STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

PostgreSQL must limit privileges to change functions and triggers, and links to software external to PostgreSQL.

DISA Rule

SV-214055r508027_rule

Vulnerability Number

V-214055

Group Title

SRG-APP-000133-DB-000179

Rule Version

PGS9-00-000710

Severity

CAT II

CCI(s)

• CCI-001499 - The organization limits privileges to change software resident within software libraries.

Weight

10

Fix Recommendation

To change ownership of an object, as the database administrator (shown here as "postgres"), run the following SQL:

$ sudo su – postgres
$ psql -c "ALTER FUNCTION function_name OWNER TO new_role_name"

To change ownership of postgresql.conf, as the database administrator (shown here as "postgres"), run the following commands:

$ sudo su - postgres
$ chown postgres:postgres ${PGDATA?}/postgresql.conf
$ chmod 0600 ${PGDATA?}/postgresql.conf

To remove superuser from a role, as the database administrator (shown here as "postgres"), run the following SQL:

$ sudo su - postgres
$ psql -c "ALTER ROLE rolename WITH NOSUPERUSER"

Check Contents

Only owners of objects can change them. To view all functions, triggers, and trigger procedures, their ownership and source, as the database administrator (shown here as "postgres") run the following SQL:

$ sudo su - postgres
$ psql -x -c "\df+"

Only the OS database owner user (shown here as "postgres") or a PostgreSQL superuser can change links to external software. As the database administrator (shown here as "postgres"), check the permissions of configuration files for the database:

$ sudo su - postgres
$ ls -la ${PGDATA?}

If any files are not owned by the database owner or have permissions allowing others to modify (write) configuration files, this is a finding.

Vulnerability Number

V-214055

Documentable

False

Rule Version

PGS9-00-000710

Severity Override Guidance

Only owners of objects can change them. To view all functions, triggers, and trigger procedures, their ownership and source, as the database administrator (shown here as "postgres") run the following SQL:

$ sudo su - postgres
$ psql -x -c "\df+"

Only the OS database owner user (shown here as "postgres") or a PostgreSQL superuser can change links to external software. As the database administrator (shown here as "postgres"), check the permissions of configuration files for the database:

$ sudo su - postgres
$ ls -la ${PGDATA?}

If any files are not owned by the database owner or have permissions allowing others to modify (write) configuration files, this is a finding.

Check Content Reference

M

Target Key

3994

Comments