Detections
Analytics
PGS9-00-007200 - PostgreSQL must maintain the confidentiality and integrity of information during preparation for transmission.
Information
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
When transmitting data, PostgreSQL, associated applications, and infrastructure must leverage transmission protection mechanisms.
For more information on configuring PostgreSQL to use SSL, consult the following documentation:
https://www.postgresql.org/docs/current/ssl-tcp.html
Postgres provides native support for using SSL connections to encrypt client/server communications. To enable the use of SSL, the postgres 'ssl' configuration parameter must be set to 'on' and the database instance needs to be configured to use a valid server certificate and private key installed on the server. With SSL enabled, connections made to the database server will default to being encrypted. However, it is possible for clients to override the default and attempt to establish an unencrypted connection. To prevent connections made from non-local hosts from being unencrypted, the postgres host-based authentication settings should be configured to only allow hostssl (i.e., encrypted) connections. The hostssl connections can be further configured to require that the client present a valid (trusted) SSL certificate for a connection.
Solution
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.Implement protective measures against unauthorized disclosure and modification during preparation for transmission.
To configure PostgreSQL to use SSL, as a database administrator (shown here as 'postgres'), edit postgresql.conf:
$ sudo su - postgres
$ vi ${PGDATA?}/postgresql.conf
Add the following parameter:
ssl = on
To change authentication requirements for the database, as the database administrator (shown here as 'postgres'), edit pg_hba.conf:
$ sudo su - postgres
$ vi ${PGDATA?}/pg_hba.conf
Edit authentication requirements to the organizational requirements. See the official documentation for the complete list of options for authentication: http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
Now, as the system administrator, reload the server with the new configuration:
# SYSTEMD SERVER ONLY
$ sudo systemctl reload postgresql-${PGVER?}
# INITD SERVER ONLY
$ sudo service postgresql-${PGVER?} reload
For more information on configuring PostgreSQL to use SSL, see supplementary content APPENDIX-G.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PGS_SQL_9-x_V2R5_STIG.zip
Item Details
Audit Name: DISA STIG PostgreSQL 9.x on RHEL DB v2r5
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-8(2), CAT|II, CCI|CCI-002420, Rule-ID|SV-214113r961638_rule, STIG-ID|PGS9-00-007200, STIG-Legacy|SV-87633, STIG-Legacy|V-72981, Vuln-ID|V-214113
Plugin: PostgreSQLDB
Control ID: c3b161d5e78ebcedf70089be87cc34f4fa9321998829d593f789226b9ead79b4