STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The EDB Postgres Advanced Server must associate organization-defined types of security labels having organization-defined security label values with information in storage.

DISA Rule

SV-224188r508023_rule

Vulnerability Number

V-224188

Group Title

SRG-APP-000311-DB-000308

Rule Version

EP11-00-006900

Severity

CAT II

CCI(s)

• CCI-002262 - The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.

Weight

10

Fix Recommendation

Deploy EDB Postgres Advanced Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements, and application code, to provide reliable security labeling of information in storage.

https://www.enterprisedb.com/docs/en/11.0/EPAS_BIP_Guide_v11/Database_Compatibility_for_Oracle_Developers_Built-in_Package_Guide.1.31.html#pID0E0UUD0HA

Check Contents

If security labeling is not required, this is not a finding.

If security labeling requirements have been specified, execute the following SQL as enterprisedb:

SELECT * from ALL_POLICIES where OBJECT_NAME = '<table name>';

If a policy is not enabled for the table requiring security labeling, this is a finding.

If security labeling is required and not implemented according to the system documentation, this is a finding.

If security labeling requirements have been specified, but neither a third-party solution nor an EDB Postgres Advanced Server Row-Level security solution is implemented that reliably maintains labels on information in storage, this is a finding.

Vulnerability Number

V-224188

Documentable

False

Rule Version

EP11-00-006900

Severity Override Guidance

If security labeling is not required, this is not a finding.

If security labeling requirements have been specified, execute the following SQL as enterprisedb:

SELECT * from ALL_POLICIES where OBJECT_NAME = '<table name>';

If a policy is not enabled for the table requiring security labeling, this is a finding.

If security labeling is required and not implemented according to the system documentation, this is a finding.

If security labeling requirements have been specified, but neither a third-party solution nor an EDB Postgres Advanced Server Row-Level security solution is implemented that reliably maintains labels on information in storage, this is a finding.

Check Content Reference

M

Target Key

4107

Comments