STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.

DISA Rule

SV-214137r508027_rule

Vulnerability Number

V-214137

Group Title

SRG-APP-000427-DB-000385

Rule Version

PGS9-00-010300

Severity

CAT II

CCI(s)

CCI-002470 - The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Weight

Fix Recommendation

Revoke trust in any certificates not issued by a DoD-approved certificate authority.

Configure PostgreSQL to accept only DoD and DoD-approved PKI end-entity certificates.

To configure PostgreSQL to accept approved CA's, see the official PostgreSQL documentation: http://www.postgresql.org/docs/current/static/ssl-tcp.html

For more information on configuring PostgreSQL to use SSL, see supplementary content APPENDIX-G.

Check Contents

As the database administrator (shown here as "postgres"), verify the following setting in postgresql.conf:

$ sudo su - postgres
$ psql -c "SHOW ssl_ca_file"
$ psql -c "SHOW ssl_cert_file"

If the database is not configured to used approved certificates, this is a finding.

Vulnerability Number

V-214137

Documentable

False

Rule Version

PGS9-00-010300

Severity Override Guidance

Check Content Reference

Target Key

3994

PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments