Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL

From: David Ondrejik <david(dot)ondrejik(at)noaa(dot)gov>
To: Robin Iddon <robin(at)edesix(dot)com>, Khangelani Gama <kgama(at)argility(dot)com>, pgsql-admin(at)postgresql(dot)org
Subject: Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL
Date: 2012-03-14 15:01:20
Message-ID: CAPVc05NYyTM+fzo+phRBU0W26qdc+Ora5GJ6yui47q5sxocYLw@mail.gmail.com
Lists: pgsql-admin

In Linux you can set up and use the "sudo" option. For those whom you don't
wish to have root access, simply make them sudousers, then change the root
password. This will force those users to simply type "sudo" (w/o quotes) at
the beginning of each command they want to run (i.e. sudo psql db_name
"insert into...."). The user will then be prompted for THEIR password. If
their userid is in the sudouser file, the command will run with root
privileges. It also logs their actions in a log file (usually in /var/log,
but that is configurable) which has only read permissions for root.

Once the first sudo command is run, the sudousers can continue to run
commands with root privileges for 10 minutes in that shell (time is
adjustable). We use it at my office and it has been effective.

You can then scour the log file to see what activities have been carried
out by your sudousers... a possible workaround to this problem.

Dave

On Wed, Mar 14, 2012 at 9:03 AM, Robin Iddon <robin(at)edesix(dot)com> wrote:

> You lose if you have provided people you do not trust with root access:
> they can be whoever they want to be and there is nothing you can do
> about it. In my belief there is absolutely no way of making the system
> safe with untrusted root users. Don't waste your time trying.
>
> Any attempt to create an audit trail by adding in username capture in
> the software is doomed to being circumvented by anybody with root access
> who doesn't want to be traced.
>
> For example:
>
> robin$ su - root
> root# su - kgama
> kgama$ su - root ... do something bad.
>
> Now it looks like you did it, even though it was me.
>
> Robin
>
> On Wed, 2012-03-14 at 14:39 +0200, Khangelani Gama wrote:
> > Hi, anyone with an idea based on my latest comments below? Thanks
> >
> > -----Original Message-----
> > From: Khangelani Gama [mailto:kgama(at)argility(dot)com]
> > Sent: Wednesday, March 14, 2012 1:25 PM
> > To: 'Robin Iddon'; 'pgsql-admin(at)postgresql(dot)org'
> > Subject: RE: [ADMIN] Update actions (with user name) inside PostgreSQL DB -
> > any version on postgreSQL
> >
> > Thanks, the issue we have is that we have many Linux users having root
> > access into the system. So they're able to access the DB by just going
> > in as "su - superusername". If this user is able to make any updates inside
> > the database it might create problems. Auditors want PostgreSQL to tell who
> > updated what inside the database besides client users that access the
> > database from outside using some applications. So this common
> > "superusername" doesn't tell the actual person who got into the system
> > and went on to make updates inside the database because they first logged
> > in as their Linux users before going in as the postgres user called
> > "superusername".
> >
> > -----Original Message-----
> > From: pgsql-admin-owner(at)postgresql(dot)org
> > [mailto:pgsql-admin-owner(at)postgresql(dot)org] On Behalf Of Robin Iddon
> > Sent: Wednesday, March 14, 2012 12:54 PM
> > To: pgsql-admin(at)postgresql(dot)org
> > Subject: Re: [ADMIN] Update actions (with user name) inside PostgreSQL DB -
> > any version on postgreSQL
> >
> > What do you want to have happen to the timestamp/user?
> >
> > You can obviously do:
> >
> > update test set t4 = 9, user = <someuser>, timestamp = <sometimestamp>
> > where t1 = 001;
> >
> > I'm assuming you're trying to store the user and timestamp somewhere
> > else, though?
> >
> > Robin
> >
> > On Wed, 2012-03-14 at 12:44 +0200, Khangelani Gama wrote:
> > >
> > > Hi
> > >
> > > Is it possible to have an update query that will specify actions,
> > > timestamp, user who's making the update inside the database. Can this
> > > be done without any script but just in the transaction block?
> > >
> > > Example:
> > >
> > > dbtest=# UPDATE table test set t4 = 9 where t1 = 001 then specify
> > > user_name, timestamp() ;
> > >
> > > Thanks in advance
> > >
> > > CONFIDENTIALITY NOTICE
> > > The contents of and attachments to this e-mail are intended for the
> > > addressee only, and may contain the confidential information of
> > > Argility (Proprietary) Limited and/or its subsidiaries. Any review,
> > > use or dissemination thereof by anyone other than the intended
> > > addressee is prohibited. If you are not the intended addressee please
> > > notify the writer immediately and destroy the e-mail. Argility
> > > (Proprietary) Limited and its subsidiaries distance themselves from
> > > and accept no liability for unauthorised use of their e-mail
> > > facilities or e-mails sent other than strictly for business purposes.
> >
> > --
> > Sent via pgsql-admin mailing list (pgsql-admin(at)postgresql(dot)org)
> > To make changes to your subscription:
> > http://www.postgresql.org/mailpref/pgsql-admin
>

--
Dave Ondrejik - Senior Hydrologist
National Weather Service
Middle Atlantic River Forecast Center
328 Innovation Blvd, Suite #330
State College, PA 16870
(814) 231-2403
david(dot)ondrejik(at)noaa(dot)gov

See us on the web at:
http://www.weather.gov/marfc
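Dave's log-review step, as an added example that is not part of the thread: a small POSIX sh/awk script that lists sudo's record of which Linux account ran which command as which target user, and flags the entries where the invoker became root or ran su, which is exactly where Robin says attribution stops. The log lines are constructed for this example; real entries usually sit in /var/log/auth.log or /var/log/secure and are readable only by root.

```shell
#!/bin/sh
# Added example, not from the thread: turn sudo's syslog entries into a
# "who ran what as whom" table, then flag entries that break attribution.
# SAMPLE_LOG is constructed for this example (sudo's real line format, but
# invented users, host and commands).
SAMPLE_LOG=$(cat <<'EOF'
Mar 14 14:39:01 dbhost sudo:    kgama : TTY=pts/0 ; PWD=/home/kgama ; USER=postgres ; COMMAND=/usr/bin/psql db_name -c update test set t4 = 9 where t1 = 001
Mar 14 14:39:01 dbhost sudo: pam_unix(sudo:session): session opened for user postgres by kgama(uid=0)
Mar 14 14:40:12 dbhost sudo:    robin : TTY=pts/1 ; PWD=/home/robin ; USER=root ; COMMAND=/bin/su - kgama
Mar 14 14:41:30 dbhost sudo:    robin : command not allowed ; TTY=pts/1 ; PWD=/home/robin ; USER=root ; COMMAND=/bin/bash
Mar 14 14:42:05 dbhost sshd[2211]: Accepted publickey for kgama from 10.0.0.5 port 51234 ssh2
EOF
)

# One tab-separated line per command sudo actually executed:
#   "<time>\t<invoking user>\t<target user>\t<command>"
# Session-open lines (no COMMAND=) and denied attempts are skipped.
sudo_commands() {
    printf '%s\n' "$1" | awk -F' ; ' '
        /sudo:/ && /COMMAND=/ && !/command not allowed/ {
            split($1, head, /sudo: +/)      # head[1]="Mar 14 14:39:01 dbhost ", head[2]="kgama : TTY=..."
            split(head[2], who, " : ")      # who[1] is the Linux account that typed sudo
            split(head[1], ts, " ")         # ts[1..3] = month, day, time
            target = ""; cmd = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^USER=/)    target = substr($i, 6)
                if ($i ~ /^COMMAND=/) cmd    = substr($i, 9)
            }
            print ts[1] " " ts[2] " " ts[3] "\t" who[1] "\t" target "\t" cmd
        }'
}

# Entries after which the log can no longer tie actions to one person:
# the target user is root, or the command is su (a new identity follows).
sudo_identity_breaks() {
    sudo_commands "$1" | awk -F'\t' '$3 == "root" || $4 ~ /(^|\/)su( |$)/'
}

sudo_commands "$SAMPLE_LOG"
echo '--- entries that break attribution ---'
sudo_identity_breaks "$SAMPLE_LOG"
```

Restricting the sudoers entry to `psql` as the postgres user, rather than granting root, keeps the second list empty in normal operation.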
