On 12/10/2015 03:02 PM, oleg yusim wrote:
Adrian,
I used all those settings you suggested already, and I will suggest to
use logrotate or syslog on top of it, so no more than day worth of log
would be kept in the system. Still, I view it as a big drawback. Do you
know of any third party tools (l
On 12/10/2015 02:58 PM, oleg yusim wrote:
> John,
>
> I can answer that - Oracle and MS SQL do, or at least they were able to
> convince DISA that they do (STIGs for them are present here:
> http://iase.disa.mil/stigs/Pages/a-z.aspx). That actually benefits those
> products greatly - from the
On Thu, Dec 10, 2015 at 02:52:38PM -0800, John R Pierce wrote:
> that's a rather insane bunch of requirements. Reads like a wish list by
> academic security researchers.
Well, I don't know. Might be a wish list by insurance adjusters who
want to minimise liability. At least in the United States
Adrian,
I used all those settings you suggested already, and I will suggest to use
logrotate or syslog on top of it, so no more than day worth of log would be
kept in the system. Still, I view it as a big drawback. Do you know of any
third party tools (log monitoring/analyze software, you mentione
Thanks Tom, I get what you are saying and that seems to be final at this
stage. I will write pg_audit down, though.
Oleg
On Thu, Dec 10, 2015 at 4:41 PM, Tom Lane wrote:
> oleg yusim writes:
> > What I hope to achieve is to meet this requirement from Database SRG:
> > *Review DBMS documentatio
John,
I can answer that - Oracle and MS SQL do, or at least they were able to
convince DISA that they do (STIGs for them are present here:
http://iase.disa.mil/stigs/Pages/a-z.aspx). That actually benefits those
products greatly - from the point of view of security they, once hardened,
meet Feder
On 12/10/2015 2:03 PM, Adrian Klaver wrote:
So some aspect of this:
https://www.stigviewer.com/stig/database_security_requirements_guide/
that's a rather insane bunch of requirements. Reads like a wish list by
academic security researchers.
for instance
https://www.stigviewer.com/stig/dat
On 12/10/2015 02:13 PM, oleg yusim wrote:
Adrian,
You seemed to be familiar with the STIG world, so how about V-ID from
No, I am just familiar with how search engines work:)
Database SRG? I'm looking into STIG ID: SRG-APP-91-DB-66 right
now. Now, I do not really think it is a tall or
oleg yusim writes:
> What I hope to achieve is to meet this requirement from Database SRG:
> *Review DBMS documentation to verify that audit records can be produced
> when privileges/permissions/role memberships are retrieved.*
> To do that I would need to enable logging of such commands as \du,
Adrian,
You seemed to be familiar with the STIG world, so how about V-ID from
Database SRG? I'm looking into STIG ID: SRG-APP-91-DB-66 right now.
Now, I do not really think it is a tall order, since the requirement speaks
about explicit calls for privilege/permission/role membership inform
On 12/10/2015 01:36 PM, oleg yusim wrote:
Adrian,
What I hope to achieve is to meet this requirement from Database SRG:
So some aspect of this:
https://www.stigviewer.com/stig/database_security_requirements_guide/
Can you be more specific?
/Review DBMS documentation to verify that audit r
On 12/10/2015 12:56 PM, oleg yusim wrote:
2) Way to ensure that only superuser can run meta commands, such as
\du, \dp, \z
Those metacommands only exist in the psql command line tool, so to only
restrict access to them, you'd need to modify that tool. however, that
wouldn't stop users from di
Adrian,
What I hope to achieve is to meet this requirement from Database SRG:
*Review DBMS documentation to verify that audit records can be produced
when privileges/permissions/role memberships are retrieved.*
To do that I would need to enable logging of such commands as \du, \dp, \z.
At the sa
On 12/10/2015 12:56 PM, oleg yusim wrote:
So what I want to accomplish is logging queries for roles/privileges
with minimal increasing volume of logs along the way. The idea I got
from responses in this thread so far is:
1) Set log_statement on postgresql.conf to 'mod'
2) Raise log_statement to
On Thu, Dec 10, 2015 at 1:56 PM, oleg yusim wrote:
> So what I want to accomplish is logging queries for roles/privileges with
> minimal increasing volume of logs along the way. The idea I got from
> responses in this thread so far is:
>
> 1) Set log_statement on postgresql.conf to 'mod'
> 2) Rai
So what I want to accomplish is logging queries for roles/privileges with
minimal increasing volume of logs along the way. The idea I got from
responses in this thread so far is:
1) Set log_statement on postgresql.conf to 'mod'
2) Raise log_statement to 'all' but only for postgres superuser
What
On Thu, Dec 10, 2015 at 1:46 PM, oleg yusim wrote:
> Hi David,
>
> Can you, please, give me example?
