STIGQter STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

PostgreSQL must protect its audit configuration from unauthorized modification.

DISA Rule

SV-214152r508027_rule

Vulnerability Number

V-214152

Group Title

SRG-APP-000122-DB-000203

Rule Version

PGS9-00-012200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Apply or modify access controls and permissions (both within PostgreSQL and in the file system/operating system) to tools used to view or modify audit log data. Tools must be configurable by authorized personnel only.

$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
log_file_mode = 0600

Next, as the database administrator (shown here as "postgres"), change the ownership and permissions of configuration files in PGDATA:

$ sudo su - postgres
$ chown postgres:postgres ${PGDATA?}/*.conf
$ chmod 0600 ${PGDATA?}/*.conf

Check Contents

All configurations for auditing and logging can be found in the postgresql.conf configuration file. By default, this file is owned by the database administrator account.

To check that the permissions of the postgresql.conf are owned by the database administrator with permissions of 0600, run the following as the database administrator (shown here as "postgres"):

$ sudo su - postgres
$ ls -la ${PGDATA?}

If postgresql.conf is not owned by the database administrator or does not have 0600 permissions, this is a finding.

#### stderr Logging

To check that logs are created with 0600 permissions, check the postgresql.conf file for the following setting:

$ sudo su - postgres
$ psql -c "SHOW log_file_mode"

If permissions are not 0600, this is a finding.

#### syslog Logging

If PostgreSQL is configured to use syslog, verify that the logs are owned by root and have 0600 permissions. If they are not, this is a finding.

Vulnerability Number

V-214152

Documentable

False

Rule Version

PGS9-00-012200

Severity Override Guidance

All configurations for auditing and logging can be found in the postgresql.conf configuration file. By default, this file is owned by the database administrator account.

To check that the permissions of the postgresql.conf are owned by the database administrator with permissions of 0600, run the following as the database administrator (shown here as "postgres"):

$ sudo su - postgres
$ ls -la ${PGDATA?}

If postgresql.conf is not owned by the database administrator or does not have 0600 permissions, this is a finding.

#### stderr Logging

To check that logs are created with 0600 permissions, check the postgresql.conf file for the following setting:

$ sudo su - postgres
$ psql -c "SHOW log_file_mode"

If permissions are not 0600, this is a finding.

#### syslog Logging

If PostgreSQL is configured to use syslog, verify that the logs are owned by root and have 0600 permissions. If they are not, this is a finding.

Check Content Reference

M

Target Key

3994

Comments