← Back to all products

Database Security Hardening

$39

Security configurations for PostgreSQL, MySQL, MongoDB: encryption, access control, audit logging, compliance.

📁 25 files
MarkdownShellPythonSQLPostgreSQL

📄 Product Preview

Try the interactive reader and demo tools below, or get the full product with all content unlocked.

📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample

📁 File Structure 25 files

database-security-hardening/ ├── LICENSE ├── README.md ├── config/ │ ├── my.cnf │ ├── pg_hba.conf │ └── postgresql.conf.ssl ├── docs/ │ ├── cis-mysql-checklist.md │ ├── cis-postgres-checklist.md │ ├── encryption-guide.md │ ├── secrets-management.md │ └── threat-model.md ├── free-sample.zip ├── guide/ │ ├── 01_who-this-is-for.md │ ├── 02_prerequisites.md │ ├── 03_file-by-file-guide.md │ └── 04_license.md ├── index.html ├── scripts/ │ ├── check_tls.sh │ ├── pg_privilege_audit.sql │ └── privilege_audit.py └── sql/ ├── mysql-audit-logging.sql ├── mysql-users-grants.sql ├── postgres-audit-logging.sql ├── postgres-encryption-pgcrypto.sql ├── postgres-roles-grants.sql └── postgres-row-level-security.sql

📖 Documentation Preview README excerpt

Database Security Hardening

A hands-on hardening kit for PostgreSQL and MySQL/MariaDB: least-privilege

roles, TLS and host-based authentication, audit logging, row-level security,

column encryption, secrets management, and CIS-style checklists you can actually

run. Everything here is copy-paste runnable SQL, real config snippets, and two

small tools — no agents, no SaaS, no external dependencies.

This kit exists because most "secure your database" advice stops at "use a strong

password." Real hardening is a stack of controls so that one mistake — a leaked

credential, a stolen disk, an injected query — stays contained instead of turning

into a breach. Each file targets a specific layer of that stack.


Who this is for

  • Backend engineers and DBAs standing up a new PostgreSQL/MySQL instance.
  • Teams preparing for a security review or SOC 2 / ISO 27001 control mapping.
  • Anyone who inherited a database where "the app connects as the superuser."

You should be comfortable running psql/mysql as an admin and editing server

config files. You do not need any paid tooling.


Contents


database-security-hardening/
├── README.md
├── LICENSE
├── sql/
│   ├── postgres-roles-grants.sql        # layered NOLOGIN groups + LOGIN roles, default privileges
│   ├── postgres-row-level-security.sql  # multi-tenant RLS with FORCE + WITH CHECK
│   ├── postgres-audit-logging.sql       # pgAudit + append-only row-history trigger
│   ├── postgres-encryption-pgcrypto.sql # AES-256 column encryption, HMAC lookup, bcrypt passwords
│   ├── mysql-users-grants.sql           # roles, host-pinned TLS accounts, resource limits
│   └── mysql-audit-logging.sql          # plugin notes + universal trigger-based trail
├── config/
│   ├── postgresql.conf.ssl              # TLS, SCRAM, logging, DoS guards
│   ├── pg_hba.conf                      # hostssl rules, cert auth, explicit deny
│   └── my.cnf                           # TLS, auth plugin, secure_file_priv, audit
├── scripts/
│   ├── privilege_audit.py               # offline grant auditor (stdlib only, has --demo)
│   ├── pg_privilege_audit.sql           # export queries that feed the auditor
│   └── check_tls.sh                     # verify a live endpoint's TLS + certificate
└── docs/
    ├── cis-postgres-checklist.md        # L1/L2 hardening checklist, PostgreSQL
    ├── cis-mysql-checklist.md           # L1/L2 hardening checklist, MySQL/MariaDB
    ├── threat-model.md                  # STRIDE breakdown + attacker walkthrough
    ├── secrets-management.md            # keep credentials out of code; rotate safely
    └── encryption-guide.md              # at-rest + in-transit, layer by layer

Prerequisites

  • PostgreSQL 13–16 or MySQL 8.0/8.4 / MariaDB 10.6+.

... continues with setup instructions, usage examples, and more.

📄 Code Sample .py preview

scripts/privilege_audit.py #!/usr/bin/env python3 """Database privilege auditor -- flag risky roles, grants, and account settings. This is an OFFLINE analyzer: it does not connect to any database. You export the cluster's role/grant inventory to CSV (using the companion queries in ``scripts/pg_privilege_audit.sql`` for PostgreSQL, or the equivalent ``information_schema`` query for MySQL noted there), then run this tool against the CSV. Keeping it offline means it is safe to run anywhere, needs no drivers, and the same report can be diffed in CI over time. Expected CSV columns (header row required; extra columns are ignored): engine "postgres" | "mysql" role role / user name host source host pattern (MySQL) or "" for PostgreSQL can_login "t"/"f" (PostgreSQL rolcanlogin, or "t" for every MySQL user) is_superuser "t"/"f" can_create_role "t"/"f" can_create_db "t"/"f" bypass_rls "t"/"f" (PostgreSQL rolbypassrls; "f" for MySQL) requires_tls "t"/"f" (MySQL ssl_type != '' ; PostgreSQL: from pg_hba) password_set "t"/"f" valid_until ISO date or "" (no expiry) grants semicolon-separated grant strings, e.g. "SELECT ON app_db.*;ALL ON *.*" Run the built-in demo (no CSV needed) to see the output format: python3 privilege_audit.py --demo Audit a real export and fail CI on HIGH findings: python3 privilege_audit.py --csv inventory.csv --fail-on high Exit codes: 0 = no findings at/above the threshold, 2 = findings, 1 = error. """ from __future__ import annotations import argparse import csv import io import logging import sys from dataclasses import dataclass, field from enum import IntEnum from pathlib import Path LOG = logging.getLogger("privilege_audit") # Severity ordering so we can compare and threshold. # ... 271 more lines ...
Buy Now — $39 Back to Products