PostgreSQL must protect its audit configuration from unauthorized modification.

From PostgreSQL 9.x Security Technical Implementation Guide

Part of SRG-APP-000122-DB-000203

Associated with: CCI-001494

SV-87713r1_rule PostgreSQL must protect its audit configuration from unauthorized modification.

Vulnerability discussion

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the modification of audit tools.Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Check content

All configurations for auditing and logging can be found in the postgresql.conf configuration file. By default, this file is owned by the database administrator account. To check that the permissions of the postgresql.conf are owned by the database administrator with permissions of 0600, run the following as the database administrator (shown here as "postgres"): $ sudo su - postgres $ ls -la ${PGDATA?} If postgresql.conf is not owned by the database administrator or does not have 0600 permissions, this is a finding. #### stderr Logging To check that logs are created with 0600 permissions, check the postgresql.conf file for the following setting: $ sudo su - postgres $ psql -c "SHOW log_file_mode" If permissions are not 0600, this is a finding. #### syslog Logging If PostgreSQL is configured to use syslog, verify that the logs are owned by root and have 0600 permissions. If they are not, this is a finding.

Fix text

Apply or modify access controls and permissions (both within PostgreSQL and in the file system/operating system) to tools used to view or modify audit log data. Tools must be configurable by authorized personnel only. $ sudo su - postgres $ vi ${PGDATA?}/postgresql.conf log_file_mode = 0600 Next, as the database administrator (shown here as "postgres"), change the ownership and permissions of configuration files in PGDATA: $ sudo su - postgres $ chown postgres:postgres ${PGDATA?}/*.conf $ chmod 0600 ${PGDATA?}/*.conf

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer