges
sudo useradd -r -s /bin/false -d /opt/tenangdb tenangdb
sudo mkdir -p /opt/tenangdb
sudo chown tenangdb:tenangdb /opt/tenangdbDatabase User Permissions:
-- Create backup user with minimal required privileges
CREATE USER 'tenangdb_backup'@'localhost' IDENTIFIED BY 'strong_password_here';
-- Grant only necessary permissions
GRANT SELECT, LOCK TABLES, SHOW VIEW, EVENT, TRIGGER ON *.* TO 'tenangdb_backup'@'localhost';
GRANT RELOAD, SUPER ON *.* TO 'tenangdb_backup'@'localhost';
-- For specific databases only (recommended)
GRANT SELECT, LOCK TABLES, SHOW VIEW, EVENT, TRIGGER ON database_name.* TO 'tenangdb_backup'@'localhost';
FLUSH PRIVILEGES;Note: The install.sh script creates and configures the necessary directories. The commands below are for verification or manual setup.
Directory Permissions:
# Secure configuration directory
sudo mkdir -p /etc/tenangdb
sudo chown root:tenangdb /etc/tenangdb
sudo chmod 750 /etc/tenangdb
# Secure backup directory
sudo mkdir -p /var/backups/tenangdb
sudo chown tenangdb:tenangdb /var/backups/tenangdb
sudo chmod 750 /var/backups/tenangdb
# Set configuration file permissions
sudo chmod 640 /etc/tenangdb/config.yaml
sudo chown root:tenangdb /etc/tenangdb/config.yamlBinary Security:
# Place binary in secure location
sudo cp tenangdb /opt/tenangdb/
sudo chown root:root /opt/tenangdb/tenangdb
sudo chmod 755 /opt/tenangdb/tenangdb
# Verify binary integrity (optional)
sha256sum /opt/tenangdb/tenangdbEnhanced Service Security:
[Unit]
Description=TenangDB Backup Service
After=network.target mysqld.service
Requires=mysqld.service
[Service]
Type=oneshot
User=tenangdb
Group=tenangdb
WorkingDirectory=/opt/tenangdb
ExecStart=/opt/tenangdb/tenangdb backup --config /etc/tenangdb/config.yaml
# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/backups/tenangdb /var/log/tenangdb
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
RestrictRealtime=true
ProtectHostname=true
ProtectClock=true
# Resource limits
LimitNOFILE=65536
LimitNPROC=4096
# Network security
PrivateNetwork=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
[Install]
WantedBy=multi-user.targetSecure Password Storage:
# Use strong passwords (minimum 16 characters)
database:
username: tenangdb_backup
password: "Use-Strong-Password-With-Special-Characters-123!"Environment Variables (Recommended):
# Set sensitive data via environment variables
export TENANGDB_DB_PASSWORD="your-secure-password"
export TENANGDB_ENCRYPTION_KEY="your-encryption-key"Configuration in code:
database:
username: tenangdb_backup
password: "${TENANGDB_DB_PASSWORD}"Secure MySQL Defaults File:
# Create secure defaults file
sudo cat > /etc/tenangdb/.my.cnf << 'EOF'
[client]
user=tenangdb_backup
password=your-secure-password
host=localhost
port=3306
[mydumper]
user=tenangdb_backup
password=your-secure-password
EOF
# Secure the file
sudo chown root:tenangdb /etc/tenangdb/.my.cnf
sudo chmod 640 /etc/tenangdb/.my.cnfDatabase Connection Security:
database:
host: localhost # Use localhost when possible
port: 3306
# Enable SSL if available
ssl_mode: "PREFERRED"
ssl_ca: "/path/to/ca.pem"
ssl_cert: "/path/to/client-cert.pem"
ssl_key: "/path/to/client-key.pem"Encrypt Backup Files:
# Enable compression with encryption
backup:
directory: /var/backups/tenangdb
compression: gzip
encryption: true
encryption_key: "${TENANGDB_ENCRYPTION_KEY}"Secure Backup Directory:
# Set restrictive permissions on backup files
find /var/backups/tenangdb -type f -exec chmod 640 {} \;
find /var/backups/tenangdb -type d -exec chmod 750 {} \;Secure Rclone Configuration:
# Create encrypted rclone config
sudo mkdir -p /etc/tenangdb
sudo rclone config create s3backup s3 \
provider AWS \
access_key_id your-access-key \
secret_access_key your-secret-key \
region us-east-1 \
server_side_encryption AES256
# Secure rclone config
sudo chown root:tenangdb /etc/tenangdb/rclone.conf
