11:["$","div",null,{"className":"mx-auto max-w-7xl p-6","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-brand text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-4 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"text-3xl font-bold","children":"EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide"}],false,["$","$L1b",null,{}]]}],["$","section",null,{"className":"mb-8 rounded-lg border border-gray-200 bg-white p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","2","R","3"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Dec 18, 2023"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-xs text-gray-500","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"EDB_Postgres_Advanced_Server_STIG","children":"EDB_Postgres_Advanced_Server_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":109}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-xs text-gray-500","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"rounded-full bg-gray-100 px-2 py-0.5 text-xs text-gray-700","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"rounded bg-red-100 px-3 py-1 text-sm font-medium text-red-800","children":["CAT I: ",16]}],["$","span",null,{"className":"rounded bg-yellow-100 px-3 py-1 text-sm font-medium text-yellow-800","children":["CAT II: ",93]}],["$","span",null,{"className":"rounded bg-blue-100 px-3 py-1 text-sm font-medium text-blue-800","children":["CAT III: ",0]}]]}],["$","p",null,{"className":"mt-4 text-sm text-gray-600","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=EDB%20Postgres%20Advanced%20Server%20v9.6%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=EDB%20Postgres%20Advanced%20Server%20v9.6%20Security%20Technical%20Implementation%20Guide&format=csv","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=EDB%20Postgres%20Advanced%20Server%20v9.6%20Security%20Technical%20Implementation%20Guide&format=json","className":"rounded border px-3 py-1 text-sm text-gray-700 hover:bg-gray-50","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EDB_PGS_Advanced_Server_v9-6_V2R3_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-brand/10 text-brand hover:bg-brand/20 border-brand/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L1c",null,{"checks":[{"id":"5fd66ac4-704a-4b1d-9d65-7dc42f6569ba","vulnId":"V-213561","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.","description":"$1d","checkContent":"Determine whether the system documentation specifies limits on the number of concurrent DBMS sessions per account by type of user. If it does not, assume a limit of 10 for database administrators and 2 for all other users.\n\nExecute the following SQL as enterprisedb:\n\nSELECT rolname, rolconnlimit FROM pg_roles;\n\nIf rolconnlimit is -1 or larger than the system documentation limits for any rolname, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\nSELECT rolname, rolconnlimit FROM pg_roles;\n\nFor any roles where rolconnlimit is -1 or larger than the system documentation limits, execute this SQL as enterprisedb:.\n\nALTER USER WITH CONNECTION LIMIT ;"},{"id":"cde5b9ce-e015-4752-9ef6-a6319ce20941","vulnId":"V-213562","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.","description":"$1e","checkContent":"Verify that pg_hba.conf is not using: “trust”, “md5”, or “password” as allowable access methods.\n\n> cat /pg_hba.conf | egrep –I ‘(trust|md5|password)’ | grep –v ‘#’\n\nIf any output is produced, verify the users are documented as being authorized to use one of these access methods.\n\nIf the users are not authorized to use these access methods, this is a finding.\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)","fixText":"Identify any user that is using “trust”, “md5”, or “password” as allowable access methods.\n\n> cat /pg_hba.conf | egrep –I ‘(trust|md5|password)’ | grep –v ‘#’\n\nDocument any rows that have \"trust\", \"md5\", or \"password\" specified for the \"METHOD\" column and obtain appropriate approval for each user specified in the \"USER\" column (i.e., all DBMS managed accounts).\n\nFor any users that are not documented and approved as DBMS managed accounts, change the \"METHOD\" column to one of the externally managed (not \"trust\", \"md5\", or \"password\") options defined here:\n\nhttp://www.postgresql.org/docs/9.5/static/auth-methods.html\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)"},{"id":"0c9cc6be-8c2d-4dd3-b1a4-a6aa3c204298","vulnId":"V-213563","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","description":"$1f","checkContent":"Review the system documentation to determine the required levels of protection for DBMS server securables by type of login.\n\nReview the permissions actually in place on the server. \n\nIf the actual permissions do not match the documented requirements, this is a finding.","fixText":"Use GRANT, REVOKE, ALTER statements to add and remove permissions on server-level securables, bringing them into line with the documented requirements."},{"id":"69554222-479c-4999-a5c7-b12286669395","vulnId":"V-213564","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect against a user falsely repudiating having performed organization-defined actions.","description":"Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. \n\nNon-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables, and configuring the DBMS' audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, group account.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit;\n \nIf the result is not \"csv\" or \"xml\", this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\nALTER SYSTEM SET edb_audit = csv;\nSELECT pg_reload_conf();\n\nor\n\nALTER SYSTEM SET edb_audit = xml;\nSELECT pg_reload_conf();"},{"id":"3357e2ab-556b-42a0-9a92-427412b1d3c9","vulnId":"V-213565","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must provide audit record generation capability for DoD-defined auditable events within all EDB Postgres Advanced Server/database components.","description":"$20","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit;\n \nIf the result is not \"csv\" or \"xml\", this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\nALTER SYSTEM SET edb_audit = csv;\nSELECT pg_reload_conf();\n\nor\n\nALTER SYSTEM SET edb_audit = xml;\nSELECT pg_reload_conf();"},{"id":"242b86e2-e0ff-4adf-a085-5f22ded00e27","vulnId":"V-213566","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Run the command \"ls -al /postgresql*.conf\" to show file permissions. (The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)\n\nIf the files are not owned by enterprisedb(user)/enterprisedb(group) or does not have RW permission for the user only, this is a finding.","fixText":"Run these commands: \n\n1) \"chown enterprisedb /postgresql*.conf\" \n\n2) \"chgrp enterprisedb /postgresql*.conf\"\n\n3) \"chmod 600 /postgresql*.conf\"\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)"},{"id":"adc72005-0f25-4669-99ec-6ba3809ebbcd","vulnId":"V-213567","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when privileges/permissions are retrieved.","description":"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions.\n\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"4d1f9d72-c73d-45ca-b67d-51fbc836faca","vulnId":"V-213568","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.","description":"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions.\n\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"777ccac8-2cf7-4b04-9540-a196f621ed17","vulnId":"V-213569","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must initiate support of session auditing upon startup.","description":"Session auditing is for use when a user's activities are under investigation. \n\nTypically, this DBMS capability would be used in conjunction with comparable monitoring of a user's online session, involving other software components such as operating systems, web servers and front-end user applications. The current requirement, however, deals specifically with the DBMS.\n\nTo be sure of capturing all activity during those periods when session auditing is in use, database auditing needs to be in operation for the whole time the DBMS is running.