STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-224184r508023_rule
V-224184
SRG-APP-000251-DB-000392
EP11-00-006400
CAT II
10
Where dynamic code execution is used, modify the code to implement protections against code injection (i.e., prepared statements).
If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, install and configure SQL/Protect as documented here:
https://www.enterprisedb.com/docs/en/11.0/EPAS_Guide_v11/EDB_Postgres_Advanced_Server_Guide.1.048.html#
Review DBMS source code (stored procedures, functions, triggers) and application source code to identify cases of dynamic code execution.
If dynamic code execution is employed without protective measures against code injection, this is a finding.
If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, verify that it has been configured according to documented organizational needs.
1) Execute the following SQL as enterprisedb:
SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\_sql\_protect.%' ESCAPE '\';
If the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding.
2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:
\dn
If the "sqlprotect" schema is not listed, this is a finding.
3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:
SELECT * FROM sqlprotect.list_protected_users;
If the database and user that handles user input is not listed or the remaining settings are not set to approved values, this is a finding.
V-224184
False
EP11-00-006400
Review DBMS source code (stored procedures, functions, triggers) and application source code to identify cases of dynamic code execution.
If dynamic code execution is employed without protective measures against code injection, this is a finding.
If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, verify that it has been configured according to documented organizational needs.
1) Execute the following SQL as enterprisedb:
SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\_sql\_protect.%' ESCAPE '\';
If the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding.
2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:
\dn
If the "sqlprotect" schema is not listed, this is a finding.
3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:
SELECT * FROM sqlprotect.list_protected_users;
If the database and user that handles user input is not listed or the remaining settings are not set to approved values, this is a finding.
M
4107