Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-224173 | EP11-00-004850 | SV-224173r508023_rule | Medium |
Description |
---|
The EDB Postgres password file can contain passwords to be used if the connection allows a password (and no password has been specified otherwise). This file contain lines of the following format: hostname:port:database:username:password It is critically important to system security that use of a password file be avoided as it stores passwords in plain text. Any user with access to these could potentially compromise the security of the database. |
STIG | Date |
---|---|
EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide | 2022-06-13 |
Check Text ( C-25846r495537_chk ) |
---|
Check DBMS settings to determine whether a password file is being used. On Windows the default file name and location is: %APPDATA%\postgresql\pgpass.conf (where %APPDATA% refers to the Application Data subdirectory in the user's profile). Alternatively, a password file can be specified using the connection parameter passfile or the environment variable PGPASSFILE. If a password file exists, this is a finding. If a password file is not in use, this is not a finding. |
Fix Text (F-25834r495538_fix) |
---|
Remove any password files present on the server and implement a more secure form of authentication. The DoD standard for authentication is DoD-approved PKI certificates. |