SV-214060r508027_rule
V-214060
SRG-APP-000133-DB-000362
PGS9-00-001300
CAT II
10
As the database administrator, revoke any permissions from a role that are deemed unnecessary by running the following SQL:
ALTER ROLE bob NOCREATEDB;
ALTER ROLE bob NOCREATEROLE;
ALTER ROLE bob NOSUPERUSER;
ALTER ROLE bob NOINHERIT;
REVOKE SELECT ON some_function FROM bob;
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
As the database administrator (shown here as "postgres"), list all users and their permissions by running the following SQL:
$ sudo su - postgres
$ psql -c "\dp *.*"
Verify that all objects have the correct privileges. If they do not, this is a finding.
Next, as the database administrator (shown here as "postgres"), verify the permissions of the database directory on the filesystem:
$ ls -la ${PGDATA?}
If permissions of the database directory are not limited to an authorized user account, this is a finding.
V-214060
False
PGS9-00-001300
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
As the database administrator (shown here as "postgres"), list all users and their permissions by running the following SQL:
$ sudo su - postgres
$ psql -c "\dp *.*"
Verify that all objects have the correct privileges. If they do not, this is a finding.
Next, as the database administrator (shown here as "postgres"), verify the permissions of the database directory on the filesystem:
$ ls -la ${PGDATA?}
If permissions of the database directory are not limited to an authorized user account, this is a finding.
M
3994