V-72933

Severity: Medium

Generated

2019-05-20 15:48:11.984914

Status

Passed

PostgreSQL must generate audit records when successful logons or connections occur.

NIST 800-53

STIG #   Description                Result
AU-12    AU-12: Audit Generation    failed

Guidance

For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to PostgreSQL.

Check

Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.

First, as the database administrator (shown here as "postgres"), check if log_connections is enabled by running the following SQL:

$ sudo su - postgres
$ psql -c "SHOW log_connections"

If log_connections is off, this is a finding.

Next, verify in the logs that the previous connection to the database was logged:

$ sudo su - postgres
$ cat ${PGDATA?}/pg_log/<latest_log>
< 2016-02-16 15:54:03.934 EST postgres postgres 56c64b8b.aeb: >LOG: connection authorized: user=postgres database=postgres

If an audit record is not generated each time a user (or other principal) logs on or connects to PostgreSQL, this is a finding.

Fix

Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.

To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.

If logging is enabled, the following configurations must be made to log connections, date/time, username, and session identifier.

First, as the database administrator (shown here as "postgres"), edit postgresql.conf:

$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf

Edit the following parameters as such:

log_connections = on
log_line_prefix = '< %m %u %d %c: >'

Where:
* %m is the time and date
* %u is the username
* %d is the database
* %c is the session ID for the connection

Now, as the system administrator, reload the server with the new configuration:

# SYSTEMD SERVER ONLY
$ sudo systemctl reload postgresql-9.5

# INITD SERVER ONLY
$ sudo service postgresql-9.5 reload
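The Check and Fix above rely on reading back log lines written with log_line_prefix = '< %m %u %d %c: >'. The following added example (not part of the STIG text or the InSpec control on this page) parses that line format and reports whether a given user's logon to a given database produced a "connection authorized" audit record; the sample log lines are constructed for the example.

```ruby
# Parses PostgreSQL log lines written with log_line_prefix = '< %m %u %d %c: >'
# (%m timestamp with milliseconds, %u user, %d database, %c session id).
# Background processes log empty %u/%d, so those fields may be blank.
PREFIX_RE = /\A<\s+(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} \S+)\s+(?<user>\S*)\s+(?<db>\S*)\s+(?<session>[0-9a-f]+\.[0-9a-f]+):\s+>(?<level>[A-Z]+):\s+(?<msg>.*)\z/

# The audit record the STIG asks for; "connection received" alone is not enough,
# because it is logged before authentication (user and database still unknown).
CONNECTION_RE = /\Aconnection authorized: user=(?<user>\S+) database=(?<db>\S+)/

Event = Struct.new(:timestamp, :user, :database, :session, :level, :message)

# Returns an Event for a prefixed log line, or nil for lines in another format.
def parse_line(line)
  m = PREFIX_RE.match(line.chomp)
  return nil unless m
  Event.new(m[:ts], m[:user], m[:db], m[:session], m[:level], m[:msg])
end

# All successful-logon audit records found in the given lines.
def authorized_connections(lines)
  lines.map { |l| parse_line(l) }.compact
       .select { |e| e.level == 'LOG' && CONNECTION_RE.match?(e.message) }
end

# True when a logon by `user` to `database` was audited; false is a finding.
def logon_audited?(lines, user, database)
  authorized_connections(lines).any? { |e| e.user == user && e.database == database }
end

# Constructed sample log (hypothetical session ids and timestamps).
SAMPLE_LOG = <<~LOG
  < 2016-02-16 15:54:03.934 EST [unknown] [unknown] 56c64b8b.aeb: >LOG:  connection received: host=[local]
  < 2016-02-16 15:54:03.934 EST postgres postgres 56c64b8b.aeb: >LOG:  connection authorized: user=postgres database=postgres
  < 2016-02-16 15:55:10.102 EST crunchy stig_test_db 56c64bcf.b12: >LOG:  connection authorized: user=crunchy database=stig_test_db
  < 2016-02-16 15:55:11.500 EST crunchy stig_test_db 56c64bcf.b12: >LOG:  starting tests for V-72933
  < 2016-02-16 15:56:00.000 EST   56c64c20.c01: >LOG:  checkpoint starting: time
LOG

if __FILE__ == $PROGRAM_NAME
  authorized_connections(SAMPLE_LOG.lines).each do |e|
    puts "#{e.timestamp} session=#{e.session} user=#{e.user} db=#{e.database}"
  end
end
```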

Test Results

Test                                                                                      Result
PostgreSQL query: SHOW log_connections; output should match /on|true/i                    passed
Command: `sed -nre '/2019-05-16 08:11.*LOG:\s+starting tests for V-72933/,$p' /var/vcap/sys/log/postgresql/Thu.pg_log` stdout should match /2019-05-16 08:11.*LOG:\s+connection authorized:\s+user=crunchy\s+database=stig_test_db/    passed

Code

control "V-72933" do
  title "PostgreSQL must generate audit records when successful logons or
  connections occur."
  desc  "For completeness of forensic analysis, it is necessary to track
  who/what (a user or other principal) logs on to PostgreSQL."
  impact 0.5
  tag "severity": "medium"
  tag "gtitle": "SRG-APP-000503-DB-000350"
  tag "gid": "V-72933"
  tag "rid": "SV-87585r1_rule"
  tag "stig_id": "PGS9-00-005100"
  tag "cci": "CCI-000172"
  tag "nist": ["AU-12 c", "Rev_4"]
  tag "check": "Note: The following instructions use the PGDATA environment
  variable. See supplementary content APPENDIX-F for instructions on configuring
  PGDATA.
  First, as the database administrator (shown here as \"postgres\"), check if
  log_connections is enabled by running the following SQL:
  $ sudo su - postgres
  $ psql -c \"SHOW log_connections\"
  If log_connections is off, this is a finding.
  Next, verify the logs that the previous connection to the database was logged:
  $ sudo su - postgres
  $ cat ${PGDATA?}/pg_log/<latest_log>
  < 2016-02-16 15:54:03.934 EST postgres postgres 56c64b8b.aeb: >LOG: connection
  authorized: user=postgres database=postgres
  If an audit record is not generated each time a user (or other principal) logs
  on or connects to PostgreSQL, this is a finding."
  tag "fix": "Note: The following instructions use the PGDATA environment
  variable. See supplementary content APPENDIX-F for instructions on configuring
  PGDATA.
  To ensure that logging is enabled, review supplementary content APPENDIX-C for
  instructions on enabling logging.
  If logging is enabled the following configurations must be made to log
  connections, date/time, username, and session identifier.
  First, as the database administrator (shown here as \"postgres\"), edit
  postgresql.conf:
  $ sudo su - postgres
  $ vi ${PGDATA?}/postgresql.conf
  Edit the following parameters as such:
  log_connections = on
  log_line_prefix = '< %m %u %d %c: >'
  Where:
  * %m is the time and date
  * %u is the username
  * %d is the database
  * %c is the session ID for the connection
  Now, as the system administrator, reload the server with the new configuration:
  # SYSTEMD SERVER ONLY
  $ sudo systemctl reload postgresql-9.5
  # INITD SERVER ONLY
  $ sudo service postgresql-9.5 reload"

  sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)

  # Locate the newest log file in the server's configured log_directory.
  log_directory_query = sql.query('SHOW log_directory;', [PG_DB])
  log_directory = log_directory_query.output
  current_log_command = "ls -1t #{log_directory}/*.pg_log | head -1"
  current_log = command(current_log_command).stdout.strip

  # Write a marker line to the log so that only entries from this run are
  # examined; the marker carries the control id derived from this file's name.
  # (A local named `control` would shadow the InSpec DSL method, so use control_id.)
  control_id = File.basename(__FILE__, File.extname(__FILE__))
  message = "starting tests for #{control_id}"
  message_sql = "DO language plpgsql $$ BEGIN "\
    "RAISE LOG '#{message}'; END $$;"

  # Both patterns match on minute resolution, so a run that crosses a minute
  # boundary between the marker and the connection can report a false failure.
  timestamp = Time.now.strftime('%Y-%m-%d %H:%M')
  get_logs = "sed -nre '/#{timestamp}.*LOG:\\s+#{message}/,$p' #{current_log}"
  connection_message = "#{timestamp}.*LOG:\\s+connection authorized:"\
    "\\s+user=#{PG_DBA}\\s+database=#{PG_DB}"
  connection_regex = Regexp.new(connection_message)

  # Each sql.query call runs psql and therefore opens a new connection; the
  # marker query itself is the logon whose audit record is checked below.
  sql.query(message_sql, [PG_DB])

  describe sql.query('SHOW log_connections;', [PG_DB]) do
    its('output') { should match /on|true/i }
  end

  describe command(get_logs) do
    its('stdout') { should match connection_regex }
  end
end