SV-214141r508027_rule
V-214141
SRG-APP-000121-DB-000202
PGS9-00-010700
CAT II
10
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.
If the pg_log or data directory is not owned by the postgres user and group, configure them as follows:
$ sudo chown -R postgres:postgres ${PGDATA?}
If the pgaudit installation is not owned by root user and group, configure it as follows:
$ sudo chown -R root:root /usr/pgsql-${PGVER?}/share/contrib/pgaudit
To remove superuser from a role, as the database administrator (shown here as "postgres"), run the following SQL:
$ sudo su - postgres
$ psql -c "ALTER ROLE <role-name> WITH NOSUPERUSER"
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. Only the database owner and superuser can alter configuration of PostgreSQL.
Make sure the pg_log directory is owned by the postgres user and group:
$ sudo su - postgres
$ ls -la ${PGDATA?}/pg_log
If pg_log is not owned by the database owner, this is a finding.
Make sure the data directory is owned by the postgres user and group:
$ sudo su - postgres
$ ls -la ${PGDATA?}
If PGDATA is not owned by the database owner, this is a finding.
Make sure pgaudit installation is owned by root:
$ sudo su - postgres
$ ls -la /usr/pgsql-${PGVER?}/share/contrib/pgaudit
If pgaudit installation is not owned by root, this is a finding.
Next, as the database administrator (shown here as "postgres"), run the following psql command to list all roles and their privileges:
$ sudo su - postgres
$ psql -x -c "\du"
If any role that should not be a superuser has the "superuser" attribute, this is a finding.
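The check above is done by eye on command output. The script below is an added example, not part of the STIG text, that evaluates the same four tests from captured output: one `ls -ld` line for each directory (the `.` entry of `ls -la` carries the same fields) and the expanded-format output of `psql -x -c "\du"`. It assumes the standard field layout of both tools, and the list of roles permitted to be superuser (here just "postgres") is the site's own decision, which the STIG leaves open as "that should not". The sample lines are constructed, not captured from a real system; substitute real output to use it.

```shell
#!/bin/sh
# Added example (not part of the STIG text): evaluate the V-214141 check from
# captured command output. Every function returns 0 on pass, non-zero on a finding.

# owner_matches LS_LINE USER GROUP
# LS_LINE is one line of `ls -ld` output: mode, link count, user, group, ...
# Returns 0 when the user and group fields equal USER and GROUP.
owner_matches() {
    _line=$1; _user=$2; _group=$3
    set -- $_line               # split the ls line into its whitespace-separated fields
    [ "$3" = "$_user" ] && [ "$4" = "$_group" ]
}

# superusers_from_du DU_OUTPUT
# DU_OUTPUT is the text of `psql -x -c "\du"` (expanded format, one
# "Role name | ..." and one "Attributes | ..." line per record).
# Prints one role name per line for every role whose attributes list Superuser.
superusers_from_du() {
    printf '%s\n' "$1" | awk -F'|' '
        /^Role name/ { role = $2; sub(/^[ \t]+/, "", role); sub(/[ \t]+$/, "", role) }
        /^Attributes/ && $2 ~ /Superuser/ { print role }
    '
}

# unexpected_superusers DU_OUTPUT ALLOWED
# ALLOWED is a space-separated list of roles permitted to be superuser
# (site-defined assumption). Prints each superuser role not in ALLOWED;
# returns 0 when there are none, 1 otherwise.
unexpected_superusers() {
    _du=$1; _allowed=" $2 "; _found=0
    for _r in $(superusers_from_du "$_du"); do
        case "$_allowed" in
            *" $_r "*) ;;
            *) echo "$_r"; _found=1 ;;
        esac
    done
    return $_found
}

# report_findings PGDATA_LINE PGLOG_LINE PGAUDIT_LINE DU_OUTPUT ALLOWED
# Applies all tests from the check text, prints one line per finding and
# returns the number of findings (0 means the check passes).
report_findings() {
    _n=0
    owner_matches "$1" postgres postgres || { echo "FINDING: PGDATA not owned by postgres:postgres"; _n=$((_n+1)); }
    owner_matches "$2" postgres postgres || { echo "FINDING: pg_log not owned by postgres:postgres"; _n=$((_n+1)); }
    owner_matches "$3" root root         || { echo "FINDING: pgaudit not owned by root:root"; _n=$((_n+1)); }
    for _r in $(unexpected_superusers "$4" "$5"); do
        echo "FINDING: role $_r has SUPERUSER but is not on the allowed list"
        _n=$((_n+1))
    done
    return $_n
}

# Constructed sample output (not from a real system). pgaudit is deliberately
# owned by postgres and app_user is deliberately a superuser to show findings.
SAMPLE_LS_PGDATA='drwx------ 19 postgres postgres 4096 Jan  1 00:00 ${PGDATA}'
SAMPLE_LS_PGLOG='drwx------  2 postgres postgres 4096 Jan  1 00:00 ${PGDATA}/pg_log'
SAMPLE_LS_PGAUDIT='drwxr-xr-x  2 postgres postgres 4096 Jan  1 00:00 /usr/pgsql-${PGVER}/share/contrib/pgaudit'
SAMPLE_DU='-[ RECORD 1 ]----+-----------------------------------------------------------
Role name        | postgres
Attributes       | Superuser, Create role, Create DB, Replication, Bypass RLS
Member of        | {}
-[ RECORD 2 ]----+-----------------------------------------------------------
Role name        | app_user
Attributes       | Superuser
Member of        | {}
-[ RECORD 3 ]----+-----------------------------------------------------------
Role name        | reporting
Attributes       |
Member of        | {readers}'

# Demonstration on the sample; with real output this reports two findings.
report_findings "$SAMPLE_LS_PGDATA" "$SAMPLE_LS_PGLOG" "$SAMPLE_LS_PGAUDIT" "$SAMPLE_DU" "postgres"
echo "exit status $? (0 = no findings)"
```

In use, capture the three `ls -ld` lines and the `\du` output as the postgres user, pass them to report_findings with the site's approved superuser list, and treat a non-zero return as the finding count to remediate with the fix text above.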
V-214141
False
PGS9-00-010700
M
3994