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"65f2cacd-6839-4339-9b11-65fcc62825a9","vulnId":"V-213570","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish what type of events occurred.","description":"$21","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"daedc3ed-0a72-4ee0-ac41-be7108ef8a6d","vulnId":"V-213571","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing time stamps to establish when the events occurred.","description":"Information system auditing capability is critical for accurate forensic analysis. Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. \n\nDatabase software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly when specific actions were performed. This requires the date and time an audit record is referring to. If date and time information is not recorded and stored with the audit record, the record itself is of very limited use.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"a94f687c-2a5b-4e3b-8903-065c7a242490","vulnId":"V-213572","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish where the events occurred.","description":"Information system auditing capability is critical for accurate forensic analysis. Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as application components, modules, session identifiers, filenames, host names, and functionality. \n\nAssociating information about where the event occurred within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"15ad52a7-d738-4148-ba45-8547824416ff","vulnId":"V-213573","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish the sources (origins) of the events.","description":"Information system auditing capability is critical for accurate forensic analysis. Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as application components, modules, session identifiers, filenames, host names, and functionality. \n\nIn addition to logging where events occur within the application, the application must also produce audit records that identify the application itself as the source of the event.\n\nAssociating information about the source of the event within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"71f03865-f510-440b-96e3-b7a81dc16ad4","vulnId":"V-213574","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.","description":"Information system auditing capability is critical for accurate forensic analysis. Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system.\n\nEvent outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"aa1677c5-2d47-4d3a-b04e-d346ef5fca19","vulnId":"V-213575","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.","description":"Information system auditing capability is critical for accurate forensic analysis. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.\n\nIdentifiers (if authenticated or otherwise known) include, but are not limited to, user database tables, primary key values, user names, or process identifiers.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"0c91811e-0b9f-4471-804e-1f78f0a70fe8","vulnId":"V-213576","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.","description":"$22","checkContent":"Review the system documentation to identify what additional information the organization has determined necessary.\n\nCheck application and database design, and existing audit records to verify that all organization-defined additional, more detailed information is in the audit records for audit events identified by type, location, or subject.\n\nIf any additional information is defined and is not included in the audit records, this is a finding.","fixText":"Execute the following SQL to set additional detailed information for the audit records in the session:\n\nset edb_audit_tag = '';\n\nReplace with a character string holding the additional data that must be captured.\n\nTo set this in a trigger, an example is included below. Keep in mind that the edb_audit_tag is set for the life of the session, not just the life of the insert command:\n\nCREATE OR REPLACE FUNCTION add_audit_info()\n RETURNS trigger AS\n$BODY$\nBEGIN\n SET edb_audit_tag = ''; \n RETURN NEW;\nEND;\n$BODY$\nLANGUAGE plpgsql;\n\nCREATE TRIGGER add_audit_info_trigger\n BEFORE INSERT\n ON \n FOR EACH ROW\n EXECUTE PROCEDURE add_audit_info();"},{"id":"81c4f10e-9d72-4d06-94de-9b14aeb80bc8","vulnId":"V-213577","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.","description":"It is critical that when the DBMS is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. \n\nWhen the need for system availability does not outweigh the need for a complete audit trail, the DBMS should shut down immediately, rolling back all in-flight transactions.\n\nSystems where audit trail completeness is paramount will most likely be at a lower MAC level than MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid a shutdown in all but the most extreme situations.","checkContent":"If Postgres Enterprise Manager (PEM) is not installed and configured to shut down the database when the audit log is full, this is a finding.","fixText":"Install PEM and configure an alert to shut down the PPAS server when the audit log mount point is at 99 percent full. Refer to the Supplemental Procedures document, supplied with this STIG, for guidance on configuring alerts."},{"id":"aa2e9543-e9be-4418-8ea4-2d5e04c66f46","vulnId":"V-213578","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.","description":"$23","checkContent":"If an externally managed and monitored partition or logical volume that can be grown dynamically is being used for logging, this is not a finding. \n\nIf PPAS is auditing to a directory that is not being actively checked for availability of disk space, and if logrotate is not configured to rotate logs based on the size of the audit log directory with oldest logs being replaced by newest logs, this is a finding.","fixText":"$24"},{"id":"752256da-400f-4b82-ac9c-698cbd93c739","vulnId":"V-213579","severity":"medium","ruleTitle":"The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized read access.","description":"$25","checkContent":"Verify User ownership, Group ownership, and permissions on the “edb_audit” directory:\n> ls –ald /edb_audit\nIf the User owner is not “enterprisedb”, this is a finding\nIf the Group owner is not “enterprisedb”, this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)","fixText":"Run these commands:\n\n1) \"chown enterprisedb /edb_audit\" \n\n2) \"chgrp enterprisedb /edb_audit\" \n\n3) \"chmod 700 /edb_audit\"\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)"},{"id":"2d6fa356-db90-418c-87b3-589dc78ba235","vulnId":"V-213580","severity":"medium","ruleTitle":"The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized modification.","description":"$26","checkContent":"Verify User ownership, Group ownership, and permissions on the “edb_audit” directory:\n> ls –ald /edb_audit\nIf the User owner is not “enterprisedb”, this is a finding\nIf the Group owner is not “enterprisedb”, this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)","fixText":"Run these commands: \n\n1) \"chown enterprisedb /edb_audit\" \n\n2) \"chgrp enterprisedb /edb_audit\" \n\n3) \"chmod 700 /edb_audit\"\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)"},{"id":"111b3084-d863-4426-8a26-dfbef12005c4","vulnId":"V-213581","severity":"medium","ruleTitle":"The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized deletion.","description":"$27","checkContent":"Verify User ownership, Group ownership, and permissions on the “edb_audit” directory:\n> ls –ald /edb_audit\nIf the User owner is not “enterprisedb”, this is a finding\nIf the Group owner is not “enterprisedb”, this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)","fixText":"Run these commands: \n\n1) \"chown enterprisedb /edb_audit\" \n\n2) \"chgrp enterprisedb /edb_audit\" \n\n3) \"chmod 700 /edb_audit\"\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)"},{"id":"c4ce0a26-5ba0-44d1-a47d-1395ed139b00","vulnId":"V-213582","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect its audit features from unauthorized access.","description":"$28","checkContent":"Verify User ownership, Group ownership, and permissions on the “edb_audit” directory:\n> ls –ald /edb_audit\nIf the User owner is not “enterprisedb”, this is a finding\nIf the Group owner is not “enterprisedb”, this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)","fixText":"Run these commands: \n\n1) \"chown enterprisedb /edb_audit\" \n\n2) \"chgrp enterprisedb /edb_audit\" \n\n3) \"chmod 700 /edb_audit\"\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)"},{"id":"46e3a083-4af7-48b7-b632-ee6512210b1c","vulnId":"V-213583","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect its audit configuration from unauthorized modification.