Como proteger seus bancos de dados PostgreSQL de ataques cibernéticos com o SQL Firewall

Como funciona o firewall do SQL

Configurando o ambiente

Observação

Etapa 1:Instalando o PostgreSQL 10

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

# yum install https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm -y

# yum install postgresql10-server postgresql10 -y

# /usr/pgsql-10/bin/postgresql-10-setup initdb

Initializing database ... OK

listen_addresses = '*'

host    all all    <our IP address range>    md5

# systemctl start postgresql-10.service
# systemctl enable postgresql-10.service

# su - postgres
-bash-4.2$ psql
psql (10.12)
Type "help" for help.

postgres=# \password
Enter new password:
Enter it again:
postgres=#

Etapa 2:restaurar bancos de dados de amostra

• Pagila : a versão PostgreSQL do popular banco de dados MySQL Sakila
• Chinook : um banco de dados sobre a loja de mídia digital

Etapa 3:criar funções e usuários

psql -d postgres -c "CREATE ROLE human_user WITH  NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN NOREPLICATION PASSWORD '<a tough password>';"
psql -d postgres -c "CREATE ROLE app_user WITH  NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN NOREPLICATION PASSWORD '<a tough password>';"

$ psql -d postgres -c "GRANT CONNECT ON DATABASE pagila, chinook TO app_user;"

$ psql -d chinook -c "GRANT USAGE ON SCHEMA public TO app_user;"
$ psql -d chinook -c "GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_user;"
$ psql -d chinook -c "GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE, TRIGGER, REFERENCES ON ALL TABLES IN SCHEMA public TO app_user;"
$ psql -d chinook -c "GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO app_user;"

$ psql -d pagila -c "GRANT USAGE ON SCHEMA public TO app_user;"
$ psql -d pagila -c "GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_user;"
$ psql -d pagila -c "GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE, TRIGGER, REFERENCES ON ALL TABLES IN SCHEMA public TO app_user;"
$ psql -d pagila -c "GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO app_user;"

$ psql -d postgres -c "GRANT CONNECT ON DATABASE pagila, chinook TO human_user;"

$ psql -d chinook -c "GRANT USAGE ON SCHEMA public TO human_user;"
$ psql -d chinook -c "GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO human_user;"
$ psql -d chinook -c "GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE, TRIGGER, REFERENCES ON ALL TABLES IN SCHEMA public TO human_user;"
$ psql -d chinook -c "GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO human_user;"

$ psql -d pagila -c "GRANT USAGE ON SCHEMA public TO human_user;"
$ psql -d pagila -c "GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO human_user;"
$ psql -d pagila -c "GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE, TRIGGER, REFERENCES ON ALL TABLES IN SCHEMA public TO human_user;"
$ psql -d pagila -c "GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO human_user;"

Etapa 4:Instalando o Firewall do SQL

# rpm -ivh postgresql10-sqlfirewall-3.0-1.el7.x86_64.rpm

warning: postgresql10-sqlfirewall-3.0-1.el7.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID ******: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...

1:postgresql10-sqlfirewall-3.0-1.el################################# [100%]

shared_preload_libraries = 'sqlfirewall'

# systemctl restart postgresql-10.service

$ psql -U postgres -d chinook -c "CREATE EXTENSION sqlfirewall;"
Password for user postgres:
CREATE EXTENSION
-bash-4.2$ psql -U postgres -d pagila -c "CREATE EXTENSION sqlfirewall;"
Password for user postgres:
CREATE EXTENSION

Etapa 5:configurando o firewall do SQL

# vim /var/lib/pgsql/10/data/postgresql.conf

sqlfirewall.whitelist = 'verbose'
sqlfirewall.track = 'all'
sqlfirewall.track_utility = 'true'
sqlfirewall.save = 'true'

$ psql -U postgres -d postgres
Password for user postgres:
psql (10.12)
Type "help" for help.

postgres=# SELECT pg_reload_conf();
 pg_reload_conf
----------------
 t
(1 row)

postgres=# SELECT pg_sleep(1);
 pg_sleep
----------
(1 row)

postgres=# \connect pagila
You are now connected to database "pagila" as user "postgres".
pagila=# show sqlfirewall.whitelist;
 sqlfirewall.whitelist
-----------------------
 verbose
(1 row)

pagila=# \connect chinook;
You are now connected to database "chinook" as user "postgres".
chinook=# show sqlfirewall.whitelist;
 sqlfirewall.whitelist
-----------------------
 verbose
(1 row)

Executando o Firewall do SQL

Etapa 1:Noções básicas sobre as funções do firewall do SQL

• Quando estiver definido como “RECORD ”, o SQL Firewall registrará todas as instruções executadas pelo usuário na lista de permissões do usuário
  
• Quando definido como “ENFORCE ”, o SQL Firewall aplicará a lista de permissões. Qualquer declaração não incluída na lista branca causará um erro
  
