1.7 Verify That the 'PGPASSWORD' Environment Variable is Not in Use

Information

PostgreSQL can read a default database password from an environment variable called PGPASSWORD.

Rationale:

Using the PGPASSWORD environment variable implies PostgreSQL credentials are stored as clear text. Avoiding use of this environment variable can better safeguard the confidentiality of PostgreSQL credentials.

Solution

Check which users and/or scripts are setting PGPASSWORD and change them
to use a more secure method.

See Also

https://workbench.cisecurity.org/benchmarks/17003

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1)

Plugin: Unix

Control ID: a5616dd92409457abde50465721e338dc991b30f58bc24796b20150eee4e1917