SV-214124r508027_rule
V-214124
SRG-APP-000428-DB-000386
PGS9-00-008700
CAT II
10
Configure PostgreSQL, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection.
The pgcrypto module provides cryptographic functions for PostgreSQL. See supplementary content APPENDIX-E for documentation on installing pgcrypto.
With pgcrypto installed, it's possible to insert encrypted data into the database:
INSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password', gen_salt('md5')));
Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.
If no information is identified as requiring such protection, this is not a finding.
Review the configuration of PostgreSQL, operating system/file system, and additional software as relevant.
If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.
One possible way to encrypt data within PostgreSQL is to use the pgcrypto extension.
To check if pgcrypto is installed on PostgreSQL, as a database administrator (shown here as "postgres"), run the following command:
$ sudo su - postgres
$ psql -c "SELECT * FROM pg_available_extensions where name='pgcrypto'"
If data in the database requires encryption and pgcrypto is not available, this is a finding.
If the disk or filesystem requires encryption, ask the system owner, DBA, and SA to demonstrate filesystem or disk level encryption.
If this is required and is not found, this is a finding.
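The availability check above can be scripted so its result is unambiguous. This is an added example, not part of the STIG text; the function name classify_pgcrypto, its status words, and the database name "appdb" are assumptions. It separates "no row returned" (the finding condition above) from "available but not created in this database", which the same view reports as an empty installed_version.

```shell
#!/bin/sh
# Added example (not STIG text). classify_pgcrypto and its status words are
# hypothetical names. Live use, with "appdb" as a placeholder database name:
#   psql -At -F'|' -d appdb -c "SELECT name, default_version, installed_version
#     FROM pg_available_extensions WHERE name='pgcrypto'" | classify_pgcrypto

classify_pgcrypto() {
    # Reads at most one unaligned row: name|default_version|installed_version
    row=""
    IFS= read -r row || :          # tolerate empty input and a missing newline
    if [ -z "$row" ]; then
        echo "not_available"       # no row: extension files absent on the server
        return 0
    fi
    IFS='|' read -r name default_version installed_version <<EOF
$row
EOF
    if [ "$name" != "pgcrypto" ]; then
        echo "unexpected_row"      # output is not the row the query should return
    elif [ -z "$installed_version" ]; then
        # NULL installed_version prints as an empty field: the extension is
        # available, but CREATE EXTENSION has not been run in this database.
        echo "available_not_installed:$default_version"
    else
        echo "installed:$installed_version"
    fi
}

# Constructed sample rows (not captured from a real server).
demo() {
    printf ''                   | classify_pgcrypto
    printf 'pgcrypto|1.3|\n'    | classify_pgcrypto
    printf 'pgcrypto|1.3|1.3\n' | classify_pgcrypto
}
demo
```

A result of not_available corresponds to the finding described above when data in the database requires encryption; available_not_installed means pgcrypto functions cannot yet be called in the database that was queried.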