Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-224173 | EP11-00-004850 | SV-224173r508023_rule | | Medium |
Description |
---|
The EDB Postgres password file can contain passwords to be used if the connection allows a password (and no password has been specified otherwise). This file contains lines of the following format: `hostname:port:database:username:password`. It is critically important to system security that use of a password file be avoided, as it stores passwords in plain text. Any user with access to this file could potentially compromise the security of the database. |
STIG | Date |
---|---|
EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide | 2020-09-23 |
Check Text ( C-25846r495537_chk ) |
---|
Check DBMS settings to determine whether a password file is being used. On Windows the default file name and location is: %APPDATA%\postgresql\pgpass.conf (where %APPDATA% refers to the Application Data subdirectory in the user's profile). Alternatively, a password file can be specified using the connection parameter passfile or the environment variable PGPASSFILE. If a password file exists, this is a finding. If a password file is not in use, this is not a finding. |
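The check above names three places a password file can come from: the per-user default `%APPDATA%\postgresql\pgpass.conf`, the `PGPASSFILE` environment variable, and the `passfile` connection parameter. The PowerShell below is an added example of automating the first two on the database host; it is not part of the STIG and not EDB's tooling. It assumes `%APPDATA%` resolves to `<profile>\AppData\Roaming` for each local profile enumerated via `Win32_UserProfile`, and it checks `PGPASSFILE` at machine scope and for the account running the script. The `passfile` parameter lives in client connection strings and cannot be enumerated from the server, so it still needs a manual review.

```powershell
# Added example for the V-224173 check (not STIG or EDB code).
# Lists candidate PostgreSQL password files without echoing any passwords.

function Get-PgPassFindings {
    $findings = @()

    # 1. Default location for each local user profile:
    #    %APPDATA%\postgresql\pgpass.conf, with %APPDATA% assumed to be
    #    <profile>\AppData\Roaming. Service/system profiles are skipped.
    $profiles = Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and $_.LocalPath }
    foreach ($p in $profiles) {
        $candidate = Join-Path $p.LocalPath 'AppData\Roaming\postgresql\pgpass.conf'
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $findings += [pscustomobject]@{
                Source  = 'Default location'
                Path    = $candidate
                Exists  = $true
                Entries = (Get-PgPassEntries -Path $candidate)
            }
        }
    }

    # 2. PGPASSFILE environment variable (machine scope and current user).
    #    A variable pointing at a missing file is still reported: the setting
    #    shows intent to use a password file and should be removed.
    foreach ($scope in 'Machine', 'User') {
        $value = [Environment]::GetEnvironmentVariable('PGPASSFILE', $scope)
        if ($value) {
            $exists = Test-Path -LiteralPath $value -PathType Leaf
            $findings += [pscustomobject]@{
                Source  = "PGPASSFILE ($scope scope)"
                Path    = $value
                Exists  = $exists
                Entries = if ($exists) { Get-PgPassEntries -Path $value } else { @() }
            }
        }
    }

    return $findings
}

function Get-PgPassEntries {
    # Returns host:port:database:username for each credential line in a
    # password file, with the password field masked. Comment lines (#) and
    # blank lines are ignored; a backslash escapes ':' or '\' within a field.
    param([Parameter(Mandatory)][string]$Path)

    $entries = @()
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*(#|$)') { continue }
        # Split on unescaped colons only.
        $fields = [regex]::Split($line, '(?<!\\):')
        if ($fields.Count -ge 5) {
            $entries += ('{0}:{1}:{2}:{3}:***' -f $fields[0], $fields[1], $fields[2], $fields[3])
        } else {
            $entries += 'malformed line (fewer than 5 fields)'
        }
    }
    return $entries
}

$results = Get-PgPassFindings
if (-not $results) {
    Write-Output 'No password file found or referenced: not a finding (manual review of client passfile parameters still required).'
} else {
    Write-Output 'Password file present or referenced: FINDING (V-224173).'
    foreach ($r in $results) {
        Write-Output ('{0}: {1} (exists: {2})' -f $r.Source, $r.Path, $r.Exists)
        foreach ($e in $r.Entries) { Write-Output ('    ' + $e) }
    }
}
```

Run it from an elevated PowerShell session so every profile directory is readable. Listing `host:port:database:username` with the password masked gives the reviewer the scope of exposure (which accounts and databases were stored in clear text) without copying the secrets into the audit record; those accounts are the ones to rotate when the file is removed under the fix text.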
Fix Text (F-25834r495538_fix) |
---|
Remove any password files present on the server and implement a more secure form of authentication. The DoD standard for authentication is DoD-approved PKI certificates. |