STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-214113r548752_rule
V-214113
SRG-APP-000441-DB-000378
PGS9-00-007200
CAT II
10
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.
Implement protective measures against unauthorized disclosure and modification during preparation for transmission.
To configure PostgreSQL to use SSL, as a database administrator (shown here as "postgres"), edit postgresql.conf:
$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
Add the following parameter:
ssl = on
To change authentication requirements for the database, as the database administrator (shown here as "postgres"), edit pg_hba.conf:
$ sudo su - postgres
$ vi ${PGDATA?}/pg_hba.conf
Edit authentication requirements to the organizational requirements. See the official documentation for the complete list of options for authentication: http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
Now, as the system administrator, reload the server with the new configuration:
# SYSTEMD SERVER ONLY
$ sudo systemctl reload postgresql-${PGVER?}
# INITD SERVER ONLY
$ sudo service postgresql-${PGVER?} reload
For more information on configuring PostgreSQL to use SSL, see supplementary content APPENDIX-G.
: If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.
First, check if ssl is enabled for the database instance. As the database administrator (shown here as "postgres"), verify SSL is enabled by running the following from a command prompt:
$ sudo su - postgres
$ psql -c "SHOW ssl"
If SSL is not enabled, this is a finding.
Next, open the pg_hba.conf file in a viewer or editor and review the authentication settings that are configured in that file.
Next, verify hostssl entries in pg_hba.conf:
$ sudo su - postgres
$ grep hostssl ${PGDATA?}/pg_hba.conf
If hostssl entries do not contain clientcert=1, this is a finding.
If any uncommented lines are not of TYPE "hostssl" and do not include the "clientcert=1" authentication option and are not documented in the system security plan or equivalent document as being approved, this is a finding.
If PostgreSQL does not employ protective measures against unauthorized disclosure and modification during preparation for transmission, this is a finding.
V-214113
False
PGS9-00-007200
: If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.
First, check if ssl is enabled for the database instance. As the database administrator (shown here as "postgres"), verify SSL is enabled by running the following from a command prompt:
$ sudo su - postgres
$ psql -c "SHOW ssl"
If SSL is not enabled, this is a finding.
Next, open the pg_hba.conf file in a viewer or editor and review the authentication settings that are configured in that file.
Next, verify hostssl entries in pg_hba.conf:
$ sudo su - postgres
$ grep hostssl ${PGDATA?}/pg_hba.conf
If hostssl entries do not contain clientcert=1, this is a finding.
If any uncommented lines are not of TYPE "hostssl" and do not include the "clientcert=1" authentication option and are not documented in the system security plan or equivalent document as being approved, this is a finding.
If PostgreSQL does not employ protective measures against unauthorized disclosure and modification during preparation for transmission, this is a finding.
M
3994