Skip site navigation (1) Skip section navigation (2)

Re: Feature request: permissions change history for auditing

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Thom Brown <thombrown(at)gmail(dot)com>
Cc: Glyn Astill <glynastill(at)yahoo(dot)co(dot)uk>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Feature request: permissions change history for auditing
Date: 2009-11-30 14:00:01
Message-ID: 4B13CFE1.2060602@dunslane.net (view raw or flat)
Thread:
Lists: pgsql-hackers

Thom Brown wrote:
> 2009/11/30 Glyn Astill <glynastill(at)yahoo(dot)co(dot)uk 
> <mailto:glynastill(at)yahoo(dot)co(dot)uk>>
>
>     --- On Mon, 30/11/09, Thom Brown <thombrown(at)gmail(dot)com
>     <mailto:thombrown(at)gmail(dot)com>> wrote:
>
>     > As far as I am aware, there is no way to tell when a
>     > user/role was granted permissions or had permissions
>     > revoked, or who made these changes.  I'm wondering if
>     > it would be useful for security auditing to maintain a
>     > history of permissions changes only accessible to
>     > superusers?
>
>     I'd have thought you could keep track of this in the logs by
>     setting log_statement >= ddl ?
>
>     I'm pretty sure this is a feature that's not wanted, but the
>     ability to add triggers to these sorts of events would surely make
>     more sense than a specific auditing capability.
>
>
> I concede your suggestion of the ddl log output.  I guess that could 
> then be filtered to obtain the necessary information.
>
>

This could probably be defeated by making the permissions changes in a 
stored function. Or even a DO block, I suspect, unless you had 
log_statement = all set.

I do agree with Glyn, though, that making provision for auditing one 
particular event is not desirable.

cheers

andrew

In response to

pgsql-hackers by date

Next:From: Peter EisentrautDate: 2009-11-30 14:03:21
Subject: Re: Patch: Remove gcc dependency in definition of inline functions
Previous:From: Thom BrownDate: 2009-11-30 13:46:00
Subject: Re: Feature request: permissions change history for auditing

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group