Navigation :

V-72945

Severity: Medium

Generated

2019-05-20 15:48:11.984914

Status

Passed

PostgreSQL must generate audit records when unsuccessful attempts to delete privileges/permissions occur.

NIST 800-53

STIG # Description Result
AU-12 AU-12: Audit Generation failed

Guidance

Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected. In an SQL environment, deleting permissions is typically done via the REVOKE command. To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.

Check

Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA. First, as the database administrator (shown here as “postgres”), create the roles joe and bob with LOGIN by running the following SQL: $ sudo su - postgres $ psql -c “CREATE ROLE joe LOGIN” $ psql -c “CREATE ROLE bob LOGIN” Next, set current role to bob and attempt to alter the role joe: $ psql -c “SET ROLE bob; ALTER ROLE joe NOLOGIN” Now, as the database administrator (shown here as “postgres”), verify the denials are logged: $ sudo su - postgres $ cat ${PGDATA?}/pg_log/ < 2016-03-17 11:28:10.004 EDT bob 56eacd05.cda postgres: >ERROR: permission denied to drop role < 2016-03-17 11:28:10.004 EDT bob 56eacd05.cda postgres: >STATEMENT: DROP ROLE joe; If audit logs are not generated when unsuccessful attempts to delete privileges/permissions occur, this is a finding.

Fix

Configure PostgreSQL to produce audit records when unsuccessful attempts to delete privileges occur. All denials are logged if logging is enabled. To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.

Test Results

  Result
Command: `sed -nre '/2019-05-16 08:11.*LOG:\s+starting tests for V-72945/,$p' /var/vcap/sys/log/postgresql/Thu.pg_log` stdout should match /ERROR:\s+permission denied/ passed
Command: `sed -nre '/2019-05-16 08:11.*LOG:\s+starting tests for V-72945/,$p' /var/vcap/sys/log/postgresql/Thu.pg_log` stdout should match /STATEMENT:\s+SET ROLE inspec_v72945_role_1; ALTER ROLE inspec_v72945_role_2 NOLOGIN;/ passed

Code

control "V-72945" do
  title "PostgreSQL must generate audit records when unsuccessful attempts to
  delete privileges/permissions occur."
  desc  "Failed attempts to change the permissions, privileges, and roles
  granted to users and roles must be tracked. Without an audit trail,
  unauthorized attempts to elevate or restrict privileges could go undetected.
  In an SQL environment, deleting permissions is typically done via the REVOKE
  command.
  To aid in diagnosis, it is necessary to keep track of failed attempts in
  addition to the successful ones."
  impact 0.5
  tag "severity": "medium"
  tag "gtitle": "SRG-APP-000499-DB-000331"
  tag "gid": "V-72945"
  tag "rid": "SV-87597r1_rule"
  tag "stig_id": "PGS9-00-005400"
  tag "cci": "CCI-000172"
  tag "nist": ["AU-12 c", "Rev_4"]
  tag "check": "Note: The following instructions use the PGDATA environment
  variable. See supplementary content APPENDIX-F for instructions on configuring
  PGDATA.
  First, as the database administrator (shown here as \"postgres\"), create the
  roles joe and bob with LOGIN by running the following SQL:
  $ sudo su - postgres
  $ psql -c \"CREATE ROLE joe LOGIN\"
  $ psql -c \"CREATE ROLE bob LOGIN\"
  Next, set current role to bob and attempt to alter the role joe:
  $ psql -c \"SET ROLE bob; ALTER ROLE joe NOLOGIN\"
  Now, as the database administrator (shown here as \"postgres\"), verify the
  denials are logged:
  $ sudo su - postgres
  $ cat ${PGDATA?}/pg_log/<latest_log>
  < 2016-03-17 11:28:10.004 EDT bob 56eacd05.cda postgres: >ERROR: permission
  denied to drop role
  < 2016-03-17 11:28:10.004 EDT bob 56eacd05.cda postgres:
  >STATEMENT: DROP ROLE joe;
  If audit logs are not generated when unsuccessful attempts to delete
  privileges/permissions occur, this is a finding."
  tag "fix": "Configure PostgreSQL to produce audit records when unsuccessful
  attempts to delete privileges occur.
  All denials are logged if logging is enabled. To ensure that logging is
  enabled, review supplementary content APPENDIX-C for instructions on enabling
  logging."

  sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)
  log_directory_query = sql.query('SHOW log_directory;', [PG_DB])
  log_directory = log_directory_query.output
  current_log_command = "ls -1t #{log_directory}/*.pg_log | head -1"
  current_log = command(current_log_command).stdout.strip
  control = File.basename(__FILE__, File.extname(__FILE__))
  message = "starting tests for #{control}"
  message_sql = "DO language plpgsql $$ BEGIN "\
    "RAISE LOG '#{message}'; END $$;"
  start = Time.now.strftime('%Y-%m-%d %H:%M')
  get_logs = "sed -nre '/#{start}.*LOG:\\s+#{message}/,$p' #{current_log}"

  create_bob =  'CREATE ROLE bob;'
  create_joe =  'CREATE ROLE joe;'
  drop_bob =  'DROP ROLE bob;'
  drop_joe =  'DROP ROLE joe;'
  command = 'SET ROLE bob; ALTER ROLE joe NOLOGIN;'
  error = 'permission denied'

  sql.query(message_sql, [PG_DB])
  sql.query(create_bob, [PG_DB])
  sql.query(create_joe, [PG_DB])
  sql.query(command, [PG_DB])
  sql.query(drop_joe, [PG_DB])
  sql.query(drop_bob, [PG_DB])

  describe command(get_logs) do
    its('stdout') { should match /ERROR:\s+#{error}/ }
    its('stdout') { should match /STATEMENT:\s+#{command}/ }
  end
end