VMware Postgres must enforce authorized access to all public key infrastructure (PKI) private keys.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-256602 | VCPG-70-000012 | SV-256602r887592_rule | High |
| Description |
|---|
| The DOD standard for authentication is DOD-approved PKI certificates. PKI certificate-based authentication is performed by requiring the certificate holder to cryptographically prove possession of the corresponding private key. If a private key is stolen, an attacker can use it to impersonate the certificate holder. In cases where the database management system (DBMS)-stored private keys are used to authenticate the DBMS to the system's clients, loss of the corresponding private keys would allow an attacker to successfully perform undetected man-in-the-middle attacks against the DBMS system and its clients. All access to the private key(s) of the DBMS must be restricted to authorized and authenticated users. |
| STIG | Date |
|---|---|
| VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide | 2023-06-15 |
Details
| Check Text ( C-60277r887590_chk ) |
|---|
| At the command prompt, run the following command: # stat -c "%a:%U:%G" /storage/db/vpostgres_ssl/server.key Expected result: 600:vpostgres:vpgmongrp If the output does not match the expected result, this is a finding. |
| Fix Text (F-60220r887591_fix) |
|---|
| At the command prompt, run the following commands: # chmod 600 /storage/db/vpostgres_ssl/server.key # chown vpostgres:vpgmongrp /storage/db/vpostgres_ssl/server.key |