V-73037

Severity: Medium

Generated

2019-05-20 15:48:11.984914

Status

Passed

PostgreSQL must invalidate session identifiers upon user logout or other session termination.

NIST 800-53

STIG #   Description                    Result
SC-23    SC-23: Session Authenticity    failed

Guidance

Captured sessions can be reused in “replay” attacks. This requirement limits the ability of adversaries to capture and continue to employ previously valid session IDs.

This requirement focuses on communications protection for PostgreSQL session rather than for the network packet. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted.

Session IDs are tokens generated by PostgreSQL to uniquely identify a user's (or process's) session. DBMSs make access decisions and execute logic based on the session ID.

Unique session IDs help to reduce the predictability of those identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty hijacking the session or otherwise manipulating valid sessions.

When a user logs out, or when any other session termination event occurs, PostgreSQL must terminate the user session(s) to minimize the potential for sessions to be hijacked.

Check

As the database administrator (shown here as “postgres”), run the following SQL:

$ sudo su - postgres
$ psql -c "SHOW tcp_keepalives_idle"
$ psql -c "SHOW tcp_keepalives_interval"
$ psql -c "SHOW tcp_keepalives_count"
$ psql -c "SHOW statement_timeout"

If these settings are not set, this is a finding.

Fix

Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.

As the database administrator (shown here as “postgres”), edit postgresql.conf:

$ sudo su - postgres
$ vi $PGDATA/postgresql.conf

Set the following parameters to organizational requirements:

statement_timeout = 10000       # milliseconds
tcp_keepalives_idle = 10        # seconds
tcp_keepalives_interval = 10    # seconds
tcp_keepalives_count = 10

Now, as the system administrator, restart the server with the new configuration:

SYSTEMD SERVER ONLY

$ sudo systemctl restart postgresql-9.5

INITD SERVER ONLY

$ sudo service postgresql-9.5 restart

Test Results

Test                                                                    Result
PostgreSQL query: SHOW tcp_keepalives_idle; output should not cmp == 0      passed
PostgreSQL query: SHOW tcp_keepalives_interval; output should not cmp == 0  passed
PostgreSQL query: SHOW tcp_keepalives_count; output should not cmp == 0     passed
PostgreSQL query: SHOW statement_timeout; output should not cmp == 0        passed

Code

control "V-73037" do
  title "PostgreSQL must invalidate session identifiers upon user logout or other
session termination."
  desc  "Captured sessions can be reused in \"replay\" attacks. This requirement
limits the ability of adversaries to capture and continue to employ previously valid
session IDs.

This requirement focuses on communications protection for PostgreSQL session rather
than for the network packet. The intent of this control is to establish grounds for
confidence at each end of a communications session in the ongoing identity of the
other party and in the validity of the information being transmitted.

Session IDs are tokens generated by PostgreSQL to uniquely identify a user's (or
process's) session. DBMSs will make access decisions and execute logic based on the
session ID.

Unique session IDs help to reduce predictability of said identifiers. Unique session
IDs address man-in-the-middle attacks, including session hijacking or insertion of
information into a session. If the attacker is unable to identify or guess the
session information related to pending application traffic, they will have more
difficulty in hijacking the session or otherwise manipulating valid sessions.

When a user logs out, or when any other session termination event occurs, PostgreSQL
must terminate the user session(s) to minimize the potential for sessions to be
hijacked."
  impact 0.5
  tag "severity": "medium"
  tag "gtitle": "SRG-APP-000220-DB-000149"
  tag "gid": "V-73037"
  tag "rid": "SV-87689r1_rule"
  tag "stig_id": "PGS9-00-010600"
  tag "cci": "CCI-001185"
  tag "nist": ["SC-23 (1)", "Rev_4"]
  tag "check": "As the database administrator (shown here as \"postgres\"), run the
following SQL:

$ sudo su - postgres
$ psql -c \"SHOW tcp_keepalives_idle\"
$ psql -c \"SHOW tcp_keepalives_interval\"
$ psql -c \"SHOW tcp_keepalives_count\"
$ psql -c \"SHOW statement_timeout\"

If these settings are not set, this is a finding."
  tag "fix": "Note: The following instructions use the PGDATA environment variable.
See supplementary content APPENDIX-F for instructions on configuring PGDATA.

As the database administrator (shown here as \"postgres\"), edit postgresql.conf:

$ sudo su - postgres
$ vi $PGDATA/postgresql.conf

Set the following parameters to organizational requirements:

statement_timeout = 10000 #milliseconds
tcp_keepalives_idle = 10 # seconds
tcp_keepalives_interval = 10 # seconds
tcp_keepalives_count = 10

Now, as the system administrator, restart the server with the new configuration:

# SYSTEMD SERVER ONLY
$ sudo systemctl restart postgresql-9.5

# INITD SERVER ONLY
$ sudo service postgresql-9.5 restart"

  sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)

  describe sql.query('SHOW tcp_keepalives_idle;', [PG_DB]) do
    its('output') { should_not cmp 0 }
  end

  describe sql.query('SHOW tcp_keepalives_interval;', [PG_DB]) do
    its('output') { should_not cmp 0 }
  end

  describe sql.query('SHOW tcp_keepalives_count;', [PG_DB]) do
    its('output') { should_not cmp 0 }
  end

  describe sql.query('SHOW statement_timeout;', [PG_DB]) do
    its('output') { should_not cmp 0 }
  end
end