EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide

  • Version/Release: V2R3
  • Published: 2024-01-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
b
The EDB Postgres Advanced Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
AC-10 - Medium - CCI-000054 - V-224130 - SV-224130r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
EP11-00-000100
Vuln IDs
  • V-224130
  • V-100287
Rule IDs
  • SV-224130r879511_rule
  • SV-109391
Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (DoS) attack by exhausting connection resources; a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. This requirement addresses concurrent session control for a single account. It does not address concurrent sessions by a single user via multiple system accounts and it does not deal with the total number of sessions across all accounts. The capability to limit the number of concurrent sessions per user must be configured in, or added to, the DBMS (for example, by use of a logon trigger), when this is technically feasible. Note: it is not sufficient to limit sessions via a web server or application server alone, because legitimate users and adversaries can potentially connect to the DBMS by other means. The organization will need to define the maximum number of concurrent sessions by account type, by account, or a combination thereof. In deciding on the appropriate number, it is important to consider the work requirements of the various types of users. For example, two might be an acceptable limit for general users accessing the database via an application; but ten might be too few for a database administrator using a database management GUI tool, where each query tab and navigation pane may count as a separate session. (Sessions may also be referred to as connections or logons, which for the purposes of this requirement are synonyms.) Note that by default if no connection limit is specified, when a Postgres database user is created it will be allowed to have an unlimited number of concurrent sessions. The EDB Postgres CREATE USER and the PostgreSQL CREATE ROLE sql commands, which are used to create database users, provide a CONNECTION LIMIT option for configuring the allowable number of concurrent sessions for a user. It is good administrative practice to use this option to set the connection limit when new users are created. However, if a user was created without a connection limit or if the assigned connection limit needs to be changed, the CONNECTION LIMIT option can be set using the ALTER USER and ALTER ROLE commands.
Checks: C-25803r495410_chk

Determine whether the system documentation specifies limits on the number of concurrent DBMS sessions per account by type of user. If it does not, assume a limit of 10 for database administrators and 2 for all other users. Execute the following SQL as enterprisedb: SELECT rolname, rolconnlimit FROM pg_roles; If rolconnlimit is -1 or larger than the system documentation limits for any rolname, this is a finding.

Fix: F-25791r495411_fix

Execute the following SQL as enterprisedb: SELECT rolname, rolconnlimit FROM pg_roles; For any roles where rolconnlimit is -1 or larger than the system documentation limits, execute this SQL as enterprisedb: ALTER USER <role> WITH CONNECTION LIMIT <desired connection limit>;

c
The EDB Postgres Advanced Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
AC-2 - High - CCI-000015 - V-224131 - SV-224131r879522_rule
RMF Control
AC-2
Severity
High
CCI
CCI-000015
Version
EP11-00-000700
Vuln IDs
  • V-224131
  • V-100289
Rule IDs
  • SV-224131r879522_rule
  • SV-109393
Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization. A comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores, such as multiple servers. Account management functions can also include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephone notification to report atypical system account usage. The EDB Postgres Advanced Server must be configured to automatically utilize organization-level account management functions, and these functions must immediately enforce the organization's current account policy. Automation may be comprised of differing technologies that when placed together contain an overall mechanism supporting an organization's automated account management requirements.
Checks: C-25804r495413_chk

Verify that the Postgres host-based authentication file (i.e., pg_hba.conf) has been configured so that database users are authenticated using credentials supplied by the organization-level authentication/access system. If it has been configured correctly, this is not a finding. Actions to verify: Verify none of the uncommented entries in the pg_hba.conf include: "trust", "sha-256-scram", "md5", "ident", "peer”, or "password" as allowable access methods. Verify options are set to the correct values for the specific environment. Note: The default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW hba_file" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). To verify the pg_hba.conf file is not using the access methods listed above, open the pg_hba.conf file in a text editor and inspect the contents of the file, looking for uncommented lines with these methods. Optionally, the following command can be run from a Windows command prompt to identify any uncommented lines in the pg_hba.conf file that may be using these methods: type &lt;postgresql pg_hba.conf directory&gt;\pg_hba.conf | findstr /N "scram-sha-256 md5 trust password peer ident" | find /V /N "#" Note: For the command above, if the path to the pg_hba.conf file contains spaces in it, the path to the file (including the file name) must be placed in double quotes. If any uncommented lines are identified, verify that the users are documented as being authorized to use one of these access methods. If the users are not authorized to use these access methods, this is a finding.

Fix: F-25792r495414_fix

Identify any user using "trust", "sha-256-scram", md5", "ident", "peer" or "password" as allowable access methods. To identify users in the pg_hba.conf file using the methods listed above, open the pg_hba.conf file in a text editor, and inspect the contents of the file, looking for uncommented lines with these methods. Optionally, the following command can be run from a Windows command prompt to identify any uncommented lines in the pg_hba.conf file that may be using these methods: type <postgresql pg_hba.conf directory>\pg_hba.conf | findstr /N "scram-sha-256 md5 trust password peer ident" | find /V /N "#" Note: If the path to the pg_hba.conf file contains spaces in it, the path to the file (including the file name) should be placed in double quotes. Document any rows that have "trust", "sha-256-scram", "md5", "ident", "peer”, or "password" specified for the "METHOD" column and obtain appropriate approval for each user specified in the "USER" column (i.e., all DBMS managed accounts). For any users not documented and approved as DBMS managed accounts, change the "METHOD" column to one of the externally managed (not "trust", "sha-256-scram", "md5", "ident", "peer" or "password") options defined here: https://www.postgresql.org/docs/current/static/auth-methods.html

c
The EDB Postgres Advanced Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-3 - High - CCI-000213 - V-224132 - SV-224132r879530_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
EP11-00-000800
Vuln IDs
  • V-224132
  • V-100291
Rule IDs
  • SV-224132r879530_rule
  • SV-109395
Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access the DBMS. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems, including databases, must be properly configured to implement access control policies. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. This requirement is applicable to access control enforcement applications, a category that includes database management systems. If the DBMS does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.
Checks: C-25805r495416_chk

Review the system security plan or equivalent documentation to determine the allowed permissions on database objects for each database role or user as well as the database authentication methods that are allowed for each role or user. If this documentation is missing, this is a finding. Review the permissions actually in place for the EDB postgres cluster (i.e., instance). First check the privileges of all users and roles in the database by running the following command from the Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "\du" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If any users or roles have privileges that exceed those that are documented, this is a finding. Next check the privileges that have been granted on the tables, views, and sequences in the database by running the following command from the Windows command prompt for each database in the EDB postgres instance: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "\dp" If the privileges assigned to these objects for any users or roles exceeds those that have been documented, this is a finding. Next as a user that has permission to view the contents of the pg_hba.conf file, review the authentication settings that are configured in that file. Note that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW hba_file" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If any entries do not match the documented authentication requirements, this is a finding.

Fix: F-25793r495417_fix

Use GRANT, REVOKE, ALTER statements to add and remove permissions on database objects, bringing them into line with the documented requirements. To change authentication requirements for the database, as a user with permissions to edit the pg_hba.conf, edit the entries in the file to comply with the documented organizational authentication requirements. See the official PostgreSQL documentation for the complete list of options for authentication: http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html

b
The EDB Postgres Advanced Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
AU-10 - Medium - CCI-000166 - V-224133 - SV-224133r879554_rule
RMF Control
AU-10
Severity
Medium
CCI
CCI-000166
Version
EP11-00-000900
Vuln IDs
  • V-224133
  • V-100293
Rule IDs
  • SV-224133r879554_rule
  • SV-109397
Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database. In designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables, and configuring the DBMS' audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, group account.
Checks: C-25806r495419_chk

If there are no shared accounts available to more than one user, this is not a finding. If a shared account is used by an application to interact with the database, review the System Security Plan, the tables in the database, and the application source code/documentation to determine whether the application captures the individual user's identity and stores that identity in the audit log or along with all data inserted and updated (also with all records of reads and/or deletions, if these are required to be logged). The EDB audit feature provides the ability to include application user information with the database audit log using the edb_audit_tag session parameter. If all database shared accounts are accessed via an application that uses the edb_audit_tag parameter to identify individual applications users, this is not a finding. If there are gaps in the application's ability to capture an individual user's identity, and the gaps and the risk are not defined in the system documentation and accepted by the AO, this is a finding. If users are sharing a group account to log on to EDB Postgres tools or third-party products that access the database, this is a finding. To ensure EDB auditing is enabled, execute the following SQL as enterprisedb: SHOW edb_audit; If the result is not "csv" or "xml", this is a finding.

Fix: F-25794r495420_fix

Use accounts assigned to individual users where feasible. Configure the DBMS to provide individual accountability at the DBMS level, and in audit logs, for actions performed under a shared database account. Modify any applications that use a shared database account to capture individual application user identities to the audit log using the edb_audit_tag or to the data tables. Create and enforce the use of individual user IDs for logging on to EDB Postgres tools and third-party products. If EDB auditing is not already enabled, enable it. Execute the following SQL as enterprisedb: ALTER SYSTEM SET edb_audit = csv; SELECT pg_reload_conf(); or ALTER SYSTEM SET edb_audit = xml; SELECT pg_reload_conf();

b
The EDB Postgres Advanced Server must be configured to provide audit record generation capability for DoD-defined auditable events within all EDB Postgres Advanced Server/database components.
AU-12 - Medium - CCI-000169 - V-224134 - SV-224134r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
EP11-00-001000
Vuln IDs
  • V-224134
  • V-100295
Rule IDs
  • SV-224134r879559_rule
  • SV-109399
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the DBMS (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the DBMS will provide an audit record generation capability as the following: (i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); (ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities, or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and (iii) All account creation, modification, disabling, and termination actions. Organizations may define additional events requiring continuous or ad hoc auditing.
Checks: C-25807r495422_chk

Verify, using vendor and system documentation if necessary, that the DBMS is configured to use EDB's auditing features and configured to satisfy this requirement. Execute the following SQL as the enterprisedb database user or another database superuser to check if EDB auditing is enabled: SHOW edb_audit; If the result is not "csv" or "xml", this is a finding. If organization-defined auditable events are not being audited, this is a finding.

Fix: F-25795r495423_fix

Configure the DBMS's auditing to audit organization-defined auditable events. Execute the following SQL as enterprisedb to ensure that EDB Auditing is enabled: ALTER SYSTEM SET edb_audit = csv; SELECT pg_reload_conf(); or ALTER SYSTEM SET edb_audit = xml; SELECT pg_reload_conf(); Configure EDB audit settings to audit organization-defined auditable events in accordance with the information documented in the EDB Postgres Advanced Server Guide.

b
The EDB Postgres Advanced Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
AU-12 - Medium - CCI-000171 - V-224135 - SV-224135r879560_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
EP11-00-001100
Vuln IDs
  • V-224135
  • V-100297
Rule IDs
  • SV-224135r879560_rule
  • SV-109401
Without the capability to restrict the types of roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events. Suppression of auditing could permit an adversary to evade detection. Misconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-25808r495425_chk

Check DBMS settings and documentation to determine whether designated personnel can select which auditable events are being audited. If designated personnel are not able to configure auditable events, this is a finding. If EDB Audit is being used, the EDB Audit settings may only be configured by Operating System users authorized to edit the cluster's postgresql.conf file or by database superusers. As such, the permissions associated with the postgresql.conf file must be checked as well as the database roles assigned to database users. In addition, database parameters, including the EDB Audit settings, may be specified via server startup command options. Users assigned "Modify" permission or greater on the postgresql data directory and its contents will be able to start the postgres database cluster. Therefore, only authorized users should be assigned these permissions. 1) Check Postgresql Data Directory Ownership and Permissions: First, determine ownership of the postgresql data directory folder. This can be done using Windows Explorer or via a Windows command prompt. Note: The default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW data_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). Using Windows Explorer: Browse to the directory where the postgresql data directory folder is located. Select and right-click on the folder, select "Properties", select the "Security" tab, and select the "Advanced" button. Note the Value of the Owner field. Using the Windows command prompt, enter the following command: dir "&lt;postgresql data directory&gt;" /Q /S Note: The above command will list all of the files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If the owner listed for the folder and any of the files and subfolders in the data directory is not authorized to own the folder and its content, this is a finding. Next, check the permissions assigned to the postgresql data directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the postgresql data directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Review the users and groups and permissions assigned to them for the folder. Using a Windows command prompt, the following command may be used to list file permissions: icacls "&lt;postgresql data directory&gt;" icacls "&lt;postgresql data directory&gt;\*" Review the users and groups and permissions assigned to them for the file(s). Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If permissions are granted to Everyone or to the Users group, this is a finding. If any account other than the database service account, software owner accounts, Administrators, DBAs, System group, or other documented users authorized to start a postgresql database cluster are listed, this is a finding. 2) Check Postgresql Configuration File Ownership and Permissions: First, determine ownership of the postresql.conf file(s). This can be done using Windows Explorer or via a Windows command prompt. Note that the default location for the postgresql.conf file is in the postgresql data directory. The location of the postgresql.conf file for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW config_file" Using Windows Explorer: Browse to the directory where the postgresql.conf file is located. Select and right-click on the postgresql.conf file, select "Properties", and select the "Details" tab. Note the Value of the Owner field. Using the Windows command prompt, enter the following command: dir "&lt;directory where postgresql.conf is located&gt;\postgresql*.conf" /Q Review the system security documentation. If the owner listed for the file(s) is not authorized to own the file(s) this is a finding. Next, check the permissions assigned to the postgresql configuration files. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the postgresql.conf file is located. Select and right-click on the postgresql.conf file, select "Properties", and select the "Security" tab. Review the users and groups and permissions assigned to them for the file. Using a Windows command prompt, the following command may be used to list file permissions: icacls "&lt;directory where postgresql.conf is located&gt;\postgresql*.conf" Review the users and groups and permissions assigned to them for the file(s). Review the system security documentation. If permissions are granted to Everyone or to the Users group, this is a finding. If any account other than the database service account, software owner accounts, Administrators, DBAs, System group, or other documented users authorized to make changes to the configuration parameters of this database are listed, this is a finding. Note: Since the postgresql.conf file may utilize include and include_dir statements to include additional parameter organizational specified configuration files, review the contents of the postgresql.conf file to determine if any uncommented include or include_dir statements are specified in the file. If these statements are found, the file ownership and permissions assigned to the files specified by these statements should also be checked. If any unauthorized users are owners of the files or have permission to edit the files this is a finding. 3) Check Database Users Assigned Superuser Privileges: Use psql to connect to the db as enterprisedb and run this command: \du If any unauthorized users/roles are listed as a superuser, this is a finding.

Fix: F-25796r495426_fix

If a non-EDB provided database auditing solution or a custom auditing solution is being used, configure the DBMS's settings according to the documentation provided for those solutions to allow designated personnel to select which auditable events are audited. If EDB Auditing is being used, perform the following actions as necessary to address any findings: 1) Postgresql Data Directory Ownership and Permissions: If the postgresql data directory and its contents are owned by unauthorized users, change ownership to an authorized user. Restrict access on the postgresql data directory to the database service account, software owner accounts, Administrators, DBAs, System group, or other documented users authorized to start a postgresql database cluster. 2) Postgresql Configuration File Ownership and Permissions: If the postgresql configuration file(s) is owned by an unauthorized user, change ownership to an authorized user. Restrict write access on Postgres configuration file(s) the database service account, software owner accounts, Administrators, DBAs, System group, or other documented users authorized to edit the file(s). 3) Database Users Assigned Superuser Privileges: Remove superuser rights from unauthorized database users via the ALTER ROLE or ALTER USER SQL command. The syntax is: ALTER ROLE <role> NOSUPERUSER or ALTER USER <user> NOSUPERUSER Example: ALTER ROLE testuser NOSUPERUSER; OR ALTER USER testuser NOSUPERUSER; See PostgreSQL and/or EDB Postgres Advanced Server documentation for details.

b
The EDB Postgres Advanced Server must generate audit records for DoD-defined auditable events.
AU-12 - Medium - CCI-000172 - V-224136 - SV-224136r879561_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
EP11-00-001200
Vuln IDs
  • V-224136
  • V-100299
Rule IDs
  • SV-224136r879561_rule
  • SV-109403
The EDB Postgres Advanced Server must generate audit records for DoD-defined auditable events within all DBMS/database components. Audit records should contain (at a minimum): -Time stamps to establish when the events occurred -Sufficient information to establish what type of events occurred -Sufficient information to establish where the events occurred -Sufficient information to establish the sources (origins) of the events -Sufficient information to establish the outcome (success or failure) of the events -Sufficient information to establish the identity of any user/subject or process associated with the event Audit record content which may be necessary to investigate the events relating to an incident or identify those responsible for one. Audit policy includes, for example, time stamps, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as application components, modules, session identifiers, filenames, host names, and functionality. The list of minimum DoD-defined audit events includes: -When privileges/permissions are retrieved, added, modified or deleted -When unsuccessful attempts to retrieve, add, modify, delete privileges/permissions occur -Enforcement of access restrictions associated with changes to the configuration of the database(s) -When security objects are accessed, modified, or deleted -When unsuccessful attempts to access, modify, or delete security objects occur -When categories of information (e.g., classification levels/security levels) are accessed, created, modified, or deleted -When unsuccessful attempts to access, create, modify, or delete categorized information occur -All privileged activities or other system-level access -When unsuccessful attempts to execute privileged activities or other system-level access occur -When successful or unsuccessful access to objects occur For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. Satisfies: SRG-APP-000095-DB-000039, SRG-APP-000091-DB-000325, SRG-APP-000096-DB-000040, SRG-APP-000097-DB-000041, SRG-APP-000098-DB-000042, SRG-APP-000099-DB-000043, SRG-APP-000100-DB-000201, SRG-APP-000381-DB-000361, SRG-APP-000492-DB-000332, SRG-APP-000492-DB-000333, SRG-APP-000494-DB-000344, SRG-APP-000494-DB-000345, SRG-APP-000495-DB-000326, SRG-APP-000495-DB-000327, SRG-APP-000495-DB-000328, SRG-APP-000495-DB-000329, SRG-APP-000496-DB-000334, SRG-APP-000496-DB-000335, SRG-APP-000498-DB-000346, SRG-APP-000498-DB-000347, SRG-APP-000499-DB-000330, SRG-APP-000499-DB-000331, SRG-APP-000501-DB-000336, SRG-APP-000501-DB-000337, SRG-APP-000502-DB-000348, SRG-APP-000502-DB-000349, SRG-APP-000504-DB-000354, SRG-APP-000504-DB-000355, SRG-APP-000507-DB-000356, SRG-APP-000507-DB-000357
Checks: C-25809r495428_chk

Execute the following SQL as enterprisedb: SHOW edb_audit_statement; If the result is not "all" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.

Fix: F-25797r495429_fix

Execute the following SQL as enterprisedb: ALTER SYSTEM SET edb_audit_statement = 'all'; SELECT pg_reload_conf(); or Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.

b
The EDB Postgres Advanced Server must initiate support of session auditing upon startup.
AU-14 - Medium - CCI-001464 - V-224138 - SV-224138r879562_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001464
Version
EP11-00-001400
Vuln IDs
  • V-224138
  • V-100303
Rule IDs
  • SV-224138r879562_rule
  • SV-109407
Session auditing is used when a user's activities are under investigation. To ensure all activity is captured during those periods when session auditing is in use, it must be in operation for the entire time the DBMS is running.
Checks: C-25811r495434_chk

Execute the following SQL as enterprisedb to ensure auditing is enabled: SHOW edb_audit; If the result is not "csv" or "xml", this is a finding. Execute the following SQL as enterprisedb to check which events are configured to be audited: SHOW edb_audit_statement; If the result is not "all" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.

Fix: F-25799r495435_fix

If EDB Auditing is not enabled, execute the following SQL as enterprisedb: ALTER SYSTEM SET edb_audit = csv; SELECT pg_reload_conf(); or ALTER SYSTEM SET edb_audit = xml; SELECT pg_reload_conf(); If the edb_audit_statement parameter values is not set to "all" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, execute the following SQL as enterprisedb: ALTER SYSTEM SET edb_audit_statement = 'all'; SELECT pg_reload_conf(); or Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.

b
The EDB Postgres Advanced Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
AU-3 - Medium - CCI-000135 - V-224145 - SV-224145r879569_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
EP11-00-002200
Vuln IDs
  • V-224145
  • V-100317
Rule IDs
  • SV-224145r879569_rule
  • SV-109421
Information system auditing capability is critical for accurate forensic analysis. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. To support analysis, some types of events will need information to be logged that exceeds the basic requirements of event type, time stamps, location, source, outcome, and user identity. If additional information is not available, it could negatively impact forensic investigations into user actions or other malicious events. The organization must determine what additional information is required for complete analysis of the audited events. The additional information required is dependent on the type of information (e.g., sensitivity of the data and the environment within which it resides). At a minimum, the organization must employ either full-text recording of privileged commands or the individual identities of group users, or both. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Examples of detailed information the organization may require in audit records are full-text recording of privileged commands or the individual identities of group account users. In EnterpriseDB Postgres Plus Advanced Server, the edb_audit_tag can be used to record additional information. This tag can be set to different values by different sessions (connections), and can be set to new values any number of times. How to recognize the conditions for producing such audit data must be determined and coded for as part of application and database design.
Checks: C-25818r495455_chk

Review the system documentation to identify what additional information the organization has determined necessary. Check application and database design, and existing audit records to verify that all organization-defined additional, more detailed information is in the audit records for audit events identified by type, location, or subject. If any additional information is defined and is not included in the audit records, this is a finding.

