11:["$","div",null,{"className":"mx-auto max-w-7xl p-6","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-brand text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-4 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"text-3xl font-bold","children":"Crunchy Data Postgres 16 Security Technical Implementation Guide"}],false,["$","$L1b",null,{}]]}],["$","section",null,{"className":"mb-8 rounded-lg border border-gray-200 bg-white p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","2"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Feb 27, 2026"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-xs text-gray-500","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"CD_Postgres_16_STIG","children":"CD_Postgres_16_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":111}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"rounded-full bg-gray-100 px-2 py-0.5 text-xs text-gray-700","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"rounded bg-red-100 px-3 py-1 text-sm font-medium text-red-800","children":["CAT I: ",10]}],["$","span",null,{"className":"rounded bg-yellow-100 px-3 py-1 text-sm font-medium text-yellow-800","children":["CAT II: ",101]}],["$","span",null,{"className":"rounded bg-blue-100 px-3 py-1 text-sm font-medium text-blue-800","children":["CAT III: ",0]}]]}],["$","p",null,{"className":"mt-4 text-sm text-gray-600","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Crunchy%20Data%20Postgres%2016%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Crunchy%20Data%20Postgres%2016%20Security%20Technical%20Implementation%20Guide&format=csv","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Crunchy%20Data%20Postgres%2016%20Security%20Technical%20Implementation%20Guide&format=json","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CD_Postgres_16_V1R2_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-brand/10 text-brand hover:bg-brand/20 border-brand/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L1c",null,{"checks":[{"id":"d3f58a15-ea41-47a8-b6c6-5843ece39348","vulnId":"V-261857","severity":"medium","ruleTitle":"PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.","description":"$1d","checkContent":"To check the total amount of connections allowed by the database, as the database administrator, run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW max_connections\"\n\nIf the total amount of connections is greater than documented by an organization, this is a finding.\n\nTo check the amount of connections allowed for each role, as the database administrator, run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SELECT rolname, rolconnlimit \nFROM pg_roles\nWHERE rolname NOT IN (\n'pg_database_owner',\n'pg_read_all_data',\n'pg_write_all_data',\n'pg_monitor',\n'pg_read_all_settings',\n'pg_read_all_stats',\n'pg_stat_scan_tables',\n'pg_read_server_files',\n'pg_write_server_files',\n'pg_execute_server_program',\n'pg_signal_backend',\n'pg_checkpoint',\n'pg_use_reserved_connections',\n'pg_create_subscription');\"\n\nIf any roles have more connections configured than documented, this is a finding. A value of \"-1\" indicates Unlimited and is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo configure the maximum amount of connections allowed to the database, as the database administrator (shown here as \"postgres\") change the following in postgresql.conf (the value 10 is an example; set the value to suit local conditions):\n\n$ sudo su - postgres \n$ vi ${PGDATA?}/postgresql.conf \nmax_connections = 10 \n\nRestart the database:\n\n$ sudo systemctl restart postgresql-${PGVER?}\n\nTo limit the amount of connections allowed by a specific role, as the database administrator, run the following SQL: \n\n$ psql -c \"ALTER ROLE CONNECTION LIMIT 1\";"},{"id":"dee023db-8f18-4f33-a4cc-86604a8a418a","vulnId":"V-261858","severity":"high","ruleTitle":"PostgreSQL must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.","description":"$1e","checkContent":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.\n\nIf all accounts are authenticated by the organization-level authentication/access mechanism, such as LDAP or Kerberos and not by PostgreSQL, this is not a finding.\n\nAs the database administrator (shown here as \"postgres\"), review pg_hba.conf authentication file settings:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_hba.conf\n\nAll records must use an auth-method of gss, sspi, ldap, or cert. For details on the specifics of these authentication methods refer to: http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html.\n\nIf there are any records with a different auth-method than gss, sspi, ldap, or cert, review the system documentation for justification and approval of these records.\n\nIf there are any records with a different auth-method than gss, sspi, ldap, or cert, that are not documented and approved, this is a finding.","fixText":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.\n\nIntegrate PostgreSQL security with an organization-level authentication/access mechanism providing account management for all users, groups, roles, and any other principals.\n\nAs the database administrator (shown here as \"postgres\"), edit pg_hba.conf authentication file:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/pg_hba.conf\n\nFor each PostgreSQL-managed account that is not documented and approved, either transfer it to management by the external mechanism, or document the need for it and obtain approval, as appropriate."},{"id":"9d1eba89-7984-4e1c-8911-689d843a1907","vulnId":"V-261859","severity":"high","ruleTitle":"PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","description":"$1f","checkContent":"$20","fixText":"$21"},{"id":"251b8668-4349-45a6-ad8e-5e98f521a585","vulnId":"V-261860","severity":"medium","ruleTitle":"PostgreSQL must protect against a user falsely repudiating having performed organization-defined actions.","description":"Nonrepudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNonrepudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring PostgreSQL audit tools to capture the necessary audit trail. Design and implementation must ensure that applications pass individual user identification to PostgreSQL, even where the application connects to PostgreSQL with a standard, shared account.","checkContent":"As the database administrator, review the current log_line_prefix settings by running the following SQL: \n\n$ sudo su - postgres \n$ psql -c \"SHOW log_line_prefix\" \n\nIf log_line_prefix does not contain at least '< %m %a %u %d %r %p >', this is a finding. \n\nReview the current shared_preload_libraries settings by running the following SQL: \n\n$ psql -c \"SHOW shared_preload_libraries\" \n\nIf shared_preload_libraries does not contain \"pgaudit\", this is a finding.","fixText":"$22"},{"id":"1689c6e4-c193-4397-a157-8a3b3bfcf8db","vulnId":"V-261861","severity":"medium","ruleTitle":"PostgreSQL must provide audit record generation capability for DOD-defined auditable events within all DBMS/database components.","description":"$23","checkContent":"Note: The following instructions use the PGLOG environment variables. Refer to supplementary content APPENDIX-I for instructions on configuring PGVER.\n\nCheck PostgreSQL audit logs to determine whether organization-defined auditable events are being audited by the system.\n\nFor example, if the organization defines 'CREATE TABLE' as an auditable event, issuing the following command should return a result:\n\n$ sudo su - postgres\n$ psql -c \"CREATE TABLE example (id int)\"\n$ grep 'AUDIT:.*,CREATE TABLE.*example' ${PGLOG?}/\n$ psql -c 'DROP TABLE example;'\n\nIf organization-defined auditable events are not being audited, this is a finding.","fixText":"Configure PostgreSQL to generate audit records for at least the DOD minimum set of events.\n\nUsing \"pgaudit\", PostgreSQL can be configured to audit these requests. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nTo ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C."},{"id":"db19e0cc-0f72-4963-a421-dbb05b017da2","vulnId":"V-261862","severity":"medium","ruleTitle":"PostgreSQL must allow only the information system security manager (ISSM), or individuals or roles appointed by the ISSM, to select which events are to be audited.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.\n\nCheck PostgreSQL settings and documentation to determine whether designated personnel are able to select which auditable events are being audited.\n\nAs the database administrator (shown here as \"postgres\"), verify the permissions for PGDATA:\n\n$ ls -la ${PGDATA?}\n\nIf anything in PGDATA is not owned by the database administrator, this is a finding.\n\nAs the database administrator, run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nReview the role permissions, if any role is listed as superuser but should not have that access, this is a finding.","fixText":"Configure PostgreSQL's settings to allow designated personnel to select which auditable events are audited.\n\nUsing pgaudit allows administrators the flexibility to choose what they log. For an overview of the capabilities of pgaudit, refer to https://github.com/pgaudit/pgaudit. \n\nRefer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nRefer to supplementary content APPENDIX-C for instructions on enabling logging. Only administrators/superuser can change PostgreSQL configurations. Access to the database administrator must be limited to designated personnel only.\n\nTo ensure that postgresql.conf is owned by the database owner:\n\n$ chown postgres:postgres ${PGDATA?}/postgresql.conf\n$ chmod 600 ${PGDATA?}/postgresql.conf"},{"id":"b18cad47-f21c-48a8-89bf-bffb37312789","vulnId":"V-261863","severity":"medium","ruleTitle":"PostgreSQL must be able to generate audit records when privileges/permissions are retrieved.","description":"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. PostgreSQLs typically make such information available through views or functions.\n\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that PostgreSQL continually performs to determine if any and every action on the database is permitted.","checkContent":"$24","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nPostgreSQL can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters): \n\npgaudit.log_catalog = 'on'\npgaudit.log = 'read'\n\nNote: For this requirement the pgaudit.log must contain 'read' however APPENDIX-C suggests setting pgaudit.log='ddl, role, read, write' to fulfill all requirements.\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"80422023-d7f1-4246-89e0-ae9abe990e82","vulnId":"V-261864","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.","description":"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. PostgreSQLs typically make such information available through views or functions.\n\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that PostgreSQL continually performs to determine if any and every action on the database is permitted.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Note: The following instructions use the PGLOG environment variables. Refer to supplementary content APPENDIX-I for instructions on configuring PGLOG.\n\nAs the database administrator (shown here as \"postgres\"), create a role \"bob\" by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"CREATE ROLE bob\"\n\nAttempt to retrieve information from the pg_authid table:\n\n$ psql -c \"SET ROLE bob; SELECT * FROM pg_authid\"\n$ psql -c \"DROP ROLE bob;\"\n\nAs the database administrator (shown here as \"postgres\"), verify the event was logged in PGLOG:\n\n$ sudo su - postgres\n$ cat ${PGLOG?}/\n< 2024-02-13 16:49:58.864 UTC postgres postgres ERROR: > permission denied for relation pg_authid\n< 2024-02-13 16:49:58.864 UTC postgres postgres STATEMENT: > SELECT * FROM pg_authid\n\nIf the above steps cannot verify that audit records are produced when PostgreSQL denies retrieval of privileges/permissions/role memberships, this is a finding.","fixText":"Configure PostgreSQL to produce audit records when unsuccessful attempts to access privileges occur.\n\nAll denials are logged if logging is enabled. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C."},{"id":"440d3326-1521-431e-9b0a-5e4f1206af8c","vulnId":"V-261865","severity":"medium","ruleTitle":"PostgreSQL must initiate session auditing upon startup.","description":"Session auditing is for use when a user's activities are under investigation. To ensure the capture of all activity during those periods when session auditing is in use, it needs to be in operation for the whole time PostgreSQL is running.","checkContent":"As the database administrator (shown here as \"postgres\"), check the current settings by running the following SQL: \n\n$ sudo su - postgres \n$ psql -c \"SHOW shared_preload_libraries\" \n\nIf pgaudit is not in the current setting, this is a finding. \n\nAs the database administrator (shown here as \"postgres\"), check the current settings by running the following SQL: \n\n$ psql -c \"SHOW log_destination\" \n\nIf stderr or syslog are not in the current setting, this is a finding.","fixText":"Configure PostgreSQL to enable auditing.\n\nTo ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\n\nFor session logging, using pgaudit is recommended. For instructions on how to setup pgaudit, refer to supplementary content APPENDIX-B."},{"id":"6d6c2041-facb-4899-be55-1fba0e9a8305","vulnId":"V-261866","severity":"medium","ruleTitle":"PostgreSQL must produce audit records containing sufficient information to establish what type of events occurred.","description":"$25","checkContent":"As the database administrator (shown here as \"postgres\"), verify the current log_line_prefix setting:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nVerify that the current settings are appropriate for the organization.\n\nThe following is what is possible for logged information:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %h = remote host\n# %p = process ID\n# %t = timestamp without milliseconds\n# %m = timestamp with milliseconds\n# %i = command tag\n# %e = SQL state\n# %c = session ID\n# %l = session line number\n# %s = session start timestamp\n# %v = virtual transaction ID\n# %x = transaction ID (0 if none)\n# %q = stop here in non-session processes\n\nIf the audit record does not log events required by the organization, this is a finding.\n\nVerify the current settings of log_connections and log_disconnections by running the following SQL:\n\n$ psql -c \"SHOW log_connections\"\n$ psql -c \"SHOW log_disconnections\"\n\nIf either setting is off, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C. \n\nIf logging is enabled the following configurations must be made to log connections, date/time, username and session identifier.\n\nEdit the postgresql.conf file as a privileged user:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters based on the organization's needs (minimum requirements are as follows):\n\nlog_connections = on\nlog_disconnections = on\nlog_line_prefix = '< %m %u %d %c: >'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"6b27f2e1-9c38-4075-8c2d-b2d264affd02","vulnId":"V-261867","severity":"medium","ruleTitle":"PostgreSQL must produce audit records containing time stamps to establish when the events occurred.","description":"Information system auditing capability is critical for accurate forensic analysis. Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nTo compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.\n\nPostgreSQL is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly when specific actions were performed. This requires the date and time an audit record is referring to. If date and time information is not recorded and stored with the audit record, the record itself is of very limited use.","checkContent":"As the database administrator (usually postgres), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf the query result does not contain \"%m\", this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nLogging must be enabled to capture timestamps. