n Wed, Jan 13, 2016 at 4:04 PM, Kevin Grittner wrote:
> On Wed, Jan 13, 2016 at 3:54 PM, oleg yusim wrote:
>
> > Answer "postgres" would suffice.
>
> But the user would not always be "postgres". To be accurate, it is
> the user which owns the files for
, Jan 13, 2016 at 2:37 PM, oleg yusim wrote:
>
>> OK, Kevin, David,
>>
>> Thanks you very much for explanation. Now who is the owner of this
>> process? My understanding is, data then located physically in RAM, in the
>> memory stack assigned by OS to this
, David G. Johnston <
david.g.johns...@gmail.com> wrote:
> On Wed, Jan 13, 2016 at 2:19 PM, Kevin Grittner wrote:
>
>> On Wed, Jan 13, 2016 at 2:57 PM, oleg yusim wrote:
>>
>> > Say, I got network package. The package was decrypted by OpenSSL. Where
>> this
&g
, Jan 12, 2016 at 10:00 PM, oleg yusim wrote:
>
> > Important: let's assume data at rest is encrypted using EFS and data at
> > transit is encrypted using ciphers, provided by OpenSSL.
> >
> > So, with that in mind, please, help me to understand movement and
> locat
Appologies, for posting it again, but I didn't get any responses so far.
Looks like I posted it too late in the evening and it went not noticed.
Oleg
-- Forwarded message --
From: oleg yusim
Date: Tue, Jan 12, 2016 at 10:00 PM
Subject: Data Packaging/Data Unpacki
Greetings,
I have matching couple of security requirements, speaking about preserving
data confidentiality and integrity in PostgreSQL DB during packaging for
transmission / unpacking from transmission.
Important: let's assume data at rest is encrypted using EFS and data at
transit is encrypted u
Hi Adrian,
Thank you very much for that link. It confirms what JD and John said, plus
explains couple other moments to me.
Thanks,
Oleg
On Tue, Jan 5, 2016 at 7:04 PM, Adrian Klaver
wrote:
> On 01/05/2016 04:12 PM, oleg yusim wrote:
> > Hi Adrian,
> >
> > I meant a s
Hi Joe,
Exactly how I marked it :)
Thanks,
Oleg
On Tue, Jan 5, 2016 at 6:50 PM, Joe Conway wrote:
> On 01/05/2016 04:32 PM, John R Pierce wrote:
> > On 1/5/2016 4:12 PM, oleg yusim wrote:
> >> I meant a scenario, when user is trying to connect to database
> >> (do
John,
Thanks, what you are saying makes sense. I agree, it would cause all user
to go through authentication/authorization loop all over and terminate all
running transactions too.
Thanks,
Oleg
On Tue, Jan 5, 2016 at 6:32 PM, John R Pierce wrote:
> On 1/5/2016 4:12 PM, oleg yusim wr
e can
potentially encounter the situation when database fails into state where
user is given greater privileges than he/she should or even authenticated,
when he/she shouldn't.
Thanks,
Oleg
On Tue, Jan 5, 2016 at 5:34 PM, Adrian Klaver
wrote:
> On 01/05/2016 03:21 PM, oleg yusim wrote:
&
Thanks JD.
Let me confirm I got you right. So, by exception you mean the
authentication/authorization/validation functions would return false in
case of DB failure?
Thanks,
Oleg
On Tue, Jan 5, 2016 at 5:33 PM, Joshua D. Drake
wrote:
> On 01/05/2016 03:21 PM, oleg yusim wrote:
>
>&g
sing. If security controls can throw exceptions, they must be very
clear about exactly what that condition means. "
Right?
Thanks,
Oleg
On Tue, Jan 5, 2016 at 5:14 PM, Joshua D. Drake
wrote:
> On 01/05/2016 03:09 PM, oleg yusim wrote:
>
>
>>
>> The question here, what is Po
Greetings,
One more security requirement I'm battling with:
The DBMS must fail to a secure state if system initialization fails,
shutdown fails, or aborts fail.
Failure to a known state can address safety or security in accordance with
the mission/business needs of the organization.
Failure t
Thank you very much George, that is exactly the piece of information I was
missing.
Oleg
On Wed, Dec 23, 2015 at 10:55 AM, George Neuner
wrote:
> Hi Oleg,
>
> On Wed, 23 Dec 2015 07:07:31 -0600, oleg yusim
> wrote:
>
> >May we run into situation, when attacker dumps memor
postgres server processes have access to
this shared memory segment"
It helped me to understand terminology used by other reponders better.
Thanks,
Oleg
On Wed, Dec 23, 2015 at 10:48 AM, John R Pierce wrote:
> On 12/23/2015 8:16 AM, oleg yusim wrote:
>
>>
>> To my kn
ch
get's used by database processes, but doesn't belong to database permanent
storage?
