Re: pgaudit - an auditing extension for PostgreSQL

On 1/23/15 2:15 PM, Stephen Frost wrote:
>>> > >I happen to like the idea specifically because it would allow regular
>>> > >roles to change the auditing settings (no need to be a superuser or to
>>> > >be able to modify postgresql.conf/postgresql.auto.conf)
>> >
>> >Is there really a use case for non-superusers to be able to change auditing config? That seems like a bad idea.
> What's a bad idea is having every auditor on the system running around
> as superuser..

When it comes to looking at auditing data, I agree.

When it comes to changing auditing settings, I think that needs to be very restrictive. Really, it should be more (or
differently)restrictive than SU, so that you can effectively audit your superusers with minimal worries about
superuserstampering with auditing.
 
-- 
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com