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nIf logging is enabled, the following configurations must be made to log events with timestamps:\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd %m to log_line_prefix to enable timestamps with milliseconds:\n\nlog_line_prefix = '< %m >'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"20607146-8307-41c1-9d2f-7888dd016c7a","vulnId":"V-261868","severity":"medium","ruleTitle":"PostgreSQL must produce audit records containing sufficient information to establish where the events occurred.","description":"Information system auditing capability is critical for accurate forensic analysis. Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as application components, modules, session identifiers, filenames, host names, and functionality. \n\nAssociating information about where the event occurred within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"As the database administrator (shown here as \"postgres\"), check the current log_line_prefix setting by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf log_line_prefix does not contain \"%m %u %d %s\", this is a finding.","fixText":"$$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nExtra parameters can be added to the setting log_line_prefix to log application related information:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %p = process ID\n# %m = timestamp with milliseconds\n# %i = command tag\n# %s = session startup\n# %e = SQL state\n\nFor example:\n\nlog_line_prefix = '< %m %a %u %d %r %p %i %e %s>'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"c9c34fc7-4902-471c-aa19-0bcb842ad5cd","vulnId":"V-261869","severity":"medium","ruleTitle":"PostgreSQL must produce audit records containing sufficient information to establish the sources (origins) of the events.","description":"Information system auditing capability is critical for accurate forensic analysis. Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nTo compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as application components, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application must also produce audit records that identify the application itself as the source of the event.\n\nAssociating information about the source of the event within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"Check PostgreSQL settings and existing audit records to verify information specific to the source (origin) of the event is being captured and stored with audit records.\n\nAs the database administrator (usually postgres) check the current log_line_prefix and log_hostname setting by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n$ psql -c \"SHOW log_hostname\"\n\nFor a complete list of extra information that can be added to log_line_prefix, refer to the official documentation: https://www.postgresql.org/docs/current/static/runtime-config-logging.html#GUC-LOG-LINE-PREFIX.\n\nIf the current settings do not provide enough information regarding the source of the event, this is a finding.","fixText":"$26"},{"id":"cb32cd42-1a06-4dd3-b334-e3e480c3dcdd","vulnId":"V-261870","severity":"medium","ruleTitle":"PostgreSQL must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.","description":"Information system auditing capability is critical for accurate forensic analysis. Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system.\n\nEvent outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.","checkContent":"$27","fixText":"$28"},{"id":"47146cd9-76f5-4360-aaa9-5b4879cf735e","vulnId":"V-261871","severity":"medium","ruleTitle":"PostgreSQL must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.","description":"Information system auditing capability is critical for accurate forensic analysis. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.\n\nIdentifiers (if authenticated or otherwise known) include, but are not limited to, user database tables, primary key values, usernames, or process identifiers.","checkContent":"Check PostgreSQL settings and existing audit records to verify a username associated with the event is being captured and stored with the audit records. If audit records exist without specific user information, this is a finding.\n\nAs the database administrator (shown here as \"postgres\"), verify the current setting of log_line_prefix by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf log_line_prefix does not contain %m, %u, %d, %p, %r, %a, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nLogging must be enabled to capture the identity of any user/subject or process associated with an event. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nTo enable username, database name, process ID, remote host/port and application name in logging, as the database administrator (shown here as \"postgres\"), edit the following in postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_line_prefix = '< %m %u %d %p %r %a >'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"e1fac84e-c44e-46b4-a1aa-736dbc844617","vulnId":"V-261872","severity":"medium","ruleTitle":"PostgreSQL must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.","description":"$29","checkContent":"Note: The following instructions use the PGDATA and PGLOG environment variables. Refer to APPENDIX-F and APPENDIX-I for instructions on configuring them.\n\nReview the system documentation to identify what additional information the organization has determined necessary.\n\nCheck PostgreSQL settings by examining ${PGDATA?}/postgresql.conf to ensure additional auditing is configured and then examine existing audit records in ${PGLOG?}/ to verify that all organization-defined additional, more detailed information is in the audit records for audit events identified by type, location, or subject after executing SQL commands that fall under the additional audit classes.\n\nIf any additional information is defined and is not contained in the audit records, this is a finding.","fixText":"Configure PostgreSQL audit settings to include all organization-defined detailed information in the audit records for audit events identified by type, location, or subject.\n\nUsing pgaudit, PostgreSQL can be configured to audit these requests. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nTo ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C."},{"id":"e798727c-db3a-4fb5-bf5a-088b569e7e26","vulnId":"V-261873","severity":"medium","ruleTitle":"PostgreSQL must, by default, shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.","description":"It is critical that when the DBMS is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen the need for system availability does not outweigh the need for a complete audit trail, PostgreSQL should shut down immediately, rolling back all in-flight transactions.\n\nSystems where audit trail completeness is paramount will most likely be at a lower MAC level than MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid a shutdown in all but the most extreme situations.","checkContent":"If the application owner has determined that the need for system availability outweighs the need for a complete audit trail, this is Not Applicable.\n\nReview the procedures, either manually and/or automated, for monitoring the space used by audit trail(s) and for offloading audit records to a centralized log management system.\n\nIf the procedures do not exist, this is a finding.\n\nIf the procedures exist, request evidence that they are followed. If the evidence indicates that the procedures are not followed, this is a finding.\n\nIf the procedures exist, inquire if the system has ever run out of audit trail space in the last two years or since the last system upgrade, whichever is more recent. If it has run out of space in this period, and the procedures have not been updated to compensate, this is a finding.","fixText":"Modify PostgreSQL, OS, or third-party logging application settings to alert appropriate personnel when a specific percentage of log storage capacity is reached."},{"id":"8de06fba-4829-488b-bcf9-3fa911cc11f8","vulnId":"V-261874","severity":"medium","ruleTitle":"PostgreSQL must be configurable to overwrite audit log records, oldest first (first-in-first-out [FIFO]), in the event of unavailability of space for more audit log records.","description":"$2a","checkContent":"If the Authorizing Official (AO)-approved system documentation states that system availability takes precedence, this requirement is Not Applicable.\n\nIf an externally managed and monitored partition or logical volume that can be grown dynamically is being used for logging, this is not a finding. \n\nIf PostgreSQL is auditing to a directory that is not being actively checked for availability of disk space, and if a tool, utility, script, or other mechanism is not being used to ensure sufficient disk space is available for the creation of new audit logs, this is a finding.\n\nIf a tool, utility, script, or other mechanism is being used to rotate audit logs and oldest logs are not being removed to ensure sufficient space for newest logs or oldest logs are not being replaced by newest logs, this is a finding.","fixText":"Establish a process with accompanying tools for monitoring available disk space and ensuring that sufficient disk space is maintained to continue generating audit logs, overwriting the oldest existing records if necessary."},{"id":"9a46e9c3-3829-4362-99b9-8edb343974a7","vulnId":"V-261875","severity":"medium","ruleTitle":"The audit information produced by PostgreSQL must be protected from unauthorized read access.","description":"$2b","checkContent":"$2c","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. \n\nTo ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\n#### syslog Logging\n\nIf PostgreSQL is configured to use syslog for logging, consult organization location and permissions for syslog log files.\n\n#### stderr Logging\n\nIf PostgreSQL is configured to use stderr for logging, permissions of the log files can be set in postgresql.conf.\n\nAs the database administrator (shown here as \"postgres\"), edit the following settings of logs in the postgresql.conf file:\n\nNote: Consult the organization's documentation on acceptable log privileges.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_file_mode = 0600\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"42efe6ec-9055-42d9-b127-973d1f927c1e","vulnId":"V-261876","severity":"medium","ruleTitle":"The audit information produced by PostgreSQL must be protected from unauthorized modification.","description":"$2d","checkContent":"$2e","fixText":"To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nNote: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for instructions on configuring PGLOG.\n\n#### stderr Logging\n\nWith stderr logging enabled, as the database owner (shown here as \"postgres\"), set the following parameter in postgresql.conf:\n\n$ vi ${PGDATA?}/postgresql.conf\nlog_file_mode = 0600\n\nTo change the owner and permissions of the log files, run the following:\n\n$ chown postgres:postgres ${PGDATA?}/${PGLOG?}\n$ chmod 0700 ${PGDATA?}/${PGLOG?}\n$ chmod 600 ${PGDATA?}/${PGLOG?}/*.log\n\n#### syslog Logging\n\nIf PostgreSQL is configured to use syslog for logging, the log files must be configured to be owned by root with 0600 permissions.\n\n$ chown root:root /\n$ chmod 0700 \n$ chmod 0600 /*.log"},{"id":"c1bd578b-4caf-450c-823c-ff867fad3c62","vulnId":"V-261877","severity":"medium","ruleTitle":"The audit information produced by PostgreSQL must be protected from unauthorized deletion.","description":"$2f","checkContent":"$30","fixText":"To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nNote: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for instructions on configuring PGLOG.\n\n#### stderr Logging\n\nWith stderr logging enabled, as the database owner (shown here as \"postgres\"), set the following parameter in postgresql.conf:\n\n$ vi ${PGDATA?}/postgresql.conf\nlog_file_mode = 0600\n\nTo change the owner and permissions of the log files, run the following:\n\n$ chown postgres:postgres ${PGDATA?}/${PGLOG?}\n$ chmod 0700 ${PGDATA?}/${PGLOG?}\n$ chmod 600 ${PGDATA?}/${PGLOG?}/*.log\n\n#### syslog Logging\n\nIf PostgreSQL is configured to use syslog for logging, the log files must be configured to be owned by root with 0600 permissions.\n\n$ chown root:root /\n$ chmod 0700 \n$ chmod 0600 /*.log"},{"id":"5276c6c1-e410-4059-9d80-a423bdfb730b","vulnId":"V-261878","severity":"medium","ruleTitle":"PostgreSQL must protect its audit features from unauthorized access.","description":"$31","checkContent":"$32","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA, APPENDIX-H for PGVER and APPENDIX-I for PGLOG.\n\nIf PGLOG or PGDATA are not owned by postgres user and group, configure them as follows: \n\n$ sudo chown -R postgres:postgres ${PGDATA?}\n$ sudo chown -R postgres:postgres ${PGLOG?}\n\nIf the pgaudit installation is not owned by root user and group, configure it as follows:\n\n$ sudo chown -R root:root /usr/pgsql-${PGVER?}/share/extension/pgaudit*\n\nTo remove superuser from a role, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"ALTER ROLE WITH NOSUPERUSER\""},{"id":"45e95411-2e77-4ceb-a978-eee0013d0863","vulnId":"V-261879","severity":"medium","ruleTitle":"PostgreSQL must protect its audit configuration from unauthorized modification.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the modification of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"$33","fixText":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.\n\nApply or modify access controls and permissions (both within PostgreSQL and in the file system/operating system) to tools used to view or modify audit log data. Tools must be configurable by authorized personnel only.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_file_mode = 0600\n\nAs the database administrator (shown here as \"postgres\"), change the ownership and permissions of configuration files in PGDATA:\n\n$ sudo su - postgres\n$ chown postgres:postgres ${PGDATA?}/*.conf\n$ chmod 0600 ${PGDATA?}/*.conf"},{"id":"b55c221f-a955-4f18-90b3-e75f2036bc8d","vulnId":"V-261880","severity":"medium","ruleTitle":"PostgreSQL must protect its audit features from unauthorized removal.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nAs the database administrator (shown here as \"postgres\"), verify the permissions of PGDATA: \n\n$ sudo su - postgres \n$ ls -la ${PGDATA?} \n\nIf PGDATA is not owned by postgres:postgres or if files can be accessed by others, this is a finding. \n\nAs the system administrator, verify the permissions of pgsql shared objects and compiled binaries: \n\n$ ls -la /usr/pgsql-${PGVER?}/bin\n$ ls -la /usr/pgsql-${PGVER?}/include\n$ ls -la /usr/pgsql-${PGVER?}/lib\n$ ls -la /usr/pgsql-${PGVER?}/share \n\nIf any of these are not owned by root:root, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nAs the system administrator, change the permissions of PGDATA: \n\n$ sudo chown -R postgres:postgres ${PGDATA?} \n$ sudo chmod 700 ${PGDATA?} \n\nAs the system administrator, change the permissions of pgsql: \n\n$ sudo chown -R root:root /usr/pgsql-${PGVER?}"},{"id":"f2478008-3cb7-48b6-9133-11aa6c7d2517","vulnId":"V-261881","severity":"medium","ruleTitle":"PostgreSQL must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to PostgreSQL.","description":"If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.","checkContent":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nAs the database administrator (shown here as \"postgres\"), check the permissions of configuration files for the database:\n\n$ sudo su - postgres\n$ ls -la ${PGDATA?}\n\nIf any files are not owned by the database owner or have permissions allowing others to modify (write) configuration files, this is a finding.\n\nAs the server administrator, check the permissions on the shared libraries for PostgreSQL:\n\n$ sudo ls -la /usr/pgsql-${PGVER?} \n$ sudo ls -la /usr/pgsql-${PGVER?}/bin\n$ sudo ls -la /usr/pgsql-${PGVER?}/include\n$ sudo ls -la /usr/pgsql-${PGVER?}/lib\n$ sudo ls -la /usr/pgsql-${PGVER?