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the modification of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Verify User ownership, Group ownership, and permissions on the “edb_audit” directory:\n> ls –ald /edb_audit\nIf the User owner is not “enterprisedb”, this is a finding\nIf the Group owner is not “enterprisedb”, this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)","fixText":"Run these commands: \n\n1) \"chown enterprisedb /edb_audit\" \n\n2) \"chgrp enterprisedb /edb_audit\" \n\n3) \"chmod 700 /edb_audit\"\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)"},{"id":"ecc74761-4c2a-4771-a87a-8331a3b29ca8","vulnId":"V-213584","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect its audit features from unauthorized removal.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Verify User ownership, Group ownership, and permissions on the “edb_audit” directory:\n> ls –ald /edb_audit\nIf the User owner is not “enterprisedb”, this is a finding\nIf the Group owner is not “enterprisedb”, this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)","fixText":"Run these commands: \n\n1) \"chown enterprisedb /edb_audit\" \n\n2) \"chgrp enterprisedb /edb_audit\" \n\n3) \"chmod 700 /edb_audit\"\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)"},{"id":"a4ea7642-34d5-46dd-ae9b-995e957bfce9","vulnId":"V-213585","severity":"medium","ruleTitle":"Software, applications, and configuration files that are part of, or related to, the Postgres Plus Advanced Server installation must be monitored to discover unauthorized changes.","description":"If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Monitoring is required for assurance that the protections are effective.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.","checkContent":"Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files is done.\n\nVerify the list of files and directories being monitored is complete.\n\nIf monitoring does not occur or is not complete, this is a finding.","fixText":"Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement.\n\nUse file hashes or checksums for comparisons, as file dates may be manipulated by malicious users."},{"id":"59cffdbd-bcc7-4538-9598-2b62405cde8b","vulnId":"V-213586","severity":"medium","ruleTitle":"EDB Postgres Advanced Server software modules, to include stored procedures, functions and triggers must be monitored to discover unauthorized changes.","description":"If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Monitoring is required for assurance that the protections are effective.\n\nUnmanaged changes that occur to the logic modules within the database can lead to unauthorized or compromised installations.","checkContent":"Check the EDB Postgres configuration for a timed job that automatically checks all system and user-defined procedures, functions and triggers for being modified by running the following EDB Postgres query: \nselect job, what from ALL_JOBS; \n\n(Alternatively, in Postgres Enterprise Manager, navigate to the \"Jobs\" node of the database and examine the job from there.) \n\nIf a timed job or some other method is not implemented to check for Triggers being modified, this is a finding.","fixText":"Configure an EDB Postgres timed job that automatically checks all system and user-defined procedures, functions and triggers for being modified, and in the event of such changes informs the proper personnel for evaluation and possible action."},{"id":"391b21d1-7640-4e94-9fe0-126a90f3e24b","vulnId":"V-213587","severity":"high","ruleTitle":"The EDB Postgres Advanced Server software installation account must be restricted to authorized users.","description":"When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system. \n\nIf the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nDBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a great impact on database security and operation. It is especially important to grant privileged access to only those persons who are qualified and authorized to use them.","checkContent":"Review procedures for controlling, granting access to, and tracking use of the DBMS software installation account.\n\nIf access or use of this account is not restricted to the minimum number of personnel required or if unauthorized access to the account has been granted, this is a finding.","fixText":"Develop, document, and implement procedures to restrict and track use of the DBMS software installation account."},{"id":"3a98fc27-241a-45ec-a4b5-b70bd5c414a7","vulnId":"V-213588","severity":"medium","ruleTitle":"Database software, including EDB Postgres Advanced Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.","description":"$29","checkContent":"Review the DBMS software library directory and note other root directories located on the same disk directory or any subdirectories.\n\nIf any non-DBMS software directories exist on the disk directory, examine or investigate their use. If any of the directories are used by other applications, including third-party applications that use the DBMS, this is a finding.\n\nOnly applications that are required for the functioning and administration, not use, of the DBMS should be located in the same disk directory as the DBMS software libraries.\n\nIf other applications are located in the same directory as the DBMS, this is a finding.","fixText":"Install all applications on directories separate from the DBMS software library directory. Relocate any directories or reinstall other application software that currently shares the DBMS software library directory."},{"id":"f4256b06-c03a-466c-b067-4798c2b868bb","vulnId":"V-213589","severity":"medium","ruleTitle":"Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to the EDB Postgres Advanced Server, etc.) must be owned by database/EDB Postgres Advanced Server principals authorized for ownership.","description":"Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.\n\nConversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.","checkContent":"Review system documentation to identify accounts authorized to own database objects. Review accounts that own objects in the database(s) by running this SQL command:\n\nselect * from sys.all_objects;\n\nIf any database objects are found to be owned by users not authorized to own database objects, this is a finding.","fixText":"Assign ownership of authorized objects to authorized object owner accounts by running this SQL command for each object to be changed:\n\nALTER

