STIGQter STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 1 Release: 6 Benchmark Date: 25 Oct 2019: The audit information produced by PostgreSQL must be protected from unauthorized modification.

DISA Rule

SV-87499r2_rule

Vulnerability Number

V-72847

Group Title

SRG-APP-000119-DB-000060

Rule Version

PGS9-00-000400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.

Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.

#### stderr Logging

With stderr logging enabled, as the database owner (shown here as "postgres"), set the following parameter in postgresql.conf:

$ vi ${PGDATA?}/postgresql.conf
log_file_mode = 0600

To change the owner and permissions of the log files, run the following:

$ chown postgres:postgres ${PGDATA?}/<log directory name>
$ chmod 0700 ${PGDATA?}/<log directory name>
$ chmod 600 ${PGDATA?}/<log directory name>/*.log

#### syslog Logging

If PostgreSQL is configured to use syslog for logging, the log files must be configured to be owned by root with 0600 permissions.

$ chown root:root <log directory name>/<log_filename>
$ chmod 0700 <log directory name>
$ chmod 0600 <log directory name>/*.log

Check Contents

Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.

Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification.

Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.

#### stderr Logging

If the PostgreSQL server is configured to use stderr for logging, the logs will be owned by the database owner (usually postgres user) with a default permissions level of 0600. The permissions can be configured in postgresql.conf.

To check the permissions for log files in postgresql.conf, as the database owner (shown here as "postgres"), run the following command:

$ sudo su - postgres
$ grep "log_file_mode" ${PGDATA?}/postgresql.conf

If the permissions are not 0600, this is a finding.

Next, navigate to where the logs are stored. This can be found by running the following command against postgresql.conf as the database owner (shown here as "postgres"):

$ sudo su - postgres
$ grep "log_directory" ${PGDATA?}/postgresql.conf

With the log directory identified, as the database owner (shown here as "postgres"), list the permissions of the logs:

$ sudo su - postgres
$ ls -la ${PGDATA?}/pg_log

If logs are not owned by the database owner (shown here as "postgres") and are not the same permissions as configured in postgresql.conf, this is a finding.

#### syslog Logging

If the PostgreSQL server is configured to use syslog for logging, consult the organization syslog setting for permissions and ownership of logs.

Vulnerability Number

V-72847

Documentable

False

Rule Version

PGS9-00-000400

Severity Override Guidance

Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.

Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification.

Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.

#### stderr Logging

If the PostgreSQL server is configured to use stderr for logging, the logs will be owned by the database owner (usually postgres user) with a default permissions level of 0600. The permissions can be configured in postgresql.conf.

To check the permissions for log files in postgresql.conf, as the database owner (shown here as "postgres"), run the following command:

$ sudo su - postgres
$ grep "log_file_mode" ${PGDATA?}/postgresql.conf

If the permissions are not 0600, this is a finding.

Next, navigate to where the logs are stored. This can be found by running the following command against postgresql.conf as the database owner (shown here as "postgres"):

$ sudo su - postgres
$ grep "log_directory" ${PGDATA?}/postgresql.conf

With the log directory identified, as the database owner (shown here as "postgres"), list the permissions of the logs:

$ sudo su - postgres
$ ls -la ${PGDATA?}/pg_log

If logs are not owned by the database owner (shown here as "postgres") and are not the same permissions as configured in postgresql.conf, this is a finding.

#### syslog Logging

If the PostgreSQL server is configured to use syslog for logging, consult the organization syslog setting for permissions and ownership of logs.

Check Content Reference

M

Target Key

3087

Comments