}/share\n\nIf any files are not owned by root or have permissions allowing others to modify (write) configuration files, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nAs the database administrator (shown here as \"postgres\"), change the ownership and permissions of configuration files in PGDATA: \n\n$ sudo su - postgres \n$ chown postgres:postgres ${PGDATA?}/postgresql.conf \n$ chmod 0600 ${PGDATA?}/postgresql.conf \n\nAs the server administrator, change the ownership and permissions of shared objects in /usr/pgsql-${PGVER?}/*.so \n\n$ sudo chown root:root /usr/pgsql-${PGVER?}/lib/*.so \n$ sudo chmod 0755 /usr/pgsql-${PGVER?}/lib/*.so \n\nAs the service administrator, change the ownership and permissions of executables in /usr/pgsql-${PGVER?}/bin: \n\n$ sudo chown root:root /usr/pgsql-${PGVER?}/bin/* \n$ sudo chmod 0755 /usr/pgsql-${PGVER?}/bin/*"},{"id":"34d1758a-c8bf-463c-ba0d-ebc34ff80c0a","vulnId":"V-261882","severity":"high","ruleTitle":"The PostgreSQL software installation account must be restricted to authorized users.","description":"When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system.\n\nIf the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nDBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a great impact on database security and operation. It is especially important to grant privileged access to only those persons who are qualified and authorized to use them.","checkContent":"Review procedures for controlling, granting access to, and tracking use of the PostgreSQL software installation account(s).\n\nIf access or use of this account is not restricted to the minimum number of personnel required or if unauthorized access to the account has been granted, this is a finding.","fixText":"Develop, document, and implement procedures to restrict and track use of the PostgreSQL software installation account(s)."},{"id":"d6a92c41-4048-4815-954b-fe5be7155ab7","vulnId":"V-261883","severity":"medium","ruleTitle":"Database software, including PostgreSQL configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.","description":"$34","checkContent":"Review the PostgreSQL software library directory and any subdirectories.\n\nIf any non-PostgreSQL software directories exist on the disk directory, examine or investigate their use. If any of the directories are used by other applications, including third-party applications that use the PostgreSQL, this is a finding.\n\nOnly applications that are required for the functioning and administration, not use, of the PostgreSQL software library should be located in the same disk directory as the PostgreSQL software libraries.\n\nIf other applications are located in the same directory as PostgreSQL, this is a finding.","fixText":"Install all applications on directories separate from the PostgreSQL software library directory. Relocate any directories or reinstall other application software that currently shares the PostgreSQL software library directory."},{"id":"8e22f09c-7c13-4172-a842-c57b40f0edb2","vulnId":"V-261884","severity":"medium","ruleTitle":"Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be owned by database/PostgreSQL principals authorized for ownership.","description":"Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who uses the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.\n\nConversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.","checkContent":"Review system documentation to identify accounts authorized to own database objects. Review accounts that own objects in the database(s).\n\nIf any database objects are found to be owned by users not authorized to own database objects, this is a finding.\n\nTo check the ownership of objects in the database, as the database administrator, run the following SQL:\n\n$ sudo su - postgres\n$ psql -X -c '\\dnS'\n$ psql -x -c \"\\dt *.*\"\n$ psql -X -c '\\dsS'\n$ psql -x -c \"\\dv *.*\"\n$ psql -x -c \"\\df+ *.*\"\n\nIf any object is not owned by an authorized role for ownership, this is a finding.","fixText":"Assign ownership of authorized objects to authorized object owner accounts.\n\n#### Schema Owner\n\nTo create a schema owned by the user \"bob\", run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"CREATE SCHEMA test AUTHORIZATION bob\" \n\nTo alter the ownership of an existing object to be owned by the user \"bob\", run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"ALTER SCHEMA test OWNER TO bob\""},{"id":"879edeff-6448-4a5a-82ed-8995ce3bdbd1","vulnId":"V-261885","severity":"medium","ruleTitle":"The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to PostgreSQL, etc.) must be restricted to authorized users.","description":"If PostgreSQL were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.","checkContent":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.\n\nAs the database administrator (shown here as \"postgres\"), list all users and their permissions by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\dp *.*\"\n\nVerify that all objects have the correct privileges. If they do not, this is a finding.\n\nAs the database administrator (shown here as \"postgres\"), verify the permissions of the database directory on the filesystem:\n\n$ ls -la ${PGDATA?}\n\nIf permissions of the database directory are not limited to an authorized user account, this is a finding.","fixText":"As the database administrator, revoke any permissions from a role that are deemed unnecessary by running the following SQL:\n\nALTER ROLE bob NOCREATEDB;\nALTER ROLE bob NOCREATEROLE;\nALTER ROLE bob NOSUPERUSER;\nALTER ROLE bob NOINHERIT;\nREVOKE SELECT ON some_function FROM bob;"},{"id":"bb4bdc7e-4559-4a68-a2f5-183c04df183c","vulnId":"V-261886","severity":"medium","ruleTitle":"Unused database components, PostgreSQL software, and database objects must be removed.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives. \n\nPostgreSQL must adhere to the principles of least functionality by providing only essential capabilities.","checkContent":"To get a list of all extensions installed, use the following commands:\n\n$ sudo su - postgres\n$ psql -c \"select * from pg_extension where extname != 'plpgsql'\"\n\nIf any extensions exist that are not approved, this is a finding.","fixText":"To remove extensions, use the following commands:\n\n$ sudo su - postgres\n$ psql -c \"DROP EXTENSION \"\n\nNote: Removal of plpgsql is not recommended."},{"id":"204c5aa7-0044-4d7b-b68f-1a24bde632aa","vulnId":"V-261887","severity":"medium","ruleTitle":"Unused database components that are integrated in PostgreSQL and cannot be uninstalled must be disabled.","description":"$35","checkContent":"To list all installed packages, as the system administrator, run the following:\n\n# RHEL/CENT 8/9 Systems\n$ sudo dnf list installed | grep postgres\n\n# RHEL/CENT 7 Systems\n$ sudo yum list installed | grep postgres\n\n# Debian Systems\n$ dpkg --get-selections | grep postgres\n\nIf any of the packages installed not required, this is a finding.","fixText":"To remove any unneeded executables, as the system administrator, run the following:\n\n# RHEL/CENT Systems\n$ sudo yum erase \n\n# Debian Systems\n$ sudo apt-get remove "},{"id":"314c2b90-fdec-4d63-a070-12013be49cb6","vulnId":"V-261888","severity":"medium","ruleTitle":"Access to external executables must be disabled or restricted.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nIt is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives.\n\nApplications must adhere to the principles of least functionality by providing only essential capabilities.\n\nPostgreSQL may spawn additional external processes to execute procedures that are defined in PostgreSQL but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than PostgreSQL and provide unauthorized access to the host system.","checkContent":"PostgreSQL's COPY command can interact with the underlying OS. Only superuser has access to this command.\n\nAs the database administrator (shown here as \"postgres\"), run the following SQL to list all roles and their privileges:\n\n$ sudo su - postgres\n$ psql -x -c \"\\du\"\n\nIf any role has \"superuser\" that should not, this is a finding.\n\nIt is possible for an extension to contain code that could access external executables via SQL. To list all installed extensions, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -x -c \"SELECT * FROM pg_available_extensions WHERE installed_version IS NOT NULL\"\n\nIf any installed extensions are not approved, this is a finding.","fixText":"To remove superuser from a role, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"ALTER ROLE WITH NOSUPERUSER\"\n\nTo remove extensions from PostgreSQL, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"DROP EXTENSION extension_name\""},{"id":"09a1f5c8-5791-4c0a-a795-7aef9158644d","vulnId":"V-261889","severity":"medium","ruleTitle":"PostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"$36","checkContent":"As the database administrator, run the following SQL:\n\n$ psql -c \"SHOW port\"\n$ psql -c \"SHOW listen_addresses\"\n\nIf the currently defined address:port configuration is deemed prohibited, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo change the listening port of the database, as the database administrator, change the following setting in postgresql.conf: \n\n$ sudo su - postgres \n$ vi $PGDATA/postgresql.conf \n\nChange the port parameter to the desired port. \n\nTo change the listening address of the database, as the database administrator, change the following setting in postgresql.conf: \nlisten_addresses = '10.0.0.1, 127.0.0.1'\n\nRestart the database: \n\n# SYSTEMD SERVER ONLY \n$ sudo systemctl restart postgresql-${PGVER?} \n\n\nNote: psql uses the port 5432 by default. This can be changed by specifying the port with psql or by setting the PGPORT environment variable: \n\n$ psql -p 5432 -c \"SHOW port\" \n$ export PGPORT=5432"},{"id":"33d7e3c9-7119-47c9-9452-177979963756","vulnId":"V-261890","severity":"medium","ruleTitle":"PostgreSQL must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and \n(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals using shared accounts, for detailed accountability of individual activity.","checkContent":"Review PostgreSQL settings to determine whether organizational users are uniquely identified and authenticated when logging on/connecting to the system.\n\nTo list all roles in the database, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf organizational users are not uniquely identified and authenticated, this is a finding.\n\nAs the database administrator (shown here as \"postgres\"), verify the current pg_hba.conf authentication settings:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_hba.conf\n\nIf every role does not have unique authentication requirements, this is a finding.\n\nIf accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account, this is a finding.","fixText":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL settings to uniquely identify and authenticate all organizational users who log on/connect to the system.\n\nTo create roles, use the following SQL:\n\nCREATE ROLE [OPTIONS]\n\nFor more information on CREATE ROLE, refer to the official documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html.\n\nFor each role created, the database administrator can specify database authentication by editing pg_hba.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/pg_hba.conf\n\nAn example pg_hba entry looks like this:\n\n# TYPE DATABASE USER ADDRESS METHOD\nhost test_db bob 192.168.0.0/16 scram-sha-256\n\nFor more information on pg_hba.conf, refer to the official documentation: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html."},{"id":"4fbc3c59-2519-40a6-a5a2-d6ec1f90088e","vulnId":"V-261891","severity":"high","ruleTitle":"If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords.","description":"The DOD standard for authentication is DOD-approved PKI certificates.\n\nAuthentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires Authorizing Official (AO) approval.\n\nIn such cases, database passwords stored in clear text, using reversible encryption, or using unsalted hashes would be vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes when stored internally or externally to PostgreSQL.","checkContent":"Note: The following instructions use the PGVER environment variables. Refer to supplementary content APPENDIX-H for PGVER.\n\nTo check if password encryption is enabled, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW password_encryption\"\n\nIf password_encryption is not \"scram-sha-256\", this is a finding.\n\nTo identify if any passwords have been stored without being hashed and salted, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -x -c \"SELECT username, passwd FROM pg_shadow WHERE passwd IS NULL OR passwd NOT LIKE 'SCRAM-SHA-256%';\"\n\nIf any password is in plaintext, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo enable password_encryption, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npassword_encryption = 'scram-sha-256'\n\nInstitute a policy of not using the \"WITH UNENCRYPTED PASSWORD\" option with the CREATE ROLE/USER and ALTER ROLE/USER commands. (This option overrides the setting of the password_encryption configuration parameter.)\n\nAs the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-${PGVER?}"},{"id":"69be129d-7838-456a-8a8d-98a845f24e49","vulnId":"V-261892","severity":"high","ruleTitle":"If passwords are used for authentication, PostgreSQL must transmit only encrypted representations of passwords.","description":"The DOD standard for authentication is DOD-approved PKI certificates.\n\nAuthentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires Authorizing Official (AO) approval.\n\nIn such cases, passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission.\n\nPostgreSQL passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.","checkContent":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.\n\nAs the database administrator (shown here as \"postgres\"), review the authentication entries in pg_hba.conf:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_hba.conf\n\nIf any entries use the auth_method (last column in records) \"password\" or \"md5\", this is a finding.","fixText":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.\n\nAs the database administrator (shown here as \"postgres\"), edit pg_hba.conf authentication file and change all entries of \"password\" to \"scram-sha-256\":\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/pg_hba.conf\nhost all all .example.com scram-sha-256"},{"id":"5591d9a4-b35e-4f35-aa7a-ba02ce5bfb29","vulnId":"V-261893","severity":"medium","ruleTitle":"PostgreSQL, when using PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.","description":"The DOD standard for authentication is DOD-approved PKI certificates.\n\nA certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.\n\nDatabase Management Systems that do not validate certificates by performing RFC 5280-compliant certification path validation are in danger of accepting certificates that are invalid and/or counterfeit. This could allow unauthorized access to the database.","checkContent":"$37","fixText":"$38"},{"id":"e955429e-0222-4d31-828a-21c31591c8ba","vulnId":"V-261894","severity":"high","ruleTitle":"PostgreSQL must enforce authorized access to all PKI private keys stored/used by PostgreSQL.","description":"$39","checkContent":"$3a","fixText":"$3b"},{"id":"bc80fc49-03a0-45e1-aae4-538b5da636e3","vulnId":"V-261895","severity":"medium","ruleTitle":"PostgreSQL must map the PKI-authenticated identity to an associated user account.","description":"The DOD standard for authentication is DOD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a PostgreSQL user account for the authenticated identity to be meaningful to PostgreSQL and useful for authorization decisions.","checkContent":"The Common Name (cn) attribute of the certificate will be compared to the requested database username and, if they match, the login will be allowed.\n\nTo check the cn of the certificate, using openssl, do the following:\n\n$ openssl x509 -noout -subject -in /path/to/your/client_cert.file\n\nIf the cn does not match the users listed in PostgreSQL and no user mapping is used, this is a finding.