SV-214132r508027_rule
V-214132
SRG-APP-000080-DB-000063
PGS9-00-009700
CAT II
10
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.
Configure the database to supply additional auditing information to protect against a user falsely repudiating having performed organization-defined actions.
Using pgaudit, PostgreSQL can be configured to audit these requests. See supplementary content APPENDIX-B for documentation on installing pgaudit.
To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.
Modify the configuration of audit logs to include details identifying the individual user:
First, as the database administrator (shown here as "postgres"), edit postgresql.conf:
$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
Extra parameters can be added to the setting log_line_prefix to identify the user:
log_line_prefix = '< %m %a %u %d %r %p %m >'
Now, as the system administrator, reload the server with the new configuration:
# SYSTEMD SERVER ONLY
$ sudo systemctl reload postgresql-${PGVER?}
# INITD SERVER ONLY
$ sudo service postgresql-${PGVER?} reload
Use accounts assigned to individual users. Where the application connects to PostgreSQL using a standard, shared account, ensure that it also captures the individual user identification and passes it to PostgreSQL.
First, as the database administrator, review the current log_line_prefix settings by running the following SQL:
$ sudo su - postgres
$ psql -c "SHOW log_line_prefix"
If log_line_prefix does not contain at least '< %m %a %u %d %r %p %m >', this is a finding.
Next, review the current shared_preload_libraries settings by running the following SQL:
$ psql -c "SHOW shared_preload_libraries"
If shared_preload_libraries does not contain "pgaudit", this is a finding.
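The following script is an added example and not part of the STIG text; it automates the two checks above (log_line_prefix and shared_preload_libraries) and, when a prefix fails, lists which identity-related escapes (%m timestamp, %a application, %u user, %d database, %r remote host, %p process id) would be absent from the log. The function names, the psql -At invocation for unadorned output, and the sample values used when psql is not on PATH are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: evaluates the two settings the STIG check inspects.
# REQUIRED_PREFIX is the literal string from the check text; the sample
# values in the offline branch are constructed, not taken from a real server.

REQUIRED_PREFIX='< %m %a %u %d %r %p %m >'

# Returns 0 when the configured log_line_prefix contains the required string
# as a substring (the STIG wording is "does not contain at least ...").
prefix_compliant() {
    case "$1" in
        *"$REQUIRED_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints each identity-related escape missing from a prefix, one per line,
# so the administrator can see which field the log would lack.
missing_escapes() {
    for tok in %m %a %u %d %r %p; do
        case "$1" in
            *"$tok"*) ;;
            *) echo "$tok" ;;
        esac
    done
}

# Returns 0 when "pgaudit" appears as one of the comma-separated names in
# shared_preload_libraries (quotes and spaces around names are tolerated).
pgaudit_loaded() {
    libs=$(printf '%s' "$1" | tr -d "\"' " | tr ',' '\n')
    for lib in $libs; do
        [ "$lib" = "pgaudit" ] && return 0
    done
    return 1
}

# Prints a STIG-style verdict for both settings; returns 0 only when
# neither check is a finding.
evaluate() {
    prefix=$1
    libs=$2
    rc=0
    if prefix_compliant "$prefix"; then
        echo "log_line_prefix: not a finding ($prefix)"
    else
        echo "log_line_prefix: FINDING ($prefix)"
        missing_escapes "$prefix" | sed 's/^/  missing escape: /'
        rc=1
    fi
    if pgaudit_loaded "$libs"; then
        echo "shared_preload_libraries: not a finding ($libs)"
    else
        echo "shared_preload_libraries: FINDING ($libs)"
        rc=1
    fi
    return $rc
}

# Live mode: when psql is available, query the server as the check text does
# (-A -t strip table decoration so only the value is printed). Offline mode:
# run against constructed sample values, one compliant and one not.
if command -v psql >/dev/null 2>&1; then
    live_prefix=$(psql -At -c "SHOW log_line_prefix" 2>/dev/null || true)
    live_libs=$(psql -At -c "SHOW shared_preload_libraries" 2>/dev/null || true)
    evaluate "$live_prefix" "$live_libs" || true
else
    evaluate "< %m %a %u %d %r %p %m >" "pg_stat_statements, pgaudit" || true
    evaluate "%t [%p] " "" || true
fi
```

Run it as the postgres operating-system user so psql connects with the same defaults the check text assumes; a non-zero return from evaluate means at least one of the two items is a finding.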
V-214132
False
PGS9-00-009700
M
3994