STIGQter STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The audit information produced by PostgreSQL must be protected from unauthorized deletion.

DISA Rule

SV-214068r508027_rule

Vulnerability Number

V-214068

Group Title

SRG-APP-000120-DB-000061

Rule Version

PGS9-00-002300

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.

Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.

#### stderr Logging

With stderr logging enabled, as the database owner (shown here as "postgres"), set the following parameter in postgresql.conf:

$ vi ${PGDATA?}/postgresql.conf
log_file_mode = 0600

To change the owner and permissions of the log files, run the following:

$ chown postgres:postgres ${PGDATA?}/<log directory name>
$ chmod 0700 ${PGDATA?}/<log directory name>
$ chmod 600 ${PGDATA?}/<log directory name>/*.log

#### syslog Logging

If PostgreSQL is configured to use syslog for logging, the log files must be configured to be owned by root with 0600 permissions.

$ chown root:root <log directory name>/<log_filename>
$ chmod 0700 <log directory name>
$ chmod 0600 <log directory name>/*.log

Check Contents

Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.

Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.

Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification.

#### stderr Logging

If the PostgreSQL server is configured to use stderr for logging, the logs will be owned by the database administrator (shown here as "postgres") with a default permissions level of 0600. The permissions can be configured in postgresql.conf.

To check the permissions for log files in postgresql.conf, as the database administrator (shown here as "postgres"), run the following command:

$ sudo su - postgres

$ grep "log_file_mode" ${PGDATA?}/postgresql.conf

If the permissions are not 0600, this is a finding.

Next, navigate to where the logs are stored. This can be found by running the following command against postgresql.conf as the database administrator (shown here as "postgres"):

$ sudo su - postgres

$ grep "log_directory" ${PGDATA?}/postgresql.conf

With the log directory identified, as the database administrator (shown here as "postgres"), list the permissions of the logs:

$ sudo su - postgres

$ ls -la ${PGDATA?}/pg_log

If logs are not owned by the database administrator (shown here as "postgres") and are not the same permissions as configured in postgresql.conf, this is a finding.

#### syslog Logging

If the PostgreSQL server is configured to use syslog for logging, consult organization syslog setting for permissions and ownership of logs

Vulnerability Number

V-214068

Documentable

False

Rule Version

PGS9-00-002300

Severity Override Guidance

Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.

Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.

Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification.

#### stderr Logging

If the PostgreSQL server is configured to use stderr for logging, the logs will be owned by the database administrator (shown here as "postgres") with a default permissions level of 0600. The permissions can be configured in postgresql.conf.

To check the permissions for log files in postgresql.conf, as the database administrator (shown here as "postgres"), run the following command:

$ sudo su - postgres

$ grep "log_file_mode" ${PGDATA?}/postgresql.conf

If the permissions are not 0600, this is a finding.

Next, navigate to where the logs are stored. This can be found by running the following command against postgresql.conf as the database administrator (shown here as "postgres"):

$ sudo su - postgres

$ grep "log_directory" ${PGDATA?}/postgresql.conf

With the log directory identified, as the database administrator (shown here as "postgres"), list the permissions of the logs:

$ sudo su - postgres

$ ls -la ${PGDATA?}/pg_log

If logs are not owned by the database administrator (shown here as "postgres") and are not the same permissions as configured in postgresql.conf, this is a finding.

#### syslog Logging

If the PostgreSQL server is configured to use syslog for logging, consult organization syslog setting for permissions and ownership of logs

Check Content Reference

M

Target Key

3994

Comments