UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

PostgreSQL must provide the capability for authorized users to capture, record, and log all content related to a user session.


Overview

Finding ID Version Rule ID IA Controls Severity
V-73021 PGS9-00-009800 SV-87673r2_rule Medium
Description
Without the capability to capture, record, and log all content related to a user session, investigations into suspicious user activity would be hampered. Typically, this PostgreSQL capability would be used in conjunction with comparable monitoring of a user's online session, involving other software components such as operating systems, web servers and front-end user applications. The current requirement, however, deals specifically with PostgreSQL.
STIG Date
PostgreSQL 9.x Security Technical Implementation Guide 2018-02-27

Details

Check Text ( C-73153r3_chk )
First, as the database administrator (shown here as "postgres"), verify pgaudit is installed by running the following SQL: 

$ sudo su - postgres 
$ psql -c "SHOW shared_preload_libraries" 

If shared_preload_libraries does not contain pgaudit, this is a finding. 

Next, to verify connections and disconnections are logged, run the following SQL: 

$ psql -c "SHOW log_connections" 
$ psql -c "SHOW log_disconnections" 

If log_connections and log_disconnections are off, this is a finding. 

Now, to verify that pgaudit is configured to log, run the following SQL: 

$ psql -c "SHOW pgaudit.log" 

If pgaudit.log does not contain ddl, role, read, write, function this is a finding.
Fix Text (F-79467r2_fix)
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.

Configure the database capture, record, and log all content related to a user session. 

To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging. 

With logging enabled, as the database administrator (shown here as "postgres"), enable log_connections and log_disconnections: 

$ sudo su - postgres 
$ vi ${PGDATA?}/postgresql.conf 
log_connections = on 
log_disconnections = on 

Using pgaudit PostgreSQL can be configured to audit activity. See supplementary content APPENDIX-B for documentation on installing pgaudit. 

With pgaudit installed, as a database administrator (shown here as "postgres"), enable which objects required for auditing a user's session: 

$ sudo su - postgres 
$ vi ${PGDATA?}/postgresql.conf 
pgaudit.log = 'write, ddl, role, read, function'
pgaudit.log_relation = on

Now, as the system administrator, reload the server with the new configuration: 

# SYSTEMD SERVER ONLY 
$ sudo systemctl reload postgresql-${PGVER?}

# INITD SERVER ONLY 
$ sudo service postgresql-${PGVER?} reload