Security

1. Authentication

LeanXcale supports two ways to handle authentication: natively, or through an external authentication server, which can be an LDAP server or a PAM server. Native authentication is used via standard SQL.

1.1. Native Authentication

1.1.1. Predefined Users

There are two predefined users:

  • LXADMIN: This is the predefined user with admin rights over all databases defined. It is the superuser of the system. Its password is set during the installation.

  • NONE: This is a predefined user with rights only to connect to the database. It is only useful to test that the connection to the database works.

The predefined users cannot be deleted, nor can their rights be changed.

1.1.2. Users & Schemas

In LeanXcale, each database always has a predefined schema APP. Each created user has an associated schema with the same name as the user. Deleting a user deletes the associated schema as well.

1.1.3. Predefined Database & Schema

In LeanXcale there is one predefined database, DB, which has a predefined schema, APP. They are provided to ease the use of the database. Neither of them can be dropped.

1.1.4. Creating & Dropping Databases

New databases can be created by means of the CREATE DATABASE SQL statement:

createDatabaseStatement=
	CREATE DATABASE databaseName [USER userName IDENTIFIED BY stringLiteral]*

Only the LXADMIN user can create and drop databases. When creating a database, a user can be associated with it as owner through the optional USER clause, where the user's name and password are provided.

A database is dropped with the DROP DATABASE statement:

dropDatabaseStatement=
	DROP DATABASE databaseName

2. User Authorization

2.1. Permissions

User authorization is achieved by standard SQL GRANT and REVOKE statements. Permissions are expressed by the action and the database object. A GRANT statement gives one or more permissions to one or more users:

grantStatement=
	GRANT permissionList TO userList
permissionList=
	permission [, permission]*
permission=
	action databaseObject

Where action can be:

action=
	CREATE | ALTER | DROP | SELECT | USAGE | INSERT | DELETE | UPDATE | REFERENCES
	| COMMENT | BACKUP | BECOME ANY USER | ALL PRIVILEGES

And database objects are:

databaseObject=
	TABLE | INDEX | VIEW | SEQUENCE | TRIGGER | PROCEDURE | ANY

2.2. Roles

Roles are also supported, making it possible to systematize the permissions given to users depending on their role. A role is just a collection of permissions. In that sense, roles are similar to users. The syntax is:

createRoleStatement=
	CREATE ROLE roleName IDENTIFIED BY 'password'

Permissions can be granted to a role, and a user can be granted roles, which is equivalent to granting the user each of the permissions in the role.

A role can be deleted with:

dropRoleStatement=
	DROP ROLE roleName

3. Encryption

4. Hardening Guide

4.1. Network Security

The host on which LeanXcale resides should only have open the ports that client applications use to connect to LeanXcale. The firewall of the host has to be opened exclusively to the IPs of the hosts where the client application(s) are running. It must not be opened to anyone on the Internet. On Ubuntu, you can set up and manage the firewall using a utility called ufw (Uncomplicated Firewall), which provides a straightforward command-line interface for configuring firewall rules.

The Ubuntu documentation explains how to set up the firewall: https://ubuntu.com/server/docs/security-firewall
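
The rule set described in 4.1, as an added example that is not part of the LeanXcale documentation: it prints the ufw commands that deny inbound traffic by default and open the client port only to named client hosts. Port 14420 is the default named in 4.3; TCP transport and the client addresses (constructed documentation-range values) are assumptions.

```shell
#!/bin/sh
# Added example, not LeanXcale tooling. Builds the ufw rule set for section 4.1.
# Assumptions: clients connect over TCP; 14420 is the client port;
# 203.0.113.10 and 203.0.113.11 are constructed client addresses.

lx_ufw_rules() {
    port=$1; shift
    # Refuse to produce a rule set that opens the port to nobody or to everybody.
    [ "$#" -gt 0 ] || { echo "error: no client addresses given" >&2; return 1; }
    for src in "$@"; do
        case $src in
            any|0.0.0.0|0.0.0.0/*|::/0|*/0)
                echo "error: '$src' would expose port $port to every host" >&2
                return 1 ;;
        esac
    done
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # One allow rule per client application host, nothing broader.
    for src in "$@"; do
        echo "ufw allow proto tcp from $src to any port $port"
    done
    # Enable last, once every allow rule is in place.
    echo "ufw enable"
}

# Print the commands for review before running them as root.
# If the host is administered over SSH, add an allow rule for the admin host first.
lx_ufw_rules 14420 203.0.113.10 203.0.113.11
```

After applying the rules, `ufw status verbose` lists what is actually open.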

4.2. Least Privilege Principle

Each role in your organization should get only the minimum privileges needed to perform that role, and no more. LXADMIN access should be limited to the administrators of the database. Create roles for each different activity on the database, such as developer, user, etc. Each person should have a different user. Strong password selection should be enforced.

4.3. Change Defaults

A good practice is to change the default ports, so an attacker has a harder time identifying them. You can change the default ports in the configuration file. In particular, the default port on which LeanXcale listens for client connections is 14420. You can change it by indicating in the configuration file which port you want to use for the query engine (lxqe), for instance, port 3444:

host atlantis
    lxqe
        addr atlantis!3444

4.4. Use Encryption

Use encryption in the client-server communication by activating TLS. It prevents an attacker who has gained access to your network from seeing the contents of the messages exchanged between your application and the database server.

You can enforce that encryption is always used to communicate with LeanXcale by setting the tls global property in the configuration file when installing:

tls
host atlantis

Or it can be indicated as a parameter when installing with lxinst:

unix$ lxinst tls /usr/local/leanxcale

This will force the SQL console to use TLS in its connection.

Client applications should use the 'tls=yes' property in the driver connection string.

Activate storage encryption to prevent an attacker who gets access to the device, physically or through the host, from seeing the stored data.
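
A check for the settings from 4.3 and 4.4, as an added example that is not LeanXcale tooling: it reads a configuration file and reports a missing global tls property or a query engine still on port 14420. It assumes the file layout shown in the fragments above, and that an lxqe block without an addr line listens on the default port.

```shell
#!/bin/sh
# Added example, not LeanXcale tooling. Audits a configuration file for 4.3 and 4.4.
# Assumed layout (from the fragments on this page): a global `tls` line at column 0,
# components such as `lxqe` indented under `host`, and `addr host!port` under them.
# Assumed: an lxqe block without an addr line listens on the default port 14420.

lx_audit_conf() {
    awk -v def=14420 '
    function fail(msg) { print "FAIL " msg; bad = 1 }
    function close_qe() {
        if (in_qe && !has_addr) fail("port: lxqe has no addr, default " def " in use")
        in_qe = 0
    }
    NF == 0 { next }                                 # skip blank lines
    { match($0, /[^ \t]/); ind = RSTART - 1 }        # indentation of this line
    in_qe && ind <= qe_ind { close_qe() }            # dedent ends the lxqe block
    ind == 0 && $1 == "tls" { tls = 1 }              # global tls property
    $1 == "lxqe" { in_qe = 1; qe_ind = ind; has_addr = 0; next }
    in_qe && $1 == "addr" {
        has_addr = 1
        n = split($2, part, "!")                     # addr is host!port
        if (part[n] == def) fail("port: lxqe addr " $2 " uses default " def)
    }
    END {
        close_qe()
        if (!tls) fail("tls: global tls property not set")
        if (!bad) print "OK"
        exit bad + 0
    }' "$1"
}

# Constructed sample: the fragment from 4.3 combined with the tls line from 4.4.
sample=$(mktemp)
printf 'tls\nhost atlantis\n    lxqe\n        addr atlantis!3444\n' > "$sample"
lx_audit_conf "$sample"
rm -f "$sample"
```

The function exits non-zero when any finding is reported, so it can gate an installation script.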

4.5. Regular Patching

Applying critical security updates and patches is highly recommended to eliminate vulnerabilities that have been fixed.