UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

PostgreSQL must generate audit records showing starting and ending time for user access to the database(s).


Overview

Finding ID Version Rule ID IA Controls Severity
V-72925 PGS9-00-004700 SV-87577r2_rule Medium
Description
For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to PostgreSQL lasts. This can be achieved by recording disconnections, in addition to logons/connections, in the audit logs. Disconnection may be initiated by the user or forced by the system (as in a timeout) or result from a system or network failure. To the greatest extent possible, all disconnections must be logged.
STIG Date
PostgreSQL 9.x Security Technical Implementation Guide 2020-03-23

Details

Check Text ( C-73059r1_chk )
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.

First, log into the database with the postgres user by running the following commands:

$ sudo su - postgres
$ psql -U postgres

Next, as the database administrator, verify the log for a connection audit trail:

$ sudo su - postgres
$ cat ${PGDATA?}/pg_log/postgresql-Tue.log
< 2016-02-23 20:25:39.931 EST postgres 56cfa993.7a72 postgres: >LOG: connection authorized: user=postgres database=postgres
< 2016-02-23 20:27:45.428 EST postgres 56cfa993.7a72 postgres: >LOG: AUDIT: SESSION,1,1,READ,SELECT,,,SELECT current_user;,
< 2016-02-23 20:27:47.988 EST postgres 56cfa993.7a72 postgres: >LOG: disconnection: session time: 0:00:08.057 user=postgres database=postgres host=[local]

If connections are not logged, this is a finding.
Fix Text (F-79369r2_fix)
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.

To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging. 

If logging is enabled the following configurations must be made to log connections, date/time, username, and session identifier. 

First, as the database administrator (shown here as "postgres"), edit postgresql.conf by running the following: 

$ sudo su - postgres 
$ vi ${PGDATA?}/postgresql.conf 

Edit the following parameters: 

log_connections = on 
log_disconnections = on 
log_line_prefix = '< %m %u %c: >'  

Where: 
* %m is the time and date 
* %u is the username 
* %c is the session ID for the connection 

Now, as the system administrator, reload the server with the new configuration: 

# SYSTEMD SERVER ONLY 
$ sudo systemctl reload postgresql-${PGVER?}

# INITD SERVER ONLY 
$ sudo service postgresql-${PGVER?} reload