STIGQter: STIG Summary: Crunchy Data PostgreSQL Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020: STIGQter: STIG Summary: Crunchy Data PostgreSQL Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:SV-233562r617333_rule
V-233562
SRG-APP-000091-DB-000066
CD12-00-005500
CAT II
10
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.
Using pgaudit PostgreSQL can be configured to audit these requests. See supplementary content APPENDIX-B for documentation on installing pgaudit.
With pgaudit installed the following configurations can be made:
$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
Add the following parameters (or edit existing parameters):
pgaudit.log_catalog = 'on'
pgaudit.log = 'read'
Now, as the system administrator, reload the server with the new configuration:
$ sudo systemctl reload postgresql-${PGVER?}
Note: The following instructions use the PGLOG environment variable. See supplementary content APPENDIX-I for instructions on configuring PGLOG.
First, as the database administrator (shown here as "postgres"), check if pgaudit is enabled by running the following SQL:
$ sudo su - postgres
$ psql -c "SHOW shared_preload_libraries"
If pgaudit is not found in the results, this is a finding.
Next, as the database administrator (shown here as "postgres"), list all role memberships for the database:
$ sudo su - postgres
$ psql -c "\du"
Next, verify the query was logged:
$ sudo su - postgres
$ cat ${PGLOG?}/<latest_log>
This should, as an example, return (among other rows):
2016-01-28 19:43:12.126 UTC postgres postgres: >LOG: AUDIT: SESSION,1,1,READ,SELECT,,,"SELECT r.rolname, r.rolsuper, r.rolinherit,
r.rolcreaterole, r.rolcreatedb, r.rolcanlogin,
r.rolconnlimit, r.rolvaliduntil,
ARRAY(SELECT b.rolname
FROM pg_catalog.pg_auth_members m
JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
WHERE m.member = r.oid) as memberof
, r.rolreplication
, r.rolbypassrls
FROM pg_catalog.pg_roles r
ORDER BY 1;",<none>
If audit records are not produced, this is a finding.
V-233562
False
CD12-00-005500
Note: The following instructions use the PGLOG environment variable. See supplementary content APPENDIX-I for instructions on configuring PGLOG.
First, as the database administrator (shown here as "postgres"), check if pgaudit is enabled by running the following SQL:
$ sudo su - postgres
$ psql -c "SHOW shared_preload_libraries"
If pgaudit is not found in the results, this is a finding.
Next, as the database administrator (shown here as "postgres"), list all role memberships for the database:
$ sudo su - postgres
$ psql -c "\du"
Next, verify the query was logged:
$ sudo su - postgres
$ cat ${PGLOG?}/<latest_log>
This should, as an example, return (among other rows):
2016-01-28 19:43:12.126 UTC postgres postgres: >LOG: AUDIT: SESSION,1,1,READ,SELECT,,,"SELECT r.rolname, r.rolsuper, r.rolinherit,
r.rolcreaterole, r.rolcreatedb, r.rolcanlogin,
r.rolconnlimit, r.rolvaliduntil,
ARRAY(SELECT b.rolname
FROM pg_catalog.pg_auth_members m
JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
WHERE m.member = r.oid) as memberof
, r.rolreplication
, r.rolbypassrls
FROM pg_catalog.pg_roles r
ORDER BY 1;",<none>
If audit records are not produced, this is a finding.
M
5254