Thread: Baseline configurations

Baseline configurations

From
Mike Orr
Date:
Does PostgreSQL have any baseline security configuration documents?
(Aka "hardened" configuration "benchmark" checklist.) My organization
is asking for official or vendor-supported baseline configurations for
all our software. I looked through the PG manual, the security page on
the website, and in Google and found some discussions about
customizing role permissions and SSL connections, but nothing that
covered the entirety of the software like this one for MySQL:

http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.mysql.102
(Center for Internet Security). I can't link directly to the document
because it's behind a download form,  but the TOC outline covers: OS
level configuration, file system permissions, logging, general
(default test databases, accounts), database/table permissions,
configuration options, backup/recovery. Each recommendation specifies
whether it's scoreable (verifiable by an audit program), and its
tradeoffs (i.e., whether it might be too burdensome or a bad idea in
various situations).

If I can't find such a checklist for PostgreSQL I can write my own,
but it would be more authoritative if it were an official PostgreSQL
document or supported by a vendor or organization.

Thanks in advance. I've been a happy PostgreSQL user for two or three years now.

--
Mike Orr <sluggoster@gmail.com>


Re: Baseline configurations

From
Bruce Momjian
Date:
On Thu, Aug 30, 2012 at 12:18:11PM -0700, Mike Orr wrote:
> Does PostgreSQL have any baseline security configuration documents?
> (Aka "hardened" configuration "benchmark" checklist.) My organization
> is asking for official or vendor-supported baseline configurations for
> all our software. I looked through the PG manual, the security page on
> the website, and in Google and found some discussions about
> customizing role permissions and SSL connections, but nothing that
> covered the entirety of the software like this one for MySQL:
>
> http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.mysql.102
> (Center for Internet Security). I can't link directly to the document
> because it's behind a download form,  but the TOC outline covers: OS
> level configuration, file system permissions, logging, general
> (default test databases, accounts), database/table permissions,
> configuration options, backup/recovery. Each recommendation specifies
> whether it's scoreable (verifiable by an audit program), and its
> tradeoffs (i.e., whether it might be too burdensome or a bad idea in
> various situations).
>
> If I can't find such a checklist for PostgreSQL I can write my own,
> but it would be more authoritative if it were an official PostgreSQL
> document or supported by a vendor or organization.
>
> Thanks in advance. I've been a happy PostgreSQL user for two or three years now.

I have never seen such a document.  If you want to write it, perhaps on
our wiki, we can then reference it for other users.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +


Re: Baseline configurations

From
salah jubeh
Date:
Hello,

I think database security is quite a complex issue that depends on the institution's requirements. I have worked with elections and voting, and we had extreme policies for security, not only for authorization, authentication, and password policies. We were obligated to use database auditing to record each change (insert, update) on the data, and the delete SQL command was disabled for all tables. Other institutions have fewer security requirements. A baseline for security fluctuates too much based on needs. In general, I find the following document a very good guide to give a baseline for securing the data, because it handles the issue also from a management point of view:

http://www.databasesecurity.com/dbsec/database-stig-v7r1.pdf

Regards


From: Mike Orr <sluggoster@gmail.com>
To: pgsql-general@postgresql.org
Sent: Thursday, August 30, 2012 9:18 PM
Subject: [GENERAL] Baseline configurations

Does PostgreSQL have any baseline security configuration documents?
(Aka "hardened" configuration "benchmark" checklist.) My organization
is asking for official or vendor-supported baseline configurations for
all our software. I looked through the PG manual, the security page on
the website, and in Google and found some discussions about
customizing role permissions and SSL connections, but nothing that
covered the entirety of the software like this one for MySQL:

http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.mysql.102
(Center for Internet Security). I can't link directly to the document
because it's behind a download form,  but the TOC outline covers: OS
level configuration, file system permissions, logging, general
(default test databases, accounts), database/table permissions,
configuration options, backup/recovery. Each recommendation specifies
whether it's scoreable (verifiable by an audit program), and its
tradeoffs (i.e., whether it might be too burdensome or a bad idea in
various situations).

If I can't find such a checklist for PostgreSQL I can write my own,
but it would be more authoritative if it were an official PostgreSQL
document or supported by a vendor or organization.

Thanks in advance. I've been a happy PostgreSQL user for two or three years now.

--
Mike Orr <sluggoster@gmail.com>




Re: Baseline configurations

From
Mike Orr
Date:
Yes, a general document shouldn't be applied blindly to a specific
site. It can't address the highest security or lowest security
situation, but instead aim for a general middle applicable to the
majority of situations. The local admin has to review each
recommendation and decide whether it's (A) applicable, (B) worth the
effort, (C) should be implemented differently, or (D) superseded by
somebody else's better recommendation. So we have two documents, the
external well-known baseline, and a local document listing how we
apply each recommendation or why we ignore it or what additional
requirements we have. But the baseline document is still useful as an
authoritative reference.

I'll look through your general database document and see if it has
anything relevant.

On Thu, Aug 30, 2012 at 1:33 PM, salah jubeh <s_jubeh@yahoo.com> wrote:
> Hello,
>
> I think database security is quite a complex issue that depends on the
> institution's requirements. I have worked with elections and voting, and we
> had extreme policies for security, not only for authorization,
> authentication, and password policies. We were obligated to use database
> auditing to record each change (insert, update) on the data, and the delete
> SQL command was disabled for all tables. Other institutions have fewer
> security requirements. A baseline for security fluctuates too much based on
> needs. In general, I find the following document a very good guide to give a
> baseline for securing the data, because it handles the issue also from a
> management point of view:
>
> http://www.databasesecurity.com/dbsec/database-stig-v7r1.pdf
>
>
> Regards
>
> ________________________________
> From: Mike Orr <sluggoster@gmail.com>
> To: pgsql-general@postgresql.org
> Sent: Thursday, August 30, 2012 9:18 PM
> Subject: [GENERAL] Baseline configurations
>
> Does PostgreSQL have any baseline security configuration documents?
> (Aka "hardened" configuration "benchmark" checklist.) My organization
> is asking for official or vendor-supported baseline configurations for
> all our software. I looked through the PG manual, the security page on
> the website, and in Google and found some discussions about
> customizing role permissions and SSL connections, but nothing that
> covered the entirety of the software like this one for MySQL:
>
> http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.mysql.102
> (Center for Internet Security). I can't link directly to the document
> because it's behind a download form,  but the TOC outline covers: OS
> level configuration, file system permissions, logging, general
> (default test databases, accounts), database/table permissions,
> configuration options, backup/recovery. Each recommendation specifies
> whether it's scoreable (verifiable by an audit program), and its
> tradeoffs (i.e., whether it might be too burdensome or a bad idea in
> various situations).
>
> If I can't find such a checklist for PostgreSQL I can write my own,
> but it would be more authoritative if it were an official PostgreSQL
> document or supported by a vendor or organization.
>
> Thanks in advance. I've been a happy PostgreSQL user for two or three years
> now.
>
> --
> Mike Orr <sluggoster@gmail.com>



--
Mike Orr <sluggoster@gmail.com>
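
The two-document model described in the last message (an external baseline with scoreable recommendations, plus a local document recording how each one is applied or why it is not) can be sketched as a small audit script. This is an added example, not code from the thread, from PostgreSQL, or from CIS; the recommendation ids, required values and local waiver are constructed assumptions, while the parameter names are real postgresql.conf settings.

```python
import re

# Constructed baseline for illustration. Parameter names are real
# postgresql.conf settings; the required values are assumptions.
BASELINE = [
    # (id, parameter or description, check on the value, scoreable)
    ("B1", "ssl", lambda v: v == "on", True),
    ("B2", "log_connections", lambda v: v == "on", True),
    ("B3", "listen_addresses", lambda v: "*" not in v, True),
    ("B4", "backup/recovery procedure reviewed", None, False),
]
# Server defaults that apply when a parameter is absent from the file.
DEFAULTS = {"ssl": "off", "log_connections": "off", "listen_addresses": "localhost"}
BOOLEANS = {"ssl", "log_connections"}
# Constructed local document: id -> why the site does not apply it as written.
LOCAL = {"B2": "implemented differently: connections are logged at the pooler"}

# name, then "=" or whitespace, then a quoted or bare value; "#" starts a comment.
LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)(?:\s*=\s*|\s+)('(?:[^']|'')*'|[^\s#]+)")
TRUTHY = {"on", "true", "yes", "1"}

def parse_conf(text):
    """Parse postgresql.conf text; a later assignment overrides an earlier one."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # blank lines and comment lines do not match
            name, raw = m.group(1).lower(), m.group(2)
            value = raw[1:-1].replace("''", "'") if raw.startswith("'") else raw
            if name in BOOLEANS:  # normalise boolean spellings to on/off
                value = "on" if value.lower() in TRUTHY else "off"
            settings[name] = value
    return settings

def audit(conf_text, baseline=BASELINE, local=LOCAL):
    """Return {id: status}: PASS, FAIL, WAIVED (local reason on file) or MANUAL."""
    settings = parse_conf(conf_text)
    report = {}
    for rec_id, param, check, scoreable in baseline:
        if not scoreable:
            report[rec_id] = "MANUAL"  # needs human review, cannot be scored
        elif check(settings[param]):
            report[rec_id] = "PASS"
        else:
            report[rec_id] = "WAIVED" if rec_id in local else "FAIL"
    return report

# Constructed sample configuration.
SAMPLE = "# network\nlisten_addresses = '*'   # all interfaces\nssl = true\n#log_connections = on\n"
```

Calling `audit(SAMPLE)` scores the sample file against the baseline and separates a failure with a documented local reason (WAIVED) from an unexplained one (FAIL).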