';\n\nIf a policy is not enabled for the table requiring security labeling, this is a finding.","fixText":"Create a row-level policy for all required tables as defined here: \n\nhttp://www.enterprisedb.com/docs/en/9.5/oracompat/Database_Compatibility_for_Oracle_Developers_Guide.1.201.html#pID0E0D5J0HA"},{"id":"4b4249ee-0975-463c-9450-8dfbabedb14a","vulnId":"V-213617","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","description":"$3b","checkContent":"Review the system documentation to obtain the definition of the database/DBMS functionality considered privileged in the context of the system in question.\n\nIf any functionality considered privileged has access privileges granted to non-privileged users, this is a finding.","fixText":"Revoke any privileges to privileged functionality by executing the REVOKE command as documented here: \n\nhttp://www.postgresql.org/docs/current/static/sql-revoke.html"},{"id":"e20eefb9-60f4-4895-9443-8152d7119078","vulnId":"V-213618","severity":"medium","ruleTitle":"Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.","description":"$3c","checkContent":"Review the system documentation and source code of the application(s) using the database.\n\nIf elevation of DBMS privileges is used but not documented, this is a finding.\n\nIf elevation of DBMS privileges is documented but not implemented as described in the documentation, this is a finding.\n\nIf the privilege-elevation logic can be invoked in ways other than intended, in contexts other than intended, or by subjects/principals other than intended, this is a finding.\n\nExecute the following SQL to find any SECURITY DEFINER functions (meaning they are executed as owner rather than invoker):\n\nselect proname from pg_proc where prosecdef = true;\n\nIf any of these functions should not be SECURITY DEFINER, this is a finding.","fixText":"Determine where, when, how, and by what principals/subjects elevated privilege is needed. \n\nModify the system and the application(s) using the database to ensure privilege elevation is used only as required.\n\nTo alter a function to use SECURITY INVOKER instead of SECURITY DEFINER, execute the following SQL:\n\nALTER FUNCTION SECURITY INVOKER;"},{"id":"bdf7afc9-0c8d-47a7-8886-b5bb32ace7bf","vulnId":"V-213619","severity":"medium","ruleTitle":"Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.","description":"$3d","checkContent":"Review the system documentation and source code of the application(s) using the database.\n\nIf elevation of DBMS privileges is used but not documented, this is a finding.\n\nIf elevation of DBMS privileges is documented but not implemented as described in the documentation, this is a finding.\n\nIf the privilege-elevation logic can be invoked in ways other than intended, in contexts other than intended, or by subjects/principals other than intended, this is a finding.\n\nExecute the following SQL to find any users with BYPASS RLS permissions:\n\nselect rolname from pg_roles where rolbypassrls = true;\n\nIf any of these users are not superusers that should bypass RLS, this is a finding.","fixText":"Determine where, when, how, and by what principals/subjects elevated privilege is needed. \n\nModify the system and the application(s) using the database to ensure privilege elevation is used only as required.\n\nTo alter a user to not allow bypassing RLS, execute the following SQL:\n\nALTER USER NOBYPASSRLS;"},{"id":"fef423e9-3c99-49c2-b4d7-a8c8fda6be64","vulnId":"V-213620","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must utilize centralized management of the content captured in audit records generated by all components of the EDB Postgres Advanced Server.","description":"Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.\n\nThe content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. \n\nThe DBMS may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.","checkContent":"If a centralized log collecting tool such as Postgres Enterprise Manager (PEM) is not installed and configured to automatically collect audit logs, this is a finding. \n\nReview the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.","fixText":"Install a centralized log collecting tool and configure it as instructed in its documentation. \n\nIf using PEM, find the instructions at \nhttp://www.enterprisedb.com/docs/en/6.0/pemgetstarted/toc.html"},{"id":"3af8abe8-f3ee-42ad-846f-93e0f46b6e6a","vulnId":"V-213621","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must provide centralized configuration of the content to be captured in audit records generated by all components of the EDB Postgres Advanced Server.","description":"If the configuration of the DBMS's auditing is spread across multiple locations in the database management software, or across multiple commands, only loosely related, it is harder to use and takes longer to reconfigure in response to events.\n\nThe DBMS must provide a unified tool for audit configuration.","checkContent":"If a unified tool for audit configuration such as PEM (Postgres Enterprise Manager) is not installed and configured to automatically collect audit logs, this is a finding.\n\nReview the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.","fixText":"Install a centralized log collecting tool and configure it as instructed in its documentation. \n\nIf using PEM, find the instructions at \nhttp://www.enterprisedb.com/docs/en/6.0/pemgetstarted/toc.html"},{"id":"4a07ab02-c78c-40a6-aea1-edc1f90f775b","vulnId":"V-213622","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.","description":"$3e","checkContent":"Investigate whether there have been any incidents where the DBMS ran out of audit log space since the last time the space was allocated or other corrective measures were taken.\n\nIf there have been, this is a finding.","fixText":"Allocate sufficient audit file space to \"/edb_audit\" to support peak demand."},{"id":"b9d95f63-2b54-4ca8-8851-a666bdc05b17","vulnId":"V-213623","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.","description":"Organizations are required to use a central log management system, so under normal conditions, the audit space allocated to the DBMS on its own server will not be an issue. However, space will still be required on the DBMS server for audit records in transit, and, under abnormal conditions, this could fill up. Since a requirement exists to halt processing upon audit failure, a service outage would result.\n\nIf support personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion. \n\nThe appropriate support staff include, at a minimum, the ISSO and the DBA/SA.","checkContent":"If Postgres Enterprise Manager (PEM) or another similar monitoring capability is not installed and configured to probe storage volume utilization of \"\" and notify appropriate support staff upon storage volume utilization reaching 75 percent, this is a finding.\n\n(The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)","fixText":"$3f"},{"id":"114971fd-57c4-4600-8c04-e25fdd22b23a","vulnId":"V-213624","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. \n\nThe appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n\nA failure of database auditing will result in either the database continuing to function without auditing or in a complete halt to database operations. When audit processing fails, appropriate personnel must be alerted immediately to avoid further downtime or unaudited transactions\n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).","checkContent":"Review Postgres Enterprise Manager (PEM) alert settings, OS, or third-party logging software settings to determine whether a real-time alert will be sent to the appropriate personnel when auditing fails for any reason.\n\nIf real-time alerts are not sent upon auditing failure, this is a finding.","fixText":"Install PEM and configure audit failure event alerting as documented here: http://www.enterprisedb.com/docs/en/5.0/pemgetstarted/PEM_Getting_Started_Guide.1.28.html\n\nAn example for creating an alert that ensure the audit directory does not fill up is included below, using the thin client (browser) PEM interface. Refer also to the Supplemental Procedures document, supplied with this STIG.\n\nOpen the PEM web console in a browser\n\n - Log in\n - Click on the agent for the machine to be monitored\n - Select \"Management | Probe Configuration\"\n - Select \"Disk Space\" and set the check interval as you like\n - Select \"Management | Alerting\"\n - Name the definition \"Audit Log Full\"\n - Select Template \"Disk Consumption Percentage\"\n - Set Frequency, Comparison Operator, and Thresholds (1 minute, >, \n95/96/97 for example)\n - Enter the Mount Point for where the audit log is\n - Click Notification tab\n - Click Email all alerts\n - Click \"Execute Script\" on Monitored Server"},{"id":"16e69b85-d699-4f29-9e82-ec0e7ba7f492","vulnId":"V-213625","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.","description":"$40","checkContent":"If EDB Postgres supports only software development, experimentation, and/or developer-level testing (that is, excluding production systems, integration testing, stress testing, and user acceptance testing), this is not a finding. \n\nReview the EDB Postgres security settings with respect to non-administrative users' ability to create, alter, or replace logic modules, to include but not necessarily only stored procedures, functions, triggers, and views. These psql commands can help with showing existing permissions of databases and schemas:\n\n\\l\n\\dn+\n\nIf any such permissions exist and are not documented and approved, this is a finding.","fixText":"Document and obtain approval for any non-administrative users who require the ability to create, alter, or replace logic modules. \n\nImplement the approved permissions. Revoke (or deny) any unapproved permissions and remove any unauthorized role memberships."