V-72977

Severity: Medium

Generated

2019-05-20 15:48:11.984914

Status

Passed

PostgreSQL must generate audit records when unsuccessful attempts to add privileges/permissions occur.

NIST 800-53

STIG # Description Result
AU-12 AU-12: Audit Generation failed

Guidance

Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected. In an SQL environment, adding permissions is typically done via the GRANT command, or, in the negative, the REVOKE command. To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.

Check

First, as the database administrator (shown here as “postgres”), create a role ‘bob’ and a test table by running the following SQL: $ sudo su - postgres $ psql -c “CREATE ROLE bob; CREATE TABLE test(id INT)” Next, set current role to bob and attempt to modify privileges: $ psql -c “SET ROLE bob; GRANT ALL PRIVILEGES ON test TO bob;” Now, as the database administrator (shown here as “postgres”), verify the unsuccessful attempt was logged: $ sudo su - postgres $ cat ${PGDATA?}/pg_log/ 2016-07-14 18:12:23.208 EDT postgres postgres ERROR: permission denied for relation test 2016-07-14 18:12:23.208 EDT postgres postgres STATEMENT: GRANT ALL PRIVILEGES ON test TO bob; If audit logs are not generated when unsuccessful attempts to add privileges/permissions occur, this is a finding.

Fix

Configure PostgreSQL to produce audit records when unsuccessful attempts to add privileges occur. All denials are logged by default if logging is enabled. To ensure that logging is enabled, review supplementary stdout APPENDIX-C for instructions on enabling logging.

Test Results

  Result
Command: `sed -nre '/2019-05-16 08:11.*LOG:\s+starting tests for V-72977/,$p' /var/vcap/sys/log/postgresql/Thu.pg_log` stdout should match /ERROR:\s+permission denied for (relation|table) test/ passed
Command: `sed -nre '/2019-05-16 08:11.*LOG:\s+starting tests for V-72977/,$p' /var/vcap/sys/log/postgresql/Thu.pg_log` stdout should match /STATEMENT:\s+SET ROLE inspec_v72977_role; GRANT ALL PRIVILEGES ON test TO inspec_v72977_role;/ passed

Code

control "V-72977" do
  title "PostgreSQL must generate audit records when unsuccessful attempts to
  add privileges/permissions occur."
  desc  "Failed attempts to change the permissions, privileges, and roles
  granted to users and roles must be tracked. Without an audit trail,
  unauthorized attempts to elevate or restrict privileges could go undetected.
  In an SQL environment, adding permissions is typically done via the GRANT
  command, or, in the negative, the REVOKE command.
  To aid in diagnosis, it is necessary to keep track of failed attempts in
  addition to the successful ones."
  impact 0.5
  tag "severity": "medium"
  tag "gtitle": "SRG-APP-000495-DB-000327"
  tag "gid": "V-72977"
  tag "rid": "SV-87629r1_rule"
  tag "stig_id": "PGS9-00-006900"
  tag "cci": "CCI-000172"
  tag "nist": ["AU-12 c", "Rev_4"]
  tag "check": "First, as the database administrator (shown here as
  \"postgres\"), create a role 'bob' and a test table by running the following
  SQL:
  $ sudo su - postgres
  $ psql -c \"CREATE ROLE bob; CREATE TABLE test(id INT)\"
  Next, set current role to bob and attempt to modify privileges:
  $ psql -c \"SET ROLE bob; GRANT ALL PRIVILEGES ON test TO bob;\"
  Now, as the database administrator (shown here as \"postgres\"), verify the
  unsuccessful attempt was logged:
  $ sudo su - postgres
  $ cat ${PGDATA?}/pg_log/<latest_log>
  2016-07-14 18:12:23.208 EDT postgres postgres ERROR: permission denied for
  relation test
  2016-07-14 18:12:23.208 EDT postgres postgres STATEMENT: GRANT ALL PRIVILEGES
  ON test TO bob;
  If audit logs are not generated when unsuccessful attempts to add
  privileges/permissions occur, this is a finding."
  tag "fix": "Configure PostgreSQL to produce audit records when unsuccessful
  attempts to add privileges occur.
  All denials are logged by default if logging is enabled. To ensure that
  logging is enabled, review supplementary stdout APPENDIX-C for instructions
  on enabling logging."

  sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)
  log_directory_query = sql.query('SHOW log_directory;', [PG_DB])
  log_directory = log_directory_query.output
  current_log_command = "ls -1t #{log_directory}/*.pg_log | head -1"
  current_log = command(current_log_command).stdout.strip
  control = File.basename(__FILE__, File.extname(__FILE__))
  message = "starting tests for #{control}"
  message_sql = "DO language plpgsql $$ BEGIN "\
    "RAISE LOG '#{message}'; END $$;"
  start = Time.now.strftime('%Y-%m-%d %H:%M')
  get_logs = "sed -nre '/#{start}.*LOG:\\s+#{message}/,$p' #{current_log}"

  setup = 'CREATE ROLE bob; CREATE TABLE test(id INT);'
  set_role = 'SET ROLE bob;'
  teardown = 'DROP TABLE test; DROP ROLE bob;'
  grant = "#{set_role} GRANT ALL PRIVILEGES ON test TO bob;"
  error = 'permission denied for relation test'

  sql.query(message_sql, [PG_DB])
  sql.query(setup, [PG_DB])
  sql.query(grant, [PG_DB])
  sql.query(teardown, [PG_DB])

  describe command(get_logs) do
    its('stdout') { should match /ERROR:\s+#{error}/ }
    its('stdout') { should match /STATEMENT:\s+#{grant}/ }
  end
end