Re: pgaudit - an auditing extension for PostgreSQL - Mailing list pgsql-hackers

From Jim Nasby
Subject Re: pgaudit - an auditing extension for PostgreSQL
Date
Msg-id 54E3D12D.1070004@BlueTreble.com
Whole thread Raw
In response to Re: pgaudit - an auditing extension for PostgreSQL  (Stephen Frost <sfrost@snowman.net>)
Responses Re: pgaudit - an auditing extension for PostgreSQL
List pgsql-hackers
On 2/17/15 1:10 PM, Stephen Frost wrote:
>> What I'd prefer to see is a way to decouple the OS account from any
>> >DB account. Clearly that doesn't protect us from the OS user doing
>> >something bad, but at least then there's no way for them to just
>> >silently run SQL commands.
> If the DB account isn't a superuser then everything changes.  There's no
> point fighting with the OS user- they can run some other PG binary which
> they've copied over locally and run SQL with that, or copy all the files
> over to another server which they have complete access to.  The fact
> that they can also connect to the DB and run SQL isn't really an issue.

I disagree. The difference here is that the OS can audit whatever 
commands they're running, but not what happens inside something like 
psql. Even if you did run a keylogger, trying to use that to interpret a 
psql session would be a real pain, if not impossible. So I don't think 
we can rely on the OS to audit SQL at all. But obviously if they did 
something like copy the files somewhere else, or bring in a new binary, 
the OS would at least have record that that happened.

Though... I wonder if there's some way we could disallow *all* superuser 
access to the database, and instead create a special non-interactive 
CLI. That would allow us to throw the problem over the wall to the OS.

In any case, I think it's clear that there's a lot of value in at least 
handling the non-SU case, so we should try and do that now. Even if it's 
only in contrib.

One thing that does occur to me though... perhaps we should specifically 
disable auditing of SU activities, so we're not providing a false sense 
of security.
-- 
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com



pgsql-hackers by date:

Previous
From: Michael Paquier
Date:
Subject: Re: Commit fest 2015-12 enters money time
Next
From: Jim Nasby
Date:
Subject: Re: Configurable location for extension .control files