Can you give me more details here, so I would understand the actual mapping
and scale of the issue?
Thanks,
Oleg
On Wed, Dec 23, 2015 at 9:55 AM, Jim Nasby wrote:
> On 12/23/15 7:55 AM, oleg
uring
the session into memory, reserved by session process? I'm trying to
determine, basically, does it even worth a talk - maybe there is nothing at
all valuable.
Thanks,
Oleg
On Wed, Dec 23, 2015 at 7:41 AM, David Wilson wrote:
> On Wed, Dec 23, 2015 at 07:07:31AM -0600, oleg yusim wro
HI George,
Thanks, this information clears the situation. Now, question to you and
David.
May we run into situation, when attacker dumps memory and analyses it for
valuable content, instead of reserving it for own process, where it would
be zeroed? My understanding, it is a possibility. Does kern
but I would
like to find out if this gates are opened too or not.
Thanks,
Oleg
On Tue, Dec 22, 2015 at 8:48 PM, Jim Nasby wrote:
> On 12/22/15 6:03 PM, oleg yusim wrote:
>
>> Absolutely. But we are not talking about that type of data leakage here.
>> We are talking about potent
emory (memory
would be a common resource here).
Thanks,
Oleg
On Tue, Dec 22, 2015 at 5:28 PM, John R Pierce wrote:
> On 12/22/2015 2:52 PM, oleg yusim wrote:
>
>
> *The DBMS must prevent unauthorized and unintended information transfer
> via shared system resources.*
>
>
&g
Greetings,
I'm looking at the following security control right now:
*The DBMS must prevent unauthorized and unintended information transfer via
shared system resources.*
The purpose of this control is to prevent information, including encrypted
representations of information, produced by the act
Thanks Michael, you are right, that is a very good alternative solution.
Oleg
On Tue, Dec 22, 2015 at 6:27 AM, Michael Paquier
wrote:
> On Tue, Dec 22, 2015 at 1:42 AM, Stephen Frost wrote:
> > Oleg,
> >
> > * oleg yusim (olegyu...@gmail.com) wrote:
> >
R
> current_query = '' to kill stagnant connections.
>
> On Mon, Dec 21, 2015 at 11:42 AM, Stephen Frost
> wrote:
>
>> Oleg,
>>
>> * oleg yusim (olegyu...@gmail.com) wrote:
>> > tcp_keepalives_idle = 900
>> > tcp_keepalives_interval=
believe the
> tcp_keepalives_count
> should be 1, otherwise it will take 45 minutes minutes to timeout. Then
> again, I could be wrong.
>
> On Sun, Dec 20, 2015 at 12:28 PM, Tom Lane wrote:
>
>> oleg yusim writes:
>> > Got it, thanks... Now, is it any protection in place c
On Sun, Dec 20, 2015 at 1:38 PM, Andrew Sullivan
wrote:
> On Sun, Dec 20, 2015 at 11:25:45AM -0600, oleg yusim wrote:
> > Thanks you very much Melvin, once again, very useful. So, let me see if I
> > got it right, following configuration should cause my database connection
> &g
So Pavel, are are saying there is no such thing as Session ID in PostgreSQL
DB at all? Everything is tight to the process, session is accociated with,
so in essence pid is session id?
Oleg
On Sun, Dec 20, 2015 at 11:40 AM, Pavel Stehule
wrote:
>
>
> 2015-12-20 18:37 GMT+01:00 o
ake 45 minutes minutes to timeout. Then
> again, I could be wrong.
>
> On Sun, Dec 20, 2015 at 12:28 PM, Tom Lane wrote:
>
>> oleg yusim writes:
>> > Got it, thanks... Now, is it any protection in place currently against
>> > replacing Session ID (my understandi
case, here we would be dealing with Session IDs belonging to DB itself, not
OpenSSL.
Please, correct me if I'm wrong.
Thanks,
Oleg
On Sun, Dec 20, 2015 at 11:28 AM, Tom Lane wrote:
> oleg yusim writes:
> > Got it, thanks... Now, is it any protection in place currently against
w all available parameters in the postgresql.conf, as
> it will probably answer some additional questions for you.
>
> On Sun, Dec 20, 2015 at 12:02 PM, Pavel Stehule
> wrote:
>
>>
>>
>> 2015-12-20 17:52 GMT+01:00 oleg yusim :
>>
>>> Hi Pavel,
>>
)?
