STIGQter: STIG Summary: Crunchy Data PostgreSQL Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:

PostgreSQL must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

DISA Rule

SV-233614r617333_rule

Vulnerability Number

V-233614

Group Title

SRG-APP-000340-DB-000304

Rule Version

CD12-00-011700

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure PostgreSQL security to protect all privileged functionality.

If pl/R and pl/Python are used, document their intended use, document the users that have access to pl/R and pl/Python, and document their business use case, such as data analytics or data mining. Because of the risks associated with using pl/R and pl/Python, their use must have AO risk acceptance.

To remove unwanted extensions, use:

DROP EXTENSION <extension_name>

To remove unwanted privileges from a role, use the REVOKE command.

See the PostgreSQL documentation for more details: http://www.postgresql.org/docs/current/static/sql-revoke.html.

Check Contents

Review the system documentation to obtain the definition of the PostgreSQL functionality considered privileged in the context of the system in question.

Review the PostgreSQL security configuration and/or other means used to protect privileged functionality from unauthorized use.

If the configuration does not protect all of the actions defined as privileged, this is a finding.

If the PostgreSQL instance uses procedural languages, such as pl/Python or pl/R, without Authorizing Official (AO) authorization, this is a finding.
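The following SQL is an added example for both the Check Contents and the Fix Recommendation above; it is not part of the STIG text. The review queries list installed procedural languages, the extensions that provide pl/Python and pl/R, the functions written in them, and the roles holding privileged attributes, so the output can be compared against the system documentation. The fix statements then show DROP EXTENSION and REVOKE as the STIG directs. The schema, function and role names (analytics.score_rows, analytics_role, app_user, admin_role) are placeholders.

```sql
-- Added example, not part of the STIG. Run as a superuser against the
-- instance under review. Names such as analytics_role are placeholders.

-- Check 1: installed procedural languages. lanpltrusted = true means
-- non-superusers can create functions in the language if they hold USAGE
-- (shown in lanacl); pl/Python and pl/R are untrusted, so only superusers
-- can create functions in them.
SELECT lanname, lanpltrusted, lanacl
FROM   pg_language
WHERE  lanname NOT IN ('internal', 'c', 'sql');

-- Check 2: extensions that provide the languages named in the STIG.
-- Any row here needs a documented use case and AO risk acceptance.
SELECT extname, extversion
FROM   pg_extension
WHERE  extname IN ('plpythonu', 'plpython2u', 'plpython3u', 'plr');

-- Check 3: functions already written in those languages, whether they run
-- as SECURITY DEFINER, and who may execute them (proacl NULL = default,
-- which grants EXECUTE to PUBLIC). Although only superusers can *create*
-- such functions, any role can *call* them unless EXECUTE is revoked.
SELECT n.nspname, p.proname, l.lanname,
       p.prosecdef AS security_definer, p.proacl
FROM   pg_proc p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  l.lanname IN ('plpythonu', 'plpython2u', 'plpython3u', 'plr');

-- Check 4: roles holding privileged attributes. Each must appear in the
-- system documentation's list of privileged users.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls
FROM   pg_roles
WHERE  rolsuper OR rolcreaterole OR rolcreatedb OR rolbypassrls;

-- Fix A: remove a language extension that has no AO-accepted use.
-- CASCADE also drops every function written in that language, so review
-- the output of Check 3 before running this.
DROP EXTENSION IF EXISTS plpython3u CASCADE;
DROP EXTENSION IF EXISTS plr CASCADE;

-- Fix B: if the language must stay, restrict who can call the functions
-- written in it. GRANT/REVOKE USAGE is not allowed on untrusted languages,
-- so the control point is EXECUTE on each function.
-- (analytics.score_rows(integer) and analytics_role are placeholders.)
REVOKE EXECUTE ON FUNCTION analytics.score_rows(integer) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION analytics.score_rows(integer) TO analytics_role;

-- Fix C: remove unwanted privileges from a role with REVOKE, as the STIG
-- directs. Role membership is also revoked this way. (placeholder names)
REVOKE admin_role FROM app_user;
REVOKE ALL ON SCHEMA analytics FROM app_user;

-- Re-run Checks 1 to 4 afterwards; every remaining row should match a
-- documented, AO-accepted entry, otherwise the finding stands.
```

Check 3 is the one most often overlooked: removing the ability to create pl/Python or pl/R functions does nothing about functions that already exist, and those are executable by PUBLIC by default, so the REVOKE EXECUTE in Fix B is what actually keeps non-privileged users away from the privileged functionality.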

Vulnerability Number

V-233614

Documentable

False

Rule Version

CD12-00-011700

Severity Override Guidance

Review the system documentation to obtain the definition of the PostgreSQL functionality considered privileged in the context of the system in question.

Review the PostgreSQL security configuration and/or other means used to protect privileged functionality from unauthorized use.

If the configuration does not protect all of the actions defined as privileged, this is a finding.

If the PostgreSQL instance uses procedural languages, such as pl/Python or pl/R, without Authorizing Official (AO) authorization, this is a finding.

Check Content Reference

M

Target Key

5254

Comments