EPAS-00-008100 - The EDB Postgres Advanced Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.

Information

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.

A failure of database auditing will result in either the database continuing to function without auditing or in a complete halt to database operations. When audit processing fails, appropriate personnel must be alerted immediately to avoid further downtime or unaudited transactions.

Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Install PEM and configure audit failure event alerting as documented here: https://www.enterprisedb.com/docs/pem/latest/

An example for creating an alert that ensure the audit directory does not fill up is included below, using the thin client (browser) PEM interface. Refer also to the Supplemental Procedures document supplied with this STIG.

Open the PEM web console in a browser.

- Log in.
- Click on the agent for the machine to be monitored.
- Select 'Management | Probe Configuration'.
- Select 'Disk Space' and set the check interval as warranted.
- Select 'Management | Alerting'.
- Name the definition 'Audit Log Full'.
- Select Template 'Disk Consumption Percentage'.
- Set Frequency, Comparison Operator, and Thresholds (1 minute, >, 95/96/97 for example).
- Enter the Mount Point for where the audit log is.
- Click Notification tab.
- Click Email all alerts.
- Click 'Execute Script' on Monitored Server.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EPAS_V2R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(2), CAT|II, CCI|CCI-001858, Rule-ID|SV-259280r961401_rule, STIG-ID|EPAS-00-008100, Vuln-ID|V-259280

Plugin: PostgreSQLDB

Control ID: 829adfd50ea2ba6d53fda210c1ecd28563273023db69769084859985265c361f