{"stig":{"title":"EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide","version":"2","release":"4"},"checks":[{"vulnId":"V-224130","ruleId":"SV-224130r960735_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.","description":"Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (DoS) attack by exhausting connection resources; a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks.\n\nThis requirement addresses concurrent session control for a single account. It does not address concurrent sessions by a single user via multiple system accounts and it does not deal with the total number of sessions across all accounts.\n\nThe capability to limit the number of concurrent sessions per user must be configured in, or added to, the DBMS (for example, by use of a logon trigger), when this is technically feasible. \nNote: it is not sufficient to limit sessions via a web server or application server alone, because legitimate users and adversaries can potentially connect to the DBMS by other means.\n\nThe organization will need to define the maximum number of concurrent sessions by account type, by account, or a combination thereof. In deciding on the appropriate number, it is important to consider the work requirements of the various types of users. For example, two might be an acceptable limit for general users accessing the database via an application; but ten might be too few for a database administrator using a database management GUI tool, where each query tab and navigation pane may count as a separate session.\n\n(Sessions may also be referred to as connections or logons, which for the purposes of this requirement are synonyms.)\n\nNote that by default if no connection limit is specified, when a Postgres database user is created it will be allowed to have an unlimited number of concurrent sessions. The EDB Postgres CREATE USER and the PostgreSQL CREATE ROLE sql commands, which are used to create database users, provide a CONNECTION LIMIT option for configuring the allowable number of concurrent sessions for a user. It is good administrative practice to use this option to set the connection limit when new users are created. However, if a user was created without a connection limit or if the assigned connection limit needs to be changed, the CONNECTION LIMIT option can be set using the ALTER USER and ALTER ROLE commands.","checkContent":"Determine whether the system documentation specifies limits on the number of concurrent DBMS sessions per account by type of user. If it does not, assume a limit of 10 for database administrators and 2 for all other users.\n\nExecute the following SQL as enterprisedb:\n\n SELECT rolname, rolconnlimit FROM pg_roles;\n\nIf rolconnlimit is -1 or larger than the system documentation limits for any rolname, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\n SELECT rolname, rolconnlimit FROM pg_roles;\n\nFor any roles where rolconnlimit is -1 or larger than the system documentation limits, execute this SQL as enterprisedb:\n\n ALTER USER <role> WITH CONNECTION LIMIT <desired connection limit>;","ccis":["CCI-000054"]},{"vulnId":"V-224131","ruleId":"SV-224131r960768_rule","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.","description":"Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization.\n\nA comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed.\n\nExamples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores, such as multiple servers. Account management functions can also include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephone notification to report atypical system account usage.\n\nThe EDB Postgres Advanced Server must be configured to automatically utilize organization-level account management functions, and these functions must immediately enforce the organization's current account policy.\n\nAutomation may be comprised of differing technologies that when placed together contain an overall mechanism supporting an organization's automated account management requirements.","checkContent":"Verify that the Postgres host-based authentication file (i.e., pg_hba.conf) has been configured so that database users are authenticated using credentials supplied by the organization-level authentication/access system. If it has been configured correctly, this is not a finding.\n\nActions to verify:\n Verify none of the uncommented entries in the pg_hba.conf include: \"trust\", \"sha-256-scram\", \"md5\", \"ident\", \"peer”, or \"password\" as allowable access methods.\nVerify options are set to the correct values for the specific environment.\n\nNote: The default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW hba_file\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nTo verify the pg_hba.conf file is not using the access methods listed above, open the pg_hba.conf file in a text editor and inspect the contents of the file, looking for uncommented lines with these methods. Optionally, the following command can be run from a Windows command prompt to identify any uncommented lines in the pg_hba.conf file that may be using these methods: \n\n type <postgresql pg_hba.conf directory>\\pg_hba.conf | findstr /N \"scram-sha-256 md5 trust password peer ident\" | find /V /N \"#\"\n\nNote: For the command above, if the path to the pg_hba.conf file contains spaces in it, the path to the file (including the file name) must be placed in double quotes. \n\nIf any uncommented lines are identified, verify that the users are documented as being authorized to use one of these access methods.\n\nIf the users are not authorized to use these access methods, this is a finding.","fixText":"Identify any user using \"trust\", \"sha-256-scram\", md5\", \"ident\", \"peer\" or \"password\" as allowable access methods.\n\nTo identify users in the pg_hba.conf file using the methods listed above, open the pg_hba.conf file in a text editor, and inspect the contents of the file, looking for uncommented lines with these methods. Optionally, the following command can be run from a Windows command prompt to identify any uncommented lines in the pg_hba.conf file that may be using these methods: \n\n type <postgresql pg_hba.conf directory>\\pg_hba.conf | findstr /N \"scram-sha-256 md5 trust password peer ident\" | find /V /N \"#\"\n\nNote: If the path to the pg_hba.conf file contains spaces in it, the path to the file (including the file name) should be placed in double quotes.\n\nDocument any rows that have \"trust\", \"sha-256-scram\", \"md5\", \"ident\", \"peer”, or \"password\" specified for the \"METHOD\" column and obtain appropriate approval for each user specified in the \"USER\" column (i.e., all DBMS managed accounts).\n\nFor any users not documented and approved as DBMS managed accounts, change the \"METHOD\" column to one of the externally managed (not \"trust\", \"sha-256-scram\", \"md5\", \"ident\", \"peer\" or \"password\") options defined here:\n\nhttps://www.postgresql.org/docs/current/static/auth-methods.html","ccis":["CCI-000015"]},{"vulnId":"V-224132","ruleId":"SV-224132r960792_rule","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","description":"Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access the DBMS. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies.\n\nSuccessful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.\n\nThis requirement is applicable to access control enforcement applications, a category that includes database management systems. If the DBMS does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.","checkContent":"Review the system security plan or equivalent documentation to determine the allowed permissions on database objects for each database role or user as well as the database authentication methods that are allowed for each role or user. If this documentation is missing, this is a finding.\n\nReview the permissions actually in place for the EDB postgres cluster (i.e., instance).\n\nFirst check the privileges of all users and roles in the database by running the following command from the Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"\\du\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf any users or roles have privileges that exceed those that are documented, this is a finding.\n\nNext check the privileges that have been granted on the tables, views, and sequences in the database by running the following command from the Windows command prompt for each database in the EDB postgres instance:\n\n psql -d <database name> -U <database superuser name> -c \"\\dp\"\n\nIf the privileges assigned to these objects for any users or roles exceeds those that have been documented, this is a finding.\n\nNext as a user that has permission to view the contents of the pg_hba.conf file, review the authentication settings that are configured in that file.\n\nNote that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW hba_file\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf any entries do not match the documented authentication requirements, this is a finding.","fixText":"Use GRANT, REVOKE, ALTER statements to add and remove permissions on database objects, bringing them into line with the documented requirements.\n\nTo change authentication requirements for the database, as a user with permissions to edit the pg_hba.conf, edit the entries in the file to comply with the documented organizational authentication requirements. See the official PostgreSQL documentation for the complete list of options for authentication: http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html","ccis":["CCI-000213"]},{"vulnId":"V-224133","ruleId":"SV-224133r960864_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.","description":"Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables, and configuring the DBMS' audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, group account.","checkContent":"If there are no shared accounts available to more than one user, this is not a finding.\n\nIf a shared account is used by an application to interact with the database, review the System Security Plan, the tables in the database, and the application source code/documentation to determine whether the application captures the individual user's identity and stores that identity in the audit log or along with all data inserted and updated (also with all records of reads and/or deletions, if these are required to be logged).\n\nThe EDB audit feature provides the ability to include application user information with the database audit log using the edb_audit_tag session parameter. If all database shared accounts are accessed via an application that uses the edb_audit_tag parameter to identify individual applications users, this is not a finding. \n\nIf there are gaps in the application's ability to capture an individual user's identity, and the gaps and the risk are not defined in the system documentation and accepted by the AO, this is a finding.\n\nIf users are sharing a group account to log on to EDB Postgres tools or third-party products that access the database, this is a finding.\n\nTo ensure EDB auditing is enabled, execute the following SQL as enterprisedb:\n\n SHOW edb_audit;\n\nIf the result is not \"csv\" or \"xml\", this is a finding.","fixText":"Use accounts assigned to individual users where feasible. Configure the DBMS to provide individual accountability at the DBMS level, and in audit logs, for actions performed under a shared database account.\n\nModify any applications that use a shared database account to capture individual application user identities to the audit log using the edb_audit_tag or to the data tables.\n\nCreate and enforce the use of individual user IDs for logging on to EDB Postgres tools and third-party products.\n\nIf EDB auditing is not already enabled, enable it.\n\nExecute the following SQL as enterprisedb:\n\n ALTER SYSTEM SET edb_audit = csv;\n SELECT pg_reload_conf();\n\nor\n\n ALTER SYSTEM SET edb_audit = xml;\n SELECT pg_reload_conf();","ccis":["CCI-000166"]},{"vulnId":"V-224134","ruleId":"SV-224134r960879_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must be configured to provide audit record generation capability for DoD-defined auditable events within all EDB Postgres Advanced Server/database components.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the DBMS (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the DBMS will provide an audit record generation capability as the following:\n\n(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities, or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and\n\n(iii) All account creation, modification, disabling, and termination actions.\n\nOrganizations may define additional events requiring continuous or ad hoc auditing.","checkContent":"Verify, using vendor and system documentation if necessary, that the DBMS is configured to use EDB's auditing features and configured to satisfy this requirement.\n\nExecute the following SQL as the enterprisedb database user or another database superuser to check if EDB auditing is enabled:\n\n SHOW edb_audit;\n\nIf the result is not \"csv\" or \"xml\", this is a finding.\n\nIf organization-defined auditable events are not being audited, this is a finding.","fixText":"Configure the DBMS's auditing to audit organization-defined auditable events.\n\nExecute the following SQL as enterprisedb to ensure that EDB Auditing is enabled:\n\n ALTER SYSTEM SET edb_audit = csv;\n SELECT pg_reload_conf();\n\nor\n\n ALTER SYSTEM SET edb_audit = xml;\n SELECT pg_reload_conf(); \n\nConfigure EDB audit settings to audit organization-defined auditable events in accordance with the information documented in the EDB Postgres Advanced Server Guide.","ccis":["CCI-000169"]},{"vulnId":"V-224135","ruleId":"SV-224135r960882_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.","description":"Without the capability to restrict the types of roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Check DBMS settings and documentation to determine whether designated personnel can select which auditable events are being audited. If designated personnel are not able to configure auditable events, this is a finding.\n\nIf EDB Audit is being used, the EDB Audit settings may only be configured by Operating System users authorized to edit the cluster's postgresql.conf file or by database superusers. As such, the permissions associated with the postgresql.conf file must be checked as well as the database roles assigned to database users. In addition, database parameters, including the EDB Audit settings, may be specified via server startup command options. Users assigned \"Modify\" permission or greater on the postgresql data directory and its contents will be able to start the postgres database cluster. Therefore, only authorized users should be assigned these permissions.\n\n1) Check Postgresql Data Directory Ownership and Permissions:\nFirst, determine ownership of the postgresql data directory folder. This can be done using Windows Explorer or via a Windows command prompt.\n\nNote: The default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW data_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nUsing Windows Explorer:\nBrowse to the directory where the postgresql data directory folder is located.\nSelect and right-click on the folder, select \"Properties\", select the \"Security\" tab, and select the \"Advanced\" button. \nNote the Value of the Owner field.\n\nUsing the Windows command prompt, enter the following command:\n\n dir \"<postgresql data directory>\" /Q /S\n\nNote: The above command will list all of the files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. If the owner listed for the folder and any of the files and subfolders in the data directory is not authorized to own the folder and its content, this is a finding.\n\nNext, check the permissions assigned to the postgresql data directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\nBrowse to the directory where the postgresql data directory folder is located.\nSelect and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\nReview the users and groups and permissions assigned to them for the folder.\n\nUsing a Windows command prompt, the following command may be used to list file permissions:\n\n icacls \"<postgresql data directory>\"\n icacls \"<postgresql data directory>\\*\" \n Review the users and groups and permissions assigned to them for the file(s).\nNote: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation.\nIf permissions are granted to Everyone or to the Users group, this is a finding.\nIf any account other than the database service account, software owner accounts, Administrators, DBAs, System group, or other documented users authorized to start a postgresql database cluster are listed, this is a finding.\n\n2) Check Postgresql Configuration File Ownership and Permissions:\nFirst, determine ownership of the postresql.conf file(s). This can be done using Windows Explorer or via a Windows command prompt.\n\nNote that the default location for the postgresql.conf file is in the postgresql data directory. The location of the postgresql.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW config_file\"\n\nUsing Windows Explorer:\n Browse to the directory where the postgresql.conf file is located.\n Select and right-click on the postgresql.conf file, select \"Properties\", and select the \"Details\" tab. \n Note the Value of the Owner field.\n\nUsing the Windows command prompt, enter the following command:\n\n dir \"<directory where postgresql.conf is located>\\postgresql*.conf\" /Q\n\nReview the system security documentation. If the owner listed for the file(s) is not authorized to own the file(s) this is a finding.\n\nNext, check the permissions assigned to the postgresql configuration files. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the postgresql.conf file is located.\n Select and right-click on the postgresql.conf file, select \"Properties\", and select the \"Security\" tab.\n Review the users and groups and permissions assigned to them for the file.\n\nUsing a Windows command prompt, the following command may be used to list file permissions:\n\n icacls \"<directory where postgresql.conf is located>\\postgresql*.conf\"\n\n Review the users and groups and permissions assigned to them for the file(s).\n\nReview the system security documentation.\nIf permissions are granted to Everyone or to the Users group, this is a finding.\nIf any account other than the database service account, software owner accounts, Administrators, DBAs, System group, or other documented users authorized to make changes to the configuration parameters of this database are listed, this is a finding.\n\nNote: Since the postgresql.conf file may utilize include and include_dir statements to include additional parameter organizational specified configuration files, review the contents of the postgresql.conf file to determine if any uncommented include or include_dir statements are specified in the file. If these statements are found, the file ownership and permissions assigned to the files specified by these statements should also be checked. If any unauthorized users are owners of the files or have permission to edit the files this is a finding.\n\n3) Check Database Users Assigned Superuser Privileges:\nUse psql to connect to the db as enterprisedb and run this command:\n\n \\du\n\nIf any unauthorized users/roles are listed as a superuser, this is a finding.","fixText":"If a non-EDB provided database auditing solution or a custom auditing solution is being used, configure the DBMS's settings according to the documentation provided for those solutions to allow designated personnel to select which auditable events are audited.\n\nIf EDB Auditing is being used, perform the following actions as necessary to address any findings:\n1) Postgresql Data Directory Ownership and Permissions:\nIf the postgresql data directory and its contents are owned by unauthorized users, change ownership to an authorized user.\n\nRestrict access on the postgresql data directory to the database service account, software owner accounts, Administrators, DBAs, System group, or other documented users authorized to start a postgresql database cluster.\n\n2) Postgresql Configuration File Ownership and Permissions:\nIf the postgresql configuration file(s) is owned by an unauthorized user, change ownership to an authorized user.\n\nRestrict write access on Postgres configuration file(s) the database service account, software owner accounts, Administrators, DBAs, System group, or other documented users authorized to edit the file(s).\n\n3) Database Users Assigned Superuser Privileges:\nRemove superuser rights from unauthorized database users via the ALTER ROLE or ALTER USER SQL command.\n\nThe syntax is:\nALTER ROLE <role> NOSUPERUSER\n\nor\n\nALTER USER <user> NOSUPERUSER\n\nExample: \nALTER ROLE testuser NOSUPERUSER;\n\nOR \n\nALTER USER testuser NOSUPERUSER;\n\nSee PostgreSQL and/or EDB Postgres Advanced Server documentation for details.","ccis":["CCI-000171"]},{"vulnId":"V-224136","ruleId":"SV-224136r960885_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records for DoD-defined auditable events.","description":"The EDB Postgres Advanced Server must generate audit records for DoD-defined auditable events within all DBMS/database components.\n  \nAudit records should contain (at a minimum):\n-Time stamps to establish when the events occurred\n-Sufficient information to establish what type of events occurred\n-Sufficient information to establish where the events occurred\n-Sufficient information to establish the sources (origins) of the events\n-Sufficient information to establish the outcome (success or failure) of the events\n-Sufficient information to establish the identity of any user/subject or process associated with the event\n\nAudit record content which may be necessary to investigate the events relating to an incident or identify those responsible for one. Audit policy includes, for example, time stamps, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as application components, modules, session identifiers, filenames, host names, and functionality.\n\nThe list of minimum DoD-defined audit events includes:\n-When privileges/permissions are retrieved, added, modified or deleted\n-When unsuccessful attempts to retrieve, add, modify, delete privileges/permissions occur\n-Enforcement of access restrictions associated with changes to the configuration of the database(s)\n-When security objects are accessed, modified, or deleted\n-When unsuccessful attempts to access, modify, or delete security objects occur\n-When categories of information (e.g., classification levels/security levels) are accessed, created, modified, or deleted\n-When unsuccessful attempts to access, create, modify, or delete categorized information occur\n-All privileged activities or other system-level access\n-When unsuccessful attempts to execute privileged activities or other system-level access occur\n-When successful or unsuccessful access to objects occur\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.\n\nSatisfies: SRG-APP-000095-DB-000039, SRG-APP-000091-DB-000325, SRG-APP-000096-DB-000040, SRG-APP-000097-DB-000041, SRG-APP-000098-DB-000042, SRG-APP-000099-DB-000043, SRG-APP-000100-DB-000201, SRG-APP-000381-DB-000361, SRG-APP-000492-DB-000332, SRG-APP-000492-DB-000333, SRG-APP-000494-DB-000344, SRG-APP-000494-DB-000345, SRG-APP-000495-DB-000326, SRG-APP-000495-DB-000327, SRG-APP-000495-DB-000328, SRG-APP-000495-DB-000329, SRG-APP-000496-DB-000334, SRG-APP-000496-DB-000335, SRG-APP-000498-DB-000346, SRG-APP-000498-DB-000347, SRG-APP-000499-DB-000330, SRG-APP-000499-DB-000331, SRG-APP-000501-DB-000336, SRG-APP-000501-DB-000337, SRG-APP-000502-DB-000348, SRG-APP-000502-DB-000349, SRG-APP-000504-DB-000354, SRG-APP-000504-DB-000355, SRG-APP-000507-DB-000356, SRG-APP-000507-DB-000357","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.","ccis":["CCI-000172","CCI-000131","CCI-000134","CCI-001487","CCI-001814"]},{"vulnId":"V-224138","ruleId":"SV-224138r960888_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must initiate support of session auditing upon startup.","description":"Session auditing is used when a user's activities are under investigation. To ensure all activity is captured during those periods when session auditing is in use, it must be in operation for the entire time the DBMS is running.","checkContent":"Execute the following SQL as enterprisedb to ensure auditing is enabled:\n\n SHOW edb_audit;\n\nIf the result is not \"csv\" or \"xml\", this is a finding.\n\nExecute the following SQL as enterprisedb to check which events are configured to be audited:\n\n SHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"If EDB Auditing is not enabled, execute the following SQL as enterprisedb:\n\n ALTER SYSTEM SET edb_audit = csv;\n SELECT pg_reload_conf();\n\nor\n\n ALTER SYSTEM SET edb_audit = xml;\n SELECT pg_reload_conf(); \n\nIf the edb_audit_statement parameter values is not set to \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, execute the following SQL as enterprisedb:\n\n ALTER SYSTEM SET edb_audit_statement = 'all';\n SELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.","ccis":["CCI-001464"]},{"vulnId":"V-224145","ruleId":"SV-224145r960909_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.","description":"Information system auditing capability is critical for accurate forensic analysis. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. To support analysis, some types of events will need information to be logged that exceeds the basic requirements of event type, time stamps, location, source, outcome, and user identity. If additional information is not available, it could negatively impact forensic investigations into user actions or other malicious events.\n\nThe organization must determine what additional information is required for complete analysis of the audited events. The additional information required is dependent on the type of information (e.g., sensitivity of the data and the environment within which it resides). At a minimum, the organization must employ either full-text recording of privileged commands or the individual identities of group users, or both. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nExamples of detailed information the organization may require in audit records are full-text recording of privileged commands or the individual identities of group account users.\n\nIn EnterpriseDB Postgres Plus Advanced Server, the edb_audit_tag can be used to record additional information. This tag can be set to different values by different sessions (connections), and can be set to new values any number of times. How to recognize the conditions for producing such audit data must be determined and coded for as part of application and database design.","checkContent":"Review the system documentation to identify what additional information the organization has determined necessary.\n\nCheck application and database design, and existing audit records to verify that all organization-defined additional, more detailed information is in the audit records for audit events identified by type, location, or subject.\n\nIf any additional information is defined and is not included in the audit records, this is a finding.","fixText":"Execute the following SQL to set additional detailed information for the audit records in the session:\n\n set edb_audit_tag = '<information>';\n\nReplace <information> with a character string holding the additional data that must be captured.\n\nTo set this in a trigger, an example is included below. Keep in mind that the edb_audit_tag is set for the life of the session, not just the life of the insert command:\n\nCREATE OR REPLACE FUNCTION add_audit_info()\nRETURNS trigger AS\n$BODY\n$BEGIN\nSET edb_audit_tag = '<information>';\nRETURN NEW;\nEND;\n$BODY\n$LANGUAGE plpgsql;\n\nCREATE TRIGGER add_audit_info_trigger\nBEFORE INSERT\nON <table>\nFOR EACH ROW\nEXECUTE PROCEDURE add_audit_info();","ccis":["CCI-000135"]},{"vulnId":"V-224146","ruleId":"SV-224146r960915_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.","description":"It is critical that when the DBMS is at risk of failing to process audit logs as required, action be taken to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen the need for system availability does not outweigh the need for a complete audit trail, the DBMS should shut down immediately, rolling back all in-flight transactions.\n\nSystems where audit trail completeness is paramount will most likely be at a lower MAC level than MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid a shutdown in all but the most extreme situations.","checkContent":"If Postgres Enterprise Manager (PEM) is installed and configured to shut down the database when the audit log is full, this is not a finding.\n\nOtherwise, review the procedures, manual and/or automated, for monitoring the space used by audit trail(s) and for off-loading audit records to a centralized log management system.\n\nIf the procedures do not exist, this is a finding.\n\nIf the procedures exist, request evidence that they are followed. If the evidence indicates that the procedures are not followed, this is a finding.\n\nIf the procedures exist, inquire if the system has ever run out of audit trail space in the last two years or since the last system upgrade, whichever is more recent. If it has run out of space in this period, and the procedures have not been updated to compensate, this is a finding.","fixText":"Modify DBMS, OS, or third-party logging application settings to alert appropriate personnel when a specific percentage of log storage capacity is reached.\n\nIf EDB Postgres Enterprise Manager (PEM) is in use, it may be configured to issue an alert, send an email to designated personnel, and shut down the EDB Postgres Advanced Server instance when the audit log mount point is at 99 percent full. Refer to the Supplemental Procedures document, supplied with this STIG, for guidance on configuring PEM alerts.","ccis":["CCI-000140"]},{"vulnId":"V-224147","ruleId":"SV-224147r960915_rule","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.","description":"It is critical that when the DBMS is at risk of failing to process audit logs as required, action be taken to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, approved actions in response to an audit failure are as follows:\n\n(i) If the failure was caused by the lack of audit record storage capacity, the DBMS must continue generating audit records, if possible (automatically restarting the audit service if necessary), and overwriting the oldest audit records in a first-in-first-out manner.\n\n(ii) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the DBMS must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.\n\nSystems where availability is paramount will most likely be MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid audit data loss in all but the most extreme situations.","checkContent":"If the system documentation indicates audit trail completeness takes precedence over availability this is not applicable (NA).\n\nIf an externally managed and monitored partition or logical volume that can be grown dynamically is being used for logging, this is not a finding. \n\nIf EDB Postgres Advanced Server (EPAS) is auditing to a directory that is not being actively checked for availability of disk space, and if a tool, utility, script, or other mechanism is not being used to ensure sufficient disk space is available for the creation of new audit logs, this is a finding.\n\nIf a tool, utility, script, or other mechanism is being used to rotate audit logs and oldest logs are not being removed to ensure sufficient space for newest logs or oldest logs are not being replaced by newest logs, this is a finding.","fixText":"Establish a process with accompanying tools for monitoring available disk space and ensuring that sufficient disk space is maintained in order to continue generating audit logs, overwriting the oldest existing records if necessary.\n\nIf the organization does not employ an existing log management utility, the following example identifies one approach that may be followed to rotate EDB audit log files on Windows. \n\nDetermine the maximum size of the audit log directory. For this example fix, assume the audit log directory must have a maximum size of 100MB. Divide the maximum size of the directory by 10 to determine the size of the log files for rotation. For this example, the audit log file size will be set to 10Mb. Perform the following steps to ensure that the audit log directory is never more than 90% full and the oldest logs are removed to make room for new logs:\n\n1) Execute the following SQL statements to review current auditing related settings and to configure EPAS to generate a new audit log file when the current log file has reached the log file size determined above (10 Mb):\n\n -- List current EDB Audit settings\n SELECT name, setting FROM pg_settings WHERE category LIKE 'EnterpriseDB Audit%' ORDER BY name;\n\n /*\n * Note: If edb_audit is not set to 'csv' or 'xml', auditing is not enabled.\n * To enable EDB auditing, issue one of the following SQL statements:\n *\n * ALTER SYSTEM SET edb_audit TO 'xml';\n * \n * or\n *\n * ALTER SYSTEM SET edb_audit TO 'csv';\n *\n */\n\n -- Set edb_audit_filename parameter to ensure unique name for each log file that is generated\n ALTER SYSTEM SET edb_audit_filename TO 'audit-%Y%m%d_%H%M%S';\n\n -- Set edb_audit_rotation_size to desired maximum file size (e.g., 10 Mb)\n ALTER SYSTEM SET edb_audit_rotation_size TO 10;\n\n -- Reload configuration settings to put the updated settings into effect\n SELECT pg_reload_conf();\n\n -- List current EDB Audit settings to confirm updates are in place\n SELECT name, setting FROM pg_settings WHERE category LIKE 'EnterpriseDB Audit%' ORDER BY name;\n\n2) Using a text editor, create a Windows batch file with the following content:\n\n @ECHO OFF\n SETLOCAL\n SET \"targetdir=<Path to edb_audit Directory>\"\n SET /a retain=8\n\n FOR /f \"skip=%retain%delims=\" %%a IN (\n 'dir /b /a-d /o-d \"%targetdir%\\audit-????????_??????.xml\" '\n ) DO DEL \"%targetdir%\\%%a\"\n\n GOTO :EOF\n\n3) Replace \"<Path to edb_audit Directory>\" for \"targetdir\" variable in the batch file (3rd line) to correspond to the EDB audit log directory configured for your EPAS instance. Note that the EDB audit log directory is configured by the edb_audit_directory parameter. By default, the edb_audit_directory is set to \"edb_audit\", which results in an \"edb_audit\" directory being created under the EPAS cluster's data directory for audit logs if auditing is enabled. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW data_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf default setting of \"edb_audit\" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be <EDB Postgres data directory>\\edb_audit.\n\n4) Update the \"retain\" variable in the batch file (4th line) to correspond to the desired minimum number of audit log files that should be retained in the directory. It should be set so that sufficient headroom is maintained in the directory for log files generated between runs of the batch file.\n\n5) Save the batch file to a location that would be accessible to the Windows Task Scheduler. For this example, save the file to \"C:\\Windows\\System32\\Manage_EDB_Audit_Logs.bat\".\n\n6) Using the Windows Task Scheduler, create a scheduled task to execute the Manage_EDB_Audit_Logs.bat file on a periodic basis. At a minimum, it is recommended that the task be scheduled to perform this action at least on an hourly basis. Depending on the various audit log settings and database activity, it may be necessary to configure the task to be run more frequently.","ccis":["CCI-000140"]},{"vulnId":"V-224148","ruleId":"SV-224148r960930_rule","severity":"medium","ruleTitle":"The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized read access.","description":"If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, copy, etc.\n\nThis requirement can be achieved through multiple methods which will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions utilizing file system protections and limiting log data location.\n\nAdditionally, applications with user interfaces to audit records should not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring that audit information is protected from unauthorized access.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.","checkContent":"The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to \"edb_audit\", which results in a directory name \"edb_audit\" being created under the postgresql data directory. \n\nThe location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW edb_audit_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS). \n\nNote that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW data_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf the default path is used for the postgresql data directory and the default setting of \"edb_audit\" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be <EDB Postgres data directory>\\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different.\n\nFirst, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Security\" tab, and select the \"Advanced\" button. \n Note the Value of the Owner field.\n\nUsing the Windows command prompt, enter the following command, replacing <EDB Audit directory> with the correct path for the EDB audit directory:\n\n dir \"<EDB Audit directory>\" /Q /S\n\n Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. \n\nNext, check the permissions assigned to the EDB audit directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Review the users and groups and permissions assigned to them for the folder.\n\nUsing a Windows command prompt, the following command may be used to list file permissions:\n\n icacls \"<EDB Audit directory>\"\n icacls \"<EDB Audit directory>\\*\" \n Review the users and groups and permissions assigned to them for the file(s).\n\n Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. \nIf read or greater permissions are granted to Everyone or to the Users group, this is a finding.\nIf any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding.\nIf any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding.\nIf any permissions are listed for any account other than the database service account not identified in the system documentation as being approved for the permission, this is a finding.","fixText":"1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account.\n\nIf the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Securities\" tab, and select the \"Advanced\" button.\n Select the \"Change\" link shown next to the owner of the folder to change the folder's owner.\n\nAlternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt.\n\n2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Modify the security permissions to:\n NT AUTHORITY/NetworkService (or configured database service account) (Full Control)\n Administrators (Read)\n Users (none)\n\nAlternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt.\n\nIf other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.","ccis":["CCI-000162"]},{"vulnId":"V-224149","ruleId":"SV-224149r960933_rule","severity":"medium","ruleTitle":"The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized modification.","description":"If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification.\n\nThis requirement can be achieved through multiple methods that will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions and limiting log data locations.\n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nModification of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database.","checkContent":"The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to \"edb_audit\", which results in a directory name \"edb_audit\" being created under the postgresql data directory. \n\nThe location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW edb_audit_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS). \n\nNote that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW data_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf the default path is used for the postgresql data directory and the default setting of \"edb_audit\" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be <EDB Postgres data directory>\\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different.\n\nFirst, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Security\" tab, and select the \"Advanced\" button. \n Note the Value of the Owner field.\n\nUsing the Windows command prompt, enter the following command, replacing <EDB Audit directory> with the correct path for the EDB audit directory:\n\n dir \"<EDB Audit directory>\" /Q /S\n\n Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. \n\nNext, check the permissions assigned to the EDB audit directory folder and its content. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Review the users and groups and permissions assigned to them for the folder.\n\nUsing a Windows command prompt, the following command may be used to list file permissions:\n\n icacls \"<EDB Audit directory>\"\n icacls \"<EDB Audit directory>\\*\" \n Review the users and groups and permissions assigned to them for the file(s).\n\n Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. \nIf read or greater permissions are granted to Everyone or to the Users group, this is a finding.\nIf any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding.\nIf any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding.\nIf any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.","fixText":"1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account.\n\nIf the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Securities\" tab, and select the \"Advanced\" button.\n Select the \"Change\" link shown next to the owner of the folder to change the folder's owner.\n\nAlternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt.\n\n2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Modify the security permissions to:\n NT AUTHORITY/NetworkService (or configured database service account) (Full Control)\n Administrators (Read)\n Users (none)\n\nAlternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt.\n\nIf other permissions have been granted to other users or groups, ensure the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.","ccis":["CCI-000163"]},{"vulnId":"V-224150","ruleId":"SV-224150r960936_rule","severity":"medium","ruleTitle":"The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized deletion.","description":"If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods which will depend upon system architecture and design.\n\nSome commonly employed methods include: ensuring log files enjoy the proper file system permissions utilizing file system protections; restricting access; and backing up log data to ensure log data is retained.\n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys to make access decisions regarding the deletion of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nDeletion of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database.","checkContent":"The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to \"edb_audit\", which results in a directory name \"edb_audit\" being created under the postgresql data directory. \n\nThe location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW edb_audit_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS). \n\nNote that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW data_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf the default path is used for the postgresql data directory and the default setting of \"edb_audit\" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be <EDB Postgres data directory>\\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different.\n\nFirst, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Security\" tab, and select the \"Advanced\" button. \n Note the Value of the Owner field.\n\nUsing the Windows command prompt, enter the following command, replacing <EDB Audit directory> with the correct path for the EDB audit directory:\n\n dir \"<EDB Audit directory>\" /Q /S\n\n Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. \n\nNext, check the permissions assigned to the EDB audit directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Review the users and groups and permissions assigned to them for the folder.\n\nUsing a Windows command prompt, the following command may be used to list file permissions:\n\n icacls \"<EDB Audit directory>\"\n icacls \"<EDB Audit directory>\\*\" \n Review the users and groups and permissions assigned to them for the file(s).\n\n Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. \nIf read or greater permissions are granted to Everyone or to the Users group, this is a finding.\nIf any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding.\nIf any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding.\nIf any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.","fixText":"1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account.\n\nIf the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Securities\" tab, and select the \"Advanced\" button.\n Select the \"Change\" link shown next to the owner of the folder to change the folder's owner.\n\nAlternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt.\n\n2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Modify the security permissions to:\n NT AUTHORITY/NetworkService (or configured database service account) (Full Control)\n Administrators (Read)\n Users (none)\n\nAlternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt.\n\nIf other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.","ccis":["CCI-000164"]},{"vulnId":"V-224151","ruleId":"SV-224151r960939_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect its audit features from unauthorized access.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data.\n\nDepending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, OS-provided audit tools, vendor-provided audit tools, and open source audit tools needed to successfully view and manipulate audit information system activity and records.\n\nIf an attacker were to gain access to audit tools, he could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.","checkContent":"The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to \"edb_audit\", which results in a directory name \"edb_audit\" being created under the postgresql data directory. \n\nThe location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW edb_audit_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS). \n\nNote that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW data_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf the default path is used for the postgresql data directory and the default setting of \"edb_audit\" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be <EDB Postgres data directory>\\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different.\n\nFirst, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Security\" tab, and select the \"Advanced\" button. \n Note the Value of the Owner field.\n\nUsing the Windows command prompt, enter the following command, replacing <EDB Audit directory> with the correct path for the EDB audit directory:\n\n dir \"<EDB Audit directory>\" /Q /S\n\n Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. \n\nNext, check the permissions assigned to the EDB audit directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Review the users and groups and permissions assigned to them for the folder.\n\nUsing a Windows command prompt, the following command may be used to list file permissions:\n\n icacls \"<EDB Audit directory>\"\n icacls \"<EDB Audit directory>\\*\" \n Review the users and groups and permissions assigned to them for the file(s).\n\n Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. \nIf read or greater permissions are granted to Everyone or to the Users group, this is a finding.\nIf any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding.\nIf any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding.\nIf any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.","fixText":"1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account.\n\nIf the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Securities\" tab, and select the \"Advanced\" button.\n Select the \"Change\" link shown next to the owner of the folder to change the folder's owner.\n\nAlternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt.\n\n2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Modify the security permissions to:\n NT AUTHORITY/NetworkService (or configured database service account) (Full Control)\n Administrators (Read)\n Users (none)\n\nAlternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt.\n\nIf other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.","ccis":["CCI-001493"]},{"vulnId":"V-224152","ruleId":"SV-224152r960942_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect its audit configuration from unauthorized modification.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the modification of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to \"edb_audit\", which results in a directory name \"edb_audit\" being created under the postgresql data directory. \n\nThe location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW edb_audit_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS). \n\nNote that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW data_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf the default path is used for the postgresql data directory and the default setting of \"edb_audit\" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be <EDB Postgres data directory>\\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different.\n\nFirst, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Security\" tab, and select the \"Advanced\" button. \n Note the Value of the Owner field.\n\nUsing the Windows command prompt, enter the following command, replacing <EDB Audit directory> with the correct path for the EDB audit directory:\n\n dir \"<EDB Audit directory>\" /Q /S\n\n Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. \n\nNext, check the permissions assigned to the EDB audit directory folder and its content. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Review the users and groups and permissions assigned to them for the folder.\n\nUsing a Windows command prompt, the following command may be used to list file permissions:\n\n icacls \"<EDB Audit directory>\"\n icacls \"<EDB Audit directory>\\*\" \n Review the users and groups and permissions assigned to them for the file(s).\n\n Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. \nIf read or greater permissions are granted to Everyone or to the Users group, this is a finding.\nIf any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding.\nIf any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding.\nIf any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.","fixText":"1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account.\n\nIf the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Securities\" tab, and select the \"Advanced\" button.\n Select the \"Change\" link shown next to the owner of the folder to change the folder's owner.\n\nAlternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt.\n\n2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Modify the security permissions to:\n NT AUTHORITY/NetworkService (or configured database service account) (Full Control)\n Administrators (Read)\n Users (none)\n\nAlternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt.\n\nIf other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.","ccis":["CCI-001494"]},{"vulnId":"V-224153","ruleId":"SV-224153r960945_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect its audit features from unauthorized removal.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to \"edb_audit\", which results in a directory name \"edb_audit\" being created under the postgresql data directory. \n\nThe location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW edb_audit_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS). \n\nNote that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW data_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf the default path is used for the postgresql data directory and the default setting of \"edb_audit\" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be <EDB Postgres data directory>\\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different.\n\nFirst, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Security\" tab, and select the \"Advanced\" button. \n Note the Value of the Owner field.\n\nUsing the Windows command prompt, enter the following command, replacing <EDB Audit directory> with the correct path for the EDB audit directory:\n\n dir \"<EDB Audit directory>\" /Q /S\n\n Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. \n\nNext, check the permissions assigned to the EDB audit directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Review the users and groups and permissions assigned to them for the folder.\n\nUsing a Windows command prompt, the following command may be used to list file permissions:\n\n icacls \"<EDB Audit directory>\"\n icacls \"<EDB Audit directory>\\*\" \n Review the users and groups and permissions assigned to them for the file(s).\n\n Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. \nIf read or greater permissions are granted to Everyone or to the Users group, this is a finding.\nIf any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding.\nIf any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding.\nIf any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.","fixText":"1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account.\n\nIf the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Securities\" tab, and select the \"Advanced\" button.\n Select the \"Change\" link shown next to the owner of the folder to change the folder's owner.\n\nAlternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt.\n\n2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Modify the security permissions to:\n NT AUTHORITY/NetworkService (or configured database service account) (Full Control)\n Administrators (Read)\n Users (none)\n\nAlternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt.\n\nIf other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.","ccis":["CCI-001495"]},{"vulnId":"V-224154","ruleId":"SV-224154r960960_rule","severity":"medium","ruleTitle":"Software, applications, and configuration files that are part of, or related to, the Postgres Plus Advanced Server installation must be monitored to discover unauthorized changes.","description":"If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Monitoring is required for assurance that the protections are effective.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.","checkContent":"Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files is done.\n\nVerify the list of files and directories being monitored is complete.\n\nIf monitoring does not occur or is not complete, this is a finding.","fixText":"Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement.