Check: PGS9-00-005200
PostgreSQL 9.x STIG:
PGS9-00-005200
(in versions v2 r4 through v1 r1)
Title
PostgreSQL must generate audit records when security objects are deleted. (Cat II impact)
Discussion
The removal of security objects from the database/PostgreSQL would seriously degrade a system's information assurance posture. If such an event occurs, it must be logged.
Check Content
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA. First, as the database administrator (shown here as "postgres"), create a test table stig_test, enable row level security, and create a policy by running the following SQL: $ sudo su - postgres $ psql -c "CREATE TABLE stig_test(id INT)" $ psql -c "ALTER TABLE stig_test ENABLE ROW LEVEL SECURITY" $ psql -c "CREATE POLICY lock_table ON stig_test USING ('postgres' = current_user)" Next, drop the policy and disable row level security: $ psql -c "DROP POLICY lock_table ON stig_test" $ psql -c "ALTER TABLE stig_test DISABLE ROW LEVEL SECURITY" Now, as the database administrator (shown here as "postgres"), verify the security objects deletions were logged: $ cat ${PGDATA?}/pg_log/<latest_log> 2016-03-30 14:54:18.991 EDT postgres postgres LOG: AUDIT: SESSION,11,1,DDL,DROP POLICY,,,DROP POLICY lock_table ON stig_test;,<none> 2016-03-30 14:54:42.373 EDT postgres postgres LOG: AUDIT: SESSION,12,1,DDL,ALTER TABLE,,,ALTER TABLE stig_test DISABLE ROW LEVEL SECURITY;,<none> If audit records are not produced when security objects are dropped, this is a finding.
Fix Text
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. Using pgaudit PostgreSQL can be configured to audit these requests. See supplementary content APPENDIX-B for documentation on installing pgaudit. With pgaudit installed the following configurations can be made: $ sudo su - postgres $ vi ${PGDATA?}/postgresql.conf Add the following parameters (or edit existing parameters): pgaudit.log = 'ddl' Now, as the system administrator, reload the server with the new configuration: # SYSTEMD SERVER ONLY $ sudo systemctl reload postgresql-${PGVER?} # INITD SERVER ONLY $ sudo service postgresql-${PGVER?} reload
Additional Identifiers
Rule ID: SV-214093r879872_rule
Vulnerability ID: V-214093
Group Title: SRG-APP-000501-DB-000336
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
Controls
Number | Title |
---|---|
AU-12 |
Audit Generation |