SV-224183r508023_rule
V-224183
SRG-APP-000251-DB-000391
EP11-00-006300
CAT II
10
Where dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, modify the code to do so.
If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, install and configure SQL/Protect as documented here:
https://www.enterprisedb.com/docs/en/11.0/EPAS_Guide_v11/EDB_Postgres_Advanced_Server_Guide.1.048.html#
Review DBMS source code (stored procedures, functions, triggers) and application source code to identify cases of dynamic code execution. Any user input should be handled through prepared statements.
If dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, this is a finding.
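The fix text and this check both turn on the same distinction: dynamic SQL assembled from user input versus static SQL with typed parameters. The following PL/pgSQL is an added illustration, not text from the STIG or from EDB's documentation; the accounts table, column names and allow-listed table names are constructed for the example.

```sql
-- Constructed example schema (not part of the STIG).
CREATE TABLE accounts (id integer PRIMARY KEY, owner text NOT NULL, balance numeric);

-- BEFORE: dynamic code execution built by string concatenation.
-- p_owner is untrusted user input and is spliced into the statement text,
-- yet the objective here is plainly satisfiable by static SQL.
CREATE OR REPLACE FUNCTION get_balance_dynamic(p_owner text)
RETURNS numeric LANGUAGE plpgsql AS $$
DECLARE
    v_balance numeric;
BEGIN
    EXECUTE 'SELECT balance FROM accounts WHERE owner = ''' || p_owner || ''''
       INTO v_balance;
    RETURN v_balance;
END;
$$;

-- AFTER (preferred): static SQL with a strongly typed parameter.
-- PL/pgSQL prepares this statement; p_owner is always bound as a text
-- value and is never interpreted as part of the SQL text.
CREATE OR REPLACE FUNCTION get_balance_static(p_owner text)
RETURNS numeric LANGUAGE plpgsql AS $$
DECLARE
    v_balance numeric;
BEGIN
    SELECT balance INTO v_balance FROM accounts WHERE owner = p_owner;
    RETURN v_balance;
END;
$$;

-- AFTER (when an identifier must vary): keep EXECUTE, but bind values
-- with USING and quote the identifier with format('%I'). Only the table
-- name is spliced in, and it is restricted to a constructed allow-list.
CREATE OR REPLACE FUNCTION get_balance_by_table(p_table text, p_owner text)
RETURNS numeric LANGUAGE plpgsql AS $$
DECLARE
    v_balance numeric;
BEGIN
    IF p_table NOT IN ('accounts', 'accounts_archive') THEN
        RAISE EXCEPTION 'table % is not permitted', p_table;
    END IF;
    EXECUTE format('SELECT balance FROM %I WHERE owner = $1', p_table)
       INTO v_balance USING p_owner;
    RETURN v_balance;
END;
$$;
```

During the review, any EXECUTE whose command string is built from a parameter by concatenation (the first form) is the pattern that constitutes a finding; the second form is the expected replacement, and the third is acceptable only where the identifier genuinely cannot be fixed at design time.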
If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, verify that it has been configured according to documented organizational needs.
1) Execute the following SQL as enterprisedb:
SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\_sql\_protect.%' ESCAPE '\';
If the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding.
2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following psql command as enterprisedb:
\dn
If the "sqlprotect" schema is not listed, this is a finding.
3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:
SELECT * FROM sqlprotect.list_protected_users;
If the database and the user that handle user input are not listed, or the remaining settings are not set to approved values, this is a finding.
V-224183
False
EP11-00-006300
M
4107