Thom Brown wrote:
2009/11/30 Glyn Astill <glynast...@yahoo.co.uk <mailto:glynast...@yahoo.co.uk>>--- On Mon, 30/11/09, Thom Brown <thombr...@gmail.com <mailto:thombr...@gmail.com>> wrote: > As far as I am aware, there is no way to tell when a > user/role was granted permissions or had permissions > revoked, or who made these changes. I'm wondering if > it would be useful for security auditing to maintain a > history of permissions changes only accessible to > superusers? I'd have thought you could keep track of this in the logs by setting log_statement >= ddl ? I'm pretty sure this is a feature that's not wanted, but the ability to add triggers to these sorts of events would surely make more sense than a specific auditing capability.I concede your suggestion of the ddl log output. I guess that could then be filtered to obtain the necessary information.
This could probably be defeated by making the permissions changes in a stored function. Or even a DO block, I suspect, unless you had log_statement = all set.
I do agree with Glyn, though, that making provision for auditing one particular event is not desirable.
cheers andrew -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
