Re: pgaudit - an auditing extension for PostgreSQL

From: Jim Nasby <Jim(dot)Nasby(at)BlueTreble(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Abhijit Menon-Sen <ams(at)2ndquadrant(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Simon Riggs <simon(at)2ndquadrant(dot)com>, MauMau <maumau307(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Ian Barwick <ian(at)2ndquadrant(dot)com>
Subject: Re: pgaudit - an auditing extension for PostgreSQL
Date: 2015-01-26 21:23:15
Message-ID: 54C6B043.4030708@BlueTreble.com
Lists: pgsql-hackers

On 1/23/15 2:15 PM, Stephen Frost wrote:
>>> I happen to like the idea specifically because it would allow regular
>>> roles to change the auditing settings (no need to be a superuser or to
>>> be able to modify postgresql.conf/postgresql.auto.conf)
>>
>> Is there really a use case for non-superusers to be able to change auditing config? That seems like a bad idea.
> What's a bad idea is having every auditor on the system running around
> as superuser..

When it comes to looking at auditing data, I agree.

When it comes to changing auditing settings, I think that needs to be very restrictive. Really, it should be more (or differently) restrictive than SU, so that you can effectively audit your superusers with minimal worries about superusers tampering with auditing.
--
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com
