I am trying to find out what PostgreSQL does when it cannot write to its SYSLOG file, whether it is permissions or the file system where the log resides is full is the problem. Does PostgreSQL stall, does it rollback the transaction it cannot log to the SYSLOG, or does it continue on as if there isnot an issue? I am writing Security controls and since I am using the SYSLOG for auditing purposes and I need to document what happens in case therewas a failure in writing to the SYSLOG. For instance, Oracle rollbacks any transactions that are being audited it cannot write to its audit logs. Just want to know what PostgreSQL does.

Thanks,

Sandra Arnold
Senior Database Administrator
Contractor to DOE/OSTI
Information International Associates (IIA)
Oak Ridge, TN
(865) 576-0054 (work)
(865) 567-7553 (cell)
arnolds (AT) osti (DOT) gov<mailto:a...osti (DOT) gov>

On 07/10/2012 01:08 PM, Arnold, Sandra wrote:
PostgreSQL doesn't write to a SYSLOG file. It sends it to the syslog
daemon. (if you are indeed using syslog)

This is a non-issue in terms of transactions and operations.


You should probably look at tablelog for auditing. It automates it.
Syslog is not really a good way to handle that.

Sincerely,

Joshua D. Drake


--
Command Prompt, Inc. - http://www.commandprompt.com/
PostgreSQL Support, Training, Professional Services and Development
The PostgreSQL Conference - http://www.postgresqlconference.org/
@cmdpromptinc - @postgresconf - 509-416-6579



--
Sent via pgsql-admin mailing list (pgsql-admin (AT) postgresql (DOT) org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin

Tablelog would be ok for keeping up with transactions for tables. However,we also need to audit who connects successfully and unsuccessfully. As far as I am aware, if a user fails to log in successfully, say three times, PostgreSQL is not able to lock the account for 9.0. Is this the case for 9.1 as well? This is the version that I will be installing that I am writingthe Security controls for. There are several events that I have to Audit and table transactions are just a small part of it. The events I need to audit are listed below:

- Unauthorized User Access
- Changes to User Privileges
- Changes to Audit Policy
- Reset User Password
- New User created in Database
- Users dropped from Database
- Invalid Login Attempts

Sandra Arnold
Senior Database Administrator
Contractor to DOE/OSTI
Information International Associates (IIA)



-----Original Message-----
From: Joshua D. Drake [mailto:jd (AT) commandprompt (DOT) com]
Sent: Tuesday, July 10, 2012 4:31 PM
To: Arnold, Sandra
Cc: pgsql-admin (AT) postgresql (DOT) org
Subject: Re: [ADMIN] What happens when PostgreSQL fails to log to SYSLOG


On 07/10/2012 01:08 PM, Arnold, Sandra wrote:
PostgreSQL doesn't write to a SYSLOG file. It sends it to the syslog daemon.. (if you are indeed using syslog)

This is a non-issue in terms of transactions and operations.


You should probably look at tablelog for auditing. It automates it.
Syslog is not really a good way to handle that.

Sincerely,

Joshua D. Drake


--
Command Prompt, Inc. - http://www.commandprompt.com/ PostgreSQL Support, Training, Professional Services and Development The PostgreSQL Conference - http://www.postgresqlconference.org/
@cmdpromptinc - @postgresconf - 509-416-6579



--
Sent via pgsql-admin mailing list (pgsql-admin (AT) postgresql (DOT) org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin

"Arnold, Sandra" <ArnoldS (AT) osti (DOT) gov> writes:
If you want custom authorization rules like that, the usual
recommendation is to use PAM authentication; you can set up pretty much
anything you want with a few PAM modules.

regards, tom lane

--
Sent via pgsql-admin mailing list (pgsql-admin (AT) postgresql (DOT) org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin

On Wed, Jul 11, 2012 at 10:47 AM, Arnold, Sandra <ArnoldS (AT) osti (DOT) gov> wrote:


This is off topic for your question, but locking an account after a small
number of failures is a bad security practice. It's an invitation for a
denial-of-service attack. Anyone who knows anyone else's account name can
lock them out. Anyone who gets a list of accounts can lock up the whole
system.

Craig