SE-PostgreSQL
System-wide consistency of access control
NEC OSS Promotion Center
KaiGai Kohei <kaigai@ak.jp.nec.com>
LinuxCon Japan/Tokyo 2010, SE-PostgreSQL - System-wide consistency of access control
Self Introduction
▐ Name: KaiGai Kohei
▐ Company: NEC, OSS Promotion Center
▐ Works: 7 years of experience in OSS development
» SELinux
» PostgreSQL
» Memcached
» Apache (mod_selinux)
▐ SE-PostgreSQL Project
It enables access control on database objects using the centralized
security policy of SELinux.
Launched in 2006; since then I've worked with both the SELinux and
PostgreSQL communities.
Now under development as a plugin for PostgreSQL v9.1.
Agenda
1. The Goal of this project
2. Architecture of SE-PostgreSQL
3. Playing with SE-PostgreSQL (demonstration)
4. Today, and the Future
1. The Goal of this Project
An analogy on Filesystem and Database
▐ Same relationship between user processes, requests, object managers
and information assets.
▐ Differences in the way they are stored and accessed:
System calls for a filesystem
SQL for a database
▐ Also differences in the access control model.
What difference does that make in the result?
[Figure: two parallel stacks. OS (Linux): user process -> system call (request) -> filesystem with filesystem permissions (object manager) -> information asset. RDBMS (PostgreSQL): user process -> SQL (request) -> database with database ACLs (object manager) -> information asset.]
The Goal of this project (1/2)
[Figure: two human users log in to bash. One runs in the domain of classified processes (psql, vi) and works with classified information; the other runs in the domain of unclassified processes (psql, vi) and works with unclassified information. Both reach the data through inter-process communication channels: filesystem, networks, PostgreSQL, X-window. Callout: both of them try to reference classified information, but the access controls of each channel are independent.]
Lack of conductor
The Goal of this project (2/2)
[Figure: the same two users and domains as on the previous slide, but now the SELinux security policy acts as a centralized security server, and every channel (filesystem, networks, PostgreSQL, X-window) consults it for its access control decision, at login and on each access.]
OT: LAMP/SELinux
[Figure: Apache/httpd with mod_selinux.so runs web applications in the domain of classified processes and in the domain of unclassified processes. Filesystem, networks, PostgreSQL and Memcached all apply access control through the same SELinux security policy, so classified information stays separated from unclassified information across the whole stack.]
SELinux as a Security Server (1/3)
▐ Interactions with object managers
Kernel subsystems query it via LSM (Linux Security Modules).
Userspace applications query it via libselinux.
Both enforce the user's request according to the returned decision.
▐ Security context as a common identifier
system_u:system_r:postgresql_t:s0
system_u:object_r:sepgsql_table_t:s0
A short formatted string, independent of the object class.
▐ Security policy
A massive set of access control rules.
A rule describes the set of actions allowed for a pair of
the security context of the subject (the accessing process) and
the security context of the object being accessed.
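The following is an added example, not code from the slides or from SELinux/libselinux: a small Python model of the decision procedure described above. It parses security contexts into their user:role:type:level fields and evaluates a constructed type-enforcement policy for both a file and a db_table object, so the same subject context and the same lookup serve both object managers while the access vector differs per class. The contexts, rules and per-class permission sets are made-up assumptions.

```python
"""Toy model of SELinux as a security server: security contexts are a
common identifier and a policy rule grants a set of actions on
(subject type, object type, object class). Constructed example; the
contexts and rules below are made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityContext:
    """user:role:type:level, e.g. system_u:object_r:sepgsql_table_t:s0."""
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text: str) -> "SecurityContext":
        # An MLS level may itself contain ':' (s0-s0:c0.c1023), so split
        # on the first three separators only.
        parts = text.split(":", 3)
        if len(parts) != 4 or not all(parts):
            raise ValueError(f"malformed security context: {text!r}")
        return cls(*parts)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.level}"


# Each object class defines its own access vector; the context format
# shared by files and tables does not depend on the class.
ACCESS_VECTORS = {
    "file": {"getattr", "read", "write", "execute"},
    "db_table": {"select", "update", "insert", "delete",
                 "setattr", "relabelfrom", "relabelto"},
}

# Constructed type-enforcement rules, modelled on the slide's examples:
# (subject type, object type, class) -> permissions allowed.
POLICY = {
    ("user_t", "user_home_t", "file"): {"getattr", "read", "write"},
    ("user_t", "etc_t", "file"): {"getattr", "read"},
    ("user_t", "user_table_t", "db_table"): {"select", "update"},
    ("user_t", "sepgsql_ro_table_t", "db_table"): {"select"},
    ("staff_t", "etc_t", "file"): {"getattr", "read", "write"},
    ("staff_t", "sepgsql_ro_table_t", "db_table"): {"select", "update"},
}


def compute_av(scontext: str, tcontext: str, tclass: str) -> set:
    """Permissions the policy allows for this (subject, object, class).

    Anything not explicitly allowed is denied: an unknown pair yields
    the empty set rather than an error, as a real security server would.
    """
    if tclass not in ACCESS_VECTORS:
        raise ValueError(f"unknown object class: {tclass}")
    subj = SecurityContext.parse(scontext)
    obj = SecurityContext.parse(tcontext)
    return set(POLICY.get((subj.type, obj.type, tclass), set()))


def has_perms(scontext: str, tcontext: str, tclass: str, required) -> bool:
    """True only if every required permission is granted."""
    required = set(required)
    allowed = compute_av(scontext, tcontext, tclass)
    unknown = required - ACCESS_VECTORS[tclass]
    if unknown:
        raise ValueError(f"{sorted(unknown)} not defined for class {tclass}")
    return required <= allowed


if __name__ == "__main__":
    subj = "user_u:user_r:user_t:s0"
    # Same subject, same decision procedure, two different object managers.
    print("file read/write:", has_perms(subj, "user_u:object_r:user_home_t:s0",
                                        "file", {"read", "write"}))
    print("table select/update:", has_perms(subj, "user_u:object_r:user_table_t:s0",
                                            "db_table", {"select", "update"}))
    print("ro table update:", has_perms(subj, "system_u:object_r:sepgsql_ro_table_t:s0",
                                        "db_table", {"update"}))
```

The lookup is keyed on the type field only, which is what type enforcement does; the user, role and MLS level are carried along unchanged so that the same string identifies a process whether the object manager is the kernel's VFS or PostgreSQL's executor.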
SELinux as a Security Server (2/3)
▐ Case of Linux Kernel
[Figure: user process A (staff_u:staff_r:staff_t:s0) and user process B (user_u:user_r:user_t:s0) issue read(2) and write(2) on file X (system_u:object_r:etc_t:s0) and file Y (user_u:object_r:user_home_t:s0). The VFS passes each request through LSM to SELinux, which looks up the security policy. Query: subject user_u:user_r:user_t:s0, object user_u:object_r:user_home_t:s0, target class file. Decision: file:{getattr read write ...}.]
SELinux as a Security Server (3/3)
▐ Case of PostgreSQL
[Figure: the same user processes A and B issue SELECT and UPDATE on table X (system_u:object_r:sepgsql_ro_table_t:s0) and table Y (user_u:object_r:user_table_t:s0). PostgreSQL's query executor passes each request to SE-PgSQL, which queries SELinux via libselinux. Query: subject user_u:user_r:user_t:s0, object user_u:object_r:user_table_t:s0, target class db_table. Decision: db_table:{select update ...}.]
2. Architecture of SE-PostgreSQL
What was necessary to be enhanced
[Figure: PostgreSQL (DB authentication, query parser, query executor, user tables, system catalogs including pg_seclabel) connected to the SE-PgSQL plugin, which consults the SELinux security policy in the Linux kernel via libselinux; example query "SELECT * FROM t1 WHERE x = 2;".]
1. Security hooks
2. pg_seclabel system catalog
3. SQL statement support (SECURITY LABEL statement)
4. An intermediator module
Idea of External Security Provider
▐ Background
An earlier version of SE-PostgreSQL was launched in 2006.
It was not an easy path to get merged, because of ...
• A large-scale patch, even for the minimum functionality
• Few people in the PgSQL community are familiar with SELinux
• Not neutral towards other security mechanisms
▐ Idea of External Security Provider (ESP)
A similar idea to LSM and XACE.
PG provides a set of security hooks which allow third-party plugins
to make their own access control decisions.
• The patch can be broken up into smaller pieces.
• SELinux-specific code can be moved into the plugin modules.
• Open to other upcoming security models.
The first version of ESP shall be bundled in v9.1.
Security Hooks (1/2)
▐ ExecCheckRTPerms()
It is the routine that checks permissions on DML statements.
The list of RangeTblEntry contains all the necessary information:
• OID of the relation to be referenced
• A bitmask of required privileges (e.g. ACL_SELECT, ACL_UPDATE, ...)
The ESP hook allows plugins to make their own access control decision.
On violation it either raises an error or returns false, depending on
ereport_on_violation.
    bool
    ExecCheckRTPerms(List *rangeTable, bool ereport_on_violation)
    {
        :                           /* built-in ACL checks elided */
        /* let the ESP plugin, if one is loaded, apply its own decision */
        if (ExecutorCheckPerms_hook)
            result = (*ExecutorCheckPerms_hook)(rangeTable,
                                                ereport_on_violation);
        return result;
    }
The hook is implemented by the plugin as:
    bool sepgsql_relation_privileges(...)
Security Hooks (2/2)
▐ SELinux provides labeled IPsec and getpeercon(3)
The IKE daemon delivers the security context of the user process.
getpeercon(3) retrieves the delivered security context.
Requires: kernel >= 2.6.18, ipsec-tools >= 0.7.2
▐ (Post) Authentication hook
It allows ESP plugins to get control after database authentication.
SE-PgSQL retrieves the security context of the peer process and uses
it as the privileges of the client.
[Figure: the user process (staff_u:staff_r:staff_t:s0) connects to PostgreSQL over a labeled IPsec connection negotiated by the IKE daemons on both hosts; the SE-PgSQL authentication hook calls getpeercon(3) to obtain the peer's security context.]
pg_seclabel system catalog
postgres=# SELECT * FROM pg_catalog.pg_seclabel;
 reloid | objoid | subid |   tag   |                 label
--------+--------+-------+---------+---------------------------------------
   1259 |   2619 |     0 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
   1259 |   2619 |    -7 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
   1259 |   2619 |    -6 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
   1259 |   2619 |    -5 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
      : |      : |     : |    :    |                   :
[Figure: how pg_seclabel rows point at catalog entries. The pg_class catalog holds table X (OID = 1234) and table Y (OID = 5468); the pg_proc catalog holds SQL function Z (OID = 8901). The corresponding pg_seclabel rows are:
 reloid | objoid | subid | label
--------+--------+-------+------------------------------------------
   1259 |   1234 |     0 | system_u:object_r:sepgsql_table_t:s0
   1259 |   5468 |     0 | system_u:object_r:sepgsql_ro_table_t:s0
   1259 |   5468 |     4 | system_u:object_r:sepgsql_ro_column_t:s0
   1255 |   8901 |     0 | system_u:object_r:sepgsql_proc_exec_t:s0
reloid is the OID of the catalog the object lives in (1259 = pg_class, 1255 = pg_proc), objoid the object's own OID, and subid the column number, or 0 for the object itself.]
SECURITY LABEL statement
▐ This new SQL syntax provides an interface to change the security label
of database objects.
▐ The ESP can validate the supplied label and check the user's privileges.
A relabel is checked twice: { setattr relabelfrom } against the old label
and { relabelto } against the new one.
SECURITY LABEL [ FOR <provider> ]
ON <objtype> <objname> IS <security label>
postgres=# SECURITY LABEL ON TABLE t1 IS
'system_u:object_r:sepgsql_ro_table_t:s0';
LOG: SELinux: allowed { setattr relabelfrom }
scontext=unconfined_u:unconfined_r:unconfined_t:s0
tcontext=system_u:object_r:sepgsql_table_t:s0
tclass=db_table name=t1
LOG: SELinux: allowed { relabelto }
scontext=unconfined_u:unconfined_r:unconfined_t:s0
tcontext=system_u:object_r:sepgsql_ro_table_t:s0
tclass=db_table name=t1
OT: Default security context on table creation
▐ DefineRelation() also calls the ESP plugin ...
1. to check the permission to create a table
2. to get the security context to be assigned to the new table
▐ A table gets its security context at creation time;
the user can relabel it later using the SECURITY LABEL statement.
[Figure: a CREATE TABLE statement from the user passes through the SQL parser to DefineRelation(), which calls the ESP plugin (sepgsql.so) through the create hook with the properties of the new table. The plugin (1) performs permission checks and (2) computes a default security context, and the new table is created as, for example, a classified table.]
As an intermediator between PgSQL and SELinux
▐ sepgsql.so is the ESP plugin of SE-PostgreSQL
▐ It translates PgSQL terms into SELinux terms:
OID of the table -> security context of the table
ACL_SELECT -> db_table:{select} permission
▐ Then it translates SELinux's decision into a PgSQL status:
access denied -> ereport(ERROR, ...)
[Figure: PostgreSQL invokes sepgsql.so via hooks with the OID of the table, the query type, and so on. The plugin obtains the subject context (scontext) with getpeercon(3) and the object context (tcontext) from pg_seclabel, queries the SELinux policy through libselinux (sbj: user_u:user_r:user_t:s0, obj: system_u:object_r:sepgsql_table_t:s0, class: db_table) and receives the decision db_table:{ select update ... }.]
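As an added example (not the project's C code), here is a Python simulation of the intermediator role described on this slide; it also covers the ExecCheckRTPerms() hook, the post-authentication hook and the SECURITY LABEL relabel check from the earlier slides. It assumes constructed catalog contents (relation OIDs 1234 and 5468 as on the pg_seclabel slide, a native ACL for the connected role), a constructed policy fragment, and hook wiring modelled on the C snippet shown earlier; the audit lines it produces follow the format of the LOG lines on the SECURITY LABEL slide. The ACL_* bit values are those of PostgreSQL's acl.h.

```python
"""Simulation of sepgsql.so as the intermediator between PostgreSQL and
SELinux: the ExecCheckRTPerms() hook, the post-authentication hook and the
SECURITY LABEL relabel check from the earlier slides. Constructed example:
catalog rows, policy rules and hook wiring stand in for the real C code."""
from typing import List, Tuple

# Privilege bits as defined in PostgreSQL's acl.h.
ACL_INSERT, ACL_SELECT, ACL_UPDATE, ACL_DELETE = 1 << 0, 1 << 1, 1 << 2, 1 << 3
# PgSQL term -> SELinux term: privilege bit -> db_table permission.
ACL_TO_DB_TABLE = {ACL_INSERT: "insert", ACL_SELECT: "select",
                   ACL_UPDATE: "update", ACL_DELETE: "delete"}
# Constructed catalog state: relation names, native ACL bits granted to the
# connected role, and pg_seclabel rows (relation OID -> security context).
REL_NAMES = {1234: "t1", 5468: "t2"}
NATIVE_ACL = {1234: ACL_INSERT | ACL_SELECT | ACL_UPDATE | ACL_DELETE,
              5468: ACL_SELECT | ACL_UPDATE}
PG_SECLABEL = {1234: "system_u:object_r:sepgsql_table_t:s0",
               5468: "system_u:object_r:sepgsql_ro_table_t:s0"}
# Constructed policy fragment: (subject type, object type, class) -> perms.
POLICY = {
    ("user_t", "sepgsql_table_t", "db_table"):
        {"select", "update", "insert", "delete", "setattr", "relabelfrom"},
    ("user_t", "sepgsql_ro_table_t", "db_table"): {"select", "relabelto"},
}
RangeTable = List[Tuple[int, int]]   # (relation OID, required privilege bits)
AUDIT_LOG: List[str] = []            # stands in for the PostgreSQL server log
CLIENT = {"context": None}           # filled by the authentication hook


class AccessDenied(Exception):
    """Stands in for ereport(ERROR, ...)."""

def security_compute_av(scontext: str, tcontext: str, tclass: str) -> set:
    """Toy policy query; libselinux would ask the kernel here."""
    stype, ttype = scontext.split(":")[2], tcontext.split(":")[2]
    return set(POLICY.get((stype, ttype, tclass), set()))

def check_perms(scontext: str, tcontext: str, tclass: str,
                required: set, name: str) -> bool:
    """Evaluate one access and append an audit line in the slide's format."""
    allowed = required <= security_compute_av(scontext, tcontext, tclass)
    AUDIT_LOG.append(f"SELinux: {'allowed' if allowed else 'denied'} "
                     f"{{ {' '.join(sorted(required))} }} scontext={scontext} "
                     f"tcontext={tcontext} tclass={tclass} name={name}")
    return allowed

def sepgsql_post_auth(peer_context: str) -> None:
    """Post-authentication hook: keep what getpeercon(3) returned."""
    CLIENT["context"] = peer_context

def sepgsql_relation_privileges(range_table: RangeTable, ereport: bool) -> bool:
    """ExecutorCheckPerms_hook: OID -> label, ACL bits -> db_table perms,
    SELinux denial -> error (or False when the caller asked not to ereport)."""
    scontext = CLIENT["context"]
    if scontext is None:             # unlabeled peer: fail closed
        raise AccessDenied("no security context for the client")
    for relid, bits in range_table:
        required = {p for bit, p in ACL_TO_DB_TABLE.items() if bits & bit}
        if required and not check_perms(scontext, PG_SECLABEL[relid],
                                        "db_table", required, REL_NAMES[relid]):
            if ereport:
                raise AccessDenied(f"SELinux: access denied to {REL_NAMES[relid]}")
            return False
    return True

# Loading sepgsql.so installs the plugin's function into the hook.
ExecutorCheckPerms_hook = sepgsql_relation_privileges

def exec_check_rt_perms(range_table: RangeTable, ereport: bool) -> bool:
    """PostgreSQL's built-in ACL check first, then the ESP hook if loaded."""
    for relid, bits in range_table:
        if bits & ~NATIVE_ACL.get(relid, 0):
            if ereport:
                raise AccessDenied(f"permission denied for relation {REL_NAMES[relid]}")
            return False
    if ExecutorCheckPerms_hook is not None:
        return ExecutorCheckPerms_hook(range_table, ereport)
    return True

def security_label(relid: int, new_label: str) -> bool:
    """SECURITY LABEL ON TABLE: {setattr relabelfrom} on the old label and
    {relabelto} on the new one must both pass before pg_seclabel changes."""
    scontext, name = CLIENT["context"], REL_NAMES[relid]
    if not check_perms(scontext, PG_SECLABEL[relid], "db_table",
                       {"setattr", "relabelfrom"}, name):
        return False
    if not check_perms(scontext, new_label, "db_table", {"relabelto"}, name):
        return False
    PG_SECLABEL[relid] = new_label
    return True


if __name__ == "__main__":
    sepgsql_post_auth("user_u:user_r:user_t:s0")
    print(exec_check_rt_perms([(1234, ACL_SELECT | ACL_UPDATE)], False))
    print(exec_check_rt_perms([(5468, ACL_UPDATE)], False))  # DAC allows, SELinux denies
    print("\n".join(AUDIT_LOG))
```

The second call in the usage block is the case that motivates the whole design: the native ACL grants UPDATE on t2, but the table carries a read-only SELinux label, so the centralized policy overrides the database's own decision, and the server log shows which (scontext, tcontext, tclass) pair was denied.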
OT: Userspace access vector cache (avc)
▐ security_compute_xxx() always invokes a system call.
The AVC caches recently used access control decisions in userspace.
[Figure: flow of avc_has_perms(). First, validate the userspace cache by a memory reference to the selinux_kernel_status page mmap(2)'d from /selinux/status: if invalid, reset the avc cache; if still valid, look up an avc entry in the cache. If found, check the access permissions against the cached entry and return the decision. If not found, query the SELinux security policy with a system call via /selinux/access or /selinux/create, make an avc entry from the answer, and then return the decision. Empirically, the cache hit rate exceeds 99.9%.]
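The cache flow described on this slide, as an added Python model (not libselinux code): decisions are cached per (scontext, tcontext, tclass); every lookup first validates the cache against a kernel-side policy-load counter standing in for the mmap(2)'d selinux_kernel_status page, and a changed counter empties the cache so that a stale decision is never returned after a policy reload. The KernelSide class, the rule set and the counters are constructed assumptions.

```python
"""Toy userspace access vector cache (AVC): cached decisions keyed on
(scontext, tcontext, tclass), validated against the kernel's policy-load
sequence number before every lookup. Constructed example, not libselinux."""
from typing import Dict, Set, Tuple

Rules = Dict[Tuple[str, str, str], Set[str]]   # (stype, ttype, tclass) -> perms


class KernelSide:
    """Stands in for the kernel: a status page plus the expensive query path."""

    def __init__(self, rules: Rules):
        self.rules = rules
        self.policyload = 0     # sequence number as in selinux_kernel_status
        self.syscalls = 0       # how often /selinux/access was consulted

    def load_policy(self, rules: Rules) -> None:
        """A policy reload bumps the sequence number; caches must discard."""
        self.rules = rules
        self.policyload += 1

    def compute_av(self, stype: str, ttype: str, tclass: str) -> Set[str]:
        self.syscalls += 1      # one system call per uncached query
        return set(self.rules.get((stype, ttype, tclass), set()))


def _type(context: str) -> str:
    return context.split(":")[2]


class UserspaceAVC:
    def __init__(self, kernel: KernelSide):
        self.kernel = kernel
        self.cache: Dict[Tuple[str, str, str], Set[str]] = {}
        self.seen_policyload = kernel.policyload
        self.hits = self.misses = self.resets = 0

    def _validate(self) -> None:
        """Memory reference to the status page, no system call: if the
        policy changed since we last looked, every cached entry is stale."""
        if self.kernel.policyload != self.seen_policyload:
            self.cache.clear()
            self.seen_policyload = self.kernel.policyload
            self.resets += 1

    def has_perms(self, scontext: str, tcontext: str, tclass: str, required) -> bool:
        self._validate()
        key = (scontext, tcontext, tclass)
        entry = self.cache.get(key)
        if entry is None:               # not found: ask the security server
            self.misses += 1
            entry = self.kernel.compute_av(_type(scontext), _type(tcontext), tclass)
            self.cache[key] = entry
        else:
            self.hits += 1
        return set(required) <= entry

    def hit_rate(self) -> float:
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


if __name__ == "__main__":
    kernel = KernelSide({("user_t", "sepgsql_table_t", "db_table"): {"select", "update"}})
    avc = UserspaceAVC(kernel)
    S, T = "user_u:user_r:user_t:s0", "system_u:object_r:sepgsql_table_t:s0"
    for _ in range(1000):   # one repeated query: one syscall, 999 cache hits
        avc.has_perms(S, T, "db_table", {"select"})
    print(kernel.syscalls, f"{avc.hit_rate():.1%}")
    kernel.load_policy({("user_t", "sepgsql_table_t", "db_table"): {"select"}})
    print(avc.has_perms(S, T, "db_table", {"update"}))   # re-queried, now denied
```

The validation step is what makes the cache safe: without it, a policy that revokes a permission would keep being answered "allowed" from userspace for as long as the entry stayed cached.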
3. Playing with SE-PostgreSQL
(demonstration)
4. Today and the Future
Current status of SE-PostgreSQL
▐ Under development based on v9.1
▐ Completed work
Security hook on DML permission checks
▐ Work in progress
pg_seclabel and security label support
Security hook on authentication
Security hook on table creation
Under discussion in the second CommitFest
▐ Source of the SE-PgSQL plugin
http://code.google.com/p/sepgsql/
Future works of SE-PostgreSQL
▐ Comprehensive security hooks
▐ Backup/Restore support
▐ Trusted Procedure
▐ Security label of user tuples
▐ Row-level access control
▐ Integration with system audit
Our Information Assets over the Cloud
[Figure: web applications served by a web server (Apache + mod_selinux), Memcached (selinux_engine) and SE-PostgreSQL, all running on Linux (SELinux) as the system platform.]
▐ Information assets are getting consolidated somewhere in the cloud.
Can we reference them anywhere, anytime, and can anybody?
▐ Need to ensure both data sharing and separation at the same time.
System-wide consistency of access control on such a complex system.
Any Questions?
Thank you!

 
20191115-PGconf.Japan
20191115-PGconf.Japan20191115-PGconf.Japan
20191115-PGconf.Japan
 
20190926_Try_RHEL8_NVMEoF_Beta
20190926_Try_RHEL8_NVMEoF_Beta20190926_Try_RHEL8_NVMEoF_Beta
20190926_Try_RHEL8_NVMEoF_Beta
 
20190925_DBTS_PGStrom
20190925_DBTS_PGStrom20190925_DBTS_PGStrom
20190925_DBTS_PGStrom
 
20190909_PGconf.ASIA_KaiGai
20190909_PGconf.ASIA_KaiGai20190909_PGconf.ASIA_KaiGai
20190909_PGconf.ASIA_KaiGai
 
20190516_DLC10_PGStrom
20190516_DLC10_PGStrom20190516_DLC10_PGStrom
20190516_DLC10_PGStrom
 
20190418_PGStrom_on_ArrowFdw
20190418_PGStrom_on_ArrowFdw20190418_PGStrom_on_ArrowFdw
20190418_PGStrom_on_ArrowFdw
 

Último

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 

Último (20)

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 

LCJ2010-KaiGai-sepgsql

  • 1. SE-PostgreSQL System-wide consistency of access control NEC OSS Promotion Center KaiGai Kohei <kaigai@ak.jp.nec.com>
  • 2. Self Introduction
    ▐ Name: KaiGai Kohei
    ▐ Company: NEC, OSS Promotion Center
    ▐ Works: 7 years of experience in OSS development
      » SELinux
      » PostgreSQL
      » Memcached
      » Apache (mod_selinux)
    ▐ SE-PostgreSQL Project
      It enables access control on database objects using the centralized security policy of SELinux.
      Launched in 2006; since then I've worked with both the SELinux and PostgreSQL communities.
      Now under development as a plugin for PostgreSQL v9.1.
  • 3. Agenda
    1. The Goal of this project
    2. Architecture of SE-PostgreSQL
    3. Playing with SE-PostgreSQL (demonstration)
    4. Today, and the Future
  • 4. 1. The Goal of this Project
  • 5. An analogy on Filesystem and Database
    ▐ Same relationship between user processes, requests, the object manager and information assets.
    ▐ Differences in the way to store and access them:
      System calls for filesystems
      SQL for databases
    ▐ Also differences in the access control model.
      What difference does that make in the result?
    [Diagram: user process → request → object manager and resource → information asset.
     OS (Linux): system call → filesystem with permissions → info asset.
     RDBMS (PostgreSQL): SQL → database with ACLs → info asset.]
  • 6. The Goal of this project (1/2)
    [Diagram: two human users log in to bash; one runs in the domain of classified processes, the other in the domain of unclassified processes. Through vi (filesystem), psql (PostgreSQL), X-window and network inter-process communication channels, both reach classified and unclassified information.]
    Both of them try to reference classified information, but the access controls are independent.
  • 7. Lack of conductor
  • 8. The Goal of this project (2/2)
    [Diagram: the same two users and domains as on slide 6, but now the SELinux security policy acts as a centralized security server, applying access control to the filesystem, networks, PostgreSQL and X-window alike.]
  • 9. OT: LAMP/SELinux
    [Diagram: web applications running under Apache/httpd with mod_selinux.so, in the domain of classified processes and the domain of unclassified processes; the SELinux security policy applies access control to classified and unclassified information in the filesystem, networks, PostgreSQL and Memcached.]
  • 10. SELinux as a Security Server (1/3)
    ▐ Interactions with object managers
      Kernel subsystems make queries via LSM.
      Userspace applications make queries via libselinux.
      Both of them control the user's requests according to the decision.
    ▐ Security context as a common identifier
      system_u:system_r:postgresql_t:s0
      system_u:object_r:sepgsql_table_t:s0
      A short formatted text, independent of object classes.
    ▐ Security policy
      A massive set of access control rules.
      A rule describes the set of actions allowed on a pair of a security context of the subject (the process making the access) and a security context of the object being accessed.
  • 11. SELinux as a Security Server (2/3)
    ▐ Case of Linux Kernel
    [Diagram: user process A (staff_u:staff_r:staff_t:s0) and user process B (user_u:user_r:user_t:s0) issue read(2) and write(2) on file X (system_u:object_r:etc_t:s0) and file Y (user_u:object_r:user_home_t:s0); the VFS queries SELinux through LSM and the security policy answers.]
      Query:    Subject: user_u:user_r:user_t:s0
                Object:  user_u:object_r:user_home_t:s0
                Target class: file
      Decision: file:{getattr read write ...}
  • 12. SELinux as a Security Server (3/3)
    ▐ Case of PostgreSQL
    [Diagram: user process A (staff_u:staff_r:staff_t:s0) and user process B (user_u:user_r:user_t:s0) issue SELECT and UPDATE on table X (system_u:object_r:sepgsql_ro_table_t:s0) and table Y (user_u:object_r:user_table_t:s0); the query executor calls SE-PgSQL, which queries the SELinux security policy through libselinux.]
      Query:    Subject: user_u:user_r:user_t:s0
                Object:  user_u:object_r:user_table_t:s0
                Target class: db_table
      Decision: db_table:{select update ...}
  • 13. 2. Architecture of SE-PostgreSQL
  • 14. What was necessary to be enhanced
    1. Security Hooks
    2. Pg_seclabel system catalog
    3. SQL statement support (SECURITY LABEL statement)
    4. An intermediator module
    [Diagram: PostgreSQL on the Linux kernel; a query such as SELECT * FROM t1 WHERE x = 2; passes the query parser and query executor, which call into the SE-PgSQL plugin; the plugin consults Pg_seclabel alongside the system catalogs and user tables and reaches the SELinux security policy via libselinux; DB authentication is hooked as well.]
  • 15. Idea of External Security Provider
    ▐ Background
      An earlier version of SE-PostgreSQL was launched in 2006.
      Not an easy path to get merged, because of ...
      • a large-scale patch, even for minimum functionality
      • few people familiar with SELinux in the PgSQL community
      • not being neutral to other security mechanisms
    ▐ Idea of External Security Provider (ESP)
      A similar idea to LSM and XACE.
      PG provides a set of security hooks which allow third-party plugins to make their own access control decisions.
      • The patch can be broken up into smaller pieces.
      • SELinux-specific code can be moved into the plugin module.
      • Open to other security models to come.
      The first version of ESP shall be bundled in v9.1.
  • 16. Security Hooks (1/2)
    ▐ ExecCheckRTPerms()
      It is the routine that checks permissions on DML statements.
      The list of RangeTblEntry contains all the necessary information:
      • OID of the relation to be referenced
      • A flag of required privileges (e.g. ACL_SELECT, ACL_UPDATE, ...)
      The ESP hook allows plugins to make their own access control decision.
      If violated, it raises or returns an error according to the spec.

        bool
        ExecCheckRTPerms(List *rangeTable, bool ereport_on_violation)
        {
            :
            if (ExecutorCheckPerms_hook)
                result = (*ExecutorCheckPerms_hook)(rangeTable, ereport_on_violation);
            return result;
        }

      In SE-PgSQL the hook is served by: bool sepgsql_relation_privileges(...)
  • 17. Security Hooks (2/2)
    ▐ SELinux provides labeled IPsec and getpeercon(3)
      The IKE daemon delivers the security context of the user process.
      getpeercon(3) allows the server to retrieve the delivered security context.
      Requires: kernel >= 2.6.18, ipsec-tools >= 0.7.2
    ▐ (Post) Authentication hook
      It allows ESP plugins to take control after database authentication.
      SE-PgSQL retrieves the security context of the peer process and uses it as the privileges of the client.
    [Diagram: a user process (staff_u:staff_r:staff_t:s0) connects to PostgreSQL over a labeled IPsec connection negotiated by the IKE daemons on both sides; the SE-PgSQL authentication hook calls getpeercon(3) on that connection.]
  • 18. Pg_seclabel system catalog

      postgres=# SELECT * FROM pg_catalog.pg_seclabel;
       reloid | objoid | subid |   tag   |                 label
      --------+--------+-------+---------+---------------------------------------
         1259 |   2619 |     0 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
         1259 |   2619 |    -7 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
         1259 |   2619 |    -6 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
         1259 |   2619 |    -5 | selinux | system_u:object_r:sepgsql_sysobj_t:s0
            : |      : |     : |    :    |                   :

    [Diagram: Pg_seclabel rows reference objects in the Pg_class catalog (reloid 1259) and the Pg_proc catalog (reloid 1255) by their OID.]

       reloid | objoid | subid | label                                    | object
      --------+--------+-------+------------------------------------------+-----------------------------
         1259 |   1234 |     0 | system_u:object_r:sepgsql_table_t:s0     | table X (OID = 1234)
         1259 |   5468 |     0 | system_u:object_r:sepgsql_ro_table_t:s0  | table Y (OID = 5468)
         1259 |   5468 |     4 | system_u:object_r:sepgsql_ro_column_t:s0 | column of table Y (subid 4)
         1255 |   8901 |     0 | system_u:object_r:sepgsql_proc_exec_t:s0 | SQL function Z (OID = 8901)
  • 19. SECURITY LABEL statement
    ▐ This new SQL syntax provides an interface to change the security label of database objects.
    ▐ The ESP can validate the supplied label and check the user's privileges.

      SECURITY LABEL [ FOR <provider> ] ON <objtype> <objname> IS <security label>

      postgres=# SECURITY LABEL ON TABLE t1 IS 'system_u:object_r:sepgsql_ro_table_t:s0';
      LOG:  SELinux: allowed { setattr relabelfrom } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
      LOG:  SELinux: allowed { relabelto } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_ro_table_t:s0 tclass=db_table name=t1
      SECURITY LABEL
  • 20. OT: Default security context on table creation
    ▐ DefineRelation() also calls the ESP plugin ...
      1. to check the permission for table creation
      2. to get the security context to be assigned to the new table
    ▐ A table gets its security context at creation time; the user can then relabel it using the SECURITY LABEL statement.
    [Diagram: a CREATE TABLE statement goes from the user through the SQL parser to DefineRelation(), whose hook hands the properties of the new table to the ESP plugin (sepgsql.so); the plugin ① checks permissions and ② computes a default security context, and the new table is created, e.g. as a classified table.]
  • 21. As an intermediator between PgSQL and SELinux
    ▐ sepgsql.so is the ESP plugin of SE-PostgreSQL.
    ▐ It interprets a term of PgSQL into a term of SELinux:
      OID of the table → security context of the table
      ACL_SELECT → db_table:{select} permission
    ▐ Then it interprets SELinux's decision into a status of PgSQL:
      access denied → ereport(ERROR, ...)
    [Diagram: invocations via hook carry the OID of the table and the query types into sepgsql.so; the plugin obtains the scontext via getpeercon(3) and the tcontext from Pg_seclabel, then queries the SELinux policy through libselinux with sbj: user_u:user_r:user_t:s0, obj: system_u:object_r:sepgsql_table_t:s0, class: db_table, and receives the decision db_table:{ select update ... }.]
  • 22. OT: Userspace access vector cache (avc)
    ▐ security_compute_xxx() always invokes a system call.
      The AVC caches recently used access control decisions.
    [Diagram of avc_has_perms(): first a validation check of the userspace cache, done by a memory reference to selinux_kernel_status, i.e. /selinux/status mapped with mmap(2). If the cache is invalid it is reset; if still valid, the AVC entry is looked up in the cache. If found, access permissions are checked against it; if not found, a system call to /selinux/access (or /selinux/create) queries the SELinux security policy and the decision is stored as a new AVC entry.]
      Heuristically, the cache hit rate exceeds 99.9%.
  • 23. 3. Playing with SE-PostgreSQL (demonstration)
  • 24. 4. Today and the Future
  • 25. Current status of SE-PostgreSQL
    ▐ Under development based on v9.1
    ▐ Works completed
      Security hook on DML permission checks
    ▐ Works in progress
      Pg_seclabel and security label support
      Security hook on authentication
      Security hook on table creation
      Under discussion in the 2nd CommitFest
    ▐ Source of the SE-PgSQL plugin
      http://code.google.com/p/sepgsql/
  • 26. Future works of SE-PostgreSQL
    ▐ Comprehensive security hooks
    ▐ Backup/Restore support
    ▐ Trusted Procedure
    ▐ Security label of user tuples
    ▐ Row-level access control
    ▐ Integration with system audit
  • 27. Our Information Assets over the Cloud
    ▐ Information assets are getting consolidated somewhere in the cloud.
      Can we reference them anywhere, anytime, and can anybody?
    ▐ Need to ensure both data sharing and separation at the same time.
      System-wide consistency of access control on such a complex system.
    [Diagram: web applications on a web server (Apache + mod_selinux), Memcached (selinux_engine) and SE-PostgreSQL, all running on Linux (SELinux) as the system platform.]
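Slides 21 and 22 describe the two jobs of sepgsql.so: translating PgSQL terms (relation OID, ACL flags) into SELinux terms (scontext, tcontext, db_table permissions) and answering most decisions from a userspace AVC that is invalidated when the policy changes. The Python model below is an added example, not code from the SE-PostgreSQL project or libselinux; the policy rules, OIDs, labels, ACL bit values and the sequence-number invalidation are constructed stand-ins for the real kernel and libselinux interfaces.

```python
"""Model of the sepgsql.so intermediator (slide 21) with its userspace AVC (slide 22).
Constructed example: the policy, labels, OIDs and flag bit values are made up."""
from dataclasses import dataclass, field

# Required-privilege flags under the names the slides use; the bit values are ours.
ACL_INSERT, ACL_SELECT, ACL_UPDATE, ACL_DELETE = 1, 2, 4, 8
ACL_TO_PERM = {ACL_INSERT: "insert", ACL_SELECT: "select",
               ACL_UPDATE: "update", ACL_DELETE: "delete"}

@dataclass
class SecurityServer:
    """Stand-in for the policy behind /selinux/access; seqno changes on reload."""
    rules: dict             # (subject type, object type, class) -> allowed perms
    seqno: int = 1
    compute_calls: int = 0  # each call models one security_compute_av() system call

    def compute_av(self, scontext, tcontext, tclass):
        self.compute_calls += 1
        stype, ttype = scontext.split(":")[2], tcontext.split(":")[2]
        return self.rules.get((stype, ttype, tclass), frozenset())

    def reload(self, rules):
        self.rules, self.seqno = rules, self.seqno + 1

@dataclass
class Avc:
    """Userspace access vector cache, valid while the seqno it saw is current."""
    server: SecurityServer
    entries: dict = field(default_factory=dict)
    seen_seqno: int = 0

    def allowed(self, scontext, tcontext, tclass):
        if self.seen_seqno != self.server.seqno:  # validation check failed: reset cache
            self.entries.clear()
            self.seen_seqno = self.server.seqno
        key = (scontext, tcontext, tclass)
        if key not in self.entries:               # not found: query policy, make an entry
            self.entries[key] = self.server.compute_av(scontext, tcontext, tclass)
        return self.entries[key]                  # found: a memory reference only

def check_rt_perms(avc, client, seclabels, relnames, range_table):
    """ExecutorCheckPerms_hook-style check; client is the getpeercon(3) context."""
    for oid, flags in range_table:
        required = {p for f, p in ACL_TO_PERM.items() if flags & f}
        tcontext = seclabels[oid]                 # pg_seclabel lookup by OID
        missing = required - avc.allowed(client, tcontext, "db_table")
        if missing:                               # access denied -> ereport(ERROR, ...)
            raise PermissionError(
                f"SELinux: denied {{ {' '.join(sorted(missing))} }} scontext={client} "
                f"tcontext={tcontext} tclass=db_table name={relnames[oid]}")
    return True

# Constructed sample policy and catalog contents.
POLICY_V1 = {("user_t", "sepgsql_table_t", "db_table"): frozenset({"select"}),
             ("staff_t", "sepgsql_table_t", "db_table"): frozenset({"select", "update"})}
SECLABELS = {1234: "system_u:object_r:sepgsql_table_t:s0"}
RELNAMES = {1234: "t1"}

def demo():
    """A user_t client against table t1, before and after a policy reload."""
    server = SecurityServer(dict(POLICY_V1))
    avc, client = Avc(server), "user_u:user_r:user_t:s0"
    def check(range_table):
        return check_rt_perms(avc, client, SECLABELS, RELNAMES, range_table)
    out = {"select_ok": check([(1234, ACL_SELECT)])}
    check([(1234, ACL_SELECT)])                       # same triple: served from the AVC
    out["calls_after_two_selects"] = server.compute_calls
    try:
        check([(1234, ACL_SELECT | ACL_UPDATE)])
    except PermissionError as err:
        out["update_denied"] = str(err)
    out["calls_after_denial"] = server.compute_calls  # still 1: the cache answered
    server.reload({**POLICY_V1, ("user_t", "sepgsql_table_t", "db_table"):
                   frozenset({"select", "update"})})  # seqno bump invalidates the AVC
    out["update_after_reload"] = check([(1234, ACL_UPDATE)])
    out["calls_after_reload"] = server.compute_calls  # 2: exactly one fresh compute
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The denial message follows the shape of the LOG lines on slide 19, so the same string could feed an audit trail; the compute_calls counter is what the 99.9% hit-rate figure on slide 22 is about.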