SV-214146r508027_rule
V-214146
SRG-APP-000148-DB-000103
PGS9-00-011500
CAT II
10
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
Configure PostgreSQL settings to uniquely identify and authenticate all organizational users who log on/connect to the system.
To create roles, use the following SQL:
CREATE ROLE <role_name> [OPTIONS]
For more information on CREATE ROLE, see the official documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html
For each role created, the database administrator can specify database authentication by editing pg_hba.conf:
$ sudo su - postgres
$ vi ${PGDATA?}/pg_hba.conf
An example pg_hba entry looks like this:
# TYPE DATABASE USER ADDRESS METHOD
host test_db bob 192.168.0.0/16 md5
For more information on pg_hba.conf, see the official documentation: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
Review PostgreSQL settings to determine whether organizational users are uniquely identified and authenticated when logging on/connecting to the system.
To list all roles in the database, as the database administrator (shown here as "postgres"), run the following SQL:
$ sudo su - postgres
$ psql -c "\du"
If organizational users are not uniquely identified and authenticated, this is a finding.
Next, as the database administrator (shown here as "postgres"), verify the current pg_hba.conf authentication settings:
$ sudo su - postgres
$ cat ${PGDATA?}/pg_hba.conf
If every role does not have unique authentication requirements, this is a finding.
If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account, this is a finding.
V-214146
False
PGS9-00-011500
Review PostgreSQL settings to determine whether organizational users are uniquely identified and authenticated when logging on/connecting to the system.
To list all roles in the database, as the database administrator (shown here as "postgres"), run the following SQL:
$ sudo su - postgres
$ psql -c "\du"
If organizational users are not uniquely identified and authenticated, this is a finding.
Next, as the database administrator (shown here as "postgres"), verify the current pg_hba.conf authentication settings:
$ sudo su - postgres
$ cat ${PGDATA?}/pg_hba.conf
If every role does not have unique authentication requirements, this is a finding.
If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account, this is a finding.
M
3994