STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-214051r508027_rule
V-214051
SRG-APP-000119-DB-000060
PGS9-00-000400
CAT II
10
To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
#### stderr Logging
With stderr logging enabled, as the database owner (shown here as "postgres"), set the following parameter in postgresql.conf:
$ vi ${PGDATA?}/postgresql.conf
log_file_mode = 0600
To change the owner and permissions of the log files, run the following:
$ chown postgres:postgres ${PGDATA?}/<log directory name>
$ chmod 0700 ${PGDATA?}/<log directory name>
$ chmod 600 ${PGDATA?}/<log directory name>/*.log
#### syslog Logging
If PostgreSQL is configured to use syslog for logging, the log files must be configured to be owned by root with 0600 permissions.
$ chown root:root <log directory name>/<log_filename>
$ chmod 0700 <log directory name>
$ chmod 0600 <log directory name>/*.log
Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.
Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification.
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
#### stderr Logging
If the PostgreSQL server is configured to use stderr for logging, the logs will be owned by the database owner (usually postgres user) with a default permissions level of 0600. The permissions can be configured in postgresql.conf.
To check the permissions for log files in postgresql.conf, as the database owner (shown here as "postgres"), run the following command:
$ sudo su - postgres
$ grep "log_file_mode" ${PGDATA?}/postgresql.conf
If the permissions are not 0600, this is a finding.
Next, navigate to where the logs are stored. This can be found by running the following command against postgresql.conf as the database owner (shown here as "postgres"):
$ sudo su - postgres
$ grep "log_directory" ${PGDATA?}/postgresql.conf
With the log directory identified, as the database owner (shown here as "postgres"), list the permissions of the logs:
$ sudo su - postgres
$ ls -la ${PGDATA?}/pg_log
If logs are not owned by the database owner (shown here as "postgres") and are not the same permissions as configured in postgresql.conf, this is a finding.
#### syslog Logging
If the PostgreSQL server is configured to use syslog for logging, consult the organization syslog setting for permissions and ownership of logs.
V-214051
False
PGS9-00-000400
Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.
Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification.
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
#### stderr Logging
If the PostgreSQL server is configured to use stderr for logging, the logs will be owned by the database owner (usually postgres user) with a default permissions level of 0600. The permissions can be configured in postgresql.conf.
To check the permissions for log files in postgresql.conf, as the database owner (shown here as "postgres"), run the following command:
$ sudo su - postgres
$ grep "log_file_mode" ${PGDATA?}/postgresql.conf
If the permissions are not 0600, this is a finding.
Next, navigate to where the logs are stored. This can be found by running the following command against postgresql.conf as the database owner (shown here as "postgres"):
$ sudo su - postgres
$ grep "log_directory" ${PGDATA?}/postgresql.conf
With the log directory identified, as the database owner (shown here as "postgres"), list the permissions of the logs:
$ sudo su - postgres
$ ls -la ${PGDATA?}/pg_log
If logs are not owned by the database owner (shown here as "postgres") and are not the same permissions as configured in postgresql.conf, this is a finding.
#### syslog Logging
If the PostgreSQL server is configured to use syslog for logging, consult the organization syslog setting for permissions and ownership of logs.
M
3994