STIGQter: STIG Summary: EDB Postgres Advanced Server Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

The EDB Postgres Advanced Server must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.

DISA Rule

SV-213630r508024_rule

Vulnerability Number

V-213630

Group Title

SRG-APP-000427-DB-000385

Rule Version

PPS9-00-009100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove any certificate that was not issued by a valid DoD certificate authority.

Contact the organization's certificate issuer and request a new certificate that is issued by a valid DoD certificate authority.

Check Contents

Verify that the root.crt certificate was issued by a valid DoD entity.

> openssl x509 -in <postgresql data directory>/root.crt -text | grep -i "issuer"

(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)

If any issuers are listed that are not valid DoD certificate authorities, this is a finding.
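The check above, extended as an added example (not part of the STIG or of EDB's tooling): `openssl x509` reads only the first certificate in a file, and an issuer name is text that any certificate can carry, so this sketch inspects every certificate in a root.crt bundle and compares SHA-256 fingerprints against an approved list. The function name `audit_root_crt` and the allowlist file (one approved fingerprint per line, in the colon-separated form openssl prints, taken from the organization's authoritative CA source) are assumptions.

```shell
#!/bin/sh
# Added example, not from the STIG. audit_root_crt and the allowlist file
# are hypothetical names chosen for illustration.
#
# audit_root_crt BUNDLE ALLOWLIST
#   Prints one line per certificate found in BUNDLE.
#   Returns 0 if every fingerprint is in ALLOWLIST, 1 if any is not
#   (a finding), 2 if the inputs are unreadable or hold no certificate.
audit_root_crt() {
    bundle=$1
    allowlist=$2
    [ -r "$bundle" ] && [ -r "$allowlist" ] || { echo "unreadable input" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    # Split the bundle so that each PEM block lands in its own file.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    status=0
    found=0
    for pem in "$tmp"/cert.*.pem; do
        [ -e "$pem" ] || break
        found=1
        # Output looks like "sha256 Fingerprint=AB:CD:..."; keep the hex part.
        fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | cut -d= -f2)
        issuer=$(openssl x509 -in "$pem" -noout -issuer)
        # An empty fingerprint (unparseable certificate) is never approved.
        if [ -n "$fp" ] && grep -qixF "$fp" "$allowlist"; then
            echo "OK      $fp $issuer"
        else
            echo "FINDING $fp $issuer"
            status=1
        fi
    done
    rm -rf "$tmp"
    [ "$found" -eq 1 ] || { echo "no certificates in $bundle" >&2; return 2; }
    return $status
}
```

Call it as `audit_root_crt <postgresql data directory>/root.crt approved_fingerprints.txt`; any FINDING line identifies a certificate to remove under the fix recommendation.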

Vulnerability Number

V-213630

Documentable

False

Rule Version

PPS9-00-009100

Severity Override Guidance

Verify that the root.crt certificate was issued by a valid DoD entity.

> openssl x509 -in <postgresql data directory>/root.crt -text | grep -i "issuer"

(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)

If any issuers are listed that are not valid DoD certificate authorities, this is a finding.

Check Content Reference

M

Target Key

3988
