Re: How to revoke privileged from PostgreSQL's superuser

On Thu, Aug 16, 2018 at 07:41:11AM +1000, raf wrote:
> Bruce Momjian wrote:
>
> > On Tue, Aug 14, 2018 at 03:59:19PM -0400, Bruce Momjian wrote:
> > > On Fri, Aug 10, 2018 at 04:06:40PM -0400, Benedict Holland wrote:
> > > > I also would take Bruce's comment with a massive grain of salt. Everything that
> > > > everyone does on a database is logged somewhere assuming proper logging. Now do
> > > > you have the person-power to go through gigs of plain text logs to find out if
> > > > someone is doing something shady... that is a question for your management
> > > > team. Also, if you suspect someone of doing something shady, you should
> > > > probably revoke their admin rights. 
> > >
> > > Agreed, the best way to limit the risk of undetected DBA removal of data
> > > is secure auditing --- I should have mentioned that.
> >
> > So, how do you securely audit? You ship the logs to a server that isn't
> > controlled by the DBA, via syslog? How do you prevent the DBA from
> > turning off logging when the want to so something undetected? Do you
> > log the turning off of logging?
> >
> > --
> > Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
>
> Yes. You can set up terminal session logging with redhat's
> tlog (https://github.com/Scribery/tlog) which can record all
> terminal activity done via ssh, ship it offsite and replay it
> for auditing purposes. So if an administrator does turn off any
> logging (presumably including tlog itself), you'll at least be
> able to see them turning it off.

Ah, yes, I can see that as helpful.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +