STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in storage.

DISA Rule

SV-214062r508027_rule

Vulnerability Number

V-214062

Group Title

SRG-APP-000311-DB-000308

Rule Version

PGS9-00-001700

Severity

CAT II

CCI(s)

• CCI-002262 - The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.

Weight

10

Fix Recommendation

In addition to the SQL-standard privilege system available through GRANT, tables can have row security policies that restrict, on a per-user basis, which rows can be returned by normal queries or inserted, updated, or deleted by data modification commands. This feature is also known as Row-Level Security (RLS).

RLS policies can be very different depending on their use case. For one example of using RLS for Security Labels, see supplementary content APPENDIX-D.

Check Contents

If security labeling is not required, this is not a finding.

First, as the database administrator (shown here as "postgres"), run the following SQL against each table that requires security labels:

$ sudo su - postgres
$ psql -c "\d+ <schema_name>.<table_name>"

If security labeling is required and the results of the SQL above do not show a policy attached to the table, this is a finding.

If security labeling is required and not implemented according to the system documentation, such as SSP, this is a finding.

If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding.

Vulnerability Number

V-214062

Documentable

False

Rule Version

PGS9-00-001700

Severity Override Guidance

If security labeling is not required, this is not a finding.

First, as the database administrator (shown here as "postgres"), run the following SQL against each table that requires security labels:

$ sudo su - postgres
$ psql -c "\d+ <schema_name>.<table_name>"

If security labeling is required and the results of the SQL above do not show a policy attached to the table, this is a finding.

If security labeling is required and not implemented according to the system documentation, such as SSP, this is a finding.

If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding.

Check Content Reference

M

Target Key

3994

Comments