V-72851

Severity: Medium
Generated: 2019-05-20 15:48:11.984914
Status: Passed

PostgreSQL must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

NIST 800-53

STIG #   Description              Result
SI-11    SI-11: Error Handling    passed

Guidance

Any PostgreSQL or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.

    Databases can inadvertently provide a wealth of information to an
    attacker through improperly handled error messages. In addition to
    sensitive business or personal information, database errors can provide
    host names, IP addresses, user names, and other system information not
    required for troubleshooting but very useful to someone targeting the
    system.

    Carefully consider the structure/content of error messages. The extent
    to which information systems are able to identify and handle error
    conditions is guided by organizational policy and operational
    requirements. Information that could be exploited by adversaries
    includes, for example, logon attempts with passwords entered by mistake
    as the username, mission/business information that can be derived from
    (if not stated explicitly by) information recorded, and personal
    information, such as account numbers, social security numbers, and
    credit card numbers.

Check

As the database administrator, run the following SQL:

SELECT current_setting('client_min_messages');

If client_min_messages is not set to error, this is a finding.

Fix

As the database administrator, edit postgresql.conf:

$ sudo su - postgres
$ vi $PGDATA/postgresql.conf

Change the client_min_messages parameter to be error:

client_min_messages = 'error'

Now reload the server with the new configuration (this only reloads the settings currently in memory and does not cause an interruption):

$ sudo su - postgres

# SYSTEMD SERVER ONLY
$ systemctl reload postgresql-9.5

# INITD SERVER ONLY
$ service postgresql-9.5 reload

Test Results

Test                                                                          Result
PostgreSQL query: SHOW client_min_messages; output should match /^error$/i    passed
PostgreSQL Configuration client_min_messages should match /^error$/i          passed

Code

control "V-72851" do
  title "PostgreSQL must provide non-privileged users with error messages that
        provide information necessary for corrective actions without revealing
        information that could be exploited by adversaries."
  desc  "Any PostgreSQL or associated application providing too much information
        in error messages on the screen or printout risks compromising the data
        and security of the system. The structure and content of error messages
        need to be carefully considered by the organization and development team.

        Databases can inadvertently provide a wealth of information to an
        attacker through improperly handled error messages. In addition to
        sensitive business or personal information, database errors can provide
        host names, IP addresses, user names, and other system information not
        required for troubleshooting but very useful to someone targeting the
        system.

        Carefully consider the structure/content of error messages. The extent
        to which information systems are able to identify and handle error
        conditions is guided by organizational policy and operational
        requirements. Information that could be exploited by adversaries
        includes, for example, logon attempts with passwords entered by mistake
        as the username, mission/business information that can be derived from
        (if not stated explicitly by) information recorded, and personal
        information, such as account numbers, social security numbers, and
        credit card numbers."
  impact 0.5
  tag "severity": "medium"

  tag "gtitle": "SRG-APP-000266-DB-000162"
  tag "gid": "V-72851"
  tag "rid": "SV-87503r1_rule"
  tag "stig_id": "PGS9-00-000600"
  tag "cci": "CCI-001312"
  tag "nist": ["SI-11 a", "Rev_4"]
  tag "check": "As the database administrator, run the following SQL:

  SELECT current_setting('client_min_messages');

  If client_min_messages is *not* set to error, this is a finding."

  tag "fix": "As the database administrator, edit postgresql.conf:

  $ sudo su - postgres
  $ vi $PGDATA/postgresql.conf
  Change the client_min_messages parameter to be error:
  client_min_messages = 'error'

  Now reload the server with the new configuration (this just reloads settings
  currently in memory, will not cause an interruption):

  $ sudo su - postgres
  # SYSTEMD SERVER ONLY
  $ systemctl reload postgresql-9.5

  # INITD SERVER ONLY
  $ service postgresql-9.5 reload"

  # Parsed views of the main postgresql.conf and of any user-defined
  # override file, plus a DBA session for live queries against the server.
  default = postgres_conf(PG_CONF)
  override = postgres_conf(PG_USER_DEFINED_CONF)
  sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)

  # Live check: the effective value reported by the running server.
  describe sql.query('SHOW client_min_messages;', [PG_DB]) do
    its('output') { should match /^error$/i }
  end

  # Configuration check: prefer the override file when it sets the
  # parameter, otherwise fall back to the main configuration file.
  cmm_conf = override.client_min_messages ? override : default
  describe cmm_conf do
    its('client_min_messages') { should match /^error$/i }
  end
end