
clear text password in log by pgaudit when create user mapping options user password

Open Jamespsql opened this issue 4 years ago • 2 comments

pgaudit 1.5, postgres 13.4

```
pgaudit.log_catalog='on'
pgaudit.log_level='log'
pgaudit.log_parameter=on
pgaudit.log_statement_once=off
pgaudit.log='all, -misc'
pgaudit.log='ddl,role'
```

When creating a role with a password, or altering a role's password, pgaudit works as expected and makes the password <REDACTED>. But when creating a user mapping for postgres_fdw, the clear text gets audited in the log by pgaudit.

```
CREATE USER MAPPING FOR test SERVER foreign_server OPTIONS (user 'test', password 'testfdwpass');
AUDIT: SESSION,1,1,DDL,CREATE USER MAPPING,USER MAPPING,test on server foreign_server,"CREATE USER MAPPING FOR test SERVER foreign_server OPTIONS (user 'test', password 'testfdwpass');"
```

<<< here password is clear text instead of <REDACTED>


Jamespsql avatar Dec 22 '21 08:12 Jamespsql
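An added example, not part of the issue thread or of pgaudit's own code: a Python check that scans PostgreSQL log lines for pgaudit `CREATE USER MAPPING` / `ALTER USER MAPPING` entries whose statement still carries a password literal, and returns a redacted copy of each. It goes beyond the single reported case (it also covers `ALTER` and a quoted option name) and assumes one audit entry per log line; the log prefix and every sample line other than the reported one are constructed.

```python
import csv
import io
import re

# pgaudit COMMAND values whose OPTIONS clause can carry an FDW password.
MAPPING_COMMANDS = {"CREATE USER MAPPING", "ALTER USER MAPPING"}

# password option followed by a single-quoted literal ('' is an escaped quote).
PASSWORD_OPT = re.compile(r"""((?<!\w)"?password"?\s+)'(?:[^']|'')*'""", re.I)

def redact_statement(sql):
    """Return (sql with password literals replaced, number replaced)."""
    return PASSWORD_OPT.subn(r"\g<1><REDACTED>", sql)

def scan_line(line):
    """Return a redacted copy of a leaking audit line, else None."""
    prefix, sep, payload = line.partition("AUDIT: ")
    if not sep:
        return None
    # Fields: type, statement id, substatement id, class, command,
    # object type, object name, statement[, parameters]
    fields = next(csv.reader(io.StringIO(payload)), [])
    if len(fields) < 8 or fields[4] not in MAPPING_COMMANDS:
        return None
    fields[7], hits = redact_statement(fields[7])
    if hits == 0:
        return None
    out = io.StringIO()
    csv.writer(out, lineterminator="").writerow(fields)
    return prefix + sep + out.getvalue()

# Constructed sample log. Only the CREATE USER MAPPING entry comes from the
# issue; the timestamp prefix and the other lines are made up for the demo.
PFX = "2021-12-22 08:12:01 UTC [4242] LOG:  "
SAMPLE_LOG = [
    PFX + "AUDIT: SESSION,1,1,DDL,CREATE USER MAPPING,USER MAPPING,"
    "test on server foreign_server,\"CREATE USER MAPPING FOR test SERVER "
    "foreign_server OPTIONS (user 'test', password 'testfdwpass');\"",
    PFX + "AUDIT: SESSION,2,1,DDL,ALTER USER MAPPING,USER MAPPING,"
    "test on server foreign_server,\"ALTER USER MAPPING FOR test SERVER "
    "foreign_server OPTIONS (SET password 'it''s new');\"",
    PFX + "AUDIT: SESSION,3,1,ROLE,CREATE ROLE,,,CREATE ROLE app PASSWORD <REDACTED>,<none>",
    PFX + "checkpoint starting: time",
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        fixed = scan_line(line)
        if fixed is not None:
            print(f"line {n}: cleartext FDW password -> {fixed}")
```

Any line this flags means the FDW password has already been written to the log, so the remote credential should be rotated in addition to cleaning the log.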

Add a control similar to create and alter role to pgaudit.c, to "switch (stackItem->auditEvent.commandTag)":

```c
case T_CreateRoleStmt:
case T_AlterRoleStmt:
/* Add the case of create and alter user mapping passwords
 * leak control
 */
case T_CreateUserMappingStmt:
case T_AlterUserMappingStmt:
```

Tested that on my local Redhat8 PostgreSQL 13.4 and it works; hopefully it can be merged to REL_13_STABLE.

Jamespsql avatar Jan 09 '22 12:01 Jamespsql

The best way to get a patch reviewed is to submit a PR.

dwsteele avatar Jul 21 '22 21:07 dwsteele

Are there any plans to include this for user mapping? I can see pull requests, but they are closed and the label is invalid.

andrzejwiselka avatar Dec 15 '22 09:12 andrzejwiselka

Which pull requests?

dwsteele avatar Dec 15 '22 11:12 dwsteele

https://github.com/pgaudit/pgaudit/pull/167 https://github.com/pgaudit/pgaudit/pull/168

andrzejwiselka avatar Dec 15 '22 15:12 andrzejwiselka

@andrzejwiselka Looks like these were closed by the submitter.

dwsteele avatar Dec 17 '22 07:12 dwsteele

@Jamespsql, are you planning to reopen the pull request?

andrzejwiselka avatar Jan 02 '23 14:01 andrzejwiselka

Andrzejwiselka, https://github.com/pgaudit/pgaudit/pull/197 was opened

Jamespsql avatar Feb 23 '23 08:02 Jamespsql

@dwsteele, can this be merged?

Jamespsql avatar Feb 23 '23 08:02 Jamespsql