77 lines
3.7 KiB
Markdown
77 lines
3.7 KiB
Markdown
---
|
|
description: Data & storage security (DB isolation, TLS, least privilege, RLS/CLS, backups, auditing)
|
|
languages:
|
|
- c
|
|
- javascript
|
|
- sql
|
|
- yaml
|
|
alwaysApply: false
|
|
---
|
|
|
|
rule_id: codeguard-0-data-storage
|
|
|
|
## Database Security Guidelines
|
|
|
|
This rule advises on securely configuring SQL and NoSQL databases to protect against data breaches and unauthorized access:
|
|
|
|
- Backend Database Protection
|
|
- Isolate database servers from other systems and limit host connections.
|
|
- Disable network (TCP) access when possible; use local socket files or named pipes.
|
|
- Configure database to bind only on localhost when appropriate.
|
|
- Restrict network port access to specific hosts with firewall rules.
|
|
- Place database server in separate DMZ isolated from application server.
|
|
- Never allow direct connections from thick clients to backend database.
|
|
|
|
- Transport Layer Security
|
|
- Configure database to only allow encrypted connections.
|
|
- Install trusted digital certificates on database servers.
|
|
- Use TLSv1.2+ with modern ciphers (AES-GCM, ChaCha20) for client connections.
|
|
- Verify digital certificate validity in client applications.
|
|
- Ensure all database traffic is encrypted, not just initial authentication.
|
|
|
|
- Secure Authentication Configuration
|
|
- Always require authentication, including from local server connections.
|
|
- Protect accounts with strong, unique passwords.
|
|
- Use dedicated accounts per application or service.
|
|
- Configure minimum required permissions only.
|
|
- Regularly review accounts and permissions.
|
|
- Remove accounts when applications are decommissioned.
|
|
- Change passwords when staff leave or compromise is suspected.
|
|
|
|
- Database Credential Storage
|
|
- Never store credentials in application source code.
|
|
- Store credentials in configuration files outside web root.
|
|
- Set appropriate file permissions for credential access.
|
|
- Never check credential files into source code repositories.
|
|
- Encrypt credential storage using built-in functionality when available.
|
|
- Use environment variables or secrets management solutions.
|
|
|
|
- Secure Permission Management
|
|
- Apply principle of least privilege to all database accounts.
|
|
- Do not use built-in root, sa, or SYS accounts.
|
|
- Do not grant administrative rights to application accounts.
|
|
- Restrict account connections to allowed hosts only.
|
|
- Use separate databases and accounts for Development, UAT, and Production.
|
|
- Grant only required permissions (SELECT, UPDATE, DELETE as needed).
|
|
- Avoid making accounts database owners to prevent privilege escalation.
|
|
- Implement table-level, column-level, and row-level permissions when needed.
|
|
|
|
- Database Configuration and Hardening
|
|
- Install required security updates and patches regularly.
|
|
- Run database services under low-privileged user accounts.
|
|
- Remove default accounts and sample databases.
|
|
- Store transaction logs on separate disk from main database files.
|
|
- Configure regular encrypted database backups with proper permissions.
|
|
- Disable unnecessary stored procedures and dangerous features.
|
|
- Implement database activity monitoring and alerting.
|
|
|
|
- Platform-Specific Hardening
|
|
- SQL Server: Disable xp_cmdshell, CLR execution, SQL Browser service, Mixed Mode Authentication (unless required).
|
|
- MySQL/MariaDB: Run mysql_secure_installation, disable FILE privilege for users.
|
|
- PostgreSQL: Follow PostgreSQL security documentation guidelines.
|
|
- MongoDB: Implement MongoDB security checklist requirements.
|
|
- Redis: Follow Redis security guide recommendations.
|
|
|
|
Summary:
|
|
Isolate database systems, enforce encrypted connections, implement strong authentication, store credentials securely using secrets management, apply least privilege permissions, harden database configurations, and maintain regular security updates and monitoring.
|