STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-224209r557408_rule
V-224209
SRG-APP-000442-DB-000379
EP11-00-009600
CAT II
10
To configure EDB Postgres Advanced Server to use SSL, open the ”postgresql.conf" file in an editor. Note the default location for the postgresql.conf file is in the postgresql data directory. The location of the postgresql.conf for a running EDB Postgres instance can be found by connecting to the database as a database superuser using psql and executing the following command:
SHOW config_file;
In the postgresql.conf file, set the “ssl” parameter as follows:
ssl = on
Make sure the parameter is uncommented.
In order to start an EDB Postgres Advanced Server instance in SSL mode, files containing the server certificate and private key must exist. By default, these files are expected to exist in the Postgres data directory and are expected to be named server.crt and server.key, respectively. Update the ssl_cert_file and ssl_cert_key parameters in the postgresql.conf file if the files are placed in a different location or are named differently.
Note changes to the ssl parameter setting and any of the other ssl related parameters require a reload of the database server configuration to put the changes into effect.
To reload the database server configuration, connect to the database as a database superuser using psql and execute the following command:
SELECT pg_reload_conf();
After verifying SSL is enabled for the database, open the pg_hba.conf file in an editor to configure the host-based authentication settings. Note the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found by connecting to the database as a database superuser using psql and execute the following command:
SHOW hba_file;
Obtain approval and document any uncommented entries with corresponding justification that are not of type hostssl and do not include the “clientcert=1” option.
For any entries that are not of type hostssl authentication with the “clientcert=1” option and not documented and approved, change the "TYPE" column to “hostssl” and add the “clientcert=1” authentication method option.
Note that on Microsoft Windows systems, changes to the host-based authentication settings in the pg_hba.conf file are immediately applied by subsequent new connections.
For more information on configuring PostgreSQL to use SSL, consult the following documentation:
https://www.postgresql.org/docs/current/ssl-tcp.html
For more information on configuring the postgresql pg_hba.conf file, consult the following documentation:
https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.
First, check if ssl is enabled for the database instance, connect to the database as a database superuser using psql and executing the following command:
SHOW ssl;
If the result is not "on", this is a finding.
Next, review the host based authentication settings by connecting to the database as a database superuser using psql and executing the following command:
SELECT * FROM pg_hba_file_rules;
Alternatively, open the pg_hba.conf file in a viewer or editor and review the authentication settings that are configured in that file.
Note the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found by connecting to the database as a database superuser using psql and executing the following command:
SHOW hba_file;
If any uncommented lines are not of TYPE "hostssl" and do not include the "clientcert=1" authentication option and are not documented in the system security plan or equivalent document as being approved, this is a finding.
V-224209
False
EP11-00-009600
If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.
First, check if ssl is enabled for the database instance, connect to the database as a database superuser using psql and executing the following command:
SHOW ssl;
If the result is not "on", this is a finding.
Next, review the host based authentication settings by connecting to the database as a database superuser using psql and executing the following command:
SELECT * FROM pg_hba_file_rules;
Alternatively, open the pg_hba.conf file in a viewer or editor and review the authentication settings that are configured in that file.
Note the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found by connecting to the database as a database superuser using psql and executing the following command:
SHOW hba_file;
If any uncommented lines are not of TYPE "hostssl" and do not include the "clientcert=1" authentication option and are not documented in the system security plan or equivalent document as being approved, this is a finding.
M
4107