STIGQter: STIG Summary: Crunchy Data PostgreSQL Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020: STIGQter: STIG Summary: Crunchy Data PostgreSQL Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:SV-233612r617333_rule
V-233612
SRG-APP-000148-DB-000103
CD12-00-011500
CAT II
10
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
Configure PostgreSQL settings to uniquely identify and authenticate all organizational users who log on/connect to the system.
To create roles, use the following SQL:
CREATE ROLE <role_name> [OPTIONS]
For more information on CREATE ROLE, see the official documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html
For each role created, the database administrator can specify database authentication by editing pg_hba.conf:
$ sudo su - postgres
$ vi ${PGDATA?}/pg_hba.conf
An example pg_hba entry looks like this:
# TYPE DATABASE USER ADDRESS METHOD
host test_db bob 192.168.0.0/16 scram-sha-256
For more information on pg_hba.conf, see the official documentation: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html.
Review PostgreSQL settings to determine whether organizational users are uniquely identified and authenticated when logging on/connecting to the system.
To list all roles in the database, as the database administrator (shown here as "postgres"), run the following SQL:
$ sudo su - postgres
$ psql -c "\du"
If organizational users are not uniquely identified and authenticated, this is a finding.
Next, as the database administrator (shown here as "postgres"), verify the current pg_hba.conf authentication settings:
$ sudo su - postgres
$ cat ${PGDATA?}/pg_hba.conf
If every role does not have unique authentication requirements, this is a finding.
If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account, this is a finding.
V-233612
False
CD12-00-011500
Review PostgreSQL settings to determine whether organizational users are uniquely identified and authenticated when logging on/connecting to the system.
To list all roles in the database, as the database administrator (shown here as "postgres"), run the following SQL:
$ sudo su - postgres
$ psql -c "\du"
If organizational users are not uniquely identified and authenticated, this is a finding.
Next, as the database administrator (shown here as "postgres"), verify the current pg_hba.conf authentication settings:
$ sudo su - postgres
$ cat ${PGDATA?}/pg_hba.conf
If every role does not have unique authentication requirements, this is a finding.
If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account, this is a finding.
M
5254