STIGQter: STIG Summary: Crunchy Data PostgreSQL Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:

If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords.

DISA Rule

SV-233596r617333_rule

Vulnerability Number

V-233596

Group Title

SRG-APP-000171-DB-000074

Rule Version

CD12-00-009500

Severity

CAT II

CCI(s)

• CCI-000196 - The information system, for password-based authentication, stores only cryptographically-protected passwords.

Weight

10

Fix Recommendation

Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.

To enable password_encryption, as the database administrator, edit postgresql.conf:


$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
password_encryption = 'scram-sha-256'

Institute a policy of not using the "WITH UNENCRYPTED PASSWORD" option with the CREATE ROLE/USER and ALTER ROLE/USER commands. (This option overrides the setting of the password_encryption configuration parameter).

As the system administrator, restart the server with the new configuration:

# SYSTEMD SERVER ONLY
$ sudo systemctl restart postgresql-${PGVER?}

Check Contents

Note: The following instructions use the PGVER environment variables. See supplementary content APPENDIX-H for PGVER.

To check if password encryption is enabled, as the database administrator (shown here as "postgres"), run the following SQL:

$ sudo su - postgres
$ psql -c "SHOW password_encryption"

If password_encryption is not "scram-sha-256", this is a finding.

Next, to identify if any passwords have been stored without being hashed and salted, as the database administrator (shown here as "postgres"), run the following SQL:

$ sudo su - postgres
$ psql -x -c "SELECT usename, passwd FROM pg_shadow WHERE passwd IS NULL AND passwd NOT LIKE 'SCRAM-SHA-256%';"

If any password is in plaintext, this is a finding.

Vulnerability Number

V-233596

Documentable

False

Rule Version

CD12-00-009500

Severity Override Guidance

Note: The following instructions use the PGVER environment variables. See supplementary content APPENDIX-H for PGVER.

To check if password encryption is enabled, as the database administrator (shown here as "postgres"), run the following SQL:

$ sudo su - postgres
$ psql -c "SHOW password_encryption"

If password_encryption is not "scram-sha-256", this is a finding.

Next, to identify if any passwords have been stored without being hashed and salted, as the database administrator (shown here as "postgres"), run the following SQL:

$ sudo su - postgres
$ psql -x -c "SELECT usename, passwd FROM pg_shadow WHERE passwd IS NULL AND passwd NOT LIKE 'SCRAM-SHA-256%';"

If any password is in plaintext, this is a finding.

Check Content Reference

M

Target Key

5254

Comments