STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

PostgreSQL must maintain the confidentiality and integrity of information during reception.

DISA Rule

SV-214073r548754_rule

Vulnerability Number

V-214073

Group Title

SRG-APP-000442-DB-000379

Rule Version

PGS9-00-003000

Severity

CAT II

CCI(s)

• CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.

Weight

10

Fix Recommendation

Implement protective measures against unauthorized disclosure and modification during reception.

To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G for instructions on enabling SSL.

Check Contents

If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.
First, check if ssl is enabled for the database instance. As the database administrator (shown here as "postgres"), verify SSL is enabled by running the following from a command prompt:

$ sudo su - postgres
$ psql -c "SHOW ssl"

If SSL is not enabled, this is a finding.
Next, open the pg_hba.conf file in a viewer or editor and review the authentication settings that are configured in that file.

Next, verify hostssl entries in pg_hba.conf:

$ sudo su - postgres
$ grep hostssl ${PGDATA?}/pg_hba.conf

If hostssl entries do not contain clientcert=1, this is a finding.
If any uncommented lines are not of TYPE "hostssl" and do not include the "clientcert=1" authentication option and are not documented in the system security plan or equivalent document as being approved, this is a finding.
If PostgreSQL, associated applications, and infrastructure do not employ protective measures against unauthorized disclosure and modification during reception, this is a finding.

Vulnerability Number

V-214073

Documentable

False

Rule Version

PGS9-00-003000

Severity Override Guidance

If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.
First, check if ssl is enabled for the database instance. As the database administrator (shown here as "postgres"), verify SSL is enabled by running the following from a command prompt:

$ sudo su - postgres
$ psql -c "SHOW ssl"

If SSL is not enabled, this is a finding.
Next, open the pg_hba.conf file in a viewer or editor and review the authentication settings that are configured in that file.

Next, verify hostssl entries in pg_hba.conf:

$ sudo su - postgres
$ grep hostssl ${PGDATA?}/pg_hba.conf

If hostssl entries do not contain clientcert=1, this is a finding.
If any uncommented lines are not of TYPE "hostssl" and do not include the "clientcert=1" authentication option and are not documented in the system security plan or equivalent document as being approved, this is a finding.
If PostgreSQL, associated applications, and infrastructure do not employ protective measures against unauthorized disclosure and modification during reception, this is a finding.

Check Content Reference

M

Target Key

3994

Comments