Re: pgaudit - an auditing extension for PostgreSQL

From: David Steele <david(at)pgmasters(dot)net>
To: Fujii Masao <masao(dot)fujii(at)gmail(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Simon Riggs <simon(at)2ndQuadrant(dot)com>
Subject: Re: pgaudit - an auditing extension for PostgreSQL
Date: 2015-02-23 16:29:24
Message-ID: 54EB5564.2030501@pgmasters.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On 2/18/15 10:25 AM, David Steele wrote:
> On 2/18/15 6:11 AM, Fujii Masao wrote:
>> The pg_audit doesn't log BIND parameter values when prepared statement is used.
>> Seems this is an oversight of the patch. Or is this intentional?
>
> It's actually intentional - following the model I talked about in my
> earlier emails, the idea is to log statements only. This also follows
> on 2ndQuadrant's implementation.

Unfortunately, I think it's beyond the scope of this module to log bind
variables. I'm following not only 2ndQuadrant's implementation, but
Oracle's as well.

> Logging values is interesting, but I'm sure the user would want to
> specify which columns to log, which I felt was beyond the scope of the
> patch.
>
>> The pg_audit cannot log the statement like "SELECT 1" which doesn't access to
>> the database object. Is this intentional? I think that there are many users who
>> want to audit even such statement.
>
> I think I see how to make this work. I'll work on it for the next
> version of the patch.

This has been fixed in the v2 patch.

>> Imagine the case where you call the user-defined function which executes
>> many nested statements. In this case, pg_audit logs only top-level statement
>> (i.e., issued directly by client) every time nested statement is executed.
>> In fact, one call of such UDF can cause lots of *same* log messages. I think
>> this is problematic.
>
> I agree - not sure how to go about addressing it, though. I've tried to
> cut down on the verbosity of the logging in general, but of course it
> can still be a problem.
>
> Using security definer and a different logging GUC for the defining role
> might work. I'll add that to my unit tests and see what happens.

That didn't work - but I didn't really expect it to.

Here are two options I thought of:

1) Follow Oracle's "as session" option and only log each statement type
against an object the first time it happens in a session. This would
greatly reduce logging, but might be too little detail. It would
increase the memory footprint of the module to add the tracking.

2) Only log once per call to the backend. Essentially, we would only
log the statement you see in pg_stat_activity. This could be a good
option because it logs what the user accesses directly, rather than
functions, views, etc. which hopefully are already going through a
review process and can be audited that way.

Would either of those address your concerns?

--
- David Steele
david(at)pgmasters(dot)net

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Amit Kapila 2015-02-23 16:31:40 Re: Allow "snapshot too old" error, to prevent bloat
Previous Message David Steele 2015-02-23 15:59:18 Re: Auditing extension for PostgreSQL (Take 2)