Re: pgaudit - an auditing extension for PostgreSQL - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: pgaudit - an auditing extension for PostgreSQL
Msg-id 20150217144359.GP6717@tamriel.snowman.net
In response to Re: pgaudit - an auditing extension for PostgreSQL  (Yeb Havinga <yebhavinga@gmail.com>)
Responses Re: pgaudit - an auditing extension for PostgreSQL  (Simon Riggs <simon@2ndQuadrant.com>)
List pgsql-hackers
Yeb,

* Yeb Havinga (yebhavinga@gmail.com) wrote:
> On 20/01/15 23:03, Jim Nasby wrote:
> > On 1/20/15 2:20 PM, Robert Haas wrote:
> > +1. In particular I'm very concerned with the idea of doing this via
> > roles, because that would make it trivial for any superuser to disable
> > auditing.
>
> Rejecting the audit administration through the GRANT system, on the
> grounds that it is easy for the superuser to disable it, seems unreasonable
> to me, since superusers are different from non-superusers in a
> fundamental way.

Agreed.

> The patch as it is, is targeted at auditing user/application level
> access to the database, and as such it matches the use case of auditing
> user actions.

Right, and that's a *very* worthwhile use-case.

> Auditing superuser access means auditing beyond the running database.

Exactly! :)

Thanks!
    Stephen
