The DBMS must map the PKI-authenticated identity to an associated user account.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259251	EPAS-00-004700	SV-259251r938806_rule		Medium

Description
The DOD standard for authentication is DOD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a DBMS user account for the authenticated identity to be meaningful to the DBMS and useful for authorization decisions.

STIG	Date
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide	2023-11-20

Details

Check Text ( C-62990r938804_chk )
The Common Name (cn) attribute of the certificate will be compared to the requested database user name and, if they match, the login will be allowed. To check the cn of the certificate, using openssl, do the following: $ openssl x509 -noout -subject -in client_cert If the cn does not match the users listed in PostgreSQL and no user mapping is used, this is a finding. User name mapping can be used to allow cn to be different from the database user name. If User Name Maps are used, run the following as the database administrator (shown here as "enterprisedb"), to get a list of maps used for authentication: $ sudo su - enterprisedb $ grep "map" $/pg_hba.conf The default path for the postgresql data directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances. With the names of the maps used, check those maps against the user name mappings in pg_ident.conf: $ sudo su - enterprisedb $ cat /pg_ident.conf If user accounts are not being mapped to authenticated identities, this is a finding. If the cn and the username mapping do not match, this is a finding.

Check Text ( C-62990r938804_chk )

The Common Name (cn) attribute of the certificate will be compared to the requested database user name and, if they match, the login will be allowed.

To check the cn of the certificate, using openssl, do the following:

$ openssl x509 -noout -subject -in client_cert

If the cn does not match the users listed in PostgreSQL and no user mapping is used, this is a finding.

User name mapping can be used to allow cn to be different from the database user name. If User Name Maps are used, run the following as the database administrator (shown here as "enterprisedb"), to get a list of maps used for authentication:

$ sudo su - enterprisedb
$ grep "map" $/pg_hba.conf

The default path for the postgresql data directory is /var/lib/edb/as/data (PGDATA), but this will vary according to local circumstances.

With the names of the maps used, check those maps against the user name mappings in pg_ident.conf:

$ sudo su - enterprisedb
$ cat /pg_ident.conf

If user accounts are not being mapped to authenticated identities, this is a finding.

If the cn and the username mapping do not match, this is a finding.

Fix Text (F-62899r938805_fix)
Configure PostgreSQL to map authenticated identities directly to PostgreSQL user accounts.