The EDB Postgres Advanced Server must invalidate session identifiers upon user logout or other session termination.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259258	EPAS-00-005200	SV-259258r938827_rule		Medium

Description
Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries to capture and continue to employ previously valid session IDs. This requirement focuses on communications protection for the DBMS session rather than for the network packet. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. Session IDs are tokens generated by DBMSs to uniquely identify a user's (or process's) session. DBMSs will make access decisions and execute logic based on the session ID. Unique session IDs help to reduce predictability of said identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. When a user logs out, or when any other session termination event occurs, the DBMS must terminate the user session(s) to minimize the potential for sessions to be hijacked.

Description

Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries to capture and continue to employ previously valid session IDs. This requirement focuses on communications protection for the DBMS session rather than for the network packet. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. Session IDs are tokens generated by DBMSs to uniquely identify a user's (or process's) session. DBMSs will make access decisions and execute logic based on the session ID. Unique session IDs help to reduce predictability of said identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. When a user logs out, or when any other session termination event occurs, the DBMS must terminate the user session(s) to minimize the potential for sessions to be hijacked.

STIG	Date
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide	2023-11-20

Details

Check Text ( C-62997r938825_chk )
As the "enterprisedb" user, run the following from the command line: > psql edb From the psql prompt run the following commands: SHOW statement_timeout; SHOW tcp_keepalives_idle; SHOW tcp_keepalives_interval; SHOW tcp_keepalives_count; If any of the above parameters has a value of "0", this is a finding.

Fix Text (F-62906r938826_fix)
As the "enterprisedb" user, run the following from the command line for all of the previously noted parameters with a value of "0" : psql edb ALTER SYSTEM SET statement_timeout = 10000; ALTER SYSTEM SET tcp_keepalives_idle = 10; ALTER SYSTEM SET tcp_keepalives_interval = 10; ALTER SYSTEM SET tcp_keepalives_count = 10; Note: The above values can be configured per organization requirements. Refer to documentation : https://www.enterprisedb.com/docs/epas/latest/reference/database_administrator_reference/02_summary_of_configuration_parameters/ From the operating system command line run the following as the "enterprisedb" user: systemctl restart edb-as-

Fix Text (F-62906r938826_fix)

As the "enterprisedb" user, run the following from the command line for all of the previously noted parameters with a value of "0" :

psql edb

ALTER SYSTEM SET statement_timeout = 10000;
ALTER SYSTEM SET tcp_keepalives_idle = 10;
ALTER SYSTEM SET tcp_keepalives_interval = 10;
ALTER SYSTEM SET tcp_keepalives_count = 10;

Note: The above values can be configured per organization requirements. Refer to documentation : https://www.enterprisedb.com/docs/epas/latest/reference/database_administrator_reference/02_summary_of_configuration_parameters/

From the operating system command line run the following as the "enterprisedb" user:

systemctl restart edb-as-