\n\nUse file hashes or checksums for comparisons, as file dates may be manipulated by malicious users.","ccis":["CCI-001499"]},{"vulnId":"V-224155","ruleId":"SV-224155r960960_rule","severity":"medium","ruleTitle":"EDB Postgres Advanced Server software modules, to include stored procedures, functions, and triggers must be monitored to discover unauthorized changes.","description":"If the system were to allow any user to make changes to software modules implemented within the database, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Monitoring is required for assurance that the protections are effective.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.","checkContent":"Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files is being performed.\n\nIf the database schema (includes functions, procedures, schemas, extensions, etc.) is not being regularly checked for changes, this is a finding.","fixText":"Regularly run a check similar to this:\n\nmove <postgresql data directory>\\latest.schema <postgresql data directory>\\previous.schema\n\nC:\\Program Files\\edb\\as<version>\\bin\\pg_dump -s -d edb -f <postgresql data directory>\\latest.schema\n\nFC <postgresql data directory>\\previous.schema <postgresql data directory>\\latest.schema\n\nIf any differences are shown, ensure the differences are expected.","ccis":["CCI-001499"]},{"vulnId":"V-224156","ruleId":"SV-224156r960960_rule","severity":"high","ruleTitle":"The EDB Postgres Advanced Server software installation account must be restricted to authorized users.","description":"When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system.\n\nIf the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nDBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a great impact on database security and operation. It is especially important to grant privileged access to only those persons who are qualified and authorized to use them.","checkContent":"Review procedures for controlling, granting access to, and tracking use of the DBMS software installation account.\n\nIf access or use of this account is not restricted to the minimum number of personnel required or if unauthorized access to the account has been granted, this is a finding.","fixText":"Develop, document, and implement procedures to restrict and track use of the DBMS software installation account.","ccis":["CCI-001499"]},{"vulnId":"V-224157","ruleId":"SV-224157r960960_rule","severity":"medium","ruleTitle":"Database software, including EDB Postgres Advanced Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.","description":"When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.\n\nMultiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.","checkContent":"Review the DBMS software library directory and note other root directories located on the same disk directory or any subdirectories.\n\nIf any non-DBMS software directories exist on the disk directory, examine or investigate their use. If any of the directories are used by other applications, including third-party applications that use the DBMS, this is a finding.\n\nOnly applications that are required for the functioning and administration, not use, of the DBMS should be located in the same disk directory as the DBMS software libraries.\n\nIf other applications are located in the same directory as the DBMS, this is a finding.","fixText":"Install all applications on directories separate from the DBMS software library directory. Relocate any directories or reinstall other application software that currently shares the DBMS software library directory.","ccis":["CCI-001499"]},{"vulnId":"V-224158","ruleId":"SV-224158r960960_rule","severity":"medium","ruleTitle":"Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to the EDB Postgres Advanced Server, etc.) must be owned by database/EDB Postgres Advanced Server principals authorized for ownership.","description":"Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.\n\nConversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.","checkContent":"Review system documentation to identify accounts authorized to own database objects. Review accounts that own objects in the database(s) by running this SQL command:\n\nselect * from sys.all_objects;\n\nIf any database objects are found to be owned by users not authorized to own database objects, this is a finding.","fixText":"Assign ownership of authorized objects to authorized object owner accounts by running this SQL command for each object to be changed:\n\nALTER <type> <object name> OWNER TO <new owner>;\n\nFor example: ALTER TABLE my_table OWNER TO APP_USER;","ccis":["CCI-001499"]},{"vulnId":"V-224159","ruleId":"SV-224159r960960_rule","severity":"medium","ruleTitle":"The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the EDB Postgres Advanced Server, etc.) must be restricted to authorized users.","description":"If the DBMS were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.","checkContent":"Use psql to connect to the db as enterprisedb and run this command:\n\n\\dp *.*\n\nIf any unauthorized roles have unauthorized accesses, this is a finding.\n\nDefinitions of the access privileges are defined here:\n\nhttp://www.postgresql.org/docs/current/static/sql-grant.html","fixText":"Revoke unauthorized privileges.\n\nThe syntax is:\n REVOKE <privilege> ON <object> FROM <role>.\n\nExample:\n REVOKE INSERT ON a FROM PUBLIC;\n\nSee PostgreSQL documentation for details.","ccis":["CCI-001499"]},{"vulnId":"V-224160","ruleId":"SV-224160r960963_rule","severity":"medium","ruleTitle":"Default, demonstration and sample databases, database objects, and applications must be removed.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plugins not related to requirements or providing a wide array of functionality, not required for every mission, that cannot be disabled.\n\nDBMSs must adhere to the principles of least functionality by providing only essential capabilities.\n\nDemonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the DBMS and host system.","checkContent":"If EDB Postgres Advanced Server (EPAS) is hosted on a server that does not support production systems, and is designated for the deployment of samples and demonstrations, this is not applicable (NA).\n\nReview documentation and websites from EnterpriseDB and any other relevant vendors for vendor-provided demonstration or sample databases, database applications, schemas, objects, and files.\n\nReview the EPAS DBMS to determine if any of the demonstration and sample databases, schemas, database applications, or objects are installed in the database or are included with the DBMS application. If any are present in the database or are included with the DBMS application, this is a finding.\n\nCheck for the existence of EDB Postgres sample databases: postgres and edb. To check Execute the following SQL as enterprisedb:\n\n SELECT datname FROM pg_database WHERE datistemplate = false;\n\nIf any databases are listed here that are not documented as being used by the application, this is a finding.\n\nEDB Postgres provides the ability to install a set of sample tables and related objects in a postgres database via the installer or via the edb-sample.sql script installed with EDB Postgres Advanced Server (located in the <EDB Postgres Installation Directory>\\installer\\server directory by default). To check whether these sample tables have been installed, execute the following SQL as enterprisedb: \n\n SELECT * FROM dba_tables WHERE table_name IN ('EMP', 'DEPT', 'JOBHIST');\n\nIf any rows are returned that do not correspond to application tables, this is a finding.\n\nPostgres provides the ability to install a set of tables for benchmark purposes using the pgbench utility. To check whether these pgbench tables have been installed, execute the following SQL as enterprisedb:\n\n SELECT * FROM dba_tables WHERE table_name LIKE 'PGBENCH%';\n\nIf any rows are returned that do not correspond to application tables, this is a finding.","fixText":"Remove any unused sample databases or sample objects within a database from the DBMS.\n\nTo remove a database, execute the follow SQL:\n\n DROP DATABASE <database>;\n\nTo remove objects within a database, use the appropriate DROP statement (DROP TABLE, DROP VIEW, etc.).","ccis":["CCI-000381"]},{"vulnId":"V-224161","ruleId":"SV-224161r960963_rule","severity":"medium","ruleTitle":"Unused database components, EDB Postgres Advanced Server software, and database objects must be removed.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives.\n\nDBMSs must adhere to the principles of least functionality by providing only essential capabilities.","checkContent":"Open Control Program >> Programs >> Programs and Features. Look specifically for publishers of EnterpriseDB, pgAdmin, or PostgreSQL. If any programs are installed which are not documented as needed by the government program, this is a finding.","fixText":"Open Control Program >> Programs >> Programs and Features. Select any programs that should not be installed, click \"uninstall\", and then follow the prompts to uninstall the software.","ccis":["CCI-000381"]},{"vulnId":"V-224162","ruleId":"SV-224162r960963_rule","severity":"medium","ruleTitle":"Unused database components which are integrated in the EDB Postgres Advanced Server and cannot be uninstalled must be disabled.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives.\n\nDBMSs must adhere to the principles of least functionality by providing only essential capabilities.\n\nUnused, unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. Components of the system that are unused and cannot be uninstalled must be disabled. The techniques available for disabling components will vary by DBMS product, OS, and the nature of the component, and may include DBMS configuration settings, OS service settings, OS file access security, and DBMS user/role permissions.","checkContent":"Open Control Program >> Programs >> Programs and Features. Look specifically for publishers of EnterpriseDB, pgAdmin, or PostgreSQL. If any programs are installed which are not documented as needed by the government program, this is a finding.","fixText":"Open Control Program >> Programs >> Programs and Features. Select any programs that should not be installed, click \"uninstall\", and then follow the prompts to uninstall the software.","ccis":["CCI-000381"]},{"vulnId":"V-224163","ruleId":"SV-224163r960963_rule","severity":"medium","ruleTitle":"Access to external executables must be disabled or restricted.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nIt is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives.\n\nApplications must adhere to the principles of least functionality by providing only essential capabilities.\n\nEDB Postgres Advanced Server may spawn additional external processes to execute procedures that are defined in EDB Postgres Advanced Server but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than EDB Postgres Advanced Server and provide unauthorized access to the host system.","checkContent":"Check for EDB Postgres Advanced Server related programs that have been installed but not documented as approved. Open Control Program >> Programs >> Programs and Features. Look specifically for publishers of EnterpriseDB, pgAdmin, or PostgreSQL. If any programs are installed which are not documented as needed by the organization for the system, this is a finding.\n\nThe Postgres COPY command provides options for reading or writing files or running a program that the server has privileges to access. These options are only allowed for users who have been granted superuser privilege or have been granted the pg_read_server_files, pg_write_server_files, or pg_execute_server_program roles. The SUPERUSER privilege and the roles that provide access to files on the underlying server should only be granted to approved users.\n\nTo check for user and group roles that have been granted the SUPERUSER privilege, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:\n\n WITH RECURSIVE roles( granted_role_id, granted_role_name, role_id, role_name, can_login, how_superuser, root_role_name )\n AS (\n SELECT NULL::oid granted_role_id\n , NULL::name granted_role_name\n , r1.oid role_id\n , r1.rolname role_name\n , r1.rolcanlogin can_login\n , 'Assigned Superuser Privilege' how_superuser\n , r1.rolname root_role_name\n FROM pg_authid r1\n WHERE r1.rolsuper = 't'\n UNION\n SELECT m.roleid\n , r3.rolname\n , m.member\n , r2.rolname\n , r2.rolcanlogin\n , 'Granted Role with Superuser Privilege'\n , r1.root_role_name\n FROM pg_auth_members m\n JOIN pg_authid r2\n ON r2.oid = m.member\n JOIN pg_authid r3\n ON r3.oid = m.roleid\n JOIN roles r1\n ON m.roleid = r1.role_id\n )\n SELECT DISTINCT r.role_name, r.can_login, hs.how_superuser, gr.granted_roles, rr.root_superuser_roles\n FROM roles r\n JOIN ( SELECT role_name, string_agg(how_superuser, ', ') how_superuser \n FROM ( SELECT DISTINCT role_name, how_superuser FROM roles ORDER BY 2 )\n GROUP BY role_name\n ) hs\n ON r.role_name = hs.role_name\n JOIN ( SELECT role_name, string_agg(granted_role_name, ', ') granted_roles\n FROM ( SELECT DISTINCT role_name, granted_role_name FROM roles ORDER BY 2 ) \n GROUP BY role_name\n ) gr\n ON r.role_name = gr.role_name\n JOIN ( SELECT role_name, string_agg(root_role_name, ', ') root_superuser_roles \n FROM ( SELECT DISTINCT role_name, root_role_name FROM roles ORDER BY 2 )\n GROUP BY role_name\n ) rr \n ON r.role_name = rr.role_name\n ORDER BY 3,1;\n\nThe above query will list all user and group roles that have either been granted the SUPERUSER privilege explicitly or via one of the roles in the hierarchy of roles they have been granted.\n\nIf a user or group roles has the SUPERUSER privilege either directly or via one of the roles in the hierarchy of roles it has been granted, and the role is not documented as being approved to have this privilege, this is a finding.\n\nTo check for user and group roles that have been granted any of the pg_read_server_files, pg_write_server_files, or pg_execute_server_program roles, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:\n\n WITH RECURSIVE roles( granted_role_id, granted_role_name, role_id, role_name, can_login, root_role_name )\n AS (\n SELECT NULL::oid granted_role_id\n , NULL::name granted_role_name\n , r1.oid role_id\n , r1.rolname role_name\n , r1.rolcanlogin can_login\n , r1.rolname root_role_name\n FROM pg_authid r1\n WHERE r1.rolname IN ( 'pg_read_server_files', 'pg_write_server_files', 'pg_execute_server_program' )\n UNION\n SELECT m.roleid\n , r3.rolname\n , m.member\n , r2.rolname\n , r2.rolcanlogin\n , r1.root_role_name\n FROM pg_auth_members m\n JOIN pg_authid r2\n ON r2.oid = m.member\n JOIN pg_authid r3\n ON r3.oid = m.roleid\n JOIN roles r1\n ON m.roleid = r1.role_id\n )\n SELECT DISTINCT r.role_name, r.can_login, gr.granted_roles, rr.server_os_access_roles\n FROM roles r\n JOIN ( SELECT role_name, string_agg(granted_role_name, ', ') granted_roles\n FROM ( SELECT DISTINCT role_name, granted_role_name FROM roles ORDER BY 2 ) \n GROUP BY role_name\n ) gr\n ON r.role_name = gr.role_name\n JOIN ( SELECT role_name, string_agg(root_role_name, ', ') server_os_access_roles \n FROM ( SELECT DISTINCT role_name, root_role_name FROM roles ORDER BY 2 )\n GROUP BY role_name\n ) rr \n ON r.role_name = rr.role_name\n WHERE gr.granted_roles IS NOT NULL\n ORDER BY 1;\n\nThe above query will list all user and group roles that have been granted one of these roles either explicitly or via one of the roles in the hierarchy of roles they have been granted.\n\nIf a user or group roles has been granted one of these roles either explicitly or via one of the roles in the hierarchy of roles they have been granted, and the role is not documented as being approved to have this role, this is a finding.\n\nIt is possible for a Postgres database extension to contain code that could access external executables via SQL. To list all installed extensions, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:\n\n SELECT * FROM pg_available_extensions WHERE installed_version IS NOT NULL ORDER BY 1;\n\nIf any extensions are installed that are not documented as being approved, this is a finding.\n\nIt is possible to create database functions that are written in C or other procedural languages that reference code in externally loaded modules that may enable interaction with the OS. To list such functions, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:\n\n SELECT n.nspname \"Schema\", p.proname \"Function\", p.prosrc \"Source\", p.probin \"Library\", l.lanname \"Language\"\n FROM pg_proc p\n JOIN pg_namespace n ON p.pronamespace = n.oid \n JOIN pg_language l on p.prolang = l.oid \n WHERE n.nspname NOT IN ('pg_catalog', 'sys', 'information_schema')\n AND (l .lanpltrusted = 'f' AND l.lanname != 'internal' )\n ORDER BY 4, 1, 2, 3;\n\nIf any C-language or other procedural language function is listed that is not documented as being approved, this is a finding.","fixText":"To uninstall programs that are not approved, open Control Program | Programs | Programs and Features. Select any programs that should not be installed, click the \"uninstall\" button, and follow the prompts to uninstall the software.\n\nTo remove the SUPERUSER privilege from a role, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:\n\n ALTER ROLE <role name> WITH NOSUPERUSER;\n\nTo remove a role that has been granted to another role, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:\n\n REVOKE ROLE <name of role to be removed> FROM <role name>;\n\nTo remove an extension from a Postgres database, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:\n\n DROP EXTENSION <name of extension to be removed>;\n\nTo remove a function from a Postgres database, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:\n\n DROP FUNCTION <name of function to be removed>;\n\nIf the unapproved function is contained in an EDB-SPL database package, drop the package specification and body or replace the package specification and package body source with an updated version of the source that does not include the unapproved function. \n\nTo drop a package, execute the following SQL statements in psql or another EDB Postgres Advanced Server SQL client as enterprisedb:\n\n DROP PACKAGE BODY <name of package to be dropped>;\n DROP PACKAGE <name of package to be dropped>;\n\nTo update a package, execute the \"CREATE OR REPLACE PACKAGE <package name>\" and \"CREATE OR REPLACE PACKAGE BODY <package name>\" SQL statements in psql or another EDB Postgres Advanced Server SQL client. See the EnterpriseDB \"Database Compatibility for Oracle Developers Reference Guide\" for more information about the commands for creating, replacing, and dropping database packages.","ccis":["CCI-000381"]},{"vulnId":"V-224164","ruleId":"SV-224164r960966_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols/services on information systems.\n\nApplications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.\n\nTo support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.\n\nDatabase Management Systems using ports, protocols, and services deemed unsafe are open to attack through those ports, protocols, and services. This can allow unauthorized access to the database and through the database to other components of the information system.\n\nA Postgres database cluster (i.e., instance) listens for connections on a single TCP port. The default port for an EDB Postgres Advanced Server cluster is 5444; however, the port number that is used is configurable via the Postgres \"port\" parameter. A database restart is required to apply a change to the port parameter. Also by default, a Postgres cluster will listen for connections on all interfaces on the host. The \"listen_addresses\" parameter can be used to configure specific interfaces on the host to listen for connections. The default value of \"*\" indicates all interfaces are used. To listen only on specific interfaces, the listen_addresses parameter is configured with a comma-separated list of host names and/or numeric IP addresses corresponding to the interfaces that should be used. As with the port parameter, changes to the listen_addresses parameter requires a cluster restart to take effect.","checkContent":"Review documentation for approved list of ports, protocols, and addresses.\n\nTo list the port that is being used, execute the following SQL as enterprisedb:\n\n SHOW port;\n\nIf the port returned by the above command is not approved, this is a finding.\n\nTo list the interface addresses that are being used, execute the following SQL as enterprisedb:\n\n SHOW listen_addresses;\n\nFor the above statement, a return value of \"*\" indicates that the database cluster (i.e., instance) is configured to listen on all interfaces on the database host.\n\nIf the addresses returned are not approved, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\n ALTER SYSTEM SET port = <port>;\n ALTER SYSTEM SET listen_addresses = <comma separated addresses>;\n\nRestart the database service. For EDB Postgres Advanced Server, the default service name is \"edb-as-<EDB Version #>\" with a default display name of \"edb-as-<EDB Version #> - Advanced Server <EDB Version #>\":\n\nTo restart the database service, using the Windows Services Control Manager:\n1. Open the Windows Services Control Manager.\n2. Select the database service from the list of services, right-click it, and select \"Restart\".\n\nAlternatively, the database can be restarted via the Windows command line using either the NET or SC command as follows:\n\n NET STOP <service name>\n NET START <service name>\n\nor\n\n SC STOP <service name>\n SC START <service name>\n\nNote that if pgAgent is installed and running, the corresponding pgAgent service is dependent on the EDB Postgres database service and will first need to be stopped in order to restart the database service. After restarting the database service, the pgAgent service may be started again.","ccis":["CCI-000382"]},{"vulnId":"V-224165","ruleId":"SV-224165r960969_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"Verify that the pg_hba.conf is not using the \"trust\" authentication method.\n\nNote that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW hba_file\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nTo verify that the pg_hba.conf file is not using the methods listed above, open the pg_hba.conf file in a text editor and inspect the contents of the file. If any uncommented lines have \"trust\" specified for the \"METHOD\" column and the setting has not been documented with sufficient justification and approved, this is a finding.\n\nOptionally, the following command can be run from a Windows command prompt to identify any uncommented lines in the pg_hba.conf file that may be using these methods: \n\n type <postgresql data directory>\\pg_hba.conf | findstr /N \"trust\" | find /V /N \"#\"\n\nNote: For the command above, if the path to the pg_hba.conf file contains spaces in it, the path to the file (including the file name) should be placed in double quotes. \n\nIf any uncommented lines showing that the \"trust\" authentication method has been specified are reported via the above command and the setting has not been documented with sufficient justification and approved, this is a finding.","fixText":"Open \"<postgresql data directory>\\pg_hba.conf\" in an editor. \n\nNote that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW hba_file\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf any rows have \"trust\" specified for the \"METHOD\" column that are not documented and approved, delete the rows or change them to other authentication methods.\n\nPermitted methods in preferred order are: peer (local only), cert, ldap, sspi, pam, sha-256-scram, md5","ccis":["CCI-000764"]},{"vulnId":"V-224166","ruleId":"SV-224166r981946_rule","severity":"high","ruleTitle":"If DBMS authentication, using passwords, is employed, EDB Postgres Advanced Server must enforce the DoD standards for password complexity and lifetime.","description":"OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved.\n\nThe DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.\n\nIn such cases, the DoD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. For other DBMSs, the rules must be enforced using available configuration parameters or custom code.","checkContent":"If DBMS authentication, using passwords, is not employed, this is not a finding.\n\nIn a SQL window, run this command:\n\nselect * from dba_profiles;\n\nIf there are UNLIMITED or NULL values in the \"limit\" column, this is a finding.\n\nReview the password verification functions specified for the PASSWORD_VERIFY_FUNCTION settings for each profile. Determine whether the following rules are enforced by the code in those functions. If any are not, this is a finding.\na. minimum of 15 characters, including at least one of each of the following character sets:\n- Upper-case\n- Lower-case\n- Numerics\n- Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)\nb. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight\n\nReview the DBMS settings relating to password lifetime. Determine whether the following rules are enforced. If any are not, this is a finding.\na. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days\nb. Password lifetime limits for non-interactive accounts: Minimum 24 hours, maximum 365 days\nc. Number of password changes before an old one may be reused: Minimum of five","fixText":"After creating a password verification function, configure the default profile to use it and to the other required password related settings.\n\nTo facilitate checking that a new password is sufficiently different from a previously used one, the dod_verify_password function uses the Levenshtein function, which is available as part of the PostgreSQL fuzzystrmatch extension. \n\nBefore creating the password verification function, check whether the fuzzystrmatch extension is installed by executing the following SQL query as enterprisedb:\n\n SELECT extname FROM pg_extension;\n\nIf \"fuzzystrmatch\" is not listed, execute the following SQL to install the extension as enterprisedb:\n\n CREATE EXTENSION fuzzystrmatch;\n\nWith the fuzzystrmatch extension installed, execute the following SQL statements as enterprisedb:\n\n CREATE OR REPLACE FUNCTION sys.dod_verify_password(user_name varchar2, new_password varchar2, old_password varchar2) \n RETURN boolean IMMUTABLE \n IS \n pwd_length integer := NVL( length(new_password), 0 );\n\n min_length integer := 15;\n min_lower integer := 1;\n min_upper integer := 1;\n min_numeric integer := 1;\n min_special integer := 1;\n min_diff integer := ceil(min_length::numeric / 2);\n\n cnt_lower integer := 0;\n cnt_upper integer := 0;\n cnt_numeric integer := 0;\n cnt_special integer := 0;\n\n cnt_diff integer := 0;\n\n i integer ;\n curr_char CHAR(1);\n\n BEGIN \n\n --\n -- Check Length of new password\n --\n IF ( pwd_length < min_length ) \n THEN \n raise_application_error(-20001, 'Password is too short. Password must be at least '||min_length||' characters long.'); \n END IF;\n\n --\n -- Get count of each character type in new password.