13:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide"}],false,["$","$L1d",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","2","R","1"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Jun 10, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"EPAS_STIG","children":"EPAS_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":118}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",13]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",105]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",0]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=EnterpriseDB%20Postgres%20Advanced%20Server%20(EPAS)%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=EnterpriseDB%20Postgres%20Advanced%20Server%20(EPAS)%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=EnterpriseDB%20Postgres%20Advanced%20Server%20(EPAS)%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EPAS_V2R1_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L1e",null,{"checks":[{"id":"bd08bb50-a834-472f-84ab-2af4c934e8f2","vulnId":"V-259210","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.","description":"$1f","checkContent":"Determine whether the system documentation specifies limits on the number of concurrent DBMS sessions per account by type of user. If it does not, assume a limit of 10 for database administrators and 2 for all other users.\n\nExecute the following as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SELECT rolname, rolconnlimit FROM pg_roles where rolname not like 'pg_%' and rolname not like 'aq_%'\"\n\nIf rolconnlimit is -1 or larger than the system documentation limits for any rolname, this is a finding.","fixText":"For any roles where rolconnlimit is -1 or larger than the system documentation limits, execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"ALTER USER WITH CONNECTION LIMIT \""},{"id":"95b29376-6aff-487a-b300-f2e2d15a7138","vulnId":"V-259211","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.","description":"$20","checkContent":"Verify that pg_hba.conf is not using: \"trust\", \"md5\", or \"password\" as allowable access methods.\n\n> cat /pg_hba.conf | egrep -I \"trust|md5|password\"| grep -v \"^\\#\"\nNOTE: A command line text editor such as VIM or EMACS can also be used to search for \"MD5\".\nThe default path for PGDATA is /var/lib/edb/as/data, but this will vary according to local circumstances.\n\nIf any output is produced, verify the users are documented as being authorized to use one of these access methods.\n\nIf the users are not authorized to use these access methods, this is a finding.","fixText":"Identify any user that is using \"trust\", \"md5\", or \"password\" as allowable access methods.\n\n> cat /pg_hba.conf | egrep -I \"trust|md5|password\"| grep -v \"^\\#\"\nNOTE: A command line text editor such as VIM or EMACS can also be used such as VIM or EMACS to search for \"MD5\". \nThe default path for PGDATA is /var/lib/edb/as/data, but this will vary according to local circumstances.\n\nDocument any rows that have \"trust\", \"md5\", or \"password\" specified for the \"METHOD\" column and obtain appropriate approval for each user specified in the \"USER\" column (i.e., all DBMS managed accounts).\n\nFor any users that are not documented and approved as DBMS managed accounts, change the \"METHOD\" column to one of the externally managed (not \"trust\", \"md5\", or \"password\") options defined here: https://www.postgresql.org/docs/current/auth-methods.html\n\nUse a command line text editor such as VIM or EMACS to make changes. Example: > vim /pg_hba.conf"},{"id":"ed42b244-525b-4e42-b588-c14220dcf03a","vulnId":"V-259212","severity":"high","ruleTitle":"The EDB Postgres Advanced Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","description":"$21","checkContent":"$22","fixText":"To determine current user access to database objects, run the following as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SELECT grantee, privilege_type, table_name FROM information_schema.role_table_grants WHERE grantee=''\"\n\nUse GRANT, REVOKE, and ALTER statements to add and/or remove permissions on server-level securables, bringing them in line with the documented requirements."},{"id":"33a117d2-85d9-4541-bc43-e54e8a66a36b","vulnId":"V-259213","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect against a user falsely repudiating having performed organization-defined actions.","description":"Nonrepudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.\n\nNonrepudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables, and configuring the DBMS' audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, group account.","checkContent":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SHOW edb_audit\"\n \nIf the result is not \"csv\" or \"xml\", this is a finding.","fixText":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit = csv\"\n> psql edb -c \"SELECT pg_reload_conf()\"\n\nor\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit = xml\"\n> psql edb -c \"SELECT pg_reload_conf()\""},{"id":"b1331bb8-ae44-404a-b077-a94bc19ac6cc","vulnId":"V-259214","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must provide audit record generation capability for DOD-defined auditable events within all EDB Postgres Advanced Server/database components.","description":"$23","checkContent":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SHOW edb_audit\"\n \nIf the result is not \"csv\" or \"xml\", this is a finding.","fixText":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit = csv\"\n> psql edb -c \"SELECT pg_reload_conf()\"\n\nor\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit = xml\"\n> psql edb -c \"SELECT pg_reload_conf()\""},{"id":"e5ef7f6f-22c2-4226-ac88-1337b6e16b46","vulnId":"V-259215","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Run the command \"ls -al postgresql*.conf\" to show file permissions. The default path for the postgresql*.conf files is /var/lib/edb/as/data, but this will vary according to local circumstances.