Fix: F-25806r495456_fix

Execute the following SQL to set additional detailed information for the audit records in the session: set edb_audit_tag = '<information>'; Replace <information> with a character string holding the additional data that must be captured. To set this in a trigger, an example is included below. Keep in mind that the edb_audit_tag is set for the life of the session, not just the life of the insert command: CREATE OR REPLACE FUNCTION add_audit_info() RETURNS trigger AS $BODY $BEGIN SET edb_audit_tag = '<information>'; RETURN NEW; END; $BODY $LANGUAGE plpgsql; CREATE TRIGGER add_audit_info_trigger BEFORE INSERT ON <table> FOR EACH ROW EXECUTE PROCEDURE add_audit_info();

b
The EDB Postgres Advanced Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
AU-5 - Medium - CCI-000140 - V-224146 - SV-224146r879571_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
EP11-00-002300
Vuln IDs
  • V-224146
  • V-100319
Rule IDs
  • SV-224146r879571_rule
  • SV-109423
It is critical that when the DBMS is at risk of failing to process audit logs as required, action be taken to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When the need for system availability does not outweigh the need for a complete audit trail, the DBMS should shut down immediately, rolling back all in-flight transactions. Systems where audit trail completeness is paramount will most likely be at a lower MAC level than MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid a shutdown in all but the most extreme situations.
Checks: C-25819r495458_chk

If Postgres Enterprise Manager (PEM) is installed and configured to shut down the database when the audit log is full, this is not a finding. Otherwise, review the procedures, manual and/or automated, for monitoring the space used by audit trail(s) and for off-loading audit records to a centralized log management system. If the procedures do not exist, this is a finding. If the procedures exist, request evidence that they are followed. If the evidence indicates that the procedures are not followed, this is a finding. If the procedures exist, inquire if the system has ever run out of audit trail space in the last two years or since the last system upgrade, whichever is more recent. If it has run out of space in this period, and the procedures have not been updated to compensate, this is a finding.

Fix: F-25807r495459_fix

Modify DBMS, OS, or third-party logging application settings to alert appropriate personnel when a specific percentage of log storage capacity is reached. If EDB Postgres Enterprise Manager (PEM) is in use, it may be configured to issue an alert, send an email to designated personnel, and shut down the EDB Postgres Advanced Server instance when the audit log mount point is at 99 percent full. Refer to the Supplemental Procedures document, supplied with this STIG, for guidance on configuring PEM alerts.

c
The EDB Postgres Advanced Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
AU-5 - High - CCI-000140 - V-224147 - SV-224147r879571_rule
RMF Control
AU-5
Severity
High
CCI
CCI-000140
Version
EP11-00-002400
Vuln IDs
  • V-224147
  • V-100321
Rule IDs
  • SV-224147r879571_rule
  • SV-109425
It is critical that when the DBMS is at risk of failing to process audit logs as required, action be taken to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When availability is an overriding concern, approved actions in response to an audit failure are as follows: (i) If the failure was caused by the lack of audit record storage capacity, the DBMS must continue generating audit records, if possible (automatically restarting the audit service if necessary), and overwriting the oldest audit records in a first-in-first-out manner. (ii) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the DBMS must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server. Systems where availability is paramount will most likely be MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid audit data loss in all but the most extreme situations.
Checks: C-25820r495461_chk

If the system documentation indicates audit trail completeness takes precedence over availability this is not applicable (NA). If an externally managed and monitored partition or logical volume that can be grown dynamically is being used for logging, this is not a finding. If EDB Postgres Advanced Server (EPAS) is auditing to a directory that is not being actively checked for availability of disk space, and if a tool, utility, script, or other mechanism is not being used to ensure sufficient disk space is available for the creation of new audit logs, this is a finding. If a tool, utility, script, or other mechanism is being used to rotate audit logs and oldest logs are not being removed to ensure sufficient space for newest logs or oldest logs are not being replaced by newest logs, this is a finding.

Fix: F-25808r495462_fix

Establish a process with accompanying tools for monitoring available disk space and ensuring that sufficient disk space is maintained in order to continue generating audit logs, overwriting the oldest existing records if necessary. If the organization does not employ an existing log management utility, the following example identifies one approach that may be followed to rotate EDB audit log files on Windows. Determine the maximum size of the audit log directory. For this example fix, assume the audit log directory must have a maximum size of 100MB. Divide the maximum size of the directory by 10 to determine the size of the log files for rotation. For this example, the audit log file size will be set to 10Mb. Perform the following steps to ensure that the audit log directory is never more than 90% full and the oldest logs are removed to make room for new logs: 1) Execute the following SQL statements to review current auditing related settings and to configure EPAS to generate a new audit log file when the current log file has reached the log file size determined above (10 Mb): -- List current EDB Audit settings SELECT name, setting FROM pg_settings WHERE category LIKE 'EnterpriseDB Audit%' ORDER BY name; /* * Note: If edb_audit is not set to 'csv' or 'xml', auditing is not enabled. * To enable EDB auditing, issue one of the following SQL statements: * * ALTER SYSTEM SET edb_audit TO 'xml'; * * or * * ALTER SYSTEM SET edb_audit TO 'csv'; * */ -- Set edb_audit_filename parameter to ensure unique name for each log file that is generated ALTER SYSTEM SET edb_audit_filename TO 'audit-%Y%m%d_%H%M%S'; -- Set edb_audit_rotation_size to desired maximum file size (e.g., 10 Mb) ALTER SYSTEM SET edb_audit_rotation_size TO 10; -- Reload configuration settings to put the updated settings into effect SELECT pg_reload_conf(); -- List current EDB Audit settings to confirm updates are in place SELECT name, setting FROM pg_settings WHERE category LIKE 'EnterpriseDB Audit%' ORDER BY name; 2) Using a text editor, create a Windows batch file with the following content: @ECHO OFF SETLOCAL SET "targetdir=<Path to edb_audit Directory>" SET /a retain=8 FOR /f "skip=%retain%delims=" %%a IN ( 'dir /b /a-d /o-d "%targetdir%\audit-????????_??????.xml" ' ) DO DEL "%targetdir%\%%a" GOTO :EOF 3) Replace "<Path to edb_audit Directory>" for "targetdir" variable in the batch file (3rd line) to correspond to the EDB audit log directory configured for your EPAS instance. Note that the EDB audit log directory is configured by the edb_audit_directory parameter. By default, the edb_audit_directory is set to "edb_audit", which results in an "edb_audit" directory being created under the EPAS cluster's data directory for audit logs if auditing is enabled. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d <database name> -U <database superuser name> -c "SHOW data_directory" where, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If default setting of "edb_audit" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be <EDB Postgres data directory>\edb_audit. 4) Update the "retain" variable in the batch file (4th line) to correspond to the desired minimum number of audit log files that should be retained in the directory. It should be set so that sufficient headroom is maintained in the directory for log files generated between runs of the batch file. 5) Save the batch file to a location that would be accessible to the Windows Task Scheduler. For this example, save the file to "C:\Windows\System32\Manage_EDB_Audit_Logs.bat". 6) Using the Windows Task Scheduler, create a scheduled task to execute the Manage_EDB_Audit_Logs.bat file on a periodic basis. At a minimum, it is recommended that the task be scheduled to perform this action at least on an hourly basis. Depending on the various audit log settings and database activity, it may be necessary to configure the task to be run more frequently.

b
The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized read access.
AU-9 - Medium - CCI-000162 - V-224148 - SV-224148r879576_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
EP11-00-002600
Vuln IDs
  • V-224148
  • V-100323
Rule IDs
  • SV-224148r879576_rule
  • SV-109427
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. To ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, copy, etc. This requirement can be achieved through multiple methods which will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions utilizing file system protections and limiting log data location. Additionally, applications with user interfaces to audit records should not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring that audit information is protected from unauthorized access. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
Checks: C-25821r495464_chk

The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to "edb_audit", which results in a directory name "edb_audit" being created under the postgresql data directory. The location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW edb_audit_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). Note that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW data_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If the default path is used for the postgresql data directory and the default setting of "edb_audit" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be &lt;EDB Postgres data directory&gt;\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different. First, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Security" tab, and select the "Advanced" button. Note the Value of the Owner field. Using the Windows command prompt, enter the following command, replacing &lt;EDB Audit directory&gt; with the correct path for the EDB audit directory: dir "&lt;EDB Audit directory&gt;" /Q /S Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. Next, check the permissions assigned to the EDB audit directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Review the users and groups and permissions assigned to them for the folder. Using a Windows command prompt, the following command may be used to list file permissions: icacls "&lt;EDB Audit directory&gt;" icacls "&lt;EDB Audit directory&gt;\*" Review the users and groups and permissions assigned to them for the file(s). Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If read or greater permissions are granted to Everyone or to the Users group, this is a finding. If any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding. If any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding. If any permissions are listed for any account other than the database service account not identified in the system documentation as being approved for the permission, this is a finding.

Fix: F-25809r495465_fix

1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account. If the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Securities" tab, and select the "Advanced" button. Select the "Change" link shown next to the owner of the folder to change the folder's owner. Alternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt. 2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Modify the security permissions to: NT AUTHORITY/NetworkService (or configured database service account) (Full Control) Administrators (Read) Users (none) Alternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt. If other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.

b
The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-224149 - SV-224149r879577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
EP11-00-002700
Vuln IDs
  • V-224149
  • V-100325
Rule IDs
  • SV-224149r879577_rule
  • SV-109429
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods that will depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions and limiting log data locations. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Modification of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database.
Checks: C-25822r495467_chk

The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to "edb_audit", which results in a directory name "edb_audit" being created under the postgresql data directory. The location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW edb_audit_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). Note that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW data_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If the default path is used for the postgresql data directory and the default setting of "edb_audit" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be &lt;EDB Postgres data directory&gt;\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different. First, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Security" tab, and select the "Advanced" button. Note the Value of the Owner field. Using the Windows command prompt, enter the following command, replacing &lt;EDB Audit directory&gt; with the correct path for the EDB audit directory: dir "&lt;EDB Audit directory&gt;" /Q /S Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. Next, check the permissions assigned to the EDB audit directory folder and its content. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Review the users and groups and permissions assigned to them for the folder. Using a Windows command prompt, the following command may be used to list file permissions: icacls "&lt;EDB Audit directory&gt;" icacls "&lt;EDB Audit directory&gt;\*" Review the users and groups and permissions assigned to them for the file(s). Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If read or greater permissions are granted to Everyone or to the Users group, this is a finding. If any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding. If any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding. If any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.

Fix: F-25810r495468_fix

1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account. If the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Securities" tab, and select the "Advanced" button. Select the "Change" link shown next to the owner of the folder to change the folder's owner. Alternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt. 2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Modify the security permissions to: NT AUTHORITY/NetworkService (or configured database service account) (Full Control) Administrators (Read) Users (none) Alternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt. If other permissions have been granted to other users or groups, ensure the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.

b
The audit information produced by the EDB Postgres Advanced Server must be protected from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-224150 - SV-224150r879578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
EP11-00-002800
Vuln IDs
  • V-224150
  • V-100327
Rule IDs
  • SV-224150r879578_rule
  • SV-109431
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files enjoy the proper file system permissions utilizing file system protections; restricting access; and backing up log data to ensure log data is retained. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys to make access decisions regarding the deletion of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Deletion of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database.
Checks: C-25823r495470_chk

The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to "edb_audit", which results in a directory name "edb_audit" being created under the postgresql data directory. The location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW edb_audit_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). Note that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW data_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If the default path is used for the postgresql data directory and the default setting of "edb_audit" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be &lt;EDB Postgres data directory&gt;\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different. First, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Security" tab, and select the "Advanced" button. Note the Value of the Owner field. Using the Windows command prompt, enter the following command, replacing &lt;EDB Audit directory&gt; with the correct path for the EDB audit directory: dir "&lt;EDB Audit directory&gt;" /Q /S Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. Next, check the permissions assigned to the EDB audit directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Review the users and groups and permissions assigned to them for the folder. Using a Windows command prompt, the following command may be used to list file permissions: icacls "&lt;EDB Audit directory&gt;" icacls "&lt;EDB Audit directory&gt;\*" Review the users and groups and permissions assigned to them for the file(s). Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If read or greater permissions are granted to Everyone or to the Users group, this is a finding. If any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding. If any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding. If any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.

Fix: F-25811r495471_fix

1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account. If the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Securities" tab, and select the "Advanced" button. Select the "Change" link shown next to the owner of the folder to change the folder's owner. Alternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt. 2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Modify the security permissions to: NT AUTHORITY/NetworkService (or configured database service account) (Full Control) Administrators (Read) Users (none) Alternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt. If other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.

b
The EDB Postgres Advanced Server must protect its audit features from unauthorized access.
AU-9 - Medium - CCI-001493 - V-224151 - SV-224151r879579_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
EP11-00-002900
Vuln IDs
  • V-224151
  • V-100329
Rule IDs
  • SV-224151r879579_rule
  • SV-109433
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, OS-provided audit tools, vendor-provided audit tools, and open source audit tools needed to successfully view and manipulate audit information system activity and records. If an attacker were to gain access to audit tools, he could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.
Checks: C-25824r495473_chk

The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to "edb_audit", which results in a directory name "edb_audit" being created under the postgresql data directory. The location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW edb_audit_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). Note that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW data_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If the default path is used for the postgresql data directory and the default setting of "edb_audit" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be &lt;EDB Postgres data directory&gt;\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different. First, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Security" tab, and select the "Advanced" button. Note the Value of the Owner field. Using the Windows command prompt, enter the following command, replacing &lt;EDB Audit directory&gt; with the correct path for the EDB audit directory: dir "&lt;EDB Audit directory&gt;" /Q /S Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. Next, check the permissions assigned to the EDB audit directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Review the users and groups and permissions assigned to them for the folder. Using a Windows command prompt, the following command may be used to list file permissions: icacls "&lt;EDB Audit directory&gt;" icacls "&lt;EDB Audit directory&gt;\*" Review the users and groups and permissions assigned to them for the file(s). Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If read or greater permissions are granted to Everyone or to the Users group, this is a finding. If any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding. If any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding. If any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.

Fix: F-25812r495474_fix

1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account. If the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Securities" tab, and select the "Advanced" button. Select the "Change" link shown next to the owner of the folder to change the folder's owner. Alternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt. 2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Modify the security permissions to: NT AUTHORITY/NetworkService (or configured database service account) (Full Control) Administrators (Read) Users (none) Alternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt. If other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.

b
The EDB Postgres Advanced Server must protect its audit configuration from unauthorized modification.
AU-9 - Medium - CCI-001494 - V-224152 - SV-224152r879580_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001494
Version
EP11-00-003000
Vuln IDs
  • V-224152
  • V-100331
Rule IDs
  • SV-224152r879580_rule
  • SV-109435
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the modification of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-25825r495476_chk

The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to "edb_audit", which results in a directory name "edb_audit" being created under the postgresql data directory. The location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW edb_audit_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). Note that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW data_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If the default path is used for the postgresql data directory and the default setting of "edb_audit" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be &lt;EDB Postgres data directory&gt;\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different. First, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Security" tab, and select the "Advanced" button. Note the Value of the Owner field. Using the Windows command prompt, enter the following command, replacing &lt;EDB Audit directory&gt; with the correct path for the EDB audit directory: dir "&lt;EDB Audit directory&gt;" /Q /S Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. Next, check the permissions assigned to the EDB audit directory folder and its content. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Review the users and groups and permissions assigned to them for the folder. Using a Windows command prompt, the following command may be used to list file permissions: icacls "&lt;EDB Audit directory&gt;" icacls "&lt;EDB Audit directory&gt;\*" Review the users and groups and permissions assigned to them for the file(s). Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If read or greater permissions are granted to Everyone or to the Users group, this is a finding. If any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding. If any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding. If any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.

Fix: F-25813r495477_fix

1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account. If the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Securities" tab, and select the "Advanced" button. Select the "Change" link shown next to the owner of the folder to change the folder's owner. Alternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt. 2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Modify the security permissions to: NT AUTHORITY/NetworkService (or configured database service account) (Full Control) Administrators (Read) Users (none) Alternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt. If other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.

b
The EDB Postgres Advanced Server must protect its audit features from unauthorized removal.
AU-9 - Medium - CCI-001495 - V-224153 - SV-224153r879581_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001495
Version
EP11-00-003100
Vuln IDs
  • V-224153
  • V-100333
Rule IDs
  • SV-224153r879581_rule
  • SV-109437
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the deletion of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-25826r495479_chk

The location of the EDB audit directory is specified via the edb_audit_directory parameter. By default, this parameter is set to "edb_audit", which results in a directory name "edb_audit" being created under the postgresql data directory. The location of the EDB Audit directory for a running EDB Postgres Advanced Server instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW edb_audit_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). Note that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW data_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If the default path is used for the postgresql data directory and the default setting of "edb_audit" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be &lt;EDB Postgres data directory&gt;\edb_audit. Depending on the version of EPAS that is installed, the options that were selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different. First, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Security" tab, and select the "Advanced" button. Note the Value of the Owner field. Using the Windows command prompt, enter the following command, replacing &lt;EDB Audit directory&gt; with the correct path for the EDB audit directory: dir "&lt;EDB Audit directory&gt;" /Q /S Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. Next, check the permissions assigned to the EDB audit directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Review the users and groups and permissions assigned to them for the folder. Using a Windows command prompt, the following command may be used to list file permissions: icacls "&lt;EDB Audit directory&gt;" icacls "&lt;EDB Audit directory&gt;\*" Review the users and groups and permissions assigned to them for the file(s). Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If read or greater permissions are granted to Everyone or to the Users group, this is a finding. If any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding. If any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding. If any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding.

Fix: F-25814r495480_fix

1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account. If the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Securities" tab, and select the "Advanced" button. Select the "Change" link shown next to the owner of the folder to change the folder's owner. Alternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt. 2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Modify the security permissions to: NT AUTHORITY/NetworkService (or configured database service account) (Full Control) Administrators (Read) Users (none) Alternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt. If other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.

b
Software, applications, and configuration files that are part of, or related to, the Postgres Plus Advanced Server installation must be monitored to discover unauthorized changes.
CM-5 - Medium - CCI-001499 - V-224154 - SV-224154r879586_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
EP11-00-003200
Vuln IDs
  • V-224154
  • V-100335
Rule IDs
  • SV-224154r879586_rule
  • SV-109439
If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Monitoring is required for assurance that the protections are effective. Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.
Checks: C-25827r495482_chk

Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files is done. Verify the list of files and directories being monitored is complete. If monitoring does not occur or is not complete, this is a finding.

Fix: F-25815r495483_fix

Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement. Use file hashes or checksums for comparisons, as file dates may be manipulated by malicious users.

b
EDB Postgres Advanced Server software modules, to include stored procedures, functions, and triggers must be monitored to discover unauthorized changes.
CM-5 - Medium - CCI-001499 - V-224155 - SV-224155r879586_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
EP11-00-003210
Vuln IDs
  • V-224155
  • V-100337
Rule IDs
  • SV-224155r879586_rule
  • SV-109441
If the system were to allow any user to make changes to software modules implemented within the database, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Monitoring is required for assurance that the protections are effective. Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.
Checks: C-25828r495485_chk

Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files is being performed. If the database schema (includes functions, procedures, schemas, extensions, etc.) is not being regularly checked for changes, this is a finding.

Fix: F-25816r495486_fix

Regularly run a check similar to this: move <postgresql data directory>\latest.schema <postgresql data directory>\previous.schema C:\Program Files\edb\as<version>\bin\pg_dump -s -d edb -f <postgresql data directory>\latest.schema FC <postgresql data directory>\previous.schema <postgresql data directory>\latest.schema If any differences are shown, ensure the differences are expected.

c
The EDB Postgres Advanced Server software installation account must be restricted to authorized users.
CM-5 - High - CCI-001499 - V-224156 - SV-224156r879586_rule
RMF Control
CM-5
Severity
High
CCI
CCI-001499
Version
EP11-00-003300
Vuln IDs
  • V-224156
  • V-100339
Rule IDs
  • SV-224156r879586_rule
  • SV-109443
When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system. If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed access to information system components for purposes of initiating changes, including upgrades and modifications. DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a great impact on database security and operation. It is especially important to grant privileged access to only those persons who are qualified and authorized to use them.
Checks: C-25829r495488_chk

Review procedures for controlling, granting access to, and tracking use of the DBMS software installation account. If access or use of this account is not restricted to the minimum number of personnel required or if unauthorized access to the account has been granted, this is a finding.

Fix: F-25817r495489_fix

Develop, document, and implement procedures to restrict and track use of the DBMS software installation account.

b
Database software, including EDB Postgres Advanced Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
CM-5 - Medium - CCI-001499 - V-224157 - SV-224157r879586_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
EP11-00-003400
Vuln IDs
  • V-224157
  • V-100341
Rule IDs
  • SV-224157r879586_rule
  • SV-109445
When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.
Checks: C-25830r495491_chk

Review the DBMS software library directory and note other root directories located on the same disk directory or any subdirectories. If any non-DBMS software directories exist on the disk directory, examine or investigate their use. If any of the directories are used by other applications, including third-party applications that use the DBMS, this is a finding. Only applications that are required for the functioning and administration, not use, of the DBMS should be located in the same disk directory as the DBMS software libraries. If other applications are located in the same directory as the DBMS, this is a finding.

Fix: F-25818r495492_fix

Install all applications on directories separate from the DBMS software library directory. Relocate any directories or reinstall other application software that currently shares the DBMS software library directory.

b
Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to the EDB Postgres Advanced Server, etc.) must be owned by database/EDB Postgres Advanced Server principals authorized for ownership.
CM-5 - Medium - CCI-001499 - V-224158 - SV-224158r879586_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
EP11-00-003500
Vuln IDs
  • V-224158
  • V-100343
Rule IDs
  • SV-224158r879586_rule
  • SV-109447
Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who utilizes the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals. Conversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.
Checks: C-25831r495494_chk

Review system documentation to identify accounts authorized to own database objects. Review accounts that own objects in the database(s) by running this SQL command: select * from sys.all_objects; If any database objects are found to be owned by users not authorized to own database objects, this is a finding.

