CM-5: Access Restrictions For Change
Generated
2019-04-12 13:01:48.067729
Status
Statements
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
STIG
| STIG # | Description | Result |
|---|---|---|
| V-72853 | Privileges to change PostgreSQL software modules must be limited. | passed |
| V-72855 | PostgreSQL must limit privileges to change functions and triggers, and links to software external to PostgreSQL. | failed |
| V-72865 | The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (functions, trigger procedures, links to software external to PostgreSQL, etc.) must be restricted to authorized users. | failed |
| V-72897 | Database objects (including but not limited to tables, indexes, storage, trigger procedures, functions, links to software external to PostgreSQL, etc.) must be owned by database/DBMS principals authorized for ownership. | failed |
| V-72899 | The PostgreSQL software installation account must be restricted to authorized users. | skipped |
| V-72901 | Database software, including PostgreSQL configuration files, must be stored in dedicated directories separate from the host OS and other applications. | passed |
| V-72913 | PostgreSQL must produce audit records of its enforcement of access restrictions associated with changes to the configuration of PostgreSQL or database(s). | failed |
| V-73017 | PostgreSQL must enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s). | passed |
Additional Guidance
Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).