Re: pgaudit - an auditing extension for PostgreSQL

* Abhijit Menon-Sen (ams(at)2ndQuadrant(dot)com) wrote:
> At 2015-01-20 21:47:02 -0500, sfrost(at)snowman(dot)net wrote:
> > Review the opening of this email though and consider that we could
> > look at "what privileges has the audit role granted to the current
> > role?" as defining what is to be audited.
>
> Right, I understand now how that would work. I'll try to find time to
> (a) implement this, (b) remove the backwards-compatibility code, and
> (c) split up the USE_DEPARSE_FUNCTIONS stuff.

Great! Thanks!

> > > For example, what if I want to see all the tables created and
> > > dropped by a particular user?
> >
> > I hadn't been intending to address that with this scheme, but I think
> > we have that by looking for privilege grants where the audit role is
> > the grantee and the role-to-be-audited the grantor.
>
> For CREATE, yes, with a bit of extra ACL-checking code in the utility
> hook; but I don't think we'll get very far without the ability to log
> ALTER/DROP too. :-) So there has to be some alternative mechanism for
> that, and I'm hoping Robert (or anyone!) has something in mind.

ALTER/DROP can be logged based on the USAGE privilege for the schema.
We can't differentiate those cases but we can at least handle them as a
group.

Thanks!

Stephen