Fix: F-25819r495495_fix

Assign ownership of authorized objects to authorized object owner accounts by running this SQL command for each object to be changed: ALTER <type> <object name> OWNER TO <new owner>; For example: ALTER TABLE my_table OWNER TO APP_USER;

b
The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the EDB Postgres Advanced Server, etc.) must be restricted to authorized users.
CM-5 - Medium - CCI-001499 - V-224159 - SV-224159r879586_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
EP11-00-003600
Vuln IDs
  • V-224159
  • V-100345
Rule IDs
  • SV-224159r879586_rule
  • SV-109449
If the DBMS were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.
Checks: C-25832r495496_chk

Use psql to connect to the db as enterprisedb and run this command: \dp *.* If any unauthorized roles have unauthorized accesses, this is a finding. Definitions of the access privileges are defined here: http://www.postgresql.org/docs/current/static/sql-grant.html

Fix: F-25820r495497_fix

Revoke unauthorized privileges. The syntax is: REVOKE <privilege> ON <object> FROM <role>. Example: REVOKE INSERT ON a FROM PUBLIC; See PostgreSQL documentation for details.

b
Default, demonstration and sample databases, database objects, and applications must be removed.
CM-7 - Medium - CCI-000381 - V-224160 - SV-224160r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
EP11-00-003700
Vuln IDs
  • V-224160
  • V-100347
Rule IDs
  • SV-224160r879587_rule
  • SV-109451
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plugins not related to requirements or providing a wide array of functionality, not required for every mission, that cannot be disabled. DBMSs must adhere to the principles of least functionality by providing only essential capabilities. Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the DBMS and host system.
Checks: C-25833r495498_chk

If EDB Postgres Advanced Server (EPAS) is hosted on a server that does not support production systems, and is designated for the deployment of samples and demonstrations, this is not applicable (NA). Review documentation and websites from EnterpriseDB and any other relevant vendors for vendor-provided demonstration or sample databases, database applications, schemas, objects, and files. Review the EPAS DBMS to determine if any of the demonstration and sample databases, schemas, database applications, or objects are installed in the database or are included with the DBMS application. If any are present in the database or are included with the DBMS application, this is a finding. Check for the existence of EDB Postgres sample databases: postgres and edb. To check Execute the following SQL as enterprisedb: SELECT datname FROM pg_database WHERE datistemplate = false; If any databases are listed here that are not documented as being used by the application, this is a finding. EDB Postgres provides the ability to install a set of sample tables and related objects in a postgres database via the installer or via the edb-sample.sql script installed with EDB Postgres Advanced Server (located in the &lt;EDB Postgres Installation Directory&gt;\installer\server directory by default). To check whether these sample tables have been installed, execute the following SQL as enterprisedb: SELECT * FROM dba_tables WHERE table_name IN ('EMP', 'DEPT', 'JOBHIST'); If any rows are returned that do not correspond to application tables, this is a finding. Postgres provides the ability to install a set of tables for benchmark purposes using the pgbench utility. To check whether these pgbench tables have been installed, execute the following SQL as enterprisedb: SELECT * FROM dba_tables WHERE table_name LIKE 'PGBENCH%'; If any rows are returned that do not correspond to application tables, this is a finding.

Fix: F-25821r495499_fix

Remove any unused sample databases or sample objects within a database from the DBMS. To remove a database, execute the follow SQL: DROP DATABASE <database>; To remove objects within a database, use the appropriate DROP statement (DROP TABLE, DROP VIEW, etc.).

b
Unused database components, EDB Postgres Advanced Server software, and database objects must be removed.
CM-7 - Medium - CCI-000381 - V-224161 - SV-224161r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
EP11-00-003800
Vuln IDs
  • V-224161
  • V-100349
Rule IDs
  • SV-224161r879587_rule
  • SV-109453
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives. DBMSs must adhere to the principles of least functionality by providing only essential capabilities.
Checks: C-25834r495501_chk

Open Control Program &gt;&gt; Programs &gt;&gt; Programs and Features. Look specifically for publishers of EnterpriseDB, pgAdmin, or PostgreSQL. If any programs are installed which are not documented as needed by the government program, this is a finding.

Fix: F-25822r495502_fix

Open Control Program >> Programs >> Programs and Features. Select any programs that should not be installed, click "uninstall", and then follow the prompts to uninstall the software.

b
Unused database components which are integrated in the EDB Postgres Advanced Server and cannot be uninstalled must be disabled.
CM-7 - Medium - CCI-000381 - V-224162 - SV-224162r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
EP11-00-003900
Vuln IDs
  • V-224162
  • V-100351
Rule IDs
  • SV-224162r879587_rule
  • SV-109455
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives. DBMSs must adhere to the principles of least functionality by providing only essential capabilities. Unused, unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. Components of the system that are unused and cannot be uninstalled must be disabled. The techniques available for disabling components will vary by DBMS product, OS, and the nature of the component, and may include DBMS configuration settings, OS service settings, OS file access security, and DBMS user/role permissions.
Checks: C-25835r495504_chk

Open Control Program &gt;&gt; Programs &gt;&gt; Programs and Features. Look specifically for publishers of EnterpriseDB, pgAdmin, or PostgreSQL. If any programs are installed which are not documented as needed by the government program, this is a finding.

Fix: F-25823r495505_fix

Open Control Program >> Programs >> Programs and Features. Select any programs that should not be installed, click "uninstall", and then follow the prompts to uninstall the software.

b
Access to external executables must be disabled or restricted.
CM-7 - Medium - CCI-000381 - V-224163 - SV-224163r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
EP11-00-004000
Vuln IDs
  • V-224163
  • V-100353
Rule IDs
  • SV-224163r879587_rule
  • SV-109457
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Applications must adhere to the principles of least functionality by providing only essential capabilities. EDB Postgres Advanced Server may spawn additional external processes to execute procedures that are defined in EDB Postgres Advanced Server but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than EDB Postgres Advanced Server and provide unauthorized access to the host system.
Checks: C-25836r495507_chk

Check for EDB Postgres Advanced Server related programs that have been installed but not documented as approved. Open Control Program &gt;&gt; Programs &gt;&gt; Programs and Features. Look specifically for publishers of EnterpriseDB, pgAdmin, or PostgreSQL. If any programs are installed which are not documented as needed by the organization for the system, this is a finding. The Postgres COPY command provides options for reading or writing files or running a program that the server has privileges to access. These options are only allowed for users who have been granted superuser privilege or have been granted the pg_read_server_files, pg_write_server_files, or pg_execute_server_program roles. The SUPERUSER privilege and the roles that provide access to files on the underlying server should only be granted to approved users. To check for user and group roles that have been granted the SUPERUSER privilege, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb: WITH RECURSIVE roles( granted_role_id, granted_role_name, role_id, role_name, can_login, how_superuser, root_role_name ) AS ( SELECT NULL::oid granted_role_id , NULL::name granted_role_name , r1.oid role_id , r1.rolname role_name , r1.rolcanlogin can_login , 'Assigned Superuser Privilege' how_superuser , r1.rolname root_role_name FROM pg_authid r1 WHERE r1.rolsuper = 't' UNION SELECT m.roleid , r3.rolname , m.member , r2.rolname , r2.rolcanlogin , 'Granted Role with Superuser Privilege' , r1.root_role_name FROM pg_auth_members m JOIN pg_authid r2 ON r2.oid = m.member JOIN pg_authid r3 ON r3.oid = m.roleid JOIN roles r1 ON m.roleid = r1.role_id ) SELECT DISTINCT r.role_name, r.can_login, hs.how_superuser, gr.granted_roles, rr.root_superuser_roles FROM roles r JOIN ( SELECT role_name, string_agg(how_superuser, ', ') how_superuser FROM ( SELECT DISTINCT role_name, how_superuser FROM roles ORDER BY 2 ) GROUP BY role_name ) hs ON r.role_name = hs.role_name JOIN ( SELECT role_name, string_agg(granted_role_name, ', ') granted_roles FROM ( SELECT DISTINCT role_name, granted_role_name FROM roles ORDER BY 2 ) GROUP BY role_name ) gr ON r.role_name = gr.role_name JOIN ( SELECT role_name, string_agg(root_role_name, ', ') root_superuser_roles FROM ( SELECT DISTINCT role_name, root_role_name FROM roles ORDER BY 2 ) GROUP BY role_name ) rr ON r.role_name = rr.role_name ORDER BY 3,1; The above query will list all user and group roles that have either been granted the SUPERUSER privilege explicitly or via one of the roles in the hierarchy of roles they have been granted. If a user or group roles has the SUPERUSER privilege either directly or via one of the roles in the hierarchy of roles it has been granted, and the role is not documented as being approved to have this privilege, this is a finding. To check for user and group roles that have been granted any of the pg_read_server_files, pg_write_server_files, or pg_execute_server_program roles, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb: WITH RECURSIVE roles( granted_role_id, granted_role_name, role_id, role_name, can_login, root_role_name ) AS ( SELECT NULL::oid granted_role_id , NULL::name granted_role_name , r1.oid role_id , r1.rolname role_name , r1.rolcanlogin can_login , r1.rolname root_role_name FROM pg_authid r1 WHERE r1.rolname IN ( 'pg_read_server_files', 'pg_write_server_files', 'pg_execute_server_program' ) UNION SELECT m.roleid , r3.rolname , m.member , r2.rolname , r2.rolcanlogin , r1.root_role_name FROM pg_auth_members m JOIN pg_authid r2 ON r2.oid = m.member JOIN pg_authid r3 ON r3.oid = m.roleid JOIN roles r1 ON m.roleid = r1.role_id ) SELECT DISTINCT r.role_name, r.can_login, gr.granted_roles, rr.server_os_access_roles FROM roles r JOIN ( SELECT role_name, string_agg(granted_role_name, ', ') granted_roles FROM ( SELECT DISTINCT role_name, granted_role_name FROM roles ORDER BY 2 ) GROUP BY role_name ) gr ON r.role_name = gr.role_name JOIN ( SELECT role_name, string_agg(root_role_name, ', ') server_os_access_roles FROM ( SELECT DISTINCT role_name, root_role_name FROM roles ORDER BY 2 ) GROUP BY role_name ) rr ON r.role_name = rr.role_name WHERE gr.granted_roles IS NOT NULL ORDER BY 1; The above query will list all user and group roles that have been granted one of these roles either explicitly or via one of the roles in the hierarchy of roles they have been granted. If a user or group roles has been granted one of these roles either explicitly or via one of the roles in the hierarchy of roles they have been granted, and the role is not documented as being approved to have this role, this is a finding. It is possible for a Postgres database extension to contain code that could access external executables via SQL. To list all installed extensions, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb: SELECT * FROM pg_available_extensions WHERE installed_version IS NOT NULL ORDER BY 1; If any extensions are installed that are not documented as being approved, this is a finding. It is possible to create database functions that are written in C or other procedural languages that reference code in externally loaded modules that may enable interaction with the OS. To list such functions, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb: SELECT n.nspname "Schema", p.proname "Function", p.prosrc "Source", p.probin "Library", l.lanname "Language" FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_language l on p.prolang = l.oid WHERE n.nspname NOT IN ('pg_catalog', 'sys', 'information_schema') AND (l .lanpltrusted = 'f' AND l.lanname != 'internal' ) ORDER BY 4, 1, 2, 3; If any C-language or other procedural language function is listed that is not documented as being approved, this is a finding.

Fix: F-25824r495508_fix

To uninstall programs that are not approved, open Control Program | Programs | Programs and Features. Select any programs that should not be installed, click the "uninstall" button, and follow the prompts to uninstall the software. To remove the SUPERUSER privilege from a role, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb: ALTER ROLE <role name> WITH NOSUPERUSER; To remove a role that has been granted to another role, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb: REVOKE ROLE <name of role to be removed> FROM <role name>; To remove an extension from a Postgres database, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb: DROP EXTENSION <name of extension to be removed>; To remove a function from a Postgres database, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb: DROP FUNCTION <name of function to be removed>; If the unapproved function is contained in an EDB-SPL database package, drop the package specification and body or replace the package specification and package body source with an updated version of the source that does not include the unapproved function. To drop a package, execute the following SQL statements in psql or another EDB Postgres Advanced Server SQL client as enterprisedb: DROP PACKAGE BODY <name of package to be dropped>; DROP PACKAGE <name of package to be dropped>; To update a package, execute the "CREATE OR REPLACE PACKAGE <package name>" and "CREATE OR REPLACE PACKAGE BODY <package name>" SQL statements in psql or another EDB Postgres Advanced Server SQL client. See the EnterpriseDB "Database Compatibility for Oracle Developers Reference Guide" for more information about the commands for creating, replacing, and dropping database packages.

b
The EDB Postgres Advanced Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-224164 - SV-224164r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
EP11-00-004100
Vuln IDs
  • V-224164
  • V-100355
Rule IDs
  • SV-224164r879588_rule
  • SV-109459
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols/services on information systems. Applications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. Database Management Systems using ports, protocols, and services deemed unsafe are open to attack through those ports, protocols, and services. This can allow unauthorized access to the database and through the database to other components of the information system. A Postgres database cluster (i.e., instance) listens for connections on a single TCP port. The default port for an EDB Postgres Advanced Server cluster is 5444; however, the port number that is used is configurable via the Postgres "port" parameter. A database restart is required to apply a change to the port parameter. Also by default, a Postgres cluster will listen for connections on all interfaces on the host. The "listen_addresses" parameter can be used to configure specific interfaces on the host to listen for connections. The default value of "*" indicates all interfaces are used. To listen only on specific interfaces, the listen_addresses parameter is configured with a comma-separated list of host names and/or numeric IP addresses corresponding to the interfaces that should be used. As with the port parameter, changes to the listen_addresses parameter requires a cluster restart to take effect.
Checks: C-25837r495510_chk

Review documentation for approved list of ports, protocols, and addresses. To list the port that is being used, execute the following SQL as enterprisedb: SHOW port; If the port returned by the above command is not approved, this is a finding. To list the interface addresses that are being used, execute the following SQL as enterprisedb: SHOW listen_addresses; For the above statement, a return value of "*" indicates that the database cluster (i.e., instance) is configured to listen on all interfaces on the database host. If the addresses returned are not approved, this is a finding.

Fix: F-25825r495511_fix

Execute the following SQL as enterprisedb: ALTER SYSTEM SET port = <port>; ALTER SYSTEM SET listen_addresses = <comma separated addresses>; Restart the database service. For EDB Postgres Advanced Server, the default service name is "edb-as-<EDB Version #>" with a default display name of "edb-as-<EDB Version #> - Advanced Server <EDB Version #>": To restart the database service, using the Windows Services Control Manager: 1. Open the Windows Services Control Manager. 2. Select the database service from the list of services, right-click it, and select "Restart". Alternatively, the database can be restarted via the Windows command line using either the NET or SC command as follows: NET STOP <service name> NET START <service name> or SC STOP <service name> SC START <service name> Note that if pgAgent is installed and running, the corresponding pgAgent service is dependent on the EDB Postgres database service and will first need to be stopped in order to restart the database service. After restarting the database service, the pgAgent service may be started again.

b
The EDB Postgres Advanced Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
IA-2 - Medium - CCI-000764 - V-224165 - SV-224165r879589_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
EP11-00-004200
Vuln IDs
  • V-224165
  • V-100357
Rule IDs
  • SV-224165r879589_rule
  • SV-109461
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following: (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
Checks: C-25838r495513_chk

Verify that the pg_hba.conf is not using the "trust" authentication method. Note that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW hba_file" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). To verify that the pg_hba.conf file is not using the methods listed above, open the pg_hba.conf file in a text editor and inspect the contents of the file. If any uncommented lines have "trust" specified for the "METHOD" column and the setting has not been documented with sufficient justification and approved, this is a finding. Optionally, the following command can be run from a Windows command prompt to identify any uncommented lines in the pg_hba.conf file that may be using these methods: type &lt;postgresql data directory&gt;\pg_hba.conf | findstr /N "trust" | find /V /N "#" Note: For the command above, if the path to the pg_hba.conf file contains spaces in it, the path to the file (including the file name) should be placed in double quotes. If any uncommented lines showing that the "trust" authentication method has been specified are reported via the above command and the setting has not been documented with sufficient justification and approved, this is a finding.

Fix: F-25826r495514_fix

Open "<postgresql data directory>\pg_hba.conf" in an editor. Note that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d <database name> -U <database superuser name> -c "SHOW hba_file" where, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If any rows have "trust" specified for the "METHOD" column that are not documented and approved, delete the rows or change them to other authentication methods. Permitted methods in preferred order are: peer (local only), cert, ldap, sspi, pam, sha-256-scram, md5

c
If DBMS authentication, using passwords, is employed, EDB Postgres Advanced Server must enforce the DoD standards for password complexity and lifetime.
IA-5 - High - CCI-000192 - V-224166 - SV-224166r879601_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000192
Version
EP11-00-004250
Vuln IDs
  • V-224166
  • V-100359
Rule IDs
  • SV-224166r879601_rule
  • SV-109463
OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved. The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, the DoD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. For other DBMSs, the rules must be enforced using available configuration parameters or custom code.
Checks: C-25839r495516_chk

If DBMS authentication, using passwords, is not employed, this is not a finding. In a SQL window, run this command: select * from dba_profiles; If there are UNLIMITED or NULL values in the "limit" column, this is a finding. Review the password verification functions specified for the PASSWORD_VERIFY_FUNCTION settings for each profile. Determine whether the following rules are enforced by the code in those functions. If any are not, this is a finding. a. minimum of 15 characters, including at least one of each of the following character sets: - Upper-case - Lower-case - Numerics - Special characters (e.g., ~ ! @ # $ % ^ &amp; * ( ) _ + = - ' [ ] / ? &gt; &lt;) b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight Review the DBMS settings relating to password lifetime. Determine whether the following rules are enforced. If any are not, this is a finding. a. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days b. Password lifetime limits for non-interactive accounts: Minimum 24 hours, maximum 365 days c. Number of password changes before an old one may be reused: Minimum of five

Fix: F-25827r495517_fix

After creating a password verification function, configure the default profile to use it and to the other required password related settings. To facilitate checking that a new password is sufficiently different from a previously used one, the dod_verify_password function uses the Levenshtein function, which is available as part of the PostgreSQL fuzzystrmatch extension. Before creating the password verification function, check whether the fuzzystrmatch extension is installed by executing the following SQL query as enterprisedb: SELECT extname FROM pg_extension; If "fuzzystrmatch" is not listed, execute the following SQL to install the extension as enterprisedb: CREATE EXTENSION fuzzystrmatch; With the fuzzystrmatch extension installed, execute the following SQL statements as enterprisedb: CREATE OR REPLACE FUNCTION sys.dod_verify_password(user_name varchar2, new_password varchar2, old_password varchar2) RETURN boolean IMMUTABLE IS pwd_length integer := NVL( length(new_password), 0 ); min_length integer := 15; min_lower integer := 1; min_upper integer := 1; min_numeric integer := 1; min_special integer := 1; min_diff integer := ceil(min_length::numeric / 2); cnt_lower integer := 0; cnt_upper integer := 0; cnt_numeric integer := 0; cnt_special integer := 0; cnt_diff integer := 0; i integer ; curr_char CHAR(1); BEGIN -- -- Check Length of new password -- IF ( pwd_length < min_length ) THEN raise_application_error(-20001, 'Password is too short. Password must be at least '||min_length||' characters long.'); END IF; -- -- Get count of each character type in new password. -- FOR i in 1..pwd_length LOOP curr_char := substr(new_password, i, 1); IF ( curr_char SIMILAR TO '[a-z]' ) THEN cnt_lower := cnt_lower + 1; ELSIF ( curr_char SIMILAR TO '[A-Z]' ) THEN cnt_upper := cnt_upper + 1; ELSIF ( curr_char SIMILAR TO '[0-9]' ) THEN cnt_numeric := cnt_numeric + 1; ELSE cnt_special := cnt_special + 1; END IF; END LOOP; -- -- Calculate Levenshtein difference between old and new password -- cnt_diff := levenshtein( old_password, new_password ); -- Check if new password has minimum number of lowercase characters IF cnt_lower < min_lower THEN raise_application_error(-20004, 'Password must contain at least '||min_lower||' lowercase character(s)'); END IF; -- Check if new password has minimum number of uppercase characters IF cnt_upper < min_upper THEN raise_application_error(-20003, 'Password must contain at least '||min_upper||' uppercase character(s)'); END IF; -- Check if new password has minimum number of numeric characters IF cnt_numeric < min_numeric THEN raise_application_error(-20005, 'Password must contain at least '||min_numeric||' numeric character(s)'); END IF; -- Check if new password has minimum number of special characters IF cnt_special < min_special THEN raise_application_error(-20006, 'Password must contain at least '||min_special||' special character(s)'); END IF; -- Check if new password differs from old password by minimum number of required characters IF cnt_diff < min_diff THEN raise_application_error(-20007, 'Password must differ from old password by at least '||min_diff||' character(s)'); END IF; RETURN true; END; ALTER FUNCTION sys.dod_verify_password(varchar2, varchar2, varchar2) OWNER TO enterprisedb; Next, execute the following statement (or a variant of this) to set the default profile for DoD standards: ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 PASSWORD_LIFE_TIME 60 PASSWORD_GRACE_TIME 3 PASSWORD_REUSE_TIME 180 PASSWORD_REUSE_MAX 5 PASSWORD_VERIFY_FUNCTION dod_verify_password; Note that the above statement assumes that the password verification function is named "dod_verify_password". If the function was created with a different name, update the ALTER PROFILE statement above as appropriate.

c
If passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords.
IA-5 - High - CCI-000196 - V-224167 - SV-224167r879608_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000196
Version
EP11-00-004300
Vuln IDs
  • V-224167
  • V-100361
Rule IDs
  • SV-224167r879608_rule
  • SV-109465
The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, database passwords stored in clear text, using reversible encryption, or using unsalted hashes would be vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes when stored internally or externally to the DBMS. In Postgres, encrypted passwords may be generated and stored using either MD5 or SRAM-SHA-256 encryption algorithms. The Postgres password_encryption parameter identifies which algorithm is being used by the Postgres cluster (i.e., instance). In general, MD5 is not approved for use within DoD systems. However, SCRAM-SHA-256 is approved for use within the DoD.
Checks: C-25840r495519_chk

Execute the following SQL as enterprisedb: SHOW password_encryption; If the value returned for the password_encryption parameter is not "scram-sha-256", this is a finding unless otherwise documented as approved for the system.

Fix: F-25828r495520_fix

Execute the following SQL as enterprisedb: ALTER SYSTEM SET password_encryption = "scram-sha-256"; SELECT pg_reload_conf();

c
If passwords are used for authentication, the EDB Postgres Advanced Server must transmit only encrypted representations of passwords.
IA-5 - High - CCI-000197 - V-224168 - SV-224168r879609_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
EP11-00-004400
Vuln IDs
  • V-224168
  • V-100363
Rule IDs
  • SV-224168r879609_rule
  • SV-109467
The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.
Checks: C-25841r495522_chk

Verify that the pg_hba.conf is not using the "password" authentication method. Note that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW hba_file" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). To verify that the pg_hba.conf file is not using the methods listed above, open the pg_hba.conf file in a text editor and inspect the contents of the file. If any uncommented lines have "password" specified for the "METHOD" column, this is a finding. Optionally, the following command can be run from a Windows command prompt to identify any uncommented lines in the pg_hba.conf file that may be using these methods: type &lt;postgresql data directory&gt;\pg_hba.conf | findstr /N "password" | find /V /N "#" Note: For the command above, if the path to the pg_hba.conf file contains spaces in it, the path to the file (including the file name) should be placed in double quotes. If any uncommented lines showing that the "password" authentication method has been specified are reported via the above command, this is a finding.

