On 12/10/2015 02:58 PM, oleg yusim wrote:
> John,
>
> I can answer that - Oracle and MS SQL do, or at least they were able to
> convince DISA that they do (STIGs for them are present here:
> http://iase.disa.mil/stigs/Pages/a-z.aspx). That actually benefits those
> products greatly - from the point of view of security they, once
> hardened, meet Federal security requirements and as such can be used in
> multiple products other DBs can't (for that very reason).

Caveats apply.

From U_SQL_Server_2012_V1R8_Overview.pdf:

"
1. INTRODUCTION

1.1 Executive Summary

The SQL Server 2012 Overview, along with the SQL Server 2012 Security
Technical Implementation Guide (STIG), provides the technical security
policies, requirements and implementation details for applying security
concepts to Microsoft SQL Server 2012. This document is meant to improve
the security of Department of Defense (DoD) information systems.

The requirements in the accompanying STIG do not necessarily prevent or
mitigate all attacks against a poorly designed application which uses SQL
Server. Please refer to the Application Security and Development STIG for
application requirements.

Consideration must be given to the placement of SQL server inside a forest
to ensure evaluation of risk within the environment is considered. Risk
includes introduction of risk to SQL Server from other applications or
workstations as well as risk from introduction of SQL server itself into an
established environment.

Please note additional guidance exists that applies to SQL Server, even
though it is non-SQL-specific and therefore not explicitly called out in
the SQL Server 2012 STIG. This includes the Windows environment as well as
the networking requirements including firewall protection, DMZ
requirements, and Windows host requirements.
"

"... Furthermore, DISA implies no warranty that the application of all
specified configurations will make a system 100% secure. ..."
> Thanks,
>
> Oleg
>
> On Thu, Dec 10, 2015 at 4:52 PM, John R Pierce <pierce@xxxxxxxxxxxx
> <mailto:pierce@xxxxxxxxxxxx>> wrote:
>
> > On 12/10/2015 2:03 PM, Adrian Klaver wrote:
> >
> > > So some aspect of this:
> > >
> > > https://www.stigviewer.com/stig/database_security_requirements_guide/
> >
> > That's a rather insane bunch of requirements. Reads like a wish
> > list by academic security researchers.
> >
> > for instance
> > https://www.stigviewer.com/stig/database_security_requirements_guide/2015-06-23/finding/V-58123
> >
> > ??!? The database server has no clue about the difference between
> > an "application that it supports" and a user directly querying. The
> > PSQL shell, or dbadmin, is an 'application that it supports'.
> >
> > at this point, speaking purely as an interested outsider (I am in no
> > way representing the PG Development Group), I'd guess PostgreSQL
> > probably doesn't meet 2/3rds of those 'findings'. I truly wonder
> > if any standard RDBMS supports all or even most of them?!?
> >
> >
> > --
> > john r pierce, recycling bits in santa cruz
> >
> >
> >
> > --
> > Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx
> > <mailto:pgsql-general@xxxxxxxxxxxxxx>)
> > To make changes to your subscription:
> > http://www.postgresql.org/mailpref/pgsql-general
>

-- 
Adrian Klaver
adrian.klaver@xxxxxxxxxxx