CIS PostgreSQL 12 DB v1.1.0

Audit Details

Name: CIS PostgreSQL 12 DB v1.1.0

Updated: 6/17/2024

Authority: CIS

Plugin: PostgreSQLDB

Revision: 1.2

Estimated Item Count: 50

File Details

Filename: CIS_PostgreSQL_12_v1.1.0_L1_Database.audit

Size: 136 kB

MD5: 813b1774f64d9201bc4a49de4caeedb8
SHA256: ec727f7f2f347b47e44ec21785fbc18d2ae81a51ae1b0afa1e986c36176b4236

Audit Items

DescriptionCategories
3.1.2 Ensure the log destinations are set correctly

AUDIT AND ACCOUNTABILITY

3.1.3 Ensure the logging collector is enabled

AUDIT AND ACCOUNTABILITY

3.1.4 Ensure the log file destination directory is set correctly

AUDIT AND ACCOUNTABILITY

3.1.5 Ensure the filename pattern for log files is set correctly

AUDIT AND ACCOUNTABILITY

3.1.6 Ensure the log file permissions are set correctly

ACCESS CONTROL, MEDIA PROTECTION

3.1.7 Ensure 'log_truncate_on_rotation' is enabled

AUDIT AND ACCOUNTABILITY

3.1.8 Ensure the maximum log file lifetime is set correctly

AUDIT AND ACCOUNTABILITY

3.1.9 Ensure the maximum log file size is set correctly

AUDIT AND ACCOUNTABILITY

3.1.10 Ensure the correct syslog facility is selected

AUDIT AND ACCOUNTABILITY

3.1.11 Ensure syslog messages are not suppressed

AUDIT AND ACCOUNTABILITY

3.1.12 Ensure syslog messages are not lost due to size

AUDIT AND ACCOUNTABILITY

3.1.13 Ensure the program name for PostgreSQL syslog messages is correct

AUDIT AND ACCOUNTABILITY

3.1.14 Ensure the correct messages are written to the server log

AUDIT AND ACCOUNTABILITY

3.1.15 Ensure the correct SQL statements generating errors are recorded

AUDIT AND ACCOUNTABILITY

3.1.16 Ensure 'debug_print_parse' is disabled - debug_print_parse is disabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.1.17 Ensure 'debug_print_rewritten' is disabled - debug_print_rewritten is disabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.1.18 Ensure 'debug_print_plan' is disabled - debug_print_plan is disabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.1.19 Ensure 'debug_pretty_print' is enabled - debug_pretty_print is enabled

AUDIT AND ACCOUNTABILITY

3.1.20 Ensure 'log_connections' is enabled - log_connections is enabled

AUDIT AND ACCOUNTABILITY

3.1.21 Ensure 'log_disconnections' is enabled - log_disconnections is enabled

AUDIT AND ACCOUNTABILITY

3.1.22 Ensure 'log_error_verbosity' is set correctly - log_error_verbosity is set correctly

AUDIT AND ACCOUNTABILITY

3.1.23 Ensure 'log_hostname' is set correctly - log_hostname is set correctly

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.1.24 Ensure 'log_line_prefix' is set correctly - log_line_prefix is set correctly

AUDIT AND ACCOUNTABILITY

3.1.25 Ensure 'log_statement' is set correctly - log_statement is set correctly

AUDIT AND ACCOUNTABILITY

3.1.26 Ensure 'log_timezone' is set correctly - log_timezone is set correctly

AUDIT AND ACCOUNTABILITY

3.2 Ensure the PostgreSQL Audit Extension (pgAudit) is enabled - pgaudit installed

AUDIT AND ACCOUNTABILITY

3.2 Ensure the PostgreSQL Audit Extension (pgAudit) is enabled - show pgaudit.log

AUDIT AND ACCOUNTABILITY

4.2 Ensure excessive administrative privileges are revoked

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

4.3 Ensure excessive function privileges are revoked

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

4.4 Ensure excessive DML privileges are revoked

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

4.5 Ensure Row Level Security (RLS) is configured correctly - RLS is configured correctly

ACCESS CONTROL, MEDIA PROTECTION

4.6 Ensure the set_user extension is installed

ACCESS CONTROL

4.7 Make use of predefined roles

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

6.1 Understanding attack vectors and runtime parameters

CONFIGURATION MANAGEMENT

6.2 Ensure 'backend' runtime parameters are configured correctly

CONFIGURATION MANAGEMENT

6.3 Ensure 'Postmaster' Runtime Parameters are Configured

CONFIGURATION MANAGEMENT

6.4 Ensure 'SIGHUP' Runtime Parameters are Configured

CONFIGURATION MANAGEMENT

6.5 Ensure 'Superuser' Runtime Parameters are Configured

CONFIGURATION MANAGEMENT

6.6 Ensure 'User' Runtime Parameters are Configured

CONFIGURATION MANAGEMENT

6.8 Ensure TLS is enabled and configured correctly

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.9 Ensure the pgcrypto extension is installed and configured correctly

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.1 Ensure a replication-only user is created and used for streaming replication

ACCESS CONTROL

7.2 Ensure logging of replication commands is configured

ACCESS CONTROL

7.3 Ensure base backups are configured and functional

CONTINGENCY PLANNING

7.4 Ensure WAL archiving is configured and functional - archive_command

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.4 Ensure WAL archiving is configured and functional - archive_mode

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.5 Ensure streaming replication parameters are configured correctly

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

8.1 Ensure PostgreSQL subdirectory locations are outside the data cluster

CONFIGURATION MANAGEMENT

8.3 Ensure miscellaneous configuration settings are correct

CONFIGURATION MANAGEMENT

CIS_PostgreSQL_12_v1.1.0_L1_DB.audit from CIS PostgreSQL 12 Benchmark v1.1.0