\n\nIf the files are not owned by enterprisedb (user)/enterprisedb (group) or do not have RW permission for the user only, this is a finding.","fixText":"Run these commands as the \"root\" user (or user with sudo privileges) from the EDB Postgres Advanced Server data (PGDATA) directory:\n\n> chown enterprisedb postgresql*.conf\n> chgrp enterprisedb postgresql*.conf\n> chmod 600 postgresql*.conf\n\nThe default path for the postgresql*.conf files is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances. Run these commands as the \"root\" user (or user with sudo privileges) from the EDB Postgres Advanced Server data (PGDATA) directory:\n\n> chown enterprisedb postgresql*.conf\n> chgrp enterprisedb postgresql*.conf\n> chmod 600 postgresql*.conf\n\nThe default path for the postgresql*.conf files is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances."},{"id":"6a854b3e-7cad-43ae-b240-2ed5f447b427","vulnId":"V-259216","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when privileges/permissions are retrieved.","description":"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions.\n\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.","checkContent":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SHOW edb_audit_statement\"\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit_statement = 'all'\"\n> psql edb -c \"SELECT pg_reload_conf()\"\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"7d65f19a-2ec4-4a96-8cda-012f3199aa4f","vulnId":"V-259217","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.","description":"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions.\n\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.\n\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.","checkContent":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SHOW edb_audit_statement\"\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\npsql edb -c \"ALTER SYSTEM SET edb_audit_statement = 'all'\"\npsql edb -c \"SELECT pg_reload_conf()\"\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"58cdcbdb-e360-4f93-8064-8f481feb1b13","vulnId":"V-259218","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must initiate support of session auditing upon startup.","description":"Session auditing is for use when a user's activities are under investigation.\n\nTypically, this DBMS capability would be used in conjunction with comparable monitoring of a user's online session, involving other software components such as operating systems, web servers, and front-end user applications. The current requirement, however, deals specifically with the DBMS.\n\nTo be sure of capturing all activity during those periods when session auditing is in use, database auditing needs to be in operation for the whole time the DBMS is running.","checkContent":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SHOW edb_audit_statement\"\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\npsql edb -c \"ALTER SYSTEM SET edb_audit_statement = 'all'\"\npsql edb -c \"SELECT pg_reload_conf()\"\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"7a881269-4651-4acc-bb88-b462bf48de41","vulnId":"V-259219","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish what type of events occurred.","description":"$24","checkContent":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SHOW edb_audit_statement\"\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit_statement = 'all'\"\n> psql edb -c \"SELECT pg_reload_conf()\"\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"8410ed7b-cf0f-4160-ac6b-997cfceed94c","vulnId":"V-259220","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing time stamps to establish when the events occurred.","description":"Information system auditing capability is critical for accurate forensic analysis. Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. \n\nDatabase software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly when specific actions were performed. This requires the date and time an audit record is referring to. If date and time information is not recorded and stored with the audit record, the record itself is of very limited use.","checkContent":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SHOW edb_audit_statement\"\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit_statement = 'all'\"\n> psql edb -c \"SELECT pg_reload_conf()\"\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"8ed6304c-d50d-4adc-9c49-980ff4ac30ab","vulnId":"V-259221","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish where the events occurred.","description":"Information system auditing capability is critical for accurate forensic analysis. Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as application components, modules, session identifiers, filenames, host names, and functionality.\n\nAssociating information about where the event occurred within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SHOW edb_audit_statement\"\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit_statement = 'all'\"\n> psql edb -c \"SELECT pg_reload_conf()\"\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"37cc3cf6-152f-4957-b510-54138ef494b5","vulnId":"V-259222","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish the sources (origins) of the events.","description":"Information system auditing capability is critical for accurate forensic analysis. Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as application components, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application must also produce audit records that identify the application itself as the source of the event.