cytopia/mysqldump-secure cytopia/mysqldump-secure

  • Stars
    star
    141
  • Rank 259,971 (Top 6 %)
  • Language
    Shell
  • Created over 9 years ago
  • Updated almost 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
cytopia/mysqldump-secure
github

cytopia

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

[sh] Encrypted mysqldump script with compression, logging, blacklisting and Nagios/Icinga monitoring integration

MySQLDumpSecure mysqldump-secure

ATTENTION

Please upgrade to the latest version in order to be notified about the OpenSSL SMIME Bug in case you are affected.

GIT NOTE:

WHEN CLONING VIA GIT, MAKE SURE TO ALWAYS CHECK OUT THE LATEST TAG. THE MASTER BRANCH IS ALWAYS UNDER DEVELOPMENT AND THEREFORE UNSTABLE.

Features | Installation | Configuration | Usage | Documentation | Contribution | License | Version

Build Status Latest Stable Version Total Downloads Latest Unstable Version License POSIX Type

Mysqldump-secure is a POSIX compliant wrapper script for mysqldump with many features and very strong security in mind. It will backup every available database (which is readable by the specified user) as a separate file with the possibility to opt out via blacklisting. Dumped databases can optionally be piped directly to gzip or openssl in order to compress and/or encrypt the backup. Encryption is done before the file is written to disk to avoid possible race conditions (See documentation for more info about security measurements).

Find the project website at https://mysqldump-secure.org Find the whole post at https://www.everythingcli.org

Runs on

FreeBSD RedHat CentOS Debian ArchLinux Ubuntu OSX

(If the script runs on any other system not mentioned here, please drop me a note.)

Rock-stable and well tested

Every push to mysqldump-secure triggers travis-ci which will run hundreds of all kinds of tests against the new code and stress the tool in every possible way with every possible config.

You can find the tests within the test folder including an automated setup to get a master-slave server with SSL encryption setup. Thoses tests can also be run locally.

See https://travis-ci.org/cytopia/mysqldump-secure for checks in action and test for a description about the tests.

1. Features

Primary Features

  • Encryption (hybrid encryption: RSA and AES via openssl smime - no password needed)
  • Compression (gzip, pigz, bzip2, pbzip2, lzop, lzma, xz)
  • Tmpwatch integration (tmpwatch or tmpreaper)
  • Transaction-safe / Consistent backups across tables (for DBs with: InnoDB only-, mixed- and non-InnoDB- tables)
  • Conditional mysqldump options (e.g.: apply --quick only on DBs > 200MB)
  • Security (various built-in checks and precautions)
  • SSL Remote Backups
  • Nagios / Icinga monitoring integration (via check_mysqldump-secure)

Secondary Features

  • Custom mysqldump options
  • Master/Slave recognition
  • Blacklisting
  • Whitelisting
  • File logging
  • Self validation
  • Rock stable (see travis for hundreds of checks)
  • 100% POSIX compliant

2. Installation

2.1 Linux, BSD and OSX

wget https://github.com/cytopia/mysqldump-secure/archive/0.16.5.tar.gz -O - | tar -xz
cd mysqldump-secure
./configure
make
sudo make install

2.2 OSX

brew tap cytopia/tap
brew install mysqldump-secure

For more detailed instructions go to the Install guidelines

3. Configuration

There are two separate configuration files:

The first one is to setup the MySQL credentials and the second one configures the behavior of how to backup the databases.

You do not need to worry about file permissions or directories. The script will auto-check the following options and adjust them as required:

  • Logfile exists
  • Logfile is writeable
  • Auto creation of logfile
  • Logging turned off automatically
  • Destination dir exists
  • Destination dir is writeable
  • Auto creation of destination dir
  • Required system binaries exist
  • MySQL credentials are valid

For more detailed instructions go to the Setup guidelines

4. Usage

4.1 Usage

Usage: mysqldump-secure [--conf] [--cron] [--test] [-v[v]]
       mysqldump-secure --help
       mysqldump-secure --version

When invoked without any arguments, it will start dumping databases as
defined in mysqldump-secure.conf.

  --conf          Pass a different configuration file than the default one.
                  E.g.: --conf=/etc/mysqldump-secure-alt.conf

  --cron          Use for cron run. It will only output errors and warnings
                  and will silence all info, debug and trace output.

  --test          Test requirements and exit.
                  Combine with -v or -vv for more verbose output.

  -v              Show debug output.
                  Specify twice (-vv) to also show trace output.
                  Can be combined with --conf  and --test

  -vv             Show debug and trace output.
                  Can be combined with --conf  and --test

  --help          Show this help screen.