},{"id":"7195e101-a669-4375-abc1-5d725579bec1","vulnId":"V-213626","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must enforce access restrictions associated with changes to the configuration of the EDB Postgres Advanced Server or database(s).","description":"Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. \n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.","checkContent":"Review the security configuration of the EDB Postgres database(s). \n\nIf unauthorized users can start the SQL Server Configuration Manager or SQL Server Management Studio, this is a finding. \n\nIf EDB Postgres does not enforce access restrictions associated with changes to the configuration of the database(s), this is a finding. \n\n- - - - - \n\nTo assist in conducting reviews of permissions, the following psql commands describe permissions of databases, schemas, and users: \n\n\\l\n\\dn+\n\\du\n\nPermissions of concern in this respect include the following, and possibly others: \n\n- any user with SUPERUSER privileges \n- any database or schema with \"C\" (create) or \"w\" (update) privileges that are not necessary","fixText":"Configure EDB PPAS to enforce access restrictions associated with changes to the configuration of the EDB Postgres database(s)."},{"id":"38b87530-09b0-4f77-864c-48eaccf9f620","vulnId":"V-213627","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records of its enforcement of access restrictions associated with changes to the configuration of the EDB Postgres Advanced Server or database(s).","description":"Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks and an audit trail would not be available for forensic investigation for after-the-fact actions. \n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"c756ef0d-220e-45ba-a4e8-f0baa2345cba","vulnId":"V-213628","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.","description":"Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.\n\nA database cluster listens on a single port (usually 5444 for Postgres Plus Advanced Server). The Postgres Enterprise Manager (PEM) agents do not listen on ports, they only act as clients to the PEM server. The PEM server has two components (a repository which is a Postgres database) and a PHP application. The PHP application listens on a port configured in Apache, generally 8080 or 8443.\n\nThe ports to check are: 1) The primary Postgres cluster port, 2) The PEM PHP port, and 3) The PEM Repository DB port. Generally 2 and 3 should be installed on an isolated management machine without access from anyone other than administrators.","checkContent":"Review the network functions, ports, protocols, and services supported by the DBMS.\n\nIf any protocol is prohibited by the PPSM guidance and is enabled, this is a finding.\n\nOpen \"/pg_hba.conf\" in a viewer. (The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.) If any rows have a TYPE that is \"host\" or \"hostnossl\", this is a finding.\n\nExecute the following SQL as enterprisedb:\n\nSHOW port;\n \nIf the displayed port is not allowed, this is a finding.","fixText":"Disable each prohibited network function, port, protocol, or service prohibited by the PPSM guidance.\n\nOpen \"/pg_hba.conf\" in an editor. (The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.) Change the TYPE of any rows not starting with a \"#\" to be either \"local\" or \"hostssl\". The METHOD for the local rows should be \"peer\", which will authenticate based on the operating system name. The METHOD for the hostssl rows should be one of these (in preferred order): cert, ldap, sspi, pam, md5\n\nExecute the following SQL as enterprisedb:\n\nALTER SYSTEM SET port = ;\n\nExecute the following operating system command as root:\n\nsystemctl restart ppas-9.5.service"},{"id":"76d57569-1542-40fb-8529-4b12120a6ec7","vulnId":"V-213629","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must require users to re-authenticate when organization-defined circumstances or situations require re-authentication.","description":"$41","checkContent":"If organization-defined circumstances or situations require re-authentication, and these situations are not configured to terminate existing logins to require re-authentication, this is a finding.","fixText":"Determine the organization-defined circumstances or situations that require re-authentication and ensure that the following SQL is executed in those situations. To require a single user to re-authenticate, use this SQL: \"select pg_terminate_backend(pid) from pg_stat_activity where user='';\" To require all users to re-authenticate, use this SQL: \"select pg_terminate_backend(pid) from pg_stat_activity where user like '%';\"."},{"id":"ab5be55f-6b0b-4bf3-ae3f-51d36aaa84ee","vulnId":"V-213630","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.","description":"Only DoD-approved external PKIs have been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users. \n\nThe authoritative list of DoD-approved PKIs is published at http://iase.disa.mil/pki-pke/interoperability.\n\nThis requirement focuses on communications protection for the DBMS session rather than for the network packet.","checkContent":"Verify that the root.crt certificate was issued by a valid DoD entity.\n\n> openssl x509 -in /root.crt –text | grep –i “issuer”. (The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.)\n\nIf any issuers are listed that are not valid DoD certificate authorities, this is a finding.","fixText":"Remove any certificate that was not issued by a valid DoD certificate authority.\n\nContact the organization's certificate issuer and request a new certificate that is issued by a valid DoD certificate authorities."},{"id":"f84f25b0-1427-4b4c-a1f2-01c675dc2ab9","vulnId":"V-213631","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.","description":"DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.","checkContent":"Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of the DBMS, operating system/file system, and additional software as relevant.\n\nIf any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.","fixText":"Create an encrypted partition to host the \"\" directory. This can be done at the OS level with a technology such as db-crypt or other encryption technologies provided by third-party tools.\n\nIf only certain columns require encryption, use pgcrypt to encrypt those columns as documented here: \n\nhttp://www.postgresql.org/docs/current/static/pgcrypto.html"},{"id":"67f1181d-55d1-40cd-a17a-496ff7f87d8e","vulnId":"V-213632","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.","description":"DBMSs handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.","checkContent":"Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of the DBMS, operating system/file system, and additional software as relevant.\n\nIf any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.","fixText":"Create an encrypted partition to host the \"\" directory. This can be done at the OS level with a technology such as db-crypt or other encryption technologies provided by third-party tools.\n\nIf only certain columns need encryption, use pgcrypt to encrypt those columns as documented here: \n\nhttp://www.postgresql.org/docs/current/static/pgcrypto.html"},{"id":"a4d9bd6f-5e4e-4dce-998a-c441569dd9be","vulnId":"V-213633","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must maintain the confidentiality and integrity of information during preparation for transmission.","description":"$42","checkContent":"If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding.