SV-224176r508023_rule
V-224176
SRG-APP-000211-DB-000122
EP11-00-005100
CAT II
10
Configure EDB Postgres Advanced Server to separate database administration and general user functionality.
Use the ALTER ROLE SQL command to remove the "SUPERUSER", "CREATEROLE", "CREATEDB", or "BYPASSRLS" attributes from user and group roles that are not authorized to hold them.
For example:
ALTER ROLE <username> NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;
Check EDB Postgres Advanced Server permission settings to verify that administrative functionality is kept separate from user functionality.
As a database superuser (e.g., enterprisedb), list the user and group roles and their permissions in an EDB Postgres Advanced Server instance by executing the following command in psql:
\du
If any non-administrative role has the attribute "Superuser", "Create role", "Create DB" or "Bypass RLS", this is a finding.
If administrator and general user functionality is not separated either physically or logically, this is a finding.
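The \du review above can also be run as catalog queries, which is easier to repeat and to diff between audits. This is an added example, not part of the STIG text; the list of authorized administrative roles is an assumption to replace with the site's own ("enterprisedb" comes from the check text, "dba_admin" is a hypothetical placeholder). The second query goes beyond the check text: these attributes are not inherited through membership, but a member can SET ROLE to a role that holds them.

```sql
-- Query 1: roles that hold an administrative attribute but are not on the
-- authorized list, with the ALTER ROLE statement that would remove it.
WITH authorized_admins(rolname) AS (
    VALUES ('enterprisedb'), ('dba_admin')   -- assumption: site-specific list
)
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper, r.rolcreaterole, r.rolcreatedb, r.rolbypassrls,
       format('ALTER ROLE %I%s;', r.rolname,
              concat(CASE WHEN r.rolsuper      THEN ' NOSUPERUSER'  END,
                     CASE WHEN r.rolcreatedb   THEN ' NOCREATEDB'   END,
                     CASE WHEN r.rolcreaterole THEN ' NOCREATEROLE' END,
                     CASE WHEN r.rolbypassrls  THEN ' NOBYPASSRLS'  END)
       ) AS proposed_fix               -- review before running; not applied here
FROM pg_catalog.pg_roles r
WHERE (r.rolsuper OR r.rolcreaterole OR r.rolcreatedb OR r.rolbypassrls)
  AND r.rolname NOT IN (SELECT rolname FROM authorized_admins)
ORDER BY r.rolname;

-- Query 2: unauthorized roles that are direct or indirect members of a role
-- holding an administrative attribute (reachable with SET ROLE).
WITH RECURSIVE authorized_admins(rolname) AS (
    VALUES ('enterprisedb'), ('dba_admin')   -- assumption: same list as above
),
reach(member, roleid) AS (
    SELECT m.member, m.roleid
    FROM pg_catalog.pg_auth_members m
    UNION                                    -- UNION removes duplicate paths
    SELECT re.member, m.roleid
    FROM reach re
    JOIN pg_catalog.pg_auth_members m ON m.member = re.roleid
)
SELECT mr.rolname AS member_role,
       pr.rolname AS reachable_privileged_role,
       pr.rolsuper, pr.rolcreaterole, pr.rolcreatedb, pr.rolbypassrls
FROM reach
JOIN pg_catalog.pg_roles mr ON mr.oid = reach.member
JOIN pg_catalog.pg_roles pr ON pr.oid = reach.roleid
WHERE (pr.rolsuper OR pr.rolcreaterole OR pr.rolcreatedb OR pr.rolbypassrls)
  AND mr.rolname NOT IN (SELECT rolname FROM authorized_admins)
ORDER BY mr.rolname, pr.rolname;
```

Any row returned by either query corresponds to a role to examine under the finding criteria above.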
False
M
4107