OpenControls Logo

STIG Viewer

The EDB Postgres Advanced Server must generate audit records when privileges/permissions are retrieved.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-259216EPAS-00-001200SV-259216r960885_ruleCCI-000172medium
Description
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.
STIGDate
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide2024-08-27

Related Frameworks

4 paths across 3 frameworks
NIST 800-531 mapping
AU-12
1.00
  • DISA · V2R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.3.1
1.00
  • DISA · V2R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.3.2
1.00
  • DISA · V2R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000172
1.00
  • DISA · V2R1 · disa_xccdf · related

Details

Check Text (C-259216r960885_chk)

Execute the following SQL as the "enterprisedb" operating system user: > psql edb -c "SHOW edb_audit_statement" If the result is not "all" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.

Fix Text (F-62864r938700_fix)

Execute the following SQL as the "enterprisedb" operating system user: > psql edb -c "ALTER SYSTEM SET edb_audit_statement = 'all'" > psql edb -c "SELECT pg_reload_conf()" or Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.