The EDB Postgres Advanced Server must generate audit records when privileges/permissions are retrieved.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259216 | EPAS-00-001200 | SV-259216r938701_rule | Medium |
| Description |
|---|
| Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted. |
| STIG | Date |
|---|---|
| EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide | 2023-11-20 |
Details
| Check Text ( C-62955r938699_chk ) |
|---|
| Execute the following SQL as the "enterprisedb" operating system user: > psql edb -c "SHOW edb_audit_statement" If the result is not "all" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding. |
| Fix Text (F-62864r938700_fix) |
|---|
| Execute the following SQL as the "enterprisedb" operating system user: > psql edb -c "ALTER SYSTEM SET edb_audit_statement = 'all'" > psql edb -c "SELECT pg_reload_conf()" or Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement. |