V-72901

Severity: Medium

Generated: 2019-05-20 15:48:11.984914

Status: Passed

Database software, including PostgreSQL configuration files, must be stored in dedicated directories separate from the host OS and other applications.

NIST 800-53

STIG #   Description                            Result
CM-5     CM-5: Access Restrictions For Change   passed

Guidance

When dealing with change control issues, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit of one application can lead to an exploit of other applications sharing the same security context. For example, an exploit of a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.

Check

Review the PostgreSQL software library directory and any subdirectories. If any non-PostgreSQL software directories exist in that directory, examine or investigate their use. If any of the directories are used by other applications, including third-party applications that use PostgreSQL, this is a finding. Only applications that are required for the functioning and administration, not use, of PostgreSQL should be located in the same disk directory as the PostgreSQL software libraries. If other applications are located in the same directory as PostgreSQL, this is a finding.

Fix

Install all applications on directories separate from the PostgreSQL software library directory. Relocate any directories or reinstall other application software that currently shares the PostgreSQL software library directory.

Test Results

Test                                                                                                   Result

Directory /usr/lib/postgresql/10/bin
  should be directory                                                                                  passed
  should be owned by "root"                                                                            passed
  should be grouped into "root"                                                                        passed
  mode should cmp == "0755"                                                                            passed
Command: `lsof | awk '$9 ~ "/usr/lib/postgresql/10/bin" {print $1}'`
  stdout should match /^$|postgres|postmaster/                                                         passed
  exit_status should cmp == 0                                                                          passed

Directory /usr/lib/postgresql/10/lib
  should be directory                                                                                  passed
  should be owned by "root"                                                                            passed
  should be grouped into "root"                                                                        passed
  mode should cmp == "0755"                                                                            passed
Command: `lsof | awk '$9 ~ "/usr/lib/postgresql/10/lib" {print $1}'`
  stdout should match /^$|postgres|postmaster/                                                         passed
  exit_status should cmp == 0                                                                          passed

Directory /usr/include/postgresql/10
  should be directory                                                                                  passed
  should be owned by "root"                                                                            passed
  should be grouped into "root"                                                                        passed
  mode should cmp == "0755"                                                                            passed
Command: `lsof | awk '$9 ~ "/usr/include/postgresql/10" {print $1}'`
  stdout should match /^$|postgres|postmaster/                                                         passed
  exit_status should cmp == 0                                                                          passed

Directory /usr/share/postgresql/10
  should be directory                                                                                  passed
  should be owned by "root"                                                                            passed
  should be grouped into "root"                                                                        passed
  mode should cmp == "0755"                                                                            passed
Command: `lsof | awk '$9 ~ "/usr/share/postgresql/10" {print $1}'`
  stdout should match /^$|postgres|postmaster/                                                         passed
  exit_status should cmp == 0                                                                          passed

Code

control "V-72901" do
  title "Database software, including PostgreSQL configuration files, must be
  stored in dedicated directories separate from the host OS and other
  applications."
  desc  "When dealing with change control issues, it should be noted, any
  changes to the hardware, software, and/or firmware components of the
  information system and/or application can potentially have significant effects
  on the overall security of the system.
  Multiple applications can provide a cumulative negative effect. A
  vulnerability and subsequent exploit to one application can lead to an exploit
  of other applications sharing the same security context. For example, an
  exploit to a web server process that leads to unauthorized administrative
  access to host system directories can most likely lead to a compromise of all
  applications hosted by the same system. Database software not installed using
  dedicated directories both threatens and is threatened by other hosted
  applications. Access controls defined for one application may by default
  provide access to the other application's database objects or directories. Any
  method that provides any level of separation of security context assists in
  the protection between applications."
  impact 0.5
  tag "severity": "medium"
  tag "gtitle": "SRG-APP-000133-DB-000199"
  tag "gid": "V-72901"
  tag "rid": "SV-87553r1_rule"
  tag "stig_id": "PGS9-00-003300"
  tag "cci": "CCI-001499"
  tag "nist": ["CM-5 (6)", "Rev_4"]
  tag "check": "Review the PostgreSQL software library directory and any
  subdirectories.
  If any non-PostgreSQL software directories exist on the disk directory,
  examine or investigate their use. If any of the directories are used by other
  applications, including third-party applications that use the PostgreSQL, this
  is a finding.
  Only applications that are required for the functioning and administration,
  not use, of the PostgreSQL should be located in the same disk directory as
  the PostgreSQL software libraries.
  If other applications are located in the same directory as PostgreSQL, this
  is a finding."
  tag "fix": "Install all applications on directories separate from the
  PostgreSQL software library directory. Relocate any directories or reinstall
  other application software that currently shares the PostgreSQL software
  library directory."

  # PG_SHARED_LIBS is a profile-level attribute defined outside this control;
  # in the run above it resolved to /usr/lib/postgresql/10/bin,
  # /usr/lib/postgresql/10/lib, /usr/include/postgresql/10 and
  # /usr/share/postgresql/10.
  PG_SHARED_LIBS.each do |dir|
    # Each PostgreSQL library directory must exist, be root-owned and not be
    # group- or world-writable.
    describe directory(dir) do
      it { should be_directory }
      it { should be_owned_by 'root' }
      it { should be_grouped_into 'root' }
      its('mode') { should cmp '0755' }
    end

    # Any process holding files open under the directory must be a PostgreSQL
    # process (or none at all); another application's process name here means
    # the directory is shared and is a finding.
    describe command("lsof | awk '$9 ~ \"#{dir}\" {print $1}'") do
      its('stdout') { should match /^$|postgres|postmaster/ }
      its('exit_status') { should cmp 0 }
    end
  end
end