Fix: F-25829r495523_fix

Open "<postgresql data directory>\pg_hba.conf" in an editor. Note that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d <database name> -U <database superuser name> -c "SHOW hba_file" where, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). For any rows that have "password" specified for the "METHOD" column, change the value to "sha-256-scram" or "md5".

b
The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
IA-5 - Medium - CCI-000185 - V-224169 - SV-224169r879612_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
EP11-00-004500
Vuln IDs
  • V-224169
  • V-100365
Rule IDs
  • SV-224169r879612_rule
  • SV-109469
The DoD standard for authentication is DoD-approved PKI certificates. A certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses. Database Management Systems that do not validate certificates by performing RFC 5280-compliant certification path validation are in danger of accepting certificates that are invalid and/or counterfeit. This could allow unauthorized access to the database.
Checks: C-25842r495525_chk

Verify that hostssl entries in pg_hba.conf have "clientcert=1" enabled. Note that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW hba_file" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). Open the pg_hba.conf file in a text editor and inspect the contents of the file. If any uncommented lines have TYPE of "hostssl" but do not include "clientcert=1" in the OPTIONS column at the end of the line, this is a finding. Optionally, the following command can be run from a Windows command prompt to identify any uncommented lines in the pg_hba.conf file that may be using these methods: type &lt;postgresql data directory&gt;\pg_hba.conf | findstr /N "hostssl" | find /V /N "#" Note: For the command above, if the path to the pg_hba.conf file contains spaces in it, the path to the file (including the file name) should be placed in double quotes. If any uncommented lines are reported using the above command that show a TYPE of "hostssl" but do not include "clientcert=1" in the OPTIONS column at the end of the line, this is a finding.

Fix: F-25830r495526_fix

Open the "<postgresql data directory>\pg_hba.conf" in an editor. Note that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d <database name> -U <database superuser name> -c "SHOW hba_file" where, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). For any rows that have TYPE of "hostssl", append "clientcert=1" in the OPTIONS column at the end of the line.

c
The EDB Postgres Advanced Server must enforce authorized access to all PKI private keys stored/utilized by the EDB Postgres Advanced Server.
IA-5 - High - CCI-000186 - V-224170 - SV-224170r879613_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000186
Version
EP11-00-004600
Vuln IDs
  • V-224170
  • V-100367
Rule IDs
  • SV-224170r879613_rule
  • SV-109471
The DoD standard for authentication is DoD-approved PKI certificates. PKI certificate-based authentication is performed by requiring the certificate holder to cryptographically prove possession of the corresponding private key. If the private key is stolen, an attacker can use the private key(s) to impersonate the certificate holder. In cases where the DBMS-stored private keys are used to authenticate the DBMS to the system’s clients, loss of the corresponding private keys would allow an attacker to successfully perform undetected man in the middle attacks against the DBMS system and its clients. Both the holder of a digital certificate and the issuing authority must take careful measures to protect the corresponding private key. Private keys should always be generated and protected in FIPS 140-2 or 140-3 validated cryptographic modules. All access to the private key(s) of the DBMS must be restricted to authorized and authenticated users. If unauthorized users have access to one or more of the DBMS's private keys, an attacker could gain access to the key(s) and use them to impersonate the database on the network or otherwise perform unauthorized actions.
Checks: C-25843r495528_chk

Verify User ownership, Group ownership, and permissions on the "server.key" file: Right-click and select "Properties" on &lt;postgresql data directory&gt;\server.key If any users other than the database administrator user (enterprisedb by default) or other users documented in the program security guide have any permissions on this file, this is a finding.

Fix: F-25831r495529_fix

Right-click and select "Properties" on <postgresql data directory>\server.key Give the database administrator (default "enterprisedb") full control of the file.

c
Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IA-6 - High - CCI-000206 - V-224171 - SV-224171r879615_rule
RMF Control
IA-6
Severity
High
CCI
CCI-000206
Version
EP11-00-004810
Vuln IDs
  • V-224171
  • V-100369
Rule IDs
  • SV-224171r879615_rule
  • SV-109473
The DoD standard for authentication is DoD-approved PKI certificates. Normally, with PKI authentication, the interaction with the user for authentication will be handled by a software component separate from the DBMS, such as ActivIdentity ActivClient. However, in cases where the DBMS controls the interaction, this requirement applies. To prevent the compromise of authentication information such as passwords and PINs during the authentication process, the feedback from the system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. Obfuscation of user-provided authentication secrets when typed into the system is a method used in addressing this risk. Displaying asterisks when a user types in a password or a smart card PIN is an example of obscuring feedback of authentication secrets. This calls for review of applications, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At minimum, the DBA must attempt to obtain assurances from the development organization the issue has been addressed, and must document what has been discovered.
Checks: C-25844r495531_chk

Determine whether any applications that access the database allow for entry of the account name and password or PIN. If any do, determine whether these applications obfuscate authentication data. If they do not, this is a finding.

Fix: F-25832r495532_fix

Configure or modify applications to prohibit display of passwords in clear text.

c
When using command-line tools such as psql, users must use a logon method that does not expose the password.
IA-6 - High - CCI-000206 - V-224172 - SV-224172r879615_rule
RMF Control
IA-6
Severity
High
CCI
CCI-000206
Version
EP11-00-004820
Vuln IDs
  • V-224172
  • V-100371
Rule IDs
  • SV-224172r879615_rule
  • SV-109475
To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the feedback from the information system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. Obfuscation of user-provided information when typed into the system is a method used in addressing this risk. For example, displaying asterisks when a user types in a password or PIN, is an example of obscuring feedback of authentication information. This requirement is applicable when md5-based password authentication is enabled. When this is the case, password-authenticated accounts can be created in and authenticated by EDB Postgres Advanced Server. Other STIG requirements prohibit the use of password authentication except when justified and approved. This deals with the exceptions. The psql command line tool is part of any PostgreSQL installation. Other command-line tools may also exist. These tools can accept a plain-text password, but do offer alternative techniques. Since the typical user of these tools is a database administrator, the consequences of password compromise are particularly serious. Therefore, the use of plain-text passwords must be prohibited, as a matter of practice and procedure.
Checks: C-25845r495534_chk

For psql, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations and that AO approval has been obtained. If not, this is a finding. Request evidence that all users of the tool are trained in the importance of using the "-W" option (and not using the plain-text password option), how to keep the password hidden, and that they adhere to this practice. If not, this is a finding.

Fix: F-25833r495535_fix

For psql, which can accept a plain-text password, and any other essential tool with the same limitation: 1) Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval. 2) Train all users of the tool in the importance of not using the plain-text password option and in how to keep the password hidden by using the "-W" option.

b
The EDB Postgres Advanced Server password file must not be used.
CM-6 - Medium - CCI-000366 - V-224173 - SV-224173r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
EP11-00-004850
Vuln IDs
  • V-224173
  • V-101109
Rule IDs
  • SV-224173r879887_rule
  • SV-110213
The EDB Postgres password file can contain passwords to be used if the connection allows a password (and no password has been specified otherwise). This file contain lines of the following format: hostname:port:database:username:password It is critically important to system security that use of a password file be avoided as it stores passwords in plain text. Any user with access to these could potentially compromise the security of the database.
Checks: C-25846r495537_chk

Check DBMS settings to determine whether a password file is being used. On Windows the default file name and location is: %APPDATA%\postgresql\pgpass.conf (where %APPDATA% refers to the Application Data subdirectory in the user's profile). Alternatively, a password file can be specified using the connection parameter passfile or the environment variable PGPASSFILE. If a password file exists, this is a finding. If a password file is not in use, this is not a finding.

Fix: F-25834r495538_fix

Remove any password files present on the server and implement a more secure form of authentication. The DoD standard for authentication is DoD-approved PKI certificates.

c
The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations including generation of cryptographic hashes and data protection.
IA-7 - High - CCI-000803 - V-224174 - SV-224174r879616_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
EP11-00-004900
Vuln IDs
  • V-224174
  • V-100373
Rule IDs
  • SV-224174r879616_rule
  • SV-109477
Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated cryptographic modules may not implement algorithms correctly. Unapproved cryptographic modules or algorithms should not be relied on for authentication, confidentiality, or integrity. Weak cryptography could allow an attacker to gain access to and modify data stored in the database as well as the administration settings of the DBMS. Applications, including DBMSs, utilizing cryptography are required to use approved NIST FIPS 140-2 or 140-3 validated cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The standard for validating cryptographic modules will transition to the NIST FIPS 140-3 publication. FIPS 140-2 modules can remain active for up to 5 years after validation or until September 21, 2026, when the FIPS 140-2 validations will be moved to the historical list. Even on the historical list, CMVP supports the purchase and use of these modules for existing systems. While Federal Agencies decide when they move to FIPS 140-3 only modules, purchasers are reminded that for several years there may be a limited selection of FIPS 140-3 modules from which to choose. CMVP recommends purchasers consider all modules that appear on the Validated Modules Search Page: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules More information on the FIPS 140-3 transition can be found here: https://csrc.nist.gov/Projects/fips-140-3-transition-effort/ When the EDB FIPS 140 certified cryptographic modules are configured properly, an EDB Postgres Advanced Server will fail to start if non-FIPS 140 ciphers are specified for the Postgres ssl_ciphers parameter. To test whether the FIPS 140 compliant configuration is working, temporarily set the "ssl_ciphers" parameter in the postgresql.conf file to 'RC4-SHA' and then attempt to restart the database service. Since "RC4-SHA" is not a FIPS 140 approved cipher, the database will fail to start. Using the Event Viewer in Windows, a "FATAL: could not set the cipher list (no valid ciphers available)" error will be found under "Event Viewer (Local) >> Windows Logs >> Application". Satisfies: SRG-APP-000179-DB-000114,SRG-APP-000514-DB-000382,SRG-APP-000514-DB-000383
Checks: C-25847r860645_chk

If any uncommented lines in &lt;postgresql data dir&gt;\pg_hba.conf do not start with "hostssl", this is a finding. The "ssleay32_dll" and "libeay32.dll" files in &lt;EDB Postgres Advanced Server Home&gt;\bin should be FIPS 140-2 or 140-3 compliant DLLs from EnterpriseDB. These are included in EDB Postgres Advanced Server v11 update 6 (i.e., 11.6) and greater. If the installed EDB v11 is not update 11.6 or greater, this is a finding. If C:\usr\local\ssl\openssl.cnf does not exist with these contents, or if an System Environment variable called OPENSSL_CONF pointing to a file with these contents has not been created, this is a finding: HOME = . RANDFILE = $ENV::HOME/.rnd openssl_conf=openssl_conf_section [openssl_conf_section] alg_section=evp_settings [evp_settings] fips_mode=yes

Fix: F-25835r860646_fix

Edit <postgresql data dir>\pg_hba.conf so that each uncommented line starts with "hostssl" If the EDB Postgres Advanced Server minor version is less than version 11.6, install the 11.6 update or later version or contact EnterpriseDB to obtain a copy of the FIPS 140 compliant versions of the "ssleay32.dll" and "libeay32.dll" files and replace the "ssleay32.dll" and "libeay32.dll" files in <EDB Postgres Advanced Server Home>\bin with FIPS 140 compliant DLLs from EnterpriseDB. If the EDB Postgres Advanced Server minor version is 11.6 or greater, the FIPS 140 compliant versions of these DLLs are installed by default and do not need to be replaced. Create C:\usr\local\ssl\openssl.cnf or another file referenced by a System Environment variable called OPENSSL_CONF with these contents: HOME = . RANDFILE = $ENV::HOME/.rnd openssl_conf=openssl_conf_section [openssl_conf_section] alg_section=evp_settings [evp_settings] fips_mode=yes Restart the Postgres server via the Services administration GUI.

b
The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
IA-8 - Medium - CCI-000804 - V-224175 - SV-224175r879617_rule
RMF Control
IA-8
Severity
Medium
CCI
CCI-000804
Version
EP11-00-005000
Vuln IDs
  • V-224175
  • V-100375
Rule IDs
  • SV-224175r879617_rule
  • SV-109479
Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Non-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server. Accordingly, a risk assessment is used in determining the authentication needs of the organization. Scalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. With Postgres, all database users are uniquely identified. To discriminate non-organizational users from organizational users, applications often create and utilize one or more tables to record additional information about the users, including their organizational affiliations. Another approach that may be used is to create and assign database roles corresponding to the different organizations. The EDB Postgres Advanced Server session audit log tagging feature can also be used to log additional information about the user associated with a database session such as organizational affiliation. The session audit tagging feature uses the edb_audit_tag parameter. Typically, this parameter would be set on a session by session basis via the application that connects to the EDB Postgres Advanced Server database.
Checks: C-25848r495543_chk

Review documentation, EDB Postgres Advanced Server settings, and authentication system settings to determine if non-organizational users are individually identified and authenticated when logging onto the system. EDB Postgres Advanced Server uniquely identifies and authenticates Postgres users through the use of DBMS roles. To list the user and group roles in an EDB Postgres Advanced Server instance, execute the following command in psql as the enterprisedb user: \du If accounts are determined to be shared, determine if individuals are first individually authenticated. Where an application connects to EDB Postgres Advanced Server using a standard, shared account, ensure it also captures the individual user identification, and passes it to EDB Postgres Advanced Server. If the EDB session audit log tagging feature is being used to capture individual user identification and organizational affiliation, review the EDB audit log to verify that the information documented as being required is logged to the "audit_tag" field. If the required information is not logged, this is a finding. If the documentation indicates that this is a public-facing, read-only (from the point of view of public users) database that does not require individual authentication, this is not a finding. If non-organizational users are not uniquely identified and authenticated, this is a finding.

Fix: F-25836r495544_fix

Ensure all logins are uniquely identifiable and authenticate all non-organizational users who log onto the system. This likely would be done via a combination of application, operating system, and EDB Postgres Advanced Server configuration settings. Verify server documentation to ensure accounts are documented and unique.

b
The EDB Postgres Advanced Server must separate user functionality (including user interface services) from database management functionality.
SC-2 - Medium - CCI-001082 - V-224176 - SV-224176r879631_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
EP11-00-005100
Vuln IDs
  • V-224176
  • V-101195
Rule IDs
  • SV-224176r879631_rule
  • SV-110299
Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods, as appropriate. An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different domain and with additional access controls. If administrative functionality or information regarding DBMS management is presented on an interface available for users, information on DBMS settings may inadvertently be made available to the user.
Checks: C-25849r495546_chk

Check EDB Postgres Advanced Server permission settings to verify that administrative functionality is kept separate from user functionality. As a database superuser user (e.g., enterprisedb), list the user and group roles and their permissions in an EDB Postgres Advanced Server instance; execute the following command in psql: \du If any non-administrative role has the attribute "Superuser", "Create role", "Create DB" or "Bypass RLS", this is a finding. If administrator and general user functionality is not separated either physically or logically, this is a finding.

Fix: F-25837r495547_fix

Configure EDB Postgres Advanced Server to separate database administration and general user functionality. Use the ALTER ROLE SQL command to remove "SUPERUSER", "CREATE Role", "Create DB", or "Bypass RLS" privileges from user and group roles that are not authorized for those roles. For example: ALTER ROLE <username> NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;

b
In the event of a system failure, the DBMS must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
SC-24 - Medium - CCI-001665 - V-224177 - SV-224177r879641_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001665
Version
EP11-00-005600
Vuln IDs
  • V-224177
  • V-100377
Rule IDs
  • SV-224177r879641_rule
  • SV-109481
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving information system state information helps to facilitate system restart and return to the operational mode of the organization with less disruption of mission/business processes. Since it is usually not possible to test this capability in a production environment, systems should either be validated in a testing environment or prior to installation. This requirement is usually a function of the design of the IDPS component. Compliance can be verified by acceptance/validation processes or vendor attestation. At all times, Postgres maintains a write ahead log (WAL) in the pg_wal/ subdirectory of the cluster's data directory. The log records every change made to the database's data files. This log exists primarily for crash-safety purposes: if the system crashes, the database can be restored to consistency by “replaying” the log entries made since the last checkpoint. Under the covers, Postgres uses fsync system calls to help ensure that modified database information held in memory is written to disk. To support certain specialized use cases where crash recovery is not as important as system performance, Postgres provides an fsync parameter that can be set to "off" to disable the use of fsync. By default, this parameter is set to "on" and except for the rare use cases should not be set to "off". To support being able to determine what may have caused a database failure, Postgres inherently logs failures.
Checks: C-25850r495549_chk

To check whether fsync() has been enabled for the EDB Postgres Advanced Server cluster, connect to the database as a database superuser using psql and execute the following psql command: SHOW fsync If the parameter is set to "off" and this setting has not been documented as approved with justification, this is a finding.

Fix: F-25838r495550_fix

To set the fsync parameter to "on", connect to the database as a database superuser using psql and execute the following SQL commands: ALTER SYSTEM SET fsync = on; SELECT pg_reload_conf();

c
The EDB Postgres Advanced Server must protect the confidentiality and integrity of all information at rest.
SC-28 - High - CCI-001199 - V-224178 - SV-224178r879642_rule
RMF Control
SC-28
Severity
High
CCI
CCI-001199
Version
EP11-00-005700
Vuln IDs
  • V-224178
  • V-100379
Rule IDs
  • SV-224178r879642_rule
  • SV-109483
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Applications and application users generate information throughout the course of their application use. User data generated, as well as application-specific configuration data, must be protected. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate. If the confidentiality and integrity of application data is not protected, the data will be open to compromise and unauthorized modification.
Checks: C-25851r495552_chk

If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding. Right-click on &lt;postgresql data directory&gt;, select properties, then select the General tab and the Advanced button. If the "Encrypt contents to secure data" check box is not checked, this is a finding.

Fix: F-25839r495553_fix

Complete these steps as the Windows user that serves as the user who is configure to run the EDB Postgres database service. If done as a different user, the Windows database service user will be unable to view this folder and therefore unable to start the database. By default, the service is configured to be run by the NetworkService account, which is a special Windows account that may not have the ability to encrypt the data directory. As a result, it may be necessary to change the service to run under a different account that can access the directory and encrypt it. Use the following steps, to update the service, encrypt the data directory, and restart the service: 1. Change the edb-as-11 service to run as a local user account that is the same domain user that will be used to encrypt the data directory (ex. "administrator"). Open Computer Management >> Services. Highlight the "edb-as-11 service". Stop the service. Select the service properties. Select the "Log On" tab, and update the "Log on as" setting to an account such as "Administrator". 2. Encrypt the data directory by following these instructions (logged in as the user who runs the service): Right-click on <postgresql data directory>, select properties, select the Advanced button in the General tab, and then select the "Encrypt contents to secure data" checkbox in the "Advanced Attributes" window. Select the option to apply to subfolders and files when prompted. 3. Restart the EDB service after encrypting the drive.

b
The EDB Postgres Advanced Server must isolate security functions from non-security functions.
SC-3 - Medium - CCI-001084 - V-224179 - SV-224179r879643_rule
RMF Control
SC-3
Severity
Medium
CCI
CCI-001084
Version
EP11-00-005800
Vuln IDs
  • V-224179
  • V-100381
Rule IDs
  • SV-224179r879643_rule
  • SV-109485
An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Database Management Systems typically separate security functionality from non-security functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. When security and non-security functionality are commingled, users who have access to non-security functionality may be able to access security functionality.
Checks: C-25852r495555_chk

All PPAS built-in security packages are in the sys, pg_catalog, information_schema, and dbo schemas. If any application-specific packages have been added to these schemas, this is a finding.

Fix: F-25840r495556_fix

Remove all application-specific packages that were added to the sys, pg_catalog, information_schema, and dbo schemas.

b
Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.
SC-4 - Medium - CCI-001090 - V-224180 - SV-224180r879649_rule
RMF Control
SC-4
Severity
Medium
CCI
CCI-001090
Version
EP11-00-005900
Vuln IDs
  • V-224180
  • V-100383
Rule IDs
  • SV-224180r879649_rule
  • SV-109487
Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed. Copies of sensitive data must not be misplaced or left in a temporary location without the proper controls.
Checks: C-25853r495558_chk

Review the procedures for the refreshing of development/test data from production. Review any scripts or code that exist for the movement of production data to development/test systems or to any other location or for any other purpose. Verify that copies of production data are not left in unprotected locations. If the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.

Fix: F-25841r495559_fix

Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy and to ensure copies of production data are not left in unsecured locations.

b
Access to database files must be limited to relevant processes and to authorized, administrative users.
SC-4 - Medium - CCI-001090 - V-224181 - SV-224181r879649_rule
RMF Control
SC-4
Severity
Medium
CCI
CCI-001090
Version
EP11-00-006100
Vuln IDs
  • V-224181
  • V-100385
Rule IDs
  • SV-224181r879649_rule
  • SV-109489
Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. Permitting only DBMS processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.
Checks: C-25854r495561_chk

Verify User ownership, Group ownership, and permissions on the &lt;postgressql data directory&gt; directory. Note that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW data_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). 1) Check Ownership of Postgresql Data Directory: First, determine ownership of the postgresql data directory folder. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the postgresql data directory folder is located. Select and right-click on the folder, select "Properties", and select the "Details" tab. Note the Value of the Owner field. Using the Windows command prompt, enter the following command: dir "&lt;postgresql data directory&gt;" /Q /S Note: The above command will list all of the files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If the owner listed for the folder and any of the files and subfolders in the data directory is not the database service account and the configuration has not been documented and approved, this is a finding. 2) Check Permissions on Postgresql Data Directory Check the permissions assigned to the postgresql data directory folder and its content. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the postgresql data directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Review the users and groups and permissions assigned to them for the folder. Using a Windows command prompt, the following command may be used to list file permissions: icacls "&lt;postgresql data directory&gt;" icacls "&lt;postgresql data directory&gt;\*" Review the users and groups and permissions assigned to them for the file(s). Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. Verify that at most the following permissions are applied: NT AUTHORITY/NetworkService (or configured database service account) (Full Control) Administrators (Full Control) Users (none) If other permissions have been granted to other users or groups and the permission setting has not been documented with sufficient documentation and approved, this is a finding.

