The EDB Postgres Advanced Server must generate audit records when privileges/permissions are retrieved.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-259216 | EPAS-00-001200 | SV-259216r960885_rule | CCI-000172 | medium |
| Description | ||||
| Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted. | ||||
| STIG | Date | |||
| EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide | 2024-08-27 | |||
Details
Check Text (C-259216r960885_chk)
Execute the following SQL as the "enterprisedb" operating system user:
> psql edb -c "SHOW edb_audit_statement"
If the result is not "all" or if the current setting for this requirement has not been noted and approved by the organization in the system documentation, this is a finding.
Fix Text (F-62864r938700_fix)
Execute the following SQL as the "enterprisedb" operating system user:
> psql edb -c "ALTER SYSTEM SET edb_audit_statement = 'all'"
> psql edb -c "SELECT pg_reload_conf()"
or
Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.