CNDBA社区
1 配置审计
openGauss将用户对数据库的所有操作写入审计日志。数据库安全管理员可以利用这些日志信息,重现导致数据库现状的一系列事件,找出非法操作的用户、时间和内容等。
几点注意事项:
- 审计总开关audit_enabled 是sighup 参数,修改后需要重启才能生效。默认值为on,表示开启审计功能。
- 除了审计总开关,各个审计项也有对应的开关。只有开关开启,对应的审计功能才能生效。大部分都是是sighup 参数,修改后需要重启才能生效。
审计相关参数如下:
openGauss=# select name,setting,context,source from pg_settings where name like '%audit%';
name | setting | context | source
-----------------------------+-----------------------------------+------------+--------------------
audit_copy_exec | 1 | sighup | default
audit_data_format | binary | postmaster | default
audit_database_process | 1 | sighup | default
audit_directory | /var/log/omm/omm/pg_audit/dn_6001 | postmaster | configuration file
audit_dml_state | 0 | sighup | default
audit_dml_state_select | 0 | sighup | default
audit_enabled | on | sighup | configuration file
audit_file_remain_threshold | 1048576 | sighup | default
audit_file_remain_time | 90 | sighup | default
audit_function_exec | 0 | sighup | default
audit_grant_revoke | 1 | sighup | default
audit_login_logout | 7 | sighup | default
audit_resource_policy | on | sighup | default
audit_rotation_interval | 1440 | sighup | default
audit_rotation_size | 10240 | sighup | default
audit_set_parameter | 0 | sighup | default
audit_space_limit | 1048576 | sighup | default
audit_system_function_exec | 0 | sighup | default
audit_system_object | 67121159 | sighup | default
audit_thread_num | 1 | postmaster | default
audit_user_locked | 1 | sighup | default
audit_user_violation | 0 | sighup | default
audit_xid_info | 0 | sighup | default
full_audit_users | | sighup | default
no_audit_client | | sighup | default
(25 rows)
openGauss=#
关于这些参数的说明,参考官方手册:
[dave@www.cndba.cn ~]$ gsql -p 15500 -d postgres -U omm -W omm@123456 -r
gsql ((openGauss 5.0.0 build a07d57c3) compiled at 2023-03-29 03:07:56 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=# SHOW audit_enabled;
audit_enabled
---------------
on
(1 row)
修改参数:
[dave@www.cndba.cn ~]$ gs_guc set -N all -I all -c "audit_enabled=off"
The gs_guc run with the following arguments: [gs_guc -N all -I all -c audit_enabled=off set ].
Begin to perform the total nodes: 3.
Popen count is 3, Popen success count is 3, Popen failure count is 0.
Begin to perform gs_guc for datanodes.
Command count is 3, Command success count is 3, Command failure count is 0.
Total instances: 3. Failed instances: 0.
ALL: Success to perform gs_guc!
[dave@www.cndba.cn ~]$
更多参数修改的内容参考之前的博客:
openGauss 5.0.0 参数 查看 与 修改
https://www.cndba.cn/dave/article/116536
2 查看审计
只有拥有AUDITADMIN属性的用户才可以查看审计记录。
omm 默认是有权限的,如果是其他用户,则需要使用alter user 命令修改:
openGauss=# SELECT * FROM pg_authid where rolname='omm';
-[ RECORD 1 ]----+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
rolname | omm
rolsuper | t
rolinherit | t
rolcreaterole | t
rolcreatedb | t
rolcatupdate | t
rolcanlogin | t
rolreplication | t
rolauditadmin | t
rolsystemadmin | t
rolconnlimit | -1
rolpassword | sha256302cf0388eedd3c823b25d0501ee1b146d7d0a525105a8d89a4a9ebd2187f4b8dfee41653e829e62f98fb63733f01f92fa2859f73cbd5feeb8336420f97286e402a8c612b316abf408cb6ba40b34120b83d59b9a95553866afcea18d649149deecdfecefade
rolvalidbegin |
rolvaliduntil |
rolrespool | default_pool
roluseft | t
rolparentid | 0
roltabspace |
rolkind | n
rolnodegroup | 0
roltempspace |
rolspillspace |
rolexcpdata |
rolmonitoradmin | t
roloperatoradmin | t
rolpolicyadmin | t
rolpasswordext |