\n\nUser name mapping can be used to allow cn to be different from the database username. If User Name Maps are used, run the following as the database administrator (shown here as \"postgres\"), to get a list of maps used for authentication:\n\n$ sudo su - postgres\n$ grep \"map\" ${PGDATA?}/pg_hba.conf\n\nWith the names of the maps used, check those maps against the username mappings in pg_ident.conf:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_ident.conf\n\nIf user accounts are not being mapped to authenticated identities, this is a finding.\n\nIf the cn and the username mapping do not match, this is a finding.","fixText":"Configure PostgreSQL to map authenticated identities directly to PostgreSQL user accounts.\n\nFor information on configuring PostgreSQL to use SSL, refer to supplementary content APPENDIX-G."},{"id":"1d6aa187-c60e-49c0-971d-3962321d657f","vulnId":"V-261896","severity":"high","ruleTitle":"PostgreSQL must use NIST FIPS 140-2/140-3 validated cryptographic modules for cryptographic operations.","description":"$3c","checkContent":"Verify FIPS is enabled for the OS. Following are example Linux commands:\n\n# sysctl crypto.fips_enabled\ncrypto.fips_enabled = 1\n \nIf crypto.fips_enabled = 0, this is a finding. \n\nOR\n\n$ sudo fips-mode-setup --check\nFIPS mode is enabled.\n\nIf FIPS mode is not enabled, this is a finding.\n\nRun the following command to check the OpenSSL version:\n\n$ openssl -version\n\nNote: FIPS-compliant libraries for OpenSSL 1.x.x contain \"fips\" in the version.\n\nIf the value of OpenSSL library is not FIPS compliant, this is a finding.\n\nIf using OpenSSL 3.x, check the providers:\n\nopenssl list -providers\n\nProviders:\ndefault\nname: OpenSSL Default Provider\nversion: 3.2.2\nstatus: active\n\nfips\n name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider\n version: 3.2.2-622cc79c634cbbef\n status: active\n\nIf the response does not list a FIPS provider with a status of \"active\", this is a finding.","fixText":"$3d"},{"id":"88577fb4-5ec0-42b3-b65d-b8bae585bc6b","vulnId":"V-261897","severity":"medium","ruleTitle":"PostgreSQL must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).","description":"Nonorganizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations).\n\nNonorganizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server.\n\nAccordingly, a risk assessment is used in determining the authentication needs of the organization.\n\nScalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.","checkContent":"PostgreSQL uniquely identifies and authenticates PostgreSQL users through the use of DBMS roles.\n\nTo list all roles in the database, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf users are not uniquely identified per organizational documentation, this is a finding.","fixText":"To drop a role, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"DROP ROLE \"\n\nTo create a role, as the database administrator, run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"CREATE ROLE LOGIN\"\n\nFor the complete list of permissions allowed by roles, refer to the official documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html."},{"id":"bf0a9e9a-e275-4520-b8a9-2e4f15301e95","vulnId":"V-261898","severity":"medium","ruleTitle":"PostgreSQL must separate user functionality (including user interface services) from database management functionality.","description":"$3e","checkContent":"Check PostgreSQL settings and vendor documentation to verify that administrative functionality is separate from user functionality.\n\nAs the database administrator (shown here as \"postgres\"), list all roles and permissions for the database:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf any nonadministrative role has the attribute \"Superuser\", \"Create role\", \"Create DB\" or \"Bypass RLS\", this is a finding.\n\nIf administrator and general user functionality are not separated either physically or logically, this is a finding.","fixText":"Configure PostgreSQL to separate database administration and general user functionality.\n\nDo not grant superuser, create role, create db, or bypass rls role attributes to users that do not require it.\n\nTo remove privileges, refer to the following example:\n\nALTER ROLE NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;"},{"id":"f3a6b241-75b0-4e31-b1f7-f770f6359847","vulnId":"V-261899","severity":"medium","ruleTitle":"PostgreSQL must invalidate session identifiers upon user logout or other session termination.","description":"$3f","checkContent":"As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -h localhost -c \"SHOW tcp_keepalives_idle\"\n$ psql -h localhost -c \"SHOW tcp_keepalives_interval\"\n$ psql -h localhost -c \"SHOW tcp_keepalives_count\"\n$ psql -h localhost -c \"SHOW statement_timeout\"\n\nIf these settings are not set to something other than zero, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi $PGDATA/postgresql.conf\n\nSet the following parameters to organizational requirements:\n\nstatement_timeout = 10000 #milliseconds\ntcp_keepalives_idle = 10 # seconds\ntcp_keepalives_interval = 10 # seconds\ntcp_keepalives_count = 10\n\nAs the system administrator, restart the server with the new configuration:\n\n$ sudo systemctl restart postgresql-${PGVER?}"},{"id":"92f98c13-e5cd-45e6-82c1-7719163f0260","vulnId":"V-261900","severity":"medium","ruleTitle":"PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.","description":"One class of man-in-the-middle, or session hijacking, attack involves the adversary guessing at valid session identifiers based on patterns in identifiers already known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of unique session identifiers using a FIPS 140-2 or 140-3 approved random number generator.\n\nHowever, it is recognized that available DBMS products do not all implement the preferred technique yet may have other protections against session hijacking. Therefore, other techniques are acceptable, provided they are demonstrated to be effective.","checkContent":"To check if PostgreSQL is configured to use ssl, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\"\n\nIf this is not set to on, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo configure PostgreSQL to use SSL, as a database owner (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}\n\nFor more information on configuring PostgreSQL to use SSL, refer to supplementary content APPENDIX-G.\n\nFor further SSL configurations, refer to the official documentation: https://www.postgresql.org/docs/current/static/ssl-tcp.html."},{"id":"6a73b6ad-77e1-4276-b9f9-770b84a3c79b","vulnId":"V-261901","severity":"high","ruleTitle":"PostgreSQL must protect the confidentiality and integrity of all information at rest.","description":"This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Applications and application users generate information throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be protected. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data will be open to compromise and unauthorized modification.","checkContent":"If the application owner and Authorizing Official (AO) have determined that encryption of data at rest is NOT required, this is not a finding.\n\nOne possible way to encrypt data within PostgreSQL is to use the pgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown here as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a finding.\n\nIf disk or filesystem requires encryption, ask the system owner, database administrator (DBA), and system administrator (SA) to demonstrate the use of disk-level encryption. If this is required and is not found, this is a finding.\n\nIf controls do not exist or are not enabled, this is a finding.","fixText":"Apply appropriate controls to protect the confidentiality and integrity of data at rest in the database.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. Refer to supplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password', gen_salt('xdes')));"},{"id":"ce9db82e-99af-4fcb-8d18-802ba14559a4","vulnId":"V-261902","severity":"medium","ruleTitle":"PostgreSQL must isolate security functions from nonsecurity functions.","description":"$40","checkContent":"$41","fixText":"Do not locate security-related database objects with application tables or schema.\n\nReview any site-specific applications security modules built into the database: determine what schema they are located in and take appropriate action.\n\nDo not grant access to pg_catalog or information_schema to anyone but the database administrator(s). Access to the database administrator account(s) must not be granted to anyone without official approval."},{"id":"8b5a014c-39ed-4b67-96fd-008b254db672","vulnId":"V-261903","severity":"medium","ruleTitle":"Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.","description":"Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location without the proper controls.","checkContent":"Review the procedures for the refreshing of development/test data from production.\n\nReview any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations. \n\nIf the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.","fixText":"Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations."},{"id":"764d6342-5294-4780-a69e-3b55f8f71b8e","vulnId":"V-261904","severity":"medium","ruleTitle":"Access to database files must be limited to relevant processes and to authorized, administrative users.","description":"Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. Permitting only PostgreSQL processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.","checkContent":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.\n\nReview the permissions granted to users by the operating system/file system on the database files, database log files and database backup files.\n\nTo verify that all files are owned by the database administrator and have the correct permissions, run the following as the database administrator (shown here as \"postgres\"):\n\n$ sudo su - postgres\n$ ls -lR ${PGDATA?}\n\nIf any files are not owned by the database administrator or allow anyone but the database administrator to read/write/execute, this is a finding.\n\nIf any user/role that is not an authorized system administrator with a need-to-know or database administrator with a need-to-know, or a system account for running PostgreSQL processes, is permitted to read/view any of these files, this is a finding.","fixText":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure the permissions granted by the operating system/file system on the database files, database log files, and database backup files so that only relevant system accounts and authorized system administrators and database administrators with a need to know are permitted to read/view these files.\n\nAny files (for example: extra configuration files) created in ${PGDATA?} must be owned by the database administrator, with only owner permissions to read, write, and execute."},{"id":"f8f95e6f-0a1f-46df-b7ce-ab544dea42d0","vulnId":"V-261905","severity":"medium","ruleTitle":"PostgreSQL must check the validity of all data inputs except those specifically identified by the organization.","description":"$42","checkContent":"$43","fixText":"Modify database code to properly validate data before it is put into the database or acted upon by the database.\n\nModify the database to contain constraints and validity checking on database columns and tables that require them for data integrity.\n\nUse prepared statements when taking user input.\n\nDo not allow general users direct console access to PostgreSQL."},{"id":"d9b8302f-0910-470c-a452-7f871b752d3b","vulnId":"V-261906","severity":"medium","ruleTitle":"PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it.","description":"$44","checkContent":"Review PostgreSQL source code (trigger procedures, functions) and application source code, to identify cases of dynamic code execution. Any user input should be handled through prepared statements.\n\nIf dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, this is a finding.","fixText":"Where dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, modify the code to do so."},{"id":"b25214e8-8f8f-42f9-94d1-0e0803ce7b40","vulnId":"V-261907","severity":"medium","ruleTitle":"PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.","description":"$45","checkContent":"Review PostgreSQL source code (trigger procedures, functions) and application source code to identify cases of dynamic code execution.\n\nIf dynamic code execution is employed without protective measures against code injection, this is a finding.","fixText":"Where dynamic code execution is used, modify the code to implement protections against code injection (i.e., prepared statements)."},{"id":"89e62655-6d30-4c21-a8e1-8c01165e23b6","vulnId":"V-261908","severity":"medium","ruleTitle":"PostgreSQL must provide nonprivileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.","description":"$46","checkContent":"To check the level of detail for errors exposed to clients, as the DBA (shown here as \"postgres\"), run the following:\n\n$ sudo su - postgres\n$ psql -c \"SHOW client_min_messages;\"\n\nIf client_min_messages is not set to error, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nAs the database administrator, edit \"postgresql.conf\": \n\n$ sudo su - postgres \n$ vi $PGDATA/postgresql.conf \n\nChange the client_min_messages parameter to be \"error\": \n\nclient_min_messages = error \n\nReload the server with the new configuration (this just reloads settings currently in memory; it will not cause an interruption): \n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"26c9e567-eb21-4e3f-99be-15eeb014e8dd","vulnId":"V-261909","severity":"medium","ruleTitle":"PostgreSQL must reveal detailed error messages only to the information system security officer (ISSO), information system security manager (ISSM), system administrator (SA), and database administrator (DBA).","description":"$47","checkContent":"$48","fixText":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.\n\nTo set the level of detail for error messages exposed to clients, as the DBA (shown here as \"postgres\"), run the following commands:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nclient_min_messages = error"},{"id":"961fbd3c-8269-4092-8374-8996efb6eedd","vulnId":"V-261910","severity":"medium","ruleTitle":"PostgreSQL must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.","description":"$49","checkContent":"Review system documentation to obtain the organization's definition of circumstances requiring automatic session termination. If the documentation explicitly states that such termination is not required or is prohibited, this is not a finding.\n\nIf the documentation requires automatic session termination, but PostgreSQL is not configured accordingly, this is a finding.","fixText":"$4a"},{"id":"3c677587-a252-4e13-95a0-51ecb4ffc825","vulnId":"V-261911","severity":"medium","ruleTitle":"PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in storage.","description":"$4b","checkContent":"If security labeling is not required, this is not a finding.\n\nAs the database administrator (shown here as \"postgres\"), run the following SQL against each table that requires security labels:\n\n$ sudo su - postgres\n$ psql -c \"\\d+ .\"\n\nIf security labeling is required and the results of the SQL above do not show a policy attached to the table, this is a finding.\n\nIf security labeling is required and not implemented according to the system documentation, such as SSP, this is a finding.\n\nIf security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding.","fixText":"In addition to the SQL-standard privilege system available through GRANT, tables can have row security policies that restrict, on a per-user basis, which rows can be returned by normal queries or inserted, updated, or deleted by data modification commands. This feature is also known as Row-Level Security (RLS).