Thread: I want to know how to improve the security of postgresql
Hi guys,can you give me some advices about how to improve the security of postgresql?
Now I major in the security of postgresql and the destination is create a database with security level of B1(TCSEC),what should I do now,what program language should I use?
Thanks!
Sting
""xiapw"" <xiapw@lreis.ac.cn> wrote > Hi guys,can you give me some advices about how to improve the security of > postgresql? > Now I major in the security of postgresql and the destination is create a > database with security level of B1(TCSEC),what should I do now,what > program language should I use? > Thanks! > Sting PostgreSQL has a very good fame of security in real-world applications, but frankly it is at most in C2 level according to TCSEC standards (the in-core support of "auditing" is missing). So to support B1, there are some non-trivial work ahead I am afraid :-( I would suggest you have a look at the TCSEC standards and list the *exact* functionalities that we don't provide so far. Regards, Qingqing
> Hi guys,can you give me some advices about how to improve the > security of postgresql? > > Now I major in the security of postgresql and the destination is > create a database with security level of B1(TCSEC),what should I do > now,what program language should I use? Well, since PostgreSQL is implemented in C, the language you obviously need to use is... C. You may want to do more checking as to what you actually want to do. I don't think the NSA is continuing to do TPEP evaluations, which is where the C1-C3, B1-B3, A1 levels of the Rainbow books came in. It would be an unfortunate waste of effort to try to conform to a standard that is no longer considered of commercial importance. Remember that TCSEC was published in 1985, and there haven't been any new evaluations since 2000. Mind you, there may be some principles to be found in looking at the evaluation done of Sybase Adaptive Server 6.0.2 against the "Common Criterion." -- (format nil "~S@~S" "cbbrowne" "acm.org") http://linuxdatabases.info/info/wp.html "Never insult seven men, when all you're packin' is a six gun" --- Zane Gray
Sting, I'm not entirely sure what you mean by improving the security of postgresql but if you want to implement smart, efficient row-level security you could take a look at Veil http://pgfoundry.org/projects/veil/ Check the project home page for documentation. Veil is still an alpha release but I am prepared to work with any potential users to bring it up to a production release. __ Marc On Thu, 2005-12-29 at 06:48 -0400, pgsql-general-owner@postgresql.org wrote: > Date: Thu, 29 Dec 2005 10:09:01 +0800 > From: "xiapw" <xiapw@lreis.ac.cn> > To: <pgsql-general@postgresql.org> > Subject: I want to know how to improve the security of postgresql > Message-ID: <001201c60c1c$d5e414f0$4503a8c0@sting> > > Hi guys,can you give me some advices about how to improve the security > of postgresql? > Now I major in the security of postgresql and the destination is > create a database with security level of B1(TCSEC),what should I do > now,what program language should I use? > Thanks! > Sting > > [Attachment of type text/html removed.] >
Attachment
On Thu, Dec 29, 2005 at 09:22:09AM -0800, Marc Munro wrote: > http://pgfoundry.org/projects/veil/ Marc, is there a higher level written summary available somewhere to be read to understand conceptually how you implemented row level security ? We will (in GNUmed) eventually have to implement row level security. The current thinking is by restricting access to the tables and setting up views that always do "... where user=current_user" to limit the viewable data set. Karsten -- GPG key ID E4071346 @ wwwkeys.pgp.net E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
On Sat, Dec 31, 2005 at 05:18:19PM +0100, Karsten Hilbert wrote: > We will (in GNUmed) eventually have to implement row level > security. The current thinking is by restricting access to > the tables and setting up views that always do "... where > user=current_user" to limit the viewable data set. Which is - roughly speaking - what Veil does anyways :-) I'll link Veil with our TODO item on that part. Karsten -- GPG key ID E4071346 @ wwwkeys.pgp.net E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
Karsten, The project homepage has a reference to the project documentation. It can be found here: http://veil.projects.postgresql.org/curdocs/index.html If this does not contain what you are looking for, please explain what you need to know as I'd like to improve the documentation. I'm guessing that you'd like a conceptual overview. I intended this to be provided in the section Overview: a quick introduction to Veil buit maybe it falls short. If there is a better way to introduce the concepts, I'd like to hear any ideas. Feel free to contact me directly if you have any questions at all. I'd be pleased to help GNUmed. __ Marc On Sat, 2005-12-31 at 16:49 -0400, pgsql-general-owner@postgresql.org wrote: > Date: Sat, 31 Dec 2005 17:18:19 +0100 > From: Karsten Hilbert <Karsten.Hilbert@gmx.net> > To: pgsql-general@postgresql.org > Subject: Re: I want to know how to improve the security of postgresql > Message-ID: <20051231161819.GS5677@merkur.hilbert.loc> > > On Thu, Dec 29, 2005 at 09:22:09AM -0800, Marc Munro wrote: > > > http://pgfoundry.org/projects/veil/ > Marc, is there a higher level written summary available > somewhere to be read to understand conceptually how you > implemented row level security ? > > We will (in GNUmed) eventually have to implement row level > security. The current thinking is by restricting access to > the tables and setting up views that always do "... where > user=current_user" to limit the viewable data set. > > Karsten > -- > GPG key ID E4071346 @ wwwkeys.pgp.net > E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346 >