* Bruce Momjian (br...@momjian.us) wrote:
> On Sun, May 4, 2014 at 11:12:57AM -0400, Tom Lane wrote:
> > Stephen Frost <sfr...@snowman.net> writes:
> > > * Abhijit Menon-Sen (a...@2ndquadrant.com) wrote:
> > >> 1. I wish it were possible to prevent even the superuser from disabling
> > >> audit logging once it's enabled, so that if someone gained superuser
> > >> access without authorisation, their actions would still be logged.
> > >> But I don't think there's any way to do this.
> > >
> > > Their actions should be logged up until they disable auditing and
> > > hopefully those logs would be sent somewhere that they're unable to
> > > destroy (eg: syslog). Of course, we make that difficult by not
> > > supporting log targets based on criteria (logging EVERYTHING to syslog
> > > would suck).
> > >
> > > I don't see a way to fix this, except to minimize the amount of things
> > > requiring superuser to reduce the chances of it being compromised, which
> > > is something I've been hoping to see happen for a long time.
> >
> > Prohibiting actions to the superuser is a fundamentally flawed concept.
> > If you do that, you just end up having to invent a new "more super"
> > kind of superuser who *can* do whatever it is that needs to be done.
>
> We did create a "replication" role that could only read data, right? Is
> that similar?
Not sure which of the above discussions you're suggesting it's 'similar' to, but a 'read-only' role (which is specifically *not* a superuser) would definitely help reduce the number of things which need to run as an actual 'superuser' (eg: pg_dump).

The above discussion was around having auditing which the superuser couldn't change, which isn't really possible as a superuser can change the code that's executing (modulo things like SELinux changing the game, but that's outside PG to some extent).

Thanks,

Stephen