\n\nRLS policies can be very different depending on their use case. For one example of using RLS for Security Labels, refer to supplementary content APPENDIX-D."},{"id":"2900c071-ba41-4caa-a6be-ef187aa2e90d","vulnId":"V-261912","severity":"medium","ruleTitle":"PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in process.","description":"$4c","checkContent":"If security labeling is not required, this is not a finding.\n\nAs the database administrator (shown here as \"postgres\"), run the following SQL against each table that requires security labels:\n\n$ sudo su - postgres\n$ psql -c \"\\d+ .\"\n\nIf security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in process, this is a finding.","fixText":"In addition to the SQL-standard privilege system available through GRANT, tables can have row security policies that restrict, on a per-user basis, which rows can be returned by normal queries or inserted, updated, or deleted by data modification commands. This feature is also known as Row-Level Security (RLS).\n\nRLS policies can be very different depending on their use case. For one example of using RLS for Security Labels, refer to supplementary content APPENDIX-D."},{"id":"58f76817-59b4-4883-99f8-31255eaacd54","vulnId":"V-261913","severity":"medium","ruleTitle":"PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in transmission.","description":"$4d","checkContent":"If security labeling is not required, this is not a finding.\n\nAs the database administrator (shown here as \"postgres\"), run the following SQL against each table that requires security labels:\n\n$ sudo su - postgres\n$ psql -c \"\\d+ .\"\n\nIf security labeling is required and the results of the SQL above do not show a policy attached to the table, this is a finding.\n\nIf security labeling is required and not implemented according to the system documentation, such as SSP, this is a finding.\n\nIf security labeling requirements have been specified, but the security labeling is not implemented or does not reliably maintain labels on information in storage, this is a finding.","fixText":"In addition to the SQL-standard privilege system available through GRANT, tables can have row security policies that restrict, on a per-user basis, which rows can be returned by normal queries or inserted, updated, or deleted by data modification commands. This feature is also known as Row-Level Security (RLS).\n\nRLS policies can be very different depending on their use case. For one example of using RLS for Security Labels, refer to supplementary content APPENDIX-D."},{"id":"0c3e65e3-8d6c-4e43-987f-ef3d8b0d6b79","vulnId":"V-261914","severity":"medium","ruleTitle":"PostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.","description":"$4e","checkContent":"Review system documentation to identify the required discretionary access control (DAC).\n\nReview the security configuration of the database and PostgreSQL. If applicable, review the security configuration of the application(s) using the database.\n\nIf the discretionary access control defined in the documentation is not implemented in the security configuration, this is a finding.\n\nIf any database objects are found to be owned by users not authorized to own database objects, this is a finding.\n\nTo check the ownership of objects in the database, as the database administrator, run the following:\n\n$ sudo su - postgres\n$ psql -X -c '\\dnS'\n$ psql -x -c \"\\dt *.*\"\n$ psql -X -c '\\dsS'\n$ psql -x -c \"\\dv *.*\"\n$ psql -x -c \"\\df+ *.*\"\n\nIf any role is given privileges to objects it should not have, this is a finding.","fixText":"Implement the organization's DAC policy in the security configuration of the database and PostgreSQL, and, if applicable, the security configuration of the application(s) using the database.\n\nTo GRANT privileges to roles, as the database administrator (shown here as \"postgres\"), run statements like the following examples:\n\n$ sudo su - postgres\n$ psql -c \"CREATE SCHEMA test\"\n$ psql -c \"GRANT CREATE ON SCHEMA test TO bob\"\n$ psql -c \"CREATE TABLE test.test_table(id INT)\"\n$ psql -c \"GRANT SELECT ON TABLE test.test_table TO bob\"\n\nTo REVOKE privileges to roles, as the database administrator (shown here as \"postgres\"), run statements like the following examples:\n\n$ psql -c \"REVOKE SELECT ON TABLE test.test_table FROM bob\"\n$ psql -c \"REVOKE CREATE ON SCHEMA test FROM bob\""},{"id":"a0379500-84e3-4e6b-b426-7c8132625a7e","vulnId":"V-261915","severity":"medium","ruleTitle":"PostgreSQL must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","description":"$4f","checkContent":"Review the system documentation to obtain the definition of the PostgreSQL functionality considered privileged in the context of the system in question.\n\nReview the PostgreSQL security configuration and/or other means used to protect privileged functionality from unauthorized use.\n\nIf the configuration does not protect all of the actions defined as privileged, this is a finding.\n\nIf PostgreSQL instance uses procedural languages, such as pl/Python or pl/R, without Authorizing Official (AO) authorization, this is a finding.","fixText":"Configure PostgreSQL security to protect all privileged functionality.\n\nIf pl/R and pl/Python are used, document their intended use, document users that have access to pl/R and pl/Python, as well as their business use case, such as data-analytics or data-mining. Because of the risks associated with using pl/R and pl/Python, their use must have AO risk acceptance.\n\nTo remove unwanted extensions, use:\n\nDROP EXTENSION \n\nTo remove unwanted privileges from a role, use the REVOKE command.\n\nRefer to the PostgreSQL documentation for more details: http://www.postgresql.org/docs/current/static/sql-revoke.html."},{"id":"f3995318-e073-4909-baec-216456cac76d","vulnId":"V-261916","severity":"medium","ruleTitle":"Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.","description":"$50","checkContent":"$51","fixText":"Determine where, when, how, and by what principals/subjects elevated privilege is needed.\n\nTo change a SECURITY DEFINER function to SECURITY INVOKER, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"ALTER FUNCTION SECURITY INVOKER\""},{"id":"d3668a03-63b3-4439-8424-e5fdeacfae64","vulnId":"V-261917","severity":"medium","ruleTitle":"PostgreSQL must use centralized management of the content captured in audit records generated by all components of PostgreSQL.","description":"Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.\n\nThe content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. \n\nPostgreSQL may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with offloading the records to the centralized system.","checkContent":"On Unix systems, PostgreSQL can be configured to use stderr, csvlog, and syslog. To send logs to a centralized location, syslog should be used.\n\nAs the database owner (shown here as \"postgres\"), ensure PostgreSQL uses syslog by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_destination\"\n\nAs the database owner (shown here as \"postgres\"), check to which log facility PostgreSQL is configured by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW syslog_facility\"\n\nCheck with the organization to refer to how syslog facilities are defined in their organization.\n\nIf PostgreSQL audit records are not written directly to or systematically transferred to a centralized log management system, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. \n\nTo ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\n\nWith logging enabled, as the database owner (shown here as \"postgres\"), configure the following parameters in postgresql.conf:\n\nNote: Consult the organization on how syslog facilities are defined in the syslog daemon configuration.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_destination = 'syslog'\nsyslog_facility = 'LOCAL0'\nsyslog_ident = 'postgres'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"834824ee-b4f0-4b50-87c4-b5726dbfafc0","vulnId":"V-261918","severity":"medium","ruleTitle":"PostgreSQL must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.","description":"$52","checkContent":"Investigate whether there have been any incidents where PostgreSQL ran out of audit log space since the last time the space was allocated or other corrective measures were taken.\n\nIf there have been incidents where PostgreSQL ran out of audit log space, this is a finding.","fixText":"Allocate sufficient audit file/table space to support peak demand."},{"id":"173dc280-27f4-4e14-a67b-e25845d30f51","vulnId":"V-261919","severity":"medium","ruleTitle":"PostgreSQL must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity.","description":"Organizations are required to use a central log management system so under normal conditions, the audit space allocated to PostgreSQL on its own server will not be an issue. However, space will still be required on the PostgreSQL server for audit records in transit, and, under abnormal conditions, this could fill up. Since a requirement exists to halt processing upon audit failure, a service outage would result.\n\nIf support personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion. \n\nThe appropriate support staff include, at a minimum, the information system security officer (ISSO) and the database administrator (DBA)/system administrator (SA).","checkContent":"Review system configuration.\n\nIf no script or tool is monitoring the partition for the PostgreSQL log directories, this is a finding.\n\nIf appropriate support staff are not notified immediately upon storage volume utilization reaching 75 percent, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nConfigure the system to notify appropriate support staff immediately upon storage volume utilization reaching 75 percent.\n\nPostgreSQL does not monitor storage; however, it is possible to monitor storage with a script.\n\n##### Example Monitoring Script\n\n#!/bin/bash\n\nPGDATA=/var/lib/pgsql/${PGVER?}/data\nCURRENT=$(df ${PGDATA?} | grep / | awk '{ print $5}' | sed 's/%//g')\nTHRESHOLD=75\n\nif [ \"$CURRENT\" -gt \"$THRESHOLD\" ] ; then\nmail -s 'Disk Space Alert' mail@support.com << EOF\nThe data directory volume is almost full. Used: $CURRENT\nEOF\nfi\n\nSchedule this script in cron to run around the clock."},{"id":"0987a560-b070-4a07-8557-48fc1929cd5f","vulnId":"V-261920","severity":"medium","ruleTitle":"PostgreSQL must provide an immediate real-time alert to appropriate support staff of all audit log failures.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. \n\nThe appropriate support staff include, at a minimum, the information system security officer (ISSO) and the database administrator (DBA)/system administrator (SA).\n\nA failure of database auditing will result in either the database continuing to function without auditing or in a complete halt to database operations. When audit processing fails, appropriate personnel must be alerted immediately to avoid further downtime or unaudited transactions.\n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).","checkContent":"Review PostgreSQL, OS, or third-party logging software settings to determine whether a real-time alert will be sent to the appropriate personnel when auditing fails for any reason.\n\nIf real-time alerts are not sent upon auditing failure, this is a finding.","fixText":"Configure the system to provide an immediate real-time alert to appropriate support staff when an audit log failure occurs.\n\nIt is possible to create scripts or implement third-party tools to enable real-time alerting for audit failures in PostgreSQL."},{"id":"8307f35f-2f47-40b2-be8b-ba013782b023","vulnId":"V-261921","severity":"medium","ruleTitle":"PostgreSQL must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC), formerly Greenwich Mean Time (GMT).","description":"If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.\n\nTime stamps generated by PostgreSQL must include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.\n\nSome DBMS products offer a data type called TIMESTAMP that is not a representation of date and time. Rather, it is a database state counter and does not correspond to calendar and clock time. This requirement does not refer to that meaning of TIMESTAMP.","checkContent":"When a PostgreSQL cluster is initialized using initdb, the PostgreSQL cluster will be configured to use the same time zone as the target server.\n\nAs the database administrator (shown here as \"postgres\"), check the current log_timezone setting by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_timezone\"\n\nlog_timezone\n--------------\nUTC\n(1 row)\n\nIf log_timezone is not set to the desired time zone, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo change log_timezone in postgresql.conf to use a different time zone for logs, as the database administrator (shown here as \"postgres\"), run the following:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_timezone='UTC'\n\nRestart the database:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"04561051-2e61-4737-a1f7-3b8e7f8ee2e3","vulnId":"V-261922","severity":"medium","ruleTitle":"PostgreSQL must generate time stamps for audit records and application data with a minimum granularity of one second.","description":"Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records.\n\nTime stamps generated by PostgreSQL must include date and time. Granularity of time measurements refers to the precision available in time stamp values. Granularity coarser than one second is not sufficient for audit trail purposes. Time stamp values are typically presented with three or more decimal places of seconds; however, the actual granularity may be coarser than the apparent precision. For example, SQL Server's GETDATE()/CURRENT_TMESTAMP values are presented to three decimal places, but the granularity is not one millisecond: it is about 1/300 of a second.\n\nSome DBMS products offer a data type called TIMESTAMP that is not a representation of date and time. Rather, it is a database state counter and does not correspond to calendar and clock time. This requirement does not refer to that meaning of TIMESTAMP.","checkContent":"Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\n\nAs the database administrator (shown here as \"postgres\"), verify the current log_line_prefix setting by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf log_line_prefix does not contain %m, this is a finding.\n\nCheck the logs to verify time stamps are being logged:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/${PGLOG?}/\n< 2024-02-23 12:53:33.947 EDT postgres postgres 570bd68d.3912 >LOG: connection authorized: user=postgres database=postgres\n< 2024-02-23 12:53:41.576 EDT postgres postgres 570bd68d.3912 >LOG: AUDIT: SESSION,1,1,DDL,CREATE TABLE,,,CREATE TABLE test_srg(id INT);,\n< 2024-02-23 12:53:44.372 EDT postgres postgres 570bd68d.3912 >LOG: disconnection: session time: 0:00:10.426 user=postgres database=postgres host=[local]\n\nIf time stamps are not being logged, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nPostgreSQL will not log anything if logging is not enabled. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nIf logging is enabled, the following configurations must be made to log events with time stamps:\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd %m to log_line_prefix to enable time stamps with milliseconds:\n\nlog_line_prefix = '< %m >'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"28d1b301-713f-4257-99e7-449c17385139","vulnId":"V-261923","severity":"medium","ruleTitle":"PostgreSQL must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.","description":"$53","checkContent":"$54","fixText":"Document and obtain approval for any nonadministrative users who require the ability to create, alter, or replace logic modules.\n\nImplement the approved permissions. Revoke any unapproved permissions."