postgres_data_security_2017
•Als PPTX, PDF herunterladen•
1 gefällt mir•258 views
Postgres 10 and older versions security features
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (19)
Ähnlich wie postgres_data_security_2017
Ähnlich wie postgres_data_security_2017 (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
postgres_data_security_2017
- 1. Securing Data in Postgres Payal Singh @pallureshu OmniTI Computer Consulting https://omniti.com 1
- 2. Agenda Host Based Authentication Access Control Lists Row-Level Security SSL/TLS Auditing Encryption PCI Compliance Upcoming Features in pg10 Desired Features 2
- 5. HBA Reloading authentication changes - pg_reload_conf() 5
- 6. HBA Monitoring authentication - tail_n_mail [1] (from line 262,856) 2017-05-30 17:35:39 EDT [[local]] [13667]: [2-1] user=marion,db=postgres, e=28P01 FATAL: password authentication failed for user "marion" e=28P01 DETAIL: Connection matched pg_hba.conf line 18: "local all all md5" 6
- 7. HBA Password file - .pgpass in $HOME postgres@thinkpad ~ $ whoami postgres postgres@thinkpad ~ $ pwd /home/postgres postgres@thinkpad~ $ ls -l .pgpass -rw------- 1 postgres postgres 29 Jul 9 11:23 .pgpass postgres@thinkpad ~ $ cat .pgpass *:*:*:postgres:HuyYheDAfqVq7 7
- 9. ACL Access Control List “list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.” GRANT - define access privileges REVOKE - revoke access privileges https://www.postgresql.org/docs/current/static/sql-grant.html 9
- 10. ACL 10
- 11. ACL ACL commands are transactional in Postgres: 11
- 12. ACL Not so much in MySQL: 12
- 13. ACL Passwords In MySQL: Passwords In Postgres: 13
- 14. ACL SHOW GRANTS in MySQL 14
- 15. ACL Roles and role membership A role has privileges of all roles it is a member of 15
- 16. ACL SET DEFAULT PRIVILEGES ALTER DEFAULT PRIVILEGES IN SCHEMA <schema_name> GRANT <privilege> ON TABLES TO <role>; Only applies to objects created in future 16
- 17. ACL USAGE: Roles must have usage on schema to access tables, functions Usage on public schema granted by default to public role Usage granted by default on all roles in MySQL 17
- 18. ACL - USAGE Example 18
- 19. Column Level ACLs Grant privileges only on specific column(s) NOTE: UPDATE privilege in practice requires SELECT as well 19
- 21. RLS User-based or command-based row level access restrictions Disabled by default Exceptions - TRUNCATE, REFERENCES Not a SQL Standard Watch for performance improvements in pg10! 21
- 22. RLS When enabled, all traffic goes through policies 22
- 23. RLS Default Policy - all deny 23
- 24. RLS Does not apply to table owner unless forced BYPASSRLS attribute 24
- 25. RLS In case of multiple policies, access is determined if any one or more of the policies allow it (OR) Referential integrity checks - covert channel leaks should be avoided Race conditions - e.g. SELECT … FOR UPDATE Solutions - SELECT … FOR SHARE; Exclusive locks on referenced table 25
- 26. SSL/TLS 26
- 27. SSL/TLS ssl = on # (change requires restart) #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers #ssl_prefer_server_ciphers = on # (change requires restart) #ssl_ecdh_curve = 'prime256v1' # (change requires restart) ssl_cert_file = '/etc/ssl/postgres/starry.io.crt' # (change requires restart) ssl_key_file = '/etc/ssl/postgres/starry.io.key' # (change requires restart) ssl_ca_file = '' # (change requires restart) #ssl_crl_file = '' # (change requires restart) 27
- 28. SSL/TLS Requirement: OpenSSL At build time: --with-openssl Authentication without encryption overhead: NULL-SHA or NULL-MD5 Not recommended: less secure Overhead is minimal compared to authentication overhead Certificate file permissions must be 600 Restart required for certs change 28
- 30. Event Triggers Database wide DDL event capture Useful for: Auditing Unwanted modification of data Accidental data loss Trigger-based replication http://tapoueh.org/images/confs/Fosdem2013_Event_Triggers.pdf 30
- 34. Auditing 34
- 35. Auditing Trigger based diff tracking 35
- 36. Auditing Hstore - delta capture 36
- 37. Auditing Delta function: GIST and GIN index support for most operations BTree and Hash index support useful for equivalence operations 37
- 39. Auditing PgAudit: Shared_preload_libraries Postgres development packages Installation is a bit weird 39
- 40. Encryption and PCI Compliance 40
- 41. Encryption pg_crypto extension - encrypts data Encrypted backups Postgres instance-level Encryption - 3rd party patch! https://www.postgresql.org/message- id/CA%2BCSw_tb3bk5i7if6inZFc3yyf%2B9HEVNTy51QFBoeUk7UE_V%3Dw@mail.gmail.com http://www.cybertec.at/postgresql-instance-level-encryption/ SSL/TLS 41
- 46. Upcoming Features in PG10 46
- 47. Upcoming SSL - reload instead of a restart SCRAM-SHA-256 authentication Restrictive RLS Policies (AND) New monitoring roles: pg_monitor, pg_read_all_settings, pg_read_all_stats, and pg_stat_scan_tables pg_hba_file_rules view 47
- 49. Desired Data Redaction Active Directory support Oracle TDE - key management http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf SHOW GRANTS 49
- 50. Thank you! Questions? 50 Twitter: @pallureshu Email: payal@omniti.com