SV-233590r617333_rule
V-233590
SRG-APP-000428-DB-000386
CD12-00-008700
CAT II
10
Configure PostgreSQL, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection.
The pgcrypto module provides cryptographic functions for PostgreSQL. See supplementary content APPENDIX-E for documentation on installing pgcrypto.
With pgcrypto installed, it is possible to insert encrypted data into the database:
INSERT INTO accounts(username, password) VALUES ('bob', crypt('mypass', gen_salt('bf', 4));
Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.
If no information is identified as requiring such protection, this is not a finding.
Review the configuration of PostgreSQL, operating system/file system, and additional software as relevant.
If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.
One possible way to encrypt data within PostgreSQL is to use pgcrypto extension.
To check if pgcrypto is installed on PostgreSQL, as a database administrator (shown here as "postgres"), run the following command:
$ sudo su - postgres
$ psql -c "SELECT * FROM pg_available_extensions where name='pgcrypto'"
If data in the database requires encryption and pgcrypto is not available, this is a finding.
If disk or filesystem requires encryption, ask the system owner, DBA, and SA to demonstrate filesystem or disk level encryption.
If this is required and is not found, this is a finding.
V-233590
False
CD12-00-008700
Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.
If no information is identified as requiring such protection, this is not a finding.
Review the configuration of PostgreSQL, operating system/file system, and additional software as relevant.
If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.
One possible way to encrypt data within PostgreSQL is to use pgcrypto extension.
To check if pgcrypto is installed on PostgreSQL, as a database administrator (shown here as "postgres"), run the following command:
$ sudo su - postgres
$ psql -c "SELECT * FROM pg_available_extensions where name='pgcrypto'"
If data in the database requires encryption and pgcrypto is not available, this is a finding.
If disk or filesystem requires encryption, ask the system owner, DBA, and SA to demonstrate filesystem or disk level encryption.
If this is required and is not found, this is a finding.
M
5254