Re: audit trail for viewed data

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


> I have been asked to investigate creating an 
> "audit trail" for viewed data.
...
> My first pass attempt at a solution was to use a set returning 
> function that inserted to the audit trail...
...
> I'm sure this has to do with the function not knowing anything 
> about the join inclusion/exclusion nor the where clause, but 
> I'm wondering if this is a problem that anyone else has 
> experienced in the past. Is there a way to do this at the 
> database level or do we need to try to build something 
> into the application to do the tracking?

It's easy enough at the database level: just make all access 
go through stored procedures. In the example you gave, disallow 
direct access to table 'a' and if they need something like 
that query, make them call this:

select rows_a_join_b_id_less(4250);

Obviously you can make the functions a little more generic, 
but the golden rule is all direct table access is forbidden. 
They want something from the database, they must go through 
one of your special procs. Then you can log who viewed what 
data and when :). That's going to probably end up a /very/ 
large audit log, but without getting into a lot more 
complexity, that's the price you pay for such detailed logging.

The only other non-application option I can see is to have 
something recording things at a low-level, e.g. wireshark.
Which makes the database and application changes easy (e.g. 
no changes at all!) at the high cost of parsing the logs when 
you need to make sense of them.

- -- 
Greg Sabino Mullane greg@xxxxxxxxxxxx
End Point Corporation http://www.endpoint.com/
PGP Key: 0x14964AC8 201110290019
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8

-----BEGIN PGP SIGNATURE-----

iEYEAREDAAYFAk6rfs0ACgkQvJuQZxSWSsg9AwCeKRF+lPlX+lpxIxkjOacoYXMO
1WQAn1ONgX8T9aZffHejetCY+yOq5PTP
=/54K
-----END PGP SIGNATURE-----



-- 
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin


[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux