An error occurred:

Check: CD12-00-006200

Crunchy Data PostgreSQL STIG: CD12-00-006200 (in versions v2 r2 through v1 r1)

Title

PostgreSQL must generate audit records when concurrent logons/connections by the same user from different workstations occur. (Cat II impact)

Discussion

For completeness of forensic analysis, it is necessary to track who logs on to PostgreSQL. Concurrent connections by the same user from multiple workstations may be valid use of the system; or such connections may be due to improper circumvention of the requirement to use the CAC for authentication, may indicate unauthorized account sharing, or may be because an account has been compromised. (If the fact of multiple, concurrent logons by a given user can be reliably reconstructed from the log entries for other events (logons/connections; voluntary and involuntary disconnections), then it is not mandatory to create additional log entries specifically for this).

Check Content

First, as the database administrator, verify that log_connections and log_disconnections are enabled by running the following SQL: $ sudo su - postgres $ psql -c "SHOW log_connections" $ psql -c "SHOW log_disconnections" If either is off, this is a finding. Next, verify that log_line_prefix contains sufficient information by running the following SQL: $ sudo su - postgres $ psql -c "SHOW log_line_prefix" If log_line_prefix does not contain at least %m %u %d %c, this is a finding.

Fix Text

Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. To ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging. First, as the database administrator (shown here as "postgres"), edit postgresql.conf: $ sudo su - postgres $ vi ${PGDATA?}/postgresql.conf Edit the following parameters as such: log_connections = on log_disconnections = on log_line_prefix = '< %m %u %d %c: >' Where: * %m is the time and date * %u is the username * %d is the database * %c is the session ID for the connection Now, as the system administrator, reload the server with the new configuration: $ sudo systemctl reload postgresql-${PGVER?}

Additional Identifiers

Rule ID: SV-233569r879877_rule

Vulnerability ID: V-233569

Group Title: SRG-APP-000506-DB-000353

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000172

The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-12

Audit Generation