PostgreSQL must generate audit records showing starting and ending time for user access to the database(s).

From PostgreSQL 9.x Security Technical Implementation Guide

Part of SRG-APP-000505-DB-000352

Associated with: CCI-000172

SV-87577r2_rule PostgreSQL must generate audit records showing starting and ending time for user access to the database(s).

Vulnerability discussion

For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to PostgreSQL lasts. This can be achieved by recording disconnections, in addition to logons/connections, in the audit logs.Disconnection may be initiated by the user or forced by the system (as in a timeout) or result from a system or network failure. To the greatest extent possible, all disconnections must be logged.

Check content

Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA. First, log into the database with the postgres user by running the following commands: $ sudo su - postgres $ psql -U postgres Next, as the database administrator, verify the log for a connection audit trail: $ sudo su - postgres $ cat ${PGDATA?}/pg_log/postgresql-Tue.log < 2016-02-23 20:25:39.931 EST postgres 56cfa993.7a72 postgres: >LOG: connection authorized: user=postgres database=postgres < 2016-02-23 20:27:45.428 EST postgres 56cfa993.7a72 postgres: >LOG: AUDIT: SESSION,1,1,READ,SELECT,,,SELECT current_user;, < 2016-02-23 20:27:47.988 EST postgres 56cfa993.7a72 postgres: >LOG: disconnection: session time: 0:00:08.057 user=postgres database=postgres host=[local] If connections are not logged, this is a finding.

Fix text

Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.  If logging is enabled the following configurations must be made to log connections, date/time, username, and session identifier.  First, as the database administrator (shown here as "postgres"), edit postgresql.conf by running the following:  $ sudo su - postgres  $ vi ${PGDATA?}/postgresql.conf  Edit the following parameters:  log_connections = on  log_disconnections = on  log_line_prefix = '< %m %u %c: >'   Where:  * %m is the time and date  * %u is the username  * %c is the session ID for the connection  Now, as the system administrator, reload the server with the new configuration:  # SYSTEMD SERVER ONLY  $ sudo systemctl reload postgresql-${PGVER?} # INITD SERVER ONLY  $ sudo service postgresql-${PGVER?} reload

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer