STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

PostgreSQL must map the PKI-authenticated identity to an associated user account.

DISA Rule

SV-214149r508027_rule

Vulnerability Number

V-214149

Group Title

SRG-APP-000177-DB-000069

Rule Version

PGS9-00-011800

Severity

CAT II

CCI(s)

• CCI-000187 - The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.

Weight

10

Fix Recommendation

Configure PostgreSQL to map authenticated identities directly to PostgreSQL user accounts.

For information on configuring PostgreSQL to use SSL, see supplementary content APPENDIX-G.

Check Contents

The cn (Common Name) attribute of the certificate will be compared to the requested database user name, and if they match the login will be allowed.

To check the cn of the certificate, using openssl, do the following:

$ openssl x509 -noout -subject -in client_cert

If the cn does not match the users listed in PostgreSQL and no user mapping is used, this is a finding.

User name mapping can be used to allow cn to be different from the database user name. If User Name Maps are used, run the following as the database administrator (shown here as "postgres"), to get a list of maps used for authentication:

$ sudo su - postgres
$ grep "map" ${PGDATA?}/pg_hba.conf

With the names of the maps used, check those maps against the user name mappings in pg_ident.conf:

$ sudo su - postgres
$ cat ${PGDATA?}/pg_ident.conf

If user accounts are not being mapped to authenticated identities, this is a finding.

If the cn and the username mapping do not match, this is a finding.

Vulnerability Number

V-214149

Documentable

False

Rule Version

PGS9-00-011800

Severity Override Guidance

The cn (Common Name) attribute of the certificate will be compared to the requested database user name, and if they match the login will be allowed.

To check the cn of the certificate, using openssl, do the following:

$ openssl x509 -noout -subject -in client_cert

If the cn does not match the users listed in PostgreSQL and no user mapping is used, this is a finding.

User name mapping can be used to allow cn to be different from the database user name. If User Name Maps are used, run the following as the database administrator (shown here as "postgres"), to get a list of maps used for authentication:

$ sudo su - postgres
$ grep "map" ${PGDATA?}/pg_hba.conf

With the names of the maps used, check those maps against the user name mappings in pg_ident.conf:

$ sudo su - postgres
$ cat ${PGDATA?}/pg_ident.conf

If user accounts are not being mapped to authenticated identities, this is a finding.

If the cn and the username mapping do not match, this is a finding.

Check Content Reference

M

Target Key

3994

Comments