Detections
Analytics

EP11-00-001100 - The EDB Postgres Advanced Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

Information

Without the capability to restrict the types of roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.

Suppression of auditing could permit an adversary to evade detection.

Misconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If a non-EDB provided database auditing solution or a custom auditing solution is being used, configure the DBMS's settings according to the documentation provided for those solutions to allow designated personnel to select which auditable events are audited.

If EDB Auditing is being used, perform the following actions as necessary to address any findings:
1) Postgresql Data Directory Ownership and Permissions:
If the postgresql data directory and its contents are owned by unauthorized users, change ownership to an authorized user.

Restrict access on the postgresql data directory to the database service account, software owner accounts, Administrators, DBAs, System group, or other documented users authorized to start a postgresql database cluster.

2) Postgresql Configuration File Ownership and Permissions:
If the postgresql configuration file(s) is owned by an unauthorized user, change ownership to an authorized user.

Restrict write access on Postgres configuration file(s) the database service account, software owner accounts, Administrators, DBAs, System group, or other documented users authorized to edit the file(s).

3) Database Users Assigned Superuser Privileges:
Remove superuser rights from unauthorized database users via the ALTER ROLE or ALTER USER SQL command.

The syntax is:
ALTER ROLE <role> NOSUPERUSER

or

ALTER USER <user> NOSUPERUSER

Example:
ALTER ROLE testuser NOSUPERUSER;

OR

ALTER USER testuser NOSUPERUSER;

See PostgreSQL and/or EDB Postgres Advanced Server documentation for details.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EDB_PGS_Advanced_Server_v11_Windows_V2R4_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12b., CAT|II, CCI|CCI-000171, Rule-ID|SV-224135r960882_rule, STIG-ID|EP11-00-001100, STIG-Legacy|SV-109401, STIG-Legacy|V-100297, Vuln-ID|V-224135

Plugin: Windows

Control ID: cb85381290969e2262d3b444afc530291dfe3dd70f78e3babe4829131482bd26