STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

The EDB Postgres Advanced Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.

DISA Rule

SV-224133r508023_rule

Vulnerability Number

V-224133

Group Title

SRG-APP-000080-DB-000063

Rule Version

EP11-00-000900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use accounts assigned to individual users where feasible. Configure the DBMS to provide individual accountability at the DBMS level, and in audit logs, for actions performed under a shared database account.

Modify any applications that use a shared database account so that they capture individual application user identities, either in the audit log by way of the edb_audit_tag session parameter or in the data tables themselves.

Create and enforce the use of individual user IDs for logging on to EDB Postgres tools and third-party products.

If EDB auditing is not already enabled, enable it.

Execute the following SQL as enterprisedb:

ALTER SYSTEM SET edb_audit = csv;
SELECT pg_reload_conf();

or

ALTER SYSTEM SET edb_audit = xml;
SELECT pg_reload_conf();

Check Contents

If there are no shared accounts available to more than one user, this is not a finding.

If a shared account is used by an application to interact with the database, review the System Security Plan, the tables in the database, and the application source code/documentation to determine whether the application captures the individual user's identity and stores that identity in the audit log or along with all data inserted and updated (also with all records of reads and/or deletions, if these are required to be logged).

The EDB audit feature provides the ability to include application user information in the database audit log using the edb_audit_tag session parameter. If all shared database accounts are accessed via an application that uses the edb_audit_tag parameter to identify individual application users, this is not a finding.

If there are gaps in the application's ability to capture an individual user's identity, and the gaps and the risk are not defined in the system documentation and accepted by the AO, this is a finding.

If users are sharing a group account to log on to EDB Postgres tools or third-party products that access the database, this is a finding.

To ensure EDB auditing is enabled, execute the following SQL as enterprisedb:

SHOW edb_audit;

If the result is not "csv" or "xml", this is a finding.
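As an added example (not part of the STIG text or EDB's own documentation), this shows how an application that connects with a shared account can satisfy the check above: auditing is enabled once, and every unit of work is tagged with the authenticated end user so the audit log is attributable to an individual. It assumes edb_audit_tag can be set per transaction with SET LOCAL like an ordinary session parameter, and uses a hypothetical app_svc role and orders table.

```sql
-- Added example (not from the STIG): attributable auditing on a shared account.
-- Assumptions: edb_audit_tag accepts SET LOCAL; "app_svc" and "orders" are hypothetical.

-- 1. One-time setup, executed as enterprisedb (mirrors the Fix Recommendation).
ALTER SYSTEM SET edb_audit = csv;
SELECT pg_reload_conf();

-- 2. The STIG check: the result must be csv or xml, otherwise it is a finding.
SHOW edb_audit;

-- 3. Application side. The connection was opened as the shared role "app_svc".
--    The application has already authenticated the real person (constructed
--    value "jdoe"); that identity, not user-supplied text, becomes the tag.
BEGIN;
-- SET LOCAL scopes the tag to this transaction, so a pooled connection cannot
-- carry a stale identity into the next user's work.
SET LOCAL edb_audit_tag = 'app_user=jdoe';
-- Self-check inside the transaction: abort if the tag did not take effect.
SELECT current_setting('edb_audit_tag') AS audit_tag;
INSERT INTO orders (customer, amount) VALUES ('ACME', 100.00);  -- constructed data
COMMIT;
-- After COMMIT the tag reverts automatically; the audit record for the
-- INSERT above carries 'app_user=jdoe' alongside the shared role name.

-- 4. Reviewer check: confirm the tag is a user-settable parameter on this
--    server, i.e. the application really can set it without superuser rights.
SELECT name, context, setting
  FROM pg_settings
 WHERE name IN ('edb_audit', 'edb_audit_tag');
```

A reviewer can compare the tags seen in the audit log against the application's user list; any statements from the shared role that arrive with an empty tag are the gaps the check asks to document.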

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4107

Comments