SV-224175r508023_rule
V-224175
SRG-APP-000180-DB-000115
EP11-00-005000
CAT II
10
Ensure all logins are uniquely identifiable and authenticate all non-organizational users who log onto the system. This likely would be done via a combination of application, operating system, and EDB Postgres Advanced Server configuration settings. Verify server documentation to ensure accounts are documented and unique.
Review documentation, EDB Postgres Advanced Server settings, and authentication system settings to determine if non-organizational users are individually identified and authenticated when logging onto the system.
EDB Postgres Advanced Server uniquely identifies and authenticates Postgres users through the use of DBMS roles.
To list the user and group roles in an EDB Postgres Advanced Server instance, execute the following command in psql as the enterprisedb user:
\du
If accounts are determined to be shared, determine if individuals are first individually authenticated. Where an application connects to EDB Postgres Advanced Server using a standard, shared account, ensure it also captures the individual user identification, and passes it to EDB Postgres Advanced Server.
If the EDB session audit log tagging feature is being used to capture individual user identification and organizational affiliation, review the EDB audit log to verify that the information documented as being required is logged to the "audit_tag" field. If the required information is not logged, this is a finding.
If the documentation indicates that this is a public-facing, read-only (from the point of view of public users) database that does not require individual authentication, this is not a finding.
If non-organizational users are not uniquely identified and authenticated, this is a finding.
V-224175
False
EP11-00-005000
M
4107