Merge pull request #1522 from EnterpriseDB/sd/content/epas/DB-142
DB-142 Create an audit parameter to exclude or include certain user g…

Former-commit-id: 85af386
drothery-edb authored Jul 1, 2021
2 parents 5a76eeb + a480ccf commit e1a83d2
Showing 21 changed files with 455 additions and 52 deletions.
Expand Up @@ -148,7 +148,7 @@ Where `ENV_VARIABLE` is the environment variable that is set to the directory pa
The `EDBLDR_ENV_STYLE` environment variable instructs Advanced Server to interpret environment variable references as Windows-styled references or Linux-styled references irregardless of the operating system on which EDB\*Loader resides. You can use this environment variable to create portable control files for EDB\*Loader.

- On a Windows system, set `EDBLDR_ENV_STYLE` to `linux` or `unix` to instruct Advanced Server to recognize Linux-style references within the control file.
- On a Linux system, set `EDBLDR_ENV_STYLE` to windows to instruct Advanced Server to recognize Windows-style references within the control file.
- On a Linux system, set `EDBLDR_ENV_STYLE` to `windows` to instruct Advanced Server to recognize Windows-style references within the control file.

The operating system account `enterprisedb` must have read permission on the directory and file specified by `data_file`.

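Review bot: `irregardless` in the first context line of this hunk should be `regardless`; the bullet edit that wraps `windows` in backticks is correct and brings that bullet in line with the `linux`/`unix` bullet above it, so the wording fix belongs in the same pass.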
Expand Down Expand Up @@ -514,7 +514,7 @@ The following is the corresponding delimiter-separated data file:
9104,"JONES, JR.",MANAGER,7839,02-APR-09,7975.00,20
```

The use of the `TRAILING NULLCOLS` clause allows the last field supplying the comm column to be omitted from the first and last records. The `comm` column is set to null for the rows inserted from these records.
The use of the `TRAILING NULLCOLS` clause allows the last field supplying the `comm` column to be omitted from the first and last records. The `comm` column is set to null for the rows inserted from these records.

The double quotation mark enclosure character surrounds the value `JONES, JR.` in the last record since the comma delimiter character is part of the field value.

Expand Down Expand Up @@ -747,7 +747,7 @@ SELECT * FROM emp WHERE empno > 9100;

**NULLIF Clause**

The following example uses the `NULLIF` clause on the sal column to set it to null for employees of job `MANAGER` as well as on the comm column to set it to null if the employee is not a `SALESMAN` and is not in department `30`. In other words, a comm value is accepted if the employee is a `SALESMAN` or is a member of department `30`.
The following example uses the `NULLIF` clause on the `sal` column to set it to null for employees of job `MANAGER` as well as on the `comm` column to set it to null if the employee is not a `SALESMAN` and is not in department `30`. In other words, a `comm` value is accepted if the employee is a `SALESMAN` or is a member of department `30`.

The following is the control file:

Expand Up @@ -830,7 +830,7 @@ The information displayed in the `DATA from pg_statio_all_tables` section includ
| `TIDX READ` | The number of toast index blocks read. |
| `TIDX HIT` | The number of toast index blocks hit. |

```Text
```text
DATA from pg_stat_all_indexes

SCHEMA RELATION INDEX
Expand Down Expand Up @@ -1059,7 +1059,7 @@ function_name(<beginning_id>, <ending_id>, <top_n>, <scope>)

`scope`

scope determines which tables the function returns statistics about. Specify `SYS`, `USER` or `ALL`:
`scope` determines which tables the function returns statistics about. Specify `SYS`, `USER` or `ALL`:

- `SYS` indicates that the function should return information about system defined tables. A table is considered a system table if it is stored in one of the following schemas: `pg_catalog`, `information_schema`, or `sys`.
- `USER` indicates that the function should return information about user-defined tables.
Expand Down Expand Up @@ -1186,7 +1186,7 @@ statio_tables_rpt(<beginning_id>, <ending_id>, <top_n>, <scope>)

`scope`

scope determines which tables the function returns statistics about. Specify `SYS`, `USER` or `ALL`:
`scope` determines which tables the function returns statistics about. Specify `SYS`, `USER` or `ALL`:

- `SYS` indicates that the function should return information about system defined tables. A table is considered a system table if it is stored in one of the following schemas: `pg_catalog`, `information_schema`, or `sys`.
- `USER` indicates that the function should return information about user-defined tables.
Expand Down Expand Up @@ -1273,7 +1273,7 @@ stat_indexes_rpt(<beginning_id>, <ending_id>, <top_n>, <scope>)

`scope`

scope determines which tables the function returns statistics about. Specify `SYS`, `USER` or `ALL`:
`scope` determines which tables the function returns statistics about. Specify `SYS`, `USER` or `ALL`:

- `SYS` indicates that the function should return information about system defined tables. A table is considered a system table if it is stored in one of the following schemas: `pg_catalog, information_schema`, or `sys`.
- `USER` indicates that the function should return information about user-defined tables.
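Review bot: the `SYS` bullet in this hunk still has `pg_catalog, information_schema` inside a single code span; the matching bullets in the `-1059` and `-1186` hunks write `pg_catalog`, `information_schema`, or `sys` with each schema in its own span, so this one should be changed to match while the `scope` paragraph is being touched.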
6 changes: 2 additions & 4 deletions product_docs/docs/epas/12/epas_compat_tools_guide/index.mdx
Expand Up @@ -28,10 +28,8 @@ The EDB\*Plus command line client provides a user interface to Advanced Server t
- Execute OS commands
- Record output

For detailed installation and usage information about EDB\*Plus, see the EDB\*Plus User's Guide, available from the EnterpriseDB website at:

[https://www.enterprisedb.com/docs/p/edbplus](/epas/latest/edb_plus/)
For detailed installation and usage information about EDB\*Plus, see the [EDB\*Plus User's Guide](https://www.enterprisedb.com/docs/epas/12/edb_plus/) available from EnterpriseDB website.

For detailed information about the features supported by Advanced Server, consult the complete library of Advanced Server guides available at:

[https://www.enterprisedb.com/docs](/epas/latest/)
[https://www.enterprisedb.com/docs](/epas/12/)
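Review bot: the replacement link for the EDB*Plus guide is an absolute `https://www.enterprisedb.com/docs/epas/12/edb_plus/` URL, whereas the link it removed and the other link changed in this hunk (`/epas/12/`) use site-relative paths; a relative `/epas/12/edb_plus/` keeps the two consistent and lets the docs site resolve the link internally. The new sentence also reads `available from EnterpriseDB website`, which needs the article: `available from the EnterpriseDB website`.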
Expand Up @@ -229,7 +229,7 @@ The following table shows the summary of configuration parameters:
| `log_temp_files` | Session | Immediate | Superuser | Log the use of temporary files larger than this number of kilobytes. | |
| `log_timezone` | Cluster | Reload | EPAS service account | Sets the time zone to use in log messages. | |
| `log_truncate_on_rotation` | Cluster | Reload | EPAS service account | Truncate existing log files of same name during log rotation. | |
| `logging_collector` | Cluster | Restart | EPAS service account | Start a subprocess to capture stderr output and/or csvlogs into log files. | |
| `logging_collector` | Cluster | Restart | EPAS service account | Start a subprocess to capture stderr output and/or csv logs into log files. | |
| `maintenance_work_mem` | Session | Immediate | User | Sets the maximum memory to be used for maintenance operations. | |
| `max_connections` | Cluster | Restart | EPAS service account | Sets the maximum number of concurrent connections. | |
| `max_files_per_process` | Cluster | Restart | EPAS service account | Sets the maximum number of simultaneously open files for each server process. | |
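Review bot: changing `csvlogs` to `csv logs` in the `logging_collector` row moves the Description away from the text the server itself reports for this parameter (`pg_settings.short_desc` reads `... stderr output and/or csvlogs into log files`, where `csvlogs` is one word naming the log destination). If the column is meant to mirror the server's description, keep `csvlogs`; if readability is the goal, say `CSV log files` rather than splitting the identifier into two words.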
Expand Up @@ -60,4 +60,7 @@ Use the following configuration parameters to control database auditing. See [Su

Set to `syslog` to use the syslog process and its location as configured in the `/etc/syslog.conf` file. The `syslog` setting is valid for Advanced Server running on a Linux host and is not supported on Windows systems. **Note:** In recent Linux versions, syslog has been replaced by `rsyslog` and the configuration file is in `/etc/rsyslog.conf`.

!!! Note
Advanced Server allows administrative users associated with administrative privileges to audit statements by any user, group, or role. By auditing specific users, you can minimize the number of audit records generated. For information, see the examples under [Selecting SQL Statements to Audit](../05_edb_audit_logging/02_selecting_sql_statements_to_audit/#selecting_sql_statements_to_audit).

The following section describes selection of specific SQL statements for auditing using the `edb_audit_statement` parameter.
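Review bot: the new admonition says `administrative users associated with administrative privileges`, which is redundant; `users with administrative privileges` says the same thing. `allows ... to audit statements by any user, group, or role` can also be read as the administrator performing the auditing, whereas the point of the `ALTER USER ... SET edb_audit_statement` examples added elsewhere in this commit is that an administrator can enable or disable statement auditing for a chosen user, group, or role; stating it that way makes the security point (who controls what gets audited) clearer.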
Expand Up @@ -279,7 +279,7 @@ The following is an example where `edb_audit_connect` and `edb_audit_statement`

```text
edb_audit_connect = 'all'
edb_audit_statement = create view,create materialized view,create sequence,grant'
edb_audit_statement = 'create view,create materialized view,create sequence,grant'
```

Thus, only SQL statements invoked by the `CREATE VIEW`, `CREATE MATERIALIZED VIEW`, `CREATE SEQUENCE` and `GRANT` commands are audited.
Expand Down Expand Up @@ -373,6 +373,206 @@ The `CREATE VIEW` and `CREATE MATERIALIZED VIEW` statements are audited. Note th

The `CREATE SEQUENCE` and `GRANT` statements are audited since those values are included in the `edb_audit_statement` parameter.

**Example 3**

The following is an example where `edb_audit_connect` and `edb_audit_statement` are set with the following non-default values:

```text
logging_collector = 'on'
edb_audit_connect = 'all'
edb_audit_statement = 'none'
```

The session for users who connect as `ADMIN` or `SYSDBA` can be fully audited. An admin user is connected to a database `auditdb` as `ADMINUSER`, the following `ALTER USER` command specifies that `ADMINUSER` is to be audited.

```text
ALTER USER adminuser SET edb_audit_statement = "all";
```

Setting the `edb_audit_statement` parameter to `all` allows auditing all of the SQL statements for an admin user.

The database session that occurs is the following:

```text
$ psql auditdb adminuser
Password for user adminuser:
psql.bin (12.0.0)
Type "help" for help.
auditdb=# SHOW edb_audit_connect;
edb_audit_connect
-------------------
all
(1 row)
auditdb=# SHOW edb_audit_statement;
edb_audit_statement
---------------------
all
(1 row)
auditdb=# SET search_path TO edb;
SET
auditdb=> CREATE TABLE dept
auditdb-> (deptno NUMBER(2),
auditdb(> dname VARCHAR2(14),
auditdb(> loc VARCHAR2(13) );
CREATE TABLE
auditdb=> INSERT INTO dept VALUES (10, 'ACCOUNTING', 'NEW YORK');
INSERT 0 1
auditdb=> INSERT INTO dept VALUES (20, 'RESEARCH', 'DALLAS');
INSERT 0 1
auditdb=> INSERT INTO dept VALUES (30, 'SALES', 'CHICAGO');
INSERT 0 1
auditdb=> UPDATE dept SET loc = 'BEDFORD' WHERE deptno = 20;
UPDATE 1
auditdb=> SELECT * FROM dept;
deptno | dname | loc
--------+------------+----------
10 | ACCOUNTING | NEW YORK
30 | SALES | CHICAGO
20 | RESEARCH | BEDFORD
(3 rows)
auditdb=> DELETE FROM emp WHERE deptno = 40;
ERROR: relation "emp" does not exist
LINE 1: DELETE FROM emp WHERE deptno = 40;
^
auditdb=> DELETE FROM dept WHERE deptno = 10;
DELETE 1
auditdb=> SELECT * FROM dept;
deptno | dname | loc
--------+----------+---------
30 | SALES | CHICAGO
20 | RESEARCH | BEDFORD
(2 rows)
```

The resulting audit log file contains the following.

Each audit log entry has been split and displayed across multiple lines, and a blank line has been inserted between the audit log entries for more clarity in the appearance of the results.

```text
2021-06-23 06:06:59.027 IST,"adminuser","auditdb",60218,"[local]",60d3083b.
eb3a,1,"authentication",2021-06-23 06:06:59 IST,4/19,0,AUDIT,00000,"connection authorized:
user=adminuser database=auditdb",,,,,,,,,"","client backend",,"","","connect"
2021-06-23 06:07:33.192 IST,"adminuser","auditdb",66316,"[local]",60daab0c.
1030c,2,"idle",2021-06-23 06:07:33 IST,4/16,0,AUDIT,00000,"statement: SHOW edb_audit_connect;
",,,,,,,,,"psql","client backend",,"SHOW","","sql statement"
2021-06-23 06:08:12.474 IST,"adminuser","auditdb",66316,"[local]",60daab0c.
1030c,3,"idle",2021-06-23 06:08:12 IST,4/17,0,AUDIT,00000,"statement: SHOW edb_audit_statement;
",,,,,,,,,"psql","client backend",,"SHOW","","sql statement"
2021-06-23 06:08:20.519 IST,"adminuser","auditdb",66922,"[local]",60dab036.
1056a,4,"idle",2021-06-23 06:08:20 IST,4/15,0,AUDIT,00000,"statement: SET search_path TO edb;
",,,,,,,,,"psql","client backend",,"SET","","set"
2021-06-23 06:09:27.613 IST,"adminuser","auditdb",60218,"[local]",60dab117.
10602,5,"idle",2021-06-23 06:09:59 IST,4/21,0,AUDIT,00000,"statement: CREATE TABLE dept
(deptno NUMBER(2),
dname VARCHAR2(14),
loc VARCHAR2(13) );",,,,,,,,,"psql","client backend",,"CREATE TABLE","","create"
2021-06-23 06:09:39.238 IST,"adminuser","auditdb",60218,"[local]",60d3083b.
eb3a,6,"idle",2021-06-23 06:09:29 IST,4/22,0,AUDIT,00000,"statement: INSERT INTO
dept VALUES (10, 'ACCOUNTING', 'NEW YORK');",,,,,,,,,"psql","client backend",,"INSERT","","insert"
2021-06-23 06:09:39.242 IST,"adminuser","auditdb",60218,"[local]",60d3083b.
eb3a,7,"idle",2021-06-23 06:09:29 IST,4/23,0,AUDIT,00000,"statement: INSERT INTO
dept VALUES (20, 'RESEARCH', 'DALLAS');",,,,,,,,,"psql","client backend",,"INSERT","","insert"
2021-06-23 06:09:39.247 IST,"adminuser","auditdb",60218,"[local]",60d3083b.
eb3a,8,"idle",2021-06-23 06:08:35 IST,4/24,0,AUDIT,00000,"statement: INSERT INTO
dept VALUES (30, 'SALES', 'CHICAGO');",,,,,,,,,"psql","client backend",,"INSERT","","insert"
2021-06-23 06:10:04.849 IST,"adminuser","auditdb",60218,"[local]",60d3083b.
eb3a,9,"idle",2021-06-23 06:08:59 IST,4/25,0,AUDIT,00000,"statement: UPDATE dept SET loc = 'BEDFORD'
WHERE deptno = 20;",,,,,,,,,"psql","client backend",,"UPDATE","","update"
2021-06-23 06:10:16.045 IST,"adminuser","auditdb",60218,"[local]",60d3083b.
eb3a,10,"idle",2021-06-23 06:08:59 IST,4/26,0,AUDIT,00000,"statement: SELECT * FROM dept;",,,,,,,,,
"psql","client backend",,"SELECT","","select"
2021-06-23 06:10:40.593 IST,"adminuser","auditdb",60218,"[local]",60d3083b.
eb3a,11,"idle",2021-06-23 06:08:59 IST,4/27,0,AUDIT,00000,"statement: DELETE FROM emp WHERE deptno = 40;
",,,,,,,,,"psql","client backend",,"DELETE","","delete"
2021-06-23 06:10:40.594 IST,"adminuser","auditdb",60218,"[local]",60d3083b.
eb3a,12,"DELETE",2021-06-23 06:08:59 IST,4/27,0,ERROR,42P01,"relation ""emp"" does not exist",,,,,,
"DELETE FROM emp WHERE deptno = 40;",13,,"psql","client backend",,"DELETE","","error"
2021-06-23 06:11:02.563 IST,"adminuser","auditdb",60218,"[local]",60d3083b.
eb3a,13,"idle",2021-06-23 06:08:59 IST,4/28,0,AUDIT,00000,"statement: DELETE FROM dept WHERE deptno = 10;
",,,,,,,,,"psql","client backend",,"DELETE","","delete"
2021-06-23 06:11:14.585 IST,"adminuser","auditdb",60218,"[local]",60d3083b.
eb3a,14,"idle",2021-06-23 06:08:59 IST,4/29,0,AUDIT,00000,"statement: SELECT * FROM dept;",,,,,,,,,
"psql","client backend",,"SELECT","","select"
```

**Example 4**

The following is an example where `edb_audit_connect` and `edb_audit_statement` are set with the following non-default values:

```text
logging_collector = 'on'
edb_audit_connect = 'all'
edb_audit_statement = 'all'
```

The audit session for a user `carol` can be fully blocked by the database administrators using the `ALTER USER` command:

```text
ALTER USER carol SET edb_audit_statement = "none";
```

!!! Note
The database administrator can allow a specific user to audit any SQL statements by specifying the `ALTER USER` command and setting the `edb_audit_statement parameter` to any desired value.

The database session that occurs is the following:

```text
$ psql auditdb carol
Password for user carol:
psql.bin (12.0.0)
Type "help" for help.
auditdb=# SHOW edb_audit_connect;
edb_audit_connect
-------------------
all
(1 row)
auditdb=# SHOW edb_audit_statement;
edb_audit_statement
---------------------
none
(1 row)
auditdb=# SET search_path TO edb;
SET
auditdb=> CREATE TABLE salgrade
auditdb-> (grade NUMBER,
auditdb(> losal NUMBER,
auditdb(> hisal NUMBER);
CREATE TABLE
INSERT INTO salgrade VALUES (1, 700, 1200);
INSERT INTO salgrade VALUES (2, 1201, 1400);
INSERT INTO salgrade VALUES (3, 1401, 2000);
```

The resulting audit log file contains only the connection authentication information. Setting the `edb_audit_statement` parameter to `none` does not allow auditing any of the SQL statements for `carol`, and thereby no audit logs are generated.

Each audit log entry has been split and displayed across multiple lines, and a blank line has been inserted between the audit log entries for more clarity in the appearance of the results.

```text
2021-06-29 02:27:26.240 IST,"carol","auditdb",68072,"[local]",60dabd4e.
109e8,1,"authentication",2021-06-29 02:27:26 IST,4/13,0,AUDIT,00000,"connection authorized: user=carol
database=auditdb",,,,,,,,,"","client backend",,"","","connect"
```

## Data Manipulation Language Statements

This section describes the values that can be included in the `edb_audit_statement` parameter to audit DML statements.
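Review bot: several points in the new Examples 3 and 4. (1) `ALTER USER adminuser SET edb_audit_statement = "all";` and `ALTER USER carol SET edb_audit_statement = "none";` use double quotes, while every other setting on these pages is a single-quoted string (`edb_audit_statement = 'none'`); use `'all'` and `'none'`, since that is the form readers will copy. (2) The Example 3 intro is a run-on (`An admin user is connected to a database auditdb as ADMINUSER, the following ALTER USER command ...`) and its first sentence talks about `ADMIN` or `SYSDBA`, which the example never shows; it only uses `adminuser`. (3) Both examples say `a blank line has been inserted between the audit log entries`, but neither log block contains a blank line; either add them or drop that sentence. (4) The Example 3 log is presented as one session, yet its entries carry three different process ids (60218, 66316, 66922), four different session ids, and session start times that change from entry to entry (one entry has log time 06:09:27 with a session start of 06:09:59), and the psql prompt switches from `auditdb=#` to `auditdb=>` mid-transcript. Capturing one real session end to end would make the example reproducible and keep the `session_id`/`session_line_num` columns meaningful to anyone correlating audit records. (5) In Example 4 the three `INSERT INTO salgrade` lines have no prompt and no `INSERT 0 1` result, unlike the rest of the transcript, and `The audit session for a user carol can be fully blocked` together with `thereby no audit logs are generated` contradicts the connect record that is shown; say that statement auditing is disabled for `carol` and that only the connection record is written. (6) In the Note, the code span `edb_audit_statement parameter` should be `` `edb_audit_statement` parameter ``, and `allow a specific user to audit any SQL statements` should read `enable auditing of any SQL statements for a specific user`.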
Expand Up @@ -47,7 +47,7 @@ The EDB Postgres pgAdmin 4 provides a powerful graphical interface for database
The `--enable_acledit 1` option instructs the installer to grant permission to the user specified by the `--serviceaccount` option to access the Advanced Server binaries and `data` directory. By default, this option is disabled if `--enable_acledit 0` is specified or if the `--enable_acledit` option is completely omitted.

!!! Note
Specification of this option is valid only when installing on Windows. The `--enable_acledit 1` option should be specified when a `discretionary access control list` (DACL) needs to be set for allowing access to objects on which Advanced Server is to be installed. See the following for information on a DACL: <https://msdn.microsoft.com/en-us/library/windows/desktop/aa446597(v=vs.85>).aspx
Specification of this option is valid only when installing on Windows. The `--enable_acledit 1` option should be specified when a `discretionary access control list` (DACL) needs to be set for allowing access to objects on which Advanced Server is to be installed. See the following for information on a DACL: https://msdn.microsoft.com/en-us/library/windows/desktop/aa446597(v=vs.85).aspx

In order to perform future operations such as upgrading Advanced Server, access to the `data` directory must exist for the service account user specified by the `--serviceaccount` option. By specifying the `--enable_acledit 1` option, access to the `data` directory by the service account user is provided.

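Review bot: dropping the angle brackets removes the stray `>` that split `.aspx` off the old autolink, but the URL is now a bare string; unless the docs renderer autolinks bare URLs, write it as a markdown link, e.g. `[discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446597(v=vs.85).aspx)`, or restore the `<...>` form with the `>` placed after `.aspx`. The backticks around `discretionary access control list` also mark a plain English term as code; plain text followed by `(DACL)` is enough.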
Expand Up @@ -15,4 +15,4 @@ Language Pack installers are version and platform specific. Select the Language
| Windows (64-bit) | PostgreSQL `9.6`,`10`,`11`,`12` | 1.0 | Perl `5.26`, Python `3.7`, Tcl `8.8` |
| Windows (64-bit) | EDB Postgres Advanced Server `9.6`,`10`,`11`,`12` | 1.0 | Perl `5.26`, Python `3.7`, Tcl `8.6` |

For detailed information, please see the EDB Postgres Advanced Server Installation Guide for Linux, available at the [EDB website](/epas/12/).
For detailed information, please see the *EDB Postgres Advanced Server Installation Guide*, available at the [EDB website](/epas/12/).
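Review bot: in the context row for PostgreSQL on Windows (64-bit) the Tcl column reads `8.8`, while the EDB Postgres Advanced Server row directly beneath it reads `8.6`; there is no Tcl 8.8 release, so this looks like a typo for `8.6` and is worth correcting alongside the title change. The title edit itself (italics, and dropping `for Linux` from a page whose table lists Windows installers) is right.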