Fix: F-25842r495562_fix

If the postgresql data directory and its contents are not owned by the database service account or other user as documented and approved in the system documentation, change ownership to an authorized user. Modify permissions on the data directory and its contents to meet the requirement to protect against unauthorized access. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Modify the security permissions to: NT AUTHORITY/NetworkService (or configured database service account) (Full Control) Administrators (Full Control) Users (none) Alternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt. If other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement.

b
The EDB Postgres Advanced Server must check the validity of all data inputs except those specifically identified by the organization.
SI-10 - Medium - CCI-001310 - V-224182 - SV-224182r879652_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
EP11-00-006200
Vuln IDs
  • V-224182
  • V-100387
Rule IDs
  • SV-224182r879652_rule
  • SV-109491
Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database. Even when no such hijacking takes place, invalid input that is recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate. This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.
Checks: C-25855r495564_chk

Review DBMS code (trigger procedures, functions), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input. If code exists that allows invalid data to be acted upon or input into the database, this is a finding. If column/field definitions do not exist in the database, this is a finding. If columns/fields do not contain constraints and validity checking where required, this is a finding. Where a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding. Where a column/field is clearly identified by name, caption, or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding. Check application code that interacts with the EDB Postgres Advanced Server database for the use of prepared statements. If prepared statements are not used, this is a finding. If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, verify that it has been configured according to documented organizational needs. 1) Execute the following SQL as enterprisedb: SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\_sql\_protect.%' ESCAPE '\'; If the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding. 2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb: \dn If the "sqlprotect" schema is not listed, this is a finding. 3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb: SELECT * FROM sqlprotect.list_protected_users; If the database and user that handles user input is not listed, or the remaining settings are not set to approved values, this is a finding.

Fix: F-25843r495565_fix

Modify database code to properly validate data before it is put into the database or acted upon by the database. Modify the database to contain column/field definitions for each column/field in the database. Modify the database to contain constraints and validity checking on database columns and tables that require them for data integrity. Use prepared statements for user supplied inputs. Do not allow general users direct console access to the EDB Postgres Advanced Server database. If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, install and configure SQL/Protect as documented here: https://www.enterprisedb.com/docs/en/11.0/EPAS_Guide_v11/EDB_Postgres_Advanced_Server_Guide.1.048.html#

b
The EDB Postgres Advanced Server and associated applications must reserve the use of dynamic code execution for situations that require it.
SI-10 - Medium - CCI-001310 - V-224183 - SV-224183r879652_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
EP11-00-006300
Vuln IDs
  • V-224183
  • V-100389
Rule IDs
  • SV-224183r879652_rule
  • SV-109493
With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where SQL queries are being assembled by application code (which may be within the database or separate from it) and executed dynamically, the attacker is then able to craft input strings that subvert the intent of the query. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database. The principal protection against code injection is not to use dynamic execution except where it provides necessary functionality that cannot be utilized otherwise. Use strongly typed data items rather than general-purpose strings as input parameters to task-specific, pre-compiled stored procedures and functions (and triggers). This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.
Checks: C-25856r495567_chk

Review DBMS source code (stored procedures, functions, triggers) and application source code, to identify cases of dynamic code execution. Any user input should be handled through prepared statements. If dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, this is a finding. If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, verify that it has been configured according to documented organizational needs. 1) Execute the following SQL as enterprisedb: SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\_sql\_protect.%' ESCAPE '\'; If the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding. 2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb: \dn If the "sqlprotect" schema is not listed, this is a finding. 3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb: SELECT * FROM sqlprotect.list_protected_users; If the database and user that handles user input is not listed or the remaining settings are not set to approved values, this is a finding.

Fix: F-25844r495568_fix

Where dynamic code execution is employed in circumstances where the objective could practically be satisfied by static execution with strongly typed parameters, modify the code to do so. If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, install and configure SQL/Protect as documented here: https://www.enterprisedb.com/docs/en/11.0/EPAS_Guide_v11/EDB_Postgres_Advanced_Server_Guide.1.048.html#

b
The EDB Postgres Advanced Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
SI-10 - Medium - CCI-001310 - V-224184 - SV-224184r879652_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
EP11-00-006400
Vuln IDs
  • V-224184
  • V-100391
Rule IDs
  • SV-224184r879652_rule
  • SV-109495
With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where SQL queries are being assembled by application code (which may be within the database or separate from it) and executed dynamically, the attacker is then able to craft input strings that subvert the intent of the query. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database. The principal protection against code injection is not to use dynamic execution except where it provides necessary functionality that cannot be utilized otherwise. Use strongly typed data items rather than general-purpose strings as input parameters to task-specific, pre-compiled stored procedures and functions (and triggers). When dynamic execution is necessary, ways to mitigate the risk include the following, which should be implemented both in the on-screen application and at the database level, in the stored procedures: -- Allow strings as input only when necessary. -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid values. If substituting other values for them, think carefully about whether this could be subverted. -- Limit the size of input strings to what is truly necessary. -- If single quotes/apostrophes, double quotes, semicolons, equals signs, angle brackets, or square brackets will never be valid as input, reject them. -- If comment markers will never be valid as input, reject them. In SQL, these are -- or /* */ -- If HTML and XML tags, entities, comments, etc., will never be valid, reject them. -- If wildcards are present, reject them unless truly necessary. In SQL these are the underscore and the percentage sign, and the word ESCAPE is also a clue that wildcards are in use. -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, ESCAPE, UNION, GRANT, and REVOKE will never be valid, reject them. Use case-insensitive comparisons when searching for these. Bear in mind that some of these words, particularly “Grant” (as a person's name), could also be valid input. -- If there are range limits on the values that may be entered, enforce those limits. -- Institute procedures for inspection of programs for correct use of dynamic coding, by a party other than the developer. -- Conduct rigorous testing of program modules that use dynamic coding, searching for ways to subvert the intended use. -- Record the inspection and testing in the system documentation. -- Bear in mind that all this applies not only to screen input, but also to the values in an incoming message to a web service or to a stored procedure called by a software component that has not itself been hardened in these ways. Not only can the caller be subject to such vulnerabilities; it may itself be the attacker. This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.
Checks: C-25857r495570_chk

Review DBMS source code (stored procedures, functions, triggers) and application source code to identify cases of dynamic code execution. If dynamic code execution is employed without protective measures against code injection, this is a finding. If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, verify that it has been configured according to documented organizational needs. 1) Execute the following SQL as enterprisedb: SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\_sql\_protect.%' ESCAPE '\'; If the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding. 2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb: \dn If the "sqlprotect" schema is not listed, this is a finding. 3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb: SELECT * FROM sqlprotect.list_protected_users; If the database and user that handles user input is not listed or the remaining settings are not set to approved values, this is a finding.

Fix: F-25845r495571_fix

Where dynamic code execution is used, modify the code to implement protections against code injection (i.e., prepared statements). If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from possible SQL injection attacks, install and configure SQL/Protect as documented here: https://www.enterprisedb.com/docs/en/11.0/EPAS_Guide_v11/EDB_Postgres_Advanced_Server_Guide.1.048.html#

b
The EDB Postgres Advanced Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
SI-11 - Medium - CCI-001312 - V-224185 - SV-224185r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
EP11-00-006500
Vuln IDs
  • V-224185
  • V-100393
Rule IDs
  • SV-224185r879655_rule
  • SV-109497
Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages must be carefully considered by the organization and development team. Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system. Carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.
Checks: C-25858r495573_chk

Check custom database code to verify that error messages do not contain information beyond what is needed for troubleshooting the issue. If custom database errors contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.

Fix: F-25846r495574_fix

Configure custom database code and associated application code not to divulge sensitive information or information useful for system identification in error messages.

b
The EDB Postgres Advanced Server must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.
SI-11 - Medium - CCI-001314 - V-224186 - SV-224186r879656_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
EP11-00-006600
Vuln IDs
  • V-224186
  • V-100395
Rule IDs
  • SV-224186r879656_rule
  • SV-109499
If EDB Postgres Advanced Server provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Some default EDB Postgres Advanced Server error messages can contain information that could aid an attacker in, among others things, identifying the database type, host address, or state of the database. Custom errors may contain sensitive customer information. It is important that detailed error messages be visible only to those who are authorized to view them; that general users receive only generalized acknowledgment that errors have occurred; and that these generalized messages appear only when relevant to the user's task. For example, a message along the lines of, "An error has occurred. Unable to save your changes. If this problem persists, please contact your help desk" would be relevant. A message such as "Warning: your transaction generated a large number of page splits" would likely not be relevant. Administrative users authorized to review detailed error messages typically are the ISSO, ISSM, SA, and DBA. Other individuals or roles may be specified according to organization-specific needs, with appropriate approval. In addition to ensuring that access to EDB Postgres Advanced Server database and audit logs is restricted to authorized users and that EDB Postgres Advanced Server is configured to emit minimal information to clients related to Postgres generated errors, custom database code and external application code should also be designed to not emit detailed error messages to a client. This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.
Checks: C-25859r495576_chk

# Verify client_min_messages setting Check the level of detail for errors exposed to clients, connect to the database as a database superuser using psql and execute the following psql command: SHOW client_min_messages If client_min_messages is set to LOG or DEBUG, this is a finding. # Verify access to database logs and audit log restricted to authorized users Verify that only authorized users are able to access EDB Postgres Advanced Server database and audit logs that may contain detailed error messages. By default, these logs are written to directories under the EDB Postgres Advanced Server data directory. The full path of the data directory can be determined by connecting to the database as a database superuser using psql and execute the following psql command: SHOW data_directory To check the access permissions assigned to the database logs, first determine where the logs are being written by connecting to the database as a database superuser using psql and execute the following psql command: SHOW log_destination # Verify access to database logs (stderr or csvlog) If the log_destination parameter is set to "stderr" or "csvlog", next determine the directory on the files system where the logs are being written by connecting to the database as a database superuser using psql and execute the following psql command: SHOW log_directory If the log_directory parameter is set to a relative path, database logs have been configured to be written to the named directory under the EDB Postgres Advanced Server data directory. If the log_directory parameter is set to an absolute path, database logs have been configured to be written to that location. Next, determine ownership of the log directory folder. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the log directory folder is located. Select and right-click on the folder, select "Properties", select the "Security" tab, and select the "Advanced" button. Note the Value of the Owner field. Using the Windows command prompt, enter the following command, replacing &lt;EDB log directory&gt; with the correct path for the log directory: dir "&lt;EDB log directory&gt;" /Q /S Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB log directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. Next, check the permissions assigned to the EDB log directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB log directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Review the users and groups and permissions assigned to them for the folder. Using a Windows command prompt, the following command may be used to list file permissions: icacls "&lt;EDB log directory&gt;" icacls "&lt;EDB log directory&gt;\*" Review the users and groups and permissions assigned to them for the file(s). Note: The above commands will list the permissions for all files and folders under the log directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If read or greater permissions are granted to Everyone or to the Users group, this is a finding. If any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding. If any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding. If any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding. # Verify access to database logs (eventlog) If the log_destination parameter is set to "eventlog", logs are written to the Windows Application event log. Review system security documentation and the Windows event log local and group policy settings. If the configured Windows Event Log policies give access to the Windows Application event log to any system users who are not documented as approved to view EDB Postgres Advanced Server logs, this is a finding. # Verify access to audit logs First determine the directory on the files system where the EDB Audit logs are being written by connecting to the database as a database superuser using psql and execute the following psql command: SHOW edb_audit_directory If the edb_audit_directory parameter is set to a relative path, database logs have been configured to be written to the named directory under the EDB Postgres Advanced Server data directory. If the log_directory parameter is set to an absolute path, database logs have been configured to be written to that location. Next, determine ownership of the EDB audit directory folder. This can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Security" tab, and select the "Advanced" button. Note the Value of the Owner field. Using the Windows command prompt, enter the following command, replacing &lt;EDB Audit directory&gt; with the correct path for the EDB audit directory: dir "&lt;EDB Audit directory&gt;" /Q /S Note: The above command will list all of the files and folders under the audit directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If the owner listed for the folder and any of the files and subfolders in the EDB audit directory and its content is not the service account responsible for running the Advanced Server database service this is a finding. Next, check the permissions assigned to the EDB audit directory folder and its content. Again, this can be done using Windows Explorer or via a Windows command prompt. Using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Review the users and groups and permissions assigned to them for the folder. Using a Windows command prompt, the following command may be used to list file permissions: icacls "&lt;EDB Audit directory&gt;" icacls "&lt;EDB Audit directory&gt;\*" Review the users and groups and permissions assigned to them for the file(s). Note: The above commands will list the permissions for all files and folders under the data directory. To make the output of this command easier to review, it may be redirected to a text file. Review the system security documentation. If read or greater permissions are granted to Everyone or to the Users group, this is a finding. If any account other than the database service account, Administrators, or other documented users are listed as having Read permission, this is a finding. If any account other than the database service account or other documented users are listed as having the Full Control permission, this is a finding. If any permissions are listed for any account other than the database service account that are not identified in the system documentation as being approved for the permission, this is a finding. # Verify custom database code and application does not display detailed error messages Check custom database code and application code to determine if detailed error messages are ever displayed to unauthorized individuals. If detailed error messages are displayed to individuals not authorized to view them, this is a finding.

Fix: F-25847r495577_fix

# Set client_min_messages To set the level of detail for errors messages exposed to clients, connect to the database as a database superuser using psql and execute the following commands: ALTER SYSTEM SET client_min_messages = notice; SELECT pg_reload_conf(); # Update EDB Postgres Advanced Server database log permissions. If the EDB Postgres Advanced Server log_destination parameter is set to "stderr" or "csvlog": 1) Change ownership of EDB Postgres Advanced Server database log directory and its contents to the database service account if they are not owned by the database service account. If the EDB Postgres Advanced Server database log directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service. This may be done using Windows Explorer: Browse to the directory where the log directory folder is located. Select and right-click on the folder, select "Properties", select the "Securities" tab, and select the "Advanced" button. Select the "Change" link shown next to the owner of the folder to change the folder's owner. Alternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt. 2) Modify permissions on the EDB Postgres Advanced Server database log directory and its contents to meet the requirement to protect against unauthorized access. This may be done using Windows Explorer: Browse to the directory where the log directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Modify the security permissions to: NT AUTHORITY/NetworkService (or configured database service account) (Full Control) Administrators (Read) Users (none) Alternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt. If the EDB Postgres Advanced Server log_destination parameter is set to "eventlog", update the Windows policy settings to only allow access to the Windows Application event log to authorized users. If other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement. # Update EDB Audit log permissions. 1) Change ownership of EDB Audit directory and its contents to the database service account if they are not owned by the database service account. If the EDB Audit directory and its contents are not owned by the database service account, change ownership to the service account responsible for running the Advanced Server database service. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", select the "Securities" tab, and select the "Advanced" button. Select the "Change" link shown next to the owner of the folder to change the folder's owner. Alternatively, the Windows TAKEOWN command or the ICACLS command (with the /SETOWNER option) may be used to change ownership of folders and files using the Windows command prompt. 2) Modify permissions on the EDB Audit directory and its contents to meet the requirement to protect against unauthorized access. This may be done using Windows Explorer: Browse to the directory where the EDB audit directory folder is located. Select and right-click on the folder, select "Properties", and select the "Security" tab. Modify the security permissions to: NT AUTHORITY/NetworkService (or configured database service account) (Full Control) Administrators (Read) Users (none) Alternatively, the Windows ICACLS command may be used to modify permissions on folders and files using the Windows command prompt. If other permissions have been granted to other users or groups, ensure that the system documentation is updated to note the organizationally approved permission setting and corresponding justification of the permission settings for this requirement. # Update custom database code and application code Configure custom database code and associated application code not to display detailed error messages to those not authorized to view them.

b
The EDB Postgres Advanced Server must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
AC-12 - Medium - CCI-002361 - V-224187 - SV-224187r879673_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
EP11-00-006700
Vuln IDs
  • V-224187
  • V-100397
Rule IDs
  • SV-224187r879673_rule
  • SV-109501
This addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination ends all processes associated with a user's logical session except those batch processes/jobs that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific cases where the system owner, data owner, or organization requires additional assurance.
Checks: C-25860r495579_chk

Review system documentation to obtain the organization's definition of circumstances requiring automatic session termination. If the documentation explicitly states that such termination is not required or is prohibited, this is not a finding. If the documentation requires automatic session termination but the DBMS is not configured via triggers, scripts, or other organization-defined manners to terminate sessions when required, this is a finding.

Fix: F-25848r495580_fix

Execute this SQL command in the places where the documentation requires automatic session termination: SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = '<username>'

b
The EDB Postgres Advanced Server must associate organization-defined types of security labels having organization-defined security label values with information in storage.
AC-16 - Medium - CCI-002262 - V-224188 - SV-224188r879689_rule
RMF Control
AC-16
Severity
Medium
CCI
CCI-002262
Version
EP11-00-006900
Vuln IDs
  • V-224188
  • V-100399
Rule IDs
  • SV-224188r879689_rule
  • SV-109503
Without the association of security labels to information, there is no basis for EDB Postgres Advanced Server to make security-related access-control decisions. Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. The mechanism used to support security labeling may be a feature of EDB Postgres Advanced Server, a third-party product, or custom application code. In addition to being able to grant privileges on tables using standard SQL features, EDB Postgres Advanced Server provides a Row Level Security (RLS) feature. This feature provides the ability to define and enable row-level security policies that restrict insert, update, delete, and select access on the rows of a table on a per user basis. For deployments within the DoD, RLS policies are configured to use the assigned security labels.
Checks: C-25861r495582_chk

If security labeling is not required, this is not a finding. If security labeling requirements have been specified, execute the following SQL as enterprisedb: SELECT * from ALL_POLICIES where OBJECT_NAME = '&lt;table name&gt;'; If a policy is not enabled for the table requiring security labeling, this is a finding. If security labeling is required and not implemented according to the system documentation, this is a finding. If security labeling requirements have been specified, but neither a third-party solution nor an EDB Postgres Advanced Server Row-Level security solution is implemented that reliably maintains labels on information in storage, this is a finding.

Fix: F-25849r495583_fix

Deploy EDB Postgres Advanced Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements, and application code, to provide reliable security labeling of information in storage. https://www.enterprisedb.com/docs/en/11.0/EPAS_BIP_Guide_v11/Database_Compatibility_for_Oracle_Developers_Built-in_Package_Guide.1.31.html#pID0E0UUD0HA

b
The EDB Postgres Advanced Server must associate organization-defined types of security labels having organization-defined security label values with information in process.
AC-16 - Medium - CCI-002263 - V-224189 - SV-224189r879690_rule
RMF Control
AC-16
Severity
Medium
CCI
CCI-002263
Version
EP11-00-007000
Vuln IDs
  • V-224189
  • V-100401
Rule IDs
  • SV-224189r879690_rule
  • SV-109505
Without the association of security labels to information, there is no basis for EDB Postgres Advanced Server to make security-related access-control decisions. Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. The mechanism used to support security labeling may be a feature of EDB Postgres Advanced Server, a third-party product, or custom application code. In addition to being able to grant privileges on tables using standard SQL features, EDB Postgres Advanced Server provides a Row Level Security (RLS) feature. This feature provides the ability to define and enable row level security policies that restrict insert, update, delete, and select access on the rows of a table on a per user basis. For deployments within the DoD, RLS policies are configured to use the assigned security labels.
Checks: C-25862r495585_chk

If security labeling is not required, this is not applicable (NA). If security labeling requirements have been specified, execute the following SQL as enterprisedb: SELECT * from ALL_POLICIES where OBJECT_NAME = '&lt;table name&gt;'; If a policy is not enabled for the table requiring security labeling, this is a finding. If security labeling is required and not implemented according to the system documentation, this is a finding. If security labeling requirements have been specified, but neither a third-party solution nor an EDB Postgres Advanced Server Row-Level security solution is implemented that reliably maintains labels on information in process, this is a finding.

Fix: F-25850r495586_fix

Deploy EDB Postgres Advanced Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in process. https://www.enterprisedb.com/docs/en/11.0/EPAS_BIP_Guide_v11/Database_Compatibility_for_Oracle_Developers_Built-in_Package_Guide.1.31.html#pID0E0UUD0HA

b
The EDB Postgres Advanced Server must associate organization-defined types of security labels having organization-defined security label values with information in transmission.
AC-16 - Medium - CCI-002264 - V-224190 - SV-224190r879691_rule
RMF Control
AC-16
Severity
Medium
CCI
CCI-002264
Version
EP11-00-007100
Vuln IDs
  • V-224190
  • V-100403
Rule IDs
  • SV-224190r879691_rule
  • SV-109507
Without the association of security labels to information, there is no basis for EDB Postgres Advanced Server to make security-related access-control decisions. Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. The mechanism used to support security labeling may be a feature of EDB Postgres Advanced Server, a third-party product, or custom application code. In addition to being able to grant privileges on tables using standard SQL features, EDB Postgres Advanced Server provides a Row Level Security (RLS) feature. This feature provides the ability to define and enable row level security policies that restrict insert, update, delete, and select access on the rows of a table on a per user basis. For deployments within the DoD, RLS policies are configured to use the assigned security labels.
Checks: C-25863r495588_chk

If security labeling is not required, this is not applicable (NA). If security labeling requirements have been specified, execute the following SQL as enterprisedb: SELECT * from ALL_POLICIES where OBJECT_NAME = '&lt;table name&gt;'; If a policy is not enabled for the table requiring security labeling, this is a finding. If security labeling is required and not implemented according to the system documentation, this is a finding. If security labeling requirements have been specified, but neither a third-party solution nor an EDB Postgres Advanced Server Row-Level security solution is implemented that reliably maintains labels on information in transmission, this is a finding.

