From: | David Steele <david(at)pgmasters(dot)net> |
---|---|
To: | Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Simon Riggs <simon(at)2ndquadrant(dot)com> |
Subject: | Re: pgaudit - an auditing extension for PostgreSQL |
Date: | 2015-02-26 17:31:36 |
Message-ID: | 54EF5878.5030801@pgmasters.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 2/26/15 1:00 AM, Fujii Masao wrote:
> On Thu, Feb 26, 2015 at 1:40 PM, Alvaro Herrera
>> Clearly if you log only DROP TABLE, and then the malicious user hides
>> one such call inside a function that executes the drop (which is called
>> via a SELECT top-level SQL), you're not going to be happy.
>
> Yep, so what SQL should be logged in this case? Only "targeted" nested DDL?
> Both top and nested ones? Seems the later is better to me.
>
> What about the case where the function A calls the function B executing DDL?
> Every ancestor SQLs of the "targeted" DDL should be logged? Probably yes.
Currently only the targeted nested DDL would be logged. However, it
would log the top-level statement as well as the object that was dropped.
Here's an example from the unit tests:
do $$
begin
create table test_block (id int);
drop table test_block;
end; $$
When pg_audit.log = 'function, ddl' the output will be:
AUDIT: SESSION,FUNCTION,DO,,,do $$ begin create table test_block (id
int); drop table test_block; end; $$
AUDIT: SESSION,DDL,CREATE TABLE,TABLE,public.test_block,do $$ begin
create table test_block (id int); drop table test_block; end; $$
AUDIT: SESSION,DDL,DROP TABLE,TABLE,public.test_block,do $$ begin
create table test_block (id int); drop table test_block; end; $$
You can see that in the create and drop audit entries the
fully-qualified name is given. The statement comes from
debug_query_string so it shows the top-level statement, even though more
detail is given in the other fields when possible.
If pg_audit.log = 'ddl' then the DO entry would not be logged even
though statements under it were logged.
At least, that's the way it works currently.
--
- David Steele
david(at)pgmasters(dot)net
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2015-02-26 17:31:46 | plpgsql versus domains |
Previous Message | Andrew Dunstan | 2015-02-26 17:23:37 | Re: Precedence of standard comparison operators |