1.6 Verify That 'PGPASSWORD' is Not Set in Users' Profiles

Information

PostgreSQL can read a default database password from an environment variable called PGPASSWORD.

Rationale:

Use of the PGPASSWORD environment variable implies PostgreSQL credentials are stored as clear text. Avoiding this may increase assurance that the confidentiality of PostgreSQL credentials is preserved.

Solution

Check which users and/or scripts are setting PGPASSWORD and change them to use a more secure method.

See Also

https://workbench.cisecurity.org/benchmarks/17004

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1)

Plugin: Unix

Control ID: fa20255450ea1d1bd2b2f99838333f6057cd0a9d7a873c6e5c92a94acb0451ff