SV-233525r617333_rule
V-233525
SRG-APP-000311-DB-000308
CD12-00-001700
CAT II
10
In addition to the SQL-standard privilege system available through GRANT, tables can have row security policies that restrict, on a per-user basis, which rows can be returned by normal queries or inserted, updated, or deleted by data modification commands. This feature is also known as Row-Level Security (RLS).
RLS policies can be very different depending on their use case. For one example of using RLS for Security Labels, see supplementary content APPENDIX-D.
If security labeling is not required, this is not a finding.
First, as the database administrator (shown here as "postgres"), run the following SQL against each table that requires security labels:
$ sudo su - postgres
$ psql -c "\d+ <schema_name>.<table_name>"
If security labeling is required and the results of the SQL above do not show a policy attached to the table, this is a finding.
If security labeling is required and not implemented according to the system documentation, such as SSP, this is a finding.
If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding.
V-233525
False
CD12-00-001700
If security labeling is not required, this is not a finding.
First, as the database administrator (shown here as "postgres"), run the following SQL against each table that requires security labels:
$ sudo su - postgres
$ psql -c "\d+ <schema_name>.<table_name>"
If security labeling is required and the results of the SQL above do not show a policy attached to the table, this is a finding.
If security labeling is required and not implemented according to the system documentation, such as SSP, this is a finding.
If security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding.
M
5254