V-73069
Severity: Medium
Generated
2019-05-20 15:48:11.984914
Status
Passed
PostgreSQL must generate audit records for all direct access to the database(s).
NIST 800-53
| STIG # | Description | Result |
|---|---|---|
| AU-12 | AU-12: Audit Generation | failed |
Guidance
In this context, direct access is any query, command, or call to the DBMS that comes from any source other than the application(s) that it supports. Examples would be the command line or a database management utility program. The intent is to capture all activity from administrative and non-standard sources.
Check
As the database administrator, verify pgaudit is enabled by running the following SQL:
$ sudo su - postgres
$ psql -c "SHOW shared_preload_libraries"
If the output does not contain "pgaudit", this is a finding.
Verify that connections and disconnections are being logged by
running the following SQL:
$ sudo su - postgres
$ psql -c "SHOW log_connections"
$ psql -c "SHOW log_disconnections"
If the output does not contain "on",
pgaudit.log='ddl, role, read, write'
log_connections='on'
log_disconnections='on'
this is a finding.
Fix
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
To ensure that logging is enabled, review supplementary content APPENDIX-C
for instructions on enabling logging.
Using pgaudit PostgreSQL can be configured to audit these requests. See
supplementary content APPENDIX-B for documentation on installing pgaudit.
With pgaudit installed the following configurations should be made:
$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
Add the following parameters (or edit existing parameters):
pgaudit.log='ddl, role, read, write'
log_connections='on'
log_disconnections='on'
Now, as the system administrator, reload the server with the new configuration:
# SYSTEMD SERVER ONLY
$ sudo systemctl reload postgresql-9.5
# INITD SERVER ONLY
$ sudo service postgresql-9.5 reload
Test Results
| Result | |
|---|---|
| PostgreSQL query: SHOW shared_preload_libraries; output should include "pgaudit" | passed |
| PostgreSQL query: SHOW log_connections; output should match /on|true/i | passed |
| PostgreSQL query: SHOW log_disconnections; output should match /on|true/i | passed |
Code
control "V-73069" do
title "PostgreSQL must generate audit records for all direct access to the
database(s)."
desc "In this context, direct access is any query, command, or call to the
DBMS that comes from any source other than the application(s) that it
supports. Examples would be the command line or a database management
utility program. The intent is to capture all activity from administrative
and non-standard sources."
impact 0.5
tag "severity": "medium"
tag "gtitle": "SRG-APP-000508-DB-000358"
tag "gid": "V-73069"
tag "rid": "SV-87721r1_rule"
tag "stig_id": "PGS9-00-012700"
tag "cci": "CCI-000172"
tag "nist": ["AU-12 c", "Rev_4"]
tag "check": "As the database administrator, verify pgaudit is enabled by running
the following SQL:
$ sudo su - postgres
$ psql -c \"SHOW shared_preload_libraries\"
If the output does not contain \"pgaudit\", this is a finding.
Verify that connections and disconnections are being logged by
running the following SQL:
$ sudo su - postgres
$ psql -c \"SHOW log_connections\"
$ psql -c \"SHOW log_disconnections\"
If the output does not contain \"on\",
pgaudit.log='ddl, role, read, write'
log_connections='on'
log_disconnections='on'
this is a finding."
tag "fix": "Note: The following instructions use the PGDATA environment
variable. See supplementary content APPENDIX-F for instructions on
configuring PGDATA.
To ensure that logging is enabled, review supplementary content APPENDIX-C
for instructions on enabling logging.
Using pgaudit PostgreSQL can be configured to audit these requests. See
supplementary content APPENDIX-B for documentation on installing pgaudit.
With pgaudit installed the following configurations should be made:
$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
Add the following parameters (or edit existing parameters):
pgaudit.log='ddl, role, read, write'
log_connections='on'
log_disconnections='on'
Now, as the system administrator, reload the server with the new configuration:
# SYSTEMD SERVER ONLY
$ sudo systemctl reload postgresql-9.5
# INITD SERVER ONLY
$ sudo service postgresql-9.5 reload"
sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)
describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do
its('output') { should include 'pgaudit' }
end
describe sql.query('SHOW log_connections;', [PG_DB]) do
its('output') { should match /on|true/i }
end
describe sql.query('SHOW log_disconnections;', [PG_DB]) do
its('output') { should match /on|true/i }
end
end