STIGQter: STIG Summary: EDB Postgres Advanced Server Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The EDB Postgres Advanced Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

DISA Rule

SV-213562r508024_rule

Vulnerability Number

V-213562

Group Title

SRG-APP-000023-DB-000001

Rule Version

PPS9-00-000700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Identify any user that is using "trust", "md5", or "password" as allowable access methods.

> grep -Ei '(trust|md5|password)' <postgresql data directory>/pg_hba.conf | grep -v '^[[:space:]]*#'

Document any rows that have "trust", "md5", or "password" specified for the "METHOD" column and obtain appropriate approval for each user specified in the "USER" column (i.e., all DBMS managed accounts).

For any users that are not documented and approved as DBMS managed accounts, change the "METHOD" column to one of the externally managed (not "trust", "md5", or "password") options defined here:

http://www.postgresql.org/docs/9.5/static/auth-methods.html

(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)

Check Contents

Verify that pg_hba.conf is not using "trust", "md5", or "password" as allowable access methods.

> grep -Ei '(trust|md5|password)' <postgresql data directory>/pg_hba.conf | grep -v '^[[:space:]]*#'

If any output is produced, verify the users are documented as being authorized to use one of these access methods.

If the users are not authorized to use these access methods, this is a finding.

(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)
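The one-line grep above also matches the words in comments, option values and database or role names, and it drops any rule that carries a trailing comment. As an added example (not part of the STIG or of EDB's tooling), the following script evaluates the METHOD column itself, handling trailing comments and the two-field ADDRESS form; the pg_hba.conf contents are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample pg_hba.conf (not from a real system).
SAMPLE_HBA=$(mktemp)
trap 'rm -f "$SAMPLE_HBA"' EXIT
cat > "$SAMPLE_HBA" <<'EOF'
# TYPE  DATABASE  USER      ADDRESS              METHOD
local   all       postgres                       peer
local   all       all                            md5      # legacy client
host    all       all       127.0.0.1/32         trust
host    all       app_svc   10.0.0.0 255.0.0.0   scram-sha-256
hostssl all       +dba      10.1.2.0/24          ldap ldapserver=ldap.example.com
host    all       all       ::1/128              password
EOF

# Print "LINE TYPE USER METHOD" for every active rule whose METHOD is
# trust, md5 or password. Comments are stripped first, so a trailing
# comment neither hides a rule nor produces a false match.
weak_hba_rules() {
    awk '
        { sub(/#.*/, "") }                 # drop full-line and trailing comments
        NF == 0 { next }                   # skip blank lines
        $1 !~ /^(local|host)/ { next }     # ignore include/unknown directives
        $1 == "local" { m = $4; user = $3 }
        $1 ~ /^host/ {
            # host rules carry an ADDRESS; when the netmask is a separate
            # dotted-quad field in $5, the METHOD shifts to $6.
            if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) m = $6; else m = $5
            user = $3
        }
        tolower(m) ~ /^(trust|md5|password)$/ { print NR, $1, user, m }
    ' "$1"
}

weak_hba_rules "$SAMPLE_HBA"
```

Each reported line is a candidate finding unless the named user is documented and approved as a DBMS-managed account.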

Severity Override Guidance

Verify that pg_hba.conf is not using "trust", "md5", or "password" as allowable access methods.

> grep -Ei '(trust|md5|password)' <postgresql data directory>/pg_hba.conf | grep -v '^[[:space:]]*#'

If any output is produced, verify the users are documented as being authorized to use one of these access methods.

If the users are not authorized to use these access methods, this is a finding.

(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)

Check Content Reference

M

Target Key

3988

Comments