STIGQter: STIG Summary: EDB Postgres Advanced Server Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: EDB Postgres Advanced Server Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-213633r557394_rule
V-213633
SRG-APP-000441-DB-000378
PPS9-00-009500
CAT II
10
To configure EDB Postgres Advanced Server to use SSL, open the ”postgresql.conf" file in an editor. Note that the default location for the postgresql.conf file is in the postgresql data directory. The location of the postgresql.conf for a running EDB Postgres instance can be found using the following command run from a command prompt:
psql -d <database name> -U <database superuser name> -c “SHOW config_file”
Where, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS).
In the postgresql.conf file, set the “ssl” parameter as follows:
ssl = on
Make sure the parameter is uncommented.
In order to start an EDB Postgres Advanced Server instance in SSL mode, files containing the server certificate and private key must exist. By default, these files are expected to exist in the Postgres data directory and are expected to be named server.crt and server.key, respectively. Update the ssl_cert_file and ssl_cert_key parameters in the postgresql.conf file if the files are placed in a different location or are named differently.
Note that changes to the SSL parameter setting and any of the other SSL-related parameters require a database server restart to be put the changes into effect.
To restart the database on a systemd server, issue the following command as the root user or a user with sudo access:
systemctl restart edb-as-<EPAS version>
Where, “<EPAS version>” is the major version of the EDB Postgres Advanced Server instance (e.g., 9.6).
To restart the database on an initd server, issue the following command as the root user or a user with sudo access:
service edb-as-<EDB Postgres version> restart
Where, “<EPAS version>” is the major version of the EDB Postgres Advanced Server instance (e.g., 9.6).
After verifying SSL is enabled for the database, open the pg_hba.conf file in an editor to configure the host-based authentication settings. Note the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found using the following command run from a command prompt:
psql -d <database name> -U <database superuser name> -c "SHOW hba_file"
Where, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS).
Obtain approval and document any uncommented entries with corresponding justification that are not of type hostssl and do not include the “clientcert=1” option.
For any entries that are not of type hostssl authentication with the “clientcert=1” option and not documented and approved, change the "TYPE" column to “hostssl” and add the “clientcert=1” authentication method option.
Note that changes to the host-based authentication settings require a database reload in order to apply the updated settings.
To reload the database on a systemd server, issue the following command as the root user or a user with sudo access:
systemctl reload edb-as-<EPAS version>
Where, “<EPAS version>” is the major version of the EDB Postgres Advanced Server instance (e.g., 9.6).
To reload the database on an initd server, issue the following command as the root user or a user with sudo access:
service edb-as-<EDB Postgres version> reload
Where, “<EPAS version>” is the major version of the EDB Postgres Advanced Server instance (e.g., 9.6).
For more information on configuring PostgreSQL to use SSL, consult the following documentation:
https://www.postgresql.org/docs/current/ssl-tcp.html
If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.
Open "<postgresql data directory>/pg_hba.conf" in a viewer or editor. (The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)
If any rows do not have TYPE of "hostssl" as well as a METHOD of "cert", this is a finding.
V-213633
False
PPS9-00-009500
If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.
Open "<postgresql data directory>/pg_hba.conf" in a viewer or editor. (The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)
If any rows do not have TYPE of "hostssl" as well as a METHOD of "cert", this is a finding.
M
3988