Database Security Hardening
Security configurations for PostgreSQL, MySQL, MongoDB: encryption, access control, audit logging, compliance.
📄 Product Preview
Try the interactive reader and demo tools below, or get the full product with all content unlocked.
📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample📁 File Structure 25 files
📖 Documentation Preview README excerpt
Database Security Hardening
A hands-on hardening kit for PostgreSQL and MySQL/MariaDB: least-privilege
roles, TLS and host-based authentication, audit logging, row-level security,
column encryption, secrets management, and CIS-style checklists you can actually
run. Everything here is copy-paste runnable SQL, real config snippets, and two
small tools — no agents, no SaaS, no external dependencies.
This kit exists because most "secure your database" advice stops at "use a strong
password." Real hardening is a stack of controls so that one mistake — a leaked
credential, a stolen disk, an injected query — stays contained instead of turning
into a breach. Each file targets a specific layer of that stack.
Who this is for
- Backend engineers and DBAs standing up a new PostgreSQL/MySQL instance.
- Teams preparing for a security review or SOC 2 / ISO 27001 control mapping.
- Anyone who inherited a database where "the app connects as the superuser."
You should be comfortable running psql/mysql as an admin and editing server
config files. You do not need any paid tooling.
Contents
database-security-hardening/
├── README.md
├── LICENSE
├── sql/
│ ├── postgres-roles-grants.sql # layered NOLOGIN groups + LOGIN roles, default privileges
│ ├── postgres-row-level-security.sql # multi-tenant RLS with FORCE + WITH CHECK
│ ├── postgres-audit-logging.sql # pgAudit + append-only row-history trigger
│ ├── postgres-encryption-pgcrypto.sql # AES-256 column encryption, HMAC lookup, bcrypt passwords
│ ├── mysql-users-grants.sql # roles, host-pinned TLS accounts, resource limits
│ └── mysql-audit-logging.sql # plugin notes + universal trigger-based trail
├── config/
│ ├── postgresql.conf.ssl # TLS, SCRAM, logging, DoS guards
│ ├── pg_hba.conf # hostssl rules, cert auth, explicit deny
│ └── my.cnf # TLS, auth plugin, secure_file_priv, audit
├── scripts/
│ ├── privilege_audit.py # offline grant auditor (stdlib only, has --demo)
│ ├── pg_privilege_audit.sql # export queries that feed the auditor
│ └── check_tls.sh # verify a live endpoint's TLS + certificate
└── docs/
├── cis-postgres-checklist.md # L1/L2 hardening checklist, PostgreSQL
├── cis-mysql-checklist.md # L1/L2 hardening checklist, MySQL/MariaDB
├── threat-model.md # STRIDE breakdown + attacker walkthrough
├── secrets-management.md # keep credentials out of code; rotate safely
└── encryption-guide.md # at-rest + in-transit, layer by layer
Prerequisites
- PostgreSQL 13–16 or MySQL 8.0/8.4 / MariaDB 10.6+.
... continues with setup instructions, usage examples, and more.