← Back to VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide

V-240298

CAT II (Medium)

The vRA PostgreSQL database must use md5 for authentication.

Rule ID

SV-240298r879608_rule

STIG

VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000196

Discussion

The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, database passwords stored in clear text, using reversible encryption, or using unsalted hashes would be vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes when stored internally or externally to the DBMS.

Check Content

At the command prompt, execute the following command to enter the psql prompt:

# cat /storage/db/pgdata/pg_hba.conf

If any rows have "trust" specified for the "METHOD" column, this is a finding.

Fix Text

Navigate to and open /storage/db/pgdata/pg_hba.conf.  

Navigate to the user that has a method of "trust".  

Change the method to "md5".

A correct, typical line will look like the following:
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host       all                        all                 127.0.0.1/32           md5