• O valor de “OFF ” desativa a funcionalidade de lista de permissões para o usuário, e o usuário não poderá executar nenhuma consulta

Etapa 2:habilitar a lista de permissões para usuários

postgres=# \connect pagila
You are now connected to database "pagila" as user "postgres".
pagila=# SELECT sqlfirewall.sqlfirewall_whitelist_mode('human_user', 'RECORD');
 sqlfirewall_whitelist_mode
----------------------------
 t
(1 row)

pagila=# SELECT sqlfirewall.sqlfirewall_whitelist_mode('app_user', 'RECORD');\
 sqlfirewall_whitelist_mode
----------------------------
 t
(1 row)

pagila=# \connect chinook
You are now connected to database "chinook" as user "postgres".
chinook=# SELECT sqlfirewall.sqlfirewall_whitelist_mode('human_user', 'RECORD');
 sqlfirewall_whitelist_mode
----------------------------
 t
(1 row)

chinook=# SELECT sqlfirewall.sqlfirewall_whitelist_mode('app_user', 'RECORD');
 sqlfirewall_whitelist_mode
----------------------------
 t
(1 row)

$ psql -U postgres -d pagila -c "SELECT sqlfirewall.sqlfirewall_whitelist_users();"
Password for user postgres:
 sqlfirewall_whitelist_users
-----------------------------
 (17479,human_user,RECORD)
 (17480,app_user,RECORD)
(2 rows)

$ psql -U postgres -d chinook -c "SELECT sqlfirewall.sqlfirewall_whitelist_users();"
Password for user postgres:
 sqlfirewall_whitelist_users
-----------------------------
 (17479,human_user,RECORD)
 (17480,app_user,RECORD)
(2 rows)

Etapa 3:executando uma carga de trabalho

postgres=# \c - app_user
Password for user app_user:
You are now connected to database "postgres" as user "app_user".
postgres=> \connect pagila
You are now connected to database "pagila" as user "app_user".
pagila=> SELECT customer_id, first_name, last_name, email FROM public.customer;
...
pagila=> SELECT payment_id, customer_id, payment_date, amount FROM public.payment;
...
pagila=> SELECT staff_id, first_name, last_name, email FROM public.staff;
...
pagila=> \connect chinook;
You are now connected to database "chinook" as user "app_user".
chinook=> SELECT "CustomerId", "FirstName", "LastName", "Phone" FROM public."Customer";
...
chinook=> SELECT "EmployeeId", "FirstName", "LastName", "Phone", "Email" FROM public."Employee";
...

postgres=# \c - human_user
Password for user human_user:
You are now connected to database "postgres" as user "human_user".
postgres=> \connect pagila;
You are now connected to database "pagila" as user "human_user".
pagila=> SELECT payment_date, amount FROM public.payment;
...
pagila=> SELECT first_name, last_name, email FROM public.customer;
...
pagila=> \connect chinook;
You are now connected to database "chinook" as user "human_user".
chinook=> SELECT "FirstName", "LastName", "Phone", "Email" FROM public."Employee";
...

Etapa 4:aplicando a lista de permissões

postgres=# \connect pagila;
You are now connected to database "pagila" as user "postgres".
pagila=# SELECT sqlfirewall.sqlfirewall_whitelist_mode('human_user', 'ENFORCE');
 sqlfirewall_whitelist_mode
----------------------------
 t
(1 row)

pagila=# SELECT sqlfirewall.sqlfirewall_whitelist_mode('app_user', 'ENFORCE');
 sqlfirewall_whitelist_mode
----------------------------
 t
(1 row)

pagila=# \connect chinook;
You are now connected to database "chinook" as user "postgres".
chinook=# SELECT sqlfirewall.sqlfirewall_whitelist_mode('human_user', 'ENFORCE');
 sqlfirewall_whitelist_mode
----------------------------
 t
(1 row)

chinook=# SELECT sqlfirewall.sqlfirewall_whitelist_mode('app_user', 'ENFORCE');
 sqlfirewall_whitelist_mode
----------------------------
 t
(1 row)

Etapa 5:Teste

chinook=# \c - human_user;
Password for user human_user:
You are now connected to database "chinook" as user "human_user".
chinook=> \connect pagila;
You are now connected to database "pagila" as user "human_user".

pagila=> SELECT payment_date, amount FROM public.payment;
...
pagila=> SELECT first_name, last_name, email FROM public.customer;
...

pagila=> SELECT payment_id, customer_id, payment_date, amount FROM public.payment;

ERROR:  Execution of non-whitelisted statement prohibited

pagila=> \c - app_user
Password for user app_user:
You are now connected to database "pagila" as user "app_user".
pagila=> DELETE FROM public.payment;
ERROR:  Execution of non-whitelisted statement prohibited

Conclusão