| Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. |
If no information is identified as requiring such protection, this is not a finding.
Review the configuration of PostgreSQL, operating system/file system, and additional software as relevant.
If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.
One possible way to encrypt data within PostgreSQL is to use pgcrypto extension.
To check if pgcrypto is installed on PostgreSQL, as a database administrator (shown here as "postgres"), run the following command:
$ sudo su - postgres
$ psql -c "SELECT * FROM pg_available_extensions where name='pgcrypto'"
If data in the database requires encryption and pgcrypto is not available, this is a finding.
If disk or filesystem requires encryption, ask the system owner, DBA, and SA to demonstrate filesystem or disk level encryption.
If this is required and is not found, this is a finding.