| From: | Neil Tiffin <neilt(at)neiltiffin(dot)com> |
|---|---|
| To: | Yeb Havinga <yebhavinga(at)gmail(dot)com> |
| Cc: | Jim Nasby <Jim(dot)Nasby(at)BlueTreble(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Abhijit Menon-Sen <ams(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Simon Riggs <simon(at)2ndquadrant(dot)com>, MauMau <maumau307(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Ian Barwick <ian(at)2ndquadrant(dot)com> |
| Subject: | Re: pgaudit - an auditing extension for PostgreSQL |
| Date: | 2015-02-17 17:13:43 |
| Message-ID: | 5681A8FD-2E79-4307-88AE-1A042FDC3F50@neiltiffin.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On Feb 17, 2015, at 3:40 AM, Yeb Havinga <yebhavinga(at)gmail(dot)com> wrote:
>
> Hi list,
>
. . . . .
> Auditing superuser access means auditing beyond the running database.
> The superuser can dump a table, and pipe this data everywhere outside of
> the auditing domain. I cannot begin to imagine the kind of security
> restrictions you'd need to audit what happens with data after libpq has
> produced the results. My best guess would be to incorporate some kind of
> separation of duty mechanism; only allow certain superuser operations
> with two people involved.
My views are from working with FDA validated environments, and I don’t really understand the above. It is not db auditing’s job to stop or control the access to data or to log what happens to data outside of PostgreSQL. To audit a db superuser is very simple, keep a log of everything a super user does and to write that log to a write append, no read filesystem or location. Since the db superuser can do anything there is no value in configuring what to log. This should be an option that once set, cannot be changed without reinstalling the PostgreSQL binary. The responsibility for auditing/controlling any binary replacement is the operating system’s, not PostgreSQL. In this environment the db superuser will not have authorized root access for the os.
The use case examples, that I am familiar with, are that procedural policies control what the db superuser can do. If the policy says that the db superuser cannot dump a table and pipe this data someplace without being supervised by a third party auditor (building on the above), then what you want in the log is that the data was dumped by whom with a date and time. Thats it. Its up to policies, audit review, management, and third party audit tools, to pick up the violation. Auditing’s job is to keep a complete report, not prevent. Prevention is the role of security.
Neil
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jim Nasby | 2015-02-17 18:00:13 | Re: Proposal : REINDEX xxx VERBOSE |
| Previous Message | Andres Freund | 2015-02-17 16:57:29 | Re: "multiple backends attempting to wait for pincount 1" |