Skip site navigation (1) Skip section navigation (2)

Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL

From: Robin Iddon <robin(at)edesix(dot)com>
To: Khangelani Gama <kgama(at)argility(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL
Date: 2012-03-14 13:03:23
Message-ID: 1331730203.5503.174.camel@elliot (view raw or flat)
Thread:
Lists: pgsql-admin
You lose if you have provided people you do not trust with root access
they can be whoever they want to be and there is nothing you can do
about it.  In my belief there is absolutely no way of making the system
safe with untrusted root users.  Don't waste your time trying.

Any attempt to create an audit trail by adding in username capture in
the software is doomed to being circumvented by anybody with root access
who doesn't want to be traced.

For example:

robin$ su - root
root# su - kgama
kgama$ su - root ... do something bad.

Now it looks like you did it, even though it was me.

Robin

On Wed, 2012-03-14 at 14:39 +0200, Khangelani Gama wrote:
> Hi, anyone with an idea based on my latest comments below? Thanks
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Khangelani Gama [mailto:kgama(at)argility(dot)com]
> Sent: Wednesday, March 14, 2012 1:25 PM
> To: 'Robin Iddon'; 'pgsql-admin(at)postgresql(dot)org'
> Subject: RE: [ADMIN] Update actions (with user name) inside PostgreSQL DB -
> any version on postgreSQL
> 
> thanks, the issue we have is that we have many Linux users having root
> access into the system. So they're able to access the DB by just going in as
> "su - superusername". If this user is able to make any updates inside the
> database it might create problems. Auditors wants PostgreSQL to tell who
> updated what inside the database besides client users that access the
> database from outside using some applications. So this common
> "superusername" doesn't tell the actual person who got into the system and
> went onto make updates inside the database because they first logged as
> their linux users before as going in as postgres user called
> "superusername".
> 
> 
> 
> 
> 
> 
> -----Original Message-----
> From: pgsql-admin-owner(at)postgresql(dot)org
> [mailto:pgsql-admin-owner(at)postgresql(dot)org] On Behalf Of Robin Iddon
> Sent: Wednesday, March 14, 2012 12:54 PM
> To: pgsql-admin(at)postgresql(dot)org
> Subject: Re: [ADMIN] Update actions (with user name) inside PostgreSQL DB -
> any version on postgreSQL
> 
> What do you want to have happen to the timestamp/user?
> 
> You can obviously do:
> 
> update test set t4 = 9, user = <someuser>, timestamp = <sometimestamp> where
> t1 = 001;
> 
> I'm assuming you're trying to store the user and timestamp somewhere else,
> though?
> 
> Robin
> 
> On Wed, 2012-03-14 at 12:44 +0200, Khangelani Gama wrote:
> >
> >
> > Hi
> >
> >
> >
> >
> >
> > Is it possible to have an update query that will specify actions,
> > timestamp, user who’s making the update inside the database. Can this
> > be done without any script but just in the transaction block
> >
> >
> >
> > Example:
> >
> >
> >
> > dbtest=# UPDATE table test set t4 = 9 where t1 = 001 then specify
> > user_name,  timestamp() ;
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > Thanks in advance
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > C O N F I D E N T I A L I T Y   N O T I C E
> > The contents of and attachments to this e-mail are intended for the
> > addressee only, and may contain the confidential information of
> > Argility (Proprietary) Limited and/or its subsidiaries. Any review,
> > use or dissemination thereof by anyone other than the intended
> > addressee is prohibited. If you are not the intended addressee please
> > notify the writer immediately and destroy the e-mail. Argility
> > (Proprietary) Limited and its subsidiaries distance themselves from
> > and accept no liability for unauthorised use of their e-mail
> > facilities or e-mails sent other than strictly for business purposes.
> >
> >
> >
> >
> >
> >
> >
> > CONFIDENTIALITY NOTICE
> > The contents of and attachments to this e-mail are intended for the
> > addressee only, and may contain the confidential information of Argility
> > (Proprietary) Limited and/or its subsidiaries. Any review, use or
> > dissemination thereof by anyone other than the intended addressee is
> > prohibited.
> > If you are not the intended addressee please notify the writer immediately
> > and destroy the e-mail. Argility (Proprietary) Limited and its
> > subsidiaries distance themselves from and accept no liability for
> > unauthorised use of their e-mail facilities or e-mails sent other than
> > strictly for business purposes.
> 
> 
> 
> --
> Sent via pgsql-admin mailing list (pgsql-admin(at)postgresql(dot)org) To make
> changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin
> 
> 
> 
> 
> CONFIDENTIALITY NOTICE
> The contents of and attachments to this e-mail are intended for the addressee only, and may contain the confidential information of Argility (Proprietary) Limited and/or its subsidiaries. Any review, use or dissemination thereof by anyone other than the intended addressee is prohibited.
> If you are not the intended addressee please notify the writer immediately and destroy the e-mail. Argility (Proprietary) Limited and its subsidiaries distance themselves from and accept no liability for unauthorised use of their e-mail facilities or e-mails sent other than strictly for business purposes.
> 
> 



In response to

Responses

pgsql-admin by date

Next:From: Scott RibeDate: 2012-03-14 13:39:39
Subject: Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL
Previous:From: Khangelani GamaDate: 2012-03-14 12:39:36
Subject: Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group