\n\nAssociating information about the source of the event within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.","checkContent":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SHOW edb_audit_statement\"\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit_statement = 'all'\"\n> psql edb -c \"SELECT pg_reload_conf()\"\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"45cd48be-2890-45f0-aebd-c34146737c75","vulnId":"V-259223","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.","description":"Information system auditing capability is critical for accurate forensic analysis. Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system.\n\nEvent outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.","checkContent":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SHOW edb_audit_statement\"\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit_statement = 'all'\"\n> psql edb -c \"SELECT pg_reload_conf()\"\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"0d06d098-3d1e-475d-b563-11b4829e519a","vulnId":"V-259224","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.","description":"Information system auditing capability is critical for accurate forensic analysis. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.\n\nIdentifiers (if authenticated or otherwise known) include, but are not limited to, user database tables, primary key values, user names, or process identifiers.","checkContent":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"SHOW edb_audit_statement\"\n\nIf the result is not \"all\" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.","fixText":"Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit_statement = 'all'\"\n> psql edb -c \"SELECT pg_reload_conf()\"\n\nor\n\nUpdate the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement."},{"id":"5621982c-b1b1-4f59-9000-38b088f0a11d","vulnId":"V-259225","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.","description":"$25","checkContent":"Review the system documentation to identify what additional information the organization has determined necessary.\n\nCheck application and database design, and existing audit records to verify that all organization-defined additional, more detailed information is in the audit records for audit events identified by type, location, or subject.\n\nIf any additional information is defined and is not included in the audit records, this is a finding.","fixText":"Execute the following SQL to set additional detailed information for the audit records in the session:\n\nset edb_audit_tag = '';\n\nReplace with a character string holding the additional data that must be captured.\n\nTo set this in a trigger, an example is included below. Keep in mind that the edb_audit_tag is set for the life of the session, not just the life of the insert command:\n\nCREATE OR REPLACE FUNCTION add_audit_info()\n RETURNS trigger AS\n$BODY\n$BEGIN\n SET edb_audit_tag = ''; \n RETURN NEW;\nEND;\n$BODY\n$LANGUAGE plpgsql;\n\nCREATE TRIGGER add_audit_info_trigger\n BEFORE INSERT\n ON \n FOR EACH ROW\n EXECUTE PROCEDURE add_audit_info();"},{"id":"aa33ee58-399b-4944-85f5-e52ed53e9cf9","vulnId":"V-259226","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must, by default, shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.","description":"It is critical that when the DBMS is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen the need for system availability does not outweigh the need for a complete audit trail, the DBMS should shut down immediately, rolling back all in-flight transactions.\n\nSystems where audit trail completeness is paramount will most likely be at a lower MAC level than MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid a shutdown in all but the most extreme situations.","checkContent":"If the application owner has determined that the need for system availability outweighs the need for a complete audit trail, this is not applicable.\n\nIf Postgres Enterprise Manager (PEM) is installed and configured to shut down the database when the audit log is full, this is not a finding.\n\nOtherwise, review the procedures, manual and/or automated, for monitoring the space used by audit trail(s) and for off-loading audit records to a centralized log management system.\n\nIf the procedures do not exist, this is a finding.\n\nIf the procedures exist, request evidence that they are followed. If the evidence indicates that the procedures are not followed, this is a finding.\n\nIf the procedures exist, inquire if the system has ever run out of audit trail space in the last two years or since the last system upgrade, whichever is more recent. If it has run out of space in this period, and the procedures have not been updated to compensate, this is a finding.","fixText":"Modify DBMS, OS, or third-party logging application settings to alert appropriate personnel when a specific percentage of log storage capacity is reached.\n\nIf PEM is in use, it may be configured to issue an alert, send an email to designated personnel, and shut down the EDB Postgres Advanced Server instance when the audit log mount point is at 99 percent full. Refer to the Supplemental Procedures document supplied with this STIG for guidance on configuring PEM alerts."},{"id":"61540a0c-88b9-4b68-b08d-bf8aa8c2022d","vulnId":"V-259227","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out [FIFO]), in the event of unavailability of space for more audit log records.","description":"$26","checkContent":"If an externally managed and monitored partition or logical volume that can be grown dynamically is being used for logging, this is not a finding.