From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
---|---|
To: | oleg yusim <olegyusim(at)gmail(dot)com> |
Cc: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Jerry Sievers <gsievers19(at)comcast(dot)net>, Scott Mead <scottm(at)openscg(dot)com>, John R Pierce <pierce(at)hogranch(dot)com>, PostgreSQL General <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Loggingt psql meta-commands |
Date: | 2015-12-10 22:03:31 |
Message-ID: | 5669F6B3.10401@aklaver.com |
Lists: | pgsql-general |

On 12/10/2015 01:36 PM, oleg yusim wrote:
> Adrian,
>
> What I hope to achieve is to meet this requirement from Database SRG:

So some aspect of this:

https://www.stigviewer.com/stig/database_security_requirements_guide/

Can you be more specific?

>
> /Review DBMS documentation to verify that audit records can be produced
> when privileges/permissions/role memberships are retrieved./

That is a tall order; that is an almost constant process.

>
> To do that I would need to enable logging of such commands as \du, \dp,
> \z. At the same time, I do not want to get 20 GB of logs on a daily
> basis, by setting log_statement = 'all'. So, I'm trying to find a way in
> between.

Any way you look at this is going to require pulling in and analyzing a
great deal of information. That is why I asked for the specific
requirement, to help determine exactly what is being required.

>
> Thanks,
>
> Oleg
>
>
>
> On Thu, Dec 10, 2015 at 3:29 PM, Adrian Klaver
> <adrian(dot)klaver(at)aklaver(dot)com> wrote:
>
> On 12/10/2015 12:56 PM, oleg yusim wrote:
>
> So what I want to accomplish is logging queries for roles/privileges
> with minimal increasing volume of logs along the way. The idea I got
> from responses in this thread so far is:
>
> 1) Set log_statement on postgresql.conf to 'mod'
> 2) Raise log_statement to 'all' but only for postgres superuser
>
> What seems to be open questions to me with this model:
>
> 1) Way to check what log_statement is set to on a per-user basis
> (what table should I query?)
> 2) Way to ensure that only superuser can run meta commands, such
> as \du, \dp, \z
>
>
> Maybe if you tell us what you hope to achieve, monitoring or access
> denial and to what purpose, it might be possible to come up with a
> more complete answer.
>
>
> Thanks,
>
> Oleg
>
> On Thu, Dec 10, 2015 at 2:50 PM, David G. Johnston
> <david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
>
> On Thu, Dec 10, 2015 at 1:46 PM, oleg yusim
> <olegyusim(at)gmail(dot)com> wrote:
>
> Hi David,
>
> Can you, please, give me example?
>
>
> Not readily...maybe others can. Putting forth specific examples of
> what you want to accomplish may help.
>
> David J.
>
>
>
>
> --
> Adrian Klaver
> adrian(dot)klaver(at)aklaver(dot)com
>
>
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
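
The two-step model quoted in this message ('mod' as the server default, 'all' for the postgres role only) and the open question about where a per-user log_statement is stored, as an added example that is not part of the original thread. It assumes a superuser session; the role name postgres is the one used in the thread.

```sql
-- Step 1 (postgresql.conf, then reload): server-wide default.
--   log_statement = 'mod'

-- Step 2: per-role override. It is applied when a NEW session of that
-- role starts; sessions that are already open keep their current value.
ALTER ROLE postgres SET log_statement = 'all';

-- Open question 1: per-role and per-database overrides are stored in the
-- pg_db_role_setting catalog. setrole = 0 / setdatabase = 0 mean
-- "not specific to a role / database", hence the LEFT JOINs.
SELECT coalesce(r.rolname, '(all roles)')     AS role_name,
       coalesce(d.datname, '(all databases)') AS database_name,
       s.setconfig
FROM   pg_db_role_setting AS s
LEFT   JOIN pg_roles    AS r ON r.oid = s.setrole
LEFT   JOIN pg_database AS d ON d.oid = s.setdatabase
WHERE  EXISTS (SELECT 1
               FROM   unnest(s.setconfig) AS c
               WHERE  c LIKE 'log_statement=%')
ORDER  BY role_name, database_name;

-- Value in effect for the current session, and where it came from.
SELECT name, setting, source
FROM   pg_settings
WHERE  name = 'log_statement';

-- Auditing caveats:
--  * \du, \dp and \z are expanded by psql into ordinary catalog SELECTs
--    (psql -E prints them). The server never sees the backslash command,
--    so only log_statement = 'all' records them, and it records the
--    generated SQL text, not the meta-command.
--  * log_statement can only be changed by a superuser, so ordinary roles
--    cannot lower it for their own sessions; a superuser session can.
```

In psql, `\drds` lists the same per-role and per-database settings without writing the catalog query by hand.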