EDB Postgres Advanced Server software modules, to include stored procedures, functions, and triggers must be monitored to discover unauthorized changes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259235	EPAS-00-003210	SV-259235r938758_rule		Medium

Description
If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Monitoring is required for assurance that the protections are effective. Unmanaged changes that occur to the logic modules within the database can lead to unauthorized or compromised installations.

Description

If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Monitoring is required for assurance that the protections are effective. Unmanaged changes that occur to the logic modules within the database can lead to unauthorized or compromised installations.

STIG	Date
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide	2023-11-20

Details

Check Text ( C-62974r938756_chk )
Check the EDB Postgres configuration for a timed job that automatically checks all system and user-defined procedures, functions, and triggers for being modified by running the following EDB Postgres query: select job, what from ALL_JOBS; Additionally, in Postgres Enterprise Manager, navigate to the "Jobs" node of the database and examine the job from there. If a timed job or the relation "ALL_JOBS" does not exist, check if the EDB Audit utility has been enabled to capture these changes. As the "enterprisedb" operating system user, run the following command: > psql edb -c "SHOW edb_audit_statement" The output should return "all". If neither a timed job or some other method is not implemented to check for procedures, functions, and triggers being modified such as enabling EDB auditing, this is a finding.

Check Text ( C-62974r938756_chk )

Check the EDB Postgres configuration for a timed job that automatically checks all system and user-defined procedures, functions, and triggers for being modified by running the following EDB Postgres query:

select job, what from ALL_JOBS;

Additionally, in Postgres Enterprise Manager, navigate to the "Jobs" node of the database and examine the job from there.

If a timed job or the relation "ALL_JOBS" does not exist, check if the EDB Audit utility has been enabled to capture these changes. As the "enterprisedb" operating system user, run the following command:

> psql edb -c "SHOW edb_audit_statement"

The output should return "all".

If neither a timed job or some other method is not implemented to check for procedures, functions, and triggers being modified such as enabling EDB auditing, this is a finding.

Fix Text (F-62883r938757_fix)
Configure an EDB Postgres timed job that automatically checks all system and user-defined procedures, functions, and triggers for being modified, and in the event of such changes informs the proper personnel for evaluation and possible action. Refer to the EDB documentation for further information on how to configure a job using the DBMS_JOB package: https://www.enterprisedb.com/docs/epas/latest/reference/oracle_compatibility_reference/epas_compat_bip_guide/03_built-in_packages/05_dbms_job/ Alternatively, the EDB audit utility can capture these changes by enabling as follows: Execute the following SQL as the "enterprisedb" operating system user: > psql edb -c "ALTER SYSTEM SET edb_audit_statement = 'all'" > psql edb -c "SELECT pg_reload_conf()"

Fix Text (F-62883r938757_fix)

Configure an EDB Postgres timed job that automatically checks all system and user-defined procedures, functions, and triggers for being modified, and in the event of such changes informs the proper personnel for evaluation and possible action. Refer to the EDB documentation for further information on how to configure a job using the DBMS_JOB package: https://www.enterprisedb.com/docs/epas/latest/reference/oracle_compatibility_reference/epas_compat_bip_guide/03_built-in_packages/05_dbms_job/

Alternatively, the EDB audit utility can capture these changes by enabling as follows: Execute the following SQL as the "enterprisedb" operating system user:

> psql edb -c "ALTER SYSTEM SET edb_audit_statement = 'all'"
> psql edb -c "SELECT pg_reload_conf()"