VMware Postgres must require authentication on all connections.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239204 | VCPG-67-000012 | SV-239204r717055_rule | High |
| Description |
|---|
| To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. VMware Postgres client authentication is configured in "pg_hba.conf". In this file are a number of lines that specify who can connect to the service, from where, and using what authentication methods. In Postgres there is a concept of a trusted connection where a specific network mask can connect without any authentication, to any account. This connection is termed "trust" in "pg_hba.conf" and it must not be present. Out of the box, VMware Postgres requires standard password authentication for all connections. Satisfies: SRG-APP-000148-DB-000103, SRG-APP-000171-DB-000074 |
| STIG | Date |
|---|---|
| VMware vSphere 6.7 PostgreSQL Security Technical Implementation Guide | 2021-04-15 |
Details
| Check Text ( C-42437r678983_chk ) |
|---|
| At the command prompt, execute the following command: # grep -v "^#" /storage/db/vpostgres/pg_hba.conf|grep -z --color=always "trust" If any lines are returned, this is a finding. |
| Fix Text (F-42396r678984_fix) |
|---|
| Navigate to and open /storage/db/pgdata/pg_hba.conf. Find and remove the line that has a method of "trust" in the far right column. A correct, typical line will look like the following: # TYPE DATABASE USER ADDRESS METHOD host all all 127.0.0.1/32 md5 |