\n\nOpen \"/pg_hba.conf\" in a viewer or editor. (The default path for the postgresql data directory is /var/lib/ppas/9.5/data, but this will vary according to local circumstances.) \n\nIf any rows do not have TYPE of \"hostssl\" as well as a METHOD of \"cert\", this is a finding.","fixText":"$43"},{"id":"b4bc180f-32b8-42ff-a6a6-07305276593a","vulnId":"V-213634","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must maintain the confidentiality and integrity of information during reception.","description":"$44","checkContent":"$45","fixText":"$46"},{"id":"feff7a2a-57da-4ea5-952d-c200a17196df","vulnId":"V-213635","severity":"medium","ruleTitle":"When invalid inputs are received, the EDB Postgres Advanced Server must behave in a predictable and documented manner that reflects organizational and system objectives.","description":"$47","checkContent":"Execute the following SQL as enterprisedb:\n\nSELECT * FROM sqlprotect.list_protected_users;\n\nIf the database and user that handles user input is not listed or if sqlprotect.list_protected_users does not exist (meaning SQL/Protect is not installed), and an alternative means of reviewing for vulnerable code is not in use, this is a finding.","fixText":"Install and configure SQL/Protect as documented here: \n\nhttp://www.enterprisedb.com/docs/en/9.5/eeguide/Postgres_Plus_Enterprise_Edition_Guide.1.072.html#\n\nAlternatively, implement, document, and maintain another method of checking for the validity of inputs."},{"id":"b64fa9c8-0b45-4bfd-b1e1-63bdfbb223a4","vulnId":"V-213636","severity":"medium","ruleTitle":"Security-relevant software updates to the EDB Postgres Advanced Server must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","description":"$48","checkContent":"Obtain evidence that software patches are obtained from EnterpriseDB and are consistently applied to the DBMS within the timeframe defined for each patch.\n\nIf such evidence cannot be obtained, or the evidence that is obtained indicates a pattern of noncompliance, this is a finding.\n\nIf an administrator is not registered on the EDB Support Portal with an email address for monitoring technical alerts, this is a finding.","fixText":"Institute and adhere to policies and procedures to ensure that patches are consistently obtained from EnterpriseDB and applied to the DBMS within the time allowed.\n\nEnsure that a monitored email address is registered as a user on the EDB support portal and is receiving technical alerts."},{"id":"e7a6ed8e-4eab-412c-9c56-07374167cca8","vulnId":"V-213637","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when security objects are accessed.","description":"Changes to the security configuration must be tracked.\n\nThis requirement applies to situations where security data is retrieved or modified via data manipulation operations, as opposed to via specialized security functionality.\n\nIn an SQL environment, types of access include, but are not necessarily limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"259e8443-a89d-40fc-b502-6145f7f70a93","vulnId":"V-213638","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when unsuccessful attempts to access security objects occur.","description":"Changes to the security configuration must be tracked.\n\nThis requirement applies to situations where security data is retrieved or modified via data manipulation operations, as opposed to via specialized security functionality.\n\nIn an SQL environment, types of access include, but are not necessarily limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"da5d286f-7d66-40c9-bdb7-f99b9e4faa07","vulnId":"V-213639","severity":"medium","ruleTitle":"The DBMS must generate audit records when categories of information (e.g., classification levels/security levels) are accessed.","description":"Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"Review the system documentation to determine whether it is required to track categorized information, such as classification or sensitivity level. If it is not, this is not applicable (NA).\n\t\nExecute the following SQL as enterprisedb:\n\t\nSHOW edb_audit_statement;\n\t\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\t\nor\n\t\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"5cd56257-94a5-45ea-953c-b6af4463d811","vulnId":"V-213640","severity":"medium","ruleTitle":"Audit records must be generated when unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur.","description":"Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"Review the system documentation to determine whether it is required to track categorized information, such as classification or sensitivity level. If it is not, this is not applicable (NA).\n\t\nExecute the following SQL as enterprisedb:\n\t\nSHOW edb_audit_statement;\n\t\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\t\nor\n\t\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"40649446-eb2f-4235-a898-3a9fd49c9b42","vulnId":"V-213641","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when privileges/permissions are added.","description":"Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of individuals' and groups' privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.\n\nIn an SQL environment, adding permissions is typically done via the GRANT command, or, in the negative, the REVOKE command.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"8f5028ec-ea02-4ebe-bddf-fdbcb3a48e1d","vulnId":"V-213642","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when unsuccessful attempts to add privileges/permissions occur.","description":"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict individuals' and groups' privileges could go undetected. \n\nIn an SQL environment, adding permissions is typically done via the GRANT command, or, in the negative, the REVOKE command. \n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"903a0d6b-6030-49b9-a239-2b79b65a1807","vulnId":"V-213643","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when security objects are modified.","description":"Changes in the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized changes to the security subsystem could go undetected. The database could be severely compromised or rendered inoperative.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"f0ad50d7-273b-4da2-bf68-5ec20845d174","vulnId":"V-213644","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when unsuccessful attempts to modify security objects occur.","description":"Changes in the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized changes to the security subsystem could go undetected. The database could be severely compromised or rendered inoperative.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"81dd1844-32d7-4b5d-961d-6b99af634860","vulnId":"V-213645","severity":"medium","ruleTitle":"Audit records must be generated when categorized information (e.g., classification levels/security levels) is created.","description":"Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"Review the system documentation to determine whether it is required to track categorized information, such as classification or sensitivity level. If it is not, this is not applicable (NA).\n\t\nExecute the following SQL as enterprisedb:\n\t\nSHOW edb_audit_statement;\n\t\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\t\nor\n\t\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"eaacc428-b993-453b-8b7e-f45ae9cacfc4","vulnId":"V-213646","severity":"medium","ruleTitle":"Audit records must be generated when categorized information (e.g., classification levels/security levels) is modified.","description":"Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"Review the system documentation to determine whether it is required to track categorized information, such as classification or sensitivity level. If it is not, this is not applicable (NA).\n\t\nExecute the following SQL as enterprisedb:\n\t\nSHOW edb_audit_statement;\n\t\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\t\nor\n\t\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"983c55b4-bc68-4766-be2a-31963e0ccba1","vulnId":"V-213647","severity":"medium","ruleTitle":"Audit records must be generated when unsuccessful attempts to create categorized information (e.g., classification levels/security levels) occur.","description":"Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"Review the system documentation to determine whether it is required to track categorized information, such as classification or sensitivity level. If it is not, this is not applicable (NA).