  --version       Show version information.


Exit codes

  0               All fine, no fatals, no errors and no warnings occured.
  1               Warnings occured, but all dumps were successfull.
  2               Errors occured, but all dumps were successfull.
  3               Failed. Mysqldump encountered errors.
  4               Abort. The program aborted, due to missing requirements,
                  wrong arguments or a misconfiguration.

Further reading

See 'man mysqldump-secure' for more help.
Visist http://mysqldump-secure.org and browse documentation.

4.2 Default

Test if everything is configured correctly:

mysqldump-secure --test -vv

Manual run from commmand line:

mysqldump-secure -v

Run from within cron

mysqldump-secure --cron

4.3 Custom config

It is possible to have multiple instances of mysqldump-secure on your machine via different config files. Imagine the case you want to have some sensitive dumps encrypted and others should be dumped in plain. You can achieve this by using two configuration files and the IGNORE blocks of each respective config to exclude the other ones.

Test if everything is configured correctly in the specified config:

mysqldump-secure --test --config=/etc/mysqldump-secure.encrypted.conf

Manual run from commmand line:

mysqldump-secure --config=/etc/mysqldump-secure.encrypted.conf

Run from within cron

mysqldump-secure --cron --config=/etc/mysqldump-secure.encrypted.conf

4.4 Test run

$ mysqldump-secure --test -v
[INFO]  (OPT): Logging enabled
[DEBUG] (OPT): Log level: 3
[DEBUG] (OPT): Logfile: /var/log/mysqldump-secure.log
[DEBUG] (CFG): Destination dir: /var/mysqldump-secure
[DEBUG] (CFG): Using file Prefix: 2016-03-09_10-07__
[INFO]  (OPT): MySQL SSL connection enabled
[DEBUG] (OPT): MySQL SSL arguments: --ssl-ca=/etc/mysql.ca.pem.
[INFO]  (OPT): Compression enabled
[DEBUG] (OPT): Compression arguments: gzip -9 --stdout
[INFO]  (OPT): Encryption enabled
[DEBUG] (OPT): Encryption algorithm: -aes256
[INFO]  (OPT): Deletion enabled
[DEBUG] (OPT): Deleting files older than 2 days. Using: tmpwatch
[INFO]  (OPT): Nagios log enabled
[DEBUG] (OPT): Nagios logfile: /var/log/mysqldump-secure.nagios.log
[DEBUG] (SRV): MySQL server connection: 127.0.0.1 via TCP/IP
[DEBUG] (SRV): MySQL server connection: Using SSL (Cipher in use is DHE-RSA-AES256-GCM-SHA384)
[DEBUG] (SRV): MySQL server version:    MariaDB 10.1.11-MariaDB-log Homebrew
[DEBUG] (SRV): MySQL server hostname:   notebook.home.lan:3306
[DEBUG] (SRV): MySQL server rep type:   master