select * from pg_query_audit('2021-03-04 08:00:00','2021-03-04 17:00:00');
alter user 对dave 用户添加auditadmin的角色:
https://docs.opengauss.org/zh/docs/5.0.0/docs/SQLReference/ALTER-USER.html
openGauss=# alter user dave auditadmin;
ALTER ROLE
openGauss=# SELECT * FROM pg_authid where rolname='dave';
-[ RECORD 1 ]----+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
rolname | dave
rolsuper | f
rolinherit | t
rolcreaterole | f
rolcreatedb | f
rolcatupdate | f
rolcanlogin | t
rolreplication | f
rolauditadmin | t
rolsystemadmin | f
rolconnlimit | -1
rolpassword | sha256a591306a59881f86e0459a64a51d8fe2808c45e68938d9daa3574db1e7f9b1cb24c4000fa281decc774a5dbc4fd8bc2654485d451c8972ddbcb9db6c1e7991883f67b4916608e4a52644b67115e9142e06d302735c4c64902f6cc528179f67b4ecdfecefade
rolvalidbegin |
rolvaliduntil |
rolrespool | default_pool
roluseft | f
rolparentid | 0
roltabspace |
rolkind | n
rolnodegroup |
roltempspace |
rolspillspace |
rolexcpdata |
rolmonitoradmin | f
roloperatoradmin | f
rolpolicyadmin | f
rolpasswordext |
openGauss=#
审计查询命令是数据库提供的sql函数pg_query_audit:
pg_query_audit(timestamptz startime,timestamptz endtime,audit_log)
- 参数startime和endtime分别表示审计记录的开始时间和结束时间
- audit_log表示所查看的审计日志信息所在的物理文件路径,当不指定audit_log时,默认查看连接当前实例的审计日志信息。
startime和endtime的差值代表要查询的时间段,其有效值为从startime日期中的00:00:00开始到endtime日期中的23:59:59之间的任何值。请正确指定这两个参数,否则将查不到需要的审计信息。
[dave@www.cndba.cn ~]$ gsql -p 15500 -d postgres -U omm -W omm@123456 -r
gsql ((openGauss 5.0.0 build a07d57c3) compiled at 2023-03-29 03:07:56 commit 0 last mr )
Non-SSL connection (SSL connection is recommended when requiring high-security)
Type "help" for help.
openGauss=# /x
Expanded display is on.
openGauss=# select * from pg_query_audit('2023-04-19 00:00:00','2023-04-19 17:00:00');
-[ RECORD 1 ]---+------------------------------------------------------------
time | 2023-04-19 00:00:00+08
type | internal_event
result | ok
userid | 0
username | [unknown]
database | [unknown]
client_conninfo | dn_6001@[unknown]
object_name | file
detail_info | create a new audit file
node_name | dn_6001_6002_6003
thread_id | 139750563641088@735148800600816
local_port | 15500
remote_port | (null)
-[ RECORD 2 ]---+------------------------------------------------------------
time | 2023-04-19 00:00:01+08
type | login_success
result | ok
userid | 10
username | omm
database | postgres
client_conninfo | cm_agent@192.168.56.105
object_name | postgres
detail_info | login db(postgres) success,the current user is:omm, SSL=off
node_name | dn_6001_6002_6003
thread_id | 139750878471936@735148801352916
local_port | 15501
remote_port | 53954
-[ RECORD 3 ]---+------------------------------------------------------------
time | 2023-04-19 00:00:01+08
type | user_logout
result | ok
userid | 10
username | omm
database | postgres
client_conninfo | cm_agent@192.168.56.105
object_name | postgres
detail_info | session timeout, logout db(postgres) success
node_name | dn_6001_6002_6003
thread_id | 139750878471936@735148801354325
local_port | 15501
……
使用绝对路径:
openGauss=# SHOW audit_directory;
-[ RECORD 1 ]---+----------------------------------
audit_directory | /var/log/omm/omm/pg_audit/dn_6001
[dave@www.cndba.cn ~]$ cd /var/log/omm/omm/pg_audit/dn_6001
[dave@www.cndba.cn dn_6001]$ ll
总用量 95520
-rw-------. 1 omm dbgrp 2529671 4月 7 23:59 0_adt
-rw------- 1 omm dbgrp 5934653 4月 17 23:59 10_adt
-rw------- 1 omm dbgrp 5962217 4月 19 16:55 11_adt
