SV-214111r508027_rule
V-214111
SRG-APP-000175-DB-000067
PGS9-00-007000
CAT II
10
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.
To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G.
To generate a Certificate Revocation List, see the official Red Hat Documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Update_Infrastructure/2.1/html/Administration_Guide/chap-Red_Hat_Update_Infrastructure-Administration_Guide-Certification_Revocation_List_CRL.html
First, as the system administrator, copy the CRL file into the PostgreSQL data directory. The file must be readable by the operating system account the PostgreSQL server runs as (shown here as "postgres"):
$ sudo cp root.crl ${PGDATA?}/root.crl
As the database administrator (shown here as "postgres"), set the ssl_crl_file parameter to the filename of the CRL:
$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
ssl_crl_file = 'root.crl'
Next, in pg_hba.conf, require certificate authentication over SSL for each remote connection rule:
$ sudo su - postgres
$ vi ${PGDATA?}/pg_hba.conf
hostssl <database> <user> <address> cert clientcert=1
Now, as the system administrator, reload the server so the new pg_hba.conf takes effect. Note that on PostgreSQL 9.x the SSL parameters, including ssl_crl_file, are read only at server start, so the CRL itself is not picked up until the server is restarted:
# SYSTEMD SERVER ONLY
$ sudo systemctl reload postgresql-${PGVER?}
# INITD SERVER ONLY
$ sudo service postgresql-${PGVER?} reload
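The configuration and check steps above can be audited without a running server. The following POSIX shell functions are an added example, not part of the STIG text: they resolve an ssl_crl_file value against the data directory the way PostgreSQL does (relative names under PGDATA, absolute paths as given), confirm the resolved file exists, and scan pg_hba.conf records for hostssl entries lacking the cert method or clientcert=1. The pg_hba.conf samples and the PGDATA path are constructed for illustration. The scan also reports plain host and hostnossl records, which is stricter than the STIG's literal grep, because such records let a client connect without TLS and therefore without presenting a certificate at all.

```shell
#!/bin/sh
# Added example (not STIG text): offline audit helpers for PGS9-00-007000.
# Assumptions: the CRL value is what `psql -Atc "SHOW ssl_crl_file"` prints,
# and PGDATA is the server's data directory.

# Resolve ssl_crl_file as PostgreSQL does: a relative name lives under the
# data directory, an absolute path is used unchanged.
# Prints the resolved path; returns 1 when the setting is empty.
resolve_crl_path() {
  crl="$1"; pgdata="$2"
  [ -n "$crl" ] || return 1
  case "$crl" in
    /*) printf '%s\n' "$crl" ;;
    *)  printf '%s/%s\n' "$pgdata" "$crl" ;;
  esac
}

# Check step 1 and 2: the parameter must be set and the file must exist.
# Returns 0 when both hold, 1 (with a FINDING line) otherwise.
crl_file_present() {
  p=$(resolve_crl_path "$1" "$2") || { echo "FINDING: ssl_crl_file is not set"; return 1; }
  [ -f "$p" ] || { echo "FINDING: CRL file $p does not exist"; return 1; }
  echo "ok: CRL file $p present"
}

# Check step 3: read pg_hba.conf records from stdin. Every hostssl record
# must carry the cert method and clientcert=1. host/hostnossl records are
# reported as well (stricter than the STIG grep) since they bypass TLS.
# Returns 0 when there are no findings, 1 otherwise.
check_hba() {
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"          # strip trailing comments
    set -- $line                # split the record into fields
    [ $# -gt 0 ] || continue    # skip blank / comment-only lines
    case "$1" in
      hostssl)
        has_cert=0; has_clientcert=0
        for f in "$@"; do
          [ "$f" = cert ] && has_cert=1
          [ "$f" = clientcert=1 ] && has_clientcert=1
        done
        if [ $has_cert -eq 0 ] || [ $has_clientcert -eq 0 ]; then
          printf 'FINDING: hostssl record without cert/clientcert=1: %s\n' "$*"
          rc=1
        fi ;;
      host|hostnossl)
        printf 'FINDING: non-SSL record allows bypassing client certificates: %s\n' "$*"
        rc=1 ;;
      local) ;;                 # Unix-socket records are outside this check
    esac
  done
  return $rc
}

# Constructed samples (not from a real system).
GOOD_HBA='# compliant sample
local   all  all                    peer
hostssl all  all  10.0.0.0/8        cert clientcert=1
hostssl all  all  ::1/128           cert clientcert=1'

BAD_HBA='# non-compliant sample: two findings expected
hostssl all  all  10.0.0.0/8        md5
host    all  all  192.168.1.0/24    md5
hostssl all  all  ::1/128           cert clientcert=1'

echo "--- compliant sample ---"
printf '%s\n' "$GOOD_HBA" | check_hba && echo "no findings"
echo "--- non-compliant sample ---"
printf '%s\n' "$BAD_HBA" | check_hba || echo "findings present"
echo "--- CRL path resolution (PGDATA=/var/lib/pgsql/9.6/data assumed) ---"
resolve_crl_path 'root.crl' /var/lib/pgsql/9.6/data
resolve_crl_path '/etc/pki/tls/crl/root.crl' /var/lib/pgsql/9.6/data
```

On a live host the same functions are fed real values: `crl_file_present "$(sudo -u postgres psql -Atc 'SHOW ssl_crl_file')" "$PGDATA"` and `check_hba < "$PGDATA/pg_hba.conf"`. A non-zero return from either corresponds to a finding under this rule.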
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
To verify that a CRL file exists, as the database administrator (shown here as "postgres"), run the following:
$ sudo su - postgres
$ psql -c "SHOW ssl_crl_file"
If this is not set to a CRL file, this is a finding.
Next, verify that the CRL file exists at the location given by the ssl_crl_file parameter shown above:
Note: If ssl_crl_file is a relative name (no directory component), PostgreSQL resolves it against the data directory (PGDATA), the same directory that holds postgresql.conf.
If the CRL file does not exist, this is a finding.
Next, verify that hostssl entries in pg_hba.conf have "cert" and "clientcert=1" enabled:
$ sudo su - postgres
$ grep hostssl ${PGDATA?}/pg_hba.conf
If any hostssl entry lacks either cert or clientcert=1, this is a finding.
If certificates are not being validated by performing RFC 5280-compliant certification path validation, this is a finding.
V-214111
False
PGS9-00-007000
M
3994