STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

PostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.

DISA Rule

SV-214067r508027_rule

Vulnerability Number

V-214067

Group Title

SRG-APP-000328-DB-000301

Rule Version

PGS9-00-002200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Implement the organization's DAC policy in the security configuration of the database and PostgreSQL, and, if applicable, the security configuration of the application(s) using the database.

To GRANT privileges to roles, as the database administrator (shown here as "postgres"), run statements like the following examples:

$ sudo su - postgres
$ psql -c "CREATE SCHEMA test"
$ psql -c "GRANT CREATE ON SCHEMA test TO bob"
$ psql -c "CREATE TABLE test.test_table(id INT)"
$ psql -c "GRANT SELECT ON TABLE test.test_table TO bob"

To REVOKE privileges from roles, as the database administrator (shown here as "postgres"), run statements like the following examples:

$ psql -c "REVOKE SELECT ON TABLE test.test_table FROM bob"
$ psql -c "REVOKE CREATE ON SCHEMA test FROM bob"

Check Contents

Review system documentation to identify the required discretionary access control (DAC).

Review the security configuration of the database and PostgreSQL. If applicable, review the security configuration of the application(s) using the database.

If the discretionary access control defined in the documentation is not implemented in the security configuration, this is a finding.

If any database objects are found to be owned by users not authorized to own database objects, this is a finding.

To check the ownership of objects in the database, as the database administrator, run the following:

$ sudo su - postgres
$ psql -c "\dn *.*"
$ psql -c "\dt *.*"
$ psql -c "\ds *.*"
$ psql -c "\dv *.*"
$ psql -c "\df+ *.*"

If any role is given privileges to objects it should not have, this is a finding.
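The GRANT/REVOKE fix and the ownership and privilege check above, carried through together as an added example that is not part of the STIG text. The psql \d commands listed in the check show object owners but not the privileges granted on them (psql's \dp does that for tables); this script implements an assumed policy and then audits both owners and explicit grants directly from the system catalogs. The roles app_reader and app_writer, the allowed-owner list ('postgres', 'app_owner') and the table columns are assumptions; the schema and table names are the ones used in the fix examples. Run it as the database administrator with psql -f.

```sql
-- Added example, not from the STIG: implement a documented DAC policy, then
-- audit it from the system catalogs. Role names, the allowed-owner list and
-- the table definition are assumptions.

-- 1. Implement the policy. Each application role gets exactly the privileges
--    the documentation authorizes; PUBLIC is revoked explicitly so nothing
--    is available by default.
CREATE ROLE app_reader NOLOGIN;
CREATE ROLE app_writer NOLOGIN;
CREATE SCHEMA IF NOT EXISTS test;
CREATE TABLE IF NOT EXISTS test.test_table (id INT PRIMARY KEY, payload TEXT);

REVOKE ALL ON SCHEMA test FROM PUBLIC;
REVOKE ALL ON TABLE test.test_table FROM PUBLIC;
GRANT USAGE ON SCHEMA test TO app_reader, app_writer;
GRANT SELECT ON TABLE test.test_table TO app_reader;
GRANT SELECT, INSERT, UPDATE ON TABLE test.test_table TO app_writer;

-- 2. Audit ownership and every explicit grant on tables, views and sequences
--    outside the system schemas. One row per (object, grantee, privilege);
--    an object with no grants still appears once with a NULL grantee, meaning
--    only its owner and superusers can use it. Any row the documented policy
--    does not list is a finding. aclexplode() exists since 9.0; the LATERAL
--    join needs 9.3 or later.
SELECT n.nspname                                   AS schema_name,
       c.relname                                   AS object_name,
       c.relkind                                   AS kind,   -- r table, v view, S sequence
       pg_get_userbyid(c.relowner)                 AS owner,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END    AS grantee,
       a.privilege_type,
       a.is_grantable
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
LEFT   JOIN LATERAL aclexplode(c.relacl) a ON true
WHERE  c.relkind IN ('r', 'v', 'S')
AND    n.nspname NOT IN ('pg_catalog', 'information_schema')
AND    n.nspname NOT LIKE 'pg_toast%'
ORDER  BY 1, 2, 5, 6;

-- 3. The same for schemas. CREATE on a schema lets a role become the owner
--    of new objects there, so it matters for the ownership part of the check.
SELECT n.nspname                                   AS schema_name,
       pg_get_userbyid(n.nspowner)                 AS owner,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END    AS grantee,
       a.privilege_type
FROM   pg_namespace n
LEFT   JOIN LATERAL aclexplode(n.nspacl) a ON true
WHERE  n.nspname NOT IN ('pg_catalog', 'information_schema')
AND    n.nspname NOT LIKE 'pg_toast%'
ORDER  BY 1, 3, 4;

-- 4. Flag relations and functions owned by any role outside the documented
--    owner list. The list ('postgres', 'app_owner') is an assumption; replace
--    it with the roles the system documentation authorizes to own objects.
--    Every row returned is a finding.
SELECT n.nspname                    AS schema_name,
       c.relname                    AS object_name,
       c.relkind::text              AS kind,
       pg_get_userbyid(c.relowner)  AS owner
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind IN ('r', 'v', 'S', 'i')
AND    n.nspname NOT IN ('pg_catalog', 'information_schema')
AND    n.nspname NOT LIKE 'pg_toast%'
AND    pg_get_userbyid(c.relowner) NOT IN ('postgres', 'app_owner')
UNION ALL
SELECT n.nspname,
       p.proname,
       'f'::text,
       pg_get_userbyid(p.proowner)
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname NOT IN ('pg_catalog', 'information_schema')
AND    pg_get_userbyid(p.proowner) NOT IN ('postgres', 'app_owner')
ORDER  BY 1, 2;
```

Queries 2 and 3 are the ones to save alongside the system documentation: rerun them after every schema change and diff the output against the documented policy, rather than eyeballing the \d listings each time. Query 4 returns nothing on a compliant database, which makes it suitable for a scheduled check.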

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3994

Comments