An error occurred:

Check: CD16-00-011200

Crunchy Data Postgres 16 STIG: CD16-00-011200 (in version v1 r1)

Title

PostgreSQL must generate audit records when successful logons or connections occur. (Cat II impact)

Discussion

For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to PostgreSQL.

Check Content

Note: The following instructions use the PGDATA and PGLOG environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG. As the database administrator (shown here as "postgres"), check if log_connections is enabled by running the following SQL: $ sudo su - postgres $ psql -c "SHOW log_connections" If log_connections is off, this is a finding. Verify the logs that the previous connection to the database was logged: $ sudo su - postgres $ cat ${PGDATA?}/${PGLOG?}/<latest_log> < 2024-02-16 15:54:03.934 UTC postgres postgres 56c64b8b.aeb: >LOG: connection authorized: user=postgres database=postgres If an audit record is not generated each time a user (or other principal) logs on or connects to PostgreSQL, this is a finding.

Fix Text

Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C. If logging is enabled the following configurations must be made to log connections, date/time, username, and session identifier. As the database administrator (shown here as "postgres"), edit postgresql.conf: $ sudo su - postgres $ vi ${PGDATA?}/postgresql.conf Edit the following parameters as such: log_connections = on log_line_prefix = '< %m %u %d %c: >' Where: * %m is the time and date * %u is the username * %d is the database * %c is the session ID for the connection As the system administrator, reload the server with the new configuration: $ sudo systemctl reload postgresql-${PGVER?}

Additional Identifiers

Rule ID: SV-261956r1000975_rule

Vulnerability ID: V-261956

Group Title: SRG-APP-000503-DB-000350

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000172

Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-12

Audit Generation