SV-214052r508027_rule
V-214052
SRG-APP-000023-DB-000001
PGS9-00-000500
CAT II
10
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
Integrate PostgreSQL security with an organization-level authentication/access mechanism providing account management for all users, groups, roles, and any other principals.
As the database administrator (shown here as "postgres"), edit pg_hba.conf authentication file:
$ sudo su - postgres
$ vi ${PGDATA?}/pg_hba.conf
For each PostgreSQL-managed account that is not documented and approved, either transfer it to management by the external mechanism, or document the need for it and obtain approval, as appropriate.
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
If all accounts are authenticated by the organization-level authentication/access mechanism, such as LDAP or Kerberos and not by PostgreSQL, this is not a finding.
As the database administrator (shown here as "postgres"), review pg_hba.conf authentication file settings:
$ sudo su - postgres
$ cat ${PGDATA?}/pg_hba.conf
All records must use an auth-method of gss, sspi, or ldap. For details on the specifics of these authentication methods see: http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
If there are any records with a different auth-method than gss, sspi, or ldap, review the system documentation for justification and approval of these records.
If there are any records with a different auth-method than gss, sspi, or ldap, that are not documented and approved, this is a finding.
V-214052
False
PGS9-00-000500
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
If all accounts are authenticated by the organization-level authentication/access mechanism, such as LDAP or Kerberos and not by PostgreSQL, this is not a finding.
As the database administrator (shown here as "postgres"), review pg_hba.conf authentication file settings:
$ sudo su - postgres
$ cat ${PGDATA?}/pg_hba.conf
All records must use an auth-method of gss, sspi, or ldap. For details on the specifics of these authentication methods see: http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
If there are any records with a different auth-method than gss, sspi, or ldap, review the system documentation for justification and approval of these records.
If there are any records with a different auth-method than gss, sspi, or ldap, that are not documented and approved, this is a finding.
M
3994