From 9c00f542e44402fe8c37c74ee2f4b14701879e99 Mon Sep 17 00:00:00 2001
From: MITRE SAF
Date: Fri, 30 Dec 2022 00:05:04 +0000
Subject: [PATCH] Automated ingestion of profiles

Signed-off-by: MITRE SAF
---
 ...crunchy-data-postgresql-stig-baseline.json | 2 +-
 ...crunchy-data-postgresql-stig-baseline.json | 32 +++++++++----------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/src/assets/data/baselineProfiles/aws-rds-crunchy-data-postgresql-stig-baseline.json b/src/assets/data/baselineProfiles/aws-rds-crunchy-data-postgresql-stig-baseline.json
index bfa39dd8..b96ff322 100644
--- a/src/assets/data/baselineProfiles/aws-rds-crunchy-data-postgresql-stig-baseline.json
+++ b/src/assets/data/baselineProfiles/aws-rds-crunchy-data-postgresql-stig-baseline.json
@@ -4787,7 +4787,7 @@
 "id": "crunchy-data-postgresql-stig-baseline-main/controls/V-233623.rb"
 }
 ],
- "sha256": "6fcc312515c5c53a643031360031fc59d0f184fb707f9f5a4e6febe9ddb38ec2",
+ "sha256": "6431172891c10261492aed4e612830491e4cf05c171b20edb93686711d90f8b1",
 "status_message": "",
 "status": "loaded",
 "generator": {
diff --git a/src/assets/data/baselineProfiles/crunchy-data-postgresql-stig-baseline.json b/src/assets/data/baselineProfiles/crunchy-data-postgresql-stig-baseline.json
index 70beea18..5e1ac187 100644
--- a/src/assets/data/baselineProfiles/crunchy-data-postgresql-stig-baseline.json
+++ b/src/assets/data/baselineProfiles/crunchy-data-postgresql-stig-baseline.json
@@ -6,7 +6,7 @@
 "copyright_email": "saf@groups.mitre.org",
 "license": "Apache-2.0",
 "summary": "Inspec Validation Profile for Crunchy Data PostgreSQL Security Technical Implementation Guide Version 1, Release: 1 Benchmark Date: 20 Nov 2020",
- "version": "1.1.5",
+ "version": "1.1.6",
 "inspec_version": ">= 4.0",
 "inputs": [],
 "supports": [],
@@ -196,7 +196,7 @@ "AU-12 c" ] }, - "code": "control\t'V-233560' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to retrieve privileges/permissions \r\n\toccur.\"\r\n\tdesc\t\"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role \r\n\tinformation. Therefore, it must be possible to configure auditing to do this. PostgreSQLs typically make such \r\n\t\tinformation available through views or functions.\r\n\r\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not refer \r\nto the implicit retrieval of privileges/permissions/role memberships that PostgreSQL continually performs to \r\ndetermine if any and every action on the database is permitted.\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGLOG environment variables. 
See supplementary content \r\n\tAPPENDIX-I for instructions on configuring PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), create a role \\\"bob\\\" by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE bob\\\"\r\n\r\nNext, attempt to retrieve information from the pg_authid table:\r\n\r\n$ psql -c \\\"SET ROLE bob; SELECT * FROM pg_authid\\\"\r\n$ psql -c \\\"DROP ROLE bob;\\\"\r\n\r\nNow, as the database administrator (shown here as \\\"postgres\\\"), verify the event was logged in pg_log:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGLOG?}/\r\n< 2016-07-13 16:49:58.864 EDT postgres postgres ERROR: > permission denied for relation pg_authid\r\n< 2016-07-13 16:49:58.864 EDT postgres postgres STATEMENT: > SELECT * FROM pg_authid;\r\n\r\nIf the above steps cannot verify that audit records are produced when PostgreSQL denies retrieval of \r\nprivileges/permissions/role memberships, this is a finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit records when unsuccessful attempts to access privileges \r\n\toccur.\r\n\r\nAll denials are logged if logging is enabled. 
To ensure that logging is enabled, review supplementary content \r\nAPPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000091-DB-000325'\r\n tag gid: 'V-233560'\r\n tag rid: 'SV-233560r617333_rule'\r\n tag stig_id: 'CD12-00-005300'\r\n tag fix_id: 'F-36719r606904_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"CREATE ROLE fooaudit; SET ROLE fooaudit; SELECT * FROM pg_authid; SET ROLE postgres; DROP ROLE fooaudit;\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t \r\n\t describe command(\"grep -r \\\"permission denied for table\\\\|relation\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*pg_authid.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend\r\n\t end\r\n\t \r\n\t end\r\n", + "code": "control\t'V-233560' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to retrieve privileges/permissions \r\n\toccur.\"\r\n\tdesc\t\"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role \r\n\tinformation. Therefore, it must be possible to configure auditing to do this. 
PostgreSQLs typically make such \r\n\t\tinformation available through views or functions.\r\n\r\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not refer \r\nto the implicit retrieval of privileges/permissions/role memberships that PostgreSQL continually performs to \r\ndetermine if any and every action on the database is permitted.\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGLOG environment variables. See supplementary content \r\n\tAPPENDIX-I for instructions on configuring PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), create a role \\\"bob\\\" by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE bob\\\"\r\n\r\nNext, attempt to retrieve information from the pg_authid table:\r\n\r\n$ psql -c \\\"SET ROLE bob; SELECT * FROM pg_authid\\\"\r\n$ psql -c \\\"DROP ROLE bob;\\\"\r\n\r\nNow, as the database administrator (shown here as \\\"postgres\\\"), verify the event was logged in pg_log:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGLOG?}/\r\n< 2016-07-13 16:49:58.864 EDT postgres postgres ERROR: > permission denied for relation pg_authid\r\n< 2016-07-13 16:49:58.864 EDT postgres postgres STATEMENT: > SELECT * FROM pg_authid;\r\n\r\nIf the above steps cannot verify that audit records are produced when PostgreSQL denies retrieval of \r\nprivileges/permissions/role memberships, this is a finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit records when unsuccessful attempts to access privileges \r\n\toccur.\r\n\r\nAll denials are logged if logging is enabled. 
To ensure that logging is enabled, review supplementary content \r\nAPPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000091-DB-000325'\r\n tag gid: 'V-233560'\r\n tag rid: 'SV-233560r617333_rule'\r\n tag stig_id: 'CD12-00-005300'\r\n tag fix_id: 'F-36719r606904_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe sql.query('CREATE ROLE fooaudit; SET ROLE fooaudit; SELECT * FROM pg_authid; SET ROLE postgres; DROP ROLE fooaudit;', [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t \r\n\t describe command(\"grep -r \\\"permission denied for table\\\\|relation\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*pg_authid.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend\r\n\t end\r\n\t \r\n\t end\r\n", "source_location": { "ref": "./PostgreSQL STIG/controls/V-233560.rb", "line": 3 
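Review bot: The new `describe sql.query('CREATE ROLE fooaudit; SET ROLE fooaudit; SELECT * FROM pg_authid; SET ROLE postgres; DROP ROLE fooaudit;', [pg_db])` block is meant to be denied so the grep below has an audit record to find, but as far as I recall InSpec's `postgres_session#query` (in the 4.x line this profile pins with `inspec_version: ">= 4.0"`) raises `Inspec::Exceptions::ResourceFailed` when psql exits non-zero or prints `ERROR:`, whereas the replaced `command(...)` form tolerated the error; confirm against the InSpec release actually used, because if so this control now reports a resource failure instead of reaching the grep. Independently, `its('output') { should match // }` accepts any output, including an empty string, so the describe asserts nothing; a comment such as `# This statement is expected to be denied; it exists only to produce the audit record that the grep below verifies.` would at least make that deliberate. The query also hard-codes `SET ROLE postgres` to switch back while the session was opened as `pg_dba`, so it breaks whenever that input names a different superuser; `SET ROLE #{pg_dba}` in a double-quoted Ruby string keeps the two consistent. The first two points apply equally to the V-233572, V-233555 and V-233547 hunks, and the hard-coded `postgres` recurs in V-233547 (whose hunk runs past the end of this chunk). The enclosing control object continues outside the hunk.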
@@ -580,7 +580,7 @@ "AU-12 c" ] }, - "code": "control\t'V-233572' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to execute privileged activities or \r\n\tother system-level access occur.\"\r\n\tdesc\t\"Without tracking privileged activity, it would be difficult to establish, correlate, and investigate \r\n\tthe events relating to an incident or identify those responsible for one.\r\n\r\nSystem documentation should include a definition of the functionality considered privileged.\r\n\r\nA privileged function in this context is any operation that modifies the structure of the database, its built-in \r\nlogic, or its security settings. This would include all Data Definition Language (DDL) statements and all \r\nsecurity-related statements. In an SQL environment, it encompasses, but is not necessarily limited to:\r\n\r\nCREATE\r\nALTER\r\nDROP\r\nGRANT\r\nREVOKE\r\n\r\nNote: It is particularly important to audit, and tightly control, any action that weakens the implementation of this \r\nrequirement itself, since the objective is to have a complete audit trail of all administrative activity.\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. 
See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I on PGLOG.\r\n\r\nAs the database administrator (shown here as \\\"postgres\\\"), create the role \\\"bob\\\" by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE bob\\\"\r\n\r\nNext, change the current role to bob and attempt to execute privileged activity:\r\n\r\n$ psql -c \\\"CREATE ROLE stig_test SUPERUSER\\\"\r\n$ psql -c \\\"CREATE ROLE stig_test CREATEDB\\\"\r\n$ psql -c \\\"CREATE ROLE stig_test CREATEROLE\\\"\r\n$ psql -c \\\"CREATE ROLE stig_test CREATEUSER\\\"\r\n\r\nNow, as the database administrator (shown here as \\\"postgres\\\"), verify that an audit event was produced (use the \r\nlatest log):\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-02-23 20:16:32.396 EST postgres 56cfa74f.79eb postgres: >ERROR: must be superuser to create superusers\r\n< 2016-02-23 20:16:32.396 EST postgres 56cfa74f.79eb postgres: >STATEMENT: CREATE ROLE stig_test SUPERUSER;\r\n< 2016-02-23 20:16:48.725 EST postgres 56cfa74f.79eb postgres: >ERROR: permission denied to create role\r\n< 2016-02-23 20:16:48.725 EST postgres 56cfa74f.79eb postgres: >STATEMENT: CREATE ROLE stig_test CREATEDB;\r\n< 2016-02-23 20:16:54.365 EST postgres 56cfa74f.79eb postgres: >ERROR: permission denied to create role\r\n< 2016-02-23 20:16:54.365 EST postgres 56cfa74f.79eb postgres: >STATEMENT: CREATE ROLE stig_test CREATEROLE;\r\n< 2016-02-23 20:17:05.949 EST postgres 56cfa74f.79eb postgres: >ERROR: must be superuser to create superusers\r\n< 2016-02-23 20:17:05.949 EST postgres 56cfa74f.79eb postgres: >STATEMENT: CREATE ROLE stig_test CREATEUSER;\r\n\r\nIf audit records are not produced, this is a finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit records when unsuccessful attempts to execute privileged SQL.\r\n\r\nAll denials are logged by default if logging is enabled. 
To ensure that logging is enabled, review supplementary \r\ncontent APPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000504-DB-000355'\r\n tag gid: 'V-233572'\r\n tag rid: 'SV-233572r617333_rule'\r\n tag stig_id: 'CD12-00-006500'\r\n tag fix_id: 'F-36731r606940_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"CREATE ROLE fooaudit; SET ROLE fooaudit; CREATE ROLE fooauditbad SUPERUSER;\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"must be superuser to create superusers\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*must be superuser to create superusers.*$/ }\r\n\t\tend \r\n\t \r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"CREATE ROLE fooauditbad CREATEDB; CREATE ROLE fooauditbad CREATEROLE\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"permission denied to create role\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*permission denied to create role.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend \r\n\t end\r\n\t \r\n\t end\r\n", + "code": "control\t'V-233572' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to execute privileged activities or \r\n\tother system-level access occur.\"\r\n\tdesc\t\"Without tracking privileged activity, it would be difficult to establish, correlate, and investigate \r\n\tthe events relating to an incident or identify those responsible for one.\r\n\r\nSystem documentation should include a definition of the functionality considered privileged.\r\n\r\nA privileged function in this context is any operation that modifies the structure of the database, its built-in \r\nlogic, or its security settings. This would include all Data Definition Language (DDL) statements and all \r\nsecurity-related statements. In an SQL environment, it encompasses, but is not necessarily limited to:\r\n\r\nCREATE\r\nALTER\r\nDROP\r\nGRANT\r\nREVOKE\r\n\r\nNote: It is particularly important to audit, and tightly control, any action that weakens the implementation of this \r\nrequirement itself, since the objective is to have a complete audit trail of all administrative activity.\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. 
See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I on PGLOG.\r\n\r\nAs the database administrator (shown here as \\\"postgres\\\"), create the role \\\"bob\\\" by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE bob\\\"\r\n\r\nNext, change the current role to bob and attempt to execute privileged activity:\r\n\r\n$ psql -c \\\"CREATE ROLE stig_test SUPERUSER\\\"\r\n$ psql -c \\\"CREATE ROLE stig_test CREATEDB\\\"\r\n$ psql -c \\\"CREATE ROLE stig_test CREATEROLE\\\"\r\n$ psql -c \\\"CREATE ROLE stig_test CREATEUSER\\\"\r\n\r\nNow, as the database administrator (shown here as \\\"postgres\\\"), verify that an audit event was produced (use the \r\nlatest log):\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-02-23 20:16:32.396 EST postgres 56cfa74f.79eb postgres: >ERROR: must be superuser to create superusers\r\n< 2016-02-23 20:16:32.396 EST postgres 56cfa74f.79eb postgres: >STATEMENT: CREATE ROLE stig_test SUPERUSER;\r\n< 2016-02-23 20:16:48.725 EST postgres 56cfa74f.79eb postgres: >ERROR: permission denied to create role\r\n< 2016-02-23 20:16:48.725 EST postgres 56cfa74f.79eb postgres: >STATEMENT: CREATE ROLE stig_test CREATEDB;\r\n< 2016-02-23 20:16:54.365 EST postgres 56cfa74f.79eb postgres: >ERROR: permission denied to create role\r\n< 2016-02-23 20:16:54.365 EST postgres 56cfa74f.79eb postgres: >STATEMENT: CREATE ROLE stig_test CREATEROLE;\r\n< 2016-02-23 20:17:05.949 EST postgres 56cfa74f.79eb postgres: >ERROR: must be superuser to create superusers\r\n< 2016-02-23 20:17:05.949 EST postgres 56cfa74f.79eb postgres: >STATEMENT: CREATE ROLE stig_test CREATEUSER;\r\n\r\nIf audit records are not produced, this is a finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit records when unsuccessful attempts to execute privileged SQL.\r\n\r\nAll denials are logged by default if logging is enabled. 
To ensure that logging is enabled, review supplementary \r\ncontent APPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000504-DB-000355'\r\n tag gid: 'V-233572'\r\n tag rid: 'SV-233572r617333_rule'\r\n tag stig_id: 'CD12-00-006500'\r\n tag fix_id: 'F-36731r606940_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe sql.query('CREATE ROLE fooaudit; SET ROLE fooaudit; CREATE ROLE fooauditbad SUPERUSER;', [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"must be superuser to create superusers\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*must be superuser to create superusers.*$/ }\r\n\t\tend \r\n\t \r\n\t\tdescribe sql.query('CREATE ROLE fooauditbad CREATEDB; CREATE ROLE fooauditbad CREATEROLE;', [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"permission denied to create role\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*permission denied to create role.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend \r\n\t end\r\n\t \r\n\t end\r\n", "source_location": { "ref": "./PostgreSQL STIG/controls/V-233572.rb", "line": 3 
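Review bot: The second query on the new side, `sql.query('CREATE ROLE fooauditbad CREATEDB; CREATE ROLE fooauditbad CREATEROLE;', [pg_db])`, runs in a fresh session as `pg_dba` with no `SET ROLE` to an unprivileged role, so assuming `pg_dba` is the superuser the check text describes these statements are not denied and the following grep for `permission denied to create role` can only match entries that something else left in the log (the replaced `command(...)` form had the same gap, so the behaviour is unchanged but still wrong). The `desc 'check'` text above describes switching to the unprivileged role first, and mirroring the first query with `SET ROLE fooaudit;` ahead of the two `CREATE ROLE` statements would make the denial reproducible; whether `fooaudit` survives the failed first query depends on how psql handles a multi-statement `-c` that errors, so re-creating it in the second query is the safer form. Unlike the V-233560 query, neither statement list here drops the `fooaudit` or `fooauditbad` roles it creates, so anything that does get committed is left on the server between runs; a trailing `DROP ROLE IF EXISTS` for both, after switching back to `pg_dba`, would keep the check self-cleaning. The enclosing control object continues outside the hunk.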
@@ -932,7 +932,7 @@ "AU-12 c" ] }, - "code": "control\t'V-233555' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to modify security objects occur.\"\r\n\tdesc\t\"Changes in the database objects (tables, views, procedures, functions) that record and control \r\n\tpermissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, \r\n\tunauthorized changes to the security subsystem could go undetected. The database could be severely compromised \r\n\tor rendered inoperative.\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nAs the database administrator (shown here as \\\"postgres\\\"), create a test role by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE bob\\\"\r\n\r\nNext, to test if audit records are generated from unsuccessful attempts at modifying security objects, run the \r\nfollowing SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; UPDATE pg_authid SET rolsuper = 't' WHERE rolname = 'bob';\\\"\r\n\r\nNext, as the database administrator (shown here as \\\"postgres\\\"), verify the denials were logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-17 10:34:00.017 EDT bob 56eabf52.b62 postgres: >ERROR: permission denied for relation pg_authid\r\n< 2016-03-17 10:34:00.017 EDT bob 56eabf52.b62 postgres: >STATEMENT: UPDATE pg_authid SET rolsuper = 't' WHERE \r\nrolname = 'bob';\r\n\r\nIf denials are not logged, this is a finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit records when unsuccessful attempts to modify security \r\n\tobjects occur.\r\n\r\nUnsuccessful attempts to modify security 
objects can be logged if logging is enabled. To ensure logging is enabled,\r\n review supplementary content APPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000496-DB-000335'\r\n tag gid: 'V-233555'\r\n tag rid: 'SV-233555r617333_rule'\r\n tag stig_id: 'CD12-00-004800'\r\n tag fix_id: 'F-36714r606889_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n\tif file(pg_audit_log_dir).exist? \r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"CREATE ROLE permdeniedtest; SET ROLE permdeniedtest; UPDATE pg_authid SET rolsuper = 't' WHERE rolname = 'permdeniedtest'; DROP ROLE IF EXISTS permdeniedtest;\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"permission denied for relation\\\\|table pg_authid\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*permission denied for (relation|table) pg_authid.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend\r\n\t end\r\n\t \r\n\t end\r\n", + "code": "control\t'V-233555' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to modify security objects occur.\"\r\n\tdesc\t\"Changes in the database objects (tables, views, procedures, functions) that record and control \r\n\tpermissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, \r\n\tunauthorized changes to the security subsystem could go undetected. The database could be severely compromised \r\n\tor rendered inoperative.\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nAs the database administrator (shown here as \\\"postgres\\\"), create a test role by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE bob\\\"\r\n\r\nNext, to test if audit records are generated from unsuccessful attempts at modifying security objects, run the \r\nfollowing SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; UPDATE pg_authid SET rolsuper = 't' WHERE rolname = 'bob';\\\"\r\n\r\nNext, as the database administrator (shown here as \\\"postgres\\\"), verify the denials were logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-17 10:34:00.017 EDT bob 56eabf52.b62 postgres: >ERROR: permission denied for relation pg_authid\r\n< 2016-03-17 10:34:00.017 EDT bob 56eabf52.b62 postgres: >STATEMENT: UPDATE pg_authid SET rolsuper = 't' WHERE \r\nrolname = 'bob';\r\n\r\nIf denials are not logged, this is a finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit 
records when unsuccessful attempts to modify security \r\n\tobjects occur.\r\n\r\nUnsuccessful attempts to modify security objects can be logged if logging is enabled. To ensure logging is enabled,\r\n review supplementary content APPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000496-DB-000335'\r\n tag gid: 'V-233555'\r\n tag rid: 'SV-233555r617333_rule'\r\n tag stig_id: 'CD12-00-004800'\r\n tag fix_id: 'F-36714r606889_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n\tif file(pg_audit_log_dir).exist? \r\n\t\tdescribe sql.query(\"CREATE ROLE permdeniedtest; SET ROLE permdeniedtest; UPDATE pg_authid SET rolsuper = 't' WHERE rolname = 'permdeniedtest'; DROP ROLE IF EXISTS permdeniedtest;\", [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"permission denied for relation\\\\|table pg_authid\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*permission denied for (relation|table) pg_authid.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend\r\n\t end\r\n\t \r\n\t end\r\n", "source_location": { "ref": "./PostgreSQL STIG/controls/V-233555.rb", "line": 3 
@@ -1284,7 +1284,7 @@ "CM-5 (1)" ] }, - "code": "control\t'V-233547' do\r\n\ttitle\t\"PostgreSQL must produce audit records of its enforcement of access restrictions associated with changes \r\n\tto the configuration of PostgreSQL or database(s).\"\r\n\tdesc\t\"Without auditing the enforcement of access restrictions against changes to configuration, it would be \r\n\tdifficult to identify attempted attacks and an audit trail would not be available for forensic investigation for \r\n\tafter-the-fact actions.\r\n\r\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. \r\nEnforcement action methods may be as simple as denying access to a file based on the application of file permissions \r\n(access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes \r\nidentified after the fact.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA environment variable. 
See supplementary \r\n\tcontent APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nTo verify that system denies are logged when unprivileged users attempt to change database configuration, as the \r\ndatabase administrator (shown here as \\\"postgres\\\"), run the following commands:\r\n\r\n$ sudo su - postgres\r\n$ psql\r\n\r\nNext, create a role with no privileges, change the current role to that user and attempt to change a configuration \r\nby running the following SQL:\r\n\r\nCREATE ROLE bob;\r\nSET ROLE bob;\r\nSET pgaudit.role='test';\r\nRESET ROLE;\r\nDROP ROLE bob;\r\n\r\nNow check ${PGLOG?} (use the latest log):\r\n\r\n$ cat ${PGDATA?}/${PGLOG?}/postgresql-Thu.log\r\n< 2016-01-28 17:57:34.092 UTC bob postgres: >ERROR: permission denied to set parameter \\\"pgaudit.role\\\"\r\n< 2016-01-28 17:57:34.092 UTC bob postgres: >STATEMENT: SET pgaudit.role='test';\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\nBy default PostgreSQL configuration files are owned by the postgres user and cannot be edited by non-privileged users:\r\n\r\n$ ls -la ${PGDATA?} | grep postgresql.conf\r\n-rw-------. 1 postgres postgres 21758 Jan 22 10:27 postgresql.conf\r\n\r\nIf postgresql.conf is not owned by the database owner and does not have read and write permissions for the owner, \r\nthis is a finding.\"\r\n\tdesc\t'fix', \"Enable logging.\r\n\r\nAll denials are logged by default if logging is enabled. 
To ensure that logging is enabled, review supplementary \r\ncontent APPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000381-DB-000361'\r\n tag gid: 'V-233547'\r\n tag rid: 'SV-233547r617333_rule'\r\n tag stig_id: 'CD12-00-004100'\r\n tag fix_id: 'F-36706r606865_fix'\r\n tag cci: [\"CCI-001814\"]\r\n tag nist: [\"CM-5 (1)\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n #Execute an incorrectly-formed SQL statement with bad syntax, to prompt log ouput\r\n if file(pg_audit_log_dir).exist?\r\n\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"CREATE ROLE pgauditrolefailuretest; SET ROLE pgauditrolefailuretest; SET pgaudit.role='test'; SET ROLE postgres; DROP ROLE IF EXISTS pgauditrolefailuretest;\\\"\") do\r\n\t its('stdout') { should match // }\r\n\tend\r\n \r\n\t#Find the most recently modified log file in the pg_audit_log_dir, grep for the syntax error statement, and then\r\n\t#test to validate the output matches the regex.\r\n \r\n\tdescribe command(\"grep -r \\\"permission denied to set parameter\\\" #{pg_audit_log_dir}\") do\r\n\t its('stdout') { should match /^.*permission denied to set parameter ..pgaudit.role..*$/ }\r\n\tend \r\n else\r\n\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t skip \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\tend\r\n end\r\n\t\r\n end\r\n", + "code": "control\t'V-233547' do\r\n\ttitle\t\"PostgreSQL must produce audit records of its enforcement of access restrictions associated with changes \r\n\tto the configuration of PostgreSQL or database(s).\"\r\n\tdesc\t\"Without auditing the enforcement of access restrictions against changes to configuration, it would be \r\n\tdifficult to identify attempted attacks and an audit trail would not be available for forensic investigation for \r\n\tafter-the-fact actions.\r\n\r\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. \r\nEnforcement action methods may be as simple as denying access to a file based on the application of file permissions \r\n(access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes \r\nidentified after the fact.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA environment variable. 
See supplementary \r\n\tcontent APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nTo verify that system denies are logged when unprivileged users attempt to change database configuration, as the \r\ndatabase administrator (shown here as \\\"postgres\\\"), run the following commands:\r\n\r\n$ sudo su - postgres\r\n$ psql\r\n\r\nNext, create a role with no privileges, change the current role to that user and attempt to change a configuration \r\nby running the following SQL:\r\n\r\nCREATE ROLE bob;\r\nSET ROLE bob;\r\nSET pgaudit.role='test';\r\nRESET ROLE;\r\nDROP ROLE bob;\r\n\r\nNow check ${PGLOG?} (use the latest log):\r\n\r\n$ cat ${PGDATA?}/${PGLOG?}/postgresql-Thu.log\r\n< 2016-01-28 17:57:34.092 UTC bob postgres: >ERROR: permission denied to set parameter \\\"pgaudit.role\\\"\r\n< 2016-01-28 17:57:34.092 UTC bob postgres: >STATEMENT: SET pgaudit.role='test';\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\nBy default PostgreSQL configuration files are owned by the postgres user and cannot be edited by non-privileged users:\r\n\r\n$ ls -la ${PGDATA?} | grep postgresql.conf\r\n-rw-------. 1 postgres postgres 21758 Jan 22 10:27 postgresql.conf\r\n\r\nIf postgresql.conf is not owned by the database owner and does not have read and write permissions for the owner, \r\nthis is a finding.\"\r\n\tdesc\t'fix', \"Enable logging.\r\n\r\nAll denials are logged by default if logging is enabled. 
To ensure that logging is enabled, review supplementary \r\ncontent APPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000381-DB-000361'\r\n tag gid: 'V-233547'\r\n tag rid: 'SV-233547r617333_rule'\r\n tag stig_id: 'CD12-00-004100'\r\n tag fix_id: 'F-36706r606865_fix'\r\n tag cci: [\"CCI-001814\"]\r\n tag nist: [\"CM-5 (1)\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n #Execute an incorrectly-formed SQL statement with bad syntax, to prompt log ouput\r\n if file(pg_audit_log_dir).exist?\r\n\tdescribe sql.query(\"CREATE ROLE pgauditrolefailuretest; SET ROLE pgauditrolefailuretest; SET pgaudit.role='test'; SET ROLE postgres; DROP ROLE IF EXISTS pgauditrolefailuretest;\", [pg_db]) do\r\n\t its('output') { should match // }\r\n\tend\r\n \r\n\t#Find the most recently modified log file in the pg_audit_log_dir, grep for the syntax error statement, and then\r\n\t#test to validate the output matches the regex.\r\n \r\n\tdescribe command(\"grep -r \\\"permission denied to set parameter\\\" #{pg_audit_log_dir}\") do\r\n\t its('stdout') { should match /^.*permission denied to set parameter ..pgaudit.role..*$/ }\r\n\tend \r\n else\r\n\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t skip \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\tend\r\n end\r\n\t\r\n end\r\n", "source_location": { "ref": "./PostgreSQL STIG/controls/V-233547.rb", "line": 3 
@@ -1828,7 +1828,7 @@ "AU-9" ] }, - "code": "control\t'V-233549' do\r\n\ttitle\t\"The audit information produced by PostgreSQL must be protected from unauthorized read access.\"\r\n\tdesc\t\"If audit data were to become compromised, then competent forensic analysis and discovery of the true \r\n\tsource of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access \r\n\tto audit records provides information an attacker could potentially use to their advantage.\r\n\r\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information \r\nfrom any and all unauthorized access. This includes read, write, copy, etc.\r\n\r\nThis requirement can be achieved through multiple methods, which will depend upon system architecture and design. \r\nSome commonly employed methods include ensuring log files enjoy the proper file system permissions utilizing file \r\nsystem protections and limiting log data location.\r\n\r\nAdditionally, applications with user interfaces to audit records should not allow for the unfettered manipulation of \r\nor access to those records via the application. If the application provides access to the audit data, the application \r\nbecomes accountable for ensuring that audit information is protected from unauthorized access.\r\n\r\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to \r\nsuccessfully audit information system activity.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGLOG environment variable. 
See supplementary content \r\n\tAPPENDIX-I for instructions on configuring PGLOG.\r\n\r\nReview locations of audit logs, both internal to the database and database audit logs located at the operating \r\nsystem level.\r\n\r\nVerify there are appropriate controls and permissions to protect the audit information from unauthorized access.\r\n\r\n#### syslog Logging\r\n\r\nIf PostgreSQL is configured to use syslog for logging, consult organization location and permissions for syslog log \r\nfiles.\r\n\r\n#### stderr Logging\r\n\r\nAs the database administrator (shown here as \\\"postgres\\\"), check the current log_file_mode configuration by running \r\nthe following:\r\n\r\nNote: Consult the organization's documentation on acceptable log privileges.\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SHOW log_file_mode\\\"\r\n\r\nIf log_file_mode is not 600, this is a finding.\r\n\r\nNext, verify the log files have the set permissions in ${PG_LOG?}:\r\n\r\n$ ls -l ${PGLOG?}/\r\ntotal 32\r\n-rw-------. 1 postgres postgres 0 Apr 8 00:00 postgresql-Fri.log\r\n-rw-------. 1 postgres postgres 8288 Apr 11 17:36 postgresql-Mon.log\r\n-rw-------. 1 postgres postgres 0 Apr 9 00:00 postgresql-Sat.log\r\n-rw-------. 1 postgres postgres 0 Apr 10 00:00 postgresql-Sun.log\r\n-rw-------. 1 postgres postgres 16212 Apr 7 17:05 postgresql-Thu.log \r\n-rw-------. 1 postgres postgres 1130 Apr 6 17:56 postgresql-Wed.log \r\n\r\nIf logs with 600 permissions do not exist in ${PG_LOG?}, this is a finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. 
\r\n\r\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\r\n\r\n#### syslog Logging\r\n\r\nIf PostgreSQL is configured to use syslog for logging, consult organization location and permissions for syslog log \r\nfiles.\r\n\r\n#### stderr Logging\r\n\r\nIf PostgreSQL is configured to use stderr for logging, permissions of the log files can be set in postgresql.conf.\r\n\r\nAs the database administrator (shown here as \\\"postgres\\\"), edit the following settings of logs in the \r\npostgresql.conf file:\r\n\r\nNote: Consult the organization's documentation on acceptable log privileges.\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\nlog_file_mode = 0600\r\n\r\nNext, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000118-DB-000059'\r\n tag gid: 'V-233549'\r\n tag rid: 'SV-233549r617333_rule'\r\n tag stig_id: 'CD12-00-004200'\r\n tag fix_id: 'F-36708r606871_fix'\r\n tag cci: [\"CCI-000162\"]\r\n tag nist: [\"AU-9\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"SHOW log_file_mode\\\"\") do\r\n\t\tits('stdout') { should match /0600/ }\r\n\t end\r\n\t \r\n\t command(\"find #{pg_audit_log_dir} -type f\").stdout.split.each do |logfile|\r\n\t describe file(logfile) do\r\n\t\t its('mode') { should cmp '0600' }\r\n\t end\r\n\t end\r\n\t end\r\n", + "code": "control\t'V-233549' do\r\n\ttitle\t\"The audit information produced by PostgreSQL must be protected from unauthorized read access.\"\r\n\tdesc\t\"If audit 
data were to become compromised, then competent forensic analysis and discovery of the true \r\n\tsource of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access \r\n\tto audit records provides information an attacker could potentially use to their advantage.\r\n\r\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information \r\nfrom any and all unauthorized access. This includes read, write, copy, etc.\r\n\r\nThis requirement can be achieved through multiple methods, which will depend upon system architecture and design. \r\nSome commonly employed methods include ensuring log files enjoy the proper file system permissions utilizing file \r\nsystem protections and limiting log data location.\r\n\r\nAdditionally, applications with user interfaces to audit records should not allow for the unfettered manipulation of \r\nor access to those records via the application. If the application provides access to the audit data, the application \r\nbecomes accountable for ensuring that audit information is protected from unauthorized access.\r\n\r\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to \r\nsuccessfully audit information system activity.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGLOG environment variable. 
See supplementary content \r\n\tAPPENDIX-I for instructions on configuring PGLOG.\r\n\r\nReview locations of audit logs, both internal to the database and database audit logs located at the operating \r\nsystem level.\r\n\r\nVerify there are appropriate controls and permissions to protect the audit information from unauthorized access.\r\n\r\n#### syslog Logging\r\n\r\nIf PostgreSQL is configured to use syslog for logging, consult organization location and permissions for syslog log \r\nfiles.\r\n\r\n#### stderr Logging\r\n\r\nAs the database administrator (shown here as \\\"postgres\\\"), check the current log_file_mode configuration by running \r\nthe following:\r\n\r\nNote: Consult the organization's documentation on acceptable log privileges.\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SHOW log_file_mode\\\"\r\n\r\nIf log_file_mode is not 600, this is a finding.\r\n\r\nNext, verify the log files have the set permissions in ${PG_LOG?}:\r\n\r\n$ ls -l ${PGLOG?}/\r\ntotal 32\r\n-rw-------. 1 postgres postgres 0 Apr 8 00:00 postgresql-Fri.log\r\n-rw-------. 1 postgres postgres 8288 Apr 11 17:36 postgresql-Mon.log\r\n-rw-------. 1 postgres postgres 0 Apr 9 00:00 postgresql-Sat.log\r\n-rw-------. 1 postgres postgres 0 Apr 10 00:00 postgresql-Sun.log\r\n-rw-------. 1 postgres postgres 16212 Apr 7 17:05 postgresql-Thu.log \r\n-rw-------. 1 postgres postgres 1130 Apr 6 17:56 postgresql-Wed.log \r\n\r\nIf logs with 600 permissions do not exist in ${PG_LOG?}, this is a finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. 
\r\n\r\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\r\n\r\n#### syslog Logging\r\n\r\nIf PostgreSQL is configured to use syslog for logging, consult organization location and permissions for syslog log \r\nfiles.\r\n\r\n#### stderr Logging\r\n\r\nIf PostgreSQL is configured to use stderr for logging, permissions of the log files can be set in postgresql.conf.\r\n\r\nAs the database administrator (shown here as \\\"postgres\\\"), edit the following settings of logs in the \r\npostgresql.conf file:\r\n\r\nNote: Consult the organization's documentation on acceptable log privileges.\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\nlog_file_mode = 0600\r\n\r\nNext, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000118-DB-000059'\r\n tag gid: 'V-233549'\r\n tag rid: 'SV-233549r617333_rule'\r\n tag stig_id: 'CD12-00-004200'\r\n tag fix_id: 'F-36708r606871_fix'\r\n tag cci: [\"CCI-000162\"]\r\n tag nist: [\"AU-9\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n\tdescribe sql.query('SHOW log_file_mode;', [pg_db]) do\r\n\t\tits('output') { should match /0600/ }\r\n\t end\r\n\t \r\n\t command(\"find #{pg_audit_log_dir} -type f\").stdout.split.each do |logfile|\r\n\t describe file(logfile) do\r\n\t\t its('mode') { should cmp '0600' }\r\n\t end\r\n\t end\r\n\t end\r\n", "source_location": { "ref": "./PostgreSQL STIG/controls/V-233549.rb", "line": 3 
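Review bot: In the `command("find #{pg_audit_log_dir} -type f").stdout.split.each` loop at the end of the new V-233549 code, an empty result — the directory missing, unreadable, or holding no log files yet — generates zero `describe` blocks, so the 0600 permission check passes vacuously even though the STIG text quoted in the same control makes the absence of 600-mode logs a finding. Guard the loop with an explicit emptiness assertion, e.g. `logfiles = command("find '#{pg_audit_log_dir}' -type f").stdout.split` followed by `describe logfiles do it { should_not be_empty } end`, or reuse the `file(pg_audit_log_dir).exist?` / `skip` pattern that V-233547, V-233562 and V-233561 in this same diff use so the operator sees why nothing ran. Quoting the path also stops a directory name containing spaces or shell metacharacters from being split or interpreted, since the input is interpolated straight into a shell command, and whitespace `.split` will likewise mangle any log path with a space (`-print0` plus `split("\0")` avoids that if such paths are possible). Moving `SHOW log_file_mode` onto `postgres_session` keeps the DBA password out of the visible test description, which the old `PGPASSWORD=... psql` command string exposed; note that `pg_ver` and `pg_log_dir` are still read and never used.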
@@ -1956,7 +1956,7 @@ "AU-12 c" ] }, - "code": "control\t'V-233562' do\r\n\ttitle\t\"PostgreSQL must be able to generate audit records when privileges/permissions are retrieved.\"\r\n\tdesc\t\"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role \r\n\tinformation. Therefore, it must be possible to configure auditing to do this. PostgreSQLs typically make such \r\n\t\tinformation available through views or functions.\r\n\r\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not \r\nrefer to the implicit retrieval of privileges/permissions/role memberships that PostgreSQL continually performs \r\nto determine if any and every action on the database is permitted.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGLOG environment variable. See supplementary \r\n\tcontent APPENDIX-I for instructions on configuring PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), check if pgaudit is enabled by running the \r\nfollowing SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\r\n\r\nIf pgaudit is not found in the results, this is a finding.\r\n\r\nNext, as the database administrator (shown here as \\\"postgres\\\"), list all role memberships for the database:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"\\du\\\"\r\n\r\nNext, verify the query was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGLOG?}/\r\n\r\nThis should, as an example, return (among other rows):\r\n2016-01-28 19:43:12.126 UTC postgres postgres: >LOG: AUDIT: SESSION,1,1,READ,SELECT,,,\\\"SELECT r.rolname, \r\nr.rolsuper, r.rolinherit,\r\nr.rolcreaterole, r.rolcreatedb, r.rolcanlogin,\r\nr.rolconnlimit, r.rolvaliduntil,\r\nARRAY(SELECT b.rolname\r\nFROM pg_catalog.pg_auth_members m\r\nJOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)\r\nWHERE m.member = r.oid) as memberof\r\n, r.rolreplication\r\n, 
r.rolbypassrls\r\nFROM pg_catalog.pg_roles r\r\nORDER BY 1;\\\",\r\n\r\nIf audit records are not produced, this is a finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\r\n\r\nUsing pgaudit PostgreSQL can be configured to audit these requests. See supplementary content APPENDIX-B \r\nfor documentation on installing pgaudit.\r\n\r\nWith pgaudit installed the following configurations can be made:\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\n\r\nAdd the following parameters (or edit existing parameters): \r\n\r\npgaudit.log_catalog = 'on'\r\npgaudit.log = 'read'\r\n\r\nNow, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000091-DB-000066'\r\n tag gid: 'V-233562'\r\n tag rid: 'SV-233562r617333_rule'\r\n tag stig_id: 'CD12-00-005500'\r\n tag fix_id: 'F-36721r606910_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\ndescribe sql.query('SHOW shared_preload_libraries;', [pg_db]) do\r\n\tits('output') { should include 'pgaudit' }\r\nend\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"\\\\du\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match 
/^.*pg_catalog.pg_roles.*$/ }\r\n\t\t end \r\n\t else\r\n\t\t describe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\t end\r\n\t end\r\nend\r\n", + "code": "control\t'V-233562' do\r\n\ttitle\t\"PostgreSQL must be able to generate audit records when privileges/permissions are retrieved.\"\r\n\tdesc\t\"Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role \r\n\tinformation. Therefore, it must be possible to configure auditing to do this. PostgreSQLs typically make such \r\n\t\tinformation available through views or functions.\r\n\r\nThis requirement addresses explicit requests for privilege/permission/role membership information. It does not \r\nrefer to the implicit retrieval of privileges/permissions/role memberships that PostgreSQL continually performs \r\nto determine if any and every action on the database is permitted.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGLOG environment variable. 
See supplementary \r\n\tcontent APPENDIX-I for instructions on configuring PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), check if pgaudit is enabled by running the \r\nfollowing SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\r\n\r\nIf pgaudit is not found in the results, this is a finding.\r\n\r\nNext, as the database administrator (shown here as \\\"postgres\\\"), list all role memberships for the database:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"\\du\\\"\r\n\r\nNext, verify the query was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGLOG?}/\r\n\r\nThis should, as an example, return (among other rows):\r\n2016-01-28 19:43:12.126 UTC postgres postgres: >LOG: AUDIT: SESSION,1,1,READ,SELECT,,,\\\"SELECT r.rolname, \r\nr.rolsuper, r.rolinherit,\r\nr.rolcreaterole, r.rolcreatedb, r.rolcanlogin,\r\nr.rolconnlimit, r.rolvaliduntil,\r\nARRAY(SELECT b.rolname\r\nFROM pg_catalog.pg_auth_members m\r\nJOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)\r\nWHERE m.member = r.oid) as memberof\r\n, r.rolreplication\r\n, r.rolbypassrls\r\nFROM pg_catalog.pg_roles r\r\nORDER BY 1;\\\",\r\n\r\nIf audit records are not produced, this is a finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\r\n\r\nUsing pgaudit PostgreSQL can be configured to audit these requests. 
See supplementary content APPENDIX-B \r\nfor documentation on installing pgaudit.\r\n\r\nWith pgaudit installed the following configurations can be made:\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\n\r\nAdd the following parameters (or edit existing parameters): \r\n\r\npgaudit.log_catalog = 'on'\r\npgaudit.log = 'read'\r\n\r\nNow, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000091-DB-000066'\r\n tag gid: 'V-233562'\r\n tag rid: 'SV-233562r617333_rule'\r\n tag stig_id: 'CD12-00-005500'\r\n tag fix_id: 'F-36721r606910_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\ndescribe sql.query('SHOW shared_preload_libraries;', [pg_db]) do\r\n\tits('output') { should include 'pgaudit' }\r\nend\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe sql.query('\\\\du;', [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*pg_catalog.pg_roles.*$/ }\r\n\t\t end \r\n\telse\r\n\t\t describe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\t end\r\n\tend\r\n\r\nend\r\n", "source_location": { "ref": "./PostgreSQL STIG/controls/V-233562.rb", "line": 3 
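Review bot: The `describe sql.query('\du;', [pg_db]) do its('output') { should match // } end` block inside the new `if file(pg_audit_log_dir).exist?` branch can never fail — an empty regex matches any output, including a connection or authentication error — so a statement that exists only to provoke an audit record is reported as a passing test. Execute it for its side effect without a `describe` (`sql.query('\du', [pg_db])`) and let the grep that follows be the single assertion, or assert something observable such as `its('output') { should_not be_empty }`. The trailing semicolon is also suspect: psql passes the remainder of a meta-command line to the command as its argument rather than treating `;` as a terminator (`\d foo;` complains about a relation named `foo;`), so `\du;` appears to list roles matching the pattern `;`; the pg_roles catalog query still runs, but dropping the semicolon matches the STIG check text quoted above it. Finally, `grep -r "AUDIT" #{pg_audit_log_dir}` matched against `/pg_catalog.pg_roles/` accepts any historic audit line anywhere in the directory, so the control passes on stale logs and never confirms that a record was produced for the statement just issued; restricting the grep to the newest log file or to entries timestamped after the query would tighten it.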
@@ -1988,7 +1988,7 @@ "AU-12 c" ] }, - "code": "control\t'V-233561' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to delete privileges/permissions occur.\"\r\n\tdesc\t\"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be \r\n\ttracked. Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected.\r\n\r\nIn a SQL environment, deleting permissions is typically done via the REVOKE command.\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), create the roles \\\"joe\\\" and \\\"bob\\\" with LOGIN \r\nby running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE joe LOGIN\\\"\r\n$ psql -c \\\"CREATE ROLE bob LOGIN\\\"\r\n\r\nNext, set current role to \\\"bob\\\" and attempt to alter the role \\\"joe\\\":\r\n\r\n$ psql -c \\\"SET ROLE bob; ALTER ROLE joe NOLOGIN;\\\"\r\n\r\nNow, as the database administrator (shown here as \\\"postgres\\\"), verify the denials are logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-17 11:28:10.004 EDT bob 56eacd05.cda postgres: >ERROR: permission denied to alter role\r\n< 2016-03-17 11:28:10.004 EDT bob 56eacd05.cda postgres: >STATEMENT: ALTER ROLE joe;\r\n\r\nIf audit logs are not generated when unsuccessful attempts to delete privileges/permissions occur, this is a finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit records when unsuccessful attempts to delete privileges occur.\r\n\r\nAll denials are logged if logging is enabled. 
To ensure logging is enabled, review supplementary content APPENDIX-C \r\nfor instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000499-DB-000331'\r\n tag gid: 'V-233561'\r\n tag rid: 'SV-233561r617333_rule'\r\n tag stig_id: 'CD12-00-005400'\r\n tag fix_id: 'F-36720r606907_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"CREATE ROLE pgauditrolefailuretest; SET ROLE pgauditrolefailuretest; DROP ROLE postgres; SET ROLE postgres; DROP ROLE pgauditrolefailuretest;\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t \r\n\t describe command(\"grep -r \\\"permission denied to drop role\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*permission denied to drop role.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend\r\n\t end\r\n\t \r\n\t end\r\n", + "code": "control\t'V-233561' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to delete privileges/permissions occur.\"\r\n\tdesc\t\"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be \r\n\ttracked. 
Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected.\r\n\r\nIn a SQL environment, deleting permissions is typically done via the REVOKE command.\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), create the roles \\\"joe\\\" and \\\"bob\\\" with LOGIN \r\nby running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE joe LOGIN\\\"\r\n$ psql -c \\\"CREATE ROLE bob LOGIN\\\"\r\n\r\nNext, set current role to \\\"bob\\\" and attempt to alter the role \\\"joe\\\":\r\n\r\n$ psql -c \\\"SET ROLE bob; ALTER ROLE joe NOLOGIN;\\\"\r\n\r\nNow, as the database administrator (shown here as \\\"postgres\\\"), verify the denials are logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-17 11:28:10.004 EDT bob 56eacd05.cda postgres: >ERROR: permission denied to alter role\r\n< 2016-03-17 11:28:10.004 EDT bob 56eacd05.cda postgres: >STATEMENT: ALTER ROLE joe;\r\n\r\nIf audit logs are not generated when unsuccessful attempts to delete privileges/permissions occur, this is a finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit records when unsuccessful attempts to delete privileges occur.\r\n\r\nAll denials are logged if logging is enabled. 
To ensure logging is enabled, review supplementary content APPENDIX-C \r\nfor instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000499-DB-000331'\r\n tag gid: 'V-233561'\r\n tag rid: 'SV-233561r617333_rule'\r\n tag stig_id: 'CD12-00-005400'\r\n tag fix_id: 'F-36720r606907_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe sql.query('CREATE ROLE pgauditrolefailuretest; SET ROLE pgauditrolefailuretest; DROP ROLE postgres; SET ROLE postgres; DROP ROLE pgauditrolefailuretest;', [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t \r\n\t describe command(\"grep -r \\\"permission denied to drop role\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*permission denied to drop role.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend\r\n\t end\r\n\t \r\n\t end\r\n", "source_location": { "ref": "./PostgreSQL STIG/controls/V-233561.rb", "line": 3 
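Review bot: The probe in the new `sql.query('CREATE ROLE pgauditrolefailuretest; SET ROLE pgauditrolefailuretest; DROP ROLE postgres; SET ROLE postgres; DROP ROLE pgauditrolefailuretest;', [pg_db])` hard-codes `SET ROLE postgres` although the session is opened as the `pg_dba` input, so on a target whose DBA account is not named `postgres` (managed platforms commonly use a differently named administrative role) the switch back fails and the cleanup can never run; `RESET ROLE`, which the STIG check text for V-233547 in this same file uses, is the portable form. In practice none of the trailing statements execute anyway: if the resource sends the string as one simple-query message, as `psql -c` does, the intended `DROP ROLE postgres` denial aborts the implicit transaction and rolls back the `CREATE ROLE`, so `SET ROLE postgres` is dead code and the test role is removed by the rollback rather than by the final `DROP`. Using the superuser role as the denial target is still an unnecessary risk for a compliance probe — a second throwaway role produces the same `permission denied to drop role` message with nothing to lose if the privilege check were ever wrong: `CREATE ROLE pgauditroletarget; CREATE ROLE pgauditrolefailuretest; SET ROLE pgauditrolefailuretest; DROP ROLE pgauditroletarget; RESET ROLE; DROP ROLE pgauditrolefailuretest; DROP ROLE pgauditroletarget;`. As in the other controls in this diff, `its('output') { should match // }` is an assertion that cannot fail and should become a side-effect-only call or assert something real, and the unanchored `grep -r "permission denied to drop role"` accepts a denial logged by any earlier run.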
@@ -2468,7 +2468,7 @@ "AU-12 c" ] }, - "code": "control\t'V-233558' do\r\n\ttitle\t\"PostgreSQL must generate audit records when successful logons or connections occur.\"\r\n\tdesc\t\"For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) \r\n\tlogs on to PostgreSQL.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), check if log_connections is enabled by running \r\nthe following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SHOW log_connections\\\"\r\n\r\nIf log_connections is off, this is a finding.\r\n\r\nNext, verify the logs that the previous connection to the database was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-02-16 15:54:03.934 EST postgres postgres 56c64b8b.aeb: >LOG: connection authorized: user=postgres \r\ndatabase=postgres\r\n\r\nIf an audit record is not generated each time a user (or other principal) logs on or connects to PostgreSQL, this is \r\na finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. 
See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\r\n\r\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\r\n\r\nIf logging is enabled the following configurations must be made to log connections, date/time, username, and session \r\nidentifier.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit postgresql.conf:\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\n\r\nEdit the following parameters as such:\r\n\r\nlog_connections = on\r\nlog_line_prefix = '< %m %u %d %c: >'\r\n\r\nWhere:\r\n* %m is the time and date\r\n* %u is the username\r\n* %d is the database\r\n* %c is the session ID for the connection\r\n\r\nNow, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000503-DB-000350'\r\n tag gid: 'V-233558'\r\n tag rid: 'SV-233558r617333_rule'\r\n tag stig_id: 'CD12-00-005100'\r\n tag fix_id: 'F-36717r606898_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"SHOW log_connections\\\"\") do\r\n\t\t its('stdout') { should match /on/ }\r\n\t\tend\r\n\t \r\n\t\t describe command(\"grep -r \\\"connection authorized\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*user=postgres.*$/ }\r\n\t\t end \r\n\t else\r\n\t\t describe \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\t end\r\n\t end\r\n\t \r\n\t end\r\n", + "code": "control\t'V-233558' do\r\n\ttitle\t\"PostgreSQL must generate audit records when successful logons or connections occur.\"\r\n\tdesc\t\"For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) \r\n\tlogs on to PostgreSQL.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), check if log_connections is enabled by running \r\nthe following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SHOW log_connections\\\"\r\n\r\nIf log_connections is off, this is a finding.\r\n\r\nNext, verify the logs that the previous connection to the database was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-02-16 15:54:03.934 EST postgres postgres 56c64b8b.aeb: >LOG: connection authorized: user=postgres \r\ndatabase=postgres\r\n\r\nIf an audit record is not generated each time a user (or other principal) logs on or connects to PostgreSQL, this is \r\na finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. 
See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\r\n\r\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\r\n\r\nIf logging is enabled the following configurations must be made to log connections, date/time, username, and session \r\nidentifier.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit postgresql.conf:\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\n\r\nEdit the following parameters as such:\r\n\r\nlog_connections = on\r\nlog_line_prefix = '< %m %u %d %c: >'\r\n\r\nWhere:\r\n* %m is the time and date\r\n* %u is the username\r\n* %d is the database\r\n* %c is the session ID for the connection\r\n\r\nNow, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000503-DB-000350'\r\n tag gid: 'V-233558'\r\n tag rid: 'SV-233558r617333_rule'\r\n tag stig_id: 'CD12-00-005100'\r\n tag fix_id: 'F-36717r606898_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe sql.query('SHOW log_connections;', [pg_db]) do\r\n\t\t its('output') { should match /on/ }\r\n\t\tend\r\n\t \r\n\t\t describe command(\"grep -r \\\"connection authorized\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*user=postgres.*$/ }\r\n\t\t end \r\n\t else\r\n\t\t describe \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\t end\r\n\t end\r\n\t \r\n\t end\r\n", "source_location": { "ref": "./PostgreSQL STIG/controls/V-233558.rb", "line": 3 
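Review bot: `its('output') { should match /on/ }` on the new `sql.query('SHOW log_connections;', [pg_db])` in V-233558 is a substring match, so any output containing "on" satisfies it; `its('output') { should cmp 'on' }` pins the setting's actual value. The log assertion below it, `should match /^.*user=postgres.*$/`, hard-codes the postgres user even though the connection this control just opened was made as pg_dba, so a profile run with a different DBA account passes only on unrelated earlier logins; `should match /user=#{pg_dba}/` ties it to this run. In this hunk and the three that follow, `#{pg_audit_log_dir}` is interpolated unquoted into the grep command line; writing it as `\"#{pg_audit_log_dir}\"` keeps a path containing spaces from being split by the shell. Keeping the DBA password out of the psql command string (the removed line's `PGPASSWORD=` form was visible in process listings and in the InSpec report) is the right direction for the remaining controls that still build that command.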
@@ -2564,7 +2564,7 @@ "AU-12 c" ] }, - "code": "control\t'V-233559' do\r\n\ttitle\t\"PostgreSQL must generate audit records when security objects are deleted.\"\r\n\tdesc\t\"The removal of security objects from the database/PostgreSQL would seriously degrade a system's \r\n\tinformation assurance posture. If such an event occurs, it must be logged.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), create a test table stig_test, enable row level \r\nsecurity, and create a policy by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE TABLE stig_test(id INT)\\\"\r\n$ psql -c \\\"ALTER TABLE stig_test ENABLE ROW LEVEL SECURITY\\\"\r\n$ psql -c \\\"CREATE POLICY lock_table ON stig_test USING ('postgres' = current_user)\\\"\r\n\r\nNext, drop the policy and disable row level security:\r\n\r\n$ psql -c \\\"DROP POLICY lock_table ON stig_test\\\"\r\n$ psql -c \\\"ALTER TABLE stig_test DISABLE ROW LEVEL SECURITY\\\"\r\n\r\nNow, as the database administrator (shown here as \\\"postgres\\\"), verify the security objects deletions were logged:\r\n\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n2016-03-30 14:54:18.991 EDT postgres postgres LOG: AUDIT: SESSION,11,1,DDL,DROP POLICY,,,DROP POLICY lock_table ON \r\nstig_test;,\r\n2016-03-30 14:54:42.373 EDT postgres postgres LOG: AUDIT: SESSION,12,1,DDL,ALTER TABLE,,,ALTER TABLE stig_test \r\nDISABLE ROW LEVEL SECURITY;,\r\n\r\nIf audit records are not produced when security objects are dropped, this is a finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. 
See supplementary \r\n\tcontent APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\r\n\r\nUsing pgaudit PostgreSQL can be configured to audit these requests. See supplementary content APPENDIX-B for \r\ndocumentation on installing pgaudit.\r\n\r\nWith pgaudit installed the following configurations can be made:\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\n\r\nAdd the following parameters (or edit existing parameters):\r\n\r\npgaudit.log = 'ddl'\r\n\r\nNow, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000501-DB-000336'\r\n tag gid: 'V-233559'\r\n tag rid: 'SV-233559r617333_rule'\r\n tag stig_id: 'CD12-00-005200'\r\n tag fix_id: 'F-36718r606901_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"CREATE TABLE stig_test(id INT); ALTER TABLE stig_test ENABLE ROW LEVEL SECURITY; CREATE POLICY lock_table ON stig_test USING ('postgres' = current_user); DROP POLICY lock_table ON stig_test; ALTER TABLE stig_test DISABLE ROW LEVEL SECURITY; DROP TABLE stig_test;\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*CREATE TABLE,,,CREATE TABLE stig_test.*$/ }\r\n\t\tend \r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*ALTER TABLE 
stig_test ENABLE ROW LEVEL SECURITY.*$/ }\r\n\t\tend \r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*CREATE POLICY lock_table ON stig_test.*$/ }\r\n\t\tend \r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*DROP POLICY lock_table ON stig_test.*$/ }\r\n\t\tend \r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*ALTER TABLE stig_test DISABLE ROW LEVEL SECURITY.*$/ }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*DROP TABLE stig_test.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend \r\n\t end\r\n\t \r\n\t end\r\n", + "code": "control\t'V-233559' do\r\n\ttitle\t\"PostgreSQL must generate audit records when security objects are deleted.\"\r\n\tdesc\t\"The removal of security objects from the database/PostgreSQL would seriously degrade a system's \r\n\tinformation assurance posture. If such an event occurs, it must be logged.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. 
See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), create a test table stig_test, enable row level \r\nsecurity, and create a policy by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE TABLE stig_test(id INT)\\\"\r\n$ psql -c \\\"ALTER TABLE stig_test ENABLE ROW LEVEL SECURITY\\\"\r\n$ psql -c \\\"CREATE POLICY lock_table ON stig_test USING ('postgres' = current_user)\\\"\r\n\r\nNext, drop the policy and disable row level security:\r\n\r\n$ psql -c \\\"DROP POLICY lock_table ON stig_test\\\"\r\n$ psql -c \\\"ALTER TABLE stig_test DISABLE ROW LEVEL SECURITY\\\"\r\n\r\nNow, as the database administrator (shown here as \\\"postgres\\\"), verify the security objects deletions were logged:\r\n\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n2016-03-30 14:54:18.991 EDT postgres postgres LOG: AUDIT: SESSION,11,1,DDL,DROP POLICY,,,DROP POLICY lock_table ON \r\nstig_test;,\r\n2016-03-30 14:54:42.373 EDT postgres postgres LOG: AUDIT: SESSION,12,1,DDL,ALTER TABLE,,,ALTER TABLE stig_test \r\nDISABLE ROW LEVEL SECURITY;,\r\n\r\nIf audit records are not produced when security objects are dropped, this is a finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary \r\n\tcontent APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\r\n\r\nUsing pgaudit PostgreSQL can be configured to audit these requests. 
See supplementary content APPENDIX-B for \r\ndocumentation on installing pgaudit.\r\n\r\nWith pgaudit installed the following configurations can be made:\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\n\r\nAdd the following parameters (or edit existing parameters):\r\n\r\npgaudit.log = 'ddl'\r\n\r\nNow, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000501-DB-000336'\r\n tag gid: 'V-233559'\r\n tag rid: 'SV-233559r617333_rule'\r\n tag stig_id: 'CD12-00-005200'\r\n tag fix_id: 'F-36718r606901_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe sql.query(\"CREATE TABLE stig_test(id INT); ALTER TABLE stig_test ENABLE ROW LEVEL SECURITY; CREATE POLICY lock_table ON stig_test USING ('postgres' = current_user); DROP POLICY lock_table ON stig_test; ALTER TABLE stig_test DISABLE ROW LEVEL SECURITY; DROP TABLE stig_test;\", [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*CREATE TABLE,,,CREATE TABLE stig_test.*$/ }\r\n\t\tend \r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*ALTER TABLE stig_test ENABLE ROW LEVEL SECURITY.*$/ }\r\n\t\tend \r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match 
/^.*CREATE POLICY lock_table ON stig_test.*$/ }\r\n\t\tend \r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*DROP POLICY lock_table ON stig_test.*$/ }\r\n\t\tend \r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*ALTER TABLE stig_test DISABLE ROW LEVEL SECURITY.*$/ }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"AUDIT: SESSION\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*DROP TABLE stig_test.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend \r\n\t end\r\n\t \r\n\t end\r\n", "source_location": { "ref": "./PostgreSQL STIG/controls/V-233559.rb", "line": 3 
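Review bot: `its('output') { should match // }` on the new DDL batch in V-233559 matches any string, so a failure of the batch (for example a stale `stig_test` left by an earlier interrupted run, which makes the first `CREATE TABLE` fail) is never reported, and the six greps that follow search the whole log directory and would still pass on entries written by that earlier run; the same vacuous assertion is in the V-233575 and V-233556 hunks below. If postgres_session surfaces psql's error text in `output`, an assertion such as `its('output') { should_not match /ERROR/ }` would at least fail loudly; if it raises on a non-zero exit instead, the `//` expectation can be dropped altogether. The six `describe command("grep -r \"AUDIT: SESSION\" #{pg_audit_log_dir}")` blocks run the identical command and could be one describe block with six `its('stdout')` expectations, which also makes the report read as one check per object rather than six greps.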
@@ -2660,7 +2660,7 @@ "AU-12 c" ] }, - "code": "control\t'V-233575' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to modify privileges/permissions occur.\"\r\n\tdesc\t\"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be \r\n\ttracked. Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected.\r\n\r\nModifying permissions is done via the GRANT and REVOKE commands.\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), create a role \\\"bob\\\" and a test table by \r\nrunning the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE bob; CREATE TABLE test(id INT)\\\"\r\n\r\nNext, set current role to \\\"bob\\\" and attempt to modify privileges:\r\n\r\n$ psql -c \\\"SET ROLE bob; GRANT ALL PRIVILEGES ON test TO bob;\\\"\r\n$ psql -c \\\"SET ROLE bob; REVOKE ALL PRIVILEGES ON test FROM bob;\\\"\r\n\r\nNow, as the database administrator (shown here as \\\"postgres\\\"), verify the unsuccessful attempt was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n2016-07-14 18:12:23.208 EDT postgres postgres ERROR: permission denied for relation test\r\n2016-07-14 18:12:23.208 EDT postgres postgres STATEMENT: GRANT ALL PRIVILEGES ON test TO bob;\r\n2016-07-14 18:14:52.895 EDT postgres postgres ERROR: permission denied for relation test\r\n2016-07-14 18:14:52.895 EDT postgres postgres STATEMENT: REVOKE ALL PRIVILEGES ON test FROM bob;\r\n\r\nIf audit logs are not generated when unsuccessful attempts to modify privileges/permissions occur, this is a 
finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit records when unsuccessful attempts to modify privileges occur.\r\n\r\nAll denials are logged by default if logging is enabled. To ensure that logging is enabled, review supplementary \r\ncontent APPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000495-DB-000329'\r\n tag gid: 'V-233575'\r\n tag rid: 'SV-233575r617333_rule'\r\n tag stig_id: 'CD12-00-006800'\r\n tag fix_id: 'F-36734r606949_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"CREATE ROLE fooaudit; CREATE TABLE fooaudittest (id int); SET ROLE fooaudit; GRANT ALL PRIVILEGES ON fooaudittest TO fooaudit; DROP TABLE IF EXISTS fooaudittest;\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"permission denied for relation\\\\|table\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*pg_authid.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend\r\n\t end\r\n\t \r\n\t end\r\n", + "code": "control\t'V-233575' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to modify privileges/permissions occur.\"\r\n\tdesc\t\"Failed attempts to change the permissions, privileges, and roles granted to users and roles must be \r\n\ttracked. Without an audit trail, unauthorized attempts to elevate or restrict privileges could go undetected.\r\n\r\nModifying permissions is done via the GRANT and REVOKE commands.\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), create a role \\\"bob\\\" and a test table by \r\nrunning the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE bob; CREATE TABLE test(id INT)\\\"\r\n\r\nNext, set current role to \\\"bob\\\" and attempt to modify privileges:\r\n\r\n$ psql -c \\\"SET ROLE bob; GRANT ALL PRIVILEGES ON test TO bob;\\\"\r\n$ psql -c \\\"SET ROLE bob; REVOKE ALL PRIVILEGES ON test FROM bob;\\\"\r\n\r\nNow, as the database administrator (shown here as \\\"postgres\\\"), verify the unsuccessful attempt was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n2016-07-14 18:12:23.208 EDT postgres postgres ERROR: permission denied for relation test\r\n2016-07-14 18:12:23.208 EDT postgres postgres STATEMENT: GRANT ALL PRIVILEGES ON test TO bob;\r\n2016-07-14 18:14:52.895 EDT postgres postgres ERROR: permission denied for relation test\r\n2016-07-14 18:14:52.895 EDT postgres postgres STATEMENT: REVOKE ALL PRIVILEGES ON test 
FROM bob;\r\n\r\nIf audit logs are not generated when unsuccessful attempts to modify privileges/permissions occur, this is a finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit records when unsuccessful attempts to modify privileges occur.\r\n\r\nAll denials are logged by default if logging is enabled. To ensure that logging is enabled, review supplementary \r\ncontent APPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000495-DB-000329'\r\n tag gid: 'V-233575'\r\n tag rid: 'SV-233575r617333_rule'\r\n tag stig_id: 'CD12-00-006800'\r\n tag fix_id: 'F-36734r606949_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe sql.query('CREATE ROLE fooaudit; CREATE TABLE fooaudittest (id int); SET ROLE fooaudit; GRANT ALL PRIVILEGES ON fooaudittest TO fooaudit; DROP TABLE IF EXISTS fooaudittest;', [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"permission denied for relation\\\\|table\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*pg_authid.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend\r\n\t end\r\n\t \r\n\t end\r\n", "source_location": { "ref": "./PostgreSQL STIG/controls/V-233575.rb", "line": 3 
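Review bot: The log assertion `its('stdout') { should match /^.*pg_authid.*$/ }` in the new V-233575 block does not correspond to the denial the query above provokes: a GRANT issued after `SET ROLE fooaudit` on `fooaudittest` is logged as permission denied for relation/table fooaudittest, so the control can only pass if some unrelated pg_authid denial already exists in the log; `should match /fooaudittest/` ties it to this run. If postgres_session submits the batch as one `psql -c` string the way the removed line did, the failed GRANT aborts the implicit transaction, so the trailing `DROP TABLE IF EXISTS fooaudittest` never executes and, depending on whether the whole batch is rolled back, the `fooaudit` role may persist; nothing drops it in any case. Running the cleanup as a separate `sql.query('DROP TABLE IF EXISTS fooaudittest; DROP ROLE IF EXISTS fooaudit;', [pg_db])` after the check keeps the scan from leaving test principals on the audited instance.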
@@ -2820,7 +2820,7 @@ "AU-12 c" ] }, - "code": "control\t'V-233556' do\r\n\ttitle\t\"PostgreSQL must generate audit records when privileges/permissions are added.\"\r\n\tdesc\t\"Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without \r\n\tan audit trail, unauthorized elevation or restriction of privileges could go undetected. Elevated privileges \r\n\tgive users access to information and functionality that they should not have; restricted privileges wrongly deny \r\n\taccess to authorized users.\r\n\r\nIn a SQL environment, adding permissions is typically done via the GRANT command, or, in the negative, the REVOKE \r\ncommand.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), create a role by running the following SQL:\r\n\r\nChange the privileges of another user:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE bob\\\"\r\n\r\nNext, GRANT then REVOKE privileges from the role:\r\n\r\n$ psql -c \\\"GRANT CONNECT ON DATABASE postgres TO bob\\\"\r\n$ psql -c \\\"REVOKE CONNECT ON DATABASE postgres FROM bob\\\"\r\n\r\npostgres=# REVOKE CONNECT ON DATABASE postgres FROM bob;\r\nREVOKE\r\n\r\npostgres=# GRANT CONNECT ON DATABASE postgres TO bob;\r\nGRANT\r\n\r\nNext, as the database administrator (shown here as \\\"postgres\\\"), verify the events were logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-07-13 16:25:21.103 EDT postgres postgres LOG: > AUDIT: SESSION,1,1,ROLE,GRANT,,,GRANT CONNECT ON DATABASE \r\npostgres TO bob,\r\n< 2016-07-13 16:25:25.520 EDT postgres postgres LOG: > AUDIT: SESSION,1,1,ROLE,REVOKE,,,REVOKE CONNECT ON DATABASE \r\npostgres FROM bob,\r\n\r\nIf the above steps cannot verify that audit records are 
produced when privileges/permissions/role memberships are \r\nadded, this is a finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\r\n\r\nUsing pgaudit, PostgreSQL can be configured to audit these requests. See supplementary content APPENDIX-B for \r\ndocumentation on installing pgaudit.\r\n\r\nWith pgaudit installed, the following configurations can be made:\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\n\r\nAdd the following parameters (or edit existing parameters):\r\n\r\npgaudit.log = 'role'\r\n\r\nNow, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000495-DB-000326'\r\n tag gid: 'V-233556'\r\n tag rid: 'SV-233556r617333_rule'\r\n tag stig_id: 'CD12-00-004900'\r\n tag fix_id: 'F-36715r606892_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"CREATE ROLE fooaudit; GRANT CONNECT ON DATABASE postgres TO fooaudit; REVOKE CONNECT ON DATABASE postgres FROM fooaudit;\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"GRANT CONNECT ON DATABASE postgres TO\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*fooaudit.*$/ }\r\n\t\tend \r\n\t\t\r\n\t\tdescribe command(\"grep -r \\\"REVOKE CONNECT ON DATABASE postgres FROM\\\" 
#{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*fooaudit.*$/ }\r\n\t\tend\r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend \r\n\t end\r\n\t \r\n\t end\r\n", + "code": "control\t'V-233556' do\r\n\ttitle\t\"PostgreSQL must generate audit records when privileges/permissions are added.\"\r\n\tdesc\t\"Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without \r\n\tan audit trail, unauthorized elevation or restriction of privileges could go undetected. Elevated privileges \r\n\tgive users access to information and functionality that they should not have; restricted privileges wrongly deny \r\n\taccess to authorized users.\r\n\r\nIn a SQL environment, adding permissions is typically done via the GRANT command, or, in the negative, the REVOKE \r\ncommand.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. 
See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), create a role by running the following SQL:\r\n\r\nChange the privileges of another user:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE ROLE bob\\\"\r\n\r\nNext, GRANT then REVOKE privileges from the role:\r\n\r\n$ psql -c \\\"GRANT CONNECT ON DATABASE postgres TO bob\\\"\r\n$ psql -c \\\"REVOKE CONNECT ON DATABASE postgres FROM bob\\\"\r\n\r\npostgres=# REVOKE CONNECT ON DATABASE postgres FROM bob;\r\nREVOKE\r\n\r\npostgres=# GRANT CONNECT ON DATABASE postgres TO bob;\r\nGRANT\r\n\r\nNext, as the database administrator (shown here as \\\"postgres\\\"), verify the events were logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-07-13 16:25:21.103 EDT postgres postgres LOG: > AUDIT: SESSION,1,1,ROLE,GRANT,,,GRANT CONNECT ON DATABASE \r\npostgres TO bob,\r\n< 2016-07-13 16:25:25.520 EDT postgres postgres LOG: > AUDIT: SESSION,1,1,ROLE,REVOKE,,,REVOKE CONNECT ON DATABASE \r\npostgres FROM bob,\r\n\r\nIf the above steps cannot verify that audit records are produced when privileges/permissions/role memberships are \r\nadded, this is a finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\r\n\r\nUsing pgaudit, PostgreSQL can be configured to audit these requests. 
See supplementary content APPENDIX-B for \r\ndocumentation on installing pgaudit.\r\n\r\nWith pgaudit installed, the following configurations can be made:\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\n\r\nAdd the following parameters (or edit existing parameters):\r\n\r\npgaudit.log = 'role'\r\n\r\nNow, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000495-DB-000326'\r\n tag gid: 'V-233556'\r\n tag rid: 'SV-233556r617333_rule'\r\n tag stig_id: 'CD12-00-004900'\r\n tag fix_id: 'F-36715r606892_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe sql.query('CREATE ROLE fooaudit; GRANT CONNECT ON DATABASE postgres TO fooaudit; REVOKE CONNECT ON DATABASE postgres FROM fooaudit;', [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"GRANT CONNECT ON DATABASE postgres TO\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*fooaudit.*$/ }\r\n\t\tend \r\n\t\t\r\n\t\tdescribe command(\"grep -r \\\"REVOKE CONNECT ON DATABASE postgres FROM\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*fooaudit.*$/ }\r\n\t\tend\r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend \r\n\t end\r\n\t \r\n\t end\r\n", "source_location": { "ref": "./PostgreSQL STIG/controls/V-233556.rb", "line": 3 
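Review bot: The new V-233556 query `CREATE ROLE fooaudit; GRANT CONNECT ON DATABASE postgres TO fooaudit; REVOKE CONNECT ON DATABASE postgres FROM fooaudit;` never drops the role, so each scan leaves a `fooaudit` role on the audited cluster and the next run's `CREATE ROLE fooaudit` fails with "role already exists", which the `should match //` expectation hides; appending `DROP ROLE fooaudit;` to the batch makes the check repeatable. When that re-run fails, the two greps still pass on the GRANT/REVOKE lines written by the first run, so the control stops measuring the current configuration. The `DATABASE postgres` target is hard-coded while the query itself is sent to `pg_db`; if the intent is to exercise the database under test, `DATABASE #{pg_db}` keeps the two consistent.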
@@ -3171,7 +3171,7 @@
 "CM-7 a"
 ]
 },
- "code": "control\t'V-233593' do\r\n\ttitle\t\"Access to external executables must be disabled or restricted.\"\r\n\tdesc\t\"Information systems are capable of providing a wide variety of functions and services. Some of the \r\n\tfunctions and services, provided by default, may not be necessary to support essential organizational operations \r\n\t(e.g., key missions, functions).\r\n\r\nIt is detrimental for applications to provide, or install by default, functionality exceeding requirements or \r\nmission objectives. \r\n\r\nApplications must adhere to the principles of least functionality by providing only essential capabilities.\r\n\r\nPostgreSQLs may spawn additional external processes to execute procedures that are defined in PostgreSQL but stored \r\nin external host files (external procedures). The spawned process used to execute the external procedure may operate \r\nwithin a different OS security context than PostgreSQL and provide unauthorized access to the host system.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"PostgreSQL's Copy command can interact with the underlying OS. Only superuser has access to \r\n\tthis command.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), run the following SQL to list all roles and their \r\nprivileges:\r\n\r\n$ sudo su - postgres\r\n$ psql -x -c \\\"\\du\\\"\r\n\r\nIf any role has \\\"superuser\\\" that should not, this is a finding.\r\n\r\nIt is possible for an extension to contain code that could access external executables via SQL. 
To list all installed \r\nextensions, as the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -x -c \\\"SELECT * FROM pg_available_extensions WHERE installed_version IS NOT NULL\\\"\r\n\r\nIf any extensions are installed that are not approved, this is a finding.\"\r\n\tdesc\t'fix', \"To remove superuser from a role, as the database administrator (shown here as \\\"postgres\\\"), run \r\n\tthe following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"ALTER ROLE WITH NOSUPERUSER\\\"\r\n\r\nTo remove extensions from PostgreSQL, as the database administrator (shown here as \\\"postgres\\\"), run the following \r\nSQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"DROP EXTENSION extension_name\\\"\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000141-DB-000093'\r\n tag gid: 'V-233593'\r\n tag rid: 'SV-233593r617333_rule'\r\n tag stig_id: 'CD12-00-009100'\r\n tag fix_id: 'F-36752r607003_fix'\r\n tag cci: [\"CCI-000381\"]\r\n tag nist: [\"CM-7 a\"]\r\n\r\npg_conf_file= input('pg_conf_file')\r\n\r\npg_host = input('pg_host')\r\n\r\nlogin_user = input('login_user')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_superusers = input('pg_superusers')\r\n\r\napproved_ext = input('approved_ext')\r\n\r\n\tdbs = nil\r\n\tdb = nil\r\n \r\n\tif !(\"#{pg_db}\".to_s.empty?)\r\n\t db = [\"#{pg_db}\"]\r\n\t dbs = db.map { |x| \"-d #{x}\" }.join(' ')\r\n\tend\r\n \r\n\tsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n \r\n\troles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\r\n\troles_query = sql.query(roles_sql, [pg_db])\r\n\troles = roles_query.lines\r\n \r\n\troles.each do |role|\r\n\t unless pg_superusers.include?(role)\r\n\t\tsuperuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\r\n\t\t \"WHERE r.rolname = '#{role}';\"\r\n \r\n\t\tdescribe sql.query(superuser_sql, 
[pg_db]) do\r\n\t\t its('output') { should_not eq 't' }\r\n\t\tend\r\n\t end\r\n\tend\r\n\t\r\n\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"select * from pg_shadow where usename <> 'postgres' and usesuper = 't';\") do\r\n\t its('stdout.strip') { should match '' }\r\n\tend\r\n \r\n # @todo how do I check to see if any extensions are installed that are not approved? fix stdout value?\r\n \r\n\tdescribe.one do\r\n\t approved_ext.each do |extension|\r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"SELECT * FROM pg_available_extensions WHERE installed_version IS NOT NULL\\\"\") do\r\n\t\t its('stdout.strip') { should match extension }\r\n\t\tend\r\n\t end\r\n\tend\r\n end \r\n",
+ "code": "control\t'V-233593' do\r\n\ttitle\t\"Access to external executables must be disabled or restricted.\"\r\n\tdesc\t\"Information systems are capable of providing a wide variety of functions and services. Some of the \r\n\tfunctions and services, provided by default, may not be necessary to support essential organizational operations \r\n\t(e.g., key missions, functions).\r\n\r\nIt is detrimental for applications to provide, or install by default, functionality exceeding requirements or \r\nmission objectives. \r\n\r\nApplications must adhere to the principles of least functionality by providing only essential capabilities.\r\n\r\nPostgreSQLs may spawn additional external processes to execute procedures that are defined in PostgreSQL but stored \r\nin external host files (external procedures). The spawned process used to execute the external procedure may operate \r\nwithin a different OS security context than PostgreSQL and provide unauthorized access to the host system.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"PostgreSQL's Copy command can interact with the underlying OS. 
Only superuser has access to \r\n\tthis command.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), run the following SQL to list all roles and their \r\nprivileges:\r\n\r\n$ sudo su - postgres\r\n$ psql -x -c \\\"\\du\\\"\r\n\r\nIf any role has \\\"superuser\\\" that should not, this is a finding.\r\n\r\nIt is possible for an extension to contain code that could access external executables via SQL. To list all installed \r\nextensions, as the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -x -c \\\"SELECT * FROM pg_available_extensions WHERE installed_version IS NOT NULL\\\"\r\n\r\nIf any extensions are installed that are not approved, this is a finding.\"\r\n\tdesc\t'fix', \"To remove superuser from a role, as the database administrator (shown here as \\\"postgres\\\"), run \r\n\tthe following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"ALTER ROLE WITH NOSUPERUSER\\\"\r\n\r\nTo remove extensions from PostgreSQL, as the database administrator (shown here as \\\"postgres\\\"), run the following \r\nSQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"DROP EXTENSION extension_name\\\"\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000141-DB-000093'\r\n tag gid: 'V-233593'\r\n tag rid: 'SV-233593r617333_rule'\r\n tag stig_id: 'CD12-00-009100'\r\n tag fix_id: 'F-36752r607003_fix'\r\n tag cci: [\"CCI-000381\"]\r\n tag nist: [\"CM-7 a\"]\r\n\r\npg_conf_file= input('pg_conf_file')\r\n\r\npg_host = input('pg_host')\r\n\r\nlogin_user = input('login_user')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_superusers = input('pg_superusers')\r\n\r\napproved_ext = input('approved_ext')\r\n\r\n\tdbs = nil\r\n\tdb = nil\r\n \r\n\tif !(\"#{pg_db}\".to_s.empty?)\r\n\t db = [\"#{pg_db}\"]\r\n\t dbs = db.map { |x| \"-d #{x}\" }.join(' ')\r\n\tend\r\n \r\n\tsql = postgres_session(pg_dba, 
pg_dba_password, pg_host, input('pg_port'))\r\n \r\n\troles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\r\n\troles_query = sql.query(roles_sql, [pg_db])\r\n\troles = roles_query.lines\r\n \r\n\troles.each do |role|\r\n\t unless pg_superusers.include?(role)\r\n\t\tsuperuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\r\n\t\t \"WHERE r.rolname = '#{role}';\"\r\n \r\n\t\tdescribe sql.query(superuser_sql, [pg_db]) do\r\n\t\t its('output') { should_not eq 't' }\r\n\t\tend\r\n\t end\r\n\tend\r\n\t\r\n\tdescribe sql.query(\"select * from pg_shadow where usename <> 'postgres' and usesuper = 't';\", [pg_db]) do\r\n\t its('output') { should match '' }\r\n\tend\r\n \r\n # @todo how do I check to see if any extensions are installed that are not approved? fix stdout value?\r\n \r\n\tdescribe.one do\r\n\t approved_ext.each do |extension|\r\n\t\tdescribe sql.query('SELECT * FROM pg_available_extensions WHERE installed_version IS NOT NULL;', [pg_db]) do\r\n\t\t its('output') { should match extension }\r\n\t\tend\r\n\t end\r\n\tend\r\n end \r\n",
 "source_location": {
 "ref": "./PostgreSQL STIG/controls/V-233593.rb",
 "line": 3 
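Review bot: The new superuser assertion `its('output') { should match '' }` on the pg_shadow query can never fail, because `match ''` is satisfied by any string, so a non-postgres role with `usesuper = 't'` still passes this control; it should read `its('output') { should eq '' }`. The `describe.one` block that follows has the mirror problem: it passes as soon as any single approved extension appears in the installed list rather than failing on an unapproved one, which the `@todo` left in place acknowledges but the commit does not resolve. Moving the password out of the `PGPASSWORD='#{pg_dba_password}' psql …` command line into `postgres_session` is a genuine improvement, since the old form exposed the DBA password in process listings and in the resource description printed in the InSpec report. The per-role loop above is unchanged context, and `roles_query.lines` appears to leave the trailing newline on each name, so `pg_superusers.include?(role)` and `WHERE r.rolname = '#{role}'` may not be matching the intended roles; a `role.strip` is worth adding when this control is next touched.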
@@ -3427,7 +3427,7 @@
 "AU-12 c"
 ]
 },
- "code": "control\t'V-233553' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful logons or connection attempts occur.\"\r\n\tdesc\t\"For completeness of forensic analysis, it is necessary to track failed attempts to log on to \r\n\tPostgreSQL. While positive identification may not be possible in a case of failed authentication, as much \r\n\t\tinformation as possible about the incident must be captured.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I on PGLOG.\r\n\r\nIn this example the user \\\"joe\\\" will log in to the Postgres database unsuccessfully:\r\n\r\n$ psql -d postgres -U joe\r\n\r\nAs the database administrator (shown here as \\\"postgres\\\"), check ${PGLOG?} for a FATAL connection audit trail:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/{latest_log>\r\n< 2016-02-16 16:18:13.027 EST joe 56c65135.b5f postgres: >LOG: connection authorized: user=joe database=postgres\r\n< 2016-02-16 16:18:13.027 EST joe 56c65135.b5f postgres: >FATAL: role \\\"joe\\\" does not exist\r\n\r\nIf an audit record is not generated each time a user (or other principal) attempts, but fails to log on or \r\nconnect to PostgreSQL (including attempts where the user ID is invalid/unknown), this is a finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. 
See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\r\n\r\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\r\n\r\nIf logging is enabled the following configurations must be made to log unsuccessful connections, date/time, \r\nusername, and session identifier.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit postgresql.conf:\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\n\r\nEdit the following parameters:\r\n\r\nlog_connections = on\r\nlog_line_prefix = '< %m %u %c: >'\r\n\r\nWhere:\r\n* %m is the time and date\r\n* %u is the username\r\n* %c is the session ID for the connection\r\n\r\nNext, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000503-DB-000351'\r\n tag gid: 'V-233553'\r\n tag rid: 'SV-233553r617333_rule'\r\n tag stig_id: 'CD12-00-004600'\r\n tag fix_id: 'F-36712r606883_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"SET ROLE pgauditrolefailuretest;\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"does not exist\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*role \\\"\\\"pgauditrolefailuretest\\\"\\\" does not exist.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend \r\n\t end\r\n\t \r\n\t end\r\n",
+ "code": "control\t'V-233553' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful logons or connection attempts occur.\"\r\n\tdesc\t\"For completeness of forensic analysis, it is necessary to track failed attempts to log on to \r\n\tPostgreSQL. While positive identification may not be possible in a case of failed authentication, as much \r\n\t\tinformation as possible about the incident must be captured.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I on PGLOG.\r\n\r\nIn this example the user \\\"joe\\\" will log in to the Postgres database unsuccessfully:\r\n\r\n$ psql -d postgres -U joe\r\n\r\nAs the database administrator (shown here as \\\"postgres\\\"), check ${PGLOG?} for a FATAL connection audit trail:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/{latest_log>\r\n< 2016-02-16 16:18:13.027 EST joe 56c65135.b5f postgres: >LOG: connection authorized: user=joe database=postgres\r\n< 2016-02-16 16:18:13.027 EST joe 56c65135.b5f postgres: >FATAL: role \\\"joe\\\" does not exist\r\n\r\nIf an audit record is not generated each time a user (or other principal) attempts, but fails to log on or \r\nconnect to PostgreSQL (including attempts where the user ID is invalid/unknown), this is a finding.\"\r\n\tdesc\t'fix', \"Note: The following instructions use the PGDATA and PGVER environment variables. 
See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\r\n\r\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.\r\n\r\nIf logging is enabled the following configurations must be made to log unsuccessful connections, date/time, \r\nusername, and session identifier.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit postgresql.conf:\r\n\r\n$ sudo su - postgres\r\n$ vi ${PGDATA?}/postgresql.conf\r\n\r\nEdit the following parameters:\r\n\r\nlog_connections = on\r\nlog_line_prefix = '< %m %u %c: >'\r\n\r\nWhere:\r\n* %m is the time and date\r\n* %u is the username\r\n* %c is the session ID for the connection\r\n\r\nNext, as the system administrator, reload the server with the new configuration:\r\n\r\n$ sudo systemctl reload postgresql-${PGVER?}\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000503-DB-000351'\r\n tag gid: 'V-233553'\r\n tag rid: 'SV-233553r617333_rule'\r\n tag stig_id: 'CD12-00-004600'\r\n tag fix_id: 'F-36712r606883_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe sql.query('SET ROLE pgauditrolefailuretest;', [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"does not exist\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*role \\\"\\\"pgauditrolefailuretest\\\"\\\" does not exist.*$/ }\r\n\t\tend \r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend \r\n\t end\r\n\t \r\n\t end\r\n",
 "source_location": {
 "ref": "./PostgreSQL STIG/controls/V-233553.rb",
 "line": 3 
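Review bot: The new `describe sql.query('SET ROLE pgauditrolefailuretest;', [pg_db])` depends on the statement failing (the role must not exist for the `does not exist` audit record to be written), but the InSpec `postgres_session` resource in the 4.x line this profile targets raises `Inspec::Exceptions::ResourceFailed` when psql exits non-zero or prints an `ERROR:` line, so this describe is likely to error the control before the following grep ever runs; the old `command(...)` form tolerated the failing statement — confirm against the InSpec version in use. The same reliance on a server-side error appears in the V-233552 hunk below (`SET ROLE permdeniedtest; CREATE TABLE permdeniedschema.usertable(index int);` is expected to be denied) and in the V-233556 hunk above this one, so whatever fix is chosen should be applied to all three. If the resource does raise, the intentionally failing statement needs to be issued in a way that captures the error instead of propagating it, and the intent should be recorded in a comment such as `# SET ROLE to a nonexistent role is expected to fail; the control only needs that failure to be audited.` The unchanged `grep -r \"does not exist\" #{pg_audit_log_dir}` on the new side also interpolates an operator-supplied input unquoted into a shell command; quoting it in the Ruby source as `\"#{pg_audit_log_dir}\"` avoids word-splitting on paths containing spaces.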
@@ -3555,7 +3555,7 @@
 "AU-12 c"
 ]
 },
- "code": "control\t'V-233552' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to access security objects occur.\"\r\n\tdesc\t\"Changes to the security configuration must be tracked.\r\n\r\nThis requirement applies to situations where security data is retrieved or modified via data manipulation \r\noperations, as opposed to via specialized security functionality.\r\n\r\nIn an SQL environment, types of access include, but are not necessarily limited to:\r\n\r\nSELECT\r\nINSERT\r\nUPDATE\r\nDELETE\r\nEXECUTE\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), setup a test schema and revoke users privileges \r\nfrom using it by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE SCHEMA stig_test_schema AUTHORIZATION postgres\\\"\r\n$ psql -c \\\"REVOKE ALL ON SCHEMA stig_test_schema FROM public\\\"\r\n$ psql -c \\\"GRANT ALL ON SCHEMA stig_test_schema TO postgres\\\"\r\n\r\nNext, create a test table, insert a value into that table for the following checks by running the following SQL:\r\n\r\n$ psql -c \\\"CREATE TABLE stig_test_schema.stig_test_table(id INT)\\\"\r\n$ psql -c \\\"INSERT INTO stig_test_schema.stig_test_table(id) VALUES (0)\\\"\r\n\r\n#### CREATE\r\nAttempt to CREATE a table in the stig_test_schema schema with a role that does not have privileges by running the \r\nfollowing SQL:\r\n\r\npsql -c \\\"CREATE ROLE bob; SET ROLE bob; CREATE TABLE stig_test_schema.test_table(id INT);\\\"\r\nERROR: permission denied for schema stig_test_schema\r\n\r\nNext, as a database administrator (shown 
here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 09:55:19.423 EST postgres 56e0393f.186b postgres: >ERROR: permission denied for schema stig_test_schema \r\nat character 14\r\n< 2016-03-09 09:55:19.423 EST postgres 56e0393f.186b postgres: >STATEMENT: CREATE TABLE \r\nstig_test_schema.test_table(id INT);\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### INSERT\r\nAs role bob, attempt to INSERT into the table created earlier, stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; INSERT INTO stig_test_schema.stig_test_table(id) VALUES (0);\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 09:58:30.709 EST postgres 56e0393f.186b postgres: >ERROR: permission denied for schema \r\nstig_test_schema at character 13\r\n< 2016-03-09 09:58:30.709 EST postgres 56e0393f.186b postgres: >STATEMENT: INSERT INTO \r\nstig_test_schema.stig_test_table(id) VALUES (0);\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### SELECT\r\nAs role bob, attempt to SELECT from the table created earlier, stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; SELECT * FROM stig_test_schema.stig_test_table;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 09:57:58.327 EST postgres 56e0393f.186b postgres: >ERROR: permission denied for schema \r\nstig_test_schema at character 15\r\n< 2016-03-09 09:57:58.327 EST postgres 56e0393f.186b postgres: >STATEMENT: SELECT * FROM \r\nstig_test_schema.stig_test_table;\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### ALTER\r\nAs role bob, attempt to ALTER 
the table created earlier, stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; ALTER TABLE stig_test_schema.stig_test_table ADD COLUMN name TEXT;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 10:03:43.765 EST postgres 56e0393f.186b postgres: >STATEMENT: ALTER TABLE \r\nstig_test_schema.stig_test_table ADD COLUMN name TEXT;\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### UPDATE\r\nAs role bob, attempt to UPDATE a row created earlier, stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; UPDATE stig_test_schema.stig_test_table SET id=1 WHERE id=0;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 10:08:27.696 EST postgres 56e0393f.186b postgres: >ERROR: permission denied for schema \r\nstig_test_schema at character 8\r\n< 2016-03-09 10:08:27.696 EST postgres 56e0393f.186b postgres: >STATEMENT: UPDATE \r\nstig_test_schema.stig_test_table SET id=1 WHERE id=0;\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### DELETE\r\nAs role bob, attempt to DELETE a row created earlier, stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; DELETE FROM stig_test_schema.stig_test_table WHERE id=0;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 10:09:29.607 EST postgres 56e0393f.186b postgres: >ERROR: permission denied for schema \r\nstig_test_schema at character 13\r\n< 2016-03-09 10:09:29.607 EST postgres 56e0393f.186b postgres: >STATEMENT: DELETE FROM 
\r\nstig_test_schema.stig_test_table WHERE id=0;\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### PREPARE \r\nAs role bob, attempt to execute a prepared system using PREPARE by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; PREPARE stig_test_plan(int) AS SELECT id FROM stig_test_schema.stig_test_table \r\nWHERE id=$1;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 10:16:22.628 EST postgres 56e03e02.18e4 postgres: >ERROR: permission denied for schema \r\nstig_test_schema at character 46\r\n< 2016-03-09 10:16:22.628 EST postgres 56e03e02.18e4 postgres: >STATEMENT: PREPARE stig_test_plan(int) AS \r\nSELECT id FROM stig_test_schema.stig_test_table WHERE id=$1;\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### DROP\r\nAs role bob, attempt to DROP the table created earlier stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; DROP TABLE stig_test_schema.stig_test_table;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 10:18:55.255 EST postgres 56e03e02.18e4 postgres: >ERROR: permission denied for schema \r\nstig_test_schema\r\n< 2016-03-09 10:18:55.255 EST postgres 56e03e02.18e4 postgres: >STATEMENT: DROP TABLE \r\nstig_test_schema.stig_test_table;\r\n\r\nIf the denial is not logged, this is a finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit records when unsuccessful attempts to access security \r\n\tobjects occur.\r\n\r\nAll denials are logged if logging is enabled. 
To ensure that logging is enabled, review supplementary content \r\nAPPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000492-DB-000333'\r\n tag gid: 'V-233552'\r\n tag rid: 'SV-233552r617333_rule'\r\n tag stig_id: 'CD12-00-004500'\r\n tag fix_id: 'F-36711r606880_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"CREATE ROLE permdeniedtest; CREATE SCHEMA permdeniedschema; SET ROLE permdeniedtest; CREATE TABLE permdeniedschema.usertable(index int);\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t \r\n\t\t#Find the most recently modified log file in the pg_audit_log_dir, grep for the syntax error statement, and then\r\n\t\t#test to validate the output matches the regex.\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"permission denied for schema\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*permission denied for schema permdeniedschema..*$/ }\r\n\t\tend \r\n\t\tdescribe command(\"PGPASSWORD='#{pg_dba_password}' psql -U #{pg_dba} -d #{pg_db} -h #{pg_host} -A -t -c \\\"SET ROLE postgres; DROP SCHEMA IF EXISTS permdeniedschema; DROP ROLE IF EXISTS permdeniedtest;\\\"\") do\r\n\t\t its('stdout') { should match // }\r\n\t\tend\r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend\r\n\t end\r\n\t \r\n\t end\r\n",
+ "code": "control\t'V-233552' do\r\n\ttitle\t\"PostgreSQL must generate audit records when unsuccessful attempts to access security objects occur.\"\r\n\tdesc\t\"Changes to the security configuration must be tracked.\r\n\r\nThis requirement applies to situations where security data is retrieved or modified via data manipulation \r\noperations, as opposed to via specialized security functionality.\r\n\r\nIn an SQL environment, types of access include, but are not necessarily limited to:\r\n\r\nSELECT\r\nINSERT\r\nUPDATE\r\nDELETE\r\nEXECUTE\r\n\r\nTo aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones.\"\r\n\tdesc\t'rationale', ''\r\n\tdesc\t'check', \"Note: The following instructions use the PGDATA and PGLOG environment variables. See \r\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for PGLOG.\r\n\r\nFirst, as the database administrator (shown here as \\\"postgres\\\"), setup a test schema and revoke users privileges \r\nfrom using it by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"CREATE SCHEMA stig_test_schema AUTHORIZATION postgres\\\"\r\n$ psql -c \\\"REVOKE ALL ON SCHEMA stig_test_schema FROM public\\\"\r\n$ psql -c \\\"GRANT ALL ON SCHEMA stig_test_schema TO postgres\\\"\r\n\r\nNext, create a test table, insert a value into that table for the following checks by running the following SQL:\r\n\r\n$ psql -c \\\"CREATE TABLE stig_test_schema.stig_test_table(id INT)\\\"\r\n$ psql -c \\\"INSERT INTO stig_test_schema.stig_test_table(id) VALUES (0)\\\"\r\n\r\n#### CREATE\r\nAttempt to CREATE a table in the stig_test_schema schema with a role that does not have privileges by running the \r\nfollowing SQL:\r\n\r\npsql -c \\\"CREATE ROLE bob; SET ROLE bob; CREATE TABLE 
stig_test_schema.test_table(id INT);\\\"\r\nERROR: permission denied for schema stig_test_schema\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 09:55:19.423 EST postgres 56e0393f.186b postgres: >ERROR: permission denied for schema stig_test_schema \r\nat character 14\r\n< 2016-03-09 09:55:19.423 EST postgres 56e0393f.186b postgres: >STATEMENT: CREATE TABLE \r\nstig_test_schema.test_table(id INT);\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### INSERT\r\nAs role bob, attempt to INSERT into the table created earlier, stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; INSERT INTO stig_test_schema.stig_test_table(id) VALUES (0);\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 09:58:30.709 EST postgres 56e0393f.186b postgres: >ERROR: permission denied for schema \r\nstig_test_schema at character 13\r\n< 2016-03-09 09:58:30.709 EST postgres 56e0393f.186b postgres: >STATEMENT: INSERT INTO \r\nstig_test_schema.stig_test_table(id) VALUES (0);\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### SELECT\r\nAs role bob, attempt to SELECT from the table created earlier, stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; SELECT * FROM stig_test_schema.stig_test_table;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 09:57:58.327 EST postgres 56e0393f.186b postgres: >ERROR: permission denied for schema \r\nstig_test_schema at character 15\r\n< 2016-03-09 09:57:58.327 EST postgres 56e0393f.186b postgres: >STATEMENT: SELECT * FROM 
\r\nstig_test_schema.stig_test_table;\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### ALTER\r\nAs role bob, attempt to ALTER the table created earlier, stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; ALTER TABLE stig_test_schema.stig_test_table ADD COLUMN name TEXT;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 10:03:43.765 EST postgres 56e0393f.186b postgres: >STATEMENT: ALTER TABLE \r\nstig_test_schema.stig_test_table ADD COLUMN name TEXT;\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### UPDATE\r\nAs role bob, attempt to UPDATE a row created earlier, stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; UPDATE stig_test_schema.stig_test_table SET id=1 WHERE id=0;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 10:08:27.696 EST postgres 56e0393f.186b postgres: >ERROR: permission denied for schema \r\nstig_test_schema at character 8\r\n< 2016-03-09 10:08:27.696 EST postgres 56e0393f.186b postgres: >STATEMENT: UPDATE \r\nstig_test_schema.stig_test_table SET id=1 WHERE id=0;\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### DELETE\r\nAs role bob, attempt to DELETE a row created earlier, stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; DELETE FROM stig_test_schema.stig_test_table WHERE id=0;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 10:09:29.607 EST postgres 56e0393f.186b postgres: >ERROR: permission denied for schema 
\r\nstig_test_schema at character 13\r\n< 2016-03-09 10:09:29.607 EST postgres 56e0393f.186b postgres: >STATEMENT: DELETE FROM \r\nstig_test_schema.stig_test_table WHERE id=0;\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### PREPARE \r\nAs role bob, attempt to execute a prepared system using PREPARE by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; PREPARE stig_test_plan(int) AS SELECT id FROM stig_test_schema.stig_test_table \r\nWHERE id=$1;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 10:16:22.628 EST postgres 56e03e02.18e4 postgres: >ERROR: permission denied for schema \r\nstig_test_schema at character 46\r\n< 2016-03-09 10:16:22.628 EST postgres 56e03e02.18e4 postgres: >STATEMENT: PREPARE stig_test_plan(int) AS \r\nSELECT id FROM stig_test_schema.stig_test_table WHERE id=$1;\r\n\r\nIf the denial is not logged, this is a finding.\r\n\r\n#### DROP\r\nAs role bob, attempt to DROP the table created earlier stig_test_table by running the following SQL:\r\n\r\n$ sudo su - postgres\r\n$ psql -c \\\"SET ROLE bob; DROP TABLE stig_test_schema.stig_test_table;\\\"\r\n\r\nNext, as a database administrator (shown here as \\\"postgres\\\"), verify that the denial was logged:\r\n\r\n$ sudo su - postgres\r\n$ cat ${PGDATA?}/${PGLOG?}/\r\n< 2016-03-09 10:18:55.255 EST postgres 56e03e02.18e4 postgres: >ERROR: permission denied for schema \r\nstig_test_schema\r\n< 2016-03-09 10:18:55.255 EST postgres 56e03e02.18e4 postgres: >STATEMENT: DROP TABLE \r\nstig_test_schema.stig_test_table;\r\n\r\nIf the denial is not logged, this is a finding.\"\r\n\tdesc\t'fix', \"Configure PostgreSQL to produce audit records when unsuccessful attempts to access security \r\n\tobjects occur.\r\n\r\nAll denials are logged if logging is enabled. 
To ensure that logging is enabled, review supplementary content \r\nAPPENDIX-C for instructions on enabling logging.\"\r\n\timpact 0.5\r\n\ttag severity: 'medium'\r\n tag gtitle: 'SRG-APP-000492-DB-000333'\r\n tag gid: 'V-233552'\r\n tag rid: 'SV-233552r617333_rule'\r\n tag stig_id: 'CD12-00-004500'\r\n tag fix_id: 'F-36711r606880_fix'\r\n tag cci: [\"CCI-000172\"]\r\n tag nist: [\"AU-12 c\"]\r\n\r\npg_ver = input('pg_version')\r\n\r\npg_dba = input('pg_dba')\r\n\r\npg_dba_password = input('pg_dba_password')\r\n\r\npg_db = input('pg_db')\r\n\r\npg_host = input('pg_host')\r\n\r\npg_log_dir = input('pg_log_dir')\r\n\r\npg_audit_log_dir = input('pg_audit_log_dir')\r\n\r\nsql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\r\n\r\n\tif file(pg_audit_log_dir).exist?\r\n\t\tdescribe sql.query('CREATE ROLE permdeniedtest; CREATE SCHEMA permdeniedschema; SET ROLE permdeniedtest; CREATE TABLE permdeniedschema.usertable(index int);', [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t \r\n\t\t#Find the most recently modified log file in the pg_audit_log_dir, grep for the syntax error statement, and then\r\n\t\t#test to validate the output matches the regex.\r\n\t \r\n\t\tdescribe command(\"grep -r \\\"permission denied for schema\\\" #{pg_audit_log_dir}\") do\r\n\t\t its('stdout') { should match /^.*permission denied for schema permdeniedschema..*$/ }\r\n\t\tend \r\n\t\tdescribe sql.query('SET ROLE postgres; DROP SCHEMA IF EXISTS permdeniedschema; DROP ROLE IF EXISTS permdeniedtest;', [pg_db]) do\r\n\t\t its('output') { should match // }\r\n\t\tend\r\n\t else\r\n\t\tdescribe \"The #{pg_audit_log_dir} directory was not found. Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\" do\r\n\t\t skip \"The #{pg_audit_log_dir} directory was not found. 
Check path for this postgres version/install to define the value for the 'pg_audit_log_dir' inspec input parameter.\"\r\n\t\tend\r\n\t end\r\n\t \r\n\t end\r\n",
 "source_location": {
 "ref": "./PostgreSQL STIG/controls/V-233552.rb",
 "line": 3
@@ -4420,7 +4420,7 @@
 "id": "controls/V-233606.rb"
 }
 ],
- "sha256": "dad2f9292324ed3a7f9b4f81d8b29e13894ff6d55d4e40595fdc10d438b0afe1",
+ "sha256": "3fb45281a778d9e5d90d0975b94b86e2e39ef0f5290afc7c246b44659be26f52",
 "status_message": "",
 "status": "loaded",
 "generator": {