| V-89445 | High | The vRA PostgreSQL database must use FIPS 140-2 ciphers. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards... |
| V-89447 | High | The vRA PostgreSQL database must use FIPS 140-2 ciphers. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards... |
| V-89449 | High | The vRA PostgreSQL database must use FIPS 140-2 ciphers. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards... |
| V-89399 | High | The vRA PostgreSQL database security updates and patches must be installed in a timely manner in accordance with site policy. | Security flaws with software applications, including database management systems, are discovered daily. Vendors are constantly updating and patching their products to address newly discovered... |
| V-89455 | High | The DBMS must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations. | Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not... |
| V-89441 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events... |
| V-89407 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict individuals' and... |
| V-89425 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
For detailed information on categorizing information,... |
| V-89387 | Medium | The vRA PostgreSQL database must be configured to use a syslog facility. | Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to the DBMS on its own server will not be an issue. However, space will... |
| V-89345 | Medium | vRA PostgreSQL database log file data must contain required data elements. | Information system auditing capability is critical for accurate forensic analysis. Without information about the outcome of events, security personnel cannot make an accurate assessment as to... |
| V-89365 | Medium | vRA PostgreSQL database objects must only be accessible to the postgres account. | Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and... |
| V-89355 | Medium | The vRA PostgreSQL database must have the correct ownership on the log files. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the... |
| V-89409 | Medium | The DBMS must generate audit records when privileges/permissions are modified. | Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of individuals' and groups' privileges... |
| V-89357 | Medium | The vRA PostgreSQL database must have the correct group-ownership on the log files. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the... |
| V-89385 | Medium | The vRA PostgreSQL database must have log collection enabled. | Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a... |
| V-89339 | Medium | vRA PostgreSQL database log file data must contain required data elements. | Information system auditing capability is critical for accurate forensic analysis. Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events... |
| V-89353 | Medium | The vRA PostgreSQL database must have the correct permissions on the log files. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In... |
| V-89391 | Medium | The vRA PostgreSQL database must use UTC for log timestamps. | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generated by the DBMS must include date and time. Time... |
| V-89393 | Medium | vRA PostgreSQL database log file data must contain required data elements. | Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records.
Time stamps generated by the DBMS must include date and time.... |
| V-89359 | Medium | The vRA PostgreSQL configuration files must have the correct permissions. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data.
Depending upon the log format and application, system and application log tools may... |
| V-89461 | Medium | vRA Postgres must be configured to use the correct port. | Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats. |
| V-89397 | Medium | vRA PostgreSQL database must be configured to validate character encoding to UTF-8. | A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information... |
| V-89383 | Medium | The vRA PostgreSQL error file must be protected from unauthorized access. | If the DBMS provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully... |
| V-89337 | Medium | vRA PostgreSQL database log file data must contain required data elements. | Information system auditing capability is critical for accurate forensic analysis. Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate... |
| V-89335 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Without the capability to capture, record, and log all content related to a user session, investigations into suspicious user activity would be hampered.
Typically, this DBMS capability would be... |
| V-89349 | Medium | vRA PostgreSQL database log file data must contain required data elements. | Information system auditing capability is critical for accurate forensic analysis. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough... |
| V-89333 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session auditing is in use, it needs to be in operation... |
| V-89443 | Medium | The vRA PostgreSQL database must set the log_statement to all. | In this context, direct access is any query, command, or call to the DBMS that comes from any source other than the application(s) that it supports. Examples would be the command line or a... |
| V-89331 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically... |
| V-89373 | Medium | The vRA PostgreSQL database must use md5 for authentication. | The DoD standard for authentication is DoD-approved PKI certificates.
Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and... |
| V-89395 | Medium | The DBMS must enforce access restrictions associated with changes to the configuration of the DBMS or database(s). | Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system.
When dealing with access restrictions... |
| V-89371 | Medium | The vRA PostgreSQL database must be limited to authorized accounts. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational... |
| V-89381 | Medium | Data from the vRA PostgreSQL database must be protected from unauthorized transfer. | Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources.
Data used for the development and testing of applications often involves... |
| V-89377 | Medium | The vRA PostgreSQL database must complete writing log entries prior to returning results. | Failure to a known state can address safety or security in accordance with the mission/business needs of the organization.
Failure to a known secure state helps prevent a loss of confidentiality,... |
| V-89375 | Medium | The vRA PostgreSQL database must be configured to use ssl. | The DoD standard for authentication is DoD-approved PKI certificates.
Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and... |
| V-89439 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events... |
| V-89429 | Medium | The vRA PostgreSQL database must set the log_min_messages to warning. | For completeness of forensic analysis, it is necessary to track failed attempts to log on to the DBMS. While positive identification may not be possible in a case of failed authentication, as much... |
| V-89369 | Medium | The vRA PostgreSQL database must not contain sample data. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
| V-89453 | Medium | vRA PostgreSQL must have the latest approved security-relevant software updates installed. | Configuring the DBMS to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline... |
| V-89451 | Medium | The vRA PostgreSQL database must be configured to use a syslog facility. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.... |
| V-89457 | Medium | vRA Postgres must be configured to use the correct port. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must... |
| V-89459 | Medium | The vRA PostgreSQL database must have log collection enabled. | If the configuration of the DBMS's auditing is spread across multiple locations in the database management software, or across multiple commands, only loosely related, it is harder to use and... |
| V-89379 | Medium | The vRA PostgreSQL must not allow access to unauthorized accounts. | An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions.
Security functions are the hardware, software,... |
| V-89389 | Medium | The vRA PostgreSQL database must be configured to use a syslog facility. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an... |
| V-89343 | Medium | vRA PostgreSQL database log file data must contain required data elements. | Information system auditing capability is critical for accurate forensic analysis. Without establishing the source of the event, it is impossible to establish, correlate, and investigate the... |
| V-89341 | Medium | vRA PostgreSQL database log file data must contain required data elements. | Information system auditing capability is critical for accurate forensic analysis. Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events... |
| V-89347 | Medium | vRA PostgreSQL database log file data must contain required data elements. | Information system auditing capability is critical for accurate forensic analysis. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of... |
| V-89419 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict individuals' and... |
| V-89417 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of individuals' and groups' privileges... |
| V-89415 | Medium | The DBMS must generate audit records when unsuccessful attempts to modify security objects occur. | Changes in the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles granted to users and roles must be tracked. Without an audit... |
| V-89329 | Medium | The vRA PostgreSQL configuration file must not be accessible by unauthorized users. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical... |
| V-89413 | Medium | The DBMS must generate audit records when security objects are modified. | Changes in the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles granted to users and roles must be tracked. Without an audit... |
| V-89433 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Without tracking privileged activity, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
System... |
| V-89411 | Medium | The DBMS must generate audit records when unsuccessful attempts to modify privileges/permissions occur. | Failed attempts to change the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized attempts to elevate or restrict individuals' and... |
| V-89427 | Medium | The vRA PostgreSQL database must set log_connections to on. | For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to the DBMS. |
| V-89327 | Medium | vRA PostgreSQL database log file data must contain required data elements. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit... |
| V-89405 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restriction of individuals' and groups' privileges... |
| V-89435 | Medium | The vRA PostgreSQL database must set log_connections to on. | For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to the DBMS lasts. This can be achieved by recording disconnections, in addition... |
| V-89361 | Medium | The vRA PostgreSQL configuration files must have the correct ownership. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on... |
| V-89363 | Medium | The vRA PostgreSQL configuration files must have the correct group-ownership. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on... |
| V-89403 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Changes to the security configuration must be tracked.
This requirement applies to situations where security data is retrieved or modified via data manipulation operations, as opposed to via... |
| V-89401 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Changes to the security configuration must be tracked.
This requirement applies to situations where security data is retrieved or modified via data manipulation operations, as opposed to via... |
| V-89367 | Medium | The vRA PostgreSQL database must limit modify privileges to authorized accounts. | If the DBMS were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of... |
| V-89437 | Medium | The vRA PostgreSQL database must set log_connections to on. | For completeness of forensic analysis, it is necessary to track who logs on to the DBMS.
Concurrent connections by the same user from multiple workstations may be valid use of the system; or such... |
| V-89463 | Medium | vRA PostgreSQL must limit the number of connections. | Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful Denial of Service... |
| V-89423 | Medium | The vRA PostgreSQL database must set the log_statement to all. | The removal of security objects from the database/DBMS would seriously degrade a system's information assurance posture. If such an action is attempted, it must be logged.
To aid in diagnosis, it... |
| V-89421 | Medium | The vRA PostgreSQL database must set the log_statement to all. | The removal of security objects from the database/DBMS would seriously degrade a system's information assurance posture. If such an event occurs, it must be logged. |
| V-89431 | Medium | The vRA PostgreSQL database must set the log_statement to all. | Without tracking privileged activity, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
System... |
| V-89351 | Low | vRA PostgreSQL database must have log_truncate_on_rotation enabled. | It is critical that when the DBMS is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing failures include: software/hardware errors;... |
