V-73043
Severity: Medium
Generated
2019-05-20 15:48:11.984914
Status
PostgreSQL must protect its audit features from unauthorized removal.
NIST 800-53
STIG # | Description | Result |
---|---|---|
AU-9 | AU-9: Protection Of Audit Information | passed |
Guidance
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.
Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit tools.
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Check
As the database administrator (shown here as “postgres”), verify the permissions of PGDATA:
$ sudo su - postgres
$ ls -la ${PGDATA?}
If PGDATA is not owned by postgres:postgres or if files can be accessed by others, this is a finding.
As the system administrator, verify the permissions of pgsql shared objects and compiled binaries:
$ ls -la /usr/pgsql-9.5/bin/
$ ls -la /usr/pgsql-9.5/share
$ ls -la /usr/pgsql-9.5/include
If any of these are not owned by root:root, this is a finding.
Fix
As the system administrator, change the permissions of PGDATA:
$ sudo chown -R postgres:postgres ${PGDATA?}
$ sudo chmod 700 ${PGDATA?}
As the system administrator, change the permissions of pgsql:
$ sudo chown -R root:root /usr/pgsql-9.5/share/contrib/pgaudit
Note that this command covers only the pgaudit contrib directory; the bin, share and include directories named in the check must also be owned by root:root for the control to pass.
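The check and fix above are written as interactive commands to eyeball with ls. The script below is an added example, not part of the STIG text or of the InSpec profile on this page: a POSIX sh version of the same check that prints every offending path and returns non-zero on a finding, so it can run from cron or a CI job. It assumes a POSIX find(1) with -perm, -user, -group and -prune, and that the owner and group names resolve on the host. The demo_finding fixture (a throwaway data tree with one group/world-readable pg_hba.conf) is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG or the InSpec profile above).
# Shell version of the V-73043 check: anything under PGDATA that is not
# 0700 (directories) / 0600 (files) owned by the expected user:group is a
# finding, as is any PostgreSQL install directory not owned by root:root.
# Assumed: POSIX find(1); user/group names resolve on this host.

# check_pgdata_perms DIR USER GROUP
# Prints one offending path per line. Returns 0 when clean, 1 on findings,
# 2 when DIR is not a directory.
check_pgdata_perms() {
    pgdata=$1; owner=$2; grp=$3
    [ -d "$pgdata" ] || { echo "not a directory: $pgdata" >&2; return 2; }
    findings=$(
        # every directory, PGDATA itself included, must be exactly 0700 owner:grp
        find "$pgdata" -type d \( ! -perm 700 -o ! -user "$owner" -o ! -group "$grp" \) -print
        # every regular file must be exactly 0600 owner:grp
        find "$pgdata" -type f \( ! -perm 600 -o ! -user "$owner" -o ! -group "$grp" \) -print
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# check_root_owned DIR...
# The bin/lib/share/include trees must be owned by root:root. Only the
# directory entry itself is tested (-prune), matching the InSpec control.
check_root_owned() {
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "missing: $d"; rc=1; continue
        fi
        if [ -n "$(find "$d" -prune \( ! -user root -o ! -group root \) -print)" ]; then
            echo "not root:root: $d"; rc=1
        fi
    done
    return "$rc"
}

# demo_finding: constructed fixture, a throwaway data tree owned by the
# current user with one deliberately group/world-readable pg_hba.conf.
# Returns check_pgdata_perms' status, i.e. 1 because of that file.
demo_finding() {
    tmp=$(mktemp -d) || return 2
    mkdir -m 700 "$tmp/data" "$tmp/data/base"
    : > "$tmp/data/postgresql.conf"; chmod 600 "$tmp/data/postgresql.conf"
    : > "$tmp/data/pg_hba.conf";     chmod 644 "$tmp/data/pg_hba.conf"   # the finding
    check_pgdata_perms "$tmp/data" "$(id -un)" "$(id -gn)"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Real use, as root, with the values from the test run above:
#   check_pgdata_perms /var/vcap/store/postgresql/data vcap vcap
#   check_root_owned /usr/lib/postgresql/10/bin /usr/lib/postgresql/10/lib \
#                    /usr/include/postgresql/10 /usr/share/postgresql/10
```

The -perm tests are exact matches, so a 640 file or a 750 directory is reported even though it is "more restrictive" than world-readable; that is the same strictness the InSpec control applies. Because find exits 0 whether or not it printed anything, the script keys off the captured output, not find's status.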
Test Results
Test | Result |
---|---|
Directory /var/vcap/store/postgresql/data should be directory | passed |
Directory /var/vcap/store/postgresql/data should be owned by "vcap" | passed |
Directory /var/vcap/store/postgresql/data should be grouped into "vcap" | passed |
Directory /var/vcap/store/postgresql/data mode should cmp == "0700" | passed |
Command: `find /var/vcap/store/postgresql/data -type f \( ! -perm 600 -or ! -user vcap -or ! -group vcap \)` stdout should eq "" | passed |
Command: `find /var/vcap/store/postgresql/data -type f \( ! -perm 600 -or ! -user vcap -or ! -group vcap \)` exit_status should cmp == 0 | passed |
Command: `find /var/vcap/store/postgresql/data -type d \( ! -perm 700 -or ! -user vcap -or ! -group vcap \)` stdout should eq "" | passed |
Command: `find /var/vcap/store/postgresql/data -type d \( ! -perm 700 -or ! -user vcap -or ! -group vcap \)` exit_status should cmp == 0 | passed |
Directory /usr/lib/postgresql/10/bin should be directory | passed |
Directory /usr/lib/postgresql/10/bin should be owned by "root" | passed |
Directory /usr/lib/postgresql/10/bin should be grouped into "root" | passed |
Directory /usr/lib/postgresql/10/lib should be directory | passed |
Directory /usr/lib/postgresql/10/lib should be owned by "root" | passed |
Directory /usr/lib/postgresql/10/lib should be grouped into "root" | passed |
Directory /usr/include/postgresql/10 should be directory | passed |
Directory /usr/include/postgresql/10 should be owned by "root" | passed |
Directory /usr/include/postgresql/10 should be grouped into "root" | passed |
Directory /usr/share/postgresql/10 should be directory | passed |
Directory /usr/share/postgresql/10 should be owned by "root" | passed |
Directory /usr/share/postgresql/10 should be grouped into "root" | passed |
Code
control "V-73043" do
  title "PostgreSQL must protect its audit features from unauthorized removal."
  desc "Protecting audit data also includes identifying and protecting the tools
  used to view and manipulate log data. Therefore, protecting audit tools is necessary
  to prevent unauthorized operation on audit data.
  Applications providing tools to interface with audit data will leverage user
  permissions and roles identifying the user accessing the tools and the corresponding
  rights the user enjoys in order to make access decisions regarding the deletion of
  audit tools.
  Audit tools include, but are not limited to, vendor-provided and open source audit
  tools needed to successfully view and manipulate audit information system activity
  and records. Audit tools include custom queries and report generators."
  impact 0.5
  tag "severity": "medium"
  tag "gtitle": "SRG-APP-000123-DB-000204"
  tag "gid": "V-73043"
  tag "rid": "SV-87695r1_rule"
  tag "stig_id": "PGS9-00-011200"
  tag "cci": "CCI-001495"
  tag "nist": ["AU-9", "Rev_4"]
  tag "check": "As the database administrator (shown here as \"postgres\"), verify
  the permissions of PGDATA:
  $ sudo su - postgres
  $ ls -la ${PGDATA?}
  If PGDATA is not owned by postgres:postgres or if files can be accessed by others,
  this is a finding.
  As the system administrator, verify the permissions of pgsql shared objects and
  compiled binaries:
  $ ls -la /usr/pgsql-9.5/bin/
  $ ls -la /usr/pgsql-9.5/share
  $ ls -la /usr/pgsql-9.5/include
  If any of these are not owned by root:root, this is a finding."
  tag "fix": "As the system administrator, change the permissions of PGDATA:
  $ sudo chown -R postgres:postgres ${PGDATA?}
  $ sudo chmod 700 ${PGDATA?}
  As the system administrator, change the permissions of pgsql:
  $ sudo chown -R root:root /usr/pgsql-9.5/share/contrib/pgaudit"

  # PG_DATA, PG_OWNER, PG_GROUP and PG_SHARED_LIBS are profile attributes set
  # outside this control. The run reported above used
  # /var/vcap/store/postgresql/data, vcap:vcap and the /usr/lib/postgresql/10,
  # /usr/include/postgresql/10 and /usr/share/postgresql/10 directories.

  # The data directory itself: 0700 and owned by the database service account.
  describe directory(PG_DATA) do
    it { should be_directory }
    it { should be_owned_by PG_OWNER }
    it { should be_grouped_into PG_GROUP }
    its('mode') { should cmp '0700' }
  end

  # Any regular file under PGDATA that is not exactly 0600 owner:group.
  # find exits 0 whether or not it matched anything, so the empty-stdout
  # expectation is the real test; exit_status 0 only catches a missing
  # PG_DATA or an unknown user/group name.
  find_insecure_files = "find #{PG_DATA} -type f \\( "\
    "! -perm 600 -or ! -user #{PG_OWNER} -or ! -group #{PG_GROUP} \\)"
  describe command(find_insecure_files) do
    its('stdout') { should eq '' }
    its('exit_status') { should cmp 0 }
  end

  # Any directory under PGDATA that is not exactly 0700 owner:group.
  find_insecure_dirs = "find #{PG_DATA} -type d \\( "\
    "! -perm 700 -or ! -user #{PG_OWNER} -or ! -group #{PG_GROUP} \\)"
  describe command(find_insecure_dirs) do
    its('stdout') { should eq '' }
    its('exit_status') { should cmp 0 }
  end

  # Binaries, libraries, headers and share files must be root-owned so the
  # service account cannot replace or remove the audit tooling. Only the
  # directory entry is checked here, not its contents.
  PG_SHARED_LIBS.each do |dir|
    describe directory(dir) do
      it { should be_directory }
      it { should be_owned_by 'root' }
      it { should be_grouped_into 'root' }
    end
  end
end