Re: Adding support for SE-Linux security

From: "David P(dot) Quigley" <dpquigl(at)tycho(dot)nsa(dot)gov>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Chad Sellers <csellers(at)tresys(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, jd <jd(at)commandprompt(dot)com>, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Adding support for SE-Linux security
Date: 2009-12-11 15:24:52
Message-ID: 1260545092.15974.32.camel@moss-terrapins.epoch.ncsc.mil
Lists: pgsql-hackers

On Fri, 2009-12-11 at 08:56 -0500, Stephen Frost wrote:
[snip...]

> I do assume we're going to do row level security, but I do not feel that
> we need to particularly put one in front of the other. I also feel that
> SEPG will be valuable even without row-level security. One of the
> realms that we discussed at BWPUG for this is PCI compliance. I'm
> hopeful Josh will have an opportunity to review the PCI compliance
> "cheat-sheet" that I recall Robert Treat offering and comes to agreement
> that SEPG w/o row-level security would greatly improve our ability to
> have a PCI compliant system backed with PG.
>

So I downloaded and read through the PCI DSS document (74 pages is
pretty light compared to NFSv4.1 hehe...) and there are several areas
there where I think strong access controls in the database will not only
fulfill the requirement but provide much stronger guarantees than can be
provided from the application server alone.

The requirements in section 7 can definitely benefit from SEPG. If you
implement these requirements in the application server and in PG access
controls alone, there is still an attack vector where a malicious user
manages to steal the credentials for a particular role. With PG-ACE you
can write a security module (although SEPG already allows for this) to
restrict access to the data using the existing role-based access
controls in PG and then apply additional restrictions such as: only this
program may act as this role or access this database. This provides
better guarantees than exist in current PCI compliant implementations
using PG today.

Dave
