Check: PPS9-00-001200
EDB Postgres Advanced Server v9.6 STIG:
PPS9-00-001200
(in versions v2 r3 through v1 r3)
Title
The EDB Postgres Advanced Server must generate audit records when privileges/permissions are retrieved. (Cat II impact)
Discussion
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.
Check Content
Execute the following SQL as enterprisedb: SHOW edb_audit_statement; If the result is not "all" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.
Fix Text
Execute the following SQL as enterprisedb: ALTER SYSTEM SET edb_audit_statement = 'all'; SELECT pg_reload_conf(); or Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.
Additional Identifiers
Rule ID: SV-213567r879561_rule
Vulnerability ID: V-213567
Group Title: SRG-APP-000091-DB-000066
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
Controls
Number | Title |
---|---|
AU-12 |
Audit Generation |