Re: pgaudit - an auditing extension for PostgreSQL - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: pgaudit - an auditing extension for PostgreSQL
Date
Msg-id 20150121122659.GG3062@tamriel.snowman.net
Whole thread Raw
In response to Re: pgaudit - an auditing extension for PostgreSQL  (Abhijit Menon-Sen <ams@2ndQuadrant.com>)
List pgsql-hackers
* Abhijit Menon-Sen (ams@2ndQuadrant.com) wrote:
> At 2015-01-20 21:47:02 -0500, sfrost@snowman.net wrote:
> > Review the opening of this email though and consider that we could
> > look at "what privileges has the audit role granted to the current
> > role?" as defining what is to be audited.
>
> Right, I understand now how that would work. I'll try to find time to
> (a) implement this, (b) remove the backwards-compatibility code, and
> (c) split up the USE_DEPARSE_FUNCTIONS stuff.

Great!  Thanks!

> > > For example, what if I want to see all the tables created and
> > > dropped by a particular user?
> >
> > I hadn't been intending to address that with this scheme, but I think
> > we have that by looking for privilege grants where the audit role is
> > the grantee and the role-to-be-audited the grantor.
>
> For CREATE, yes, with a bit of extra ACL-checking code in the utility
> hook; but I don't think we'll get very far without the ability to log
> ALTER/DROP too. :-) So there has to be some alternative mechanism for
> that, and I'm hoping Robert (or anyone!) has something in mind.

ALTER/DROP can be logged based on the USAGE privilege for the schema.
We can't differentiate those cases but we can at least handle them as a
group.
Thanks!
    Stephen

pgsql-hackers by date:

Previous
From: Amit Langote
Date:
Subject: Re: Parallel Seq Scan
Next
From: Alvaro Herrera
Date:
Subject: Re: Re: [COMMITTERS] pgsql: Disable -faggressive-loop-optimizations in gcc 4.8+ for pre-9.2