>
>
Not readily...maybe others can. Putting forth specific examples of what
you want to accomplish may help.
David J.
Hi David,
Can you, please, give me example?
Thanks,
Oleg
On Thu, Dec 10, 2015 at 2:25 PM, David G. Johnston <
david.g.johns...@gmail.com> wrote:
> On Thu, Dec 10, 2015 at 1:20 PM, oleg yusim wrote:
>
>> Also... how do we control who can run meta commands?
>>
>
> You cannot do so directly but
On Thu, Dec 10, 2015 at 1:20 PM, oleg yusim wrote:
> Also... how do we control who can run meta commands?
>
You cannot do so directly but you can control permissions to the
underlying schema that the meta-command queries touch so that attempting to
run the meta-command fails.
This is not as si
Hmm... let me see if I got it right. I can set log_statement to mod
overall, and then modify it as ALTER USER postgres SET log_statement=all;
for postgres only? Also... how do we control who can run meta commands?
Thanks,
Oleg
On Thu, Dec 10, 2015 at 2:16 PM, Jerry Sievers
wrote:
> Scott Mead
Scott Mead writes:
> On Thu, Dec 10, 2015 at 2:50 PM, oleg yusim wrote:
>
> Thanks John, I realized that and confirmed in my logs. What I'm trying to
> determine now, can I only log some SELECT statements, or I should log all of
> them or none
> of them.
>
> You can configure this to m
On 12/10/2015 11:49 AM, oleg yusim wrote:
Andreas, Adrian,
Thank you very much for both pieces of information. It was very helpful.
Now, let me ask you one more question on the same topic. Is it more
granular way to control logging PostgreSQL provides, or I pretty much
reduced to choosing betwee
On Thu, Dec 10, 2015 at 2:50 PM, oleg yusim wrote:
> Thanks John, I realized that and confirmed in my logs. What I'm trying to
> determine now, can I only log some SELECT statements, or I should log all
> of them or none of them.
>
You can configure this to multiple levels:
Global, per-user, p
2015-12-10 20:49 GMT+01:00 oleg yusim :
> Andreas, Adrian,
>
> Thank you very much for both pieces of information. It was very helpful.
> Now, let me ask you one more question on the same topic. Is it more
> granular way to control logging PostgreSQL provides, or I pretty much
> reduced to choosin
Thanks John, I realized that and confirmed in my logs. What I'm trying to
determine now, can I only log some SELECT statements, or I should log all
of them or none of them.
Oleg
On Thu, Dec 10, 2015 at 1:40 PM, John R Pierce wrote:
> On 12/10/2015 9:58 AM, oleg yusim wrote:
>
>> I'm new to Post
Andreas, Adrian,
Thank you very much for both pieces of information. It was very helpful.
Now, let me ask you one more question on the same topic. Is it more
granular way to control logging PostgreSQL provides, or I pretty much
reduced to choosing between mod and all?
The reason I'm asking is bec
On 12/10/2015 9:58 AM, oleg yusim wrote:
I'm new to PostgreSQL, working on it from the point of view of Cyber
Security assessment. In regards to the here is my question:
Is it a way to enable logging for psql prompt meta-commands, such as
\du, \dp, \z, etc?
what the other two gentlemen are t
oleg yusim wrote:
> Greetings!
>
> I'm new to PostgreSQL, working on it from the point of view of Cyber Security
> assessment. In regards to the here is my question:
>
> Is it a way to enable logging for psql prompt meta-commands, such as \du, \dp,
> \z, etc?
start psql with -E
Andreas
--
R
On 12/10/2015 09:58 AM, oleg yusim wrote:
Greetings!
I'm new to PostgreSQL, working on it from the point of view of Cyber
Security assessment. In regards to the here is my question:
Is it a way to enable logging for psql prompt meta-commands, such as
\du, \dp, \z, etc?
aklaver@killi:~> psql -
Greetings!
I'm new to PostgreSQL, working on it from the point of view of Cyber
Security assessment. In regards to the here is my question:
Is it a way to enable logging for psql prompt meta-commands, such as \du,
\dp, \z, etc?
Thanks,
Oleg