},{"id":"08eaf21d-6ab9-46e9-897a-ff8102bfb5be","vulnId":"V-261924","severity":"medium","ruleTitle":"PostgreSQL must enforce access restrictions associated with changes to the configuration of the DBMS or database(s).","description":"Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.","checkContent":"To list all the permissions of individual roles, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf any role has SUPERUSER that should not, this is a finding.\n\nList all the permissions of databases and schemas by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\l\"\n$ psql -c \"\\dn+\"\n\nIf any database or schema has update (\"W\") or create (\"C\") privileges and should not, this is a finding.","fixText":"Configure PostgreSQL to enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s).\n\nUse ALTER ROLE to remove accesses from roles:\n\n$ psql -c \"ALTER ROLE NOSUPERUSER\"\n\nUse REVOKE to remove privileges from databases and schemas:\n\n$ psql -c \"REVOKE ALL PRIVILEGES ON FROM \""},{"id":"8aaeeb5c-acd7-4e9f-9877-1e5aac0ad6bb","vulnId":"V-261925","severity":"medium","ruleTitle":"PostgreSQL must produce audit records of its enforcement of access restrictions associated with changes to the configuration of PostgreSQL or database(s).","description":"Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks and an audit trail would not be available for forensic investigation for after-the-fact actions. \n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.","checkContent":"$55","fixText":"Enable logging.\n\nAll denials are logged by default if logging is enabled. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C."},{"id":"8692212e-c0aa-485e-8d6a-eb9c7631b44b","vulnId":"V-261926","severity":"medium","ruleTitle":"PostgreSQL must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accordance with the Ports, Protocols, and Services Management (PPSM) guidance.","description":"Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.","checkContent":"As the database administrator, run the following SQL:\n\n$ psql -c \"SHOW port\"\n\nIf the currently defined port configuration is deemed prohibited, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo change the listening port of the database, as the database administrator, change the following setting in postgresql.conf: \n\n$ sudo su - postgres \n$ vi $PGDATA/postgresql.conf \n\nChange the port parameter to the desired port. \n\nRestart the database: \n\n$ sudo systemctl restart postgresql-${PGVER?} \n\nNote: psql uses the port 5432 by default. This can be changed by specifying the port with psql or by setting the PGPORT environment variable: \n\n$ psql -p 5432 -c \"SHOW port\" \n$ export PGPORT=5432"},{"id":"84221fff-5f8d-4aa9-941e-c59ce163892c","vulnId":"V-261927","severity":"medium","ruleTitle":"PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.","description":"$56","checkContent":"Determine all situations where a user must reauthenticate. Check if the mechanisms that handle such situations use the following SQL:\n\nTo make a single user reauthenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user=''\n\nTo make all users reauthenticate, run the following:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'\n\nIf the provided SQL does not force reauthentication, this is a finding.","fixText":"Modify and/or configure PostgreSQL and related applications and tools so that users are always required to reauthenticate when changing role or escalating privileges.\n\nTo make a single user reauthenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user=''\n\nTo make all users reauthenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'"},{"id":"15760d97-a413-4f68-8d5e-0f36e1f2d4ac","vulnId":"V-261928","severity":"high","ruleTitle":"PostgreSQL must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.","description":"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nNSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of PostgreSQL with the encryption devices.","checkContent":"If PostgreSQL is deployed in an unclassified environment, this is not applicable.\n\nIf PostgreSQL is not using NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards, this is a finding.\n\nTo check if PostgreSQL is configured to use SSL, as the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\"\n\nIf SSL is off, this is a finding.\n\nConsult network administration staff to determine whether the server is protected by NSA-approved encrypting devices. If not, this a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo configure PostgreSQL to use SSL as a database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}\n\nFor more information on configuring PostgreSQL to use SSL, refer to supplementary content APPENDIX-G.\n\nDeploy NSA-approved encrypting devices to protect the server on the network."},{"id":"40bc313f-645e-4b48-8171-7885e7c5d826","vulnId":"V-261929","severity":"medium","ruleTitle":"PostgreSQL must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.","description":"Only DOD-approved external PKIs have been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DOD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.\n\nThe authoritative list of DOD-approved PKIs is published at https://public.cyber.mil/pki-pke/interoperability/.\n\nThis requirement focuses on communications protection for the PostgreSQL session rather than for the network packet.","checkContent":"As the database administrator (shown here as \"postgres\"), verify the following setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl_ca_file\"\n$ psql -c \"SHOW ssl_cert_file\"\n\nIf the database is not configured to use only DOD-approved certificates, this is a finding.","fixText":"Revoke trust in any certificates not issued by a DOD-approved certificate authority.\n\nConfigure PostgreSQL to accept only DOD and DOD-approved PKI end-entity certificates.\n\nTo configure PostgreSQL to accept approved CAs, refer to the official PostgreSQL documentation: http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\nFor more information on configuring PostgreSQL to use SSL, refer to supplementary content APPENDIX-G."},{"id":"409ad36c-c3e8-4db5-820f-45baf14fd227","vulnId":"V-261930","severity":"medium","ruleTitle":"PostgreSQL must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.","description":"PostgreSQLs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to PostgreSQL or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.","checkContent":"$57","fixText":"Configure PostgreSQL, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. Refer to supplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('mypass', gen_salt('bf', 4));"},{"id":"a3c0b0e0-37bd-4d86-8c24-aa8cb4348053","vulnId":"V-261931","severity":"medium","ruleTitle":"PostgreSQL must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.","description":"PostgreSQLs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to PostgreSQL or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.","checkContent":"To check if pgcrypto is installed on PostgreSQL, as a database administrator (shown here as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a finding.\n\nIf a disk or filesystem requires encryption, ask the system owner, database administrator (DBA), and system administrator (SA) to demonstrate the use of filesystem and/or disk-level encryption. If this is required and is not found, this is a finding.","fixText":"Configure PostgreSQL, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection for information requiring cryptographic protection against disclosure.\n\nSecure the premises, equipment, and media to provide the required level of physical protection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. Refer to supplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('mypass', gen_salt('bf', 4));"},{"id":"a568803a-aa15-40b1-9681-ecbc0776bc66","vulnId":"V-261932","severity":"medium","ruleTitle":"PostgreSQL must maintain the confidentiality and integrity of information during preparation for transmission.","description":"Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nUse of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.\n\nWhen transmitting data, PostgreSQL, associated applications, and infrastructure must leverage transmission protection mechanisms.","checkContent":"If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.\n\nAs the database administrator (shown here as \"postgres\"), verify SSL is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\"\n\nIf SSL is not enabled, this is a finding.\n\nIf PostgreSQL does not employ protective measures against unauthorized disclosure and modification during preparation for transmission, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nImplement protective measures against unauthorized disclosure and modification during preparation for transmission.\n\nTo configure PostgreSQL to use SSL, as a database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}\n\nFor more information on configuring PostgreSQL to use SSL, refer to supplementary content APPENDIX-G."},{"id":"87696b8b-ee80-4657-bfca-db0981246146","vulnId":"V-261933","severity":"medium","ruleTitle":"PostgreSQL must maintain the confidentiality and integrity of information during reception.","description":"Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nThis requirement applies only to those applications that are either distributed or can allow access to data nonlocally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. \n\nWhen receiving data, PostgreSQL, associated applications, and infrastructure must leverage protection mechanisms.","checkContent":"If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.\n\nAs the database administrator (shown here as \"postgres\"), verify SSL is enabled in postgresql.conf by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\" \n\nIf SSL is off, this is a finding.\n\nIf PostgreSQL, associated applications, and infrastructure do not employ protective measures against unauthorized disclosure and modification during reception, this is a finding.","fixText":"Implement protective measures against unauthorized disclosure and modification during reception.\n\nTo configure PostgreSQL to use SSL, refer to supplementary content APPENDIX-G for instructions on enabling SSL."},{"id":"1b2d82d6-59bb-4d14-9cef-31b414300c8d","vulnId":"V-261934","severity":"medium","ruleTitle":"When invalid inputs are received, PostgreSQL must behave in a predictable and documented manner that reflects organizational and system objectives.","description":"$58","checkContent":"$59","fixText":"Enable logging.\n\nTo ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nAll errors and denials are logged if logging is enabled."},{"id":"104b0db6-cb24-4688-992a-45a86d4cfec8","vulnId":"V-261935","severity":"medium","ruleTitle":"When updates are applied to the PostgreSQL software, any software components that have been replaced or made unnecessary must be removed.","description":"Previous versions of PostgreSQL components that are not removed from the information system after updates have been installed may be exploited by adversaries.\n\nSome DBMSs' installation tools may remove older versions of software automatically from the information system. In other cases, manual review and removal will be required. In planning installations and upgrades, organizations must include steps (automated, manual, or both) to identify and remove the outdated modules.\n\nA transition period may be necessary when both the old and the new software are required. This should be taken into account in the planning.","checkContent":"To check software installed by packages, as the system administrator, run the following command:\n\n$ sudo rpm -qa | grep postgres\n\nIf multiple versions of postgres are installed but are unused, this is a finding.","fixText":"Use package managers (RPM or apt-get) for installing PostgreSQL. Unused software is removed when updated."},{"id":"bb499b3c-a824-4e1f-b717-1ce4b51e6f98","vulnId":"V-261936","severity":"medium","ruleTitle":"Security-relevant software updates to PostgreSQL must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","description":"$5a","checkContent":"If new packages are available for PostgreSQL, they can be reviewed in the package manager appropriate for the server operating system:\n\nTo list the version of installed PostgreSQL using psql:\n\n$ sudo su - postgres\n$ psql --version\n\nTo list the current version of software for RPM:\n\n$ rpm -qa | grep postgres\n\nTo list the current version of software for APT:\n\n$ apt-cache policy postgres\n\nAll versions of PostgreSQL are listed here: http://www.postgresql.org/support/versioning/.\n\nAll security-relevant software updates for PostgreSQL are listed here: http://www.postgresql.org/support/security/.\n\nIf PostgreSQL is not at the latest version, this is a finding.\n\nIf PostgreSQL is not at the latest version and the evaluated version has CVEs (IAVAs), then this is a CAT I finding.","fixText":"Institute and adhere to policies and procedures to ensure that patches are consistently applied to PostgreSQL within the time allowed."},{"id":"afaab7a0-3115-4d1a-8add-d5f317eba466","vulnId":"V-261938","severity":"medium","ruleTitle":"PostgreSQL must be able to generate audit records when security objects are accessed.","description":"Changes to the security configuration must be tracked.\n\nThis requirement applies to situations where security data is retrieved or modified via data manipulation operations, as opposed to via specialized security functionality.\n\nIn an SQL environment, types of access include, but are not necessarily limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE","checkContent":"As the database administrator, verify pgaudit is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf the output does not contain pgaudit, this is a finding.\n\nVerify that role, read, write, and ddl auditing are enabled:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf the output does not contain role, read, write, and ddl, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nPostgreSQL can be configured to audit these requests using pgaudit.. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log='ddl, role, read, write'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"a1a22c02-bfa9-4727-bf7e-1fc75e447209","vulnId":"V-261939","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful attempts to access security objects occur.","description":"Changes to the security configuration must be tracked.\n\nThis requirement applies to situations where security data is retrieved or modified via data manipulation operations, as opposed to via specialized security functionality.\n\nIn an SQL environment, types of access include, but are not limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"$5b","fixText":"Configure PostgreSQL to produce audit records when unsuccessful attempts to access security objects occur.\n\nAll denials are logged if logging is enabled. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C."},{"id":"343c2eab-794f-4d08-b536-7c3e5362910e","vulnId":"V-261940","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when categories of information (e.g., classification levels/security levels) are accessed.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of federal information and information systems, and FIPS Publication 200, Minimum Security Requirements for federal information and information systems.","checkContent":"As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW pgaudit.log\"\n\nIf pgaudit.log does not contain, \"ddl, write, role\", this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. \n\nThe DBMS (PostgreSQL) can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit. \n\nWith pgaudit installed the following configurations can be made:\n\n$ sudo su - postgres \n\n$ vi ${PGDATA?}/postgresql.conf \n\nAdd the following parameters (or edit existing parameters): \n\npgaudit.log = 'ddl, write, role' \n\nAs the system administrator, reload the server with the new configuration: \n\n$ sudo systemctl reload postgresql- ${PGVER?}"},{"id":"978d803b-cb99-4e71-afa0-3f8435209394","vulnId":"V-261941","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful attempts to access categories of information (e.g., classification levels/security levels) occur.