Re: pgaudit - an auditing extension for PostgreSQL

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Neil Tiffin <neilt(at)neiltiffin(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: pgaudit - an auditing extension for PostgreSQL
Date: 2014-05-06 13:03:36
Message-ID: 20140506130336.GO2556@tamriel.snowman.net
Lists: pgsql-hackers

* Neil Tiffin (neilt(at)neiltiffin(dot)com) wrote:
> On May 4, 2014, at 5:27 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > * Neil Tiffin (neilt(at)neiltiffin(dot)com) wrote:
> > Well, except that a superuser *could* effectively turn off checksums by
> > changing the control file and doing a restart (perhaps modulo some
> > other hacking; I've not tried). That kind of trivial 'hole' isn't
> > acceptable from a security standpoint though and given that we couldn't
> > prevent a superuser from doing an LD_PRELOAD and overriding any system
> > call we make from the backend, it's kind of hard to see how we could
> > plug such a hole.
> >
>
> Ah, I thought it would be more difficult than that for checksums, but PostgreSQL does not have to prevent hacking in my experience; that is the responsibility of other systems and procedures. If the core code were such that, once on, formal logging could not be turned off with any changes to config files, settings, or SQL, then in my experience that would suffice.

We could set it up similar to how security labels work, where the
config file (which could be owned by 'root' and therefore unable to be
changed by a superuser) has an auditing setting and changing it requires
a restart (meaning that the config file would have to be modified to
change it, and the database restarted). However, it might be possible
for a superuser to configure and start an independent postmaster with a
different configuration that points to the same database (or a copy of
it).

That's for a system-wide auditing setting, but if we actually want the
auditing to only be on certain database objects, it gets worse. We
need to track what objects need the auditing and we'd do that using the
catalog, which a superuser can modify. Security labels have
more-or-less the same issue, of course.

This is why we don't try to protect against superusers (and why I'm
hopeful that we can reduce the need for a superuser role to exist).
Again, we have to consider that a superuser essentially has a full shell
on the DB server as the user that the database runs under.

Thanks,

Stephen
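An added example, not from this thread, of the detection side of the rogue-postmaster concern above: given a sanctioned instance whose config file lives outside PGDATA and is owned by root, a host check that flags any running postmaster whose data directory or config_file differs from the sanctioned pair. The paths and the ps output are assumed/constructed for the example.

```python
import os
import shlex

# Sanctioned locations, assumed for this example: the config lives outside PGDATA
# and is owned by root, so the database OS user can read but not edit it.
SANCTIONED_DATADIR = "/var/lib/postgresql/9.4/main"
SANCTIONED_CONFIG = "/etc/postgresql/9.4/main/postgresql.conf"


def parse_postmaster_args(argv):
    """(datadir, config_file) for a postmaster argv; None for 'postgres: ...' backends."""
    if not argv or os.path.basename(argv[0]) not in ("postgres", "postmaster"):
        return None
    datadir = config_file = None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-D" and i + 1 < len(argv):          # -D <datadir>
            datadir, i = argv[i + 1], i + 1
        elif arg == "-c" and i + 1 < len(argv):        # -c name=value
            name, _, value = argv[i + 1].partition("=")
            config_file = value if name == "config_file" else config_file
            i += 1
        i += 1
    return datadir, config_file


def find_unsanctioned_postmasters(ps_lines, datadir=SANCTIONED_DATADIR,
                                  config_file=SANCTIONED_CONFIG):
    """ps_lines: lines of `ps -eo pid,args --no-headers`. An unset config_file
    means $PGDATA/postgresql.conf, which the DB OS user can edit, so it is flagged."""
    findings = []
    for line in ps_lines:
        pid, _, args = line.strip().partition(" ")
        parsed = parse_postmaster_args(shlex.split(args))
        if parsed is None:
            continue
        seen_dir, seen_conf = parsed
        if seen_dir != datadir or seen_conf != config_file:
            findings.append({"pid": int(pid), "datadir": seen_dir,
                             "config_file": seen_conf})
    return findings


# Constructed sample: the sanctioned postmaster, two of its backends, and a second
# postmaster the database OS user started against a copy of the data directory.
SAMPLE_PS = [
    "1234 /usr/lib/postgresql/9.4/bin/postgres -D /var/lib/postgresql/9.4/main -c config_file=/etc/postgresql/9.4/main/postgresql.conf",
    "1236 postgres: checkpointer process",
    "1237 postgres: wal writer process",
    "4321 /usr/lib/postgresql/9.4/bin/postgres -D /tmp/pgcopy",
]
```

Run periodically from a root-owned job rather than from inside the database, since anything the database superuser can reach is, as the message says, as good as a shell for that OS user.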