Fix: F-25851r495589_fix

Deploy EDB Postgres Advanced Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in transmission. https://www.enterprisedb.com/docs/en/11.0/EPAS_BIP_Guide_v11/Database_Compatibility_for_Oracle_Developers_Built-in_Package_Guide.1.31.html#pID0E0UUD0HA

b
EDB Postgres Advanced Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
AC-3 - Medium - CCI-002165 - V-224191 - SV-224191r879705_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
EP11-00-007300
Vuln IDs
  • V-224191
  • V-101197
Rule IDs
  • SV-224191r879705_rule
  • SV-110301
Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled table permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
Checks: C-25864r495591_chk

Review system documentation to identify the required discretionary access control (DAC). Review the security configuration of the database and EDB Postgres Advanced Server. If applicable, review the security configuration of the application(s) using the database. If the discretionary access control defined in the documentation is not implemented in the security configuration, this is a finding. Check the EDB Postgres instance for the ownership and privileges assigned to database objects. # Check for object ownership and privileges # Check for database owners and granted privileges To list all the databases contained in an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the databases, connect to a database as a database superuser using psql and execute the following psql command: \l Review the results of the above command. If any database is owned by a user or group role that is not documented as being approved to own the database, this is a finding. If any user or group role has been granted privileges on a database that is not documented and approved, this is a finding. # Check for schema owners and granted privileges To list all the schemas contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the schemas, connect to the database as a database superuser using psql and execute the following psql command: \dn+ * Review the results of the above command. If any schema is owned by a user or group role that is not documented as being approved to own the schema, this is a finding. If any user or group role has been granted privileges on a schema that is not documented and approved, this is a finding. # Check for table, sequence, and view owners To list all the tables, sequences, and views contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners, connect to the database as a database superuser using psql and execute the following psql commands: \dt *.* \ds *.* \dv *.* Review the results of the above commands. If any table, sequence, or view is owned by a user or group role that is not documented as being approved to own the object, this is a finding. # Check for table, sequence, and view access privileges To list all the privileges that have been granted on the tables, sequences, and views in a database, connect to the database as a database superuser using psql and execute the following psql command: \dp *.* Review the results of the above command. If any user or group role has been granted privileges on an object that is not documented and approved, this is a finding. # Check for function/procedure owners and access privileges To list all the functions and procedures contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the schemas, connect to the database as a database superuser using psql and execute the following SQL statement: SELECT r.rolname as owner , n.nspname as namespace , p.proname as name , pg_get_function_identity_arguments(p.oid) , p.prokind as kind , p.proacl as access_privileges FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid r ON p.proowner = r.oid ORDER BY 1, 2, 3, 4; Review the results of the above query. If any function or procedure is owned by a user or group role that is not documented as being approved to own the object, this is a finding. If any user or group role has been granted privileges on a function or procedure that is not documented and approved, this is a finding.

Fix: F-25852r495592_fix

Implement the organization's DAC policy in the security configuration of the database and EDB Postgres Advanced Server, and, if applicable, the security configuration of the application(s) using the database. If an unapproved user or group role is the owner of a database object, change the owner to an approved user or group role using one of the following ALTER SQL commands as appropriate: The syntax is: ALTER DATABASE <database name> OWNER TO <new_owner> ALTER SCHEMA <schema name> OWNER TO <new_owner> ALTER TABLE <table name> OWNER TO <new_owner> ALTER SEQUENCE <sequence name> OWNER TO <new_owner> ALTER VIEW <view name> OWNER TO <new_owner> ALTER FUNCTION <function name> (<args>) OWNER TO <new_owner> ALTER PROCEDURE <procedure name> (<args>) OWNER TO <new_owner> Examples: ALTER DATABASE test_db OWNER TO app_admin ALTER SCHEMA test_schema OWNER TO app_admin ALTER TABLE test_tbl OWNER TO app_admin ALTER SEQUENCE test_seq OWNER TO app_admin ALTER VIEW test_vw OWNER TO app_admin ALTER FUNCTION test_func (p1 numeric, p2 text) OWNER TO app_admin ALTER PROCEDURE test_proc (p1 numeric, p2 text) OWNER TO app_admin If a user or group role has been granted an unapproved role or object privilege, execute the appropriate REVOKE command as documented here: http://www.postgresql.org/docs/current/static/sql-revoke.html

b
The EDB Postgres Advanced Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-6 - Medium - CCI-002235 - V-224192 - SV-224192r879717_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002235
Version
EP11-00-007400
Vuln IDs
  • V-224192
  • V-100405
Rule IDs
  • SV-224192r879717_rule
  • SV-109509
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. System documentation should include a definition of the functionality considered privileged. Depending on circumstances, privileged functions can include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. A privileged function in the DBMS/database context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. In an SQL environment, it encompasses, but is not necessarily limited to: CREATE ALTER DROP GRANT REVOKE There may also be Data Manipulation Language (DML) statements that, subject to context, should be regarded as privileged. Possible examples include: TRUNCATE TABLE; DELETE, or DELETE affecting more than n rows, for some n, or DELETE without a WHERE clause; UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a WHERE clause; any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table executed by other than a security principal. Depending on the capabilities of the DBMS and the design of the database and associated applications, the prevention of unauthorized use of privileged functions may be achieved by means of DBMS security features, database triggers, other mechanisms, or a combination of these. In Postgres, a user or group role that has been granted the SUPERUSER privilege can perform any action in the database. As such, the SUPERUSER privilege should only be granted to a limited set of approved users. The SUPERUSER privilege can be assigned to a role when the role is created. It can also be assigned or removed from a role via an ALTER ROLE statement. Postgres also provides the CREATEROLE, CREATEDB, REPLICATION, and BYPASSURLS privileges that can be granted to non-superuser roles to allow them to perform a limited set of privileged activities such as creating databases, creating user and group roles, managing replication slots, and bypassing row level security restrictions. Although not as all-encompassing as the SUPERUSER privilege, these privileges must only be granted to users who are approved to perform these activities. Like the SUPERUSER privilege, these privileges can be assigned to a role when the role is created. They can also be assigned or removed from a role via an ALTER ROLE statement. The PostgreSQL CREATE ROLE documentation provides more information about these privileges. See: https://www.postgresql.org/docs/current/sql-createrole.html In addition to the SUPERUSER, CREATEDB, and CREATEROLE privileges, a user may be granted one or more default roles that provide access to certain privileged capabilities and activities. A listing and description of the default roles provided with Postgres is documented at the following link: https://www.postgresql.org/docs/current/default-roles.html Roles and privileges on database objects can be granted to or revoked from a user using the GRANT and REVOKE statements. Users that are granted a role with the ADMIN OPTION can in turn grant the role to other users and roles. The ADMIN OPTION should only be granted to user and group roles that are approved to grant the roles. A description of the available privileges that may be granted to the different types of Postgres database objects is documented at the following link: https://www.postgresql.org/docs/current/ddl-priv.html Also in Postgres, for most object types, object owners can perform any action on the objects they own, including dropping or altering them and assigning or revoking privileges on them. As such, database objects should only be owned by users who are approved to own them. Another security risk to consider, is that Postgres can be extended with additional procedural languages that can be used to create user defined functions (i.e., not provided by EDB Postgres Advanced Server out-of-the-box). Some of these languages, such as pl/Python and pl/R are defined as "untrusted" languages. Any users who are granted access to these untrusted languages are able to run user defined functions to escalate privileges and perform unintended functions. These languages allow a Postgres database to be extended with additional capabilities that may be of benefit to a system. However, usage of these languages should only be granted to approved users for documented and approved purposes.
Checks: C-25865r495594_chk

Review the system documentation to obtain the definition of the EDB Postgres Advanced Server functionality considered privileged in the context of the system in question. Review the EDB Postgres Advanced Server security configuration and/or other means used to protect privileged functionality from unauthorized use. If the configuration does not protect all of the actions defined as privileged, this is a finding. To list the user and group roles in an EDB Postgres Advanced Server along with the privileges that have been assigned to each role and the roles that have been granted to each role, execute the following command in psql as a database superuser: \du+ If any user or group role is assigned a privilege or is a member of a role that provides the ability to perform an action that is considered privileged and is not documented as being approved to have these privileges or roles, this is a finding. # Check for SUPERUSER privilege To check for user and group roles that have been granted the SUPERUSER privilege, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb: WITH RECURSIVE roles( granted_role_id, granted_role_name, role_id, role_name, can_login, how_superuser, root_role_name ) AS ( SELECT NULL::oid granted_role_id , NULL::name granted_role_name , r1.oid role_id , r1.rolname role_name , r1.rolcanlogin can_login , 'Assigned Superuser Privilege' how_superuser , r1.rolname root_role_name FROM pg_authid r1 WHERE r1.rolsuper = 't' UNION SELECT m.roleid , r3.rolname , m.member , r2.rolname , r2.rolcanlogin , 'Granted Role with Superuser Privilege' , r1.root_role_name FROM pg_auth_members m JOIN pg_authid r2 ON r2.oid = m.member JOIN pg_authid r3 ON r3.oid = m.roleid JOIN roles r1 ON m.roleid = r1.role_id ) SELECT DISTINCT r.role_name, r.can_login, hs.how_superuser, gr.granted_roles, rr.root_superuser_roles FROM roles r JOIN ( SELECT role_name, string_agg(how_superuser, ', ') how_superuser FROM ( SELECT DISTINCT role_name, how_superuser FROM roles ORDER BY 2 ) GROUP BY role_name ) hs ON r.role_name = hs.role_name JOIN ( SELECT role_name, string_agg(granted_role_name, ', ') granted_roles FROM ( SELECT DISTINCT role_name, granted_role_name FROM roles ORDER BY 2 ) GROUP BY role_name ) gr ON r.role_name = gr.role_name JOIN ( SELECT role_name, string_agg(root_role_name, ', ') root_superuser_roles FROM ( SELECT DISTINCT role_name, root_role_name FROM roles ORDER BY 2 ) GROUP BY role_name ) rr ON r.role_name = rr.role_name ORDER BY 3,1; The above query will list all user and group roles that have either been granted the SUPERUSER privilege explicitly, or via one of the roles in the hierarchy of roles they have been granted. If a user or group role has the SUPERUSER privilege either directly or via one of the roles in the hierarchy of roles it has been granted and the role is not documented as being approved to have this privilege, this is a finding. # Check for CREATEROLE, CREATEDB, REPLICATION, and BYPASSURLS privileges To check for user and group roles that have been granted the CREATEROLE, CREATEDB, REPLICATION, or BYPASSSRLS privileges, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb: WITH RECURSIVE roles( granted_role_id, granted_role_name, role_id, role_name, can_login, how_privileged, root_role_name ) AS ( SELECT NULL::oid granted_role_id , NULL::name granted_role_name , r1.oid role_id , r1.rolname role_name , r1.rolcanlogin can_login , 'Assigned Privilege' how_privileged , r1.rolname root_role_name , pr.privilege , pr.sortkey FROM ( SELECT 1 sortkey, oid, 'CREATEROLE' privilege FROM pg_authid WHERE rolcreaterole = 't' UNION SELECT 2 sortkey, oid, 'CREATEDB' privilege FROM pg_authid WHERE rolcreatedb = 't' UNION SELECT 3 sortkey, oid, 'REPLICATION' privilege FROM pg_authid WHERE rolreplication = 't' UNION SELECT 4 sortkey, oid, 'BYPASSRLS' privilege FROM pg_authid WHERE rolbypassrls = 't' ) pr JOIN pg_authid r1 ON pr.oid = r1.oid UNION SELECT m.roleid , r3.rolname , m.member , r2.rolname , r2.rolcanlogin , 'Granted Role with Privilege' , r1.root_role_name , r1.privilege , r1.sortkey FROM pg_auth_members m JOIN pg_authid r2 ON r2.oid = m.member JOIN pg_authid r3 ON r3.oid = m.roleid JOIN roles r1 ON m.roleid = r1.role_id ) SELECT DISTINCT r.sortkey, r.privilege, r.role_name, r.can_login, hs.how_privileged, gr.granted_roles, rr.root_roles_with_priv FROM roles r JOIN ( SELECT role_name, string_agg(how_privileged, ', ') how_privileged FROM ( SELECT DISTINCT role_name, how_privileged FROM roles ORDER BY 2 ) GROUP BY role_name ) hs ON r.role_name = hs.role_name JOIN ( SELECT role_name, string_agg(granted_role_name, ', ') granted_roles FROM ( SELECT DISTINCT role_name, granted_role_name FROM roles ORDER BY 2 ) GROUP BY role_name ) gr ON r.role_name = gr.role_name JOIN ( SELECT role_name, string_agg(root_role_name, ', ') root_roles_with_priv FROM ( SELECT DISTINCT role_name, root_role_name FROM roles ORDER BY 2 ) GROUP BY role_name ) rr ON r.role_name = rr.role_name ORDER BY r.sortkey, r.privilege, hs.how_privileged, r.role_name; The above query will list all user and group roles that have either been granted the CREATEROLE, CREATEDB, REPLICATION, or BYPASSRLS privileges explicitly or via one of the roles in the hierarchy of roles they have been granted. If a user or group role has one of these privileges either directly or via one of the roles in the hierarchy of roles it has been granted and the role is not documented as being approved to have this privilege, this is a finding. # Check for default role assignments In addition to the SUPERUSER, CREATEDB, and CREATEROLE privileges, a user may be granted one or more default roles that provide access to certain privileged capabilities and activities. A listing and description of the default roles provided with Postgres is documented at the following link: https://www.postgresql.org/docs/current/default-roles.html To check for user and group roles that have been granted a role, execute the following SQL statement in psql or another Postgres SQL client as a database administrator, replacing &lt;ROLE NAME&gt; with the name of the role to be checked: WITH RECURSIVE roles( granted_role_id, granted_role_name, role_id, role_name, can_login, root_role_name ) AS ( SELECT NULL::oid granted_role_id , NULL::name granted_role_name , r1.oid role_id , r1.rolname role_name , r1.rolcanlogin can_login , r1.rolname root_role_name FROM pg_authid r1 WHERE r1.rolname = '&lt;ROLE NAME&gt;' UNION SELECT m.roleid , r3.rolname , m.member , r2.rolname , r2.rolcanlogin , r1.root_role_name FROM pg_auth_members m JOIN pg_authid r2 ON r2.oid = m.member JOIN pg_authid r3 ON r3.oid = m.roleid JOIN roles r1 ON m.roleid = r1.role_id ) SELECT DISTINCT r.role_name, r.can_login, gr.granted_roles, rr.server_os_access_roles FROM roles r JOIN ( SELECT role_name, string_agg(granted_role_name, ', ') granted_roles FROM ( SELECT DISTINCT role_name, granted_role_name FROM roles ORDER BY 2 ) GROUP BY role_name ) gr ON r.role_name = gr.role_name JOIN ( SELECT role_name, string_agg(root_role_name, ', ') server_os_access_roles FROM ( SELECT DISTINCT role_name, root_role_name FROM roles ORDER BY 2 ) GROUP BY role_name ) rr ON r.role_name = rr.role_name WHERE gr.granted_roles IS NOT NULL ORDER BY 1; Note that in the above query, to do a check for more than one role in a single query, replace "r1.rolname = '&lt;ROLE NAME&gt;'" with a comma separated list of roles in an SQL "IN" clause (e.g., "r1.rolname IN ( '&lt;ROLE 1 NAME&gt;', '&lt;ROLE 2 NAME&gt;', &lt;'ROLE N NAME'&gt; )"). The above query will list all user and group roles that have been granted the specified role(s) either explicitly or via one of the roles in the hierarchy of roles they have been granted. If a user or group role has been granted one of the default privileged roles explicitly or via one of the roles in the hierarchy of roles they have been granted, and the role is not documented as being approved to have this role, this is a finding. # Check for object ownership and privileges # Check for database owners and granted privileges To list all the databases contained in an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the databases, connect to a database as a database superuser using psql and execute the following psql command: \l Review the results of the above command. If any database is owned by a user or group role that is not documented as being approved to own the database, this is a finding. If any user or group role has been granted privileges on a database that is not documented and approved, this is a finding. # Check for schema owners and granted privileges To list all the schemas contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the schemas, connect to the database as a database superuser using psql and execute the following psql command: \dn+ * Review the results of the above command. If any schema is owned by a user or group role that is not documented as being approved to own the schema, this is a finding. If any user or group role has been granted privileges on a schema that is not documented and approved, this is a finding. # Check for table, sequence, and view owners To list all the tables, sequences, and views contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners, connect to the database as a database superuser using psql and execute the following psql commands: \dt *.* \ds *.* \dv *.* Review the results of the above commands. If any table, sequence, or view is owned by a user or group role that is not documented as being approved to own the object, this is a finding. # Check for table, sequence, and view access privileges To list all the privileges that have been granted on the tables, sequences, and views in a database, connect to the database as a database superuser using psql and execute the following psql command: \dp *.* Review the results of the above command. If any user or group role has been granted privileges on an object that is not documented and approved, this is a finding. # Check for function/procedure owners and access privileges To list all the functions and procedures contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) as well as their owners and the privileges that have been granted on the schemas, connect to the database as a database superuser using psql and execute the following SQL statement: SELECT r.rolname as owner , n.nspname as namespace , p.proname as name , pg_get_function_identity_arguments(p.oid) , p.prokind as kind , p.proacl as access_privileges FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid r ON p.proowner = r.oid ORDER BY 1, 2, 3, 4; Review the results of the above query. If any function or procedure is owned by a user or group role that is not documented as being approved to own the object, this is a finding. If any user or group role has been granted privileges on a function or procedure that is not documented and approved, this is a finding. # Check for additional installed procedural languages To list the procedural languages that are available for use in a database within an EDB Postgres Advanced Server database, connect to the database as a database superuser using psql and execute the following psql command: \dL+ Review the results of the above command. A value of "f" in the "Trusted" column of the results indicates that the language is defined as an "untrusted" language. If no Access Privileges are listed for a particular language, this means that default privileges are assigned. In Postgres, unless overridden by using the ALTER DEFAULT PRIVILEGES command, the USAGE privilege on languages is assigned to PUBLIC by default. If any "untrusted" language is listed in the results of the above command and not approved for use by the system, this is finding. If any user or group role has been granted USAGE on an "untrusted" language that is not documented and approved, this is a finding. # Check for functions that are written in untrusted procedural languages To check whether any user defined functions contained in a database within an EDB Postgres Advanced Server cluster (i.e., instance) are written in an untrusted procedural language, connect to the database as a database superuser using psql and execute the following SQL statement: SELECT n.nspname "Schema", p.proname "Function", p.prosrc "Source", p.probin "Library", l.lanname "Language", p.proacl "Access Privileges" FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_language l on p.prolang = l.oid WHERE (l .lanpltrusted = 'f' AND l.lanname != 'internal' ) AND n.nspname NOT IN ('pg_catalog', 'sys', 'information_schema') ORDER BY 5, 1, 2; Review the results of the above query. Note that if no Access Privileges are listed for a particular function, this means that default privileges are assigned. In Postgres, unless overridden by using the ALTER DEFAULT PRIVILEGES command, the EXECUTE privilege on functions is assigned to PUBLIC by default. If any user defined function is listed and is not documented as being approved for use, this is a finding. If any user defined function is listed and is documented as being approved, but has execute privilege granted to a user or group role that has not been documented as having been approved for this permission, this is a finding.

Fix: F-25853r495595_fix

Update system documentation to accurately identify all user and group roles that are authorized to perform privileged actions. If the SUPERUSER, CREATEROLE, CREATEDB, REPLICATION, or BYPASSRLS privileges have been assigned to a user or group role that is not approved to have these privileges, remove the privilege using the ALTER ROLE SQL command as necessary. The syntax is: ALTER ROLE <role> NOSUPERUSER ALTER ROLE <role> NOCREATEROLE ALTER ROLE <role> NOCREATEDB ALTER ROLE <role> NOREPLICATION ALTER ROLE <role> NOBYPASSURLS Examples: ALTER ROLE testuser NOSUPERUSER ALTER ROLE testuser NOCREATEROLE ALTER ROLE testuser NOCREATEDB ALTER ROLE testuser NOREPLICATION ALTER ROLE testuser NOBYPASSURLS If an unapproved user or group role is the owner of a database object, change the owner to an approved user or group role using one of the following ALTER SQL commands as appropriate: The syntax is: ALTER DATABASE <database name> OWNER TO <new_owner> ALTER SCHEMA <schema name> OWNER TO <new_owner> ALTER TABLE <table name> OWNER TO <new_owner> ALTER SEQUENCE <sequence name> OWNER TO <new_owner> ALTER VIEW <view name> OWNER TO <new_owner> ALTER FUNCTION <function name> (<args>) OWNER TO <new_owner> ALTER PROCEDURE <procedure name> (<args>) OWNER TO <new_owner> Examples: ALTER DATABASE test_db OWNER TO app_admin ALTER SCHEMA test_schema OWNER TO app_admin ALTER TABLE test_tbl OWNER TO app_admin ALTER SEQUENCE test_seq OWNER TO app_admin ALTER VIEW test_vw OWNER TO app_admin ALTER FUNCTION test_func (p1 numeric, p2 text) OWNER TO app_admin ALTER PROCEDURE test_proc (p1 numeric, p2 text) OWNER TO app_admin If a user or group role has been granted an unapproved role or object privilege, execute the appropriate REVOKE command as documented here: http://www.postgresql.org/docs/current/static/sql-revoke.html Update the system documentation to identify the intended use, scope, and justification for any "untrusted" procedural languages that are being used for user defined functions as well as the users who are approved to use these languages and corresponding functions. If an unapproved user defined function exists, remove it from the database by executing the DROP FUNCTION SQL command as documented here: https://www.postgresql.org/docs/current/sql-dropfunction.html If an unapproved procedural language is installed, remove it from the database by executing the following SQL command: DROP EXTENSION <extension_name>

b
Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.
AC-6 - Medium - CCI-002233 - V-224193 - SV-224193r879719_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002233
Version
EP11-00-007500
Vuln IDs
  • V-224193
  • V-100407
Rule IDs
  • SV-224193r879719_rule
  • SV-109511
In certain situations, to provide required functionality, a DBMS must execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations. Privilege elevation must be utilized only where necessary and protected from misuse. This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.
Checks: C-25866r495597_chk

Review the system documentation and source code of the application(s) using the database. If elevation of DBMS privileges is used but not documented, this is a finding. If elevation of DBMS privileges is documented but not implemented as described in the documentation, this is a finding. If the privilege-elevation logic can be invoked in ways other than intended, in contexts other than intended, or by subjects/principals other than intended, this is a finding. Execute the following SQL to find any SECURITY DEFINER functions (meaning they are executed as owner rather than invoker): select proname from pg_proc where prosecdef = true; If any of these functions should not be SECURITY DEFINER, this is a finding.