\n\nIf EDB Postgres Advanced Server is auditing to a directory that is not being actively checked for availability of disk space, and if logrotate is not configured to rotate logs based on the size of the audit log directory with oldest logs being replaced by newest logs, this is a finding.","fixText":"$27"},{"id":"09781de6-bc56-4541-887b-0c061a79d55c","vulnId":"V-259228","severity":"medium","ruleTitle":"The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized read access.","description":"$28","checkContent":"Verify User ownership, Group ownership, and permissions on the \"edb_audit\" directory:\n\n> ls -ld /edb_audit\n\nIf the User owner is not \"enterprisedb\", this is a finding.\nIf the Group owner is not \"enterprisedb\", this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances.","fixText":"Run these commands as the \"root\" user (or user with sudo privileges) from the EDB Postgres Advanced Server data (PGDATA) directory:\n\n> chown enterprisedb edb_audit\n> chgrp enterprisedb edb_audit\n> chmod 700 edb_audit\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances."},{"id":"81a164b3-feee-4433-92ac-7a5da2ab20cc","vulnId":"V-259229","severity":"medium","ruleTitle":"The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized modification.","description":"$29","checkContent":"Verify User ownership, Group ownership, and permissions on the \"edb_audit\" directory:\n\n> ls -ld /edb_audit\n\nIf the User owner is not \"enterprisedb\", this is a finding.\nIf the Group owner is not \"enterprisedb\", this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances.","fixText":"Run these commands as the \"root\" user (or user with sudo privileges) from the EDB Postgres Advanced Server data (PGDATA) directory:\n\n> chown enterprisedb edb_audit\n> chgrp enterprisedb edb_audit\n> chmod 700 edb_audit\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances."},{"id":"efb3e57b-3fae-45c7-86c5-cb99622668f3","vulnId":"V-259230","severity":"medium","ruleTitle":"The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized deletion.","description":"$2a","checkContent":"Verify User ownership, Group ownership, and permissions on the \"edb_audit\" directory:\n\n> ls -ld /edb_audit\n\nIf the User owner is not \"enterprisedb\", this is a finding.\nIf the Group owner is not \"enterprisedb\", this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances.","fixText":"Run these commands as the \"root\" user (or user with sudo privileges) from the EDB Postgres Advanced Server data (PGDATA) directory:\n\n> chown enterprisedb edb_audit\n> chgrp enterprisedb edb_audit\n> chmod 700 edb_audit\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances."},{"id":"ab2b62b5-6bde-43c7-8986-62b9b3c11467","vulnId":"V-259231","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect its audit features from unauthorized access.","description":"$2b","checkContent":"Verify User ownership, Group ownership, and permissions on the \"edb_audit\" directory:\n\n> ls -ld /edb_audit\n\nIf the User owner is not \"enterprisedb\", this is a finding.\nIf the Group owner is not \"enterprisedb\", this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances.","fixText":"Run these commands as the \"root\" user (or user with sudo privileges) from the EDB Postgres Advanced Server data (PGDATA) directory:\n\n> chown enterprisedb edb_audit\n> chgrp enterprisedb edb_audit\n> chmod 700 edb_audit\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances."},{"id":"5e246df6-1929-4730-8084-2e5273176375","vulnId":"V-259232","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect its audit configuration from unauthorized modification.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the modification of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Verify User ownership, Group ownership, and permissions on the \"edb_audit\" directory:\n\n> ls -ld /edb_audit\n\nIf the User owner is not \"enterprisedb\", this is a finding\nIf the Group owner is not \"enterprisedb\", this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances.","fixText":"Run these commands as the \"root\" user (or user with sudo privileges) from the EDB Postgres Advanced Server data (PGDATA) directory:\n\n> chown enterprisedb edb_audit\n> chgrp enterprisedb edb_audit\n> chmod 700 edb_audit\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances."},{"id":"ff50eeb8-d45c-446e-bbc2-8af15a65866a","vulnId":"V-259233","severity":"medium","ruleTitle":"The EDB Postgres Advanced Server must protect its audit features from unauthorized removal.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Verify User ownership, Group ownership, and permissions on the \"edb_audit\" directory:\n\n> ls -ld /edb_audit\n\nIf the User owner is not \"enterprisedb\", this is a finding.\nIf the Group owner is not \"enterprisedb\", this is a finding.\nIf the directory is more permissive than 700, this is a finding.\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances.","fixText":"Run these commands as the \"root\" user (or user with sudo privileges) from the EDB Postgres Advanced Server data (PGDATA) directory:\n\n> chown enterprisedb edb_audit\n> chgrp enterprisedb edb_audit\n> chmod 700 edb_audit\n\nThe default path for the edb_audit directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances."},{"id":"60d8b2e8-8e09-4762-bfe8-43683c4dd99c","vulnId":"V-259234","severity":"medium","ruleTitle":"Software, applications, and configuration files that are part of, or related to, the EDB Postgres Advanced Server installation must be monitored to discover unauthorized changes.","description":"If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Monitoring is required for assurance that the protections are effective.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.","checkContent":"Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files is done.\n\nVerify the list of files and directories being monitored is complete.