* Neil Tiffin (ne...@neiltiffin.com) wrote:
> On May 4, 2014, at 3:17 PM, Stephen Frost <sfr...@snowman.net> wrote:
> > Any system where there exists a role similar to 'superuser' in the PG
> > sense (a user who is equivalent to the Unix UID under which the rest of
> > the system is run) would be hard-pressed to provide a solution to this
> > issue.
>
> Not sure I understand which issue you are referring to. If you are referring
> to 'cannot be turned off', I would think a reasonable first pass would be to
> handle it similar to '--data-checksums' in 'initdb'. For example, "This
> option can only be set during initialization, and cannot be changed later. If
> set, basic auditing is on for all objects, in all databases."

Well, except that a superuser *could* effectively turn off checksums by
changing the control file and doing a restart (perhaps modulo some other
hacking; I've not tried). That kind of trivial 'hole' isn't acceptable
from a security standpoint though and given that we couldn't prevent a
superuser from doing an LD_PRELOAD and overriding any system call we make
from the backend, it's kind of hard to see how we could plug such a hole.

> > With SELinux it may be possible and I'd love to see an example
> > from someone who feels they've accomplished it. That said, if we can
> > reduce the need for a 'superuser' role sufficiently by having the
> > auditing able to be managed independently, then we may have reached the
> > level of "considerable headache".
> >
> > As many have pointed out previously, there is a certain amount of risk
> > associated with running without *any* superuser role in the system
>
> If all of the superuser's actions are logged and it's not possible to turn
> off the logging (without considerable headache) then it may not matter what
> the superuser can do. If the superuser makes changes and they are logged
> then the auditors have sufficient information to see if the correct
> procedures were followed. Validated systems are based on tracking, not
> necessarily prohibiting. Select individuals that should be able to be trusted
> (which should apply to superusers) should be able to perform the actions
> necessary to support the organization.

Fair enough- the question is just a matter of what exactly that level of
"headache" is.

Thanks!

Stephen