Re: pgaudit - an auditing extension for PostgreSQL - Mailing list pgsql-hackers

From Abhijit Menon-Sen
Subject Re: pgaudit - an auditing extension for PostgreSQL
Date
Msg-id 20140504152158.GF22288@toroid.org
In response to Re: pgaudit - an auditing extension for PostgreSQL  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
At 2014-05-04 11:03:56 -0400, sfrost@snowman.net wrote:
>
> Another reloption is one option, or an extension on the ACL system
> (for that piece of it), or we could make a new catalog for it (ala
> pg_seclabel), or perhaps add it on to one (pg_seclabel but rename
> it to pg_security..?).

I'll look into those possibilities, thanks.

> Perhaps it could be a role-level permission instead of one which is
> per-table, but I don't think this should be superuser-only.

I like the idea of a role-level permission, or a (db,role)-level
permission (i.e. "role x is auditor for database y"), but I don't
feel I know enough about real-world auditing requirements to make
an informed decision here.

Ian did some research into how auditing is handled in other systems.
He's on vacation right now, and I'm not sure how much detail his report
has on this particular subject, but I'll have a look and try to present
a summary soon.

-- Abhijit


