STIGQter: STIG Summary: Crunchy Data PostgreSQL Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:

The audit information produced by PostgreSQL must be protected from unauthorized read access.

DISA Rule

SV-233549r617333_rule

Vulnerability Number

V-233549

Group Title

SRG-APP-000118-DB-000059

Rule Version

CD12-00-004200

Severity

CAT II

CCI(s)

CCI-000162 - The information system protects audit information from unauthorized access.

Weight

Fix Recommendation

Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.

To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.

#### syslog Logging

If PostgreSQL is configured to use syslog for logging, consult organization location and permissions for syslog log files.

#### stderr Logging

If PostgreSQL is configured to use stderr for logging, permissions of the log files can be set in postgresql.conf.

As the database administrator (shown here as "postgres"), edit the following settings of logs in the postgresql.conf file:

Note: Consult the organization's documentation on acceptable log privileges.

$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
log_file_mode = 0600

Next, as the system administrator, reload the server with the new configuration:

$ sudo systemctl reload postgresql-${PGVER?}

Check Contents

Note: The following instructions use the PGLOG environment variable. See supplementary content APPENDIX-I for instructions on configuring PGLOG.

Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.

Verify there are appropriate controls and permissions to protect the audit information from unauthorized access.

#### syslog Logging

If PostgreSQL is configured to use syslog for logging, consult organization location and permissions for syslog log files.

#### stderr Logging

As the database administrator (shown here as "postgres"), check the current log_file_mode configuration by running the following:

Note: Consult the organization's documentation on acceptable log privileges.

$ sudo su - postgres
$ psql -c "SHOW log_file_mode"

If log_file_mode is not 600, this is a finding.

Next, verify the log files have the set permissions in ${PG_LOG?}:

$ ls -l ${PGLOG?}/
total 32
-rw-------. 1 postgres postgres 0 Apr 8 00:00 postgresql-Fri.log
-rw-------. 1 postgres postgres 8288 Apr 11 17:36 postgresql-Mon.log
-rw-------. 1 postgres postgres 0 Apr 9 00:00 postgresql-Sat.log
-rw-------. 1 postgres postgres 0 Apr 10 00:00 postgresql-Sun.log
-rw-------. 1 postgres postgres 16212 Apr 7 17:05 postgresql-Thu.log
-rw-------. 1 postgres postgres 1130 Apr 6 17:56 postgresql-Wed.log

If logs with 600 permissions do not exist in ${PG_LOG?}, this is a finding.

Vulnerability Number

V-233549

Documentable

False

Rule Version

CD12-00-004200

Severity Override Guidance

Check Content Reference

Target Key

5254

The audit information produced by PostgreSQL must be protected from unauthorized read access.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments