Adds utility functions to harden PostgreSQL® through shared libraries and hooks.

See our blog post about aiven-gatekeeper and PostgreSQL extension security: Aiven's Blog.

The Aiven Security Agent for PostgreSQL (aiven-gatekeeper) allows controlling which privileged functions are exposed and prevents their abuse in common privilege escalation attacks.

Prevents common privilege escalation attacks, primarily at the time of extension creation. Limits access to sensitive features and functions within PostgreSQL and compliments the existing grants and superuser checks.

For detailed features and how they work, visit the documentation.

An independent, external code audit was performed and the results are available in the docs directory:

• Report letter
• Final report

To report any possible vulnerabilities or other serious issues please see our security policy.

Build and install the add on;

$ make
$ cp aiven_gatekeeper.so $postgres_lib/

# or make and install
$ make install

Configure PostgreSQL to use the library;

# edit your postgresql.conf and load the library
shared_preload_libraries = 'aiven_gatekeeper'

# restart postgresql

Aiven PostgreSQL Security is licensed under the PostgreSQL license. Full license text is available in the LICENSE file.

Please note that the project explicitly does not require a CLA (Contributor License Agreement) from its contributors.

Bug reports and patches are very welcome, please post them as GitHub issues and pull requests at https://github.com/aiven/aiven-pg-security . To report any possible vulnerabilities or other serious issues please see our security policy.

The terms Postgres and PostgreSQL are registered trademarks of the PostgreSQL Community Association of Canada.