-rw------- 1 omm dbgrp 5304128 4月 19 16:51 12_adt
-rw------- 1 omm dbgrp 5344489 4月 8 23:59 1_adt
-rw------- 1 omm dbgrp 5341368 4月 9 23:59 2_adt
-rw------- 1 omm dbgrp 5582839 4月 10 23:59 3_adt
-rw------- 1 omm dbgrp 6863864 4月 11 23:59 4_adt
-rw------- 1 omm dbgrp 7561818 4月 12 23:59 5_adt
-rw------- 1 omm dbgrp 7647500 4月 13 23:59 6_adt
-rw------- 1 omm dbgrp 7585293 4月 14 23:59 7_adt
-rw------- 1 omm dbgrp 7671760 4月 15 23:59 8_adt
-rw------- 1 omm dbgrp 7671855 4月 16 23:59 9_adt
drwx------. 2 omm dbgrp 6 4月 7 10:55 done
-rw-------. 1 omm dbgrp 16777456 4月 19 16:51 index_table_new
[dave@www.cndba.cn dn_6001]$
openGauss=# select * from pg_query_audit('2023-04-01 00:00:00','2023-04-19 17:00:00','/var/log/omm/omm/pg_audit/dn_6001');
3 维护审计日志
审计日志管理的参数有如下几个:
- audit_directory: 审计文件的存储目录。
- audit_resource_policy:审计日志的保存策略。on(表示使用空间配置策略)
- audit_space_limit:审计文件占用的磁盘空间总量。1GB
- audit_file_remain_time:审计日志文件的最小保存时间。
- audit_file_remain_threshold:审计目录下审计文件的最大数量。
3.1 设置自动删除审计日志
审计文件占用的磁盘空间或者审计文件的个数超过指定的最大值时,系统将删除最早的审计文件,并记录审计文件删除信息到审计日志中。
审计文件占用的磁盘空间大小默认值为1024MB,用户可以根据磁盘空间大小重新设置参数。
配置审计文件占用磁盘空间的大小(audit_space_limit)。
openGauss=# SHOW audit_space_limit;
-[ RECORD 1 ]-----+----
audit_space_limit | 1GB
openGauss=#
修改参数:
[dave@www.cndba.cn ~]$ gs_guc reload -N all -I all -c "audit_space_limit=2048MB"
The gs_guc run with the following arguments: [gs_guc -N all -I all -c audit_space_limit=2048MB reload ].
Begin to perform the total nodes: 3.
Popen count is 3, Popen success count is 3, Popen failure count is 0.
Begin to perform gs_guc for datanodes.
Command count is 3, Command success count is 3, Command failure count is 0.
Total instances: 3. Failed instances: 0.
ALL: Success to perform gs_guc!
openGauss 5.0.0 参数 查看 与 修改
https://www.cndba.cn/dave/article/116536
3.2 配置审计文件个数的最大值
查看已配置的参数。
openGauss=# SHOW audit_file_remain_threshold;
-[ RECORD 1 ]---------------+--------
audit_file_remain_threshold | 1048576
修改参数,取值范围:100 .. 1048576
[dave@www.cndba.cn ~]$ gs_guc reload -N all -I all -c "audit_file_remain_threshold=2048576"
The gs_guc run with the following arguments: [gs_guc -N all -I all -c audit_file_remain_threshold=2048576 reload ].
ERROR: The value 2048576 is outside the valid range for parameter "audit_file_remain_threshold" (100 .. 1048576).
ERROR: The value "2048576" for parameter "audit_file_remain_threshold" is incorrect, requires a integer value
Try "gs_guc --help" for more information.
[dave@www.cndba.cn ~]$ gs_guc reload -N all -I all -c "audit_file_remain_threshold=1048576"
The gs_guc run with the following arguments: [gs_guc -N all -I all -c audit_file_remain_threshold=1048576 reload ].
Begin to perform the total nodes: 3.
Popen count is 3, Popen success count is 3, Popen failure count is 0.
Begin to perform gs_guc for datanodes.
Command count is 3, Command success count is 3, Command failure count is 0.
Total instances: 3. Failed instances: 0.
ALL: Success to perform gs_guc!
3.3 手动备份审计文件
当审计文件占用的磁盘空间或者审计文件的个数超过配置文件指定的值时,系统将会自动删除较早的审计文件,可以周期性地对比较重要的审计日志进行保存。
使用show命令获得审计文件所在目录(audit_directory)。
openGauss=# SHOW audit_directory;
-[ RECORD 1 ]---+----------------------------------
audit_directory | /var/log/omm/omm/pg_audit/dn_6001
直接将审计目录整个拷贝出来即可。
3.4 手动删除审计日志
当不再需要某时段的审计记录时,可以使用审计接口命令pg_delete_audit进行手动删除。
openGauss=# SELECT pg_delete_audit('2023-04-18 00:00:00','2023-04-18 23:59:59');
-[ RECORD 1 ]---+-
pg_delete_audit |
版权声明:本文为博主原创文章,未经博主允许不得转载。