\n\t\nExecute the following SQL as enterprisedb:\n\t\nSHOW edb_audit_statement;\n\t\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\t\nor\n\t\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"96d7c4a5-e306-48fb-bb41-17613fd76590","vulnId":"V-213648","severity":"medium","ruleTitle":"Audit records must be generated when unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur.","description":"Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"Review the system documentation to determine whether it is required to track categorized information, such as classification or sensitivity level. If it is not, this is not applicable (NA).\n\t\nExecute the following SQL as enterprisedb:\n\t\nSHOW edb_audit_statement;\n\t\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\t\nor\n\t\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"5648d7ff-745e-4861-bd42-f455564b108b","vulnId":"V-213649","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when privileges/permissions are deleted.","description":"Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of individuals' and groups' privileges could go undetected. Elevated privileges give users access to information and functionality that they should not have; restricted privileges wrongly deny access to authorized users.\n\nIn an SQL environment, deleting permissions is typically done via the REVOKE command.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"1f56b6f5-6f03-4268-94e2-8f9cc1db83bb","vulnId":"V-213650","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when unsuccessful attempts to delete privileges/permissions occur.","description":"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict individuals' and groups' privileges could go undetected. \n\nIn an SQL environment, deleting permissions is typically done via the REVOKE command. \n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"3d266fc4-7585-4438-80b9-8fecbb3c4480","vulnId":"V-213651","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when security objects are deleted.","description":"The removal of security objects from the database/DBMS would seriously degrade a system's information assurance posture. If such an event occurs, it must be logged.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"d38a562a-ae3b-4b37-a84e-be92de81bb7b","vulnId":"V-213652","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when unsuccessful attempts to delete security objects occur.","description":"The removal of security objects from the database/DBMS would seriously degrade a system's information assurance posture. If such an action is attempted, it must be logged.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"467e454d-5835-4000-99a8-9ec0f0416cb5","vulnId":"V-213653","severity":"medium","ruleTitle":"Audit records must be generated when categorized information (e.g., classification levels/security levels) is deleted.","description":"Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"Review the system documentation to determine whether it is required to track categorized information, such as classification or sensitivity level. If it is not, this is not applicable (NA).\n\t\nExecute the following SQL as enterprisedb:\n\t\nSHOW edb_audit_statement;\n\t\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\t\nor\n\t\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"74ff37a2-bcdd-4608-80c5-d1d12c992412","vulnId":"V-213654","severity":"medium","ruleTitle":"Audit records must be generated when unsuccessful attempts to delete categorized information (e.g., classification levels/security levels) occur.","description":"Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\n\nFor detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.","checkContent":"Review the system documentation to determine whether it is required to track categorized information, such as classification or sensitivity level. If it is not, this is not applicable (NA).\n\t\nExecute the following SQL as enterprisedb:\n\t\nSHOW edb_audit_statement;\n\t\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\t\nor\n\t\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"de86929d-d237-4d53-9253-98a504f95caf","vulnId":"V-213655","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when successful logons or connections occur.","description":"For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to the DBMS.","checkContent":"Execute the following SQL as enterprisedb:\n\t\nSHOW edb_audit_connect;\n\t\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nSHOW edb_audit_connect;\n\t\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.\n\t\nFix Text: Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_connect = 'all';\nALTER SYSTEM SET edb_audit_disconnect = 'all';\nSELECT pg_reload_conf(); \n\t\nor\n\t\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"ec3be05f-dae2-4784-9aea-fbc39dee4b60","vulnId":"V-213656","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when unsuccessful logons or connection attempts occur.","description":"For completeness of forensic analysis, it is necessary to track failed attempts to log on to the DBMS. While positive identification may not be possible in a case of failed authentication, as much information as possible about the incident must be captured.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_connect;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\nALTER SYSTEM SET edb_audit_connect = 'all';\nALTER SYSTEM SET edb_audit_disconnect = 'all';\nSELECT pg_reload_conf(); \n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"48cbe69e-0ccb-4ecc-9e8d-c03cf24517c8","vulnId":"V-213657","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records for all privileged activities or other system-level access.","description":"$49","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"fd74a086-920e-4f8e-b041-8e96481ff554","vulnId":"V-213658","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur.","description":"Without tracking privileged activity, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nSystem documentation should include a definition of the functionality considered privileged.\n\nA privileged function in this context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. In an SQL environment, it encompasses, but is not necessarily limited to:\nCREATE\nALTER\nDROP\nGRANT\nREVOKE\n\nNote that it is particularly important to audit, and tightly control, any action that weakens the implementation of this requirement itself, since the objective is to have a complete audit trail of all administrative activity.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"a97a5029-20a9-45d0-bd4d-9d5ccdafd426","vulnId":"V-213659","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records showing starting and ending time for user access to the database(s).","description":"For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to the DBMS lasts. This can be achieved by recording disconnections, in addition to logons/connections, in the audit logs. \n\nDisconnection may be initiated by the user or forced by the system (as in a timeout) or result from a system or network failure. To the greatest extent possible, all disconnections must be logged.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_connect;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\nALTER SYSTEM SET edb_audit_connect = 'all';\nALTER SYSTEM SET edb_audit_disconnect = 'all';\nSELECT pg_reload_conf(); \n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"ce349be7-723b-4172-8fa4-77b10312d2e7","vulnId":"V-213660","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when concurrent logons/connections by the same user from different workstations occur.","description":"For completeness of forensic analysis, it is necessary to track who logs on to the DBMS.