On 2019-04-13 22:22:16 -0500, Ron wrote:
> In our case, another looming Auditor requirement is to be able to instantly
> kick off -- or at least send a warning email -- when certain roles log in
> from unapproved IP addresses or programs. For example, service accounts
> should only be able to log in from IP addresses and certain applications.
> Humans logging in via service accounts using pgAdmin should, for example, be
> instantly kicked off.
If you want to prevent a user from logging in (which is functionally
equivalent but a bit stronger than "instantly kick off"), then this is
definitely something that could and should be implemented via PAM (I'm
not sure what information is passed to PAM, so you might get the IP
address but not the application name (the latter can't be trusted
anyway), for example).
If you just want to send an email, I would just monitor the logs. Just
run a cronjob every minute that checks for suspicious activity. Or if
you collect your logfiles in something like ELKS (you probably want to
do that if you have auditing requirements, you can probably configure
that to send notifications.
If the "instantly kick off" doesn't have to be really instantly, you
could also monitor pg_stat_activity every second or so and terminate any
suspicious session. But note that this rather insecure: A session which
lasts for much less than a second has a good chance of flying under the
radar.
hp
--
_ | Peter J. Holzer | we build much bigger, better disasters now
|_|_) | | because we have much more sophisticated
| | | hjp@hjp.at | management tools.
__/ | http://www.hjp.at/ | -- Ross Anderson <https://www.edge.org/>