Re: pgaudit - an auditing extension for PostgreSQL

Yeb,

* Yeb Havinga (yebhavinga@gmail.com) wrote:
> On 20/01/15 23:03, Jim Nasby wrote:> On 1/20/15 2:20 PM, Robert Haas wrote:
> > +1. In particular I'm very concerned with the idea of doing this via
> > roles, because that would make it trivial for any superuser to disable
> > auditing.
>
> Rejecting the audit administration through the GRANT system, on the
> grounds that it easy for the superuser to disable it, seems unreasonable
> to me, since superusers are different from non-superusers in a
> fundamental way.

Agreed.

> The patch as it is, is targeted at auditing user/application level
> access to the database, and as such it matches the use case of auditing
> user actions.

Right, and that's a *very* worthwhile use-case.

> Auditing superuser access means auditing beyond the running database.

Exactly! :)
Thanks!
    Stephen