5.1 Do Not Specify Passwords in the Command Line

Information

When a command is executed on the command line, for example

psql postgresql://postgres:PASSWORD@host

the password may be visible in the user's shell/command history or in the process list, thus exposing the password to other entities on the server.

Rationale:

If the password is visible in the process list or user's shell/command history, an attacker will be able to access the PostgreSQL database using the stolen credentials.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Use the --password or -W terminal parameter without directly specifying the password and then enter the password when prompted.
Substitute <user> with your username, e.g., root:

psql -u <user> --password

Do not use a Connection URI with password included, e.g. psql postgresql://postgres:PASSWORD@host

If desired, configure a .pgpass file with the proper credentials and secure the file appropriately.

See Also

https://workbench.cisecurity.org/benchmarks/17004

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1)

Plugin: Unix

Control ID: 2a6b89746e2f081118ec6f64a199172b379eb183ea6d1e872a4f8dfcba5b44a4