STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-224200r508023_rule
V-224200
SRG-APP-000378-DB-000365
EP11-00-008400
CAT II
10
Document and obtain approval for any non-administrative users who require the ability to create, alter, or replace logic modules.
Implement the approved permissions. Revoke (or deny) any unapproved permissions and remove any unauthorized role memberships.
Use the REVOKE SQL command to remove privileges from databases and schemas.
For example, to revoke create privileges on a database:
REVOKE CREATE ON DATABASE <database_name > FROM <role_name>;
To revoke create privileges on a database:
REVOKE CREATE ON SCHEMA <schema_name> FROM <role_name>;
If EDB Postgres supports only software development, experimentation, and/or developer-level testing (that is, excluding production systems, integration testing, stress testing, and user acceptance testing), this is not a finding.
Review the EDB Postgres security settings with respect to non-administrative users' ability to create, alter, or replace logic modules, to include but not necessarily only stored procedures, functions, triggers, and views. These following commands, which are run using psql, can help with showing existing permissions of databases and schemas:
\l
\dn+
Permissions of concern in this respect include the following, and possibly others:
- any database or schema with "C" (create) or "w" (update) privileges that are not necessary
If any such permissions exist and are not documented and approved, this is a finding.
V-224200
False
EP11-00-008400
If EDB Postgres supports only software development, experimentation, and/or developer-level testing (that is, excluding production systems, integration testing, stress testing, and user acceptance testing), this is not a finding.
Review the EDB Postgres security settings with respect to non-administrative users' ability to create, alter, or replace logic modules, to include but not necessarily only stored procedures, functions, triggers, and views. These following commands, which are run using psql, can help with showing existing permissions of databases and schemas:
\l
\dn+
Permissions of concern in this respect include the following, and possibly others:
- any database or schema with "C" (create) or "w" (update) privileges that are not necessary
If any such permissions exist and are not documented and approved, this is a finding.
M
4107