department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

[Security] Harden pgaudit For Vets-api Database in Prod #94644

Open Efe-Oddball opened 1 month ago

Efe-Oddball commented 1 month ago

Description

DB scans from July reported that pgaudit.conf needs to be reviewed and updated to ensure we capture everything needed. These updates have been implemented in the Dev and Staging environments for the Vets-Api database.

Acceptance Criteria

Refinement Guidance - Check the following before working on this issue:

Efe-Oddball commented 1 month ago

https://github.com/department-of-veterans-affairs/devops/pull/14765

Efe-Oddball commented 3 weeks ago

Working to schedule a reboot for the vets-api prod database. Once the reboot is complete, I will work with the security team to re-scan and ensure that the patch does what is intended.

Efe-Oddball commented 2 weeks ago

Due to the effects of the audit logs on the functionality of the database, we have to go back to the drawing board to discuss what needs to be done with adding audit logs to the prod databases. The audit logs tend to fill up the database memory really, really fast. This ticket will be on hold until we discuss the way forward with the team.

Efe-Oddball commented 2 weeks ago

Due to the effect of audit logs on database storage, I am moving this ticket to a blocked state until the database discovery ticket attached to this issue is resolved.