\n\nConcurrent connections by the same user from multiple workstations may be valid use of the system; or such connections may be due to improper circumvention of the requirement to use the CAC for authentication; or they may indicate unauthorized account sharing; or they may be because an account has been compromised.\n\n(If the fact of multiple, concurrent logons by a given user can be reliably reconstructed from the log entries for other events (logons/connections; voluntary and involuntary disconnections), then it is not mandatory to create additional log entries specifically for this.)","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_connect;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\nALTER SYSTEM SET edb_audit_connect = 'all';\nALTER SYSTEM SET edb_audit_disconnect = 'all';\nSELECT pg_reload_conf(); \n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"4550712f-1f25-44fc-a8d6-441fae7aa259","vulnId":"V-213661","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must be able to generate audit records when successful accesses to objects occur.","description":"Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nIn an SQL environment, types of access include, but are not necessarily limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"d3ebe8fe-1f0d-4cdd-88e4-c1617252c2f8","vulnId":"V-213662","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when unsuccessful accesses to objects occur.","description":"Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nIn an SQL environment, types of access include, but are not necessarily limited to:\nSELECT\nINSERT\nUPDATE\nDELETE\nEXECUTE\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Execute the following SQL as enterprisedb:\n\nSHOW edb_audit_statement;\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nSELECT pg_reload_conf();\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"c10f005c-53f8-494b-adab-2af44d0db700","vulnId":"V-213663","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records for all direct access to the database(s).","description":"In this context, direct access is any query, command, or call to the DBMS that comes from any source other than the application(s) that it supports. Examples would be the command line or a database management utility program. The intent is to capture all activity from administrative and non-standard sources.","checkContent":"Execute the following SQL as enterprisedb:\n\t\nSHOW edb_audit_statement;\nSHOW edb_audit_connect;\nSHOW edb_audit_disconnect; \n\t\nIf the result is not \"all\" for any or if the current settings for this requirement have not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as enterprisedb:\n\t\nALTER SYSTEM SET edb_audit_statement = 'all';\nALTER SYSTEM SET edb_audit_connect = 'all';\nALTER SYSTEM SET edb_audit_disconnect = 'all';\nSELECT pg_reload_conf(); \n\t\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"8855b9fa-90ac-46ad-8e9d-80495960a618","vulnId":"V-213664","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nFor detailed information, refer to NIST FIPS Publication 140-3, Security Requirements For Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.","checkContent":"If a FIPS-certified OpenSSL library is not installed, this is a finding.\n\nRun the command \"cat /proc/sys/crypto/fips_enabled\". \n\nIf the output is not \"1\", this is a finding.","fixText":"If fips_enabled = 0, configure OpenSSL to be FIPS compliant.\n\nConfigure per operating system documentation: \nRedHat: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations\nUbuntu: https://security-certs.docs.ubuntu.com/en/fips"},{"id":"294fc1e0-4295-4a28-ae0f-bbb4bb9c3806","vulnId":"V-213665","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nFor detailed information, refer to NIST FIPS Publication 140-3, Security Requirements For Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.","checkContent":"If a FIPS-certified OpenSSL library is not installed, this is a finding.\n\nRun the command \"cat /proc/sys/crypto/fips_enabled\". \n\nIf the output is not \"1\", this is a finding.","fixText":"If fips_enabled = 0, configure OpenSSL to be FIPS compliant.\n\nConfigure per operating system documentation: \nRedHat: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations\nUbuntu: https://security-certs.docs.ubuntu.com/en/fips"},{"id":"ec0eec82-9924-4eb7-8e4f-9b7ed7e705fb","vulnId":"V-213666","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the requirements of the data owner.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-3, Security Requirements For Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.","checkContent":"If a FIPS-certified OpenSSL library is not installed, this is a finding.\n\nRun the command \"cat /proc/sys/crypto/fips_enabled\". \n\nIf the output is not \"1\", this is a finding.","fixText":"If fips_enabled = 0, configure OpenSSL to be FIPS compliant.\n\nConfigure per operating system documentation: \nRedHat: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations\nUbuntu: https://security-certs.docs.ubuntu.com/en/fips"},{"id":"e4b493e7-6085-4852-9506-290af6a45189","vulnId":"V-213667","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity. \n\nThe DBMS may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.","checkContent":"If Postgres Enterprise Manager (PEM) or another log collection tool is not installed and configured to automatically collect audit logs, this is a finding. \n\nReview the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.","fixText":"Install PEM and configure the centralized audit manager as documented here: http://www.enterprisedb.com/docs/en/5.0/pemgetstarted/PEM_Getting_Started_Guide.1.32.html#\n\nIf another tool other than PEM is used, configure it to meet this requirement."},{"id":"152839b0-be9e-4adf-b5b9-93faf97a9a79","vulnId":"V-213668","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must be configured on a platform that has a NIST certified FIPS 140-2 ior 140-3 nstallation of OpenSSL.","description":"PostgreSQL uses OpenSSL for the underlying encryption layer. It must be installed on an operating system that contains a certified FIPS 140-2 or 140-3 distribution of OpenSSL. For other operating systems, users must obtain or build their own FIPS 140 OpenSSL libraries.","checkContent":"If the deployment incorporates a custom build of the operating system and PostgreSQL guaranteeing the use of FIPS 140-2 or 140-3 compliant OpenSSL, this is not a finding. \n\nIf PostgreSQL is not installed on an OS found in the CMVP (https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules), this is a finding. \n\nIf FIPS encryption is not enabled, this is a finding.","fixText":"Install PostgreSQL with FIPS-compliant cryptography enabled on an OS found in the CMVP (https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules) or by other means, ensure that FIPS 140-2 or 140-3 certified OpenSSL libraries are used by the DBMS."},{"id":"c4a8456c-3a8a-417c-996f-fe1dbb56ffff","vulnId":"V-259741","severity":"high","ruleTitle":"EDB Postgres Advanced Server products must be a version supported by the vendor.","description":"Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.\n\nSystems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.\n\nWhen maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.","checkContent":"If new packages are available for PostgreSQL, they can be reviewed in the package manager appropriate for the server operating system:\n\nTo list the version of installed PostgreSQL using psql:\n\n$ sudo su - postgres\n$ psql --version\n\nTo list the current version of software for RPM:\n\n$ rpm -qa | grep postgres\n\nTo list the current version of software for APT:\n\n$ apt-cache policy postgres\n\nAll versions of PostgreSQL will be listed here:\nhttp://www.postgresql.org/support/versioning/\n\nAll security-relevant software updates for PostgreSQL will be listed here:\nhttp://www.postgresql.org/support/security/\n\nIf PostgreSQL is not at the latest version, this is a finding.","fixText":"Remove or decommission all unsupported software products.\n\nUpgrade unsupported DBMS or unsupported components to a supported version of the product."}]}]]}]

EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide

Checks (109)