Fix: F-25854r495598_fix

Determine where, when, how, and by what principals/subjects elevated privilege is needed. Modify the system and the application(s) using the database to ensure privilege elevation is used only as required. To alter a function to use SECURITY INVOKER instead of SECURITY DEFINER, execute the following SQL: ALTER FUNCTION <function()> SECURITY INVOKER;

b
Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.
AC-6 - Medium - CCI-002233 - V-224194 - SV-224194r879719_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002233
Version
EP11-00-007510
Vuln IDs
  • V-224194
  • V-100409
Rule IDs
  • SV-224194r879719_rule
  • SV-109513
In certain situations, to provide required functionality, a DBMS must execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations. Privilege elevation must be utilized only where necessary and protected from misuse. This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.
Checks: C-25867r495600_chk

Review the system documentation and source code of the application(s) using the database. If elevation of DBMS privileges is used but not documented, this is a finding. If elevation of DBMS privileges is documented but not implemented as described in the documentation, this is a finding. If the privilege-elevation logic can be invoked in ways other than intended, in contexts other than intended, or by subjects/principals other than intended, this is a finding. Execute the following SQL to find any users with BYPASS RLS permissions: select rolname from pg_roles where rolbypassrls = true; If any of these users are not superusers that should bypass RLS, this is a finding.

Fix: F-25855r495601_fix

Determine where, when, how, and by what principals/subjects elevated privilege is needed. Modify the system and the application(s) using the database to ensure privilege elevation is used only as required. To alter a user to not allow bypassing RLS, execute the following SQL: ALTER USER <user> NOBYPASSRLS;

b
The EDB Postgres Advanced Server must utilize centralized management of the content captured in audit records generated by all components of the EDB Postgres Advanced Server.
AU-3 - Medium - CCI-001844 - V-224195 - SV-224195r879729_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001844
Version
EP11-00-007700
Vuln IDs
  • V-224195
  • V-100411
Rule IDs
  • SV-224195r879729_rule
  • SV-109515
Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. The DBMS may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.
Checks: C-25868r495603_chk

If a centralized log collecting tool such as Postgres Enterprise Manager (PEM) is not installed and configured to automatically collect audit logs, this is a finding. Review the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.

Fix: F-25856r495604_fix

Install a centralized log collecting tool and configure it as instructed in its documentation. If using PEM, find the instructions at https://www.enterprisedb.com/docs/en/7.0/pemgetstarted/toc.html

b
The EDB Postgres Advanced Server must provide centralized configuration of the content to be captured in audit records generated by all components of the EDB Postgres Advanced Server.
AU-3 - Medium - CCI-001844 - V-224196 - SV-224196r879729_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001844
Version
EP11-00-007800
Vuln IDs
  • V-224196
  • V-100413
Rule IDs
  • SV-224196r879729_rule
  • SV-109517
If the configuration of the DBMS's auditing is spread across multiple locations in the database management software, or across multiple commands, only loosely related, it is harder to use and takes longer to reconfigure in response to events. The DBMS must provide a unified tool for audit configuration.
Checks: C-25869r495606_chk

If managing only single EDB Postgres Advanced Server clusters, this is not a finding. If managing multiple EDB Postgres Advanced Server clusters and a unified tool for audit configuration such as PEM (Postgres Enterprise Manager) is not installed to configure and manage audit logs, this is a finding. Review the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.

Fix: F-25857r495607_fix

If managing multiple EDB Postgres Advanced Server clusters (i.e., instances), install a centralized audit log management tool and configure it as instructed in its documentation. If using PEM, find the instructions at https://www.enterprisedb.com/docs/en/7.0/pemgetstarted/toc.html

b
The EDB Postgres Advanced Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
AU-4 - Medium - CCI-001849 - V-224197 - SV-224197r879730_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001849
Version
EP11-00-007900
Vuln IDs
  • V-224197
  • V-100415
Rule IDs
  • SV-224197r879730_rule
  • SV-109519
To ensure sufficient storage capacity for the audit logs, the DBMS must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates that audit data be off-loaded to a centralized log management system, it remains necessary to provide space on the database server to serve as a buffer against outages and capacity limits of the off-loading mechanism. The task of allocating audit record storage capacity is usually performed during initial installation of the DBMS and is closely associated with the DBA and system administrator roles. The DBA or system administrator will usually coordinate the allocation of physical drive space with the application owner/installer and the application will prompt the installer to provide the capacity information, the physical location of the disk, or both. In determining the capacity requirements, consider such factors as: total number of users; expected number of concurrent users during busy periods; number and type of events being monitored; types and amounts of data being captured; the frequency/speed with which audit records are off-loaded to the central log management system; and any limitations that exist on the DBMS's ability to reuse the space formerly occupied by off-loaded records.
Checks: C-25870r495609_chk

Investigate whether there have been any incidents where the DBMS ran out of audit log space since the last time the space was allocated or other corrective measures were taken. If there have been incidents, this is a finding. To check how much storage capacity is available for audit records, first determine the location where the EDB audit logs are being written by executing the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW edb_audit_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). Note that the default location for the EDB postgresql data directory is found in the directory where EDB Postgres Advanced Server is installed. The location of the data directory for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW data_directory" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If the default path is used for the postgresql data directory and the default setting of "edb_audit" is used for the edb_audit_directory parameter, the path to the EDB audit directory would be &lt;EDB Postgres data directory&gt;\edb_audit. Depending on the version of EPAS installed, the options selected during installation, and the edb_audit_directory parameter setting, the path to the data directory and the EDB audit directory may be different. With the EDB audit directory identified, note the disk on which this directory exists. Use the Windows Disk Management panel to determine how much space has been allocated to the disk and how much space remains. The Disk Management panel can be opened via "Start &gt; Run &gt; diskmgmt.msc". To determine the capacity, used, and free space on the disk via the Windows Explorer, right click to select the disk, and then select the "Properties" menu option. To determine how much space is currently being consumed by the audit log using Windows Explorer, right click select the audit directory and then select the "Properties" menu option. If the remaining storage on the disk does not meet organizationally defined audit record storage requirements, this is a finding.

Fix: F-25858r495610_fix

Allocate sufficient audit file space to the partition containing the EDB Audit directory to support peak demand. Note that the EDB audit log directory is configured by the edb_audit_directory parameter. By default, the edb_audit_directory is set to "edb_audit", which results in an "edb_audit" directory being created under the EPAS cluster's data directory for audit logs if auditing is enabled.

b
The EDB Postgres Advanced Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.
AU-5 - Medium - CCI-001855 - V-224198 - SV-224198r879732_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001855
Version
EP11-00-008000
Vuln IDs
  • V-224198
  • V-100417
Rule IDs
  • SV-224198r879732_rule
  • SV-109521
Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to EDB Postgres on its own server will not be an issue. However, space will still be required on the EDB Postgres server for audit records in transit, and, under abnormal conditions, this could fill up. Since a requirement exists to halt processing upon audit failure, a service outage would result. If support personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion. The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.
Checks: C-25871r495612_chk

If Postgres Enterprise Manager (PEM) or another similar monitoring capability is not installed and configured to probe storage volume utilization of "&lt;postgresql data directory&gt;" and notify appropriate support staff upon storage volume utilization reaching 75 percent, this is a finding. (The default path for the postgresql data directory is C:\Program Files\edb\as&lt;version&gt;\data, but this will vary according to local circumstances.)

Fix: F-25859r495613_fix

Install PEM (or similar tool) and configure a probe to monitor "<postgresql data directory>" and notify appropriate support staff upon storage volume utilization reaching 75 percent. (The default path for the postgresql data directory is C:\Program Files\edb\as<version>\data, but this will vary according to local circumstances.) Example steps for creating a probe are below, using the thin client (browser) PEM interface. Refer also to the Supplemental Procedures document, supplied with this STIG. Open the PEM web console in a browser. - Log in. - Click on the agent for the machine to be monitored. - Select "Management | Probe Configuration". - Select "Disk Space" and set the check interval as you like. - Select "Management | Alerting". - Name the definition "Audit Log Full". - Select Template "Disk Consumption Percentage". - Set Frequency, Comparison Operator, and Thresholds (1 minute, >, 74/75/76 for example). - Enter the Location for the audit log. - Click Notification tab. - Click Email all alerts. - Click Add/Change to save, click "OK" to exit dialog box.

b
The EDB Postgres Advanced Server must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.
AU-5 - Medium - CCI-001858 - V-224199 - SV-224199r879733_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001858
Version
EP11-00-008100
Vuln IDs
  • V-224199
  • V-100419
Rule IDs
  • SV-224199r879733_rule
  • SV-109523
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. The appropriate support staff include, at a minimum, the ISSO and the DBA/SA. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). The necessary monitoring and alerts may be implemented using features of EDB Postgres, the OS, third-party software, custom code, or a combination of these. The term "the system" is used to encompass all of these.
Checks: C-25872r495615_chk

If Postgres Enterprise Manager (PEM) or another similar monitoring capability is not installed and configured to probe storage volume utilization of "&lt;postgresql data directory&gt;" and notify appropriate support staff upon storage volume utilization reaching capacity, this is a finding. (The default path for the postgresql data directory is C:\Program Files\edb\as&lt;version&gt;\data, but this will vary according to local circumstances.)

Fix: F-25860r495616_fix

Install PEM (or similar tool) and configure a probe to monitor "<postgresql data directory>" and notify appropriate support staff upon storage volume utilization reaching capacity. (The default path for the postgresql data directory is C:\Program Files\edb\as<version>\data, but this will vary according to local circumstances.) Example steps for creating a probe are below, using the thin client (browser) PEM interface. Refer also to the Supplemental Procedures document, supplied with this STIG. Open the PEM web console in a browser. - Log in. - Click on the agent for the machine to be monitored. - Select "Management | Probe Configuration". - Select "Disk Space" and set the check interval as you like. - Select "Management | Alerting". - Name the definition "Audit Log Full". - Select Template "Disk Consumption Percentage". - Set Frequency, Comparison Operator, and Thresholds (1 minute, >, 90/95/98 for example). - Enter the Location for the audit log. - Click Notification tab. - Click Email all alerts. - Click Add/Change to save, click "OK" to exit dialog box.

b
The EDB Postgres Advanced Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
CM-11 - Medium - CCI-001812 - V-224200 - SV-224200r879751_rule
RMF Control
CM-11
Severity
Medium
CCI
CCI-001812
Version
EP11-00-008400
Vuln IDs
  • V-224200
  • V-100421
Rule IDs
  • SV-224200r879751_rule
  • SV-109525
Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user. DBMS functionality and the nature and requirements of databases will vary; so while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The requirements for production servers will be more restrictive than those used for development and research. The DBMS must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. In the case of a database management system, this requirement covers stored procedures, functions, triggers, views, etc.
Checks: C-25873r495618_chk

If EDB Postgres supports only software development, experimentation, and/or developer-level testing (that is, excluding production systems, integration testing, stress testing, and user acceptance testing), this is not a finding. Review the EDB Postgres security settings with respect to non-administrative users' ability to create, alter, or replace logic modules, to include but not necessarily only stored procedures, functions, triggers, and views. These following commands, which are run using psql, can help with showing existing permissions of databases and schemas: \l \dn+ Permissions of concern in this respect include the following, and possibly others: - any database or schema with "C" (create) or "w" (update) privileges that are not necessary If any such permissions exist and are not documented and approved, this is a finding.

Fix: F-25861r495619_fix

Document and obtain approval for any non-administrative users who require the ability to create, alter, or replace logic modules. Implement the approved permissions. Revoke (or deny) any unapproved permissions and remove any unauthorized role memberships. Use the REVOKE SQL command to remove privileges from databases and schemas. For example, to revoke create privileges on a database: REVOKE CREATE ON DATABASE <database_name > FROM <role_name>; To revoke create privileges on a database: REVOKE CREATE ON SCHEMA <schema_name> FROM <role_name>;

b
The EDB Postgres Advanced Server must enforce access restrictions associated with changes to the configuration of the EDB Postgres Advanced Server or database(s).
CM-5 - Medium - CCI-001813 - V-224201 - SV-224201r879753_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
EP11-00-008500
Vuln IDs
  • V-224201
  • V-100423
Rule IDs
  • SV-224201r879753_rule
  • SV-109527
Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals must be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.
Checks: C-25874r495621_chk

Review the security configuration of the EDB Postgres database(s). If EDB Postgres Advanced Server does not enforce access restrictions associated with changes to the configuration of the database(s), this is a finding. - - - - - To assist in conducting reviews of permissions, the following commands, which are run using psql, describe permissions of databases, schemas, and users: \l \dn+ \du Permissions of concern in this respect include the following, and possibly others: - any user with SUPERUSER privileges - any database or schema with "C" (create) or "w" (update) privileges that are not necessary If any users are listed that have SUPERUSER privileges who are not authorized for these privileges, this is a finding. If any user has create or update privileges on a database and schema who is not authorized for these privileges, this is a finding.

Fix: F-25862r495622_fix

Configure EDB Postgres Advanced Server to enforce access restrictions associated with changes to the configuration of the EDB Postgres database(s). Remove superuser rights from unauthorized database users via the ALTER ROLE or ALTER USER SQL command. The syntax is: ALTER ROLE <role> NOSUPERUSER or ALTER USER <user> NOSUPERUSER Example: ALTER ROLE testuser NOSUPERUSER; OR ALTER USER testuser NOSUPERUSER; Use the REVOKE SQL command to remove privileges from databases and schemas. For example: REVOKE ALL PRIVILEGES ON <table> FROM <role_name>;

b
The EDB Postgres Advanced Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.
CM-7 - Medium - CCI-001762 - V-224203 - SV-224203r879756_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001762
Version
EP11-00-008700
Vuln IDs
  • V-224203
  • V-100427
Rule IDs
  • SV-224203r879756_rule
  • SV-109531
Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats. A database cluster listens on a single port (usually 5444 for Postgres Plus Advanced Server). The Postgres Enterprise Manager (PEM) agents do not listen on ports, they only act as clients to the PEM server. The PEM server has two components (a repository which is a Postgres database) and an Apache HTTPD application. The Apache HTTPD application listens on a port configured in Apache, generally 8080 or 8443. The ports to check are: 1) The primary Postgres cluster port, 2) If PEM is in use, the PEM Apache HTTPD port, and 3) The PEM Repository DB port. Generally 2 and 3 should be installed on an isolated management machine without access from anyone other than administrators.
Checks: C-25876r495627_chk

Review the network functions, ports, protocols, and services supported by the DBMS. If any protocol is prohibited by the PPSM guidance and is enabled, this is a finding. Open the pg_hba.conf file in an editor and verify that none of the uncommented rows have a TYPE of "host" or "hostnossl". Note that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d &lt;database name&gt; -U &lt;database superuser name&gt; -c "SHOW hba_file" where, &lt;database name&gt; is any database in the EDB postgres instance and &lt;database superuser name&gt; is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). If any rows in the pg_hba.conf file have a TYPE that is "host" or "hostnossl" and not documented as approved in the system security documentation, this is a finding. Execute the following SQL as enterprisedb: SHOW port; If the displayed port is not allowed, this is a finding.

Fix: F-25864r495628_fix

Disable each prohibited network function, port, protocol, or service prohibited by the PPSM guidance. Open the pg_hba.conf file in an editor and change the TYPE of any rows not starting with a "#" to be "hostssl". The METHOD for the hostssl rows should be one of these (in preferred order): cert, sspi, ldap, scram-sha-256 Note that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt: psql -d <database name> -U <database superuser name> -c "SHOW hba_file" where, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS). Execute the following SQL as enterprisedb: ALTER SYSTEM SET port = <port>; Restart the database service. For EDB Postgres Advanced Server, the default service name for an instance will be "edb-as-<version>" with a default display name of "edb-as-<version> - Advanced Server <version>", where "<version>" is the major version number of the EDB Postgres Advanced Server that is installed: To restart the database service, using the Windows Services Control Manager: 1. Open the Windows Services Control Manager. 2. Select the database service from the list of services, right-click it, and select "Restart". Alternatively, the database can be restarted via the Windows command line using either the NET or SC command as follows: NET STOP <service name> NET START <service name> or SC STOP <service name> SC START <service name> In the above commands, replace <service name> with the actual service name corresponding to the EDB Postgres instance. Note that if pgAgent is installed and running, the corresponding pgAgent service is dependent on the EDB Postgres database service and must first be stopped to restart the database service. After restarting the database service, the pgAgent service may be started again.

b
The EDB Postgres Advanced Server must require users to re-authenticate when organization-defined circumstances or situations require re-authentication.
IA-11 - Medium - CCI-002038 - V-224204 - SV-224204r879762_rule
RMF Control
IA-11
Severity
Medium
CCI
CCI-002038
Version
EP11-00-008800
Vuln IDs
  • V-224204
  • V-100429
Rule IDs
  • SV-224204r879762_rule
  • SV-109533
The DoD standard for authentication of an interactive user is the presentation of a Common Access Card (CAC) or other physical token bearing a valid, current, DoD-issued Public Key Infrastructure (PKI) certificate, coupled with a Personal Identification Number (PIN) to be entered by the user at the beginning of each session and whenever re-authentication is required. Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user re-authenticate. In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances: (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) When the execution of privileged functions occurs; (v) After a fixed period of time; or (vi) Periodically. Within the DoD, the minimum circumstances requiring re-authentication are privilege escalation and role changes.
Checks: C-25877r495630_chk

Determine all situations where a user must re-authenticate. Check if the mechanisms that handle such situations use the following SQL: To make a single user re-authenticate, the following must be present: SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user='&lt;username&gt;' To make all users re-authenticate, run the following: SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%' If the provided SQL does not force re-authentication, this is a finding.

Fix: F-25865r495631_fix

Determine the organization-defined circumstances or situations that require re-authentication and ensure the following SQL is executed in those situations. To require a single user to re-authenticate, use this SQL: SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user = '<username>'; To require all users to re-authenticate, use this SQL: SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%';

b
The EDB Postgres Advanced Server must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
SC-23 - Medium - CCI-002470 - V-224205 - SV-224205r879798_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
EP11-00-009100
Vuln IDs
  • V-224205
  • V-100431
Rule IDs
  • SV-224205r879798_rule
  • SV-109535
Only DoD-approved external PKIs evaluated to ensure security controls and identity vetting procedures are in place that are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users. The authoritative list of DoD-approved PKIs is published at https://cyber.mil/pki-pke/interoperability/. This requirement focuses on communications protection for the DBMS session rather than for the network packet.
Checks: C-25878r495633_chk

In a Windows CMD prompt, run this command: CertUtil &lt;postgresql data directory&gt;\server.crt If the "Issuer" that is printed out is not a DoD entity, this is a finding.

Fix: F-25866r495634_fix

Contact your program security office to request DoD issued certificates: root.crt (CA Certificate) server.crt server.key

b
The EDB Postgres Advanced Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.
SC-28 - Medium - CCI-002475 - V-224206 - SV-224206r879799_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-002475
Version
EP11-00-009200
Vuln IDs
  • V-224206
  • V-100433
Rule IDs
  • SV-224206r879799_rule
  • SV-109537
DBMSs handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.
Checks: C-25879r495636_chk

If the application owner and Authorizing Official have determined that encryption of data at rest is not required, this is not a finding. Right-click on &lt;postgresql data directory&gt;, select properties, then select the General tab and the Advanced button. If the "Encrypt contents to secure data" check box is not checked, this is a finding.

Fix: F-25867r495637_fix

Do these steps as the Windows user that is the database administrators (default is enterprisedb), if done as a different user, the Windows database administration user will be unable to view this folder and therefore unable to start the database: Right-click on <postgresql data directory>, select properties, then select the General tab and the Advanced button. Select option to apply to subfolders and files when prompted.

b
The EDB Postgres Advanced Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.
SC-28 - Medium - CCI-002476 - V-224207 - SV-224207r879800_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-002476
Version
EP11-00-009300
Vuln IDs
  • V-224207
  • V-100435
Rule IDs
  • SV-224207r879800_rule
  • SV-109539
DBMSs handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). The decision whether and what to encrypt rests with the data owner and is influenced by the physical measures taken to secure the equipment and media on which the information resides.
Checks: C-25880r495638_chk

If the application owner and Authorizing Official have determined that encryption of data at rest is not required, this is not a finding. Right-click on &lt;postgresql data directory&gt;, select properties, then select the General tab and the Advanced button. If the "Encrypt contents to secure data" check box is not checked, this is a finding.

Fix: F-25868r495639_fix

Do these steps as the Windows user that is the database administrators (default is enterprisedb). If done as a different user, the Windows database administration user will be unable to view this folder and therefore unable to start the database: Right-click on <postgresql data directory>, select properties, then select the General tab and the Advanced button. Select option to apply to subfolders and files when prompted.

b
The EDB Postgres Advanced Server must maintain the confidentiality and integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-224208 - SV-224208r879812_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002420
Version
EP11-00-009500
Vuln IDs
  • V-224208
  • V-100437
Rule IDs
  • SV-224208r879812_rule
  • SV-109541
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms. EDB Postgres Advanced Server provides native support for using SSL connections to encrypt client/server communications. To enable the use of SSL, the postgres “ssl” configuration parameter must be set to “on” and the database instance needs to be configured to use a valid server certificate and private key installed on the server. With SSL enabled, connections made to the database server will default to being encrypted. However, it is possible for clients to override the default and attempt to establish an unencrypted connection. To prevent connections made from non-local hosts from being unencrypted, the postgres host-based authentication settings should be configured to only allow hostssl (i.e., encrypted) connections. The hostssl connections can be further configured to require the client present a valid (trusted) SSL certificate for a connection.
Checks: C-25881r850497_chk

If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding. First, check if SSL is enabled for the database instance by connecting to the database as a database superuser using psql and executing the following command: SHOW ssl; If the result is not "on", this is a finding. Next, review the host based authentication settings by connecting to the database as a database superuser using psql and executing the following command: SELECT * FROM pg_hba_file_rules; Alternatively, open the pg_hba.conf file in a viewer or editor and review the authentication settings that are configured in that file. Note the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found by connecting to the database as a database superuser using psql and executing the following command: SHOW hba_file; If any uncommented lines are not of TYPE "hostssl" and do not include the "clientcert=1" authentication option and are not documented in the system security plan or equivalent document as being approved, this is a finding.

