STIGQter STIGQter: STIG Summary: PostgreSQL 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

PostgreSQL must produce audit records containing sufficient information to establish what type of events occurred.

DISA Rule

SV-214138r508027_rule

Vulnerability Number

V-214138

Group Title

SRG-APP-000095-DB-000039

Rule Version

PGS9-00-010400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.

To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging. 

If logging is enabled the following configurations must be made to log connections, date/time, username and session identifier. 

First, edit the postgresql.conf file as a privileged user: 

$ sudo su - postgres 
$ vi ${PGDATA?}/postgresql.conf 

Edit the following parameters based on the organization's needs (minimum requirements are as follows): 

log_connections = on 
log_disconnections = on 
log_line_prefix = '< %m %u %d %c: >' 

Now, as the system administrator, reload the server with the new configuration: 

# SYSTEMD SERVER ONLY 
$ sudo systemctl reload postgresql-${PGVER?}

# INITD SERVER ONLY 
$ sudo service postgresql-${PGVER?} reload

Check Contents

As the database administrator (shown here as "postgres"), verify the current log_line_prefix setting in postgresql.conf:

$ sudo su - postgres
$ psql -c "SHOW log_line_prefix"

Verify that the current settings are appropriate for the organization.

The following is what is possible for logged information:

# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes

If the audit record does not log events required by the organization, this is a finding.

Next, verify the current settings of log_connections and log_disconnections by running the following SQL:

$ psql -c "SHOW log_connections"
$ psql -c "SHOW log_disconnections"

If both settings are off, this is a finding.

Vulnerability Number

V-214138

Documentable

False

Rule Version

PGS9-00-010400

Severity Override Guidance

As the database administrator (shown here as "postgres"), verify the current log_line_prefix setting in postgresql.conf:

$ sudo su - postgres
$ psql -c "SHOW log_line_prefix"

Verify that the current settings are appropriate for the organization.

The following is what is possible for logged information:

# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes

If the audit record does not log events required by the organization, this is a finding.

Next, verify the current settings of log_connections and log_disconnections by running the following SQL:

$ psql -c "SHOW log_connections"
$ psql -c "SHOW log_disconnections"

If both settings are off, this is a finding.

Check Content Reference

M

Target Key

3994

Comments