End-to-end encryption too is not very straightforward.
Sadly, we had our databases managed via a configuration management system, which also dictated role creation, db access, pg_hba changes etc.
The git history of the cfg mgmt tool was our audit :)
Basically, we did not allow any admin to make any changes locally, but had them use the cfg mgmt tool to make any access changes.
The newer versions are integrating HashiCorp Vault to manage roles and access, and audit is still managed externally.
On Fri, 7 May 2021 at 01:42, Holger Jakobs <holger@xxxxxxxxxx> wrote:
On 6 May 2021 21:52:00 CEST, Vipin Madhusoodanan <vipin.madhusoodanan@xxxxxxxxx> wrote:
Hi Team,
Please advise on the possibilities to retrieve “last password change date” for a PostgreSQL user account. We have an audit requirement to identify the password change details for local PostgreSQL user accounts. We are able to track AD users using AD Group Policy, but unable to fetch these details for local user accounts. Tried to explore pg_users and pg_shadow catalog views, but this information was not available.
Please advise.
Thank you,
Vipin
--
Thanks,
Vipin
Actually, opposed to the opinion of people having lived under a stone for the last couple of years, it's absolutely not advisable to have a regular password changing scheme.
These were in fashion in the 1990s and early 2000s.
--
Holger Jakobs, Bergisch Gladbach
+49 178 9759012
- sent from mobile, therefore short -
Thanks,
Vijay
Mumbai, India