\n --\n FOR i in 1..pwd_length LOOP\n curr_char := substr(new_password, i, 1);\n\n IF ( curr_char SIMILAR TO '[a-z]' ) THEN\n cnt_lower := cnt_lower + 1;\n ELSIF ( curr_char SIMILAR TO '[A-Z]' ) THEN\n cnt_upper := cnt_upper + 1;\n ELSIF ( curr_char SIMILAR TO '[0-9]' ) THEN\n cnt_numeric := cnt_numeric + 1;\n ELSE\n cnt_special := cnt_special + 1;\n END IF;\n END LOOP;\n\n --\n -- Calculate Levenshtein difference between old and new password\n --\n cnt_diff := levenshtein( old_password, new_password );\n\n -- Check if new password has minimum number of lowercase characters\n IF cnt_lower < min_lower THEN\n raise_application_error(-20004, 'Password must contain at least '||min_lower||' lowercase character(s)'); \n END IF;\n\n -- Check if new password has minimum number of uppercase characters\n IF cnt_upper < min_upper THEN\n raise_application_error(-20003, 'Password must contain at least '||min_upper||' uppercase character(s)'); \n END IF;\n\n -- Check if new password has minimum number of numeric characters\n IF cnt_numeric < min_numeric THEN\n raise_application_error(-20005, 'Password must contain at least '||min_numeric||' numeric character(s)'); \n END IF;\n\n -- Check if new password has minimum number of special characters\n IF cnt_special < min_special THEN\n raise_application_error(-20006, 'Password must contain at least '||min_special||' special character(s)'); \n END IF;\n\n -- Check if new password differs from old password by minimum number of required characters\n IF cnt_diff < min_diff THEN\n raise_application_error(-20007, 'Password must differ from old password by at least '||min_diff||' character(s)'); \n END IF;\n\n\n RETURN true; \n END; \n\n ALTER FUNCTION sys.dod_verify_password(varchar2, varchar2, varchar2) OWNER TO enterprisedb;\n\nNext, execute the following statement (or a variant of this) to set the default profile for DoD standards:\n\n ALTER PROFILE DEFAULT LIMIT\n FAILED_LOGIN_ATTEMPTS 3 \n PASSWORD_LOCK_TIME 1\n PASSWORD_LIFE_TIME 60\n PASSWORD_GRACE_TIME 3\n PASSWORD_REUSE_TIME 180\n PASSWORD_REUSE_MAX 5\n PASSWORD_VERIFY_FUNCTION dod_verify_password;\n\nNote that the above statement assumes that the password verification function is named \"dod_verify_password\". If the function was created with a different name, update the ALTER PROFILE statement above as appropriate.","ccis":["CCI-000192"]},{"vulnId":"V-224167","ruleId":"SV-224167r981949_rule","severity":"high","ruleTitle":"If passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords.","description":"The DoD standard for authentication is DoD-approved PKI certificates.\n\nAuthentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.\n\nIn such cases, database passwords stored in clear text, using reversible encryption, or using unsalted hashes would be vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes when stored internally or externally to the DBMS.\n\nIn Postgres, encrypted passwords may be generated and stored using either MD5 or SRAM-SHA-256 encryption algorithms. The Postgres password_encryption parameter identifies which algorithm is being used by the Postgres cluster (i.e., instance). In general, MD5 is not approved for use within DoD systems. However, SCRAM-SHA-256 is approved for use within the DoD.","checkContent":"Execute the following SQL as enterprisedb:\n\n SHOW password_encryption;\n\nIf the value returned for the password_encryption parameter is not \"scram-sha-256\", this is a finding unless otherwise documented as approved for the system.","fixText":"Execute the following SQL as enterprisedb:\n\n ALTER SYSTEM SET password_encryption = \"scram-sha-256\";\n SELECT pg_reload_conf();","ccis":["CCI-000196"]},{"vulnId":"V-224168","ruleId":"SV-224168r961029_rule","severity":"high","ruleTitle":"If passwords are used for authentication, the EDB Postgres Advanced Server must transmit only encrypted representations of passwords.","description":"The DoD standard for authentication is DoD-approved PKI certificates.\n\nAuthentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.\n\nIn such cases, passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission.\n\nDBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.","checkContent":"Verify that the pg_hba.conf is not using the \"password\" authentication method.\n\nNote that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW hba_file\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nTo verify that the pg_hba.conf file is not using the methods listed above, open the pg_hba.conf file in a text editor and inspect the contents of the file. If any uncommented lines have \"password\" specified for the \"METHOD\" column, this is a finding.\n\nOptionally, the following command can be run from a Windows command prompt to identify any uncommented lines in the pg_hba.conf file that may be using these methods: \n\n type <postgresql data directory>\\pg_hba.conf | findstr /N \"password\" | find /V /N \"#\"\n\nNote: For the command above, if the path to the pg_hba.conf file contains spaces in it, the path to the file (including the file name) should be placed in double quotes. \n\nIf any uncommented lines showing that the \"password\" authentication method has been specified are reported via the above command, this is a finding.","fixText":"Open \"<postgresql data directory>\\pg_hba.conf\" in an editor. \n\nNote that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW hba_file\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nFor any rows that have \"password\" specified for the \"METHOD\" column, change the value to \"sha-256-scram\" or \"md5\".","ccis":["CCI-000197"]},{"vulnId":"V-224169","ruleId":"SV-224169r961038_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.","description":"The DoD standard for authentication is DoD-approved PKI certificates.\n\nA certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.\n\nDatabase Management Systems that do not validate certificates by performing RFC 5280-compliant certification path validation are in danger of accepting certificates that are invalid and/or counterfeit. This could allow unauthorized access to the database.","checkContent":"Verify that hostssl entries in pg_hba.conf have \"clientcert=1\" enabled.\n\nNote that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW hba_file\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nOpen the pg_hba.conf file in a text editor and inspect the contents of the file. If any uncommented lines have TYPE of \"hostssl\" but do not include \"clientcert=1\" in the OPTIONS column at the end of the line, this is a finding.\n\nOptionally, the following command can be run from a Windows command prompt to identify any uncommented lines in the pg_hba.conf file that may be using these methods: \n\n type <postgresql data directory>\\pg_hba.conf | findstr /N \"hostssl\" | find /V /N \"#\"\n\nNote: For the command above, if the path to the pg_hba.conf file contains spaces in it, the path to the file (including the file name) should be placed in double quotes. \n\nIf any uncommented lines are reported using the above command that show a TYPE of \"hostssl\" but do not include \"clientcert=1\" in the OPTIONS column at the end of the line, this is a finding.","fixText":"Open the \"<postgresql data directory>\\pg_hba.conf\" in an editor. \n\nNote that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW hba_file\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nFor any rows that have TYPE of \"hostssl\", append \"clientcert=1\" in the OPTIONS column at the end of the line.","ccis":["CCI-000185"]},{"vulnId":"V-224170","ruleId":"SV-224170r961041_rule","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must enforce authorized access to all PKI private keys stored/utilized by the EDB Postgres Advanced Server.","description":"The DoD standard for authentication is DoD-approved PKI certificates. PKI certificate-based authentication is performed by requiring the certificate holder to cryptographically prove possession of the corresponding private key.\n\nIf the private key is stolen, an attacker can use the private key(s) to impersonate the certificate holder. In cases where the DBMS-stored private keys are used to authenticate the DBMS to the system’s clients, loss of the corresponding private keys would allow an attacker to successfully perform undetected man in the middle attacks against the DBMS system and its clients.\n\nBoth the holder of a digital certificate and the issuing authority must take careful measures to protect the corresponding private key. Private keys should always be generated and protected in FIPS 140-2 or 140-3 validated cryptographic modules.\n\nAll access to the private key(s) of the DBMS must be restricted to authorized and authenticated users. If unauthorized users have access to one or more of the DBMS's private keys, an attacker could gain access to the key(s) and use them to impersonate the database on the network or otherwise perform unauthorized actions.","checkContent":"Verify User ownership, Group ownership, and permissions on the \"server.key\" file:\n\nRight-click and select \"Properties\" on <postgresql data directory>\\server.key\n\nIf any users other than the database administrator user (enterprisedb by default) or other users documented in the program security guide have any permissions on this file, this is a finding.","fixText":"Right-click and select \"Properties\" on <postgresql data directory>\\server.key\n\nGive the database administrator (default \"enterprisedb\") full control of the file.","ccis":["CCI-000186"]},{"vulnId":"V-224171","ruleId":"SV-224171r961047_rule","severity":"high","ruleTitle":"Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.","description":"The DoD standard for authentication is DoD-approved PKI certificates.\n\nNormally, with PKI authentication, the interaction with the user for authentication will be handled by a software component separate from the DBMS, such as ActivIdentity ActivClient. However, in cases where the DBMS controls the interaction, this requirement applies.\n\nTo prevent the compromise of authentication information such as passwords and PINs during the authentication process, the feedback from the system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. \n\nObfuscation of user-provided authentication secrets when typed into the system is a method used in addressing this risk. \n\nDisplaying asterisks when a user types in a password or a smart card PIN is an example of obscuring feedback of authentication secrets.\n\nThis calls for review of applications, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At minimum, the DBA must attempt to obtain assurances from the development organization the issue has been addressed, and must document what has been discovered.","checkContent":"Determine whether any applications that access the database allow for entry of the account name and password or PIN.\n\nIf any do, determine whether these applications obfuscate authentication data. If they do not, this is a finding.","fixText":"Configure or modify applications to prohibit display of passwords in clear text.","ccis":["CCI-000206"]},{"vulnId":"V-224172","ruleId":"SV-224172r961047_rule","severity":"high","ruleTitle":"When using command-line tools such as psql, users must use a logon method that does not expose the password.","description":"To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the feedback from the information system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism.\n\nObfuscation of user-provided information when typed into the system is a method used in addressing this risk.\n\nFor example, displaying asterisks when a user types in a password or PIN, is an example of obscuring feedback of authentication information.\n\nThis requirement is applicable when md5-based password authentication is enabled. When this is the case, password-authenticated accounts can be created in and authenticated by EDB Postgres Advanced Server. Other STIG requirements prohibit the use of password authentication except when justified and approved. This deals with the exceptions.\n\nThe psql command line tool is part of any PostgreSQL installation. Other command-line tools may also exist. These tools can accept a plain-text password, but do offer alternative techniques. Since the typical user of these tools is a database administrator, the consequences of password compromise are particularly serious. Therefore, the use of plain-text passwords must be prohibited, as a matter of practice and procedure.","checkContent":"For psql, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations and that AO approval has been obtained. If not, this is a finding.\n\nRequest evidence that all users of the tool are trained in the importance of using the \"-W\" option (and not using the plain-text password option), how to keep the password hidden, and that they adhere to this practice. If not, this is a finding.","fixText":"For psql, which can accept a plain-text password, and any other essential tool with the same limitation:\n\n1) Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval.\n2) Train all users of the tool in the importance of not using the plain-text password option and in how to keep the password hidden by using the \"-W\" option.","ccis":["CCI-000206"]},{"vulnId":"V-224173","ruleId":"SV-224173r961863_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server password file must not be used.","description":"The EDB Postgres password file can contain passwords to be used if the connection allows a password (and no password has been specified otherwise). \n\nThis file contain lines of the following format:\nhostname:port:database:username:password\n\nIt is critically important to system security that use of a password file be avoided as it stores passwords in plain text. Any user with access to these could potentially compromise the security of the database.","checkContent":"Check DBMS settings to determine whether a password file is being used.\n\nOn Windows the default file name and location is:\n%APPDATA%\\postgresql\\pgpass.conf (where %APPDATA% refers to the Application Data subdirectory in the user's profile). \nAlternatively, a password file can be specified using the connection parameter passfile or the environment variable PGPASSFILE.\n\nIf a password file exists, this is a finding.\nIf a password file is not in use, this is not a finding.","fixText":"Remove any password files present on the server and implement a  more secure form of authentication.\n\nThe DoD standard for authentication is DoD-approved PKI certificates.","ccis":["CCI-000366"]},{"vulnId":"V-224174","ruleId":"SV-224174r961050_rule","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations including generation of cryptographic hashes and data protection.","description":"Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated cryptographic modules may not implement algorithms correctly. Unapproved cryptographic modules or algorithms should not be relied on for authentication, confidentiality, or integrity. Weak cryptography could allow an attacker to gain access to and modify data stored in the database as well as the administration settings of the DBMS.\n\nApplications, including DBMSs, utilizing cryptography are required to use approved NIST FIPS 140-2 or 140-3 validated cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. \n\nNSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules.\n\nThe standard for validating cryptographic modules will transition to the NIST FIPS 140-3 publication.\n\nFIPS 140-2 modules can remain active for up to 5 years after validation or until September 21, 2026, when the FIPS 140-2 validations will be moved to the historical list.  Even on the historical list, CMVP supports the purchase and use of these modules for existing systems. While Federal Agencies decide when they move to FIPS 140-3 only modules, purchasers are reminded that for several years there may be a limited selection of FIPS 140-3 modules from which to choose. CMVP recommends purchasers consider all modules that appear on the Validated Modules Search Page:\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules\n\nMore information on the FIPS 140-3 transition can be found here: \nhttps://csrc.nist.gov/Projects/fips-140-3-transition-effort/\n\nWhen the EDB FIPS 140 certified cryptographic modules are configured properly, an EDB Postgres Advanced Server will fail to start if non-FIPS 140 ciphers are specified for the Postgres ssl_ciphers parameter. To test whether the FIPS 140 compliant configuration is working, temporarily set the \"ssl_ciphers\" parameter in the postgresql.conf file to 'RC4-SHA' and then attempt to restart the database service. Since \"RC4-SHA\" is not a FIPS 140 approved cipher, the database will fail to start. Using the Event Viewer in Windows, a \"FATAL: could not set the cipher list (no valid ciphers available)\" error will be found under \"Event Viewer (Local) >> Windows Logs >> Application\".\n\nSatisfies: SRG-APP-000179-DB-000114,SRG-APP-000514-DB-000382,SRG-APP-000514-DB-000383","checkContent":"If any uncommented lines in <postgresql data dir>\\pg_hba.conf do not start with \"hostssl\", this is a finding.\n\nThe \"ssleay32_dll\" and \"libeay32.dll\" files in <EDB Postgres Advanced Server Home>\\bin should be FIPS 140-2 or 140-3 compliant DLLs from EnterpriseDB. These are included in EDB Postgres Advanced Server v11 update 6 (i.e., 11.6) and greater.\nIf the installed EDB v11 is not update 11.6 or greater, this is a finding.\n\nIf C:\\usr\\local\\ssl\\openssl.cnf does not exist with these contents, or if an System Environment variable called OPENSSL_CONF pointing to a file with these contents has not been created, this is a finding:\n\nHOME = .\nRANDFILE = $ENV::HOME/.rnd\nopenssl_conf=openssl_conf_section\n[openssl_conf_section]\nalg_section=evp_settings\n[evp_settings]\nfips_mode=yes","fixText":"Edit <postgresql data dir>\\pg_hba.conf so that each uncommented line starts with \"hostssl\"\n\nIf the EDB Postgres Advanced Server minor version is less than version 11.6, install the 11.6 update or later version or contact EnterpriseDB to obtain a copy of the FIPS 140 compliant versions of the \"ssleay32.dll\" and \"libeay32.dll\" files and replace the \"ssleay32.dll\" and \"libeay32.dll\" files in <EDB Postgres Advanced Server Home>\\bin with FIPS 140 compliant DLLs from EnterpriseDB. If the EDB Postgres Advanced Server minor version is 11.6 or greater, the FIPS 140 compliant versions of these DLLs are installed by default and do not need to be replaced.\n\nCreate C:\\usr\\local\\ssl\\openssl.cnf or another file referenced by a System Environment variable called OPENSSL_CONF with these contents:\n\nHOME = .\nRANDFILE = $ENV::HOME/.rnd\nopenssl_conf=openssl_conf_section\n[openssl_conf_section]\nalg_section=evp_settings\n[evp_settings]\nfips_mode=yes\n\nRestart the Postgres server via the Services administration GUI.","ccis":["CCI-000803","CCI-002450"]},{"vulnId":"V-224175","ruleId":"SV-224175r961053_rule","severity":"medium","ruleTitle":"The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).","description":"Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). \n\nNon-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server.\n\nAccordingly, a risk assessment is used in determining the authentication needs of the organization. \n\nScalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.\n\nWith Postgres, all database users are uniquely identified. To discriminate non-organizational users from organizational users, applications often create and utilize one or more tables to record additional information about the users, including their organizational affiliations. Another approach that may be used is to create and assign database roles corresponding to the different organizations. The EDB Postgres Advanced Server session audit log tagging feature can also be used to log additional information about the user associated with a database session such as organizational affiliation. The session audit tagging feature uses the edb_audit_tag parameter. Typically, this parameter would be set on a session by session basis via the application that connects to the EDB Postgres Advanced Server database.","checkContent":"Review documentation, EDB Postgres Advanced Server settings, and authentication system settings to determine if non-organizational users are individually identified and authenticated when logging onto the system.\n\nEDB Postgres Advanced Server uniquely identifies and authenticates Postgres users through the use of DBMS roles.\n\nTo list the user and group roles in an EDB Postgres Advanced Server instance, execute the following command in psql as the enterprisedb user:\n\n \\du\n\nIf accounts are determined to be shared, determine if individuals are first individually authenticated. Where an application connects to EDB Postgres Advanced Server using a standard, shared account, ensure it also captures the individual user identification, and passes it to EDB Postgres Advanced Server.\n\nIf the EDB session audit log tagging feature is being used to capture individual user identification and organizational affiliation, review the EDB audit log to verify that the information documented as being required is logged to the \"audit_tag\" field. If the required information is not logged, this is a finding.\n\nIf the documentation indicates that this is a public-facing, read-only (from the point of view of public users) database that does not require individual authentication, this is not a finding.\n\nIf non-organizational users are not uniquely identified and authenticated, this is a finding.","fixText":"Ensure all logins are uniquely identifiable and authenticate all non-organizational users who log onto the system. This likely would be done via a combination of application, operating system, and EDB Postgres Advanced Server configuration settings. Verify server documentation to ensure accounts are documented and unique.","ccis":["CCI-000804"]},{"vulnId":"V-224176","ruleId":"SV-224176r961095_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must separate user functionality (including user interface services) from database management functionality.","description":"Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers and typically requires privileged user access. \n\nThe separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods, as appropriate. \n\nAn example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. \n\nThis may include isolating the administrative interface on a different domain and with additional access controls.\n\nIf administrative functionality or information regarding DBMS management is presented on an interface available for users, information on DBMS settings may inadvertently be made available to the user.","checkContent":"Check EDB Postgres Advanced Server permission settings to verify that administrative functionality is kept separate from user functionality.\n\nAs a database superuser user (e.g., enterprisedb), list the user and group roles and their permissions in an EDB Postgres Advanced Server instance; execute the following command in psql:\n\n   \\du\n\nIf any non-administrative role has the attribute \"Superuser\", \"Create role\", \"Create DB\" or \"Bypass RLS\", this is a finding.\n\nIf administrator and general user functionality is not separated either physically or logically, this is a finding.","fixText":"Configure EDB Postgres Advanced Server to separate database administration and general user functionality.\n\nUse the ALTER ROLE SQL command to remove \"SUPERUSER\", \"CREATE Role\", \"Create DB\", or \"Bypass RLS\" privileges from user and group roles that are not authorized for those roles.\n\nFor example:\n\n  ALTER ROLE <username> NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;","ccis":["CCI-001082"]},{"vulnId":"V-224177","ruleId":"SV-224177r961125_rule","severity":"medium","ruleTitle":"In the event of a system failure, the DBMS must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.","description":"Failure to a known state can address safety or security in accordance with the mission/business needs of the organization.\n\nFailure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. \n\nPreserving information system state information helps to facilitate system restart and return to the operational mode of the organization with less disruption of mission/business processes. \n\nSince it is usually not possible to test this capability in a production environment, systems should either be validated in a testing environment or prior to installation. This requirement is usually a function of the design of the IDPS component. Compliance can be verified by acceptance/validation processes or vendor attestation.\n\nAt all times, Postgres maintains a write ahead log (WAL) in the pg_wal/ subdirectory of the cluster's data directory. The log records every change made to the database's data files. This log exists primarily for crash-safety purposes: if the system crashes, the database can be restored to consistency by “replaying” the log entries made since the last checkpoint. Under the covers, Postgres uses fsync system calls to help ensure that modified database information held in memory is written to disk. To support certain specialized use cases where crash recovery is not as important as system performance, Postgres provides an fsync parameter that can be set to \"off\" to disable the use of fsync. By default, this parameter is set to \"on\" and except for the rare use cases should not be set to \"off\".\n\nTo support being able to determine what may have caused a database failure, Postgres inherently logs failures.","checkContent":"To check whether fsync() has been enabled for the EDB Postgres Advanced Server cluster, connect to the database as a database superuser using psql and execute the following psql command:\n\n SHOW fsync\n\nIf the parameter is set to \"off\" and this setting has not been documented as approved with justification, this is a finding.","fixText":"To set the fsync parameter to \"on\", connect to the database as a database superuser using psql and execute the following SQL commands:\n\n ALTER SYSTEM SET fsync = on;\n\n SELECT pg_reload_conf();","ccis":["CCI-001665"]},{"vulnId":"V-224178","ruleId":"SV-224178r961128_rule","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must protect the confidentiality and integrity of all information at rest.","description":"This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Applications and application users generate information throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, must be protected. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data will be open to compromise and unauthorized modification.","checkContent":"If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding.\n\nRight-click on <postgresql data directory>, select properties, then select the General tab and the Advanced button.\n\nIf the \"Encrypt contents to secure data\" check box is not checked, this is a finding.","fixText":"Complete these steps as the Windows user that serves as the user who is configure to run the EDB Postgres database service. If done as a different user, the Windows database service user will be unable to view this folder and therefore unable to start the database. By default, the service is configured to be run by the NetworkService account, which is a special Windows account that may not have the ability to encrypt the data directory. As a result, it may be necessary to change the service to run under a different account that can access the directory and encrypt it.\n\nUse the following steps, to update the service, encrypt the data directory, and restart the service:\n1. Change the edb-as-11 service to run as a local user account that is the same domain user that will be used to encrypt the data directory (ex. \"administrator\").\nOpen Computer Management >> Services.\nHighlight the \"edb-as-11 service\".\nStop the service.\nSelect the service properties.\nSelect the \"Log On\" tab, and update the \"Log on as\" setting to an account such as \"Administrator\".\n\n2. Encrypt the data directory by following these instructions (logged in as the user who runs the service):\nRight-click on <postgresql data directory>, select properties, select the Advanced button in the General tab, and then select the \"Encrypt contents to secure data\" checkbox in the \"Advanced Attributes\" window. Select the option to apply to subfolders and files when prompted. \n\n3. Restart the EDB service after encrypting the drive.","ccis":["CCI-001199"]},{"vulnId":"V-224179","ruleId":"SV-224179r961131_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must isolate security functions from non-security functions.","description":"An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions.\n\nSecurity functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.\n\nDevelopers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles.\n\nDatabase Management Systems typically separate security functionality from non-security functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. When security and non-security functionality are commingled, users who have access to non-security functionality may be able to access security functionality.","checkContent":"All PPAS built-in security packages are in the sys, pg_catalog, information_schema, and dbo schemas.\n\nIf any application-specific packages have been added to these schemas, this is a finding.","fixText":"Remove all application-specific packages that were added to the sys, pg_catalog, information_schema, and dbo schemas.","ccis":["CCI-001084"]},{"vulnId":"V-224180","ruleId":"SV-224180r961149_rule","severity":"medium","ruleTitle":"Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.","description":"Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location without the proper controls.","checkContent":"Review the procedures for the refreshing of development/test data from production.\n\nReview any scripts or code that exist for the movement of production data to development/test systems or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations.\n\nIf the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.","fixText":"Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy and to ensure copies of production data are not left in unsecured locations.","ccis":["CCI-001090"]},{"vulnId":"V-224181","ruleId":"SV-224181r961149_rule","severity":"medium","ruleTitle":"Access to database files must be limited to relevant processes and to authorized, administrative users.","description":"Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. Permitting only DBMS processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.","checkContent":"Verify User ownership, Group ownership, and permissions on the <postgressql data directory> directory. Note that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW data_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\n1) Check Ownership of Postgresql Data Directory:\nFirst, determine ownership of the postgresql data directory folder. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the postgresql data directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Details\" tab. \n Note the Value of the Owner field.\n\nUsing the Windows command prompt, enter the following command:\n\n dir \"<postgresql data directory>\" /Q /S\n\n Note: The above command will list all of the files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. If the owner listed for the folder and any of the files and subfolders in the data directory is not the database service account and the configuration has not been documented and approved, this is a finding.\n\n2) Check Permissions on Postgresql Data Directory\nCheck the permissions assigned to the postgresql data directory folder and its content. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the postgresql data directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Review the users and groups and permissions assigned to them for the folder.\n\nUsing a Windows command prompt, the following command may be used to list file permissions:\n\n icacls \"<postgresql data directory>\"\n icacls \"<postgresql data directory>\\*\" \n Review the users and groups and permissions assigned to them for the file(s).\n\n Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation.\nVerify that at most the following permissions are applied:\n NT AUTHORITY/NetworkService (or configured database service account) (Full Control)\n Administrators (Full Control)\n Users (none)\n\nIf other permissions have been granted to other users or groups and the permission setting has not been documented with sufficient documentation and approved, this is a finding.","fixText":"If the postgresql data directory and its contents are not owned by the database service account or other user as documented and approved in the system documentation, change ownership to an authorized user.\n\nModify permissions on the data directory and its contents to meet the requirement to protect against unauthorized access.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Modify the security permissions to:\n NT AUTHORITY/NetworkService (or configured database service account) (Full Control)\n Administrators (Full Control)\n Users (none)\n\nAlternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt.\n\nIf other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.","ccis":["CCI-001090"]},{"vulnId":"V-224182","ruleId":"SV-224182r961158_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must check the validity of all data inputs except those specifically identified by the organization.","description":"Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.\n\nWith respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nEven when no such hijacking takes place, invalid input that is recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"Review DBMS code (trigger procedures, functions), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.\n\nIf code exists that allows invalid data to be acted upon or input into the database, this is a finding.\n\nIf column/field definitions do not exist in the database, this is a finding.\n\nIf columns/fields do not contain constraints and validity checking where required, this is a finding.\n\nWhere a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding.\n\nWhere a column/field is clearly identified by name, caption, or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.\n\nCheck application code that interacts with the EDB Postgres Advanced Server database for the use of prepared statements. If prepared statements are not used, this is a finding.\n\nIf EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, verify that it has been configured according to documented organizational needs.\n\n1) Execute the following SQL as enterprisedb:\n\n SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\\_sql\\_protect.%' ESCAPE '\\';\n\nIf the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding.\n\n2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:\n\n \\dn\n\nIf the \"sqlprotect\" schema is not listed, this is a finding.\n\n3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:\n\n SELECT * FROM sqlprotect.list_protected_users;\n\nIf the database and user that handles user input is not listed, or the remaining settings are not set to approved values, this is a finding.","fixText":"Modify database code to properly validate data before it is put into the database or acted upon by the database.\n\nModify the database to contain column/field definitions for each column/field in the database.\n\nModify the database to contain constraints and validity checking on database columns and tables that require them for data integrity.\n\nUse prepared statements for user supplied inputs.\n\nDo not allow general users direct console access to the EDB Postgres Advanced Server database.\n\nIf EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, install and configure SQL/Protect as documented here:\n\n https://www.enterprisedb.com/docs/en/11.0/EPAS_Guide_v11/EDB_Postgres_Advanced_Server_Guide.1.048.html#","ccis":["CCI-001310"]},{"vulnId":"V-224183","ruleId":"SV-224183r961158_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server and associated applications must reserve the use of dynamic code execution for situations that require it.","description":"With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where SQL queries are being assembled by application code (which may be within the database or separate from it) and executed dynamically, the attacker is then able to craft input strings that subvert the intent of the query. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nThe principal protection against code injection is not to use dynamic execution except where it provides necessary functionality that cannot be utilized otherwise. Use strongly typed data items rather than general-purpose strings as input parameters to task-specific, pre-compiled stored procedures and functions (and triggers).\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"Review DBMS source code (stored procedures, functions, triggers) and application source code, to identify cases of dynamic code execution. Any user input should be handled through prepared statements.\n\nIf dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, this is a finding.\n\nIf EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, verify that it has been configured according to documented organizational needs.\n\n1) Execute the following SQL as enterprisedb:\n\n SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\\_sql\\_protect.%' ESCAPE '\\';\n\nIf the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding.\n\n2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:\n\n \\dn\n\nIf the \"sqlprotect\" schema is not listed, this is a finding.\n\n3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:\n\n SELECT * FROM sqlprotect.list_protected_users;\n\nIf the database and user that handles user input is not listed or the remaining settings are not set to approved values, this is a finding.","fixText":"Where dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, modify the code to do so.\n\nIf EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, install and configure SQL/Protect as documented here:\n\n https://www.enterprisedb.com/docs/en/11.0/EPAS_Guide_v11/EDB_Postgres_Advanced_Server_Guide.1.048.html#","ccis":["CCI-001310"]},{"vulnId":"V-224184","ruleId":"SV-224184r961158_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.","description":"With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where SQL queries are being assembled by application code (which may be within the database or separate from it) and executed dynamically, the attacker is then able to craft input strings that subvert the intent of the query. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nThe principal protection against code injection is not to use dynamic execution except where it provides necessary functionality that cannot be utilized otherwise. Use strongly typed data items rather than general-purpose strings as input parameters to task-specific, pre-compiled stored procedures and functions (and triggers).\n\nWhen dynamic execution is necessary, ways to mitigate the risk include the following, which should be implemented both in the on-screen application and at the database level, in the stored procedures:\n-- Allow strings as input only when necessary.\n-- Rely on data typing to validate numbers, dates, etc. Do not accept invalid values. If substituting other values for them, think carefully about whether this could be subverted.\n-- Limit the size of input strings to what is truly necessary.\n-- If single quotes/apostrophes, double quotes, semicolons, equals signs, angle brackets, or square brackets will never be valid as input, reject them.\n-- If comment markers will never be valid as input, reject them. In SQL, these are -- or /* */\n-- If HTML and XML tags, entities, comments, etc., will never be valid, reject them.\n-- If wildcards are present, reject them unless truly necessary. In SQL these are the underscore and the percentage sign, and the word ESCAPE is also a clue that wildcards are in use.\n-- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, ESCAPE, UNION, GRANT, and REVOKE will never be valid, reject them. Use case-insensitive comparisons when searching for these. Bear in mind that some of these words, particularly “Grant” (as a person's name), could also be valid input.\n-- If there are range limits on the values that may be entered, enforce those limits.\n-- Institute procedures for inspection of programs for correct use of dynamic coding, by a party other than the developer.\n-- Conduct rigorous testing of program modules that use dynamic coding, searching for ways to subvert the intended use.\n-- Record the inspection and testing in the system documentation.\n-- Bear in mind that all this applies not only to screen input, but also to the values in an incoming message to a web service or to a stored procedure called by a software component that has not itself been hardened in these ways. Not only can the caller be subject to such vulnerabilities; it may itself be the attacker.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"Review DBMS source code (stored procedures, functions, triggers) and application source code to identify cases of dynamic code execution.\n\nIf dynamic code execution is employed without protective measures against code injection, this is a finding.\n\nIf EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, verify that it has been configured according to documented organizational needs.\n\n1) Execute the following SQL as enterprisedb:\n\n SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\\_sql\\_protect.%' ESCAPE '\\';\n\nIf the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding.\n\n2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:\n\n \\dn\n\nIf the \"sqlprotect\" schema is not listed, this is a finding.\n\n3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:\n\n SELECT * FROM sqlprotect.list_protected_users;\n\nIf the database and user that handles user input is not listed or the remaining settings are not set to approved values, this is a finding.","fixText":"Where dynamic code execution is used, modify the code to implement protections against code injection (i.e., prepared statements).\n\nIf EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, install and configure SQL/Protect as documented here:\n\n https://www.enterprisedb.com/docs/en/11.0/EPAS_Guide_v11/EDB_Postgres_Advanced_Server_Guide.1.048.html#","ccis":["CCI-001310"]},{"vulnId":"V-224185","ruleId":"SV-224185r961167_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.","description":"Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages must be carefully considered by the organization and development team.\n\nDatabases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system.\n\nCarefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"Check custom database code to verify that error messages do not contain information beyond what is needed for troubleshooting the issue.\n\nIf custom database errors contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.","fixText":"Configure custom database code and associated application code not to divulge sensitive information or information useful for system identification in error messages.","ccis":["CCI-001312"]},{"vulnId":"V-224186","ruleId":"SV-224186r961170_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.","description":"If EDB Postgres Advanced Server provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSome default EDB Postgres Advanced Server error messages can contain information that could aid an attacker in, among others things, identifying the database type, host address, or state of the database. Custom errors may contain sensitive customer information.\n\nIt is important that detailed error messages be visible only to those who are authorized to view them; that general users receive only generalized acknowledgment that errors have occurred; and that these generalized messages appear only when relevant to the user's task. For example, a message along the lines of, \"An error has occurred. Unable to save your changes. If this problem persists, please contact your help desk\" would be relevant. A message such as \"Warning: your transaction generated a large number of page splits\" would likely not be relevant.\n\nAdministrative users authorized to review detailed error messages typically are the ISSO, ISSM, SA, and DBA. Other individuals or roles may be specified according to organization-specific needs, with appropriate approval.\n\nIn addition to ensuring that access to EDB Postgres Advanced Server database and audit logs is restricted to authorized users and that EDB Postgres Advanced Server is configured to emit minimal information to clients related to Postgres generated errors, custom database code and external application code should also be designed to not emit detailed error messages to a client. This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"# Verify client_min_messages setting\nCheck the level of detail for errors exposed to clients, connect to the database as a database superuser using psql and execute the following psql command:\n\n SHOW client_min_messages\n\nIf client_min_messages is set to LOG or DEBUG, this is a finding.\n\n# Verify access to database logs and audit log restricted to authorized users\nVerify that only authorized users are able to access EDB Postgres Advanced Server database and audit logs that may contain detailed error messages. By default, these logs are written to directories under the EDB Postgres Advanced Server data directory. The full path of the data directory can be determined by connecting to the database as a database superuser using psql and execute the following psql command:\n\n SHOW data_directory\n\nTo check the access permissions assigned to the database logs, first determine where the logs are being written by connecting to the database as a database superuser using psql and execute the following psql command:\n\n SHOW log_destination\n\n# Verify access to database logs (stderr or csvlog)\nIf the log_destination parameter is set to \"stderr\" or \"csvlog\", next determine the directory on the files system where the logs are being written by connecting to the database as a database superuser using psql and execute the following psql command:\n\n SHOW log_directory\n\nIf the log_directory parameter is set to a relative path, database logs have been configured to be written to the named directory under the EDB Postgres Advanced Server data directory. \n\nIf the log_directory parameter is set to an absolute path, database logs have been configured to be written to that location.\n\nNext, determine ownership of the log directory folder. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the log directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Security\" tab, and select the \"Advanced\" button. \n Note the Value of the Owner field.\n\nUsing the Windows command prompt, enter the following command, replacing <EDB log directory> with the correct path for the log directory:\n\n dir \"<EDB log directory>\" /Q /S\n\n Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB log directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. \n\nNext, check the permissions assigned to the EDB log directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB log directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Review the users and groups and permissions assigned to them for the folder.\n\nUsing a Windows command prompt, the following command may be used to list file permissions:\n\n icacls \"<EDB log directory>\"\n icacls \"<EDB log directory>\\*\" \n Review the users and groups and permissions assigned to them for the file(s).\n\n Note: The above commands will list the permissions for all files and folders under the log directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. \nIf read or greater permissions are granted to Everyone or to the Users group, this is a finding.\nIf any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding.\nIf any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding.\nIf any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.\n\n# Verify access to database logs (eventlog)\nIf the log_destination parameter is set to \"eventlog\", logs are written to the Windows Application event log. Review system security documentation and the Windows event log local and group policy settings. If the configured Windows Event Log policies give access to the Windows Application event log to any system users who are not documented as approved to view EDB Postgres Advanced Server logs, this is a finding.\n\n# Verify access to audit logs\nFirst determine the directory on the files system where the EDB Audit logs are being written by connecting to the database as a database superuser using psql and execute the following psql command:\n\n SHOW edb_audit_directory\n\nIf the edb_audit_directory parameter is set to a relative path, database logs have been configured to be written to the named directory under the EDB Postgres Advanced Server data directory. \n\nIf the log_directory parameter is set to an absolute path, database logs have been configured to be written to that location.\n\nNext, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Security\" tab, and select the \"Advanced\" button. \n Note the Value of the Owner field.\n\nUsing the Windows command prompt, enter the following command, replacing <EDB Audit directory> with the correct path for the EDB audit directory:\n\n dir \"<EDB Audit directory>\" /Q /S\n\n Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. \n\nNext, check the permissions assigned to the EDB audit directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt.\n\nUsing Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Review the users and groups and permissions assigned to them for the folder.\n\nUsing a Windows command prompt, the following command may be used to list file permissions:\n\n icacls \"<EDB Audit directory>\"\n icacls \"<EDB Audit directory>\\*\" \n Review the users and groups and permissions assigned to them for the file(s).\n\n Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file.\n\nReview the system security documentation. \nIf read or greater permissions are granted to Everyone or to the Users group, this is a finding.\nIf any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding.\nIf any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding.\nIf any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.\n\n# Verify custom database code and application does not display detailed error messages\nCheck custom database code and application code to determine if detailed error messages are ever displayed to unauthorized individuals.\n\nIf detailed error messages are displayed to individuals not authorized to view them, this is a finding.","fixText":"# Set client_min_messages\nTo set the level of detail for errors messages exposed to clients, connect to the database as a database superuser using psql and execute the following commands:\n\n ALTER SYSTEM SET client_min_messages = notice;\n SELECT pg_reload_conf();\n\n# Update EDB Postgres Advanced Server database log permissions.\nIf the EDB Postgres Advanced Server log_destination parameter is set to \"stderr\" or \"csvlog\":\n\n1) Change ownership of EDB Postgres Advanced Server database log directory and its contents to the database service account if they are not owned by the database service account.\n\nIf the EDB Postgres Advanced Server database log directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the log directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Securities\" tab, and select the \"Advanced\" button.\n Select the \"Change\" link shown next to the owner of the folder to change the folder's owner.\n\nAlternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt.\n\n2) Modify permissions on the EDB Postgres Advanced Server database log directory and its contents to meet the requirement to protect against unauthorized access.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the log directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Modify the security permissions to:\n NT AUTHORITY/NetworkService (or configured database service account) (Full Control)\n Administrators (Read)\n Users (none)\n\nAlternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt.\n\nIf the EDB Postgres Advanced Server log_destination parameter is set to \"eventlog\", update the Windows policy settings to only allow access to the Windows Application event log to authorized users.\n\nIf other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.\n\n# Update EDB Audit log permissions.\n1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account.\n\nIf the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", select the \"Securities\" tab, and select the \"Advanced\" button.\n Select the \"Change\" link shown next to the owner of the folder to change the folder's owner.\n\nAlternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt.\n\n2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access.\n\nThis may be done using Windows Explorer:\n Browse to the directory where the EDB audit directory folder is located.\n Select and right-click on the folder, select \"Properties\", and select the \"Security\" tab.\n Modify the security permissions to:\n NT AUTHORITY/NetworkService (or configured database service account) (Full Control)\n Administrators (Read)\n Users (none)\n\nAlternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt.\n\nIf other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.\n\n# Update custom database code and application code\nConfigure custom database code and associated application code not to display detailed error messages to those not authorized to view them.","ccis":["CCI-001314"]},{"vulnId":"V-224187","ruleId":"SV-224187r961221_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.","description":"This addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.\n\nSession termination ends all processes associated with a user's logical session except those batch processes/jobs that are specifically created by the user (i.e., session owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner, data owner, or organization requires additional assurance.","checkContent":"Review system documentation to obtain the organization's definition of circumstances requiring automatic session termination. If the documentation explicitly states that such termination is not required or is prohibited, this is not a finding.\n\nIf the documentation requires automatic session termination but the DBMS is not configured via triggers, scripts, or other organization-defined manners to terminate sessions when required, this is a finding.","fixText":"Execute this SQL command in the places where the documentation requires automatic session termination:\n\n SELECT pg_terminate_backend(pid)\n FROM pg_stat_activity\n WHERE usename = '<username>'","ccis":["CCI-002361"]},{"vulnId":"V-224188","ruleId":"SV-224188r961269_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must associate organization-defined types of security labels having organization-defined security label values with information in storage.","description":"Without the association of security labels to information, there is no basis for EDB Postgres Advanced Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of EDB Postgres Advanced Server, a third-party product, or custom application code.\n\nIn addition to being able to grant privileges on tables using standard SQL features, EDB Postgres Advanced Server provides a Row Level Security (RLS) feature. This feature provides the ability to define and enable row-level security policies that restrict insert, update, delete, and select access on the rows of a table on a per user basis. For deployments within the DoD, RLS policies are configured to use the assigned security labels.","checkContent":"If security labeling is not required, this is not a finding.\n\nIf security labeling requirements have been specified, execute the following SQL as enterprisedb:\n\n SELECT * from ALL_POLICIES where OBJECT_NAME = '<table name>';\n\nIf a policy is not enabled for the table requiring security labeling, this is a finding.\n\nIf security labeling is required and not implemented according to the system documentation, this is a finding.