If passwords are used for authentication, the vROps PostgreSQL DB must store only hashed, salted representations of passwords.

From VMW vRealize Operations Manager 6.x PostgreSQL Security Technical Implementation Guide

Associated with: CCI-000196

SV-98915r1_rule If passwords are used for authentication, the vROps PostgreSQL DB must store only hashed, salted representations of passwords.

Vulnerability discussion

The DoD standard for authentication is DoD-approved PKI certificates.Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.In such cases, database passwords stored in clear text, using reversible encryption, or using unsalted hashes would be vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes when stored internally or externally to the DBMS.

Check content

At the command prompt, execute the following command to enter the psql prompt: # cat /storage/db/vcops/vpostgres/data/pg_hba.conf If any rows have "trust" specified for the "METHOD" column, this is a finding.

Fix text

Navigate to and open /storage/db/vcops/vpostgres/data/pg_hba.conf. Navigate to the user that has a method of "trust". Change the method to md5. A correct, typical line will look like the below: # TYPE DATABASE USER ADDRESS METHOD host all all 127.0.0.1/32 md5

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.