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of federal information and information systems, and FIPS Publication 200, Minimum Security Requirements for federal information and information systems.","checkContent":"As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW pgaudit.log\"\n\nIf pgaudit.log does not contain, \"ddl, write, role\", this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nConfigure PostgreSQL to produce audit records when unsuccessful attempts to access categories of information occur.\n\nAll denials are logged if logging is enabled. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nWith pgaudit installed the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'ddl, write, role'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"12e8601d-b1ac-470a-8a0c-c03c4a5fcdfb","vulnId":"V-261942","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when privileges/permissions are added.","description":"Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.\n\nIn an SQL environment, adding permissions is typically done via the GRANT command, or, in the negative, the DENY command.","checkContent":"$5c","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nPostgreSQL can be configured to audit these requests using pgaudit,. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'role'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"9e5b25b9-0943-46e5-a5c5-d58c2d482cfb","vulnId":"V-261943","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful attempts to add privileges/permissions occur.","description":"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected.\n\nIn an SQL environment, adding permissions is typically done via the GRANT command, or, in the negative, the DENY command.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Note: The following instructions use the PGDATA and PGLOG environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\n\nAs the database administrator (shown here as \"postgres\"), create a role \"bob\" and a test table by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"CREATE ROLE bob; CREATE TABLE test(id INT);\"\n\nSet current role to \"bob\" and attempt to modify privileges:\n\n$ psql -c \"SET ROLE bob; GRANT ALL PRIVILEGES ON test TO bob;\"\n\nAs the database administrator (shown here as \"postgres\"), verify the unsuccessful attempt was logged:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/${PGLOG?}/\n2024-07-14 18:12:23.208 EDT postgres postgres ERROR: permission denied for relation test\n2024-07-14 18:12:23.208 EDT postgres postgres STATEMENT: GRANT ALL PRIVILEGES ON test TO bob;\n\nIf audit logs are not generated when unsuccessful attempts to add privileges/permissions occur, this is a finding.","fixText":"Configure PostgreSQL to produce audit records when unsuccessful attempts to add privileges occur.\n\nAll denials are logged by default if logging is enabled. To ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging."},{"id":"a66b1aa0-2631-47b8-b28b-e86f4a59f02c","vulnId":"V-261944","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when privileges/permissions are modified.","description":"Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.\n\nIn an SQL environment, modifying permissions is typically done via the GRANT, REVOKE, and DENY commands.","checkContent":"As the database administrator, verify pgaudit is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf the output does not contain pgaudit, this is a finding.\n\nVerify that role is enabled:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf the output does not contain role, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nPostgreSQL can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log='role'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"74015fff-4d21-4d6c-bccb-89ac46149102","vulnId":"V-261945","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful attempts to modify privileges/permissions occur.","description":"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected. \n\nIn an SQL environment, modifying permissions is typically done via the GRANT, REVOKE, and DENY commands. \n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"$5d","fixText":"Configure PostgreSQL to produce audit records when unsuccessful attempts to modify privileges occur.\n\nAll denials are logged by default if logging is enabled. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C."},{"id":"40d20553-1221-47c0-b025-8b11fe303bc3","vulnId":"V-261946","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when security objects are modified.","description":"Changes in the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized changes to the security subsystem could go undetected. The database could be severely compromised or rendered inoperative.","checkContent":"As the database administrator, verify pgaudit is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf the results does not contain pgaudit, this is a finding.\n\nVerify that role, read, write, and ddl auditing are enabled:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf the output does not contain role, read, write, and ddl, this is a finding.\n\nVerify that accessing the catalog is audited by running the following SQL:\n\n$ psql -c \"SHOW pgaudit.log_catalog\"\n\nIf log_catalog is not on, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nPostgreSQL can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log_catalog = 'on'\npgaudit.log='ddl, role, read, write'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"40630cca-f902-404c-8332-11c5b84c0c90","vulnId":"V-261947","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful attempts to modify security objects occur.","description":"Changes in the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized changes to the security subsystem could go undetected. The database could be severely compromised or rendered inoperative.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Note: The following instructions use the PGDATA and PGLOG environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\n\nAs the database administrator (shown here as \"postgres\"), create a test role by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"CREATE ROLE bob\"\n\nTo test if audit records are generated from unsuccessful attempts at modifying security objects, run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SET ROLE bob; UPDATE pg_authid SET rolsuper = 't' WHERE rolname = 'bob';\"\n\nAs the database administrator (shown here as \"postgres\"), verify the denials were logged:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/${PGLOG?}/\n< 2024-03-17 10:34:00.017 EDT bob 56eabf52.b62 postgres: >ERROR: permission denied for relation pg_authid\n< 2024-03-17 10:34:00.017 EDT bob 56eabf52.b62 postgres: >STATEMENT: UPDATE pg_authid SET rolsuper = 't' WHERE rolname = 'bob';\n\nIf denials are not logged, this is a finding.","fixText":"Configure PostgreSQL to produce audit records when unsuccessful attempts to modify security objects occur.\n\nUnsuccessful attempts to modify security objects can be logged if logging is enabled. To ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging."},{"id":"57300931-0420-40c8-827c-152c6375e023","vulnId":"V-261948","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when categories of information (e.g., classification levels/security levels) are modified.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of federal information and information systems, and FIPS Publication 200, Minimum Security Requirements for federal information and information systems.","checkContent":"If category tracking is not required in the database, this is not applicable.\n\nAs the database administrator, verify pgaudit is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf the output does not contain pgaudit, this is a finding.\n\nVerify that role, read, write, and ddl auditing are enabled:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf the output does not contain role, read, write, and ddl, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nPostgreSQL can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log='ddl, role, read, write'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"d6dd0049-a6e0-4c91-bff4-09630137e4f0","vulnId":"V-261949","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful attempts to modify categories of information (e.g., classification levels/security levels) occur.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of federal information and information systems, and FIPS Publication 200, Minimum Security Requirements for federal information and information systems.","checkContent":"As the database administrator, verify pgaudit is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf the output does not contain \"pgaudit\", this is a finding.\n\nVerify that role, read, write, and ddl auditing are enabled:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf the output does not contain role, read, write, and ddl, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nConfigure PostgreSQL to produce audit records when unsuccessful attempts to modify categories of information occur.\n\nTo ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C. All denials are logged when logging is enabled.\n\nWith pgaudit installed the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log='ddl, role, read, write'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"6e8545b9-ed87-4d06-af56-633bbfa57414","vulnId":"V-261950","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when privileges/permissions are deleted.","description":"Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.\n\nIn an SQL environment, deleting permissions is typically done via the REVOKE or DENY command.","checkContent":"As the database administrator, verify pgaudit is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf the output does not contain pgaudit, this is a finding.\n\nVerify that role, read, write, and ddl auditing are enabled:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf the output does not contain role, read, write, and ddl, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nPostgreSQL can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'role'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"2a912339-8918-4a4c-9717-47a022cde885","vulnId":"V-261951","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful attempts to delete privileges/permissions occur.","description":"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected.\n\nIn an SQL environment, deleting permissions is typically done via the REVOKE or DENY command.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Note: The following instructions use the PGDATA and PGLOG environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\n\nAs the database administrator (shown here as \"postgres\"), create the roles \"joe\" and \"bob\" with LOGIN by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"CREATE ROLE joe LOGIN\"\n$ psql -c \"CREATE ROLE bob LOGIN\"\n\nSet current role to \"bob\" and attempt to alter the role \"joe\":\n\n$ psql -c \"SET ROLE bob; ALTER ROLE joe NOLOGIN;\"\n\nAs the database administrator (shown here as \"postgres\"), verify the denials are logged:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/${PGLOG?}/\n< 2024-03-17 11:28:10.004 UTC bob 56eacd05.cda postgres: >ERROR: permission denied to alter role\n< 2024-03-17 11:28:10.004 UTC bob 56eacd05.cda postgres: >STATEMENT: ALTER ROLE joe;\n\nIf audit logs are not generated when unsuccessful attempts to delete privileges/permissions occur, this is a finding.","fixText":"Configure PostgreSQL to produce audit records when unsuccessful attempts to delete privileges occur.\n\nAll denials are logged if logging is enabled. To ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging."},{"id":"22b6bca9-ce87-42f6-bff3-270fce276963","vulnId":"V-261952","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when security objects are deleted.","description":"The removal of security objects from the database/PostgreSQL would seriously degrade a system's information assurance posture. If such an event occurs, it must be logged.","checkContent":"$5e","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nPostgreSQL can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'ddl'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"ef968c55-2edd-4b8c-8904-8eb42fbe6db5","vulnId":"V-261953","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful attempts to delete security objects occur.","description":"The removal of security objects from the database/PostgreSQL would seriously degrade a system's information assurance posture. If such an action is attempted, it must be logged.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"As the database administrator, verify pgaudit is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf the output does not contain pgaudit, this is a finding.\n\nVerify that role, read, write, and ddl auditing are enabled:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf the output does not contain role, read, write, and ddl, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nConfigure PostgreSQL to produce audit records when unsuccessful attempts to delete security objects occur.\n\nAll errors and denials are logged if logging is enabled. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nWith pgaudit installed the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log='ddl, role, read, write'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"eb404c7a-cebf-4b21-8464-c4a69fc688dd","vulnId":"V-261954","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when categories of information (e.g., classification levels/security levels) are deleted.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of federal information and information systems, and FIPS Publication 200, Minimum Security Requirements for federal information and information systems.","checkContent":"As the database administrator, verify pgaudit is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf the output does not contain \"pgaudit\", this is a finding.\n\nVerify that role, read, write, and ddl auditing are enabled:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf the output does not contain role, read, write, and ddl, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\n\nPostgreSQL can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log='ddl, role, read, write'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"9b7f38d0-7cea-45d2-a130-a712c30141fd","vulnId":"V-261955","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful attempts to delete categories of information (e.g., classification levels/security levels) occur.","description":"Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of federal information and information systems, and FIPS Publication 200, Minimum Security Requirements for federal information and information systems.","checkContent":"As the database administrator, verify pgaudit is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf the output does not contain \"pgaudit\", this is a finding.\n\nVerify that role, read, write, and ddl auditing are enabled:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf the output does not contain role, read, write, and ddl, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nAll errors and denials are logged if logging is enabled. To ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\n\nPostgreSQL can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log='ddl, role, read, write'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"21bb6340-512b-43fd-9177-b3382a646b2a","vulnId":"V-261956","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when successful logons or connections occur.","description":"For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to PostgreSQL.","checkContent":"Note: The following instructions use the PGDATA and PGLOG environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\n\nAs the database administrator (shown here as \"postgres\"), check if log_connections is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_connections\"\n\nIf log_connections is off, this is a finding.