STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-214068r508027_rule
V-214068
SRG-APP-000120-DB-000061
PGS9-00-002300
CAT II
10
To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
#### stderr Logging
With stderr logging enabled, as the database owner (shown here as "postgres"), set the following parameter in postgresql.conf:
$ vi ${PGDATA?}/postgresql.conf
log_file_mode = 0600
To change the owner and permissions of the log files, run the following:
$ chown postgres:postgres ${PGDATA?}/<log directory name>
$ chmod 0700 ${PGDATA?}/<log directory name>
$ chmod 600 ${PGDATA?}/<log directory name>/*.log
#### syslog Logging
If PostgreSQL is configured to use syslog for logging, the log files must be configured to be owned by root with 0600 permissions.
$ chown root:root <log directory name>/<log_filename>
$ chmod 0700 <log directory name>
$ chmod 0600 <log directory name>/*.log
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.
Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification.
#### stderr Logging
If the PostgreSQL server is configured to use stderr for logging, the logs will be owned by the database administrator (shown here as "postgres") with a default permissions level of 0600. The permissions can be configured in postgresql.conf.
To check the permissions for log files in postgresql.conf, as the database administrator (shown here as "postgres"), run the following command:
$ sudo su - postgres
$ grep "log_file_mode" ${PGDATA?}/postgresql.conf
If the permissions are not 0600, this is a finding.
Next, navigate to where the logs are stored. This can be found by running the following command against postgresql.conf as the database administrator (shown here as "postgres"):
$ sudo su - postgres
$ grep "log_directory" ${PGDATA?}/postgresql.conf
With the log directory identified, as the database administrator (shown here as "postgres"), list the permissions of the logs:
$ sudo su - postgres
$ ls -la ${PGDATA?}/pg_log
If logs are not owned by the database administrator (shown here as "postgres") and are not the same permissions as configured in postgresql.conf, this is a finding.
#### syslog Logging
If the PostgreSQL server is configured to use syslog for logging, consult organization syslog setting for permissions and ownership of logs
V-214068
False
PGS9-00-002300
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.
Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification.
#### stderr Logging
If the PostgreSQL server is configured to use stderr for logging, the logs will be owned by the database administrator (shown here as "postgres") with a default permissions level of 0600. The permissions can be configured in postgresql.conf.
To check the permissions for log files in postgresql.conf, as the database administrator (shown here as "postgres"), run the following command:
$ sudo su - postgres
$ grep "log_file_mode" ${PGDATA?}/postgresql.conf
If the permissions are not 0600, this is a finding.
Next, navigate to where the logs are stored. This can be found by running the following command against postgresql.conf as the database administrator (shown here as "postgres"):
$ sudo su - postgres
$ grep "log_directory" ${PGDATA?}/postgresql.conf
With the log directory identified, as the database administrator (shown here as "postgres"), list the permissions of the logs:
$ sudo su - postgres
$ ls -la ${PGDATA?}/pg_log
If logs are not owned by the database administrator (shown here as "postgres") and are not the same permissions as configured in postgresql.conf, this is a finding.
#### syslog Logging
If the PostgreSQL server is configured to use syslog for logging, consult organization syslog setting for permissions and ownership of logs
M
3994