
openGauss / openGauss-server


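[Business scope: open source] [Test type: SQL functionality] [Test activity: community] [Test version: 2.0.0] [Feature name: documentation description] [Environment: bare metal] Unified auditing: when only GRANT operations are audited, no GRANT record can be found in the audit log after a GRANT statement is executed; when GRANT and REVOKE operations are audited, after GRANT and REVOKE statements are executed the GRANT operation is found in the audit log, but the REVOKE operation is not audited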

Canceled
Bug
Opened this issue  
2021-09-15 18:30

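[Title description]:
Unified auditing: when only GRANT operations are audited, no GRANT record can be found in the audit log after a GRANT statement is executed; when GRANT and REVOKE operations are audited, after GRANT and REVOKE statements are executed the GRANT operation is found in the audit log, but the REVOKE operation is not audited
[Test type: SQL functionality / storage functionality / interface functionality / tool functionality / performance / concurrency / long-running stress stability / fault injection / security / documentation / coding standards] [Test version: 2.0.0] Problem description

[Operating system and hardware information] (query commands: cat /etc/system-release, uname -a):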
CentOS Linux release 7.6.1810 (Core)
Linux ctupopenga00019 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
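[Test environment] (standalone / 1 primary, x standby, x cascaded standby):
One primary, two standbys
[Feature under test]:
Unified auditing
[Test type]:
Functional test
[Database version] (query command: gaussdb -V):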
gaussdb (openGauss 2.0.0 build 3386e30c) compiled at 2021-09-10 20:04:25 commit 0 last mr
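[Preconditions]:
1. The database status is normal
2. The audit switch is enabled: enable_security_policy=on
3. Log archiving is configured: in /etc/rsyslog.conf, configure local0.* /var/log/postgresql (the value of syslog_facility is also local0; the two must match), then restart the service: service rsyslog restart
[Steps] (please fill in detailed steps):
1. The system administrator creates two users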
create user user001 password 'Test@123';
create user user002 password 'Test@123';
create user user003 password 'Test@123';
2. The system administrator creates a table and grants privileges to the users
DROP TABLE IF EXISTS table_security_auditing;
CREATE TABLE table_security_auditing(id int,name char(10));
grant all privileges to user001;
grant all privileges to user002;
3. The system administrator creates a resource label
DROP RESOURCE LABEL IF EXISTS rl_security_auditing;
CREATE RESOURCE LABEL rl_security_auditing ADD TABLE(table_security_auditing);
4. The system administrator creates a unified audit policy that audits GRANT operations, filtering on user 1
DROP AUDIT POLICY IF EXISTS audit_security_auditing;
CREATE AUDIT POLICY audit_security_auditing PRIVILEGES GRANT ON LABEL(rl_security_auditing) FILTER ON ROLES(user001);
5. user001 logs in to the database, executes the statement, and checks the audit log /var/log/postgresql
GRANT INSERT ON TABLE table_security_auditing TO user002;
6. The system administrator creates a unified audit policy that audits GRANT and REVOKE operations, filtering on user 1
DROP AUDIT POLICY IF EXISTS audit_security_auditing;
CREATE AUDIT POLICY audit_security_auditing PRIVILEGES GRANT, REVOKE ON LABEL(rl_security_auditing) FILTER ON ROLES(user001);
7. user001 logs in to the database, executes the statement, and checks the audit log /var/log/postgresql
GRANT INSERT ON TABLE table_security_auditing TO user002;

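[Expected output]:
5. The audit log records the GRANT operation
7. The audit log records the GRANT and REVOKE operations
[Actual output]:
5. The audit log does not record the GRANT operation
7. The audit log records only the GRANT operation; the REVOKE operation is not recorded
[Root cause analysis]:

  1. Root cause of the problem
  2. How the problem was deduced
  3. What other causes could produce a similar symptom
  4. Whether a temporary workaround exists
  5. Solution to the problem
  6. Estimated time to fix

[Log information] (please attach log files, screenshots, coredump information):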

[Test code]:

Comments (1)

wan005 created the bug
wan005 set related repository to openGauss/openGauss-server

Hey @wan005 , Welcome to openGauss Community.
All of the projects in openGauss Community are maintained by @opengauss-bot .
That means the developers can comment below every pull request or issue to trigger Bot Commands.
Please follow instructions at https://gitee.com/opengauss/community/blob/master/contributors/command.en.md to find the details.

wan005 set assignee to 薛蒙恩
wan005 added kind/bug label
wan005 set priority to Main
wan005 changed issue state from To do to Canceled
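
The log checks in steps 5 and 7 of the report can be scripted. The following is an added example, not part of the original issue or of openGauss: it searches the file written by the rsyslog rule in the preconditions for a line that names the role, the table and each privilege action the policy audits. The function name `missing_audit_actions` and the sample log lines are constructed for illustration, and the record layout is an assumption.

```shell
#!/bin/sh
# Added example: report which audited privilege actions left no record.
# Usage: missing_audit_actions LOGFILE ROLE OBJECT ACTION...
# An action counts as recorded only if ROLE, OBJECT and ACTION all appear
# as whole words on the same line. Prints the actions with no such line and
# returns 1 if any are missing.
missing_audit_actions() {
    log=$1; role=$2; object=$3; shift 3
    missing=""
    for action in "$@"; do
        if ! grep -iwF -- "$role" "$log" | grep -iwF -- "$object" \
                | grep -qiwF -- "$action"; then
            missing="${missing:+$missing }$action"
        fi
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample logs. The line layout is an assumption, not captured
# openGauss output; only the role, table and action words matter to the check.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT

# Step 5 as reported: the policy audits GRANT but nothing reached the log.
: > "$sample_dir/step5.log"

# Step 7 as reported: GRANT by user001 is present, REVOKE by user001 is not.
# The second line belongs to another role and must not satisfy the check.
cat > "$sample_dir/step7.log" <<'EOF'
Sep 15 18:31:02 dbhost gaussdb[4242]: AUDIT EVENT: user name: [user001], privilege type: [GRANT ON TABLE public.table_security_auditing], result: [OK]
Sep 15 18:31:09 dbhost gaussdb[4242]: AUDIT EVENT: user name: [user002], privilege type: [REVOKE ON TABLE public.table_security_auditing], result: [OK]
EOF

missing_audit_actions "$sample_dir/step5.log" user001 \
    table_security_auditing GRANT \
    || echo "step 5: an audited action has no record"
missing_audit_actions "$sample_dir/step7.log" user001 \
    table_security_auditing GRANT REVOKE \
    || echo "step 7: an audited action has no record"
```

On a real system, pass /var/log/postgresql as LOGFILE after running the statements from the steps as user001.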
