Re: [EXTERNAL] Re: Detect who ran DROP schema

From: Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>
To: "Wetmore, Matthew (CTR)" <Matthew(dot)Wetmore(at)evernorth(dot)com>
Cc: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Siraj G <tosiraj(dot)g(at)gmail(dot)com>, sagar jadhav <sagarjdhv5(at)gmail(dot)com>, Wasim Devale <wasimd60(at)gmail(dot)com>, Kashif Zeeshan <kashi(dot)zeeshan(at)gmail(dot)com>, Muhammad Imtiaz <imtiazpg712(at)gmail(dot)com>, Pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org>
Subject: Re: [EXTERNAL] Re: Detect who ran DROP schema
Date: 2024-07-24 17:22:23
Message-ID: 202407241722.yigc7p4tnajc@alvherre.pgsql
Lists: pgsql-admin

On 2024-Jul-24, Wetmore, Matthew (CTR) wrote:

> This is a major issue in the DBA world as enterprise management lawyers get more popular.
>
> At a large company I was at, there was only one elevated user (which several people had user/pass for), and then our personal accounts could not do much due to modern corporate governance. This is how it was set up.
>
> As the DBA I couldn't even log into the Linux box where Postgres was installed.
>
> I couldn’t even change any logging without a two day ticket to do the work.
>
> Not specifically this issue, but this is more the norm nowadays than not.

Yeah. This is important if there are any potential attackers at all,
which given today's Internet, you can be pretty sure is always the case.

A database where people are allowed to connect as superuser is a sure
way to get in trouble sooner rather than later. Having layered security
is one of the first things you should be thinking about.

FWIW I think even that one elevated user to which several people have
user/pass is a bad idea; forensics would require knowing who used the
password when. It's better to have one elevated user _without login privs_,
to which people can SET ROLE when they require it. This leaves a better
trail.

If you add something like pgAudit to the mix and direct its logs (or all
Postgres logs) to a remote server where they can't easily be tampered
with by attackers, you'll have a better trail of who did what, when,
with what credentials.

--
Álvaro Herrera Breisgau, Deutschland — https://www.EnterpriseDB.com/
"I can't go to a restaurant and order food because I keep looking at the
fonts on the menu. Five minutes later I realize that it's also talking
about food" (Donald Knuth)
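The NOLOGIN-plus-SET ROLE pattern and the pgAudit logging Álvaro describes, as an added example that is not part of the thread. Role names (dbadmin, alice, bob), the schema name and the log settings are assumptions for illustration; pgAudit must already be in shared_preload_libraries and the server restarted before the pgaudit.* settings are accepted.

```sql
-- Weak pattern: one shared LOGIN superuser whose password several people know.
-- Every statement is logged under "dbadmin"; nothing records which person ran it.
--   CREATE ROLE dbadmin LOGIN SUPERUSER PASSWORD '...';   -- avoid

-- Better pattern: the elevated role cannot connect at all ...
CREATE ROLE dbadmin NOLOGIN SUPERUSER;

-- ... and is granted to named personal accounts, each authenticating on its own.
CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN;
GRANT dbadmin TO alice, bob;

-- Log the authenticated identity on every line: %u is the session user, which
-- does not change on SET ROLE; %d database, %r client host:port, %a application.
ALTER SYSTEM SET log_line_prefix = '%m [%p] user=%u db=%d host=%r app=%a ';

-- Ship the log off the box (a remote syslog collector is assumed) so an attacker
-- with local access cannot quietly edit it.
ALTER SYSTEM SET log_destination = 'syslog';
ALTER SYSTEM SET syslog_ident = 'postgres';

-- pgAudit: record DDL and role/grant changes for every session.
-- (Built-in alternative without the extension: log_statement = 'ddl'.)
CREATE EXTENSION IF NOT EXISTS pgaudit;
ALTER SYSTEM SET pgaudit.log = 'ddl, role';
SELECT pg_reload_conf();

-- Day-to-day use, as alice: escalate only for the statement that needs it.
SET ROLE dbadmin;
DROP SCHEMA IF EXISTS reporting CASCADE;
RESET ROLE;

-- Expect session_user = 'alice' even while current_user = 'dbadmin': the DROP
-- SCHEMA audit line (AUDIT: SESSION,...,DDL,DROP SCHEMA,SCHEMA,reporting,...)
-- is prefixed with user=alice, so the trail names the person, not the shared role.
SELECT session_user, current_user;
```

A shared LOGIN role cannot be recovered into this model after the fact; the log only ever shows the name the connection authenticated as.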
