SV-233577r617333_rule
V-233577
SRG-APP-000175-DB-000067
CD12-00-007000
CAT II
10
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.
To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G.
To generate a Certificate Revocation List, see the official Red Hat Documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Update_Infrastructure/2.1/html/Administration_Guide/chap-Red_Hat_Update_Infrastructure-Administration_Guide-Certification_Revocation_List_CRL.html
First, as the system administrator, copy the CRL file into the PostgreSQL data directory:
$ sudo cp root.crl ${PGDATA?}/root.crl
As the database administrator (shown here as "postgres"), set the ssl_crl_file parameter to the filename of the CRL:
$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
ssl_crl_file = 'root.crl'
Next, in pg_hba.conf, require SSL client-certificate authentication:
$ sudo su - postgres
$ vi ${PGDATA?}/pg_hba.conf
hostssl <database> <user> <address> cert clientcert=1
Now, as the system administrator, reload the server with the new configuration:
# SYSTEMD SERVER ONLY
$ sudo systemctl reload postgresql-${PGVER?}
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
To verify that a CRL file exists, as the database administrator (shown here as "postgres"), run the following:
$ sudo su - postgres
$ psql -c "SELECT CASE WHEN length(setting) > 0 THEN CASE WHEN substring(setting, 1, 1) = '/' THEN setting ELSE (SELECT setting FROM pg_settings WHERE name = 'data_directory') || '/' || setting END ELSE '' END AS ssl_crl_file FROM pg_settings WHERE name = 'ssl_crl_file';"
If this is not set to a CRL file, this is a finding.
Next, verify the existence of the CRL file by checking the path returned above:
$ sudo su - postgres
$ ls -ld <ssl_crl_file>
If the CRL file does not exist, this is a finding.
Next, verify that hostssl entries in pg_hba.conf have "cert" and "clientcert=1" enabled:
$ sudo su - postgres
$ grep '^hostssl.*cert.*clientcert=1' ${PGDATA?}/pg_hba.conf
If hostssl entries are not returned, this is a finding.
If certificates are not being validated by performing RFC 5280-compliant certification path validation, this is a finding.
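The two checks above, reproduced as an added example that is not part of the STIG text: a shell function that resolves ssl_crl_file the same way the SQL does (assumed inputs are the setting value and data_directory as read from pg_settings), and one that lists every hostssl entry in a pg_hba.conf copy that does not use "cert" with "clientcert=1", which goes further than the STIG grep by reporting the non-compliant lines rather than only proving a compliant one exists. The pg_hba.conf content is a constructed sample.

```shell
# Added example (not STIG text). Inputs are assumed: the ssl_crl_file and
# data_directory values from pg_settings, and a path to a pg_hba.conf copy.

# Resolve ssl_crl_file as the STIG's SQL does: empty stays empty, an absolute
# path is kept, a relative path is prefixed with data_directory.
resolve_crl_path() {
  setting=$1; datadir=$2
  case "$setting" in
    "") printf '' ;;
    /*) printf '%s' "$setting" ;;
    *)  printf '%s/%s' "$datadir" "$setting" ;;
  esac
}

# Print every hostssl entry that does NOT use the cert method with clientcert=1.
# Any output is a finding. The address may be a CIDR/hostname (one field) or an
# IPv4 address followed by a dotted netmask (two fields), which shifts the
# auth-method column by one.
noncompliant_hostssl() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    $1 == "hostssl" {
      m = 5                                # auth-method column for CIDR form
      if ($5 ~ /^[0-9.]+$/) m = 6          # dotted netmask occupies column 5
      cc = 0
      for (i = m + 1; i <= NF; i++) if ($i == "clientcert=1") cc = 1
      if ($m != "cert" || !cc) print
    }' "$1"
}

# Constructed sample pg_hba.conf used for the demonstration below.
write_sample_hba() {
  cat > "$1" <<'EOF'
# constructed sample, not a real configuration
local   all  all                              peer
hostssl all  all  10.0.0.0/8                  cert clientcert=1
hostssl all  all  192.168.1.0  255.255.255.0  cert clientcert=1
hostssl all  all  0.0.0.0/0                   md5
hostssl all  all  ::/0                        cert
EOF
}

sample=$(mktemp)
write_sample_hba "$sample"
echo "CRL path: $(resolve_crl_path root.crl /var/lib/pgsql/12/data)"
echo "Non-compliant hostssl entries (findings):"
noncompliant_hostssl "$sample"
rm -f "$sample"
```

Run against the real file with `noncompliant_hostssl "${PGDATA?}/pg_hba.conf"` as the postgres user; the two sample lines it prints (the md5 entry and the cert entry lacking clientcert=1) are the findings.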