\n\nIf monitoring does not occur or is not complete, this is a finding.","fixText":"Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest (including file permissions and sizes) and compares them to the baseline report for the same will meet the requirement.\n\nUse file hashes or checksums for comparisons, as file dates may be manipulated by malicious users."},{"id":"84eb4014-2355-4472-ac66-2fc1efe3a261","vulnId":"V-259235","severity":"medium","ruleTitle":"EDB Postgres Advanced Server software modules, to include stored procedures, functions, and triggers must be monitored to discover unauthorized changes.","description":"If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Monitoring is required for assurance that the protections are effective.\n\nUnmanaged changes that occur to the logic modules within the database can lead to unauthorized or compromised installations.","checkContent":"Check the EDB Postgres configuration for a timed job that automatically checks all system and user-defined procedures, functions, and triggers for being modified by running the following EDB Postgres query:\n\nselect job, what from ALL_JOBS;\n\nAdditionally, in Postgres Enterprise Manager, navigate to the \"Jobs\" node of the database and examine the job from there.\n\nIf a timed job or the relation \"ALL_JOBS\" does not exist, check if the EDB Audit utility has been enabled to capture these changes. As the \"enterprisedb\" operating system user, run the following command:\n\n> psql edb -c \"SHOW edb_audit_statement\"\n\nThe output should return \"all\".\n\nIf neither a timed job or some other method is not implemented to check for procedures, functions, and triggers being modified such as enabling EDB auditing, this is a finding.","fixText":"Configure an EDB Postgres timed job that automatically checks all system and user-defined procedures, functions, and triggers for being modified, and in the event of such changes informs the proper personnel for evaluation and possible action. Refer to the EDB documentation for further information on how to configure a job using the DBMS_JOB package: https://www.enterprisedb.com/docs/epas/latest/reference/oracle_compatibility_reference/epas_compat_bip_guide/03_built-in_packages/05_dbms_job/\n\nAlternatively, the EDB audit utility can capture these changes by enabling as follows: Execute the following SQL as the \"enterprisedb\" operating system user:\n\n> psql edb -c \"ALTER SYSTEM SET edb_audit_statement = 'all'\"\n> psql edb -c \"SELECT pg_reload_conf()\""},{"id":"f407b25c-875c-4284-a995-f914104d493b","vulnId":"V-259236","severity":"high","ruleTitle":"The EDB Postgres Advanced Server software installation account must be restricted to authorized users.","description":"When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system.\n\nIf the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nDBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a great impact on database security and operation. It is especially important to grant privileged access to only those persons who are qualified and authorized to use them.","checkContent":"Review procedures for controlling, granting access to, and tracking use of the DBMS software installation account.\n\nIf access or use of this account is not restricted to the minimum number of personnel required or if unauthorized access to the account has been granted, this is a finding.","fixText":"Develop, document, and implement procedures to restrict and track use of the DBMS software installation account."},{"id":"58f14e05-7796-4eb4-adde-cc2c59140787","vulnId":"V-259237","severity":"medium","ruleTitle":"Database software, including EDB Postgres Advanced Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.","description":"$2c","checkContent":"Review the DBMS software library directory and note other root directories located on the same disk directory or any subdirectories.\n\nIf any non-DBMS software directories exist on the disk directory, examine or investigate their use. If any of the directories are used by other applications, including third-party applications that use the DBMS, this is a finding.\n\nOnly applications that are required for the functioning and administration, not use, of the DBMS should be located in the same disk directory as the DBMS software libraries.\n\nIf other applications are located in the same directory as the DBMS, this is a finding.","fixText":"Install all applications on directories separate from the DBMS software library directory. Relocate any directories or reinstall other application software that currently shares the DBMS software library directory."},{"id":"b36472d0-0db0-4d0a-8794-f5454188a074","vulnId":"V-259238","severity":"medium","ruleTitle":"Database objects must be owned by database/EDB Postgres Advanced Server principals authorized for ownership.","description":"Database objects include but are not limited to tables, indexes, storage, stored procedures, functions, triggers, and links to software external to the EDB Postgres Advanced Server, etc.\n\nWithin the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions as if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.\n\nConversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.","checkContent":"Review system documentation to identify accounts authorized to own database objects. Review accounts that own objects in the database(s) by running the following SQL command as the \"enterprisedb\" user:\n\npsql edb -c \"SELECT * FROM sys.all_objects;\"\n\nIf any database objects are found to be owned by users not authorized to own database objects, this is a finding.","fixText":"Assign ownership of authorized objects to authorized object owner accounts by running the following SQL command for each object to be changed:\n\nALTER

EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide

Checks (118)