\n\nIf security labeling requirements have been specified, but neither a third-party solution nor an EDB Postgres Advanced Server Row-Level security solution is implemented that reliably maintains labels on information in storage, this is a finding.","fixText":"Deploy EDB Postgres Advanced Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements, and application code, to provide reliable security labeling of information in storage.\n\nhttps://www.enterprisedb.com/docs/en/11.0/EPAS_BIP_Guide_v11/Database_Compatibility_for_Oracle_Developers_Built-in_Package_Guide.1.31.html#pID0E0UUD0HA","ccis":["CCI-002262"]},{"vulnId":"V-224189","ruleId":"SV-224189r961272_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must associate organization-defined types of security labels having organization-defined security label values with information in process.","description":"Without the association of security labels to information, there is no basis for EDB Postgres Advanced Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of EDB Postgres Advanced Server, a third-party product, or custom application code.\n\nIn addition to being able to grant privileges on tables using standard SQL features, EDB Postgres Advanced Server provides a Row Level Security (RLS) feature. This feature provides the ability to define and enable row level security policies that restrict insert, update, delete, and select access on the rows of a table on a per user basis. For deployments within the DoD, RLS policies are configured to use the assigned security labels.","checkContent":"If security labeling is not required, this is not applicable (NA).\n\nIf security labeling requirements have been specified, execute the following SQL as enterprisedb:\n\n SELECT * from ALL_POLICIES where OBJECT_NAME = '<table name>';\n\nIf a policy is not enabled for the table requiring security labeling, this is a finding.\n\nIf security labeling is required and not implemented according to the system documentation, this is a finding.\n\nIf security labeling requirements have been specified, but neither a third-party solution nor an EDB Postgres Advanced Server Row-Level security solution is implemented that reliably maintains labels on information in process, this is a finding.","fixText":"Deploy EDB Postgres Advanced Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in process.\n\nhttps://www.enterprisedb.com/docs/en/11.0/EPAS_BIP_Guide_v11/Database_Compatibility_for_Oracle_Developers_Built-in_Package_Guide.1.31.html#pID0E0UUD0HA","ccis":["CCI-002263"]},{"vulnId":"V-224190","ruleId":"SV-224190r961275_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission.","description":"Without the association of security labels to information, there is no basis for EDB Postgres Advanced Server to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy.\n\nOne example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of EDB Postgres Advanced Server, a third-party product, or custom application code.\n\nIn addition to being able to grant privileges on tables using standard SQL features, EDB Postgres Advanced Server provides a Row Level Security (RLS) feature. This feature provides the ability to define and enable row level security policies that restrict insert, update, delete, and select access on the rows of a table on a per user basis. For deployments within the DoD, RLS policies are configured to use the assigned security labels.","checkContent":"If security labeling is not required, this is not applicable (NA).\n\nIf security labeling requirements have been specified, execute the following SQL as enterprisedb:\n\n SELECT * from ALL_POLICIES where OBJECT_NAME = '<table name>';\n\nIf a policy is not enabled for the table requiring security labeling, this is a finding.\n\nIf security labeling is required and not implemented according to the system documentation, this is a finding.\n\nIf security labeling requirements have been specified, but neither a third-party solution nor an EDB Postgres Advanced Server Row-Level security solution is implemented that reliably maintains labels on information in transmission, this is a finding.","fixText":"Deploy EDB Postgres Advanced Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in transmission.\n\nhttps://www.enterprisedb.com/docs/en/11.0/EPAS_BIP_Guide_v11/Database_Compatibility_for_Oracle_Developers_Built-in_Package_Guide.1.31.html#pID0E0UUD0HA","ccis":["CCI-002264"]},{"vulnId":"V-224191","ruleId":"SV-224191r961317_rule","severity":"medium","ruleTitle":"EDB Postgres Advanced Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.","description":"Discretionary Access Control (DAC) is based on the notion that individual users are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled table permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. \n\nA subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. \n\nThe policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.","checkContent":"Review system documentation to identify the required discretionary access control (DAC).\n\nReview the security configuration of the database and EDB Postgres Advanced Server. If applicable, review the security configuration of the application(s) using the database.\n\nIf the discretionary access control defined in the documentation is not implemented in the security configuration, this is a finding.\n\nCheck the EDB Postgres instance for the ownership and privileges assigned to database objects.\n\n# Check for object ownership and privileges\n# Check for database owners and granted privileges\nTo list all the databases contained in an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the databases, connect to a database as a database superuser using psql and execute the following psql command:\n\n   \\l\n\nReview the results of the above command.\n\nIf any database is owned by a user or group role that is not documented as being approved to own the database, this is a finding.\n\nIf any user or group role has been granted privileges on a database that is not documented and approved, this is a finding.\n   \n# Check for schema owners and granted privileges\nTo list all the schemas contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the schemas, connect to the database as a database superuser using psql and execute the following psql command:\n\n   \\dn+ *\n   \nReview the results of the above command.\n\nIf any schema is owned by a user or group role that is not documented as being approved to own the schema, this is a finding.\n\nIf any user or group role has been granted privileges on a schema that is not documented and approved, this is a finding.\n\n# Check for table, sequence, and view owners\nTo list all the tables, sequences, and views contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners, connect to the database as a database superuser using psql and execute the following psql commands: \n   \\dt *.*\n   \\ds *.*\n   \\dv *.*\n   \nReview the results of the above commands.\n\nIf any table, sequence, or view is owned by a user or group role that is not documented as being approved to own the object, this is a finding.\n\n# Check for table, sequence, and view access privileges \nTo list all the privileges that have been granted on the tables, sequences, and views in a database, connect to the database as a database superuser using psql and execute the following psql command:     \n\n   \\dp *.*\n\nReview the results of the above command.\n\nIf any user or group role has been granted privileges on an object that is not documented and approved, this is a finding.\n\n# Check for function/procedure owners and access privileges\nTo list all the functions and procedures contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the schemas, connect to the database as a database superuser using psql and execute the following SQL statement:\n\n  SELECT r.rolname as owner\n       , n.nspname as namespace\n       , p.proname as name\n       , pg_get_function_identity_arguments(p.oid)\n       , p.prokind as kind\n       , p.proacl as access_privileges\n    FROM pg_proc p \n    JOIN pg_namespace n ON p.pronamespace = n.oid\n    JOIN pg_authid r ON p.proowner = r.oid\n  ORDER BY 1, 2, 3, 4;\n\nReview the results of the above query.\n\nIf any function or procedure is owned by a user or group role that is not documented as being approved to own the object, this is a finding.\n\nIf any user or group role has been granted privileges on a function or procedure that is not documented and approved, this is a finding.","fixText":"Implement the organization's DAC policy in the security configuration of the database and EDB Postgres Advanced Server, and, if applicable, the security configuration of the application(s) using the database.\n\nIf an unapproved user or group role is the owner of a database object, change the owner to an approved user or group role using one of the following ALTER SQL commands as appropriate:\n\n  The syntax is:\n     ALTER DATABASE <database name> OWNER TO <new_owner>\n     ALTER SCHEMA <schema name> OWNER TO <new_owner>\n     ALTER TABLE <table name> OWNER TO <new_owner>\n     ALTER SEQUENCE <sequence name> OWNER TO <new_owner>\n     ALTER VIEW <view name> OWNER TO <new_owner>\n     ALTER FUNCTION <function name> (<args>) OWNER TO <new_owner>\n     ALTER PROCEDURE <procedure name> (<args>) OWNER TO <new_owner>\n\n  Examples:\n     ALTER DATABASE test_db OWNER TO app_admin\n     ALTER SCHEMA test_schema OWNER TO app_admin\n     ALTER TABLE test_tbl OWNER TO app_admin\n     ALTER SEQUENCE test_seq OWNER TO app_admin\n     ALTER VIEW test_vw OWNER TO app_admin\n     ALTER FUNCTION test_func (p1 numeric, p2 text) OWNER TO app_admin\n     ALTER PROCEDURE test_proc (p1 numeric, p2 text) OWNER TO app_admin\n\nIf a user or group role has been granted an unapproved role or object privilege, execute the appropriate REVOKE command as documented here:\n\n  http://www.postgresql.org/docs/current/static/sql-revoke.html","ccis":["CCI-002165"]},{"vulnId":"V-224192","ruleId":"SV-224192r961353_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","description":"Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nSystem documentation should include a definition of the functionality considered privileged.\n\nDepending on circumstances, privileged functions can include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.\n\nA privileged function in the DBMS/database context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. In an SQL environment, it encompasses, but is not necessarily limited to:\nCREATE\nALTER\nDROP\nGRANT\nREVOKE\n\nThere may also be Data Manipulation Language (DML) statements that, subject to context, should be regarded as privileged. Possible examples include:\n\nTRUNCATE TABLE;\nDELETE, or\nDELETE affecting more than n rows, for some n, or\nDELETE without a WHERE clause;\n\nUPDATE or\nUPDATE affecting more than n rows, for some n, or\nUPDATE without a WHERE clause;\n\nany SELECT, INSERT, UPDATE, or DELETE to an application-defined security table executed by other than a security principal.\n\nDepending on the capabilities of the DBMS and the design of the database and associated applications, the prevention of unauthorized use of privileged functions may be achieved by means of DBMS security features, database triggers, other mechanisms, or a combination of these.\n\nIn Postgres, a user or group role that has been granted the SUPERUSER privilege can perform any action in the database. As such, the SUPERUSER privilege should only be granted to a limited set of approved users. The SUPERUSER privilege can be assigned to a role when the role is created. It can also be assigned or removed from a role via an ALTER ROLE statement.\n\nPostgres also provides the CREATEROLE, CREATEDB, REPLICATION, and BYPASSURLS privileges that can be granted to non-superuser roles to allow them to perform a limited set of privileged activities such as creating databases, creating user and group roles, managing replication slots, and bypassing row level security restrictions. Although not as all-encompassing as the SUPERUSER privilege, these privileges must only be granted to users who are approved to perform these activities. Like the SUPERUSER privilege, these privileges can be assigned to a role when the role is created. They can also be assigned or removed from a role via an ALTER ROLE statement. The PostgreSQL CREATE ROLE documentation provides more information about these privileges. See: https://www.postgresql.org/docs/current/sql-createrole.html\n\nIn addition to the SUPERUSER, CREATEDB, and CREATEROLE privileges, a user may be granted one or more default roles that provide access to certain privileged capabilities and activities. A listing and description of the default roles provided with Postgres is documented at the following link:\n\n https://www.postgresql.org/docs/current/default-roles.html\n\nRoles and privileges on database objects can be granted to or revoked from a user using the GRANT and REVOKE statements. Users that are granted a role with the ADMIN OPTION can in turn grant the role to other users and roles. The ADMIN OPTION should only be granted to user and group roles that are approved to grant the roles. A description of the available privileges that may be granted to the different types of Postgres database objects is documented at the following link:\n\n https://www.postgresql.org/docs/current/ddl-priv.html\n\nAlso in Postgres, for most object types, object owners can perform any action on the objects they own, including dropping or altering them and assigning or revoking privileges on them. As such, database objects should only be owned by users who are approved to own them.\n\nAnother security risk to consider, is that Postgres can be extended with additional procedural languages that can be used to create user defined functions (i.e., not provided by EDB Postgres Advanced Server out-of-the-box). Some of these languages, such as pl/Python and pl/R are defined as \"untrusted\" languages. Any users who are granted access to these untrusted languages are able to run user defined functions to escalate privileges and perform unintended functions. These languages allow a Postgres database to be extended with additional capabilities that may be of benefit to a system. However, usage of these languages should only be granted to approved users for documented and approved purposes.","checkContent":"Review the system documentation to obtain the definition of the EDB Postgres Advanced Server functionality considered privileged in the context of the system in question.\n\nReview the EDB Postgres Advanced Server security configuration and/or other means used to protect privileged functionality from unauthorized use.\n\nIf the configuration does not protect all of the actions defined as privileged, this is a finding.\n\nTo list the user and group roles in an EDB Postgres Advanced Server along with the privileges that have been assigned to each role and the roles that have been granted to each role, execute the following command in psql as a database superuser:\n\n \\du+\n\nIf any user or group role is assigned a privilege or is a member of a role that provides the ability to perform an action that is considered privileged and is not documented as being approved to have these privileges or roles, this is a finding.\n\n# Check for SUPERUSER privilege\nTo check for user and group roles that have been granted the SUPERUSER privilege, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:\n\n WITH RECURSIVE roles( granted_role_id, granted_role_name, role_id, role_name, can_login, how_superuser, root_role_name )\n AS (\n SELECT NULL::oid granted_role_id\n , NULL::name granted_role_name\n , r1.oid role_id\n , r1.rolname role_name\n , r1.rolcanlogin can_login\n , 'Assigned Superuser Privilege' how_superuser\n , r1.rolname root_role_name\n FROM pg_authid r1\n WHERE r1.rolsuper = 't'\n UNION\n SELECT m.roleid\n , r3.rolname\n , m.member\n , r2.rolname\n , r2.rolcanlogin\n , 'Granted Role with Superuser Privilege'\n , r1.root_role_name\n FROM pg_auth_members m\n JOIN pg_authid r2\n ON r2.oid = m.member\n JOIN pg_authid r3\n ON r3.oid = m.roleid\n JOIN roles r1\n ON m.roleid = r1.role_id\n )\n SELECT DISTINCT r.role_name, r.can_login, hs.how_superuser, gr.granted_roles, rr.root_superuser_roles\n FROM roles r\n JOIN ( SELECT role_name, string_agg(how_superuser, ', ') how_superuser \n FROM ( SELECT DISTINCT role_name, how_superuser FROM roles ORDER BY 2 )\n GROUP BY role_name\n ) hs\n ON r.role_name = hs.role_name\n JOIN ( SELECT role_name, string_agg(granted_role_name, ', ') granted_roles\n FROM ( SELECT DISTINCT role_name, granted_role_name FROM roles ORDER BY 2 ) \n GROUP BY role_name\n ) gr\n ON r.role_name = gr.role_name\n JOIN ( SELECT role_name, string_agg(root_role_name, ', ') root_superuser_roles \n FROM ( SELECT DISTINCT role_name, root_role_name FROM roles ORDER BY 2 )\n GROUP BY role_name\n ) rr \n ON r.role_name = rr.role_name\n ORDER BY 3,1;\n\nThe above query will list all user and group roles that have either been granted the SUPERUSER privilege explicitly, or via one of the roles in the hierarchy of roles they have been granted.\n\nIf a user or group role has the SUPERUSER privilege either directly or via one of the roles in the hierarchy of roles it has been granted and the role is not documented as being approved to have this privilege, this is a finding.\n\n# Check for CREATEROLE, CREATEDB, REPLICATION, and BYPASSURLS privileges\nTo check for user and group roles that have been granted the CREATEROLE, CREATEDB, REPLICATION, or BYPASSSRLS privileges, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:\n\n WITH RECURSIVE roles( granted_role_id, granted_role_name, role_id, role_name, can_login, how_privileged, root_role_name )\n AS (\n SELECT NULL::oid granted_role_id\n , NULL::name granted_role_name\n , r1.oid role_id\n , r1.rolname role_name\n , r1.rolcanlogin can_login\n , 'Assigned Privilege' how_privileged\n , r1.rolname root_role_name\n , pr.privilege\n , pr.sortkey\n FROM ( SELECT 1 sortkey, oid, 'CREATEROLE' privilege FROM pg_authid WHERE rolcreaterole = 't'\n UNION\n SELECT 2 sortkey, oid, 'CREATEDB' privilege FROM pg_authid WHERE rolcreatedb = 't'\n UNION\n SELECT 3 sortkey, oid, 'REPLICATION' privilege FROM pg_authid WHERE rolreplication = 't'\n UNION\n SELECT 4 sortkey, oid, 'BYPASSRLS' privilege FROM pg_authid WHERE rolbypassrls = 't'\n ) pr \n JOIN pg_authid r1 ON pr.oid = r1.oid\n UNION\n SELECT m.roleid\n , r3.rolname\n , m.member\n , r2.rolname\n , r2.rolcanlogin\n , 'Granted Role with Privilege'\n , r1.root_role_name\n , r1.privilege\n , r1.sortkey\n FROM pg_auth_members m\n JOIN pg_authid r2\n ON r2.oid = m.member\n JOIN pg_authid r3\n ON r3.oid = m.roleid\n JOIN roles r1\n ON m.roleid = r1.role_id\n )\n SELECT DISTINCT r.sortkey, r.privilege, r.role_name, r.can_login, hs.how_privileged, gr.granted_roles, rr.root_roles_with_priv\n FROM roles r\n JOIN ( SELECT role_name, string_agg(how_privileged, ', ') how_privileged \n FROM ( SELECT DISTINCT role_name, how_privileged FROM roles ORDER BY 2 )\n GROUP BY role_name\n ) hs\n ON r.role_name = hs.role_name\n JOIN ( SELECT role_name, string_agg(granted_role_name, ', ') granted_roles\n FROM ( SELECT DISTINCT role_name, granted_role_name FROM roles ORDER BY 2 ) \n GROUP BY role_name\n ) gr\n ON r.role_name = gr.role_name\n JOIN ( SELECT role_name, string_agg(root_role_name, ', ') root_roles_with_priv \n FROM ( SELECT DISTINCT role_name, root_role_name FROM roles ORDER BY 2 )\n GROUP BY role_name\n ) rr \n ON r.role_name = rr.role_name\n ORDER BY r.sortkey, r.privilege, hs.how_privileged, r.role_name;\n\nThe above query will list all user and group roles that have either been granted the CREATEROLE, CREATEDB, REPLICATION, or BYPASSRLS privileges explicitly or via one of the roles in the hierarchy of roles they have been granted.\n\nIf a user or group role has one of these privileges either directly or via one of the roles in the hierarchy of roles it has been granted and the role is not documented as being approved to have this privilege, this is a finding.\n\n# Check for default role assignments \nIn addition to the SUPERUSER, CREATEDB, and CREATEROLE privileges, a user may be granted one or more default roles that provide access to certain privileged capabilities and activities. A listing and description of the default roles provided with Postgres is documented at the following link:\n\n https://www.postgresql.org/docs/current/default-roles.html\n\nTo check for user and group roles that have been granted a role, execute the following SQL statement in psql or another Postgres SQL client as a database administrator, replacing <ROLE NAME> with the name of the role to be checked:\n\n WITH RECURSIVE roles( granted_role_id, granted_role_name, role_id, role_name, can_login, root_role_name )\n AS (\n SELECT NULL::oid granted_role_id\n , NULL::name granted_role_name\n , r1.oid role_id\n , r1.rolname role_name\n , r1.rolcanlogin can_login\n , r1.rolname root_role_name\n FROM pg_authid r1\n WHERE r1.rolname = '<ROLE NAME>'\n UNION\n SELECT m.roleid\n , r3.rolname\n , m.member\n , r2.rolname\n , r2.rolcanlogin\n , r1.root_role_name\n FROM pg_auth_members m\n JOIN pg_authid r2\n ON r2.oid = m.member\n JOIN pg_authid r3\n ON r3.oid = m.roleid\n JOIN roles r1\n ON m.roleid = r1.role_id\n )\n SELECT DISTINCT r.role_name, r.can_login, gr.granted_roles, rr.server_os_access_roles\n FROM roles r\n JOIN ( SELECT role_name, string_agg(granted_role_name, ', ') granted_roles\n FROM ( SELECT DISTINCT role_name, granted_role_name FROM roles ORDER BY 2 ) \n GROUP BY role_name\n ) gr\n ON r.role_name = gr.role_name\n JOIN ( SELECT role_name, string_agg(root_role_name, ', ') server_os_access_roles \n FROM ( SELECT DISTINCT role_name, root_role_name FROM roles ORDER BY 2 )\n GROUP BY role_name\n ) rr \n ON r.role_name = rr.role_name\n WHERE gr.granted_roles IS NOT NULL\n ORDER BY 1;\n\nNote that in the above query, to do a check for more than one role in a single query, replace \"r1.rolname = '<ROLE NAME>'\" with a comma separated list of roles in an SQL \"IN\" clause (e.g., \"r1.rolname IN ( '<ROLE 1 NAME>', '<ROLE 2 NAME>', \n<'ROLE N NAME'> )\").\n\nThe above query will list all user and group roles that have been granted the specified role(s) either explicitly or via one of the roles in the hierarchy of roles they have been granted.\n\nIf a user or group role has been granted one of the default privileged roles explicitly or via one of the roles in the hierarchy of roles they have been granted, and the role is not documented as being approved to have this role, this is a finding.\n\n# Check for object ownership and privileges\n# Check for database owners and granted privileges\nTo list all the databases contained in an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the databases, connect to a database as a database superuser using psql and execute the following psql command:\n\n \\l\n\nReview the results of the above command.\n\nIf any database is owned by a user or group role that is not documented as being approved to own the database, this is a finding.\n\nIf any user or group role has been granted privileges on a database that is not documented and approved, this is a finding.\n\n# Check for schema owners and granted privileges\nTo list all the schemas contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the schemas, connect to the database as a database superuser using psql and execute the following psql command:\n\n \\dn+ *\n\nReview the results of the above command.\n\nIf any schema is owned by a user or group role that is not documented as being approved to own the schema, this is a finding.\n\nIf any user or group role has been granted privileges on a schema that is not documented and approved, this is a finding.\n\n# Check for table, sequence, and view owners\nTo list all the tables, sequences, and views contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners, connect to the database as a database superuser using psql and execute the following psql commands: \n \\dt *.*\n \\ds *.*\n \\dv *.*\n\nReview the results of the above commands.\n\nIf any table, sequence, or view is owned by a user or group role that is not documented as being approved to own the object, this is a finding.\n\n# Check for table, sequence, and view access privileges \nTo list all the privileges that have been granted on the tables, sequences, and views in a database, connect to the database as a database superuser using psql and execute the following psql command: \n\n \\dp *.*\n\nReview the results of the above command.\n\nIf any user or group role has been granted privileges on an object that is not documented and approved, this is a finding.\n\n# Check for function/procedure owners and access privileges\nTo list all the functions and procedures contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the schemas, connect to the database as a database superuser using psql and execute the following SQL statement:\n\n SELECT r.rolname as owner\n , n.nspname as namespace\n , p.proname as name\n , pg_get_function_identity_arguments(p.oid)\n , p.prokind as kind\n , p.proacl as access_privileges\n FROM pg_proc p \n JOIN pg_namespace n ON p.pronamespace = n.oid\n JOIN pg_authid r ON p.proowner = r.oid\n ORDER BY 1, 2, 3, 4;\n\nReview the results of the above query.\n\nIf any function or procedure is owned by a user or group role that is not documented as being approved to own the object, this is a finding.\n\nIf any user or group role has been granted privileges on a function or procedure that is not documented and approved, this is a finding.\n\n# Check for additional installed procedural languages\nTo list the procedural languages that are available for use in a database within an EDB Postgres Advanced Server database, connect to the database as a database superuser using psql and execute the following psql command: \n\n \\dL+\n\nReview the results of the above command. A value of \"f\" in the \"Trusted\" column of the results indicates that the language is defined as an \"untrusted\" language. If no Access Privileges are listed for a particular language, this means that default privileges are assigned. In Postgres, unless overridden by using the ALTER DEFAULT PRIVILEGES command, the USAGE privilege on languages is assigned to PUBLIC by default.\n\nIf any \"untrusted\" language is listed in the results of the above command and not approved for use by the system, this is finding.\n\nIf any user or group role has been granted USAGE on an \"untrusted\" language that is not documented and approved, this is a finding.\n\n# Check for functions that are written in untrusted procedural languages\nTo check whether any user defined functions contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) are written in an untrusted procedural language, connect to the database as a database superuser using psql and execute the following SQL statement:\n\n SELECT n.nspname \"Schema\", p.proname \"Function\", p.prosrc \"Source\", p.probin \"Library\", l.lanname \"Language\", p.proacl \"Access Privileges\"\n FROM pg_proc p\n JOIN pg_namespace n ON p.pronamespace = n.oid \n JOIN pg_language l on p.prolang = l.oid \n WHERE (l .lanpltrusted = 'f' AND l.lanname != 'internal' )\n AND n.nspname NOT IN ('pg_catalog', 'sys', 'information_schema')\n ORDER BY 5, 1, 2;\n\nReview the results of the above query. Note that if no Access Privileges are listed for a particular function, this means that default privileges are assigned. In Postgres, unless overridden by using the ALTER DEFAULT PRIVILEGES command, the EXECUTE privilege on functions is assigned to PUBLIC by default.\n\nIf any user defined function is listed and is not documented as being approved for use, this is a finding.