* Neil Tiffin (ne...@neiltiffin.com) wrote:
> On May 4, 2014, at 3:17 PM, Stephen Frost <sfr...@snowman.net> wrote:
> > Any system where there exists a role similar to 'superuser' in the PG
> > sense (a user who is equivalent to the Unix UID under which the rest of
> > the system is run) would be hard-pressed to provide a solution to this
> > issue.
> 
> Not sure I understand which issue you are referring to.  If you are referring 
> to 'cannot be turned off', I would think a reasonable first pass would be to 
> handle it similar to '--data-checksums' in 'initdb'.  For example, "This 
> option can only be set during initialization, and cannot be changed later. If 
> set, basic auditing is on for all objects, in all databases."

Well, except that a superuser *could* effectively turn off checksums by
changing the control file and doing a restart (perhaps modulo some
other hacking; I've not tried).  That kind of trivial 'hole' isn't
acceptable from a security standpoint though and given that we couldn't
prevent a superuser from doing an LD_PRELOAD and overriding any system
call we make from the backend, it's kind of hard to see how we could
plug such a hole.

> >  With SELinux it may be possible and I'd love to see an example
> > from someone who feels they've accomplished it.  That said, if we can
> > reduce the need for a 'superuser' role sufficiently by having the
> > auditing able to be managed independently, then we may have reached the
> > level of "considerable headache".
> > 
> > As many have pointed out previously, there is a certain amount of risk
> > associated with running without *any* superuser role in the system
> 
> If all of the superuser's actions are logged and it's not possible to turn 
> off the logging (without considerable headache) then it may not matter what 
> the superuser can do.  If the superuser makes changes and they are logged 
> then the auditors have sufficient information to see if the correct 
> procedures were followed.  Validated systems are based on tracking, not 
> necessarily prohibiting. Select individuals that should be able to be trusted 
> (which should apply to superusers) should be able to perform the actions 
> necessary to support the organization.

Fair enough- the question is just a matter of what exactly that level of
"headache" is.

        Thanks!

                Stephen
