VMware Postgres must enforce authorized access to all public key infrastructure (PKI) private keys.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-256602 | VCPG-70-000012 | SV-256602r887592_rule | CCI-000186 | high |

Description

The DOD standard for authentication is DOD-approved PKI certificates. PKI certificate-based authentication is performed by requiring the certificate holder to cryptographically prove possession of the corresponding private key. If a private key is stolen, an attacker can use it to impersonate the certificate holder. In cases where the database management system (DBMS)-stored private keys are used to authenticate the DBMS to the system's clients, loss of the corresponding private keys would allow an attacker to successfully perform undetected man-in-the-middle attacks against the DBMS system and its clients. All access to the private key(s) of the DBMS must be restricted to authorized and authenticated users.

| STIG | Date |
| --- | --- |
| VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide | 2023-06-15 |
Details
Check Text (C-256602r887592_chk)
At the command prompt, run the following command:
# stat -c "%a:%U:%G" /storage/db/vpostgres_ssl/server.key
Expected result:
600:vpostgres:vpgmongrp
If the output does not match the expected result, this is a finding.
Note that the comparison is an exact match on all three fields (octal mode, owner, group). A key that is more restrictive than 600 (for example 400), or that is owned by root rather than vpostgres, is still a finding under this check even though PostgreSQL itself will start with a root-owned key of mode 0640 or stricter; bring the file to exactly 600:vpostgres:vpgmongrp rather than merely "at least as tight".
Fix Text (F-60220r887591_fix)
At the command prompt, run the following commands:
# chmod 600 /storage/db/vpostgres_ssl/server.key
# chown vpostgres:vpgmongrp /storage/db/vpostgres_ssl/server.key
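As an added example that is not part of the STIG or of VMware's own tooling, the following POSIX shell script wraps the check and the fix above into reusable functions so the finding can be evaluated and remediated consistently across appliances. It assumes GNU coreutils stat (the same stat invocation the STIG check uses on the appliance) and root privileges for the fix path; the key path and expected mode:owner:group triple default to the STIG values and can be overridden through the KEY_PATH and EXPECTED environment variables, which are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the STIG. Assumes GNU coreutils stat (as used by
# the STIG check itself) and root privileges when remediating (chown).

KEY_PATH="${KEY_PATH:-/storage/db/vpostgres_ssl/server.key}"
EXPECTED="${EXPECTED:-600:vpostgres:vpgmongrp}"

# Print the mode:owner:group triple the STIG check compares against.
key_perms() {
    stat -c "%a:%U:%G" "$1"
}

# Return 0 when the key's triple matches the expected value exactly (the STIG
# check is an exact string match, so 400 or root ownership also fails),
# 1 otherwise or when the file cannot be stat'ed.
check_key() {
    key="$1"; expected="$2"
    actual=$(key_perms "$key") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "PASS: $key is $actual"
        return 0
    fi
    echo "FINDING: $key is $actual, expected $expected" >&2
    return 1
}

# Apply the fix text: set the mode, then the owner and group. Both are taken
# from the same mode:owner:group triple so check and fix cannot drift apart.
fix_key() {
    key="$1"; expected="$2"
    mode=${expected%%:*}
    owner_group=${expected#*:}
    chmod "$mode" "$key" && chown "$owner_group" "$key"
}

# Command-line entry point: "check" evaluates the finding, "fix" remediates
# and then re-checks. With no argument the script only defines the functions,
# so it can be sourced from other tooling.
case "${1:-}" in
    check) check_key "$KEY_PATH" "$EXPECTED" ;;
    fix)   fix_key "$KEY_PATH" "$EXPECTED" && check_key "$KEY_PATH" "$EXPECTED" ;;
    "")    : ;;
    *)     echo "usage: $0 {check|fix}" >&2 ;;
esac
```

Run `sh check_vpostgres_key.sh check` as root on the appliance to evaluate the finding (exit status 1 means a finding), and `sh check_vpostgres_key.sh fix` to apply the STIG fix text and confirm the result in one step. Keeping the expected triple as a single string mirrors the STIG's exact-match semantics: there is no separate "mode is at most 600" test, because that is not what the check asks for.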