\n\nVerify the logs that the previous connection to the database was logged:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/${PGLOG?}/\n< 2024-02-16 15:54:03.934 UTC postgres postgres 56c64b8b.aeb: >LOG: connection authorized: user=postgres database=postgres\n\nIf an audit record is not generated each time a user (or other principal) logs on or connects to PostgreSQL, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nIf logging is enabled the following configurations must be made to log connections, date/time, username, and session identifier.\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters as such:\n\nlog_connections = on\nlog_line_prefix = '< %m %u %d %c: >'\n\nWhere:\n* %m is the time and date\n* %u is the username\n* %d is the database\n* %c is the session ID for the connection\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"1451012c-b45d-4f9c-a430-6b55cb80c23d","vulnId":"V-261957","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful logons or connection attempts occur.","description":"For completeness of forensic analysis, it is necessary to track failed attempts to log on to PostgreSQL. While positive identification may not be possible in a case of failed authentication, as much information as possible about the incident must be captured.","checkContent":"Note: The following instructions use the PGDATA and PGLOG environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I on PGLOG.\n\nIn this example the user \"joe\" will log in to the Postgres database unsuccessfully:\n\n$ psql -d postgres -U joe\n\nAs the database administrator (shown here as \"postgres\"), check ${PGLOG?} for a FATAL connection audit trail:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/${PGLOG?}/{latest_log>\n< 2024-02-16 16:18:13.027 UTC joe 56c65135.b5f postgres: >LOG: connection authorized: user=joe database=postgres\n< 2024-02-16 16:18:13.027 UTC joe 56c65135.b5f postgres: >FATAL: role \"joe\" does not exist\n\nIf an audit record is not generated each time a user (or other principal) attempts, but fails to log on or connect to PostgreSQL (including attempts where the user ID is invalid/unknown), this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nIf logging is enabled the following configurations must be made to log unsuccessful connections, date/time, username, and session identifier.\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters:\n\nlog_connections = on\nlog_line_prefix = '< %m %u %c: >'\n\nWhere:\n* %m is the time and date\n* %u is the username\n* %c is the session ID for the connection\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"7562933e-c2af-49eb-b870-249c3c65dd14","vulnId":"V-261958","severity":"medium","ruleTitle":"PostgreSQL must generate audit records for all privileged activities or other system-level access.","description":"$5f","checkContent":"As the database administrator, verify pgaudit is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf the output does not contain pgaudit, this is a finding.\n\nVerify that role, read, write, and ddl auditing are enabled:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf the output does not contain role, read, write, and ddl, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nPostgreSQL can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed the following configurations can be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\nshared_preload_libraries = 'pgaudit'\npgaudit.log='ddl, role, read, write'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"d97153c5-f82c-41a0-858a-19373987c94e","vulnId":"V-261959","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur.","description":"Without tracking privileged activity, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nSystem documentation should include a definition of the functionality considered privileged.\n\nA privileged function in this context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. In an SQL environment, it encompasses, but is not necessarily limited to:\nCREATE\nALTER\nDROP\nGRANT\nREVOKE\nDENY\n\nNote that it is particularly important to audit and tightly control any action that weakens the implementation of this requirement itself, since the objective is to have a complete audit trail of all administrative activity.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"$60","fixText":"Configure PostgreSQL to produce audit records when unsuccessful attempts to execute privileged SQL.\n\nAll denials are logged by default if logging is enabled. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C."},{"id":"77c2057a-cc56-4c6f-b116-6bf590a8606d","vulnId":"V-261960","severity":"medium","ruleTitle":"PostgreSQL must generate audit records showing starting and ending time for user access to the database(s).","description":"For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to PostgreSQL lasts. This can be achieved by recording disconnections, in addition to logons/connections, in the audit logs.\n\nDisconnection may be initiated by the user or forced by the system (as in a timeout) or result from a system or network failure. To the greatest extent possible, all disconnections must be logged.","checkContent":"Note: The following instructions use the PGDATA and PGLOG environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\n\nLog into the database with the postgres user by running the following commands:\n\n$ sudo su - postgres\n$ psql -U postgres\n\nAs the database administrator, verify the log for a connection audit trail:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/${PGLOG?}/\n< 2024-02-23 20:25:39.931 UTC postgres 56cfa993.7a72 postgres: >LOG: connection authorized: user=postgres database=postgres\n< 2024-02-23 20:27:45.428 UTC postgres 56cfa993.7a72 postgres: >LOG: AUDIT: SESSION,1,1,READ,SELECT,,,SELECT current_user;,\n< 2024-02-23 20:27:47.988 UTC postgres 56cfa993.7a72 postgres: >LOG: disconnection: session time: 0:00:08.057 user=postgres database=postgres host=[local]\n\nIf connections are not logged, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.\n\nIf logging is enabled the following configurations must be made to log connections, date/time, username, and session identifier.\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf by running the following:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters:\n\nlog_connections = on\nlog_disconnections = on\nlog_line_prefix = '< %m %u %c: >'\n\nWhere:\n* %m is the time and date\n* %u is the username\n* %c is the session ID for the connection\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"036ead0e-3abf-4016-af8f-f1f3bd7d07d3","vulnId":"V-261961","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when concurrent logons/connections by the same user from different workstations occur.","description":"For completeness of forensic analysis, it is necessary to track who logs on to PostgreSQL.\n\nConcurrent connections by the same user from multiple workstations may be valid use of the system; or such connections may be due to improper circumvention of the requirement to use the Common Access Card (CAC) for authentication; or they may indicate unauthorized account sharing; or they may be because an account has been compromised.\n\nIf multiple, concurrent logons by a given user can be reliably reconstructed from the log entries for other events (logons/connections; voluntary and involuntary disconnections), then it is not mandatory to create additional log entries specifically for this.","checkContent":"As the database administrator, verify that log_connections and log_disconnections are enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_connections\"\n$ psql -c \"SHOW log_disconnections\"\n\nIf either is off, this is a finding.\n\nVerify that log_line_prefix contains sufficient information by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf log_line_prefix does not contain at least %m %u %d %c, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters as such:\n\nlog_connections = on\nlog_disconnections = on\nlog_line_prefix = '< %m %u %d %c: >'\n\nWhere:\n* %m is the time and date\n* %u is the username\n* %d is the database\n* %c is the session ID for the connection\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"9d0c9f54-6e58-4ed4-9eac-d0aed59f21a4","vulnId":"V-261962","severity":"medium","ruleTitle":"PostgreSQL must be able to generate audit records when successful accesses to objects occur.","description":"Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nIn an SQL environment, types of access include, but are not necessarily limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE","checkContent":"As the database administrator, verify pgaudit is enabled by running the following SQL: \n\n$ sudo su - postgres \n$ psql -c \"SHOW shared_preload_libraries\" \n\nIf the output does not contain \"pgaudit\", this is a finding. \n\nVerify that role, read, write, and ddl auditing are enabled: \n\n$ psql -c \"SHOW pgaudit.log\" \n\nIf the output does not contain role, read, write, and ddl, this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. To ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\n\nIf logging is enabled, the following configurations must be made to log unsuccessful connections, date/time, username, and session identifier.\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf: \n\n$ sudo su - postgres \n$ vi ${PGDATA?}/postgresql.conf \n\nEdit the following parameters: \n\nlog_connections = on \nlog_line_prefix = '< %m %u %c: >' \npgaudit.log = 'read, write' \n\nWhere: \n* %m is the time and date \n* %u is the username \n* %c is the session ID for the connection \n\nAs the system administrator, reload the server with the new configuration: \n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"5e78049b-b88f-4d74-bbee-6c7da18b0549","vulnId":"V-261963","severity":"medium","ruleTitle":"PostgreSQL must generate audit records when unsuccessful accesses to objects occur.","description":"Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nIn an SQL environment, types of access include, but are not limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"$61","fixText":"Configure PostgreSQL to produce audit records when unsuccessful attempts to access objects occur.\n\nAll errors and denials are logged if logging is enabled. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C."},{"id":"92b993d0-32e5-4187-ad48-484597148452","vulnId":"V-261964","severity":"medium","ruleTitle":"PostgreSQL must generate audit records for all direct access to the database(s).","description":"In this context, direct access is any query, command, or call to PostgreSQL that comes from any source other than the application(s) that it supports. Examples would be the command line or a database management utility program. The intent is to capture all activity from administrative and nonstandard sources.","checkContent":"As the database administrator, verify pgaudit is enabled by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf the output does not contain \"pgaudit\", this is a finding.\n\nVerify that connections and disconnections are being logged by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_connections\"\n$ psql -c \"SHOW log_disconnections\"\n\nIf the output does not contain \"on\", this is a finding.","fixText":"Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\n\nPostgreSQL can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, the following configurations should be made:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log='ddl, role, read, write'\nlog_connections='on'\nlog_disconnections='on'\n\nAs the system administrator, reload the server with the new configuration:\n\n$ sudo systemctl reload postgresql-${PGVER?}"},{"id":"9c7ff239-6dfa-4895-922b-fad607984cbc","vulnId":"V-261965","severity":"medium","ruleTitle":"PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.","description":"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nFor detailed information, refer to NIST FIPS Publication 140-3, Security Requirements For Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS compliant.","checkContent":"As the system administrator, run the following to ensure FIPS is enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not \"1\", this is a finding.","fixText":"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to be FIPS 140-2 compliant, refer to the official RHEL Documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies.\n\nFor more information on configuring PostgreSQL to use SSL, refer to supplementary content APPENDIX-G."},{"id":"2bc55f6e-c32e-4057-9612-d49b656ed7c5","vulnId":"V-261966","severity":"medium","ruleTitle":"PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners' requirements.","description":"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-3, Security Requirements For Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS compliant.","checkContent":"As the system administrator, run the following to ensure FIPS is enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not \"1\", this is a finding.","fixText":"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to be FIPS 140-2 compliant, refer to the official RHEL Documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies.\n\nFor more information on configuring PostgreSQL to use SSL, refer to supplementary content APPENDIX-G."},{"id":"79d62560-ebd9-467d-aae8-9ab504753e99","vulnId":"V-261967","severity":"medium","ruleTitle":"PostgreSQL must offload audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for standalone systems.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOffloading is a common process in information systems with limited audit storage capacity.\n\nPostgreSQL may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with offloading the records to the centralized system.","checkContent":"As the database administrator (shown here as \"postgres\"), ensure PostgreSQL uses syslog by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_destination\"\n\nIf log_destination is not syslog, this is a finding.\n\nAs the database administrator, check which log facility is configured by running the following SQL:\n\n$ psql -c \"SHOW syslog_facility\" \n\nCheck with the organization to refer to how syslog facilities are defined in their organization.\n\nIf the wrong facility is configured, this is a finding.\n\nIf PostgreSQL does not have a continuous network connection to the centralized log management system, and PostgreSQL audit records are not transferred to the centralized log management system weekly or more often, this is a finding.","fixText":"$62"},{"id":"b0c8deee-cc90-4f9a-9907-3de0e124dc14","vulnId":"V-283674","severity":"high","ruleTitle":"PostgreSQL products must be a version supported by the vendor.","description":"Unsupported software and systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.\n\nSoftware and systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.\n\nWhen maintenance updates and patches are no longer available, software is no longer considered supported and should be upgraded or decommissioned.","checkContent":"If new packages are available for PostgreSQL, they can be reviewed in the package manager appropriate for the server operating system:\n\nTo list the version of installed PostgreSQL using psql:\n\n$ sudo su - postgres\n$ psql --version\n\nTo list the current version of software for RPM:\n\n$ rpm -qa | grep postgres\n\nTo list the current version of software for APT:\n\n$ apt-cache policy postgres\n\nAll versions of PostgreSQL are listed here: http://www.postgresql.org/support/versioning/\n\nAll security-relevant software updates for PostgreSQL are listed here: http://www.postgresql.org/support/security/\n\nIf PostgreSQL is not at the latest version, this is a finding.","fixText":"Upgrade or install a version of the product supported by the vendor."}]}]]}]

Crunchy Data Postgres 16 Security Technical Implementation Guide

Checks (111)