\n\nIf any user defined function is listed and is documented as being approved, but has execute privilege granted to a user or group role that has not been documented as having been approved for this permission, this is a finding.","fixText":"Update system documentation to accurately identify all user and group roles that are authorized to perform privileged actions.\n\nIf the SUPERUSER, CREATEROLE, CREATEDB, REPLICATION, or BYPASSRLS privileges have been assigned to a user or group role that is not approved to have these privileges, remove the privilege using the ALTER ROLE SQL command as necessary.\n\n The syntax is:\n ALTER ROLE <role> NOSUPERUSER\n ALTER ROLE <role> NOCREATEROLE\n ALTER ROLE <role> NOCREATEDB\n ALTER ROLE <role> NOREPLICATION\n ALTER ROLE <role> NOBYPASSURLS\n\n Examples: \n ALTER ROLE testuser NOSUPERUSER\n ALTER ROLE testuser NOCREATEROLE\n ALTER ROLE testuser NOCREATEDB\n ALTER ROLE testuser NOREPLICATION\n ALTER ROLE testuser NOBYPASSURLS\n\nIf an unapproved user or group role is the owner of a database object, change the owner to an approved user or group role using one of the following ALTER SQL commands as appropriate:\n\n The syntax is:\n ALTER DATABASE <database name> OWNER TO <new_owner>\n ALTER SCHEMA <schema name> OWNER TO <new_owner>\n ALTER TABLE <table name> OWNER TO <new_owner>\n ALTER SEQUENCE <sequence name> OWNER TO <new_owner>\n ALTER VIEW <view name> OWNER TO <new_owner>\n ALTER FUNCTION <function name> (<args>) OWNER TO <new_owner>\n ALTER PROCEDURE <procedure name> (<args>) OWNER TO <new_owner>\n\n Examples:\n ALTER DATABASE test_db OWNER TO app_admin\n ALTER SCHEMA test_schema OWNER TO app_admin\n ALTER TABLE test_tbl OWNER TO app_admin\n ALTER SEQUENCE test_seq OWNER TO app_admin\n ALTER VIEW test_vw OWNER TO app_admin\n ALTER FUNCTION test_func (p1 numeric, p2 text) OWNER TO app_admin\n ALTER PROCEDURE test_proc (p1 numeric, p2 text) OWNER TO app_admin\n\nIf a user or group role has been granted an unapproved role or object privilege, execute the appropriate REVOKE command as documented here:\n\n http://www.postgresql.org/docs/current/static/sql-revoke.html\n\nUpdate the system documentation to identify the intended use, scope, and justification for any \"untrusted\" procedural languages that are being used for user defined functions as well as the users who are approved to use these languages and corresponding functions.\n\nIf an unapproved user defined function exists, remove it from the database by executing the DROP FUNCTION SQL command as documented here:\n\n https://www.postgresql.org/docs/current/sql-dropfunction.html\n\nIf an unapproved procedural language is installed, remove it from the database by executing the following SQL command:\n\n DROP EXTENSION <extension_name>","ccis":["CCI-002235"]},{"vulnId":"V-224193","ruleId":"SV-224193r961359_rule","severity":"medium","ruleTitle":"Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.","description":"In certain situations, to provide required functionality, a DBMS must execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.\n\nPrivilege elevation must be utilized only where necessary and protected from misuse.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"Review the system documentation and source code of the application(s) using the database.\n\nIf elevation of DBMS privileges is used but not documented, this is a finding.\n\nIf elevation of DBMS privileges is documented but not implemented as described in the documentation, this is a finding.\n\nIf the privilege-elevation logic can be invoked in ways other than intended, in contexts other than intended, or by subjects/principals other than intended, this is a finding.\n\nExecute the following SQL to find any SECURITY DEFINER functions (meaning they are executed as owner rather than invoker):\n\nselect proname from pg_proc where prosecdef = true;\n\nIf any of these functions should not be SECURITY DEFINER, this is a finding.","fixText":"Determine where, when, how, and by what principals/subjects elevated privilege is needed.\n\nModify the system and the application(s) using the database to ensure privilege elevation is used only as required.\n\nTo alter a function to use SECURITY INVOKER instead of SECURITY DEFINER, execute the following SQL:\n\nALTER FUNCTION <function()> SECURITY INVOKER;","ccis":["CCI-002233"]},{"vulnId":"V-224194","ruleId":"SV-224194r961359_rule","severity":"medium","ruleTitle":"Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.","description":"In certain situations, to provide required functionality, a DBMS must execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.\n\nPrivilege elevation must be utilized only where necessary and protected from misuse.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"Review the system documentation and source code of the application(s) using the database.\n\nIf elevation of DBMS privileges is used but not documented, this is a finding.\n\nIf elevation of DBMS privileges is documented but not implemented as described in the documentation, this is a finding.\n\nIf the privilege-elevation logic can be invoked in ways other than intended, in contexts other than intended, or by subjects/principals other than intended, this is a finding.\n\nExecute the following SQL to find any users with BYPASS RLS permissions:\n\nselect rolname from pg_roles where rolbypassrls = true;\n\nIf any of these users are not superusers that should bypass RLS, this is a finding.","fixText":"Determine where, when, how, and by what principals/subjects elevated privilege is needed.\n\nModify the system and the application(s) using the database to ensure privilege elevation is used only as required.\n\nTo alter a user to not allow bypassing RLS, execute the following SQL:\n\nALTER USER <user> NOBYPASSRLS;","ccis":["CCI-002233"]},{"vulnId":"V-224195","ruleId":"SV-224195r981952_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must utilize centralized management of the content captured in audit records generated by all components of the EDB Postgres Advanced Server.","description":"Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.\n\nThe content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records.\n\nThe DBMS may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.","checkContent":"If a centralized log collecting tool such as Postgres Enterprise Manager (PEM) is not installed and configured to automatically collect audit logs, this is a finding.\n\nReview the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.","fixText":"Install a centralized log collecting tool and configure it as instructed in its documentation.\n\nIf using PEM, find the instructions at\n https://www.enterprisedb.com/docs/en/7.0/pemgetstarted/toc.html","ccis":["CCI-001844"]},{"vulnId":"V-224196","ruleId":"SV-224196r981953_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must provide centralized configuration of the content to be captured in audit records generated by all components of the EDB Postgres Advanced Server.","description":"If the configuration of the DBMS's auditing is spread across multiple locations in the database management software, or across multiple commands, only loosely related, it is harder to use and takes longer to reconfigure in response to events.\n\nThe DBMS must provide a unified tool for audit configuration.","checkContent":"If managing only single EDB Postgres Advanced Server clusters, this is not a finding.\n\nIf managing multiple EDB Postgres Advanced Server clusters and a unified tool for audit configuration such as PEM (Postgres Enterprise Manager) is not installed to configure and manage audit logs, this is a finding.\n\nReview the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.","fixText":"If managing multiple EDB Postgres Advanced Server clusters (i.e., instances), install a centralized audit log management tool and configure it as instructed in its documentation.\n\nIf using PEM, find the instructions at\n https://www.enterprisedb.com/docs/en/7.0/pemgetstarted/toc.html","ccis":["CCI-001844"]},{"vulnId":"V-224197","ruleId":"SV-224197r961392_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.","description":"To ensure sufficient storage capacity for the audit logs, the DBMS must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates that audit data be off-loaded to a centralized log management system, it remains necessary to provide space on the database server to serve as a buffer against outages and capacity limits of the off-loading mechanism.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of the DBMS and is closely associated with the DBA and system administrator roles. The DBA or system administrator will usually coordinate the allocation of physical drive space with the application owner/installer and the application will prompt the installer to provide the capacity information, the physical location of the disk, or both.\n\nIn determining the capacity requirements, consider such factors as: total number of users; expected number of concurrent users during busy periods; number and type of events being monitored; types and amounts of data being captured; the frequency/speed with which audit records are off-loaded to the central log management system; and any limitations that exist on the DBMS's ability to reuse the space formerly occupied by off-loaded records.","checkContent":"Investigate whether there have been any incidents where the DBMS ran out of audit log space since the last time the space was allocated or other corrective measures were taken.\n\nIf there have been incidents, this is a finding.\n\nTo check how much storage capacity is available for audit records, first determine the location where the EDB audit logs are being written by executing the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW edb_audit_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS). \n\nNote that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW data_directory\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf the default path is used for the postgresql data directory and the default setting of \"edb_audit\" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be <EDB Postgres data directory>\\edb_audit. Depending on the version of EPAS installed, the options selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different.\n\nWith the EDB audit directory identified, note the disk on which this directory exists. Use the Windows Disk Management panel to determine how much space has been allocated to the disk and how much space remains. The Disk Management panel can be opened via \"Start > Run > diskmgmt.msc\". To determine the capacity, used, and free space on the disk via the Windows Explorer, right click to select the disk, and then select the \"Properties\" menu option. To determine how much space is currently being consumed by the audit log using Windows Explorer, right click select the audit directory and then select the \"Properties\" menu option.\n\nIf the remaining storage on the disk does not meet organizationally defined audit record storage requirements, this is a finding.","fixText":"Allocate sufficient audit file space to the partition containing the EDB Audit directory to support peak demand.\n\nNote that the EDB audit log directory is configured by the edb_audit_directory parameter. By default, the edb_audit_directory is set to \"edb_audit\", which results in an \"edb_audit\" directory being created under the EPAS cluster's data directory for audit logs if auditing is enabled.","ccis":["CCI-001849"]},{"vulnId":"V-224198","ruleId":"SV-224198r961398_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.","description":"Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to EDB Postgres on its own server will not be an issue. However, space will still be required on the EDB Postgres server for audit records in transit, and, under abnormal conditions, this could fill up. Since a requirement exists to halt processing upon audit failure, a service outage would result.\n\nIf support personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion. \n\nThe appropriate support staff include, at a minimum, the ISSO and the DBA/SA.","checkContent":"If Postgres Enterprise Manager (PEM) or another similar monitoring capability is not installed and configured to probe storage volume utilization of \"<postgresql data directory>\" and notify appropriate support staff upon storage volume utilization reaching 75 percent, this is a finding.\n\n(The default path for the postgresql data directory is C:\\Program Files\\edb\\as<version>\\data, but this will vary according to local circumstances.)","fixText":"Install PEM (or similar tool) and configure a probe to monitor \"<postgresql data directory>\" and notify appropriate support staff upon storage volume utilization reaching 75 percent.\n\n(The default path for the postgresql data directory is C:\\Program Files\\edb\\as<version>\\data, but this will vary according to local circumstances.)\n\nExample steps for creating a probe are below, using the thin client (browser) PEM interface. Refer also to the Supplemental Procedures document, supplied with this STIG.\n\nOpen the PEM web console in a browser.\n- Log in.\n- Click on the agent for the machine to be monitored.\n- Select \"Management | Probe Configuration\".\n- Select \"Disk Space\" and set the check interval as you like.\n- Select \"Management | Alerting\".\n- Name the definition \"Audit Log Full\".\n- Select Template \"Disk Consumption Percentage\".\n- Set Frequency, Comparison Operator, and Thresholds (1 minute, >, 74/75/76 for example).\n- Enter the Location for the audit log.\n- Click Notification tab.\n- Click Email all alerts.\n- Click Add/Change to save, click \"OK\" to exit dialog box.","ccis":["CCI-001855"]},{"vulnId":"V-224199","ruleId":"SV-224199r961401_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. \n\nThe appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).\n\nThe necessary monitoring and alerts may be implemented using features of EDB Postgres, the OS, third-party software, custom code, or a combination of these. The term \"the system\" is used to encompass all of these.","checkContent":"If Postgres Enterprise Manager (PEM) or another similar monitoring capability is not installed and configured to probe storage volume utilization of \"<postgresql data directory>\" and notify appropriate support staff upon storage volume utilization reaching capacity, this is a finding.\n\n(The default path for the postgresql data directory is C:\\Program Files\\edb\\as<version>\\data, but this will vary according to local circumstances.)","fixText":"Install PEM (or similar tool) and configure a probe to monitor \"<postgresql data directory>\" and notify appropriate support staff upon storage volume utilization reaching capacity.\n\n(The default path for the postgresql data directory is C:\\Program Files\\edb\\as<version>\\data, but this will vary according to local circumstances.)\n\nExample steps for creating a probe are below, using the thin client (browser) PEM interface. Refer also to the Supplemental Procedures document, supplied with this STIG.\n\nOpen the PEM web console in a browser.\n- Log in.\n- Click on the agent for the machine to be monitored.\n- Select \"Management | Probe Configuration\".\n- Select \"Disk Space\" and set the check interval as you like.\n- Select \"Management | Alerting\".\n- Name the definition \"Audit Log Full\".\n- Select Template \"Disk Consumption Percentage\".\n- Set Frequency, Comparison Operator, and Thresholds (1 minute, >, 90/95/98 for example).\n- Enter the Location for the audit log.\n- Click Notification tab.\n- Click Email all alerts.\n- Click Add/Change to save, click \"OK\" to exit dialog box.","ccis":["CCI-001858"]},{"vulnId":"V-224200","ruleId":"SV-224200r981956_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.","description":"Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user.\n\nDBMS functionality and the nature and requirements of databases will vary; so while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The requirements for production servers will be more restrictive than those used for development and research.\n\nThe DBMS must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization.\n\nIn the case of a database management system, this requirement covers stored procedures, functions, triggers, views, etc.","checkContent":"If EDB Postgres supports only software development, experimentation, and/or developer-level testing (that is, excluding production systems, integration testing, stress testing, and user acceptance testing), this is not a finding.\n\nReview the EDB Postgres security settings with respect to non-administrative users' ability to create, alter, or replace logic modules, to include but not necessarily only stored procedures, functions, triggers, and views. These following commands, which are run using psql, can help with showing existing permissions of databases and schemas:\n\n\\l\n\\dn+\n\nPermissions of concern in this respect include the following, and possibly others:\n - any database or schema with \"C\" (create) or \"w\" (update) privileges that are not necessary\n\nIf any such permissions exist and are not documented and approved, this is a finding.","fixText":"Document and obtain approval for any non-administrative users who require the ability to create, alter, or replace logic modules.\n\nImplement the approved permissions. Revoke (or deny) any unapproved permissions and remove any unauthorized role memberships.\n\nUse the REVOKE SQL command to remove privileges from databases and schemas.\n\n For example, to revoke create privileges on a database:\n REVOKE CREATE ON DATABASE <database_name > FROM <role_name>;\n\n To revoke create privileges on a database:\n REVOKE CREATE ON SCHEMA <schema_name> FROM <role_name>;","ccis":["CCI-001812"]},{"vulnId":"V-224201","ruleId":"SV-224201r961461_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must enforce access restrictions associated with changes to the configuration of the EDB Postgres Advanced Server or database(s).","description":"Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system.\n\nAccordingly, only qualified and authorized individuals must be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.","checkContent":"Review the security configuration of the EDB Postgres database(s).\n\nIf EDB Postgres Advanced Server does not enforce access restrictions associated with changes to the configuration of the database(s), this is a finding.\n\n- - - - -\n\nTo assist in conducting reviews of permissions, the following commands, which are run using psql, describe permissions of databases, schemas, and users:\n\n\\l\n\\dn+\n\\du\n\nPermissions of concern in this respect include the following, and possibly others:\n\n- any user with SUPERUSER privileges\n- any database or schema with \"C\" (create) or \"w\" (update) privileges that are not necessary\n\nIf any users are listed that have SUPERUSER privileges who are not authorized for these privileges, this is a finding.\n\nIf any user has create or update privileges on a database and schema who is not authorized for these privileges, this is a finding.","fixText":"Configure EDB Postgres Advanced Server to enforce access restrictions associated with changes to the configuration of the EDB Postgres database(s).\n\nRemove superuser rights from unauthorized database users via the ALTER ROLE or ALTER USER SQL command.\n\n The syntax is:\n ALTER ROLE <role> NOSUPERUSER\n or\n ALTER USER <user> NOSUPERUSER\n\n Example: \n ALTER ROLE testuser NOSUPERUSER;\n OR \n ALTER USER testuser NOSUPERUSER;\n\nUse the REVOKE SQL command to remove privileges from databases and schemas.\n\n For example:\n REVOKE ALL PRIVILEGES ON <table> FROM <role_name>;","ccis":["CCI-001813"]},{"vulnId":"V-224203","ruleId":"SV-224203r961470_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.","description":"Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.\n\nA database cluster listens on a single port (usually 5444 for Postgres Plus Advanced Server). The Postgres Enterprise Manager (PEM) agents do not listen on ports, they only act as clients to the PEM server. The PEM server has two components (a repository which is a Postgres database) and an Apache HTTPD application. The Apache HTTPD application listens on a port configured in Apache, generally 8080 or 8443.\n\nThe ports to check are: \n1) The primary Postgres cluster port, \n2) If PEM is in use, the PEM Apache HTTPD port, and \n3) The PEM Repository DB port. \n\nGenerally 2 and 3 should be installed on an isolated management machine without access from anyone other than administrators.","checkContent":"Review the network functions, ports, protocols, and services supported by the DBMS.\n\nIf any protocol is prohibited by the PPSM guidance and is enabled, this is a finding.\n\nOpen the pg_hba.conf file in an editor and verify that none of the uncommented rows have a TYPE of \"host\" or \"hostnossl\". \n\nNote that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW hba_file\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nIf any rows in the pg_hba.conf file have a TYPE that is \"host\" or \"hostnossl\" and not documented as approved in the system security documentation, this is a finding.\n\nExecute the following SQL as enterprisedb:\n\n SHOW port;\n\nIf the displayed port is not allowed, this is a finding.","fixText":"Disable each prohibited network function, port, protocol, or service prohibited by the PPSM guidance.\n\nOpen the pg_hba.conf file in an editor and change the TYPE of any rows not starting with a \"#\" to be \"hostssl\". The METHOD for the hostssl rows should be one of these (in preferred order): cert, sspi, ldap, scram-sha-256\n\nNote that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:\n\n psql -d <database name> -U <database superuser name> -c \"SHOW hba_file\"\n\nwhere, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named \"edb\" and a superuser named \"enterprisedb\" are installed with EDB Postgres Advanced Server (EPAS).\n\nExecute the following SQL as enterprisedb:\n\n ALTER SYSTEM SET port = <port>;\n\nRestart the database service. For EDB Postgres Advanced Server, the default service name for an instance will be \"edb-as-<version>\" with a default display name of \"edb-as-<version> - Advanced Server <version>\", where \"<version>\" is the major version number of the EDB Postgres Advanced Server that is installed:\n\nTo restart the database service, using the Windows Services Control Manager:\n 1. Open the Windows Services Control Manager.\n 2. Select the database service from the list of services, right-click it, and select \"Restart\".\n\nAlternatively, the database can be restarted via the Windows command line using either the NET or SC command as follows:\n\n NET STOP <service name>\n NET START <service name>\n\nor\n\n SC STOP <service name>\n SC START <service name>\n\nIn the above commands, replace <service name> with the actual service name corresponding to the EDB Postgres instance.\n\nNote that if pgAgent is installed and running, the corresponding pgAgent service is dependent on the EDB Postgres database service and must first be stopped to restart the database service. After restarting the database service, the pgAgent service may be started again.","ccis":["CCI-001762"]},{"vulnId":"V-224204","ruleId":"SV-224204r987687_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must require users to re-authenticate when organization-defined circumstances or situations require re-authentication.","description":"The DoD standard for authentication of an interactive user is the presentation of a Common Access Card (CAC) or other physical token bearing a valid, current, DoD-issued Public Key Infrastructure (PKI) certificate, coupled with a Personal Identification Number (PIN) to be entered by the user at the beginning of each session and whenever re-authentication is required.\n\nWithout re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user re-authenticate.\n\nIn addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances:\n\n(i) When authenticators change;\n(ii) When roles change;\n(iii) When security categories of information systems change;\n(iv) When the execution of privileged functions occurs;\n(v) After a fixed period of time; or\n(vi) Periodically.\n\nWithin the DoD, the minimum circumstances requiring re-authentication are privilege escalation and role changes.","checkContent":"Determine all situations where a user must re-authenticate. Check if the mechanisms that handle such situations use the following SQL:\n\nTo make a single user re-authenticate, the following must be present:\n\n SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user='<username>'\n\nTo make all users re-authenticate, run the following:\n\n SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'\n\nIf the provided SQL does not force re-authentication, this is a finding.","fixText":"Determine the organization-defined circumstances or situations that require re-authentication and ensure the following SQL is executed in those situations.\n\nTo require a single user to re-authenticate, use this SQL: \n\n SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user = '<username>';\n\nTo require all users to re-authenticate, use this SQL: \n\n SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%';","ccis":["CCI-002038"]},{"vulnId":"V-224205","ruleId":"SV-224205r961596_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.","description":"Only DoD-approved external PKIs evaluated to ensure security controls and identity vetting procedures are in place that are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.\n\nThe authoritative list of DoD-approved PKIs is published at https://cyber.mil/pki-pke/interoperability/.\n\nThis requirement focuses on communications protection for the DBMS session rather than for the network packet.","checkContent":"In a Windows CMD prompt, run this command:\n\nCertUtil <postgresql data directory>\\server.crt\n\nIf the \"Issuer\" that is printed out is not a DoD entity, this is a finding.","fixText":"Contact your program security office to request DoD issued certificates:\n\nroot.crt (CA Certificate)\nserver.crt\nserver.key","ccis":["CCI-002470"]},{"vulnId":"V-224206","ruleId":"SV-224206r961599_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.","description":"DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.","checkContent":"If the application owner and Authorizing Official have determined that encryption of data at rest is not required, this is not a finding.\n\nRight-click on <postgresql data directory>, select properties, then select the General tab and the Advanced button.\n\nIf the \"Encrypt contents to secure data\" check box is not checked, this is a finding.","fixText":"Do these steps as the Windows user that is the database administrators (default is enterprisedb), if done as a different user, the Windows database administration user will be unable to view this folder and therefore unable to start the database:\n\nRight-click on <postgresql data directory>, select properties, then select the General tab and the Advanced button. Select option to apply to subfolders and files when prompted.","ccis":["CCI-002475"]},{"vulnId":"V-224207","ruleId":"SV-224207r961602_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.","description":"DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\n\nThe decision whether and what to encrypt rests with the data owner and is influenced by the physical measures taken to secure the equipment and media on which the information resides.","checkContent":"If the application owner and Authorizing Official have determined that encryption of data at rest is not required, this is not a finding.\n\nRight-click on <postgresql data directory>, select properties, then select the General tab and the Advanced button.