From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Benedict Holland <benedict(dot)m(dot)holland(at)gmail(dot)com> |
Cc: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, "bejita0409(at)yahoo(dot)co(dot)jp" <bejita0409(at)yahoo(dot)co(dot)jp>, "pgsql-admin(at)lists(dot)postgresql(dot)org" <pgsql-admin(at)lists(dot)postgresql(dot)org>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: How to revoke privileged from PostgreSQL's superuser |
Date: | 2018-08-15 14:59:12 |
Message-ID: | 20180815145912.GA11573@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin pgsql-general |
On Tue, Aug 14, 2018 at 03:59:19PM -0400, Bruce Momjian wrote:
> On Fri, Aug 10, 2018 at 04:06:40PM -0400, Benedict Holland wrote:
> > I also would take Bruce's comment with a massive grain of salt. Everything that
> > everyone does on a database is logged somewhere assuming proper logging. Now do
> > you have the person-power to go through gigs of plain text logs to find out if
> > someone is doing something shady... that is a question for your management
> > team. Also, if you suspect someone of doing something shady, you should
> > probably revoke their admin rights.
>
> Agreed, the best way to limit the risk of undetected DBA removal of data
> is secure auditing --- I should have mentioned that.
So, how do you securely audit? You ship the logs to a server that isn't
controlled by the DBA, via syslog? How do you prevent the DBA from
turning off logging when the want to so something undetected? Do you
log the turning off of logging?
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
From | Date | Subject | |
---|---|---|---|
Next Message | Daniel Blanch Bataller | 2018-08-15 15:52:49 | Re: increase insert into local table from remote oracle table preformance |
Previous Message | Andrew Kerber | 2018-08-15 11:42:37 | Re: increase insert into local table from remote oracle table preformance |
From | Date | Subject | |
---|---|---|---|
Next Message | Evan Rempel | 2018-08-15 16:05:51 | Re: How to revoke privileged from PostgreSQL's superuser |
Previous Message | 김세훈 | 2018-08-15 14:09:58 | using graph model with PostgreSQL |