STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-214090r508027_rule
V-214090
SRG-APP-000495-DB-000326
PGS9-00-004900
CAT II
10
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.
Using pgaudit PostgreSQL can be configured to audit these requests. See supplementary content APPENDIX-B for documentation on installing pgaudit.
With pgaudit installed the following configurations can be made:
$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
Add the following parameters (or edit existing parameters):
pgaudit.log = 'role'
Now, as the system administrator, reload the server with the new configuration:
# SYSTEMD SERVER ONLY
$ sudo systemctl reload postgresql-${PGVER?}
# INITD SERVER ONLY
$ sudo service postgresql-${PGVER?} reload
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
First, as the database administrator (shown here as "postgres"), create a role by running the following SQL:
Change the privileges of another user:
$ sudo su - postgres
$ psql -c "CREATE ROLE bob"
Next, GRANT then REVOKE privileges from the role:
$ psql -c "GRANT CONNECT ON DATABASE postgres TO bob"
$ psql -c "REVOKE CONNECT ON DATABASE postgres FROM bob"
postgres=# REVOKE CONNECT ON DATABASE postgres FROM bob;
REVOKE
postgres=# GRANT CONNECT ON DATABASE postgres TO bob;
GRANT
Now, as the database administrator (shown here as "postgres"), verify the events were logged:
$ sudo su - postgres
$ cat ${PGDATA?}/pg_log/<latest_log>
< 2016-07-13 16:25:21.103 EDT postgres postgres LOG: > AUDIT: SESSION,1,1,ROLE,GRANT,,,GRANT CONNECT ON DATABASE postgres TO bob,<none>
< 2016-07-13 16:25:25.520 EDT postgres postgres LOG: > AUDIT: SESSION,1,1,ROLE,REVOKE,,,REVOKE CONNECT ON DATABASE postgres FROM bob,<none>
If the above steps cannot verify that audit records are produced when privileges/permissions/role memberships are added, this is a finding.
V-214090
False
PGS9-00-004900
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
First, as the database administrator (shown here as "postgres"), create a role by running the following SQL:
Change the privileges of another user:
$ sudo su - postgres
$ psql -c "CREATE ROLE bob"
Next, GRANT then REVOKE privileges from the role:
$ psql -c "GRANT CONNECT ON DATABASE postgres TO bob"
$ psql -c "REVOKE CONNECT ON DATABASE postgres FROM bob"
postgres=# REVOKE CONNECT ON DATABASE postgres FROM bob;
REVOKE
postgres=# GRANT CONNECT ON DATABASE postgres TO bob;
GRANT
Now, as the database administrator (shown here as "postgres"), verify the events were logged:
$ sudo su - postgres
$ cat ${PGDATA?}/pg_log/<latest_log>
< 2016-07-13 16:25:21.103 EDT postgres postgres LOG: > AUDIT: SESSION,1,1,ROLE,GRANT,,,GRANT CONNECT ON DATABASE postgres TO bob,<none>
< 2016-07-13 16:25:25.520 EDT postgres postgres LOG: > AUDIT: SESSION,1,1,ROLE,REVOKE,,,REVOKE CONNECT ON DATABASE postgres FROM bob,<none>
If the above steps cannot verify that audit records are produced when privileges/permissions/role memberships are added, this is a finding.
M
3994