4.5 Example run

$ mysqldump-secure -v
[INFO]  (OPT): Logging enabled
[DEBUG] (OPT): Log level: 3
[DEBUG] (OPT): Logfile: /var/log/mysqldump-secure.log
[DEBUG] (CFG): Destination dir: /var/mysqldump-secure
[DEBUG] (CFG): Using file Prefix: 2016-03-09_10-13__
[INFO]  (OPT): MySQL SSL connection enabled
[DEBUG] (OPT): MySQL SSL arguments: --ssl-ca=/etc/mysql.ca.pem.
[INFO]  (OPT): Compression enabled
[DEBUG] (OPT): Compression arguments: gzip -9 --stdout
[INFO]  (OPT): Encryption enabled
[DEBUG] (OPT): Encryption algorithm: -aes256
[INFO]  (OPT): Deletion enabled
[DEBUG] (OPT): Deleting files older than 2 days. Using: tmpwatch
[INFO]  (OPT): Nagios log enabled
[DEBUG] (OPT): Nagios logfile: /var/log/mysqldump-secure.nagios.log
[DEBUG] (SRV): MySQL server connection: 127.0.0.1 via TCP/IP
[DEBUG] (SRV): MySQL server connection: Using SSL (Cipher in use is DHE-RSA-AES256-GCM-SHA384)
[DEBUG] (SRV): MySQL server version:    MariaDB 10.1.11-MariaDB-log Homebrew
[DEBUG] (SRV): MySQL server hostname:   notebook.home.lan:3306
[DEBUG] (SRV): MySQL server rep type:   master
[DEBUG] (SQL): Retrieving list of databases... 9
[INFO]  (SQL): 1/9 Dumping:  db_InnoDB_and_MyISAM (19.90 MB) (compressed) (encrypted) (--lock-tables) (--skip-quick) 0 sec
[INFO]  (SQL): 2/9 Dumping:  db_InnoDB_only (10.52 MB) (compressed) (encrypted) (--single-transaction) (--skip-quick) 1 sec
[INFO]  (SQL): 3/9 Dumping:  db_MyISAM_only (9.38 MB) (compressed) (encrypted) (--lock-tables) (--skip-quick) 0 sec
[INFO]  (SQL): 4/9 Skipping: information_schema (ignored)
[INFO]  (SQL): 5/9 Skipping: my_empty_db1 (DB is empty)
[INFO]  (SQL): 6/9 Skipping: my_empty_db2 (DB is empty)
[INFO]  (SQL): 7/9 Dumping:  mysql (0.62 MB) (compressed) (encrypted) (--lock-tables) (--skip-quick) 0 sec
[INFO]  (SQL): 8/9 Skipping: performance_schema (ignored)
[INFO]  (SQL): 9/9 Skipping: test (DB is empty)
[DEBUG] (RUN): Dumping finished (OK: 4 dbs, IGN: 5 dbs, ERR: 0, TOTAL: 9)
[DEBUG] (RUN): Took 2 seconds
[DEBUG] (RUN): Total size dumped: 40.42 MB
[INFO]  (RUN): Deleting files older than 2 days ... 4
[INFO]  removing file /var/mysqldump-secure/2016-03-07_01-52__db_InnoDB_and_MyISAM.sql.gz.enc
[INFO]  removing file /var/mysqldump-secure/2016-03-07_01-52__db_InnoDB_only.sql.gz.enc
[INFO]  removing file /var/mysqldump-secure/2016-03-07_01-52__db_MyISAM_only.sql.gz.enc
[INFO]  removing file /var/mysqldump-secure/2016-03-07_01-52__mysql.sql.gz.enc
[DEBUG] (RUN): Writing nagios logfile
[OK]    Finished successfully

5. Documentation

File Description
https://mysqldump-secure.org Project homepage
https://www.everythingcli.org Blog post: General thoughts and initial idea for this project.
Installation Different ways to install mysqldump-secure
Requirements What tools are required to run mysqldump-secure
Configuration How to configure mysqldump-secure
Security Information and usage about security measurements
Compression Information and usage about compression
Encryption Information and usage about the used encryption
Examples Some command line examples such as mass importing databases back into the server

6. Contribution

Contributors are welcome.

If the script runs on an operating system productively, which is currently not yet included at the top of this document, please let me know, so I can add it for reference.

If you use the script, star it or let me know somehow.

If you like have a look at the Contributing Guidelines and see if there is anything you would like to take care of.

7. License

license

8. Version

For a complete list of verion see CHANGELOG

More Repositories

1

devilbox

A modern Docker LAMP stack and MEAN stack for local development
PHP
4,153
star
2

ffscreencast

ffscreencast - ffmpeg screencast/desktop-recording with video overlay and multi monitor support
Shell
1,742
star
3

pwncat

pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and its fully scriptable with Python (PSE)
Shell
1,624
star
4

linux-timemachine

Rsync-based OSX-like time machine for Linux, MacOS and BSD for atomic and resumable local and remote backups
Shell
674
star
5

awesome-ci

Awesome Continuous Integration - Lot's of tools for git, file and static source code analysis.
Shell
322
star
6

badchars

Bad char generator to instruct encoders such as shikata-ga-nai to transform those to other chars.
Python
221
star
7

docker-ansible

Alpine-based multistage-build version of Ansible for reproducible usage in CI
Makefile
188
star
8

urlbuster

Powerful mutable web directory fuzzer to bruteforce existing and/or hidden files or directories.
Python
152
star
9

thunar-custom-actions

Custom actions for Thunar (or Nautilus) File manager
Shell
135
star
10

ansible-debian

Buildfiles: Ansible automated leight-weight and sensible Debian provisioning
Jinja
86
star
11

smtp-user-enum

SMTP user enumeration via VRFY, EXPN and RCPT with clever timeout, retry and reconnect functionality.
Python
83
star
12

coinwatch

Coinmarketcap console client to keep track of your crypto currency trades - are you winning or losing?
Python
78
star
13

docker-bind

Bind (bind9) caching DNS server on Alpine or Debian with wild-card domain support [multi-arch]
Shell
77
star
14

docker-terraform-docs

Alpine-based multistage-build version of terraform-docs and terraform-docs-replace in multiple versions to be used for CI and other reproducible automations
HCL
60
star
15

crawlpy

Scrapy python crawler/spider with post/get login (handles CSRF), variable level of recursions and optionally save to disk
Python
55
star
16

