Skip to content

Commit

Permalink
audit log postgres session PID (#47645)
Browse files Browse the repository at this point in the history
  • Loading branch information
GavinFrazar authored Oct 22, 2024
1 parent 913f401 commit fe2536c
Show file tree
Hide file tree
Showing 6 changed files with 628 additions and 584 deletions.
4 changes: 4 additions & 0 deletions api/proto/teleport/legacy/types/events/events.proto
Original file line number Diff line number Diff line change
Expand Up @@ -2751,6 +2751,10 @@ message DatabaseSessionStart {
(gogoproto.embed) = true,
(gogoproto.jsontag) = ""
];
// PostgresPID is the Postgres backend PID that was created for a Postgres
// connection. This can be useful for backend process cancellation or
// termination and it is not a sensitive or secret value.
uint32 PostgresPID = 8 [(gogoproto.jsontag) = "postgres_pid,omitempty"];
}

// DatabaseSessionQuery is emitted when a user executes a database query.
Expand Down
1,198 changes: 615 additions & 583 deletions api/types/events/events.pb.go

Large diffs are not rendered by default.

5 changes: 4 additions & 1 deletion lib/srv/db/audit_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,10 @@ func TestAuditPostgres(t *testing.T) {
// Connect should trigger successful session start event.
psql, err := testCtx.postgresClient(ctx, "alice", "postgres", "postgres", "postgres")
require.NoError(t, err)
requireEvent(t, testCtx, libevents.DatabaseSessionStartCode)
startEvt, ok := requireEvent(t, testCtx, libevents.DatabaseSessionStartCode).(*events.DatabaseSessionStart)
require.True(t, ok)
require.NotNil(t, startEvt)
require.NotZero(t, startEvt.PostgresPID)

// Simple query should trigger the query event.
_, err = psql.Exec(ctx, "select 1").ReadAll()
Expand Down
1 change: 1 addition & 0 deletions lib/srv/db/common/audit.go
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,7 @@ func (a *audit) OnSessionStart(ctx context.Context, session *Session, sessionErr
Status: events.Status{
Success: true,
},
PostgresPID: session.PostgresPID,
}

// If the database session wasn't started successfully, emit
Expand Down
2 changes: 2 additions & 0 deletions lib/srv/db/common/session.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,8 @@ type Session struct {
LockTargets []types.LockTarget
// AuthContext is the identity context of the user.
AuthContext *authz.Context
// PostgresPID is the Postgres backend PID for the session.
PostgresPID uint32
}

// String returns string representation of the session parameters.
Expand Down
2 changes: 2 additions & 0 deletions lib/srv/db/postgres/engine.go
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,8 @@ func (e *Engine) HandleConnection(ctx context.Context, sessionCtx *common.Sessio
cancelAutoUserLease()
return trace.Wrap(err)
}
sessionCtx.PostgresPID = hijackedConn.PID
e.Log = e.Log.WithField("pg_backend_pid", hijackedConn.PID)
e.rawServerConn = hijackedConn.Conn
// Release the auto-users semaphore now that we've successfully connected.
cancelAutoUserLease()
Expand Down

0 comments on commit fe2536c

Please sign in to comment.