CM-5: Access Restrictions For Change

Generated

2019-05-20 15:48:11.984914

Status

Passed

Statements

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

STIG

| STIG # | Description | Result |
|---|---|---|
| V-72853 | Privileges to change PostgreSQL software modules must be limited. | passed |
| V-72855 | PostgreSQL must limit privileges to change functions and triggers, and links to software external to PostgreSQL. | passed |
| V-72865 | The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (functions, trigger procedures, links to software external to PostgreSQL, etc.) must be restricted to authorized users. | passed |
| V-72897 | Database objects (including but not limited to tables, indexes, storage, trigger procedures, functions, links to software external to PostgreSQL, etc.) must be owned by database/DBMS principals authorized for ownership. | passed |
| V-72899 | The PostgreSQL software installation account must be restricted to authorized users. | skipped |
| V-72901 | Database software, including PostgreSQL configuration files, must be stored in dedicated directories separate from the host OS and other applications. | passed |
| V-72913 | PostgreSQL must produce audit records of its enforcement of access restrictions associated with changes to the configuration of PostgreSQL or database(s). | passed |
| V-73017 | PostgreSQL must enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s). | passed |

Additional Guidance

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).