STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

PostgreSQL must prohibit user installation of logic modules (functions, trigger procedures, views, etc.) without explicit privileged status.

DISA Rule

SV-214121r508027_rule

Vulnerability Number

V-214121

Group Title

SRG-APP-000378-DB-000365

Rule Version

PGS9-00-008400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Document and obtain approval for any non-administrative users who require the ability to create, alter or replace logic modules.

Implement the approved permissions. Revoke any unapproved permissions.

Check Contents

If PostgreSQL supports only software development, experimentation and/or developer-level testing (that is, excluding production systems, integration testing, stress testing, and user acceptance testing), this is not a finding.

Review PostgreSQL and database security settings with respect to non-administrative users' ability to create, alter, or replace logic modules, to include but not necessarily only stored procedures, functions, triggers, and views.

To list the privileges for all tables and schemas, as the database administrator (shown here as "postgres"), run the following:

$ sudo su - postgres
$ psql -c "\dp"
$ psql -c "\dn+"

The privileges are as follows:

rolename=xxxx -- privileges granted to a role
=xxxx -- privileges granted to PUBLIC

r -- SELECT ("read")
w -- UPDATE ("write")
a -- INSERT ("append")
d -- DELETE
D -- TRUNCATE
x -- REFERENCES
t -- TRIGGER
X -- EXECUTE
U -- USAGE
C -- CREATE
c -- CONNECT
T -- TEMPORARY
arwdDxt -- ALL PRIVILEGES (for tables, varies for other objects)
* -- grant option for preceding privilege

/yyyy -- role that granted this privilege

If any such permissions exist and are not documented and approved, this is a finding.
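The check above relies on reading the aclitem notation that psql prints (rolename=privileges/grantor, with an empty role name meaning PUBLIC and a trailing "*" meaning grant option). The following is an added example, not part of the STIG or of STIGQter: it parses that notation and flags schemas where CREATE (C) is held by PUBLIC or by a role not on an approved list. The schema rows, the role names and the approved list are constructed assumptions standing in for what "\dn+" would report on a real system.

```python
"""Parse PostgreSQL aclitem strings as shown by psql's \\dp and \\dn+ and flag
CREATE privileges held by PUBLIC or by roles outside an approved list."""

from dataclasses import dataclass

# Privilege letters as documented in the STIG check text.
PRIV_NAMES = {
    "r": "SELECT", "w": "UPDATE", "a": "INSERT", "d": "DELETE",
    "D": "TRUNCATE", "x": "REFERENCES", "t": "TRIGGER", "X": "EXECUTE",
    "U": "USAGE", "C": "CREATE", "c": "CONNECT", "T": "TEMPORARY",
}


@dataclass
class AclEntry:
    grantee: str   # "PUBLIC" when the part before '=' is empty
    privs: dict    # privilege letter -> True if granted WITH GRANT OPTION
    grantor: str   # role after '/', the one that granted these privileges

    def has(self, letter):
        return letter in self.privs

    def grant_option(self, letter):
        return self.privs.get(letter, False)


def parse_acl_item(item):
    """Parse one entry such as 'appuser=UC*/postgres' or '=UC/postgres'."""
    grantee, _, rest = item.partition("=")
    letters, _, grantor = rest.partition("/")
    privs = {}
    i = 0
    while i < len(letters):
        letter = letters[i]
        if letter not in PRIV_NAMES:
            raise ValueError(f"unknown privilege letter {letter!r} in {item!r}")
        grant_option = letters[i + 1:i + 2] == "*"   # '*' follows the letter
        privs[letter] = grant_option
        i += 2 if grant_option else 1
    return AclEntry(grantee or "PUBLIC", privs, grantor)


def parse_acl_cell(cell):
    """A \\dn+ 'Access privileges' cell holds one aclitem per line; aligned
    output marks continued lines with a trailing '+'. An empty cell means no
    ACL has been set, so only the owner holds privileges."""
    entries = []
    for line in cell.splitlines():
        line = line.strip().rstrip("+").strip()
        if line:
            entries.append(parse_acl_item(line))
    return entries


def unapproved_create_grants(schema_rows, approved_roles):
    """Return (schema, grantee, with_grant_option) for every CREATE grant
    held by someone other than the schema owner or an approved role."""
    findings = []
    for schema, owner, acl in schema_rows:
        for entry in parse_acl_cell(acl):
            if not entry.has("C"):
                continue
            if entry.grantee == owner or entry.grantee in approved_roles:
                continue
            findings.append((schema, entry.grantee, entry.grant_option("C")))
    return findings


# Constructed sample: (schema, owner, access privileges cell) as \dn+ would
# report them. The "=UC/postgres" entry on the public schema is the stock
# PostgreSQL 9.x default; "developer" and "appuser" are made-up roles.
SAMPLE_SCHEMAS = [
    ("public", "postgres", "postgres=UC/postgres\n=UC/postgres"),
    ("app", "postgres",
     "postgres=UC/postgres\nappuser=U/postgres\ndeveloper=UC*/postgres"),
    ("reports", "postgres", ""),
]

# Assumed approval list: only the DBA role may hold CREATE on schemas.
APPROVED_ROLES = {"postgres"}


if __name__ == "__main__":
    for schema, grantee, go in unapproved_create_grants(SAMPLE_SCHEMAS, APPROVED_ROLES):
        extra = " (with grant option)" if go else ""
        print(f"FINDING: {grantee} holds CREATE on schema {schema}{extra}")
```

Run against live output by feeding it the rows from "\dn+"; the same parser applies to the "\dp" table ACL column because both use the identical aclitem notation. A finding on PUBLIC for the public schema is the expected result on an unhardened 9.x instance, since the default allows every role to create objects there.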

Vulnerability Number

V-214121

Documentable

False

Rule Version

PGS9-00-008400

Severity Override Guidance

Check Content Reference

M

Target Key

3994

Comments