PostgreSQL: Welcome To Total Security

1. Welcome to Total Security

2. 04/25/15 [email protected] 2 Welcome to Total Security

    The Ideal PostgreSQL DBA
    - DBA
    - Systems Administration
    - Programming, ie: C

3. What is Security?

4. About The Demo Environment

    Server ISO of Ubuntu, minimal installation
    http://www.ubuntu.com/download/server

        lsb_release -a
        No LSB modules are available.
        Distributor ID: Ubuntu
        Description:    Ubuntu 14.04.2 LTS
        Release:        14.04
        Codename:       trusty

5. Confirm nothing is running

        netstat -tlnp

6. Debian Install

    Update The Install:
        apt-get update
        apt-get dist-upgrade

    Review Existing Packages:
        dpkg -l
        apt-cache search postgres | grep -E ^postgresql | less -S

    Install PostgreSQL Packages:
        apt-get install postgresql postgresql-contrib

    Review Installation (9.3+):
        pg_lsclusters

7. Source Code Install ($HOME account)

    SRC: http://www.postgresql.org/ftp/source
        apt-get install libreadline6-dev zlib1g-dev libssl-dev
        ./configure --prefix=$HOME/pg93 --with-openssl
        make install-world

    Update PATH environment in $HOME:
        pg_config

    Create a 2nd cluster:
        initdb -D $HOME/data93 -U postgres -A trust
        pg_ctl -D $HOME/data93 -o '-c port=10093 -c unix_socket_directories=/tmp -c logging_collector=on' start

8. Before we continue... What did we just do?

9. Comparison: SRC vs Debian

10. About TCP, DOMAIN socket ports

11. About configuration files:

    - pg_hba.conf
    - postgresql.conf

12. PSQL Sessions
13. About Authentication

    Authentication Methods
    * Trust Authentication (pg_hba.conf)
    * Password Authentication
      GSSAPI Authentication (Kerberos)
      SSPI Authentication (ms-windows)
      Kerberos Authentication (Deprecated)
      Ident Authentication (Deprecated: pg_ident.conf)
    * Peer Authentication
      LDAP Authentication
      RADIUS Authentication
    * Certificate Authentication (SSL)
      PAM Authentication

14. About Host Based Authentication: pg_hba.conf

15. About ROLES

    One Approach Among Many

16. About ROLES

    DEFINING THE TYPES OF ROLES
    - superuser (postgres)
    - database owner
    - relations owner
    - role_rw (nologin)
    - user account roles (with login)
        - application, client, processes
        - sys administrators

17. About ROLES

    CREATING THE GENERIC ROLES

        create role db_owner with nologin;
        create role db with nologin;
        create role db_rw with nologin;

        comment on role db_owner is 'The owner of the database db';
        comment on role db is 'The owner of the relations on database db';
        comment on role db_rw is 'The role executing all DML operations';

18. About ROLES

    CREATE USERS

        create role robertbernier with login inherit
            password '123'
            valid until '31 dec 2017'
            in role db_owner, db, db_rw;

        create role user1 with login inherit
            password '123'
            valid until '31 dec 2017' -- Do we really want this ROLE to expire?
            in role db_rw;

        comment on role robertbernier is 'user account assigned as administrator';
        comment on role user1 is 'user account for the client application(s)';
19. About The Database

        ----------------------------------------------------
        create database db with owner db_owner;
        comment on database db is 'our working demo database';
        ----------------------------------------------------
        \c db
        drop schema public;
        create schema db authorization db;
        comment on schema db is 'this is where all the relations go';
        alter database db set search_path='db';

20. About The Demo Tables

        \set ON_ERROR_STOP on
        set role db;

        create table t1 (
            id serial primary key,
            x float not null default random(),
            t_stamp timestamp not null default now()
        );
        create table t2(like t1 including all);
        create table t3(like t1 including all);

        insert into t1 default values;
        insert into t1 default values;
        insert into t1 default values;
        insert into t2 default values;
        insert into t2 default values;
        insert into t2 default values;
        insert into t3 default values;
        insert into t3 default values;
        insert into t3 default values;

21. About The Demo Tables

        ----------------------------------------------------
    SET PRIVILEGES

        grant usage on schema db to db_rw;
        grant select, insert, update, delete on all tables in schema db to db_rw;
        grant usage on all sequences in schema db to db_rw;

        ----------------------------------------------------
    VALIDATE PERMISSIONS

        set role user1;
        insert into t1 default values;
        insert into t2 default values;
        insert into t3 default values;
        table t1;
        table t2;
        table t3;

    CAVEAT: privileges must be declared for all new relations.

22. About The Demo Tables

    CONNECTION ATTEMPTS

    There's a double layer of authentication going on:
    - SQL PRIVILEGES
    - pg_hba.conf

    CAVEAT: This configuration prevents the superuser from logging in as the other user accounts, but the superuser can still SET ROLE.

23. About CERTIFICATES
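Returning to the CAVEAT on slide 21, an added example that is not part of the original deck: `grant ... on all tables in schema` only touches relations that exist when it runs, so this script records default privileges for whatever role db creates later. It reuses the deck's roles (db, db_rw, user1) and schema db; the tables t4 and t5 are hypothetical, and it assumes a superuser session connected to database db.

```sql
-- Added example. t4 and t5 are hypothetical tables; roles and schema are the deck's.

-- 1. A table created by role db after the one-off grant on slide 21.
--    That grant covered existing relations only, so check what user1 can do.
set role db;
create table db.t4 (like db.t1 including all);
reset role;

select has_table_privilege('user1', 'db.t4', 'insert') as user1_can_insert_t4;

-- 2. Record default privileges. They are keyed on the CREATING role, so
--    "for role db" matters: without it they would apply only to objects
--    created by whoever runs this statement.
alter default privileges for role db in schema db
    grant select, insert, update, delete on tables to db_rw;
alter default privileges for role db in schema db
    grant usage on sequences to db_rw;

-- 3. Relations that db creates from now on receive the grants at creation time.
set role db;
create table db.t5 (like db.t1 including all);
reset role;

select has_table_privilege('user1', 'db.t5', 'insert') as user1_can_insert_t5;

-- 4. Default privileges are not retroactive: t4 still needs an explicit grant.
grant select, insert, update, delete on db.t4 to db_rw;

-- 5. Audit what is recorded, per creating role and schema.
select pg_get_userbyid(d.defaclrole) as creating_role,
       n.nspname                     as schema_name,
       d.defaclobjtype               as object_type,  -- r = table, S = sequence
       d.defaclacl                   as default_acl
from pg_default_acl d
left join pg_namespace n on n.oid = d.defaclnamespace
order by 1, 2, 3;
```

Comparing the two has_table_privilege results shows the effect of step 2; the final query is the one to keep in a periodic review, since a default ACL recorded for the wrong creating role fails silently.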
24. About CERTIFICATES, 1/2

        # CREATE THE CERTIFICATE AUTHORITY (answer the questions)
        /usr/lib/ssl/misc/CA.pl -newca

        # CREATE A PRIVATE KEY, CRT REQUEST FOR POSTGRES CLIENT
        /usr/lib/ssl/misc/CA.pl -newreq

        # SIGN THE CERTIFICATE REQUEST FOR POSTGRES CLIENT
        /usr/lib/ssl/misc/CA.pl -sign

        # RENAME KEY AND CERTIFICATE FOR POSTGRES CLIENT
        mv newreq.pem robertbernier_req.pem
        mv newkey.pem robertbernier_key.pem
        mv newcert.pem robertbernier_crt.pem

        # CREATE A PRIVATE KEY, CRT REQUEST FOR POSTGRES SERVER
        /usr/lib/ssl/misc/CA.pl -newreq

        # SIGN THE CERTIFICATE REQUEST FOR POSTGRES SERVER
        /usr/lib/ssl/misc/CA.pl -sign

25. About CERTIFICATES, 2/2

        # RENAME KEY AND CERTIFICATE FOR POSTGRES SERVER
        mv newreq.pem postgres_req.pem
        mv newkey.pem postgres_key.pem
        mv newcert.pem postgres_crt.pem

        # UNLOCK KEYS / REMOVE PASSPHRASE
        openssl rsa -in robertbernier_key.pem -out robertbernier.key
        openssl rsa -in postgres_key.pem -out postgres.key

        # INSTALL SERVER CERTIFICATE
        # (you can still use snake oil as server certificate but client cannot validate server)
        # EDIT, postgresql.conf: ssl_ca_file = '/etc/postgresql/9.3/main/cacert.pem'
        cp cacert.pem /etc/postgresql/9.3/main/

        # INSTALL CLIENT CERTIFICATES (ROLE: "robertbernier", DIR: ".postgresql")
        cp robertbernier.key ~/.postgresql/postgresql.key
        cp robertbernier_crt.pem ~/.postgresql/postgresql.crt

    NOTE, alternate login: (works with any account via tcpip sockets)
        psql 'host=localhost dbname=db user=robertbernier sslcert=robertbernier_crt.pem sslkey=robertbernier.key'

        # CERTIFICATE PROPERTIES
        openssl x509 -purpose -inform PEM -in ./demoCA/cacert.pem 2>&1 | less
        openssl x509 -purpose -inform PEM -in robertbernier_crt.pem 2>&1 | less
        openssl x509 -purpose -inform PEM -in postgres_crt.pem 2>&1 | less

26. About DATA ENCRYPTION
27. About DATA ENCRYPTION

        select * from pg_available_extensions;
        create extension pgcrypto;
        \df

        -- functions of interest
        pgp_pub_encrypt()
        pgp_pub_decrypt()

28. About DATA ENCRYPTION

    ABOUT
    - PGP (Pretty Good Privacy)
    - GPG (GNU Privacy Guard)

        ----------------------------------------------------
    USING GPG
    UNIX account: robertbernier@LinuxFest

        -------------
        gpg --gen-key
        -------------
        gpg --list-secret-keys
        sec 2048R/91E94413 2015-03-14
        uid Robert Bernier (DBA/Architect)
        ssb 2048R/5E58CCAA 2015-03-14
        -------------
        # REMOVE PASSPHRASE FROM PRIVATE KEY
        # RETURN BLANK WHEN ASKED TO CHANGE PASSWORD
        gpg --edit-key 5E58CCAA

        # getting the keys
        gpg -a --export 5E58CCAA | less
        gpg -a --export-secret-keys 5E58CCAA | less

29. WORKING WITH ENCRYPTED DATA

    SETUP DATABASE

        create table gpg (
            id serial primary key,
            type varchar,
            key text
        );
        create table confidential (
            id serial primary key,
            message varchar,
            message_encrypted varchar
        );

        ------------------------------------------------------
        (
        #!/bin/bash
        set -e
        SECRET="$(gpg --list-secret-keys | grep -E "^sec" | cut -d / -f 2 | cut -d ' ' -f 1)"
        PUBLIC="$(gpg -a --export "$SECRET")"
        PRIVATE="$(gpg -a --export-secret-keys "$SECRET")"
        psql db