sudo chmod 640 /etc/tenangdb/rclone.confUpload Configuration:
upload:
enabled: true
rclone_config_path: /etc/tenangdb/rclone.conf
destination: "s3backup:your-bucket/database-backups/"
encryption: true
verify_upload: trueLog Analysis:
# Monitor for security events
sudo journalctl -u tenangdb.service -f | grep -E "(FAILED|ERROR|UNAUTHORIZED)"
# Set up log rotation
sudo cat > /etc/logrotate.d/tenangdb << 'EOF'
/var/log/tenangdb/*.log {
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 640 tenangdb tenangdb
}
EOFPrometheus Metrics:
metrics:
enabled: true
port: 9090
path: /metrics
# Secure metrics endpoint
basic_auth:
username: prometheus
password: "${PROMETHEUS_PASSWORD}"Integrity Checks:
backup:
verify_backup: true
checksum_algorithm: sha256
test_restore: trueAutomated Testing:
#!/bin/bash
# Test backup integrity
tenangdb verify --backup-path /var/backups/tenangdb/latest
if [ $? -ne 0 ]; then
echo "ALERT: Backup verification failed!" | mail [email protected]
fi- Database User: Created with minimal required privileges
- File Permissions: All files secured with proper ownership/permissions
- Service User: Running as non-root user with restricted capabilities
- Network: Database connections use localhost or secure networks
- Encryption: Backup files encrypted at rest and in transit
- Credentials: No plaintext passwords in configuration files
- Logging: Security events logged and monitored
- Monitoring: Metrics secured and alerts configured
- Updates: System and dependencies up to date
# Verify service security
sudo systemctl show tenangdb.service | grep -E "(User|Group|NoNewPrivileges|ProtectSystem)"
# Check file permissions
ls -la /etc/tenangdb/
ls -la /var/backups/tenangdb/
# Verify database permissions
mysql -u tenangdb_backup -p -e "SHOW GRANTS;"
# Test backup encryption
file /var/backups/tenangdb/latest/*.sql.gzImmediate Actions:
- Stop the service:
sudo systemctl stop tenangdb.service - Isolate the system: Review network connections
- Check logs:
sudo journalctl -u tenangdb.service --since "1 hour ago" - Verify backup integrity: Check recent backup files
- Rotate credentials: Change database passwords immediately
Backup Verification:
# Verify backup integrity
tenangdb verify --backup-path /var/backups/tenangdb/
mysqldump --single-transaction --routines --triggers database_name | gzip > test_backup.sql.gzEmergency Restore:
# Emergency restore from secure backup
tenangdb restore --backup-path /var/backups/tenangdb/verified_backup/If you discover a security vulnerability in TenangDB:
- DO NOT open a public GitHub issue
- Email security concerns to: [[email protected]] (if available)
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if any)
- Subscribe to security announcements: GitHub Releases
- Monitor the repository for security patches
- Enable automated dependency updates
- OWASP Database Security: Database Security Guidelines
- MySQL Security: MySQL Security Best Practices
- Systemd Security: Systemd Service Hardening
- Security Scanner:
lynisfor system security auditing - File Integrity:
aidefor file integrity monitoring - Network Security:
fail2banfor intrusion prevention - Backup Testing: Regular restore testing procedures
- Principle of Least Privilege: Grant minimal necessary permissions
- Defense in Depth: Multiple layers of security controls
- Regular Updates: Keep all components updated
- Monitoring: Continuous security monitoring and alerting
- Encryption: Encrypt data at rest and in transit
- Access Control: Strict file and network permissions
- Audit Trails: Comprehensive logging for security events
- Incident Response: Prepared procedures for security incidents
Remember: Security is an ongoing process, not a one-time setup. Regularly review and update your security measures.
Last Updated: 2025-01-06 Version: 1.0 Maintainer: Abdullah Ainun Najib