| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Abhijit Menon-Sen <ams(at)2ndquadrant(dot)com>, Ian Barwick <ian(at)2ndquadrant(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: pgaudit - an auditing extension for PostgreSQL |
| Date: | 2014-05-04 15:12:57 |
| Message-ID: | 24636.1399216377@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Abhijit Menon-Sen (ams(at)2ndquadrant(dot)com) wrote:
>> 1. I wish it were possible to prevent even the superuser from disabling
>> audit logging once it's enabled, so that if someone gained superuser
>> access without authorisation, their actions would still be logged.
>> But I don't think there's any way to do this.
> Their actions should be logged up until they disable auditing and
> hopefully those logs would be sent somewhere that they're unable to
> destroy (eg: syslog). Of course, we make that difficult by not
> supporting log targets based on criteria (logging EVERYTHING to syslog
> would suck).
> I don't see a way to fix this, except to minimize the amount of things
> requiring superuser to reduce the chances of it being compromised, which
> is something I've been hoping to see happen for a long time.
Prohibiting actions to the superuser is a fundamentally flawed concept.
If you do that, you just end up having to invent a new "more super"
kind of superuser who *can* do whatever it is that needs to be done.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Euler Taveira | 2014-05-04 15:13:31 | Re: pg_shmem_allocations view |
| Previous Message | Amit Kapila | 2014-05-04 15:09:01 | Re: Per table autovacuum vacuum cost limit behaviour strange |