Rule ID: SV-233547r617333_rule
Vuln ID: V-233547
SRG ID: SRG-APP-000381-DB-000361
STIG ID: CD12-00-004100
Severity: CAT II
Weight: 10

Fix Text:
Enable logging.
All denials are logged by default if logging is enabled. To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.
Check Text:
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.
To verify that system denials are logged when unprivileged users attempt to change database configuration, as the database administrator (shown here as "postgres"), run the following commands:
$ sudo su - postgres
$ psql
Next, create a role with no privileges, switch the current session to that role, and attempt to change a configuration parameter by running the following SQL:
CREATE ROLE bob;
SET ROLE bob;
SET pgaudit.role='test';
RESET ROLE;
DROP ROLE bob;
Now check ${PGLOG?} (use the latest log):
$ cat ${PGDATA?}/${PGLOG?}/postgresql-Thu.log
< 2016-01-28 17:57:34.092 UTC bob postgres: >ERROR: permission denied to set parameter "pgaudit.role"
< 2016-01-28 17:57:34.092 UTC bob postgres: >STATEMENT: SET pgaudit.role='test';
If the denial is not logged, this is a finding.
By default, PostgreSQL configuration files are owned by the postgres user and cannot be edited by non-privileged users:
$ ls -la ${PGDATA?} | grep postgresql.conf
-rw-------. 1 postgres postgres 21758 Jan 22 10:27 postgresql.conf
If postgresql.conf is not owned by the database owner and does not have read and write permissions for the owner, this is a finding.
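The following script is an added example and is not part of the STIG text or of any Crunchy Data tooling. It is a POSIX sh evaluator for the two pieces of evidence the check above asks an auditor to inspect: the log denial for SET pgaudit.role and the ownership and owner permissions of postgresql.conf. It assumes the log lines use the same layout as the sample output (the prefix before ERROR depends on the server's log_line_prefix setting), takes one line of "ls -la" output for postgresql.conf, and embeds the page's sample log lines in a temporary file so it runs without a database; the invocation against a live host is shown in a comment.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate the evidence for CD12-00-004100.
# The sample log file below is constructed here from the rule's expected output.

# denial_logged LOGFILE PARAM
# Exit 0 when LOGFILE records a "permission denied to set parameter" error
# for PARAM, i.e. the denial the check expects after SET pgaudit.role as bob.
denial_logged() {
    grep -q "ERROR:[[:space:]]*permission denied to set parameter \"$2\"" "$1"
}

# conf_perms_ok LS_LINE OWNER
# Exit 0 when the `ls -la` line shows the file owned by OWNER with read and
# write permission for the owner (characters 2-3 of the mode column).
conf_perms_ok() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    file_owner=$(printf '%s\n' "$1" | awk '{print $3}')
    owner_bits=$(printf '%s\n' "$mode" | cut -c2-3)
    [ "$file_owner" = "$2" ] && [ "$owner_bits" = "rw" ]
}

# evaluate LOGFILE LS_LINE OWNER
# Reports each part of the rule that is a finding; exit 0 only when both pass.
evaluate() {
    status=pass
    if ! denial_logged "$1" "pgaudit.role"; then
        echo "finding: denial of SET pgaudit.role not present in $1"
        status=finding
    fi
    if ! conf_perms_ok "$2" "$3"; then
        echo "finding: postgresql.conf is not owned by $3 with owner rw permissions"
        status=finding
    fi
    [ "$status" = pass ]
}

# Constructed sample evidence, copied from the rule's expected output.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
< 2016-01-28 17:57:34.092 UTC bob postgres: >ERROR: permission denied to set parameter "pgaudit.role"
< 2016-01-28 17:57:34.092 UTC bob postgres: >STATEMENT: SET pgaudit.role='test';
EOF
SAMPLE_LS='-rw-------. 1 postgres postgres 21758 Jan 22 10:27 postgresql.conf'
# Constructed counter-example: a root-owned, world-readable configuration file.
BAD_LS='-rw-r--r--. 1 root root 21758 Jan 22 10:27 postgresql.conf'

# On a live host, per the rule's own commands, the call would be:
#   evaluate "${PGDATA?}/${PGLOG?}/postgresql-Thu.log" \
#            "$(ls -la "${PGDATA?}" | grep postgresql.conf)" postgres
evaluate "$SAMPLE_LOG" "$SAMPLE_LS" postgres && echo "sample evidence: pass"
evaluate "$SAMPLE_LOG" "$BAD_LS" postgres || echo "root-owned conf: finding"
```

The permission test follows the check text literally (owner matches and the owner has read and write), so a file with the displayed mode -rw------- passes, while a root-owned file or a read-only file fails.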