SV-224194r508023_rule
V-224194
SRG-APP-000342-DB-000302
EP11-00-007510
CAT II
10
Determine where, when, how, and by what principals/subjects elevated privilege is needed.
Modify the system and the application(s) using the database to ensure privilege elevation is used only as required.
To alter a user to not allow bypassing RLS, execute the following SQL:
ALTER USER <user> NOBYPASSRLS;
Review the system documentation and source code of the application(s) using the database.
If elevation of DBMS privileges is used but not documented, this is a finding.
If elevation of DBMS privileges is documented but not implemented as described in the documentation, this is a finding.
If the privilege-elevation logic can be invoked in ways other than intended, in contexts other than intended, or by subjects/principals other than intended, this is a finding.
Execute the following SQL to find any users with BYPASS RLS permissions:
select rolname from pg_roles where rolbypassrls = true;
If any of these users are not superusers that should bypass RLS, this is a finding.
V-224194
False
EP11-00-007510
Review the system documentation and source code of the application(s) using the database.
If elevation of DBMS privileges is used but not documented, this is a finding.
If elevation of DBMS privileges is documented but not implemented as described in the documentation, this is a finding.
If the privilege-elevation logic can be invoked in ways other than intended, in contexts other than intended, or by subjects/principals other than intended, this is a finding.
Execute the following SQL to find any users with BYPASS RLS permissions:
select rolname from pg_roles where rolbypassrls = true;
If any of these users are not superusers that should bypass RLS, this is a finding.
M
4107