Search Postgresql Archives

Re: Logging statement having any threat?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sat, Apr 20, 2024 at 10:02 PM Adrian Klaver <adrian.klaver@xxxxxxxxxxx> wrote:

Have you tried?:

https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT

"
log_statement (enum)

   <...>

The default is none. Only superusers and users with the appropriate SET
privilege can change this setting.
"

Or

https://www.postgresql.org/docs/current/functions-admin.html#FUNCTIONS-ADMIN-SET

set_config ( setting_name text, new_value text, is_local boolean ) → text


>
> Now when we reach out to the infrastructure team , they are saying these
> variables(pg_cluster_log_statement,pg_instance_log_statement) were

Where are those variables coming from? I can not find them in RDS or
Terraform docs.


 Thank You Adrian. 

Actually I was trying to understand if the auto_explain can only work and help us see the slow sql statements in the log, only after we set the "log_statement" parameter to non default values (like all, mod, ddl)? 

And what is the exact threat with the logging these queries , and i think ,I got the point as you mentioned , having access to database  itself is making someone to see the object details, however do you agree that in case of RDS logs are available through different mediums like cloud watch, data dog agent etc , so that may pose additional threats as because , may be some person doesn't have access to database directly but still having permission to see the logs, so the appropriate access control need to put in place?

And additionally I was trying to execute the "SELECT set_config('log_statement', 'all', true);" but it says "permission denied to set parameter "log_statement".".So might be it needs a higher privileged user to run it.

To answer your question on the variable those we have on the terraform module, the terraform module is customized by the database infra team so that might be why we are seeing those there which may not be exactly the same as its showing in RDS docs for postgres.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.Concepts.PostgreSQL.html

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux