V-73061

Severity: Medium

Generated

2019-05-20 15:48:11.984914

Status

Passed

PostgreSQL must protect its audit configuration from unauthorized modification.

NIST 800-53

STIG #   Description                              Result
AU-9     AU-9: Protection Of Audit Information    passed

Guidance

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.

Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification of audit tools.

Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Check

All configurations for auditing and logging can be found in the postgresql.conf configuration file. By default, this file is owned by the database administrator account.

To check that postgresql.conf is owned by the database administrator with permissions of 0600, run the following as the database administrator (shown here as "postgres"):

$ sudo su - postgres
$ ls -la ${PGDATA?}

If postgresql.conf is not owned by the database administrator or does not have 0600 permissions, this is a finding.

#### stderr Logging

To check that log files are created with 0600 permissions, query the log_file_mode setting from postgresql.conf:

$ sudo su - postgres
$ psql -c "SHOW log_file_mode"

If the reported mode is not 0600, this is a finding.

#### syslog Logging

If PostgreSQL is configured to use syslog, verify that the log files are owned by root and have 0600 permissions. If they are not, this is a finding.
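As an added example, not part of the STIG text or of the InSpec control in the Code section below: a POSIX shell implementation of the check above that also covers the two conditions the InSpec control does not test, the ownership of postgresql.conf and the syslog case. It assumes GNU stat (Linux) and that it is run as the database administrator; the syslog log path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the STIG text or the InSpec control on this
# page. Implements the V-73061 check in POSIX sh, including the ownership
# test and the syslog branch. Assumes GNU stat (Linux).

# check_conf_file PATH OWNER
# Passes (returns 0) when PATH is a regular file owned by OWNER with mode 0600.
check_conf_file() {
    path=$1; owner=$2
    [ -f "$path" ] || { echo "FAIL: $path is not a regular file"; return 1; }
    who=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")
    [ "$who" = "$owner" ] || { echo "FAIL: $path owned by $who, expected $owner"; return 1; }
    [ "$mode" = "600" ]   || { echo "FAIL: $path mode $mode, expected 0600"; return 1; }
    echo "PASS: $path owned by $owner with mode 0600"
}

# check_log_file_mode DESTINATIONS MODE
# DESTINATIONS is the log_destination value (possibly a list such as
# "stderr, syslog"); MODE is the log_file_mode value. log_file_mode only
# governs files PostgreSQL writes itself (stderr/csvlog), so a syslog-only
# configuration passes here and is covered by check_conf_file on the
# syslog file instead.
check_log_file_mode() {
    dests=$(printf '%s' "$1" | tr -d ' ')
    mode=$2
    case ",$dests," in
        *,stderr,*|*,csvlog,*)
            case "$mode" in
                0600|600) echo "PASS: log_file_mode = $mode"; return 0 ;;
                *) echo "FAIL: log_file_mode = $mode, expected 0600"; return 1 ;;
            esac ;;
    esac
    echo "PASS: log_destination=$dests; PostgreSQL writes no log files itself"
}

# Live use as the database administrator (postgres). The syslog path is a
# placeholder; use the file your syslog daemon writes PostgreSQL messages to.
#   check_conf_file "${PGDATA?}/postgresql.conf" postgres
#   check_log_file_mode "$(psql -Atc 'SHOW log_destination')" \
#                       "$(psql -Atc 'SHOW log_file_mode')"
#   check_conf_file /var/log/PLACEHOLDER-postgresql.log root   # syslog case
```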

Fix

Apply or modify access controls and permissions (both within PostgreSQL and in the file system/operating system) to tools used to view or modify audit log data. Tools must be configurable by authorized personnel only.

$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
log_file_mode = 0600

Next, as the database administrator (shown here as "postgres"), change the ownership and permissions of configuration files in PGDATA:

$ sudo su - postgres
$ chown postgres:postgres ${PGDATA?}/*.conf
$ chmod 0600 ${PGDATA?}/*.conf

Test Results

  Result
File /var/vcap/store/postgresql/data/postgresql.conf should be file passed
File /var/vcap/store/postgresql/data/postgresql.conf mode should cmp == "0600" passed
PostgreSQL query: SHOW log_file_mode; output should cmp == "0600" passed

Code

control "V-73061" do
  title "PostgreSQL must protect its audit configuration from unauthorized
        modification."
  desc  "Protecting audit data also includes identifying and protecting the tools
        used to view and manipulate log data. Therefore, protecting audit tools
        is necessary to prevent unauthorized operation on audit data.

        Applications providing tools to interface with audit data will leverage
        user permissions and roles identifying the user accessing the tools and
        the corresponding rights the user enjoys in order to make access decisions
        regarding the modification of audit tools.

        Audit tools include, but are not limited to, vendor-provided and open source
        audit tools needed to successfully view and manipulate audit information
        system activity and records. Audit tools include custom queries and
        report generators."
  impact 0.5
  tag "severity": "medium"

  tag "gtitle": "SRG-APP-000122-DB-000203"
  tag "gid": "V-73061"
  tag "rid": "SV-87713r1_rule"
  tag "stig_id": "PGS9-00-012200"
  tag "cci": "CCI-001494"
  tag "nist": ["AU-9", "Rev_4"]

  tag "check": "All configurations for auditing and logging can be found in the
      postgresql.conf configuration file. By default, this file is owned by the
      database administrator account.

      To check that the permissions of the postgresql.conf are owned by the database
      administrator with permissions of 0600, run the following as the database
      administrator (shown here as \"postgres\"):

      $ sudo su - postgres
      $ ls -la ${PGDATA?}

      If postgresql.conf is not owned by the database administrator or does not
      have 0600 permissions, this is a finding.

      #### stderr Logging

      To check that logs are created with 0600 permissions, check the
      postgresql.conf file for the following setting:

      $ sudo su - postgres
      $ psql -c \"SHOW log_file_mode\"

      If permissions are not 0600, this is a finding.

      #### syslog Logging

      If PostgreSQL is configured to use syslog, verify that the logs are owned
      by root and have 0600 permissions. If they are not, this is a finding."

  tag "fix": "Apply or modify access controls and permissions (both within PostgreSQL
      and in the file system/operating system) to tools used to view or modify
      audit log data. Tools must be configurable by authorized personnel only.

      $ sudo su - postgres
      $ vi ${PGDATA?}/postgresql.conf
      log_file_mode = 0600

      Next, as the database administrator (shown here as \"postgres\"), change
      the ownership and permissions of configuration files in PGDATA:

      $ sudo su - postgres
      $ chown postgres:postgres ${PGDATA?}/*.conf
      $ chmod 0600 ${PGDATA?}/*.conf"

  describe file(PG_CONF) do
    it { should be_file }
    its('mode') { should cmp '0600' }
  end

  sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)

  log_destination_query = sql.query('SHOW log_destination;', [PG_DB])
  log_destination = log_destination_query.output

  if log_destination =~ /stderr/i
    describe sql.query('SHOW log_file_mode;', [PG_DB]) do
      its('output') { should cmp '0600' }
    end
  end
end