Simplicity is a form of art...

PostgreSQL with central authentication and authorization
by Sven Vermeulen, post on Mon 25 May 2015

I have been running a PostgreSQL cluster for a while as the primary backend for many services. The database system is very robust, well supported by the community and very powerful. In this post, I'm going to show how I use central authentication and authorization with PostgreSQL.

An XCCDF skeleton for PostgreSQL
by Sven Vermeulen, post on Sat 14 December 2013

In a previous post I wrote about the documentation structure I have in mind for a PostgreSQL security best practice. Considering what XCCDF can give us, the idea is to have the following structure:

Hardening PostgreSQL
+- Basic setup
+- Instance level configuration
|  +- Pre-startup configuration
|  `- PostgreSQL internal configuration
+- Database recommendations
`- User definitions …

Documenting security best practices - XCCDF introduction
by Sven Vermeulen, post on Thu 12 December 2013

When I have some free time, I try to work on a Gentoo Security Benchmark which not only documents security best practices (loosely based on the Gentoo Security Handbook, which hasn't seen many updates in the last few years) but also uses the SCAP protocols. This set of protocols allows …

What could SELinux have done to mitigate the postgresql vulnerability?
by Sven Vermeulen, post on Tue 16 April 2013

Gentoo is one of the various distributions which support SELinux as a Mandatory Access Control system to, amongst other things, mitigate the results of a successful exploit against software. So what about the recent PostgreSQL vulnerability?

When correctly configured, the PostgreSQL daemon will run in the postgresql_t domain. In SELinux-speak …

How far reaching vulnerabilities can go
by Sven Vermeulen, post on Tue 09 April 2013

If you follow the news a bit, you know that PostgreSQL has had a significant security vulnerability. The PostgreSQL team announced it up front and communicated how they would deal with the vulnerability (which basically comes down to saying that it is severe, that the public repositories will be temporarily …