Open rbeckwith-oddball opened 2 years ago
@td-usds or @troymosher
Wondering if either of you has any background on the origin of this request?
It would be good to know if there are any external requirements or dependencies. If there are epics or initiatives that this work relates to, that would also be very helpful.
Thank you!
cc: @mchelen-gov @ph-One
As a security engineer, I need to have the ability to audit any and all queries performed against any database by a principal that's been granted temporary read-access.
Scenario
1. Developer DEV does not have access to talk to the database DB directly.
2. DEV requests access to DB in environment E and sufficiently justifies the access request.
3. Access is discussed and the Security Team is looped in to evaluate.
4. DEV is given an equivalent to the 'sudo lecture' (*) and explicitly confirms understanding of and adherence to the lecture's intent and spirit.
5. Minimally sufficient access is granted.
6. DEV performs commands against the DB and completes their tasks.
7. DEV signals the end of their need for elevated privileges.
8. Access is revoked; DEV is back in the initial state.
9. The full listing of executed commands is timestamped and preserved in a secure location for at least 90 days; the listing is spot-checked for any outlier commands.
Requirements
As a security engineer, I need a full and complete listing of any and every command issued by DEV against any database they connected to; this is (among other things) for non-repudiation reasons. I need to know any and every DML or DDL statement executed by this principal during their session(s), including any attempts at running a pg_dump or equivalent. I want to be able to replay the entire session of principal DEV, ideally including the output. This will enhance our non-repudiation abilities when it comes to DB access as well as help with individuals trying to lift data from a database onto an unauthorized system.
Sudo lecture
(*) The default sudo lecture is:
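Added example for the Requirements section above; this is editor-supplied illustration, not code from the issue or from the project it belongs to. It assumes the database is PostgreSQL (the issue names pg_dump), that the temporary role is called dev_tmp on a database called appdb, that statement logging was switched on for that role with ALTER ROLE ... SET log_statement = 'all', and that the server's log_line_prefix is '%m [%p] %u@%d %c ' so every line carries a timestamp, pid, user@db and session id. The log lines are constructed for the example. The block rebuilds the timestamped per-principal listing the scenario asks to preserve and spot-checks it for outlier commands: DDL, data-modifying DML, COPY ... TO (the signature of pg_dump and psql's \copy), and the search_path reset pg_dump issues at startup.

```python
"""Per-principal statement listing and outlier spot-check for a PostgreSQL log.

Added example; role name, database name, log prefix and all log lines are
assumptions constructed for illustration, not taken from the issue.
"""
import re
from dataclasses import dataclass

# Assumed: logging is scoped to the temporary role. log_statement is a
# superuser-only setting, so a non-superuser dev_tmp cannot turn it back off.
ROLE_LOGGING_SQL = "ALTER ROLE dev_tmp SET log_statement = 'all';"

# Assumed log_line_prefix = '%m [%p] %u@%d %c '. Matches both simple-protocol
# ("statement:") and extended-protocol ("execute <name>:") log entries.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<session>\S+) "
    r"LOG:  (?:statement|execute [^:]+): (?P<sql>.*)$"
)

# Constructed sample log (not real data). The "app" line stands in for other
# roles' traffic that would appear if logging were server-wide.
SAMPLE_LOG = """\
2024-05-01 14:02:11.301 UTC [4123] dev_tmp@appdb 6632a1b3.101b LOG:  statement: SELECT count(*) FROM claims WHERE status = 'pending';
2024-05-01 14:02:11.305 UTC [4123] dev_tmp@appdb 6632a1b3.101b LOG:  duration: 3.412 ms
2024-05-01 14:03:02.887 UTC [4123] dev_tmp@appdb 6632a1b3.101b LOG:  statement: SELECT pg_catalog.set_config('search_path', '', false);
2024-05-01 14:03:02.901 UTC [4123] dev_tmp@appdb 6632a1b3.101b LOG:  statement: COPY public.users (id, ssn, email) TO stdout;
2024-05-01 14:04:40.010 UTC [4123] dev_tmp@appdb 6632a1b3.101b LOG:  statement: CREATE TABLE scratch AS SELECT * FROM users;
2024-05-01 14:05:00.000 UTC [4127] app@appdb 6632a1ff.101f LOG:  statement: UPDATE claims SET status = 'done' WHERE id = 7;
2024-05-01 14:06:15.420 UTC [4123] dev_tmp@appdb 6632a1b3.101b LOG:  execute <unnamed>: SELECT * FROM claims LIMIT $1
"""


@dataclass(frozen=True)
class Statement:
    ts: str
    user: str
    db: str
    session: str
    sql: str


def parse_log(lines):
    """Keep only statement lines; duration/connection lines are dropped."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            out.append(Statement(m["ts"], m["user"], m["db"], m["session"], m["sql"].strip()))
    return out


def session_statements(lines, principal):
    """Every statement the principal ran, in timestamp order (the listing to preserve)."""
    return sorted((s for s in parse_log(lines) if s.user == principal), key=lambda s: s.ts)


DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE"}
WRITE_DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}
COPY_OUT = re.compile(r"^\s*COPY\b.*\bTO\b", re.IGNORECASE | re.DOTALL)


def classify(sql):
    """Reasons a statement is an outlier for a temporary read-only principal."""
    words = sql.split()
    first = words[0].rstrip(";").upper() if words else ""
    reasons = []
    if COPY_OUT.match(sql):
        reasons.append("bulk export: COPY ... TO (pg_dump / \\copy signature)")
    if first in DDL:
        reasons.append(f"DDL: {first}")
    if first in WRITE_DML:
        reasons.append(f"data-modifying DML: {first}")
    if "set_config('search_path'" in sql.lower():  # heuristic: pg_dump resets search_path on connect
        reasons.append("pg_dump-style search_path reset")
    return reasons


def flag_outliers(statements):
    flagged = []
    for s in statements:
        reasons = classify(s.sql)
        if reasons:
            flagged.append((s, reasons))
    return flagged


def transcript(statements):
    """Timestamped, human-readable listing suitable for the 90-day archive."""
    return [f"{s.ts} {s.user}@{s.db} [{s.session}] {s.sql}" for s in statements]


if __name__ == "__main__":
    stmts = session_statements(SAMPLE_LOG.splitlines(), "dev_tmp")
    print("\n".join(transcript(stmts)))
    for s, reasons in flag_outliers(stmts):
        print(f"OUTLIER {s.ts} {s.sql}\n    " + "; ".join(reasons))
```

Two caveats a reviewer would raise against this as a complete answer to the requirements: log_statement records statement text only, so replaying the session output the issue asks for has to come from the access path (a bastion or proxy that records the terminal session), not from the server log; and because log_statement can only be changed by a superuser, the temporary grant must never include superuser, or the principal could reset it for their own session.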