\n\nIf the \"Encrypt contents to secure data\" check box is not checked, this is a finding.","fixText":"Do these steps as the Windows user that is the database administrators (default is enterprisedb). If done as a different user, the Windows database administration user will be unable to view this folder and therefore unable to start the database:\n\nRight-click on <postgresql data directory>, select properties, then select the General tab and the Advanced button. Select option to apply to subfolders and files when prompted.","ccis":["CCI-002476"]},{"vulnId":"V-224208","ruleId":"SV-224208r961638_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must maintain the confidentiality and integrity of information during preparation for transmission.","description":"Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nUse of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. \n\nWhen transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms.\n\nEDB Postgres Advanced Server provides native support for using SSL connections to encrypt client/server communications. To enable the use of SSL, the postgres “ssl” configuration parameter must be set to “on” and the database instance needs to be configured to use a valid server certificate and private key installed on the server. With SSL enabled, connections made to the database server will default to being encrypted. However, it is possible for clients to override the default and attempt to establish an unencrypted connection. To prevent connections made from non-local hosts from being unencrypted, the postgres host-based authentication settings should be configured to only allow hostssl (i.e., encrypted) connections. The hostssl connections can be further configured to require the client present a valid (trusted) SSL certificate for a connection.","checkContent":"If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.\nFirst, check if SSL is enabled for the database instance by connecting to the database as a database superuser using psql and executing the following command:\n    SHOW ssl;\nIf the result is not \"on\", this is a finding. \nNext, review the host based authentication settings by connecting to the database as a database superuser using psql and executing the following command:\n   SELECT * FROM pg_hba_file_rules;\nAlternatively, open the pg_hba.conf file in a viewer or editor and review the authentication settings that are configured in that file. \n\nNote the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found by connecting to the database as a database superuser using psql and executing the following command:\n   SHOW hba_file; \n\nIf any uncommented lines are not of TYPE \"hostssl\" and do not include the \"clientcert=1\" authentication option and are not documented in the system security plan or equivalent document as being approved, this is a finding.","fixText":"To configure EDB Postgres Advanced Server to use SSL, open the ”postgresql.conf\" file in an editor. Note the default location for the postgresql.conf file is in the postgresql data directory. The location of the postgresql.conf for a running EDB Postgres instance can be found by connecting to the database as a database superuser using psql and executing the following command:\n\n   SHOW config_file;\n\nIn the postgresql.conf file, set the “ssl” parameter as follows:\n\n   ssl = on\n\nMake sure the parameter is uncommented. \n\nIn order to start an EDB Postgres Advance Server instance in SSL mode, files containing the server certificate and private key must exist. By default, these files are expected to exist in the Postgres data directory and are expected to be named server.crt and server.key, respectively. Update the ssl_cert_file and ssl_cert_key parameters in the postgresql.conf file if the files are placed in a different location or are named differently. \nNote that changes to the ssl parameter setting and any of the other ssl related parameters require a reload of the database server configuration to put the changes into effect. \nTo reload the database server configuration, connect to the database as a database superuser using psql and execute the following command:\n   SELECT pg_reload_conf();\nAfter verifying that SSL is enabled for the database, open the pg_hba.conf file in an editor to configure the host-based authentication settings. Note the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found by connecting to the database as a database superuser using psql and execute the following command:\n   SHOW hba_file;\n\nObtain approval and document any uncommented entries with corresponding justification that are not of type hostssl and do not include the “clientcert=1” option.\n\nFor any entries that are not of type hostssl authentication with the “clientcert=1” option and not documented and approved, change the \"TYPE\" column to “hostssl” and add the “clientcert=1” authentication method option. \n\nNote on Microsoft Windows systems, changes to the host-based authentication settings in the pg_hba.conf file are immediately applied by subsequent new connections.\n\nFor more information on configuring PostgreSQL to use SSL, consult the following documentation:\nhttps://www.postgresql.org/docs/current/ssl-tcp.html\n\nFor more information on configuring the postgresql pg_hba.conf file, consult the following documentation:\nhttps://www.postgresql.org/docs/current/auth-pg-hba-conf.html","ccis":["CCI-002420"]},{"vulnId":"V-224209","ruleId":"SV-224209r961641_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must maintain the confidentiality and integrity of information during reception.","description":"Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nThis requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. \n\nWhen receiving data, the DBMS, associated applications, and infrastructure must leverage protection mechanisms.\n\nEDB Postgres Advanced Server provides native support for using SSL connections to encrypt client/server communications. To enable the use of SSL, the postgres “ssl” configuration parameter must be set to “on” and the database instance needs to be configured to use a valid server certificate and private key installed on the server. With SSL enabled, connections made to the database server will default to being encrypted. However, it is possible for clients to override the default and attempt to establish an unencrypted connection. To prevent connections made from non-local hosts from being unencrypted, the postgres host-based authentication settings should be configured to only allow hostssl (i.e., encrypted) connections. The hostssl connections can be further configured to require the client present a valid (trusted) SSL certificate for a connection.","checkContent":"If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.\n\nFirst, check if ssl is enabled for the database instance, connect to the database as a database superuser using psql and executing the following command:\n    SHOW ssl;\nIf the result is not \"on\", this is a finding. \nNext, review the host based authentication settings by connecting to the database as a database superuser using psql and executing the following command:\n   SELECT * FROM pg_hba_file_rules;\nAlternatively, open the pg_hba.conf file in a viewer or editor and review the authentication settings that are configured in that file. \n\nNote the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found by connecting to the database as a database superuser using psql and executing the following command:\n   SHOW hba_file; \n\nIf any uncommented lines are not of TYPE \"hostssl\" and do not include the \"clientcert=1\" authentication option and are not documented in the system security plan or equivalent document as being approved, this is a finding.","fixText":"To configure EDB Postgres Advanced Server to use SSL, open the ”postgresql.conf\" file in an editor. Note the default location for the postgresql.conf file is in the postgresql data directory. The location of the postgresql.conf for a running EDB Postgres instance can be found by connecting to the database as a database superuser using psql and executing the following command:\n\n   SHOW config_file;\n\nIn the postgresql.conf file, set the “ssl” parameter as follows:\n\n   ssl = on\n\nMake sure the parameter is uncommented. \n\nIn order to start an EDB Postgres Advanced Server instance in SSL mode, files containing the server certificate and private key must exist. By default, these files are expected to exist in the Postgres data directory and are expected to be named server.crt and server.key, respectively. Update the ssl_cert_file and ssl_cert_key parameters in the postgresql.conf file if the files are placed in a different location or are named differently. \nNote changes to the ssl parameter setting and any of the other ssl related parameters require a reload of the database server configuration to put the changes into effect. \nTo reload the database server configuration, connect to the database as a database superuser using psql and execute the following command:\n   SELECT pg_reload_conf();\nAfter verifying SSL is enabled for the database, open the pg_hba.conf file in an editor to configure the host-based authentication settings. Note the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found by connecting to the database as a database superuser using psql and execute the following command:\n   SHOW hba_file;\nObtain approval and document any uncommented entries with corresponding justification that are not of type hostssl and do not include the “clientcert=1” option.\n\nFor any entries that are not of type hostssl authentication with the “clientcert=1” option and not documented and approved, change the \"TYPE\" column to “hostssl” and add the “clientcert=1” authentication method option. \n\nNote that on Microsoft Windows systems, changes to the host-based authentication settings in the pg_hba.conf file are immediately applied by subsequent new connections.\n\nFor more information on configuring PostgreSQL to use SSL, consult the following documentation:\nhttps://www.postgresql.org/docs/current/ssl-tcp.html\n\nFor more information on configuring the postgresql pg_hba.conf file, consult the following documentation:\nhttps://www.postgresql.org/docs/current/auth-pg-hba-conf.html","ccis":["CCI-002422"]},{"vulnId":"V-224210","ruleId":"SV-224210r961656_rule","severity":"medium","ruleTitle":"When invalid inputs are received, the EDB Postgres Advanced Server must behave in a predictable and documented manner that reflects organizational and system objectives.","description":"A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state.\n\nThe behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"Review system documentation to determine how input errors are to be handled in general and if any special handling is defined for specific circumstances.\n\nReview the source code for database program objects (stored procedures, functions, triggers) and application source code to identify how the system responds to invalid input.\n\nIf it does not implement the documented behavior, this is a finding.\n\nVerify that EDB auditing is enabled.\n\n Execute the following SQL as enterprisedb:\n\n SHOW edb_audit;\n\nIf the result is not \"csv\" or \"xml\", this is a finding.\n\nVerify that EDB Audit is logging errors at a minimum, and unless otherwise documented and approved, also logging DDL and DML actions performed on the EDB Postgres Advanced Server database.\n\n Execute the following SQL as enterprisedb:\n\n SHOW edb_audit_statement;\n\nIf the result is \"all\", this is not a finding.\n\nOtherwise, if the result is not at least \"error,ddl,dml\" and if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.\n\nIf EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from unexpected or unauthorized actions performed on database tables, verify that it has been configured according to documented organizational needs.\n\n1) Execute the following SQL as enterprisedb:\n\n SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\\_sql\\_protect.%' ESCAPE '\\';\n\nIf the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding.\n\n2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:\n\n \\dn\n\nIf the \"sqlprotect\" schema is not listed, this is a finding.\n\n3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb:\n\n SELECT * FROM sqlprotect.list_protected_users;\n\nIf the database and user that handles user input is not listed or the remaining settings are not set to approved values, this is a finding.","fixText":"Revise and deploy the source code for database program objects (stored procedures, functions, triggers) and application source code, to implement the documented behavior.\n\nTo enable EDB Auditing, execute the following SQL statements as the enterprisedb user:\n\n ALTER SYSTEM SET edb_audit = csv;\n SELECT pg_reload_conf();\n\nor\n\n ALTER SYSTEM SET edb_audit = xml;\n SELECT pg_reload_conf(); \n\nTo configure the edb_audit_statement parameter, execute the following SQL statements as the enterprisedb user:\n\n ALTER SYSTEM SET edb_audit_statement = 'all';\n SELECT pg_reload_conf();\n\nor\n\n Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.\n\nIf EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from unexpected or unauthorized actions performed on database tables, install and configure SQL/Protect as documented in section \"Protecting Against SQL Injection Attacks\" in the EDB Postgres Advanced Server Guide available at the following link:\n\nhttps://www.enterprisedb.com/edb-docs/p/edb-postgres-advanced-server","ccis":["CCI-002754"]},{"vulnId":"V-224211","ruleId":"SV-224211r961683_rule","severity":"medium","ruleTitle":"Security-relevant software updates to the EDB Postgres Advanced Server must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","description":"Security flaws with software applications, including database management systems, are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.\n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).\n\nThis requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means the time period utilized must be a configurable parameter. Timeframes for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","checkContent":"Obtain evidence that software patches are obtained from EnterpriseDB and are consistently applied to the DBMS within the timeframe defined for each patch.\n\nIf such evidence cannot be obtained, or the evidence that is obtained indicates a pattern of noncompliance, this is a finding.\n\nTo check which version of EDB Postgres Advanced Server is installed, execute the following SQL statement:\n\n SELECT version();\n\nIf the version returned by the above query is at a lower version level than required, this is a finding.\n\nIf an administrator is not registered on the EDB Support Portal with an email address for monitoring technical alerts, this is a finding.","fixText":"Institute and adhere to policies and procedures to ensure that patches are consistently obtained from EnterpriseDB and applied to the DBMS within the time allowed.\n\nEnsure that a monitored email address is registered as a user on the EDB support portal and is receiving technical alerts.","ccis":["CCI-002605"]},{"vulnId":"V-224232","ruleId":"SV-224232r961824_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when successful/unsuccessful logons, connections, or connection attempts occur.","description":"For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to the DBMS.\n\nIt is also necessary to track failed attempts to log on to the DBMS. While positive identification may not be possible in a case of failed authentication, as much information as possible about the incident must be captured.\n\nSatisfies: SRG-APP-000503-DB-000350,SRG-APP-000503-DB-000351","checkContent":"Execute the following SQL as enterprisedb:\n\n SHOW edb_audit_connect;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\n ALTER SYSTEM SET edb_audit_connect = 'all';\n SELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.","ccis":["CCI-000172"]},{"vulnId":"V-224235","ruleId":"SV-224235r961830_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records showing starting and ending time for user access to the database(s) and concurrent logons/connections by the same user from different workstations.","description":"For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to the DBMS lasts. This can be achieved by recording disconnections, in addition to logons/connections, in the audit logs.\n\nDisconnection may be initiated by the user or forced by the system (as in a timeout) or result from a system or network failure. To the greatest extent possible, all disconnections must be logged.\n\nConcurrent connections by the same user from multiple workstations may be valid use of the system; or such connections may be due to improper circumvention of the requirement to use the CAC for authentication; or they may indicate unauthorized account sharing; or they may be because an account has been compromised.\n\n(If the fact of multiple, concurrent logons by a given user can be reliably reconstructed from the log entries for other events [logons/connections; voluntary and involuntary disconnections], then it is not mandatory to create additional log entries specifically for this.)\n\nSatisfies: SRG-APP-000505-DB-000352,SRG-APP-000506-DB-000353","checkContent":"Execute the following SQL as enterprisedb:\n\n SHOW edb_audit_connect;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.\n\nExecute the following SQL as enterprisedb:\n\n SHOW edb_audit_disconnect;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\n ALTER SYSTEM SET edb_audit_connect = 'all';\n ALTER SYSTEM SET edb_audit_disconnect = 'all';\n SELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.","ccis":["CCI-000172"]},{"vulnId":"V-224238","ruleId":"SV-224238r961839_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records for all direct access to the database(s).","description":"In this context, direct access is any query, command, or call to the DBMS that comes from any source other than the application(s) that it supports. Examples would be the command line or a database management utility program. The intent is to capture all activity from administrative and non-standard sources.","checkContent":"Execute the following SQL as enterprisedb:\n\n SHOW edb_audit_statement;\n SHOW edb_audit_connect;\n SHOW edb_audit_disconnect;\n\nIf the result is not \"all\" for any or if the current settings for this requirement have not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\n ALTER SYSTEM SET edb_audit_statement = 'all';\n ALTER SYSTEM SET edb_audit_connect = 'all';\n ALTER SYSTEM SET edb_audit_disconnect = 'all';\n SELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.","ccis":["CCI-000172"]},{"vulnId":"V-224239","ruleId":"SV-224239r961857_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance of testing and validation.\n\nFor detailed information, refer to NIST FIPS Publication 140-3, Security Requirements For Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.","checkContent":"If any uncommented lines in <postgresql data dir>\\pg_hba.conf do not start with \"hostssl\", this is a finding.\n\nThe \"ssleay32_dll\" and \"libeay32.dll\" files in <EDB Postgres Advanced Server Home>\\bin should be FIPS 140-2 compliant DLLs from EnterpriseDB. These are included in EDB Postgres Advanced Server v11 update 6 (i.e., 11.6) and greater.\nIf the installed EDB v11 is not update 11.6 or greater, this is a finding.\n\nIf C:\\usr\\local\\ssl\\openssl.cnf does not exist with these contents, or if an System Environment variable called OPENSSL_CONF pointing to a file with these contents has not been created, this is a finding:\n\nHOME = .\nRANDFILE = $ENV::HOME/.rnd\nopenssl_conf=openssl_conf_section\n[openssl_conf_section]\nalg_section=evp_settings\n[evp_settings]\nfips_mode=yes","fixText":"Edit <postgresql data dir>\\pg_hba.conf so that each uncommented line starts with \"hostssl\".\n\nIf the EDB Postgres Advanced Server minor version is less than version 11.6, install the 11.6 update or later version or contact EnterpriseDB to obtain a copy of the FIPS 140-2 compliant versions of the \"ssleay32.dll\" and \"libeay32.dll\" files and replace the \"ssleay32.dll\" and \"libeay32.dll\" files in <EDB Postgres Advanced Server Home>\\bin with FIPS 140-2 compliant DLLs from EnterpriseDB. If the EDB Postgres Advanced Server minor version is 11.6 or greater, the FIPS 140-2 compliant versions of these DLLs are installed by default and do not need to be replaced.\n\nCreate C:\\usr\\local\\ssl\\openssl.cnf or another file referenced by a System Environment variable called OPENSSL_CONF with these contents:\n\nHOME = .\nRANDFILE = $ENV::HOME/.rnd\nopenssl_conf=openssl_conf_section\n[openssl_conf_section]\nalg_section=evp_settings\n[evp_settings]\nfips_mode=yes\n\nRestart the Postgres server via the Services administration GUI.","ccis":["CCI-002450"]},{"vulnId":"V-224240","ruleId":"SV-224240r961860_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nThe DBMS may write audit records to database tables, to files in the file system, to other kinds of local repositories, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.","checkContent":"If Postgres Enterprise Manager (PEM) or another log collection tool is not installed and configured to automatically collect audit logs or if or a process for off-loading audit logs to a centralized system is not in place, this is a finding.\n\nReview the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.","fixText":"Install a centralized log-collecting tool and configure it as instructed in its documentation.\n\nIf using PEM, find the instructions for configuring the centralized audit manager at:\n https://www.enterprisedb.com/docs/en/7.0/pemgetstarted/toc.html","ccis":["CCI-001851"]},{"vulnId":"V-224241","ruleId":"SV-224241r961863_rule","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.","description":"Configuring the DBMS to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. \n\nIn addition to this SRG, sources of guidance on security and information assurance exist. These include NSA configuration guides, CTOs, DTMs, and IAVMs. The DBMS must be configured in compliance with guidance from all such relevant sources.","checkContent":"Review the DBMS documentation and configuration to determine if the DBMS is configured in accordance with DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs and IAVMs.\n\nIf the DBMS is not configured in accordance with security configuration settings, this is a finding.","fixText":"Configure EDB Postgres Advanced Server in accordance with DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, and IAVMs.","ccis":["CCI-000366"]},{"vulnId":"V-224242","ruleId":"SV-224242r961050_rule","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must be configured on a platform that has a NIST certified FIPS 140-2 or 140-3 installation of OpenSSL.","description":"Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated cryptographic modules may not implement algorithms correctly. Unapproved cryptographic modules or algorithms should not be relied on for authentication, confidentiality or integrity. Weak cryptography could allow an attacker to gain access to and modify data stored in the database as well as the administration settings of the DBMS.\n\nApplications, including DBMSs, utilizing cryptography are required to use approved NIST FIPS 140-2 or 140-3 validated cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. \n\nNSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules.\n\nThe standard for validating cryptographic modules will transition to the NIST FIPS 140-3 publication.\n\nFIPS 140-2 modules can remain active for up to 5 years after validation or until September 21, 2026, when the FIPS 140-2 validations will be moved to the historical list.  Even on the historical list, CMVP supports the purchase and use of these modules for existing systems. While Federal Agencies decide when they move to FIPS 140-3 only modules, purchasers are reminded that for several years there may be a limited selection of FIPS 140-3 modules from which to choose. CMVP recommends purchasers consider all modules that appear on the Validated Modules Search Page:\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules\n\nMore information on the FIPS 140-3 transition can be found here: \nhttps://csrc.nist.gov/Projects/fips-140-3-transition-effort/\n\nWhen the EDB FIPS 140 certified cryptographic modules are configured properly, an EDB Postgres Advanced Server will fail to start if non-FIPS 140 ciphers are specified for the Postgres ssl_ciphers parameter. To test whether the FIPS 140 compliant configuration is working, temporarily set the \"ssl_ciphers\" parameter in the postgresql.conf file to 'RC4-SHA' and then attempt to restart the database service. Since \"RC4-SHA\" is not a FIPS 140 approved cipher, the database will fail to start. Using the Event Viewer in Windows, a \"FATAL: could not set the cipher list (no valid ciphers available)\" error will be found under \"Event Viewer (Local) >> Windows Logs >> Application\".\n\nSatisfies: SRG-APP-000179-DB-000114,SRG-APP-000514-DB-000382,SRG-APP-000514-DB-000383","checkContent":"If any uncommented lines in <postgresql data dir>\\pg_hba.conf do not start with \"hostssl\", this is a finding.\n\nThe \"ssleay32_dll\" and \"libeay32.dll\" files in <EDB Postgres Advanced Server Home>\\bin should be FIPS 140-2 or 140-3 compliant DLLs from EnterpriseDB. These are included in EDB Postgres Advanced Server v11 update 6 (i.e., 11.6) and greater.\nIf the installed EDB v11 is not update 11.6 or greater, this is a finding.\n\nIf C:\\usr\\local\\ssl\\openssl.cnf does not exist with these contents, or if an System Environment variable called OPENSSL_CONF pointing to a file with these contents has not been created, this is a finding:\n\nHOME = .\nRANDFILE = $ENV::HOME/.rnd\nopenssl_conf=openssl_conf_section\n[openssl_conf_section]\nalg_section=evp_settings\n[evp_settings]\nfips_mode=yes","fixText":"Edit <postgresql data dir>\\pg_hba.conf so that each uncommented line starts with \"hostssl\"\n\nIf the EDB Postgres Advanced Server minor version is less than version 11.6, install the 11.6 update or later version or contact EnterpriseDB to obtain a copy of the FIPS 140 compliant versions of the \"ssleay32.dll\" and \"libeay32.dll\" files and replace the \"ssleay32.dll\" and \"libeay32.dll\" files in <EDB Postgres Advanced Server Home>\\bin with FIPS 140 compliant DLLs from EnterpriseDB. If the EDB Postgres Advanced Server minor version is 11.6 or greater, the FIPS 140 compliant versions of these DLLs are installed by default and do not need to be replaced.\n\nCreate C:\\usr\\local\\ssl\\openssl.cnf or another file referenced by a System Environment variable called OPENSSL_CONF with these contents:\n\nHOME = .\nRANDFILE = $ENV::HOME/.rnd\nopenssl_conf=openssl_conf_section\n[openssl_conf_section]\nalg_section=evp_settings\n[evp_settings]\nfips_mode=yes\n\nRestart the Postgres server via the Services administration GUI.","ccis":["CCI-000803"]},{"vulnId":"V-265873","ruleId":"SV-265873r999525_rule","severity":"high","ruleTitle":"EDB Postgres Advanced Server v11 products must be a version supported by the vendor.","description":"Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.\n\nSystems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.\n\nWhen maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.","checkContent":"Enterprise Postgres Advanced Server v11 on Windows is no longer supported by the vendor. If the system is running Enterprise Postgres Advanced Server v11 on Windows, this is a finding.","fixText":"Remove or decommission all unsupported software products.\n\nUpgrade unsupported DBMS or unsupported components to a supported version of the product.","ccis":["CCI-003376"]}]}