Re: pgaudit - an auditing extension for PostgreSQL

From: Neil Tiffin <neilt(at)neiltiffin(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: pgaudit - an auditing extension for PostgreSQL
Date: 2014-05-06 12:46:36
Message-ID: 4F296EB5-3832-44A7-A5B4-8B6DAAEAD4CF@neiltiffin.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers


On May 4, 2014, at 5:27 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> * Neil Tiffin (neilt(at)neiltiffin(dot)com) wrote:
>> On May 4, 2014, at 3:17 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>>> Any system where there exists a role similar to 'superuser' in the PG
>>> sense (a user who is equivilant to the Unix UID under which the rest of
>>> the system is run) would be hard-pressed to provide a solution to this
>>> issue.
>>
>> Not sure I understand which issue you are referring to. If you are referring to 'cannot be turned off', I would think a reasonable first pass would be to handle it similar to '--data-checksums' in 'initdb'. For example, "This option can only be set during initialization, and cannot be changed later. If set, basic auditing is on for all objects, in all databases."
>
> Well, except that a superuser *could* effectively turn off checksums by
> changing the the control file and doing a restart (perhaps modulo some
> other hacking; I've not tried). That kind of trivial 'hole' isn't
> acceptable from a security standpoint though and given that we couldn't
> prevent a superuser from doing an LD_PRELOAD and overriding any system
> call we make from the backend, it's kind of hard to see how we could
> plug such a hole.
>

Ah, I thought it would be more difficult than that for checksums, but PostgreSQL does not have to prevent hacking in my experience, that is the responsibility of other systems and procedures. If the core code was such that once on, formal logging could not be turned off with any changes to config files, settings, or SQL then in my experience that would suffice.

>>> With SELinux it may be possible and I'd love to see an example
>>> from someone who feels they've accomplished it. That said, if we can
>>> reduce the need for a 'superuser' role sufficiently by having the
>>> auditing able to be managed independently, then we may have reached the
>>> level of "considerable headache".
>>>
>>> As many have pointed out previously, there is a certain amount of risk
>>> associated with running without *any* superuser role in the system
>>
>> If all of the superuser's actions are logged and it's not possible to turn off the logging (without considerable headache) then it may not matter what the superuser can do. If the superuser makes changes and they are logged then the auditors have sufficient information to see if the correct procedures were followed. Validated systems are based on tracking, not necessarily prohibiting. Select individuals that should be able to be trusted (which should apply to superusers) should be able to perform the actions necessary to support the organization.
>
> Fair enough- the question is just a matter of what exactly that level of
> "headache" is.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2014-05-06 12:48:57 Re: possible dsm bug in dsm_attach()
Previous Message Andres Freund 2014-05-06 12:43:34 possible dsm bug in dsm_attach()