STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-224182r508023_rule
V-224182
SRG-APP-000251-DB-000160
EP11-00-006200
CAT II
10
Modify database code to properly validate data before it is put into the database or acted upon by the database.
Modify the database to contain column/field definitions for each column/field in the database.
Modify the database to contain constraints and validity checking on database columns and tables that require them for data integrity.
Use prepared statements for user supplied inputs.
Do not allow general users direct console access to the EDB Postgres Advanced Server database.
If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, install and configure SQL/Protect as documented here:
https://www.enterprisedb.com/docs/en/11.0/EPAS_Guide_v11/EDB_Postgres_Advanced_Server_Guide.1.048.html#
Review DBMS code (trigger procedures, functions), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.
If code exists that allows invalid data to be acted upon or input into the database, this is a finding.
If column/field definitions do not exist in the database, this is a finding.
If columns/fields do not contain constraints and validity checking where required, this is a finding.
Where a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding.
Where a column/field is clearly identified by name, caption, or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.
Check application code that interacts with the EDB Postgres Advanced Server database for the use of prepared statements. If prepared statements are not used, this is a finding.
If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, verify that it has been configured according to documented organizational needs.
1) Execute the following SQL as enterprisedb:
SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\_sql\_protect.%' ESCAPE '\';
If the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding.
2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:
\dn
If the "sqlprotect" schema is not listed, this is a finding.
3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:
SELECT * FROM sqlprotect.list_protected_users;
If the database and user that handles user input is not listed, or the remaining settings are not set to approved values, this is a finding.
V-224182
False
EP11-00-006200
Review DBMS code (trigger procedures, functions), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.
If code exists that allows invalid data to be acted upon or input into the database, this is a finding.
If column/field definitions do not exist in the database, this is a finding.
If columns/fields do not contain constraints and validity checking where required, this is a finding.
Where a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding.
Where a column/field is clearly identified by name, caption, or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.
Check application code that interacts with the EDB Postgres Advanced Server database for the use of prepared statements. If prepared statements are not used, this is a finding.
If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, verify that it has been configured according to documented organizational needs.
1) Execute the following SQL as enterprisedb:
SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\_sql\_protect.%' ESCAPE '\';
If the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding.
2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:
\dn
If the "sqlprotect" schema is not listed, this is a finding.
3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:
SELECT * FROM sqlprotect.list_protected_users;
If the database and user that handles user input is not listed, or the remaining settings are not set to approved values, this is a finding.
M
4107