Re: How to revoke privileged from PostgreSQL's superuser

From: Tim Cross <theophilusx(at)gmail(dot)com>
To: erempel(at)uvic(dot)ca
Cc: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: How to revoke privileged from PostgreSQL's superuser
Date: 2018-08-15 04:21:28
Message-ID: CAC=50j-4EfdwedS9OeVJArX9yWw2y1ivxx6Pgq07n=Ec2f6C=g@mail.gmail.com
Lists: pgsql-admin pgsql-general

On Wed, 15 Aug 2018 at 13:50, Evan Rempel <erempel(at)uvic(dot)ca> wrote:

> In my opinion that is exactly why you log to syslog. The syslog
> infrastructure can also forward in real time the log events to a remote
> log collector that the DBAs don't even have access to. This method
> provides for a secure and pristine log stream for archiving and audit
> review processes.
>
> Evan.
>
> On 08/14/2018 08:44 PM, dangal wrote:
> > From what I saw pgaudit records the postgres log, any dba can modify that log
> >
> > --
> > Sent from: http://www.postgresql-archive.org/PostgreSQL-admin-f2076596.html
> >
>
> +1 wrt syslog and remote logging. Any environment where security and
> access monitoring is important should always have logs copied to a remote,
> secure server with access limited to individuals who are not also
> responsible for administering key systems, such as the database server.
>

When compromising a system, it is normal to attempt to cover up your
activity by modifying or deleting log files. Having these copied to a
separate system means the threat actor has to now compromise multiple
servers.

Another useful setup is the 'ELK' stack, which uses logstash and Elasticsearch
to provide a powerful log storage and querying infrastructure (which
can also unify logs from different sources). This can make auditing and
monitoring much more powerful.

Tim

--
regards,

Tim

--
Tim Cross
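
The setup discussed in this thread (pgaudit output sent to syslog and forwarded to a collector the DBAs cannot reach) could be configured as below. This is an added example, not configuration posted by anyone in the thread; the collector name `loghost.example.internal`, the `LOCAL0` facility, the rsyslog file path and the queue name are assumptions.

```conf
# --- postgresql.conf (database host) ---
# Load pgaudit and choose which statement classes it records.
shared_preload_libraries = 'pgaudit'
pgaudit.log = 'role, ddl'

# Send the server log, pgaudit entries included, to the local syslog
# daemon instead of a file the database administrators can edit.
log_destination = 'syslog'
# Assumed: LOCAL0 is reserved for PostgreSQL on this host.
syslog_facility = 'LOCAL0'
syslog_ident = 'postgres'
# Prefix each message with an increasing number so missing events
# can be noticed on the collector.
syslog_sequence_numbers = on
log_connections = on
log_disconnections = on
log_line_prefix = 'user=%u db=%d host=%h '

# --- /etc/rsyslog.d/30-postgres-forward.conf (database host, assumed path) ---
# Forward the LOCAL0 stream over TCP as each event arrives. The queue
# buffers events (spilling to rsyslog's work directory) while the
# collector is unreachable, and retries without limit.
# Assumed collector name: loghost.example.internal
if $syslogfacility-text == 'local0' then {
    action(type="omfwd"
           target="loghost.example.internal"
           port="514"
           protocol="tcp"
           queue.type="LinkedList"
           queue.filename="pg_audit_fwd"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

Forwarding protects only the events that have already left the host, and a superuser can still change `log_destination`, so the collector should alert when a database host's stream goes quiet.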
