STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

DISA Rule

SV-224175r508023_rule

Vulnerability Number

V-224175

Group Title

SRG-APP-000180-DB-000115

Rule Version

EP11-00-005000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that every login is uniquely identifiable and that all non-organizational users who log onto the system are authenticated. This is typically achieved through a combination of application, operating system, and EDB Postgres Advanced Server configuration settings. Verify that the server documentation records every account and that each account maps to a single individual.

Check Contents

Review documentation, EDB Postgres Advanced Server settings, and authentication system settings to determine if non-organizational users are individually identified and authenticated when logging onto the system.

EDB Postgres Advanced Server uniquely identifies and authenticates database users through DBMS roles: each login role is a distinct identity, and group roles carry no login capability of their own.

To list the user and group roles in an EDB Postgres Advanced Server instance, execute the following command in psql as the enterprisedb user:

\du

If accounts are determined to be shared, determine if individuals are first individually authenticated. Where an application connects to EDB Postgres Advanced Server using a standard, shared account, ensure it also captures the individual user identification, and passes it to EDB Postgres Advanced Server.

If the EDB session audit log tagging feature is being used to capture individual user identification and organizational affiliation, review the EDB audit log to verify that the information documented as being required is logged to the "audit_tag" field. If the required information is not logged, this is a finding.
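The following SQL is an added example for the two checks above (role enumeration and session audit tagging); it is not part of the STIG text. The first query is equivalent to what the psql \du metacommand displays, so it can be run from any SQL client. The second part assumes a hypothetical shared application role named app_svc and a hypothetical end user "jdoe"; the application would run the SET after it has authenticated the individual itself, so that the identity appears in the audit_tag field of each EDB audit record for that session.

```sql
-- Added example, not part of the STIG. Assumes EDB Postgres Advanced Server
-- with edb_audit enabled and a hypothetical shared role "app_svc".

-- 1. Enumerate roles the way psql's \du does: name, whether the role can
--    log in, whether it is a superuser, password expiry, and group membership.
--    Each rolcanlogin = true row should map to one documented individual
--    (or to a documented shared application account).
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper,
       r.rolvaliduntil,
       ARRAY(SELECT b.rolname
               FROM pg_catalog.pg_auth_members m
               JOIN pg_catalog.pg_roles b ON m.roleid = b.oid
              WHERE m.member = r.oid) AS member_of
  FROM pg_catalog.pg_roles r
 WHERE r.rolname !~ '^pg_'        -- omit built-in pg_* roles
 ORDER BY r.rolname;

-- 2. Confirm session auditing is actually on; 'none' means no audit records
--    are written, so any audit_tag value would never be captured.
SHOW edb_audit;          -- expect 'csv' or 'xml'
SHOW edb_audit_connect;  -- expect 'all' so connections by app_svc are logged

-- 3. Shared-account pattern: the application connects as app_svc, then, once
--    it has authenticated the real end user, tags the session. Every audit
--    record for this session now carries the individual's identity and
--    organizational affiliation in the audit_tag field.
SET edb_audit_tag = 'end_user=jdoe;affiliation=non-organizational';
SHOW edb_audit_tag;      -- verify the tag took effect before issuing work

-- With a connection pool, scope the tag to one transaction so it cannot leak
-- to the next borrower of the pooled connection:
BEGIN;
SET LOCAL edb_audit_tag = 'end_user=jdoe;affiliation=non-organizational';
-- ... application statements for jdoe ...
COMMIT;
```

When reviewing the audit log, look for records from the shared role that have an empty audit_tag: those are sessions in which the application did not pass the individual identity through, which is the condition the check above treats as a finding.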

If the documentation indicates that this is a public-facing, read-only (from the point of view of public users) database that does not require individual authentication, this is not a finding.

If non-organizational users are not uniquely identified and authenticated, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

4107

Comments