V-72975

Severity: Medium

Generated

2019-05-20 15:48:11.984914

Status

Passed

PostgreSQL must generate audit records when unsuccessful attempts to modify privileges/permissions occur.

NIST 800-53

STIG # Description Result
AU-12 AU-12: Audit Generation failed

Guidance

Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected. Modifying permissions is done via the GRANT and REVOKE commands. To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.

Check

First, as the database administrator (shown here as “postgres”), create a role ‘bob’ and a test table by running the following SQL: $ sudo su - postgres $ psql -c “CREATE ROLE bob; CREATE TABLE test(id INT)” Next, set current role to bob and attempt to modify privileges: $ psql -c “SET ROLE bob; GRANT ALL PRIVILEGES ON test TO bob;” $ psql -c “SET ROLE bob; REVOKE ALL PRIVILEGES ON test FROM bob” Now, as the database administrator (shown here as “postgres”), verify the unsuccessful attempt was logged: $ sudo su - postgres $ cat ${PGDATA?}/pg_log/ 2016-07-14 18:12:23.208 EDT postgres postgres ERROR: permission denied for relation test 2016-07-14 18:12:23.208 EDT postgres postgres STATEMENT: GRANT ALL PRIVILEGES ON test TO bob; 2016-07-14 18:14:52.895 EDT postgres postgres ERROR: permission denied for relation test 2016-07-14 18:14:52.895 EDT postgres postgres STATEMENT: REVOKE ALL PRIVILEGES ON test FROM bob; If audit logs are not generated when unsuccessful attempts to modify privileges/permissions occur, this is a finding.

Fix

Configure PostgreSQL to produce audit records when unsuccessful attempts to modify privileges occur. All denials are logged by default if logging is enabled. To ensure that logging is enabled, review supplementary stdout APPENDIX-C for instructions on enabling logging.

Test Results

  Result
Command: `sed -nre '/2019-05-16 08:11.*LOG:\s+starting tests for V-72975/,$p' /var/vcap/sys/log/postgresql/Thu.pg_log` stdout should match /ERROR:\s+permission denied for (relation|table) test/ passed
Command: `sed -nre '/2019-05-16 08:11.*LOG:\s+starting tests for V-72975/,$p' /var/vcap/sys/log/postgresql/Thu.pg_log` stdout should match /STATEMENT:\s+SET ROLE bob; GRANT ALL PRIVILEGES ON test TO bob;/ passed
Command: `sed -nre '/2019-05-16 08:11.*LOG:\s+starting tests for V-72975/,$p' /var/vcap/sys/log/postgresql/Thu.pg_log` stdout should match /STATEMENT:\s+SET ROLE bob; REVOKE ALL PRIVILEGES ON test FROM bob;/ passed

Code

control "V-72975" do
  title "PostgreSQL must generate audit records when unsuccessful attempts to
  modify privileges/permissions occur."
  desc  "Failed attempts to change the permissions, privileges, and roles
  granted to users and roles must be tracked. Without an audit trail,
  unauthorized attempts to elevate or restrict privileges could go undetected.
  Modifying permissions is done via the GRANT and REVOKE commands.
  To aid in diagnosis, it is necessary to keep track of failed attempts in
  addition to the successful ones."
  impact 0.5
  tag "severity": "medium"
  tag "gtitle": "SRG-APP-000495-DB-000329"
  tag "gid": "V-72975"
  tag "rid": "SV-87627r1_rule"
  tag "stig_id": "PGS9-00-006800"
  tag "cci": "CCI-000172"
  tag "nist": ["AU-12 c", "Rev_4"]
  tag "check": "First, as the database administrator (shown here as
  \"postgres\"), create a role 'bob' and a test table by running the following
  SQL:
  $ sudo su - postgres
  $ psql -c \"CREATE ROLE bob; CREATE TABLE test(id INT)\"
  Next, set current role to bob and attempt to modify privileges:
  $ psql -c \"SET ROLE bob; GRANT ALL PRIVILEGES ON test TO bob;\"
  $ psql -c \"SET ROLE bob; REVOKE ALL PRIVILEGES ON test FROM bob\"
  Now, as the database administrator (shown here as \"postgres\"), verify the
  unsuccessful attempt was logged:
  $ sudo su - postgres
  $ cat ${PGDATA?}/pg_log/<latest_log>
  2016-07-14 18:12:23.208 EDT postgres postgres ERROR: permission denied for
  relation test
  2016-07-14 18:12:23.208 EDT postgres postgres STATEMENT: GRANT ALL PRIVILEGES
  ON test TO bob;
  2016-07-14 18:14:52.895 EDT postgres postgres ERROR: permission denied for
  relation test
  2016-07-14 18:14:52.895 EDT postgres postgres STATEMENT: REVOKE ALL PRIVILEGES
  ON test FROM bob;
  If audit logs are not generated when unsuccessful attempts to modify
  privileges/permissions occur, this is a finding."
  tag "fix": "Configure PostgreSQL to produce audit records when unsuccessful
  attempts to modify privileges occur.
  All denials are logged by default if logging is enabled. To ensure that
  logging is enabled, review supplementary stdout APPENDIX-C for instructions
  on enabling logging."

  sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)
  log_directory_query = sql.query('SHOW log_directory;', [PG_DB])
  log_directory = log_directory_query.output
  current_log_command = "ls -1t #{log_directory}/*.pg_log | head -1"
  current_log = command(current_log_command).stdout.strip
  control = File.basename(__FILE__, File.extname(__FILE__))
  message = "starting tests for #{control}"
  message_sql = "DO language plpgsql $$ BEGIN "\
    "RAISE LOG '#{message}'; END $$;"
  start = Time.now.strftime('%Y-%m-%d %H:%M')
  get_logs = "sed -nre '/#{start}.*LOG:\\s+#{message}/,$p' #{current_log}"

  setup = 'CREATE ROLE bob; CREATE TABLE test(id INT);'
  set_role = 'SET ROLE bob;'
  teardown = 'DROP TABLE test; DROP ROLE bob;'
  grant = "#{set_role} GRANT ALL PRIVILEGES ON test TO bob;"
  revoke = "#{set_role} REVOKE ALL PRIVILEGES ON test FROM bob;"
  error = 'permission denied for relation test'

  sql.query(message_sql, [PG_DB])
  sql.query(setup, [PG_DB])
  sql.query(grant, [PG_DB])
  sql.query(revoke, [PG_DB])
  sql.query(teardown, [PG_DB])

  describe command(get_logs) do
    its('stdout') { should match /ERROR:\s+#{error}/ }
    its('stdout') { should match /STATEMENT:\s+#{grant}/ }
    its('stdout') { should match /STATEMENT:\s+#{revoke}/ }
  end
end