Fix: F-25869r850498_fix

To configure EDB Postgres Advanced Server to use SSL, open the ”postgresql.conf" file in an editor. Note the default location for the postgresql.conf file is in the postgresql data directory. The location of the postgresql.conf for a running EDB Postgres instance can be found by connecting to the database as a database superuser using psql and executing the following command: SHOW config_file; In the postgresql.conf file, set the “ssl” parameter as follows: ssl = on Make sure the parameter is uncommented. In order to start an EDB Postgres Advance Server instance in SSL mode, files containing the server certificate and private key must exist. By default, these files are expected to exist in the Postgres data directory and are expected to be named server.crt and server.key, respectively. Update the ssl_cert_file and ssl_cert_key parameters in the postgresql.conf file if the files are placed in a different location or are named differently. Note that changes to the ssl parameter setting and any of the other ssl related parameters require a reload of the database server configuration to put the changes into effect. To reload the database server configuration, connect to the database as a database superuser using psql and execute the following command: SELECT pg_reload_conf(); After verifying that SSL is enabled for the database, open the pg_hba.conf file in an editor to configure the host-based authentication settings. Note the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found by connecting to the database as a database superuser using psql and execute the following command: SHOW hba_file; Obtain approval and document any uncommented entries with corresponding justification that are not of type hostssl and do not include the “clientcert=1” option. For any entries that are not of type hostssl authentication with the “clientcert=1” option and not documented and approved, change the "TYPE" column to “hostssl” and add the “clientcert=1” authentication method option. Note on Microsoft Windows systems, changes to the host-based authentication settings in the pg_hba.conf file are immediately applied by subsequent new connections. For more information on configuring PostgreSQL to use SSL, consult the following documentation: https://www.postgresql.org/docs/current/ssl-tcp.html For more information on configuring the postgresql pg_hba.conf file, consult the following documentation: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html

b
The EDB Postgres Advanced Server must maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-224209 - SV-224209r879813_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002422
Version
EP11-00-009600
Vuln IDs
  • V-224209
  • V-100439
Rule IDs
  • SV-224209r879813_rule
  • SV-109543
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. This requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When receiving data, the DBMS, associated applications, and infrastructure must leverage protection mechanisms. EDB Postgres Advanced Server provides native support for using SSL connections to encrypt client/server communications. To enable the use of SSL, the postgres “ssl” configuration parameter must be set to “on” and the database instance needs to be configured to use a valid server certificate and private key installed on the server. With SSL enabled, connections made to the database server will default to being encrypted. However, it is possible for clients to override the default and attempt to establish an unencrypted connection. To prevent connections made from non-local hosts from being unencrypted, the postgres host-based authentication settings should be configured to only allow hostssl (i.e., encrypted) connections. The hostssl connections can be further configured to require the client present a valid (trusted) SSL certificate for a connection.
Checks: C-25882r850500_chk

If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding. First, check if ssl is enabled for the database instance, connect to the database as a database superuser using psql and executing the following command: SHOW ssl; If the result is not "on", this is a finding. Next, review the host based authentication settings by connecting to the database as a database superuser using psql and executing the following command: SELECT * FROM pg_hba_file_rules; Alternatively, open the pg_hba.conf file in a viewer or editor and review the authentication settings that are configured in that file. Note the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found by connecting to the database as a database superuser using psql and executing the following command: SHOW hba_file; If any uncommented lines are not of TYPE "hostssl" and do not include the "clientcert=1" authentication option and are not documented in the system security plan or equivalent document as being approved, this is a finding.

Fix: F-25870r850501_fix

To configure EDB Postgres Advanced Server to use SSL, open the ”postgresql.conf" file in an editor. Note the default location for the postgresql.conf file is in the postgresql data directory. The location of the postgresql.conf for a running EDB Postgres instance can be found by connecting to the database as a database superuser using psql and executing the following command: SHOW config_file; In the postgresql.conf file, set the “ssl” parameter as follows: ssl = on Make sure the parameter is uncommented. In order to start an EDB Postgres Advanced Server instance in SSL mode, files containing the server certificate and private key must exist. By default, these files are expected to exist in the Postgres data directory and are expected to be named server.crt and server.key, respectively. Update the ssl_cert_file and ssl_cert_key parameters in the postgresql.conf file if the files are placed in a different location or are named differently. Note changes to the ssl parameter setting and any of the other ssl related parameters require a reload of the database server configuration to put the changes into effect. To reload the database server configuration, connect to the database as a database superuser using psql and execute the following command: SELECT pg_reload_conf(); After verifying SSL is enabled for the database, open the pg_hba.conf file in an editor to configure the host-based authentication settings. Note the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running EDB postgres instance can be found by connecting to the database as a database superuser using psql and execute the following command: SHOW hba_file; Obtain approval and document any uncommented entries with corresponding justification that are not of type hostssl and do not include the “clientcert=1” option. For any entries that are not of type hostssl authentication with the “clientcert=1” option and not documented and approved, change the "TYPE" column to “hostssl” and add the “clientcert=1” authentication method option. Note that on Microsoft Windows systems, changes to the host-based authentication settings in the pg_hba.conf file are immediately applied by subsequent new connections. For more information on configuring PostgreSQL to use SSL, consult the following documentation: https://www.postgresql.org/docs/current/ssl-tcp.html For more information on configuring the postgresql pg_hba.conf file, consult the following documentation: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html

b
When invalid inputs are received, the EDB Postgres Advanced Server must behave in a predictable and documented manner that reflects organizational and system objectives.
SI-10 - Medium - CCI-002754 - V-224210 - SV-224210r879818_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-002754
Version
EP11-00-009700
Vuln IDs
  • V-224210
  • V-100441
Rule IDs
  • SV-224210r879818_rule
  • SV-109545
A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state. The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input. This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.
Checks: C-25883r495647_chk

Review system documentation to determine how input errors are to be handled in general and if any special handling is defined for specific circumstances. Review the source code for database program objects (stored procedures, functions, triggers) and application source code to identify how the system responds to invalid input. If it does not implement the documented behavior, this is a finding. Verify that EDB auditing is enabled. Execute the following SQL as enterprisedb: SHOW edb_audit; If the result is not "csv" or "xml", this is a finding. Verify that EDB Audit is logging errors at a minimum, and unless otherwise documented and approved, also logging DDL and DML actions performed on the EDB Postgres Advanced Server database. Execute the following SQL as enterprisedb: SHOW edb_audit_statement; If the result is "all", this is not a finding. Otherwise, if the result is not at least "error,ddl,dml" and if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding. If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from unexpected or unauthorized actions performed on database tables, verify that it has been configured according to documented organizational needs. 1) Execute the following SQL as enterprisedb: SELECT name, setting FROM pg_settings WHERE name LIKE 'edb\_sql\_protect.%' ESCAPE '\'; If the results of the above query show that the edb_sql_protect.enabled parameter is set to 'off' or if the edb_sql_protect.level is not set to an approved value, this is a finding. 2) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb: \dn If the "sqlprotect" schema is not listed, this is a finding. 3) In all the databases that are to be monitored with EDB SQL/Protect, execute the following SQL as enterprisedb: SELECT * FROM sqlprotect.list_protected_users; If the database and user that handles user input is not listed or the remaining settings are not set to approved values, this is a finding.

Fix: F-25871r495648_fix

Revise and deploy the source code for database program objects (stored procedures, functions, triggers) and application source code, to implement the documented behavior. To enable EDB Auditing, execute the following SQL statements as the enterprisedb user: ALTER SYSTEM SET edb_audit = csv; SELECT pg_reload_conf(); or ALTER SYSTEM SET edb_audit = xml; SELECT pg_reload_conf(); To configure the edb_audit_statement parameter, execute the following SQL statements as the enterprisedb user: ALTER SYSTEM SET edb_audit_statement = 'all'; SELECT pg_reload_conf(); or Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement. If EDB SQL/Protect is being used to monitor and protect the EDB Postgres Advanced Server database from unexpected or unauthorized actions performed on database tables, install and configure SQL/Protect as documented in section "Protecting Against SQL Injection Attacks" in the EDB Postgres Advanced Server Guide available at the following link: https://www.enterprisedb.com/edb-docs/p/edb-postgres-advanced-server

b
Security-relevant software updates to the EDB Postgres Advanced Server must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
SI-2 - Medium - CCI-002605 - V-224211 - SV-224211r879827_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002605
Version
EP11-00-009900
Vuln IDs
  • V-224211
  • V-100443
Rule IDs
  • SV-224211r879827_rule
  • SV-109547
Security flaws with software applications, including database management systems, are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means the time period utilized must be a configurable parameter. Timeframes for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Checks: C-25884r495650_chk

Obtain evidence that software patches are obtained from EnterpriseDB and are consistently applied to the DBMS within the timeframe defined for each patch. If such evidence cannot be obtained, or the evidence that is obtained indicates a pattern of noncompliance, this is a finding. To check which version of EDB Postgres Advanced Server is installed, execute the following SQL statement: SELECT version(); If the version returned by the above query is at a lower version level than required, this is a finding. If an administrator is not registered on the EDB Support Portal with an email address for monitoring technical alerts, this is a finding.

Fix: F-25872r495651_fix

Institute and adhere to policies and procedures to ensure that patches are consistently obtained from EnterpriseDB and applied to the DBMS within the time allowed. Ensure that a monitored email address is registered as a user on the EDB support portal and is receiving technical alerts.

b
The EDB Postgres Advanced Server must generate audit records when successful/unsuccessful logons, connections, or connection attempts occur.
AU-12 - Medium - CCI-000172 - V-224232 - SV-224232r879874_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
EP11-00-011800
Vuln IDs
  • V-224232
  • V-100485
Rule IDs
  • SV-224232r879874_rule
  • SV-109589
For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to the DBMS. It is also necessary to track failed attempts to log on to the DBMS. While positive identification may not be possible in a case of failed authentication, as much information as possible about the incident must be captured. Satisfies: SRG-APP-000503-DB-000350,SRG-APP-000503-DB-000351
Checks: C-25905r495713_chk

Execute the following SQL as enterprisedb: SHOW edb_audit_connect; If the result is not "all" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.

Fix: F-25893r495714_fix

Execute the following SQL as enterprisedb: ALTER SYSTEM SET edb_audit_connect = 'all'; SELECT pg_reload_conf(); or Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.

b
The EDB Postgres Advanced Server must generate audit records showing starting and ending time for user access to the database(s) and concurrent logons/connections by the same user from different workstations.
AU-12 - Medium - CCI-000172 - V-224235 - SV-224235r879876_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
EP11-00-012200
Vuln IDs
  • V-224235
  • V-100493
Rule IDs
  • SV-224235r879876_rule
  • SV-109597
For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to the DBMS lasts. This can be achieved by recording disconnections, in addition to logons/connections, in the audit logs. Disconnection may be initiated by the user or forced by the system (as in a timeout) or result from a system or network failure. To the greatest extent possible, all disconnections must be logged. Concurrent connections by the same user from multiple workstations may be valid use of the system; or such connections may be due to improper circumvention of the requirement to use the CAC for authentication; or they may indicate unauthorized account sharing; or they may be because an account has been compromised. (If the fact of multiple, concurrent logons by a given user can be reliably reconstructed from the log entries for other events [logons/connections; voluntary and involuntary disconnections], then it is not mandatory to create additional log entries specifically for this.) Satisfies: SRG-APP-000505-DB-000352,SRG-APP-000506-DB-000353
Checks: C-25908r495722_chk

Execute the following SQL as enterprisedb: SHOW edb_audit_connect; If the result is not "all" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding. Execute the following SQL as enterprisedb: SHOW edb_audit_disconnect; If the result is not "all" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.

Fix: F-25896r495723_fix

Execute the following SQL as enterprisedb: ALTER SYSTEM SET edb_audit_connect = 'all'; ALTER SYSTEM SET edb_audit_disconnect = 'all'; SELECT pg_reload_conf(); or Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.

b
The EDB Postgres Advanced Server must generate audit records for all direct access to the database(s).
AU-12 - Medium - CCI-000172 - V-224238 - SV-224238r879879_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
EP11-00-012600
Vuln IDs
  • V-224238
  • V-100501
Rule IDs
  • SV-224238r879879_rule
  • SV-109605
In this context, direct access is any query, command, or call to the DBMS that comes from any source other than the application(s) that it supports. Examples would be the command line or a database management utility program. The intent is to capture all activity from administrative and non-standard sources.
Checks: C-25911r495731_chk

Execute the following SQL as enterprisedb: SHOW edb_audit_statement; SHOW edb_audit_connect; SHOW edb_audit_disconnect; If the result is not "all" for any or if the current settings for this requirement have not been noted and approved by the organization in the system documentation, this is a finding.

Fix: F-25899r495732_fix

Execute the following SQL as enterprisedb: ALTER SYSTEM SET edb_audit_statement = 'all'; ALTER SYSTEM SET edb_audit_connect = 'all'; ALTER SYSTEM SET edb_audit_disconnect = 'all'; SELECT pg_reload_conf(); or Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.

b
The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
SC-13 - Medium - CCI-002450 - V-224239 - SV-224239r879885_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
EP11-00-012700
Vuln IDs
  • V-224239
  • V-100503
Rule IDs
  • SV-224239r879885_rule
  • SV-109607
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance of testing and validation. For detailed information, refer to NIST FIPS Publication 140-3, Security Requirements For Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.
Checks: C-25912r495734_chk

If any uncommented lines in &lt;postgresql data dir&gt;\pg_hba.conf do not start with "hostssl", this is a finding. The "ssleay32_dll" and "libeay32.dll" files in &lt;EDB Postgres Advanced Server Home&gt;\bin should be FIPS 140-2 compliant DLLs from EnterpriseDB. These are included in EDB Postgres Advanced Server v11 update 6 (i.e., 11.6) and greater. If the installed EDB v11 is not update 11.6 or greater, this is a finding. If C:\usr\local\ssl\openssl.cnf does not exist with these contents, or if an System Environment variable called OPENSSL_CONF pointing to a file with these contents has not been created, this is a finding: HOME = . RANDFILE = $ENV::HOME/.rnd openssl_conf=openssl_conf_section [openssl_conf_section] alg_section=evp_settings [evp_settings] fips_mode=yes

Fix: F-25900r495735_fix

Edit <postgresql data dir>\pg_hba.conf so that each uncommented line starts with "hostssl". If the EDB Postgres Advanced Server minor version is less than version 11.6, install the 11.6 update or later version or contact EnterpriseDB to obtain a copy of the FIPS 140-2 compliant versions of the "ssleay32.dll" and "libeay32.dll" files and replace the "ssleay32.dll" and "libeay32.dll" files in <EDB Postgres Advanced Server Home>\bin with FIPS 140-2 compliant DLLs from EnterpriseDB. If the EDB Postgres Advanced Server minor version is 11.6 or greater, the FIPS 140-2 compliant versions of these DLLs are installed by default and do not need to be replaced. Create C:\usr\local\ssl\openssl.cnf or another file referenced by a System Environment variable called OPENSSL_CONF with these contents: HOME = . RANDFILE = $ENV::HOME/.rnd openssl_conf=openssl_conf_section [openssl_conf_section] alg_section=evp_settings [evp_settings] fips_mode=yes Restart the Postgres server via the Services administration GUI.

b
The EDB Postgres Advanced Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
AU-4 - Medium - CCI-001851 - V-224240 - SV-224240r879886_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
EP11-00-013000
Vuln IDs
  • V-224240
  • V-100509
Rule IDs
  • SV-224240r879886_rule
  • SV-109613
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. The DBMS may write audit records to database tables, to files in the file system, to other kinds of local repositories, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.
Checks: C-25913r495737_chk

If Postgres Enterprise Manager (PEM) or another log collection tool is not installed and configured to automatically collect audit logs or if or a process for off-loading audit logs to a centralized system is not in place, this is a finding. Review the system documentation for a description of how audit records are off-loaded and how local audit log space is managed.

Fix: F-25901r495738_fix

Install a centralized log-collecting tool and configure it as instructed in its documentation. If using PEM, find the instructions for configuring the centralized audit manager at: https://www.enterprisedb.com/docs/en/7.0/pemgetstarted/toc.html

b
The EDB Postgres Advanced Server must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
CM-6 - Medium - CCI-000366 - V-224241 - SV-224241r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
EP11-00-013100
Vuln IDs
  • V-224241
  • V-100511
Rule IDs
  • SV-224241r879887_rule
  • SV-109615
Configuring the DBMS to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. In addition to this SRG, sources of guidance on security and information assurance exist. These include NSA configuration guides, CTOs, DTMs, and IAVMs. The DBMS must be configured in compliance with guidance from all such relevant sources.
Checks: C-25914r495740_chk

Review the DBMS documentation and configuration to determine if the DBMS is configured in accordance with DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs and IAVMs. If the DBMS is not configured in accordance with security configuration settings, this is a finding.

Fix: F-25902r495741_fix

Configure EDB Postgres Advanced Server in accordance with DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, and IAVMs.

c
The EDB Postgres Advanced Server must be configured on a platform that has a NIST certified FIPS 140-2 or 140-3 installation of OpenSSL.
IA-7 - High - CCI-000803 - V-224242 - SV-224242r879616_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
EP11-00-013200
Vuln IDs
  • V-224242
  • V-100513
Rule IDs
  • SV-224242r879616_rule
  • SV-109617
Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated cryptographic modules may not implement algorithms correctly. Unapproved cryptographic modules or algorithms should not be relied on for authentication, confidentiality or integrity. Weak cryptography could allow an attacker to gain access to and modify data stored in the database as well as the administration settings of the DBMS. Applications, including DBMSs, utilizing cryptography are required to use approved NIST FIPS 140-2 or 140-3 validated cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. The standard for validating cryptographic modules will transition to the NIST FIPS 140-3 publication. FIPS 140-2 modules can remain active for up to 5 years after validation or until September 21, 2026, when the FIPS 140-2 validations will be moved to the historical list. Even on the historical list, CMVP supports the purchase and use of these modules for existing systems. While Federal Agencies decide when they move to FIPS 140-3 only modules, purchasers are reminded that for several years there may be a limited selection of FIPS 140-3 modules from which to choose. CMVP recommends purchasers consider all modules that appear on the Validated Modules Search Page: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules More information on the FIPS 140-3 transition can be found here: https://csrc.nist.gov/Projects/fips-140-3-transition-effort/ When the EDB FIPS 140 certified cryptographic modules are configured properly, an EDB Postgres Advanced Server will fail to start if non-FIPS 140 ciphers are specified for the Postgres ssl_ciphers parameter. To test whether the FIPS 140 compliant configuration is working, temporarily set the "ssl_ciphers" parameter in the postgresql.conf file to 'RC4-SHA' and then attempt to restart the database service. Since "RC4-SHA" is not a FIPS 140 approved cipher, the database will fail to start. Using the Event Viewer in Windows, a "FATAL: could not set the cipher list (no valid ciphers available)" error will be found under "Event Viewer (Local) >> Windows Logs >> Application". Satisfies: SRG-APP-000179-DB-000114,SRG-APP-000514-DB-000382,SRG-APP-000514-DB-000383
Checks: C-25915r836883_chk

If any uncommented lines in &lt;postgresql data dir&gt;\pg_hba.conf do not start with "hostssl", this is a finding. The "ssleay32_dll" and "libeay32.dll" files in &lt;EDB Postgres Advanced Server Home&gt;\bin should be FIPS 140-2 or 140-3 compliant DLLs from EnterpriseDB. These are included in EDB Postgres Advanced Server v11 update 6 (i.e., 11.6) and greater. If the installed EDB v11 is not update 11.6 or greater, this is a finding. If C:\usr\local\ssl\openssl.cnf does not exist with these contents, or if an System Environment variable called OPENSSL_CONF pointing to a file with these contents has not been created, this is a finding: HOME = . RANDFILE = $ENV::HOME/.rnd openssl_conf=openssl_conf_section [openssl_conf_section] alg_section=evp_settings [evp_settings] fips_mode=yes

Fix: F-25903r836884_fix

Edit <postgresql data dir>\pg_hba.conf so that each uncommented line starts with "hostssl" If the EDB Postgres Advanced Server minor version is less than version 11.6, install the 11.6 update or later version or contact EnterpriseDB to obtain a copy of the FIPS 140 compliant versions of the "ssleay32.dll" and "libeay32.dll" files and replace the "ssleay32.dll" and "libeay32.dll" files in <EDB Postgres Advanced Server Home>\bin with FIPS 140 compliant DLLs from EnterpriseDB. If the EDB Postgres Advanced Server minor version is 11.6 or greater, the FIPS 140 compliant versions of these DLLs are installed by default and do not need to be replaced. Create C:\usr\local\ssl\openssl.cnf or another file referenced by a System Environment variable called OPENSSL_CONF with these contents: HOME = . RANDFILE = $ENV::HOME/.rnd openssl_conf=openssl_conf_section [openssl_conf_section] alg_section=evp_settings [evp_settings] fips_mode=yes Restart the Postgres server via the Services administration GUI.

c
EDB Postgres Advanced Server v11 products must be a version supported by the vendor.
SA-22 - High - CCI-003376 - V-259795 - SV-259795r947231_rule
RMF Control
SA-22
Severity
High
CCI
CCI-003376
Version
EP11-00-013300
Vuln IDs
  • V-259795
Rule IDs
  • SV-259795r947231_rule
Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.
Checks: C-54617r947230_chk

Review the system documentation and interview the database administrator. Identify all database software components. Review the current version and release information; execute the following SQL as enterprisedb: SHOW SERVER_VERSION; --OR-- Using pgAdmin, once connected to the database, left click the "servers" tree to expand it. Left-click on "PostgreSQL" under the "Servers" tree and then click on the "Properties" tab. The Properties tab will have the currently installed Postgres version. Access the EDB website to validate that the version is currently supported: https://www.enterprisedb.com/resources/platform-compatibility If the DBMS or any of the software components are not supported by the vendor, this is a finding.

Fix: F-54571r947223_fix

Remove or decommission all unsupported software products. Upgrade unsupported DBMS or unsupported components to a supported version of the product.