Re: pgaudit - an auditing extension for PostgreSQL

From: "MauMau" <maumau307(at)gmail(dot)com>
To: "Robert Haas" <robertmhaas(at)gmail(dot)com>, "Stephen Frost" <sfrost(at)snowman(dot)net>
Cc: "Abhijit Menon-Sen" <ams(at)2ndquadrant(dot)com>, "Alvaro Herrera" <alvherre(at)2ndquadrant(dot)com>, "Fujii Masao" <masao(dot)fujii(at)gmail(dot)com>, "Ian Barwick" <ian(at)2ndquadrant(dot)com>, <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pgaudit - an auditing extension for PostgreSQL
Date: 2014-07-01 12:39:27
Message-ID: 3C1EF1239BE94020A9D0224AC4BC8623@maumau
Lists: pgsql-hackers

I'm sorry to interrupt you, but I feel strong sympathy with Stephen-san.

From: "Robert Haas" <robertmhaas(at)gmail(dot)com>
> I don't think that's a valid objection. If we someday have auditing
> in core, and if it subsumes what pgaudit does, then whatever
> interfaces pgaudit implements can be replaced with wrappers around the
> core functionality, just as we did for text search.

Won't it be a burden and a headache to maintain pgaudit code when it becomes
obsolete in the near future?

> But personally, I think this patch deserves to be reviewed on its own
> merits, and not the extent to which it satisfies your requirements, or
> those of NIST 800-53. As I said before, I think auditing is a
> complicated topic and there's no guarantee that one solution will be
> right for everyone. As long as we keep those solutions out of core,
> there's no reason that multiple solutions can't coexist; people can
> pick the one that best meets their requirements. As soon as we start
> talking about putting something into core, the bar is a lot higher,
> because we're not going to put two auditing solutions into core, so if
> we do put one in, it had better be the right thing for everybody. I
> don't even think we should be considering that at this point; I think
> the interesting (and under-discussed) question on this thread is
> whether it even makes sense to put this into contrib. That means we
> need some review of the patch for what it is, which there hasn't been
> much of, yet.

Then, what is this auditing capability for? I don't know whether various
regulations place such different requirements on auditing, but how about
targeting some real requirements? What would make many people happy? PCI
DSS?

I bet Japanese customers are severe, from my experience, and I'm afraid they
would be disappointed if PostgreSQL provided auditing functionality which
does not conform to any real regulations like PCI DSS, NIST, etc., now that
other major vendors have provided auditing for years. They wouldn't want to
customize contrib code because DBMS development is difficult. I wish for
in-core serious auditing functionality.

Regards
MauMau
