Postgres 10 and older versions security features

1. Securing Data in Postgres
Payal Singh
@pallureshu
OmniTI Computer Consulting
https://omniti.com 1

2. Agenda
Host Based Authentication
Access Control Lists
Row-Level Security
SSL/TLS
Auditing
Encryption
PCI Compliance
Upcoming Features in pg10
Desired Features
2

3. Host Based Authentication
3

4. HBA
Host Based Authentication
4

5. HBA
Reloading authentication changes - pg_reload_conf()
5

6. HBA
Monitoring authentication - tail_n_mail
[1] (from line 262,856)
2017-05-30 17:35:39 EDT [[local]] [13667]: [2-1] user=marion,db=postgres,
e=28P01 FATAL: password authentication failed for user "marion" e=28P01
DETAIL: Connection matched pg_hba.conf line 18: "local all all md5"
6

7. HBA
Password file - .pgpass in $HOME
postgres@thinkpad ~ $ whoami
postgres
postgres@thinkpad ~ $ pwd
/home/postgres
postgres@thinkpad~ $ ls -l .pgpass
-rw------- 1 postgres postgres 29 Jul 9 11:23 .pgpass
postgres@thinkpad ~ $ cat .pgpass
*:*:*:postgres:HuyYheDAfqVq7
7

8. Access Control Lists
8

9. ACL
Access Control List
“list of permissions attached to an object. An ACL specifies which users or system processes are granted access to
objects, as well as what operations are allowed on given objects.”
GRANT - define access privileges
REVOKE - revoke access privileges
https://www.postgresql.org/docs/current/static/sql-grant.html
9

10. ACL
10

11. ACL
ACL commands are transactional in Postgres:
11

12. ACL
Not so much in MySQL:
12

13. ACL
Passwords In MySQL:
Passwords In Postgres:
13

14. ACL
SHOW GRANTS in MySQL
14

15. ACL
Roles and role membership
A role has privileges of all roles it is a member of
15

16. ACL
SET DEFAULT PRIVILEGES
ALTER DEFAULT PRIVILEGES IN SCHEMA <schema_name> GRANT <privilege> ON TABLES TO <role>;
Only applies to objects created in future
16

17. ACL
USAGE:
Roles must have usage on schema to access tables, functions
Usage on public schema granted by default to public role
Usage granted by default on all roles in MySQL
17

18. ACL - USAGE Example
18

19. Column Level ACLs
Grant privileges only on specific column(s)
NOTE: UPDATE privilege in practice requires SELECT as well
19

20. Row-Level Security
20

21. RLS
User-based or command-based row level access restrictions
Disabled by default
Exceptions - TRUNCATE, REFERENCES
Not a SQL Standard
Watch for performance improvements in pg10!
21

22. RLS
When enabled, all traffic goes through policies
22

23. RLS
Default Policy - all deny
23

24. RLS
Does not apply to table owner unless forced
BYPASSRLS attribute
24

25. RLS
In case of multiple policies, access is determined if any one or more of the policies
allow it (OR)
Referential integrity checks - covert channel leaks should be avoided
Race conditions - e.g. SELECT … FOR UPDATE
Solutions - SELECT … FOR SHARE; Exclusive locks on referenced
table
25

26. SSL/TLS
26

27. SSL/TLS
ssl = on # (change requires restart)
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on # (change requires restart)
#ssl_ecdh_curve = 'prime256v1' # (change requires restart)
ssl_cert_file = '/etc/ssl/postgres/starry.io.crt' # (change requires restart)
ssl_key_file = '/etc/ssl/postgres/starry.io.key' # (change requires restart)
ssl_ca_file = '' # (change requires restart)
#ssl_crl_file = '' # (change requires restart)
27

28. SSL/TLS
Requirement: OpenSSL
At build time: --with-openssl
Authentication without encryption overhead: NULL-SHA or NULL-MD5
Not recommended: less secure
Overhead is minimal compared to authentication overhead
Certificate file permissions must be 600
Restart required for certs change
28

29. Event Triggers
29

30. Event Triggers
Database wide DDL event capture
Useful for:
Auditing
Unwanted modification of data
Accidental data loss
Trigger-based replication
http://tapoueh.org/images/confs/Fosdem2013_Event_Triggers.pdf
30

31. Event Triggers
31

32. Event Triggers
32

33. Event Triggers
Events:
ddl_command_start
ddl_command_end
sql_drop
table_rewrite in pg10!
33

34. Auditing
34

35. Auditing
Trigger based diff tracking
35

36. Auditing
Hstore - delta capture
36

37. Auditing
Delta function:
GIST and GIN index support for most operations
BTree and Hash index support useful for equivalence operations
37

38. Auditing
pgAudit extension
38

39. Auditing
PgAudit:
Shared_preload_libraries
Postgres development packages
Installation is a bit weird
39

40. Encryption and PCI Compliance
40

41. Encryption
pg_crypto extension - encrypts data
Encrypted backups
Postgres instance-level Encryption - 3rd party patch!
https://www.postgresql.org/message-
id/CA%2BCSw_tb3bk5i7if6inZFc3yyf%2B9HEVNTy51QFBoeUk7UE_V%3Dw@mail.gmail.com
http://www.cybertec.at/postgresql-instance-level-encryption/
SSL/TLS
41

42. PCI Compliance
pg_stat_statements extension
42

43. PCI Compliance
Monitors
43

44. PCI Compliance
Monitored queries:
44

45. PCI Compliance
pg_crypto
Key management
45

46. Upcoming Features in PG10
46

47. Upcoming
SSL - reload instead of a restart
SCRAM-SHA-256 authentication
Restrictive RLS Policies (AND)
New monitoring roles:
pg_monitor, pg_read_all_settings, pg_read_all_stats, and pg_stat_scan_tables
pg_hba_file_rules view
47

48. Desired Features
48

49. Desired
Data Redaction
Active Directory support
Oracle TDE - key management
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf
SHOW GRANTS
49

50. Thank you!
Questions?
50
Twitter: @pallureshu
Email: payal@omniti.com