V-72907

Severity: Medium

Generated

2019-05-20 15:48:11.984914

Status

Passed

When invalid inputs are received, PostgreSQL must behave in a predictable and documented manner that reflects organizational and system objectives.

NIST 800-53

STIG #   Description                            Result
SI-10    SI-10: Information Input Validation    passed

Guidance

A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state. The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input.

Check

As the database administrator (shown here as "postgres"), make a small SQL syntax error in psql by running the following:

$ sudo su - postgres
$ psql -c "CREAT TABLEincorrect_syntax(id INT)"
ERROR: syntax error at or near "CREAT"

Now, as the database administrator (shown here as "postgres"), verify the syntax error was logged (change the log file name and path to suit the circumstances):

$ sudo su - postgres
$ cat ~/9.5/data/pg_log/postgresql-Wed.log
2016-03-30 16:18:10.772 EDT postgres postgres 5706bb87.90dERROR: syntax error at or near "CRT" at character 1
2016-03-30 16:18:10.772 EDT postgres postgres 5706bb87.90dSTATEMENT: CRT TABLE incorrect_syntax(id INT);

Review system documentation to determine how input errors from the application to PostgreSQL are to be handled in general and whether any special handling is defined for specific circumstances. If the system does not implement the documented behavior, this is a finding.

Fix

Enable logging. To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging. All errors and denials are logged if logging is enabled.

Test Results

Test                                                                                     Result

PostgreSQL query with errors: CREAT TABLEincorrect_syntax(id INT); output should match /ERROR:\s+syntax error at or near "CREAT"/
    passed

Command: `sed -nre '/2019-05-16 08:11.*LOG:\s+starting tests for V-72907/,$p' /var/vcap/sys/log/postgresql/Thu.pg_log` stdout should match /ERROR:\s+syntax error at or near "CREAT"/
    passed

Command: `sed -nre '/2019-05-16 08:11.*LOG:\s+starting tests for V-72907/,$p' /var/vcap/sys/log/postgresql/Thu.pg_log` stdout should match /STATEMENT:\s+CREAT\ TABLEincorrect_syntax\(id\ INT\);/
    passed

Code

control "V-72907" do
  title "When invalid inputs are received, PostgreSQL must behave in a
  predictable and documented manner that reflects organizational and system
  objectives."
  desc  "A common vulnerability is unplanned behavior when invalid inputs are
  received. This requirement guards against adverse or unintended system
  behavior caused by invalid inputs, where information system responses to the
  invalid input may be disruptive or cause the system to fail into an unsafe
  state.
  The behavior will be derived from the organizational and system requirements
  and includes, but is not limited to, notification of the appropriate
  personnel, creating an audit record, and rejecting invalid input."
  impact 0.5
  tag "severity": "medium"
  tag "gtitle": "SRG-APP-000447-DB-000393"
  tag "gid": "V-72907"
  tag "rid": "SV-87559r1_rule"
  tag "stig_id": "PGS9-00-003700"
  tag "cci": "CCI-002754"
  tag "nist": ["SI-10 (3)", "Rev_4"]
  tag "check": "As the database administrator (shown here as \"postgres\"), make
  a small SQL syntax error in psql by running the following:
  $ sudo su - postgres
  $ psql -c \"CREAT TABLEincorrect_syntax(id INT)\"
  ERROR: syntax error at or near \"CREAT\"
  Now, as the database administrator (shown here as \"postgres\"), verify the
  syntax error was logged (change the log file name and path to suit the
  circumstances):
  $ sudo su - postgres
  $ cat ~/9.5/data/pg_log/postgresql-Wed.log
  2016-03-30 16:18:10.772 EDT postgres postgres 5706bb87.90dERROR: syntax error
  at or near \"CRT\" at character 1
  2016-03-30 16:18:10.772 EDT postgres postgres 5706bb87.90dSTATEMENT: CRT TABLE
  incorrect_syntax(id INT);
  Review system documentation to determine how input errors from application to
  PostgreSQL are to be handled in general and if any special handling is defined
  for specific circumstances.
  If it does not implement the documented behavior, this is a finding."
  tag "fix": "Enable logging.
  To ensure that logging is enabled, review supplementary content APPENDIX-C for
  instructions on enabling logging.
  All errors and denials are logged if logging is enabled."

  # Open a DBA session and locate the newest PostgreSQL log file.
  sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)
  log_directory_query = sql.query('SHOW log_directory;', [PG_DB])
  log_directory = log_directory_query.output
  current_log_command = "ls -1t #{log_directory}/*.pg_log | head -1"
  current_log = command(current_log_command).stdout.strip

  # Write a timestamped marker to the log so that only entries produced after
  # this control started are examined.
  control = File.basename(__FILE__, File.extname(__FILE__))
  message = "starting tests for #{control}"
  message_sql = "DO language plpgsql $$ BEGIN "\
    "RAISE LOG '#{message}'; END $$;"
  start = Time.now.strftime('%Y-%m-%d %H:%M')
  get_logs = "sed -nre '/#{start}.*LOG:\\s+#{message}/,$p' #{current_log}"

  # Deliberately malformed SQL and the error PostgreSQL is expected to return.
  command = 'CREAT TABLEincorrect_syntax(id INT);'
  error = 'syntax error at or near "CREAT"'

  sql.query(message_sql, [PG_DB])

  # The invalid input must be rejected with the documented error ...
  describe sql.query(command, [PG_DB]) do
    it { should match /ERROR:\s+#{error}/ }
  end

  # ... and both the error and the offending statement must appear in the log.
  describe command(get_logs) do
    its('stdout') { should match /ERROR:\s+#{error}/ }
    its('stdout') { should match /STATEMENT:\s+#{Regexp.escape(command)}/ }
  end
end