设置统一审计策略

背景信息

传统审计会产生大量的审计日志，且不支持定制化的访问对象和访问来源配置，不方便数据库安全管理员对审计日志的分析。而统一审计策略支持绑定资源标签、配置数据来源输出审计日志，可以提升安全管理员对数据库监控的效率。

操作步骤

1. 执行以下命令开启统一审计开关。

   gs_guc reload -Z coordinator -N all -I all -c "enable_security_policy=on"
   

2. 操作系统root用户进行rsyslog配置。

   在操作系统后台服务配置文件/etc/rsyslog.conf中添加：

   local0.* /var/log/localmessages  
   

   重启rsyslog服务使配置生效。

   sudo systemctl restart rsyslog
   

3. 安全策略管理员登录数据库，配置资源标签，对于安全策略管理员的相关操作参考管理员章节，审计策略参数参考SQL语法描述。

   -- 初始化资源
   DROP TABLE IF EXISTS table_security_auditing;
   CREATE TABLE table_security_auditing(id int,name char(10));
   create user user001 password '********';
   create user user002 password '********';
   grant all privileges to user001;
   
   -- 新建资源标签
   DROP RESOURCE LABEL IF EXISTS rl_security_auditing;
   CREATE RESOURCE LABEL rl_security_auditing ADD TABLE(table_security_auditing);
   
   -- 创建审计策略，审计用户user001在资源标签rl_security_auditing上的DDL、DML操作
   CREATE AUDIT POLICY audit_security_priall PRIVILEGES all on LABEL(rl_security_auditing) FILTER ON ROLES(user001);
   CREATE AUDIT POLICY audit_security_accall ACCESS all on LABEL(rl_security_auditing) FILTER ON ROLES(user001);
   

4. 使用用户user001登录数据库，执行如下操作, 触发审计策略。

   -- DML
   insert into table_security_auditing values(1,'22');
   update table_security_auditing set name=234123 where id=1;
   delete from table_security_auditing where id=1;
   truncate table table_security_auditing;
   -- DDL
   GRANT INSERT ON TABLE table_security_auditing TO user002;
   revoke insert on table table_security_auditing from user002;
   

5. 使用操作系统root用户查看审计日志/var/log/localmessage。

   Oct  9 15:38:11 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [INSERT], policy id: [16423], table: [public.table_security_auditi           ng], result: [OK]
   Oct  9 15:38:11 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [UPDATE], policy id: [16423], table: [public.table_security_auditi           ng], result: [OK]
   Oct  9 15:38:11 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [DELETE], policy id: [16423], table: [public.table_security_auditi           ng], result: [OK]
   Oct  9 15:38:12 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [TRUNCATE], policy id: [16423], table: [public.table_security_audi           ting], result: [OK]
   Oct  9 15:49:41 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], privilege type: [GRANT ON TABLE postgres.public.table_security_auditing TO user002], poy id: [16408], result: [OK]
   Oct  9 15:49:53 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], privilege type: [REVOKE ON TABLE postgres.public.table_security_auditing FROM user002],licy id: [16408], result: [OK]
   

6. 如不需要继续对特定资源进行审计，可移除审计策略。

   drop audit policy audit_security_priall;  
   drop audit policy audit_security_accall; 
   

统一审计日志字段说明

Oct  9 15:38:12 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [TRUNCATE], policy id: [16423], table: [public.table_security_auditing], result: [OK]

以如上TRUNCATE操作触发的审计日志为例，字段说明如下:

|时间戳|主机名|事件类型|用户名|触发客户端|客户端IP|操作类型|策略ID|列名称|执行结果|

注意： 在使用DATABASE LINK功能的场景下，客户端发起的DATABASE LINK请求，实际的发送方是服务端，发送端ip地址等相关的属性将是服务端的值。