Re: pgaudit - an auditing extension for PostgreSQL - Mailing list pgsql-hackers

From MauMau
Subject Re: pgaudit - an auditing extension for PostgreSQL
Date
Msg-id 3C1EF1239BE94020A9D0224AC4BC8623@maumau
Whole thread Raw
In response to Re: pgaudit - an auditing extension for PostgreSQL  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: pgaudit - an auditing extension for PostgreSQL
List pgsql-hackers
I'm sorry to interrupt you, but I feel strong sympathy with Stephen-san.

From: "Robert Haas" <robertmhaas@gmail.com>
> I don't think that's a valid objection.  If we someday have auditing
> in core, and if it subsumes what pgaudit does, then whatever
> interfaces pgaudit implements can be replaced with wrappers around the
> core functionality, just as we did for text search.

Won't it be burden and a headache to maintain pgaudit code when it becomes 
obsolete in the near future?


> But personally, I think this patch deserves to be reviewed on its own
> merits, and not the extent to which it satisfies your requirements, or
> those of NIST 800-53.  As I said before, I think auditing is a
> complicated topic and there's no guarantee that one solution will be
> right for everyone.  As long as we keep those solutions out of core,
> there's no reason that multiple solutions can't coexist; people can
> pick the one that best meets their requirements.  As soon as we start
> talking about something putting into core, the bar is a lot higher,
> because we're not going to put two auditing solutions into core, so if
> we do put one in, it had better be the right thing for everybody.  I
> don't even think we should be considering that at this point; I think
> the interesting (and under-discussed) question on this thread is
> whether it even makes sense to put this into contrib.  That means we
> need some review of the patch for what it is, which there hasn't been
> much of, yet.

Then, what is this auditing capability for?  I don't know whether various 
regulations place so different requirements on auditing, but how about 
targeting some real requirements?  What would make many people happy?  PCI 
DSS?

I bet Japanese customers are severe from my experience, and I'm afraid they 
would be disappointed if PostgreSQL provides auditing functionality which 
does not conform to any real regulations like PCI DSS, NIST, etc, now that 
other major vendors provide auditing for years.  They wouldn't want to 
customize contrib code because DBMS development is difficult.  I wish for 
in-core serious auditing functionality.

Regards
MauMau





pgsql-hackers by date:

Previous
From: Peter Eisentraut
Date:
Subject: Re: PostgreSQL for VAX on NetBSD/OpenBSD
Next
From: Greg Stark
Date:
Subject: Re: Fresh initdb contains a few deleted B-Tree pages