aws-export-profile

Export AWS profiles to your shell environment
Shell
46
star
17

docker-dvwa

Docker Compose setup for DVWA with all available PHP versions
Makefile
44
star
18

ansible-role-cloudformation

Ansible role to render an arbitrary number of Jinja2 templates into cloudformation files and create any number of stacks.
Python
43
star
19

aws-export-assume-profile

Export AWS profiles to your shell environment
Shell
41
star
20

i3blocks-modules

Custom modules for i3blocks status bar
Shell
40
star
21

docker-terragrunt

Alpine-based multistage-build version of Terragrunt and Terraform for reproducible usage in CI
Makefile
40
star
22

fuzza

Customizable TCP fuzzing tool to test for remote buffer overflows.
Python
32
star
23

docker-yamllint

Alpine-based multistage-build of yamllint for reproducible usage in CI
Makefile
30
star
24

autorunner

Configurable and notification aware autostart helper for minimalistic window managers like i3, openbox and others
Shell
29
star
25

check_drupal

[sh] Nagios drupal plugin to monitor the state of a drupal site (or multisite) for security updates, core errors and more
Shell
27
star
26

ansible-role-k8s

This role render an arbitrary number of Jinja2 templates and deploys or removes them to/from Kubernetes clusters.
Python
26
star
27

redmine-like-a-boss

[sh] Simple redmine installation with plugins and themes
Shell
25
star
28

makefiles

Makefile
25
star
29

linkcheck

Search for URLs in files (optionally limited by extension) and validate their HTTP status code
Shell
23
star
30

aws-ec2-sg-exporter

A dockerized Prometheus exporter that compares desired/wanted IPv4/IPv6 CIDR against currently applied inbound CIDR rules in your security group(s).
Shell
22
star
31

kusanagi

Kusanagi is a bind and reverse shell payload generator with obfuscation and badchar support.
Python
21
star
32

metrics-server-prom

Prometheus adapter to scrape from Kubernetes metrics-server
Python
21
star
33

docker-black

Alpine-based multistage-build version of Python Black for reproducible usage in CI
Roff
20
star
34

ansible-modules

Custom ansible modules
Python
18
star
35

terraform-aws-iam

This Terraform module manages AWS IAM to its full extend.
HCL
18
star
36

dotfiles

dotfiles
Shell
17
star
37

docker-phpcs

Alpine-based multistage-build version of phpcs for reproducible usage in CI
Makefile
16
star
38

kali-openbox-menu

Kali-Linux menu for openbox
16
star
39

docker-php-cs-fixer

Alpine-based multistage-build version of php-cs-fixer for reproducible usage in CI
Makefile
16
star
40

git-rewrite-author

[sh] Rewrite git author and committer history (locally and remotely)
Shell
16
star
41

docker-ansible-lint

Alpine-based multistage-build version of ansible-lint for reproducible usage in CI
Makefile
14
star
42

nginx-certwatch

[sh] certwatch cron implementation for nginx vhosts
Shell
13
star
43

awesome-nagios-plugins

A curated list of awesome nagios plugins
13
star
44

docker-file-lint

Alpine-based Docker image to perform generic file checks on your source code in order to improve consistency within your repository (e.g. for easy usage in CI).
Shell
12
star
45

terraform-aws-route53-zone

A Terraform module that handles creation of multiple Route53 zones including attachment to new or existing delegation set
HCL
12
star
46

ansible-module-diff

Ansible module to diff strings, file contents or command outputs against each other
Python
11
star
47

slidocli

Command line utility to list available questions on sli.do and automatically upvote any question specified by their id.
Shell
11
star
48

yolo

discover new commands
Shell
10
star
49

docker-gofmt

Alpine-based multistage-build version of gofmt for reproducible usage in CI
Shell
9
star
50

header-fuzz

header-fuzz allows you to fuzz any HTTP header with a wordlist and evaluate success or failure based on the returning HTTP status code.
Shell
9
star
51

ultimate-shell-template

The ultimate shell template with optional GUI support
Shell
9
star
52

check_php

[sh] Nagios plugin for PHP to check for startup errors, missing modules, wrong php.ini configurations and PHP updates.
Shell
9
star
53

check_git

Nagios plugin to monitor the state of a git repository: clean, branch, tag, gpg verified etc
Shell
9
star
54

ansible-role-aws_account_match

Ansible safe-guard role to ensure you are currently using the correct AWS account(s)
9
star
55

docker-pylint

Alpine-based multistage-build version of pylint for reproducible usage in CI
Makefile
9
star
56

