STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

PostgreSQL must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

DISA Rule

SV-214148r508027_rule

Vulnerability Number

V-214148

Group Title

SRG-APP-000340-DB-000304

Rule Version

PGS9-00-011700

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure PostgreSQL security to protect all privileged functionality.

If pl/R and pl/Python are used, document their intended use, document users that have access to pl/R and pl/Python, as well as their business use case, such as data-analytics or data-mining. Because of the risks associated with using pl/R and pl/Python, their use must have AO risk acceptance.

To remove unwanted extensions, use:

DROP EXTENSION <extension_name>

To remove unwanted privileges from a role, use the REVOKE command.

See the PostgreSQL documentation for more details: http://www.postgresql.org/docs/current/static/sql-revoke.html
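The following statements are an added example of applying this fix on a PostgreSQL 9.x instance; they are not part of the STIG text. They run as a superuser (for instance through psql). The role names (app_user, analyst, dba_group), the schema analytics and the function analytics.run_model(text) are assumptions for illustration.

```sql
-- Added example (not from the STIG): remediation for PGS9-00-011700.
-- Role, schema and function names below are assumptions.

-- 1. Remove an untrusted procedural language that has no AO risk acceptance.
--    DROP EXTENSION refuses if functions still depend on the language; review
--    those functions first rather than reaching for CASCADE.
DROP EXTENSION IF EXISTS plpython3u;
DROP EXTENSION IF EXISTS plr;

-- 2. Where a language is kept under a documented use case, narrow what
--    non-privileged roles can reach. pl/Python and pl/R are untrusted, so only
--    superusers can create functions in them; the exposure is existing
--    functions that PUBLIC may execute, especially SECURITY DEFINER ones.
REVOKE EXECUTE ON FUNCTION analytics.run_model(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION analytics.run_model(text) TO analyst;

-- 3. Strip privileged attributes from a role that should not hold them.
--    (NOBYPASSRLS exists from 9.5 onward; drop it on older 9.x releases.)
ALTER ROLE app_user NOSUPERUSER NOCREATEROLE NOCREATEDB NOREPLICATION NOBYPASSRLS;

-- 4. Remove unwanted object privileges and privileged group membership;
--    membership in a DBA group role is itself a privilege.
REVOKE ALL PRIVILEGES ON SCHEMA analytics FROM app_user;
REVOKE dba_group FROM app_user;
```

Functions created in an untrusted language default to EXECUTE for PUBLIC like any other function, so the REVOKE in step 2 is the control that actually keeps non-privileged roles away from privileged code when the extension must stay.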

Check Contents

Review the system documentation to obtain the definition of the PostgreSQL functionality considered privileged in the context of the system in question.

Review the PostgreSQL security configuration and/or other means used to protect privileged functionality from unauthorized use.

If the configuration does not protect all of the actions defined as privileged, this is a finding.

If the PostgreSQL instance uses procedural languages, such as pl/Python or pl/R, without AO authorization, this is a finding.
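The queries below are an added example of working this check on a PostgreSQL 9.x instance; they are not part of the STIG text and do not change any state. Run them as a superuser and compare the output against the system documentation's list of privileged functionality, authorized languages and privileged roles. The schema exclusions are an assumption to keep catalog-internal functions out of the result.

```sql
-- Added example (not from the STIG): read-only audit queries for PGS9-00-011700.

-- 1. Installed procedural languages and whether each is trusted.
--    pl/Python (plpythonu, plpython3u) and pl/R (plr) are untrusted; any hit
--    must be matched against an AO authorization or it is a finding.
SELECT lanname, lanpltrusted, lanacl
FROM   pg_language
WHERE  lanispl;

-- 2. Installed extensions, to spot plpython*/plr and anything else undocumented.
SELECT e.extname, e.extversion, n.nspname AS schema
FROM   pg_extension e
JOIN   pg_namespace n ON n.oid = e.extnamespace
ORDER  BY e.extname;

-- 3. Roles holding privileged attributes; each should appear on the documented list.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolreplication
FROM   pg_roles
WHERE  rolsuper OR rolcreaterole OR rolcreatedb OR rolreplication
ORDER  BY rolname;

-- 4. Functions written in an untrusted language, or declared SECURITY DEFINER,
--    that PUBLIC may execute. These let a non-privileged role run privileged
--    code, which is exactly what the rule forbids.
SELECT n.nspname AS schema, p.proname AS function, l.lanname, p.prosecdef
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_language  l ON l.oid = p.prolang
WHERE  ((l.lanispl AND NOT l.lanpltrusted) OR p.prosecdef)
AND    has_function_privilege('public', p.oid, 'EXECUTE')
AND    n.nspname NOT IN ('pg_catalog', 'information_schema')  -- assumed exclusions
ORDER  BY n.nspname, p.proname;
```

A row from query 4 is not automatically a finding on its own, but it is the point where the system documentation's definition of "privileged" has to be checked: if the function does privileged work and PUBLIC can execute it, the configuration does not protect that action.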

Vulnerability Number

V-214148

Documentable

False

Rule Version

PGS9-00-011700

Severity Override Guidance

Review the system documentation to obtain the definition of the PostgreSQL functionality considered privileged in the context of the system in question.

Review the PostgreSQL security configuration and/or other means used to protect privileged functionality from unauthorized use.

If the configuration does not protect all of the actions defined as privileged, this is a finding.

If the PostgreSQL instance uses procedural languages, such as pl/Python or pl/R, without AO authorization, this is a finding.

Check Content Reference

M

Target Key

3994

Comments