STIGQter: STIG Summary: Crunchy Data PostgreSQL Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020: STIGQter: STIG Summary: Crunchy Data PostgreSQL Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:SV-233514r617333_rule
V-233514
SRG-APP-000119-DB-000060
CD12-00-000400
CAT II
10
To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for instructions on configuring PGLOG.
#### stderr Logging
With stderr logging enabled, as the database owner (shown here as "postgres"), set the following parameter in postgresql.conf:
$ vi ${PGDATA?}/postgresql.conf
log_file_mode = 0600
To change the owner and permissions of the log files, run the following:
$ chown postgres:postgres ${PGDATA?}/${PGLOG?}
$ chmod 0700 ${PGDATA?}/${PGLOG?}
$ chmod 600 ${PGDATA?}/${PGLOG?}/*.log
#### syslog Logging
If PostgreSQL is configured to use syslog for logging, the log files must be configured to be owned by root with 0600 permissions.
$ chown root:root <log directory name>/<log_filename>
$ chmod 0700 <log directory name>
$ chmod 0600 <log directory name>/*.log
Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.
Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification.
Note: The following instructions use the PGLOG environment variable. See supplementary content APPENDIX-I for instructions on configuring PGLOG.
#### stderr Logging
If the PostgreSQL server is configured to use stderr for logging, the logs will be owned by the database owner (usually postgres user) with a default permissions level of 0600. The permissions can be configured in postgresql.conf.
To check the permissions for log files in postgresql.conf, as the database owner (shown here as "postgres"), run the following command:
$ sudo su - postgres
$ psql -c "show log_file_mode;"
If the permissions are not 0600, this is a finding.
As the database owner (shown here as "postgres"), list the permissions of the logs:
$ sudo su - postgres
$ ls -la ${PGLOG?}
If logs are not owned by the database owner (shown here as "postgres") and are not the same permissions as configured in postgresql.conf, this is a finding.
#### syslog Logging
If the PostgreSQL server is configured to use syslog for logging, consult the organization syslog setting for permissions and ownership of logs.
V-233514
False
CD12-00-000400
Review locations of audit logs, both internal to the database and database audit logs located at the operating system level.
Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification.
Note: The following instructions use the PGLOG environment variable. See supplementary content APPENDIX-I for instructions on configuring PGLOG.
#### stderr Logging
If the PostgreSQL server is configured to use stderr for logging, the logs will be owned by the database owner (usually postgres user) with a default permissions level of 0600. The permissions can be configured in postgresql.conf.
To check the permissions for log files in postgresql.conf, as the database owner (shown here as "postgres"), run the following command:
$ sudo su - postgres
$ psql -c "show log_file_mode;"
If the permissions are not 0600, this is a finding.
As the database owner (shown here as "postgres"), list the permissions of the logs:
$ sudo su - postgres
$ ls -la ${PGLOG?}
If logs are not owned by the database owner (shown here as "postgres") and are not the same permissions as configured in postgresql.conf, this is a finding.
#### syslog Logging
If the PostgreSQL server is configured to use syslog for logging, consult the organization syslog setting for permissions and ownership of logs.
M
5254