letsencrypt-watch

[sh] certwatch cron implementation for letsencrypt certificates
Shell
9
star
57

lsl

Colorful file labels for you terminal which are displayed in ls output.
Shell
8
star
58

docker-eslint

Alpine-based multistage-build version of eslint for reproducible usage in CI
Makefile
8
star
59

docker-yamlfmt

Alpine-based multistage-build version of yamlfmt for reproducible usage in CI
Makefile
8
star
60

docker-golint

Alpine-based multistage-build version of golint for reproducible usage in CI
Makefile
8
star
61

i3-utils-bin

Shell
7
star
62

docker-phplint

Alpine-based version of PHP for linting and reproducible usage in CI
Makefile
7
star
63

docker-linkcheck

Alpine-based multistage-build version of linkcheck for reproducible usage in CI
Makefile
7
star
64

docker-mypy

Alpine-based multistage-build version of Python mypy for reproducible usage in CI
Roff
6
star
65

terraform-aws-iam-cross-account

This Terraform module creates AWS cross-account assumable roles with multiple polcies to be specified via files
HCL
6
star
66

ansible-filter-get_attr

Ansible filter to have variable substitution in keys and values inside dictionaries
Python
6
star
67

docker-bandit

Alpine-based multistage-build version of bandit for reproducible usage in CI
Makefile
6
star
68

docker-terragrunt-fmt

Alpine-based multistage-build version of terragrunt-fmt to be used for CI and other reproducible automations
Shell
6
star
69

docker-jsonlint

Alpine-based multistage-build version of jsonlint with file globbing search for reproducible usage in CI
Makefile
6
star
70

docker-phpcbf

Alpine-based multistage-build version of phpcbf for reproducible usage in CI
Makefile
6
star
71

yii-check-translations

Shell script to check/validate yii translations in various folders
PHP
5
star
72

docker-goimports

Alpine-based multistage-build version of goimports for reproducible usage in CI
Shell
5
star
73

check_http_expect

[sh] Nagios plugin that will check a website (behind .htacess and/or behind POST login) for an expected string or regex expression.
Shell
5
star
74

vault-auto-unseal

HashiCorp Vault auto-unseal
Shell
5
star
75

jsparsy

Scan urls for javascript run-time errors
JavaScript
5
star
76

docker-checkmake

Alpine-based multistage-build version of checkmake for reproducible usage in CI
Makefile
5
star
77

dotfiles-kali

Shell
4
star
78

git-ids

Use git as an intrusion detection system for your servers
4
star
79

sweany

Sweany is a performance-orientated, self-validating and feature-rich MVC framework for PHP
PHP
4
star
80

terraform-aws-elb

This Terraform module creates an ELB with optionally a public and/or private Route53 DNS record attached to it.
HCL
4
star
81

docker-pycodestyle

Alpine-based multistage-build version of pycodestyle for reproducible usage in CI
Makefile
4
star
82

upload-artifact-verify-action

4
star
83

upload-artifact-retry-action

This action allows you to upload an artifact with retries in case the upload has failed. It wraps upload-artifact-verify-action and retries it
4
star
84

freebsd-tools

[sh] FreeBSD script collection
Shell
3
star
85

i3-utils

Some tools I use for my i3 setup
3
star
86

ecss

Exteended CSS (ECSS) is a preprocessor that easily adds constants and inheritance (single, multiple & recursive) as a language construct
PHP
3
star
87

docker-tag-action

GitHub Action to create Docker tag based on git branch or git tag
3
star
88

prometheus-redbox_exporter

Prometheus exporter that throws stuff to httpd endpoints and evaluates their response
Python
3
star
89

terraform-aws-rds

Remake of terraform-aws-modules/terraform-aws-rds without sub-modules
HCL
3
star
90

docker-pydocstyle

Alpine-based multistage-build version of pydocstyle for reproducible usage in CI
Makefile
2
star
91

asm

Assembly
2
star
92

git-tools

Shell
2
star
93

tools

Various cli tools
Shell
2
star
94

check_mysqldump-secure

[sh] Nagios Plugin to monitor mysqldump database backups
Shell
2
star
95

i3-utils-systemd

Makefile
2
star
96

docker-kubeval

Alpine-based multistage-build version of kubeval for reproducible usage in CI
Makefile
2
star
97

homebrew-tap

[ruby] Cytopia's homebrews
Ruby
2
star
98

download-artifact-retry-action

2
star
99

git-ref-matrix-action

This composite action creates a stringified JSON list of git refs to be used as a build matrix.
2
star
100

terraform-aws-iam-roles

This Terraform module creates an arbitrary number of IAM roles and policies/trusts to attach.
HCL
2
star