SV-233607r617333_rule
V-233607
SRG-APP-000121-DB-000202
CD12-00-010700
CAT II
10
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA, APPENDIX-H for PGVER and APPENDIX-I for PGLOG.
If PGLOG or PGDATA are not owned by postgres user and group, configure them as follows:
$ sudo chown -R postgres:postgres ${PGDATA?}
$ sudo chown -R postgres:postgres ${PGLOG?}
If the pgaudit installation is not owned by root user and group, configure it as follows:
$ sudo chown -R root:root /usr/pgsql-${PGVER?}/share/contrib/pgaudit
To remove superuser from a role, as the database administrator (shown here as "postgres"), run the following SQL:
$ sudo su - postgres
$ psql -c "ALTER ROLE <role-name> WITH NOSUPERUSER"
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA, APPENDIX-H for PGVER, and APPENDIX-I for PGLOG. Only the database owner and superuser can alter configuration of PostgreSQL.
Ensure the PGLOG directory is owned by postgres user and group:
$ sudo su - postgres
$ ls -la ${PGLOG?}
If PGLOG is not owned by the database owner, this is a finding.
Ensure the data directory is owned by postgres user and group:
$ sudo su - postgres
$ ls -la ${PGDATA?}
If PGDATA is not owned by the database owner, this is a finding.
Ensure pgaudit installation is owned by root:
$ sudo su - postgres
$ ls -la /usr/pgsql-${PGVER?}/share/contrib/pgaudit
If pgaudit installation is not owned by root, this is a finding.
Next, as the database administrator (shown here as "postgres"), run the following psql command to list all roles and their attributes:
$ sudo su - postgres
$ psql -x -c "\du"
If any role that is not authorized to be a superuser has the "Superuser" attribute, this is a finding.
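The check text above is written to be run by hand. The script below is an added example, not part of the STIG or of Crunchy Data's own tooling, that performs the same four checks in a form that can be scripted. It assumes GNU coreutils (stat -c), a psql on PATH that can connect as the database administrator, and an allowlist of roles permitted to hold the Superuser attribute (here only "postgres", which is an assumption for the example). Ownership is read with stat on the directory itself rather than from an `ls -la` listing, so the result does not depend on the files inside the directory.

```shell
#!/bin/sh
# Added example: scripted form of the PGDATA/PGLOG/pgaudit ownership checks
# and the superuser review. Assumes GNU stat and a reachable psql.

# check_owner DIR USER GROUP
# Returns 0 if DIR itself is owned by USER:GROUP, 1 otherwise (or if DIR is
# missing). Checks the directory inode, not its contents.
check_owner() {
    dir=$1
    want="$2:$3"
    have=$(stat -c '%U:%G' "$dir" 2>/dev/null) || {
        echo "$dir: not found (FINDING)"
        return 1
    }
    if [ "$have" = "$want" ]; then
        echo "$dir: owned by $have (ok)"
        return 0
    fi
    echo "$dir: owned by $have, expected $want (FINDING)"
    return 1
}

# filter_superusers ALLOWED
# Reads "rolname|rolsuper" lines on stdin, the format produced by
#   psql -At -c "SELECT rolname, rolsuper FROM pg_roles"
# and prints every superuser whose name is not in the space-separated
# ALLOWED list. Returns 0 if nothing unexpected was found, 1 otherwise.
filter_superusers() {
    allowed=" $1 "
    rc=0
    while IFS='|' read -r rolname rolsuper; do
        [ "$rolsuper" = "t" ] || continue
        case "$allowed" in
            *" $rolname "*) ;;
            *) echo "$rolname"; rc=1 ;;
        esac
    done
    return $rc
}

# audit
# Runs all checks against the local host. Requires PGDATA, PGLOG and PGVER
# to be set as described in APPENDIX-F, APPENDIX-H and APPENDIX-I.
# Exit status 0 means no finding; 1 means at least one finding was printed.
audit() {
    status=0
    check_owner "${PGDATA?}" postgres postgres || status=1
    check_owner "${PGLOG?}" postgres postgres || status=1
    check_owner "/usr/pgsql-${PGVER?}/share/contrib/pgaudit" root root || status=1
    # "postgres" as the only permitted superuser is an assumption; adjust to
    # the roles the site has authorized.
    unexpected=$(psql -At -c "SELECT rolname, rolsuper FROM pg_roles" \
                 | filter_superusers "postgres") || status=1
    if [ -n "$unexpected" ]; then
        printf 'roles with Superuser that are not authorized (FINDING):\n%s\n' "$unexpected"
    fi
    return $status
}

# Uncomment to run on a configured host:
# audit
```

Any role printed by the superuser step is remediated with the ALTER ROLE ... WITH NOSUPERUSER statement from the fix text; rerun audit afterwards to confirm the finding is cleared.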