STIGQter STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 1 Release: 6 Benchmark Date: 25 Oct 2019: Privileges to change PostgreSQL software modules must be limited.

DISA Rule

SV-87505r2_rule

Vulnerability Number

V-72853

Group Title

SRG-APP-000133-DB-000179

Rule Version

PGS9-00-000700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.

As the database administrator (shown here as "postgres"), change the ownership and permissions of configuration files in PGDATA:

$ sudo su - postgres
$ chown postgres:postgres ${PGDATA?}/postgresql.conf
$ chmod 0600 ${PGDATA?}/postgresql.conf

As the server administrator, change the ownership and permissions of shared objects in /usr/pgsql-${PGVER?}/*.so

$ sudo chown root:root /usr/pgsql-${PGVER?}/lib/*.so
$ sudo chmod 0755 /usr/pgsql-${PGVER?}/lib/*.so

As the service administrator, change the ownership and permissions of executables in /usr/pgsql-${PGVER?}/bin:

$ sudo chown root:root /usr/pgsql-${PGVER?}/bin/*
$ sudo chmod 0755 /usr/pgsql-${PGVER?}/bin/*

Check Contents

Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.

As the database administrator (shown here as "postgres"), check the permissions of configuration files for the database: 

$ sudo su - postgres 
$ ls -la ${PGDATA?} 

If any files are not owned by the database owner or have permissions allowing others to modify (write) configuration files, this is a finding. 

As the server administrator, check the permissions on the shared libraries for PostgreSQL: 

$ sudo ls -la /usr/pgsql-${PGVER?}
$ sudo ls -la /usr/pgsql-${PGVER?}/bin 
$ sudo ls -la /usr/pgsql-${PGVER?}/include 
$ sudo ls -la /usr/pgsql-${PGVER?}/lib 
$ sudo ls -la /usr/pgsql-${PGVER?}/share 

If any files are not owned by root or have permissions allowing others to modify (write) configuration files, this is a finding.

Vulnerability Number

V-72853

Documentable

False

Rule Version

PGS9-00-000700

Severity Override Guidance

Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.

As the database administrator (shown here as "postgres"), check the permissions of configuration files for the database: 

$ sudo su - postgres 
$ ls -la ${PGDATA?} 

If any files are not owned by the database owner or have permissions allowing others to modify (write) configuration files, this is a finding. 

As the server administrator, check the permissions on the shared libraries for PostgreSQL: 

$ sudo ls -la /usr/pgsql-${PGVER?}
$ sudo ls -la /usr/pgsql-${PGVER?}/bin 
$ sudo ls -la /usr/pgsql-${PGVER?}/include 
$ sudo ls -la /usr/pgsql-${PGVER?}/lib 
$ sudo ls -la /usr/pgsql-${PGVER?}/share 

If any files are not owned by root or have permissions allowing others to modify (write) configuration files, this is a finding.

Check Content Reference

M

Target Key

3087

Comments