Detections
Analytics

3.2 Ensure the PostgreSQL Audit Extension (pgAudit) is enabled - pgaudit installed

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The PostgreSQL Audit Extension (pgAudit) provides detailed session and/or object audit logging via the standard PostgreSQL logging facility. The goal of pgAudit is to provide PostgreSQL users with the capability to produce audit logs often required to comply with government, financial, or ISO certifications.

Rationale:

Basic statement logging can be provided by the standard logging facility with log_statement = all. This is acceptable for monitoring and other uses but does not provide the level of detail generally required for an audit. It is not enough to have a list of all the operations performed against the database, it must also be possible to find particular statements that are of interest to an auditor. The standard logging facility shows what the user requested, while pgAudit focuses on the details of what happened while the database was satisfying the request.

When logging SELECT and DML statements, pgAudit can be configured to log a separate entry for each relation referenced in a statement. No parsing is required to find all statements that touch a particular table. In fact, the goal is that the statement text is provided primarily for deep forensics and should not be required for an audit.

Impact:

Depending on settings, it is possible for pgAudit to generate an enormous volume of logging. Be careful to determine exactly what needs to be audit logged in your environment to avoid logging too much.

Solution

To install and enable pgAudit, simply install the appropriate rpm from the PGDG repo:

# whoami
root
# dnf -y install pgaudit17_15
[snip]
Installed:
 pgaudit17_15-1.7-beta1_1.rhel9.x86_64

Complete!

pgAudit is now installed and ready to be configured. Next, we need to alter the postgresql.conf configuration file to:

enable pgAudit as an extension in the shared_preload_libraries parameter

indicate which classes of statements we want to log via the pgaudit.log parameter

and, finally, restart the PostgreSQL service:

$ vi ${PGDATA}/postgresql.conf

Find the shared_preload_libraries entry, and add 'pgaudit' to it (preserving any existing entries):

shared_preload_libraries = 'pgaudit'

OR

shared_preload_libraries = 'pgaudit,somethingelse'

Now, add a new pgaudit-specific entry:

# for this example we are logging the ddl and write operations
pgaudit.log='ddl,write'

Restart the PostgreSQL server for changes to take affect:

# whoami
root
# systemctl restart postgresql-15
# systemctl status postgresql-15|grep 'ago$'
 Active: active (running) since [date] 10s ago

See Also

https://workbench.cisecurity.org/files/4247

Item Details

References: CSCv7|6.2

Plugin: PostgreSQLDB

Control ID: 8abec466ddb36d57ff6640a1fd72f2922a70c218aef0d5a9096d7a6fca6fc17d