From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | raf <raf(at)raf(dot)org> |
Cc: | pgsql-admin(at)lists(dot)postgresql(dot)org |
Subject: | Re: How to revoke privileged from PostgreSQL's superuser |
Date: | 2018-08-15 21:43:24 |
Message-ID: | 20180815214324.GA23987@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin pgsql-general |
On Thu, Aug 16, 2018 at 07:41:11AM +1000, raf wrote:
> Bruce Momjian wrote:
>
> > On Tue, Aug 14, 2018 at 03:59:19PM -0400, Bruce Momjian wrote:
> > > On Fri, Aug 10, 2018 at 04:06:40PM -0400, Benedict Holland wrote:
> > > > I also would take Bruce's comment with a massive grain of salt. Everything that
> > > > everyone does on a database is logged somewhere assuming proper logging. Now do
> > > > you have the person-power to go through gigs of plain text logs to find out if
> > > > someone is doing something shady... that is a question for your management
> > > > team. Also, if you suspect someone of doing something shady, you should
> > > > probably revoke their admin rights.
> > >
> > > Agreed, the best way to limit the risk of undetected DBA removal of data
> > > is secure auditing --- I should have mentioned that.
> >
> > So, how do you securely audit? You ship the logs to a server that isn't
> > controlled by the DBA, via syslog? How do you prevent the DBA from
> > turning off logging when the want to so something undetected? Do you
> > log the turning off of logging?
> >
> > --
> > Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
>
> Yes. You can set up terminal session logging with redhat's
> tlog (https://github.com/Scribery/tlog) which can record all
> terminal activity done via ssh, ship it offsite and replay it
> for auditing purposes. So if an administrator does turn off any
> logging (presumably including tlog itself), you'll at least be
> able to see them turning it off.
Ah, yes, I can see that as helpful.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
From | Date | Subject | |
---|---|---|---|
Next Message | Tim Cross | 2018-08-15 22:30:14 | Re: How to revoke privileged from PostgreSQL's superuser |
Previous Message | raf | 2018-08-15 21:41:11 | Re: How to revoke privileged from PostgreSQL's superuser |
From | Date | Subject | |
---|---|---|---|
Next Message | Tim Cross | 2018-08-15 22:30:14 | Re: How to revoke privileged from PostgreSQL's superuser |
Previous Message | raf | 2018-08-15 21:41:11 | Re: How to revoke privileged from PostgreSQL's superuser |