Oleg
On Sun, Dec 20, 2015 at 11:02 AM, Pavel Stehule
wrote:
>
>
> 2015-12-20 17:52 GMT+01:00 oleg yusim :
>
>> Hi Pavel,
>>
>> Thanks, for your response, it helps. Now, from my observations
>> (PostgreSQL 9.4.5, installed on Linux box), if I enter psql prompt
se not that in the future, it is always helpful to provide the exact
> version of PostgreSQL and the O/S you are working with.
>
> On Sun, Dec 20, 2015 at 11:08 AM, Pavel Stehule
> wrote:
>
>> Hi
>>
>> 2015-12-20 16:16 GMT+01:00 oleg yusim :
>>
>>>
imeout (or rather
doesn't have one), or I just happened to miss configuration option?
Thanks,
Oleg
On Sun, Dec 20, 2015 at 10:08 AM, Pavel Stehule
wrote:
> Hi
>
> 2015-12-20 16:16 GMT+01:00 oleg yusim :
>
>> Greetings!
>>
>> I'm new to PostgreSQL, working
Greetings!
I'm new to PostgreSQL, working on it from the point of view of Cyber
Security assessment. In regards to the here is my questions:
>From the security standpoint we have to assure that database invalidates
session identifiers upon user logout or other session termination (timeout
counts
mentioned),
PostgreSQL integrates nicely with?
Oleg
On Thu, Dec 10, 2015 at 4:45 PM, Adrian Klaver
wrote:
> On 12/10/2015 02:13 PM, oleg yusim wrote:
>
>> Adrian,
>>
>> You seemed to be familiar with the STIG world, so how about V-ID from
>>
>
> No, I am just f
Thanks Tom, I get what you are saying and that seems to be final at this
stage. I will write pg_audit down, though.
Oleg
On Thu, Dec 10, 2015 at 4:41 PM, Tom Lane wrote:
> oleg yusim writes:
> > What I hope to achieve is to meet this requirement from Database SRG:
> &g
John,
I can answer that - Oracle and MS SQL do, or at least there were able to
convince DISA that they do (STIGs for them are present here:
http://iase.disa.mil/stigs/Pages/a-z.aspx). That actually benefits those
products greatly - from the point of view of security they, once hardened,
meet Feder
rship information.
Internal checks, which are going on all the time do not count.
Thanks,
Oleg
On Thu, Dec 10, 2015 at 4:03 PM, Adrian Klaver
wrote:
> On 12/10/2015 01:36 PM, oleg yusim wrote:
>
>> Adrian,
>>
>> What I hope to achieve is to meet this requirement from Database
same time, I do not want to get 20 GB of logs on the daily basis, by
setting log_statement = 'all'. So, I'm trying to find a way in between.
Thanks,
Oleg
On Thu, Dec 10, 2015 at 3:29 PM, Adrian Klaver
wrote:
> On 12/10/2015 12:56 PM, oleg yusim wrote:
>
>> So w
M, David G. Johnston <
david.g.johns...@gmail.com> wrote:
> On Thu, Dec 10, 2015 at 1:46 PM, oleg yusim wrote:
>
>> Hi David,
>>
>> Can you, please, give me example?
>>
>>
> Not readily...maybe others can. Putting forth specific examples of what
> you want to accomplish may help.
>
> David J.
>
>
Hi David,
Can you, please, give me example?
Thanks,
Oleg
On Thu, Dec 10, 2015 at 2:25 PM, David G. Johnston <
david.g.johns...@gmail.com> wrote:
> On Thu, Dec 10, 2015 at 1:20 PM, oleg yusim wrote:
>
>> Also... how do we control who can run meta commands?
>>
>
&
ead writes:
>
> > On Thu, Dec 10, 2015 at 2:50 PM, oleg yusim wrote:
> >
> > Thanks John, I realized that and confirmed in my logs. What I'm
> trying to determine now, can I only log some SELECT statements, or I should
> log all of them or none
> > o
Thanks John, I realized that and confirmed in my logs. What I'm trying to
determine now, can I only log some SELECT statements, or I should log all
of them or none of them.
Oleg
On Thu, Dec 10, 2015 at 1:40 PM, John R Pierce wrote:
> On 12/10/2015 9:58 AM, oleg yusim wrote:
>
&g
Dec 10, 2015 at 12:14 PM, Andreas Kretschmer <
akretsch...@spamfence.net> wrote:
> oleg yusim wrote:
>
> > Greetings!
> >
> > I'm new to PostgreSQL, working on it from the point of view of Cyber
> Security
> > assessment. In regards to the here is
Greetings!
I'm new to PostgreSQL, working on it from the point of view of Cyber
Security assessment. In regards to the here is my question:
Is it a way to enable logging for psql prompt meta-commands, such as \du,
\dp, \z, etc?
Thanks,
Oleg
44 matches
Mail list logo
