UCF STIG Viewer Logo

The EDB Postgres Advanced Server password file must not be used.


Overview

Finding ID Version Rule ID IA Controls Severity
V-224173 EP11-00-004850 SV-224173r508023_rule Medium
Description
The EDB Postgres password file can contain passwords to be used if the connection allows a password (and no password has been specified otherwise). This file contain lines of the following format: hostname:port:database:username:password It is critically important to system security that use of a password file be avoided as it stores passwords in plain text. Any user with access to these could potentially compromise the security of the database.
STIG Date
EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide 2022-06-13

Details

Check Text ( C-25846r495537_chk )
Check DBMS settings to determine whether a password file is being used.

On Windows the default file name and location is:
%APPDATA%\postgresql\pgpass.conf (where %APPDATA% refers to the Application Data subdirectory in the user's profile).
Alternatively, a password file can be specified using the connection parameter passfile or the environment variable PGPASSFILE.

If a password file exists, this is a finding.
If a password file is not in use, this is not a finding.
Fix Text (F-25834r495538_fix)
Remove any password files present on the server and implement a more secure form of authentication.

The DoD standard for authentication is DoD-approved PKI certificates.