Re: pgaudit - an auditing extension for PostgreSQL

* Jim Nasby (Jim(dot)Nasby(at)BlueTreble(dot)com) wrote:
> On 1/23/15 12:16 PM, Stephen Frost wrote:
> >Just to clarify- this concept isn't actually mine but was suggested by a
> >pretty sizable PG user who has a great deal of familiarity with other
> >databases. I don't mean to try and invoke the 'silent majority' but
> >rather to make sure folks don't think this is my idea alone or that it's
> >only me who thinks it makes sense.:) Simon had weighed in earlier
> >with, iirc, a comment that he thought it was a good approach also,
> >though that was a while ago and things have changed.
>
> I know there's definitely demand for auditing. I'd love to see us support it.
>
> >I happen to like the idea specifically because it would allow regular
> >roles to change the auditing settings (no need to be a superuser or to
> >be able to modify postgresql.conf/postgresql.auto.conf)
>
> Is there really a use case for non-superusers to be able to change auditing config? That seems like a bad idea.

What's a bad idea is having every auditor on the system running around
as superuser..

> Also, was there a solution to how to configure auditing on specific objects with a role-based mechanism? I think we really do need something akin to role:action:object tuples, and I don't see how to do that with roles alone.

That is supported with the grant-based proposal.

> BTW, I'm starting to feel like this needs a wiki page to get the design pulled together.

I agree with that and was planning to offer help with the documentation
and building of such a wiki with examples, etc, once the implementation
was far enough along to demonstrate that the design will actually work..

Thanks!

Stephen