V-73043

Severity: Medium

Generated

2019-05-20 15:48:11.984914

Status

Passed

PostgreSQL must protect its audit features from unauthorized removal.

NIST 800-53

STIG #   Description                               Result
AU-9     AU-9: Protection Of Audit Information     passed

Guidance

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.

Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit tools.

Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Check

As the database administrator (shown here as “postgres”), verify the permissions of PGDATA:

$ sudo su - postgres
$ ls -la ${PGDATA?}

If PGDATA is not owned by postgres:postgres or if files can be accessed by others, this is a finding.

As the system administrator, verify the permissions of pgsql shared objects and compiled binaries:

$ ls -la /usr/pgsql-9.5/bin/
$ ls -la /usr/pgsql-9.5/share
$ ls -la /usr/pgsql-9.5/include

If any of these are not owned by root:root, this is a finding.

Fix

As the system administrator, change the permissions of PGDATA:

$ sudo chown -R postgres:postgres ${PGDATA?}
$ sudo chmod 700 ${PGDATA?}

As the system administrator, change the permissions of pgsql:

$ sudo chown -R root:root /usr/pgsql-9.5/share/contrib/pgaudit

Test Results

Test                                                                                                                                                Result
Directory /var/vcap/store/postgresql/data should be directory passed
Directory /var/vcap/store/postgresql/data should be owned by "vcap" passed
Directory /var/vcap/store/postgresql/data should be grouped into "vcap" passed
Directory /var/vcap/store/postgresql/data mode should cmp == "0700" passed
Command: `find /var/vcap/store/postgresql/data -type f \( ! -perm 600 -or ! -user vcap -or ! -group vcap \)` stdout should eq "" passed
Command: `find /var/vcap/store/postgresql/data -type f \( ! -perm 600 -or ! -user vcap -or ! -group vcap \)` exit_status should cmp == 0 passed
Command: `find /var/vcap/store/postgresql/data -type d \( ! -perm 700 -or ! -user vcap -or ! -group vcap \)` stdout should eq "" passed
Command: `find /var/vcap/store/postgresql/data -type d \( ! -perm 700 -or ! -user vcap -or ! -group vcap \)` exit_status should cmp == 0 passed
Directory /usr/lib/postgresql/10/bin should be directory passed
Directory /usr/lib/postgresql/10/bin should be owned by "root" passed
Directory /usr/lib/postgresql/10/bin should be grouped into "root" passed
Directory /usr/lib/postgresql/10/lib should be directory passed
Directory /usr/lib/postgresql/10/lib should be owned by "root" passed
Directory /usr/lib/postgresql/10/lib should be grouped into "root" passed
Directory /usr/include/postgresql/10 should be directory passed
Directory /usr/include/postgresql/10 should be owned by "root" passed
Directory /usr/include/postgresql/10 should be grouped into "root" passed
Directory /usr/share/postgresql/10 should be directory passed
Directory /usr/share/postgresql/10 should be owned by "root" passed
Directory /usr/share/postgresql/10 should be grouped into "root" passed

Code

control "V-73043" do
  title "PostgreSQL must protect its audit features from unauthorized removal."
  desc  "Protecting audit data also includes identifying and protecting the tools
used to view and manipulate log data. Therefore, protecting audit tools is necessary
to prevent unauthorized operation on audit data.

Applications providing tools to interface with audit data will leverage user
permissions and roles identifying the user accessing the tools and the corresponding
rights the user enjoys in order to make access decisions regarding the deletion of
audit tools.

Audit tools include, but are not limited to, vendor-provided and open source audit
tools needed to successfully view and manipulate audit information system activity
and records. Audit tools include custom queries and report generators."
  impact 0.5
  tag "severity": "medium"
  tag "gtitle": "SRG-APP-000123-DB-000204"
  tag "gid": "V-73043"
  tag "rid": "SV-87695r1_rule"
  tag "stig_id": "PGS9-00-011200"
  tag "cci": "CCI-001495"
  tag "nist": ["AU-9", "Rev_4"]
  tag "check": "As the database administrator (shown here as \"postgres\"), verify
the permissions of PGDATA:

$ sudo su - postgres
$ ls -la ${PGDATA?}

If PGDATA is not owned by postgres:postgres or if files can be accessed by others,
this is a finding.

As the system administrator, verify the permissions of pgsql shared objects and
compiled binaries:

$ ls -la /usr/pgsql-9.5/bin/
$ ls -la /usr/pgsql-9.5/share
$ ls -la /usr/pgsql-9.5/include

If any of these are not owned by root:root, this is a finding."

  tag "fix": "As the system administrator, change the permissions of PGDATA:

$ sudo chown -R postgres:postgres ${PGDATA?}
$ sudo chmod 700 ${PGDATA?}

As the system administrator, change the permissions of pgsql:

$ sudo chown -R root:root /usr/pgsql-9.5/share/contrib/pgaudit"

  # PG_DATA, PG_OWNER, PG_GROUP and PG_SHARED_LIBS are profile attributes defined
  # outside this control, so the checks below follow the target's installed layout
  # rather than the /usr/pgsql-9.5 RPM paths and postgres:postgres owner quoted in
  # the STIG text. In the run recorded above they resolved to
  # /var/vcap/store/postgresql/data, owner and group "vcap", and the
  # /usr/lib/postgresql/10/{bin,lib}, /usr/include/postgresql/10 and
  # /usr/share/postgresql/10 directories.

  # The data directory itself must be owned by the service account and be
  # inaccessible to group and others (mode 0700).
  describe directory(PG_DATA) do
    it { should be_directory }
    it { should be_owned_by PG_OWNER }
    it { should be_grouped_into PG_GROUP }
    its('mode') { should cmp '0700' }
  end

  find_insecure_files = "find #{PG_DATA} -type f \\( "\
    "! -perm 600 -or ! -user #{PG_OWNER} -or ! -group #{PG_GROUP} \\)"

  describe command(find_insecure_files) do
    its('stdout') { should eq '' }
    its('exit_status') { should cmp 0 }
  end

  find_insecure_dirs = "find #{PG_DATA} -type d \\( "\
    "! -perm 700 -or ! -user #{PG_OWNER} -or ! -group #{PG_GROUP} \\)"

  describe command(find_insecure_dirs) do
    its('stdout') { should eq '' }
    its('exit_status') { should cmp 0 }
  end

  PG_SHARED_LIBS.each do |dir|
    describe directory(dir) do
      it { should be_directory }
      it { should be_owned_by 'root' }
      it { should be_grouped_into 'root' }
    end
  end
end