Skip to content
Log In

PostgreSQL 9.x Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • PostgreSQL must limit privileges to change functions and triggers, and links to software external to PostgreSQL.

    If the system were to allow any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust cha...
    Rule Medium Severity
    Show

  • SRG-APP-000172-DB-000075

    Group
    Show

  • If passwords are used for authentication, PostgreSQL must transmit only encrypted representations of passwords.

    The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and require...
    Rule High Severity
    Show

  • SRG-APP-000033-DB-000084

    Group
    Show

  • SRG-APP-000314-DB-000310

    Group
    Show

  • PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in transmission.

    Without the association of security labels to information, there is no basis for PostgreSQL to make security-related access-control decisions. Security labels are abstractions representing the bas...
    Rule Medium Severity
    Show

  • SRG-APP-000001-DB-000031

    Group
    Show

  • PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.

    Database management includes the ability to control the number of users and user sessions utilizing PostgreSQL. Unlimited concurrent connections to PostgreSQL could allow a successful Denial of Ser...
    Rule Medium Severity
    Show

  • SRG-APP-000133-DB-000362

    Group
    Show

  • SRG-APP-000180-DB-000115

    Group
    Show

  • SRG-APP-000311-DB-000308

    Group
    Show

  • PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in storage.

    Without the association of security labels to information, there is no basis for PostgreSQL to make security-related access-control decisions. Security labels are abstractions representing the bas...
    Rule Medium Severity
    Show

  • SRG-APP-000251-DB-000160

    Group
    Show

  • PostgreSQL must check the validity of all data inputs except those specifically identified by the organization.

    Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated applic...
    Rule Medium Severity
    Show

  • SRG-APP-000251-DB-000391

    Group
    Show

  • PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it.

    With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various pr...
    Rule Medium Severity
    Show

  • SRG-APP-000251-DB-000392

    Group
    Show

  • PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

    With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various pr...
    Rule Medium Severity
    Show

  • SRG-APP-000357-DB-000316

    Group
    Show

  • SRG-APP-000328-DB-000301

    Group
    Show

  • PostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.

    Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which...
    Rule Medium Severity
    Show

  • SRG-APP-000120-DB-000061

    Group
    Show

  • SRG-APP-000374-DB-000322

    Group
    Show

  • PostgreSQL must record time stamps, in audit records and application data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).

    If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by PostgreSQL must include date and time. Tim...
    Rule Medium Severity
    Show

  • SRG-APP-000267-DB-000163

    Group
    Show

  • SRG-APP-000090-DB-000065

    Group
    Show

  • PostgreSQL must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

    Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events. ...
    Rule Medium Severity
    Show

  • SRG-APP-000360-DB-000320

    Group
    Show

  • SRG-APP-000442-DB-000379

    Group
    Show

  • PostgreSQL must maintain the confidentiality and integrity of information during reception.

    Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/un...
    Rule Medium Severity
    Show

  • SRG-APP-000133-DB-000200

    Group
    Show

  • SRG-APP-000133-DB-000198

    Group
    Show

  • The PostgreSQL software installation account must be restricted to authorized users.

    When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effec...
    Rule High Severity
    Show

  • SRG-APP-000133-DB-000199

    Group
    Show

  • Database software, including PostgreSQL configuration files, must be stored in dedicated directories separate from the host OS and other applications.

    When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have sign...
    Rule Medium Severity
    Show

  • SRG-APP-000101-DB-000044

    Group
    Show

  • PostgreSQL must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.

    Information system auditing capability is critical for accurate forensic analysis. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough infor...
    Rule Medium Severity
    Show

  • SRG-APP-000342-DB-000302

    Group
    Show

  • SRG-APP-000447-DB-000393

    Group
    Show

  • When invalid inputs are received, PostgreSQL must behave in a predictable and documented manner that reflects organizational and system objectives.

    A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information syst...
    Rule Medium Severity
    Show

  • SRG-APP-000356-DB-000314

    Group
    Show

  • SRG-APP-000233-DB-000124

    Group
    Show

  • PostgreSQL must isolate security functions from non-security functions.

    An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and...
    Rule Medium Severity
    Show

  • SRG-APP-000381-DB-000361

    Group
    Show

  • SRG-APP-000118-DB-000059

    Group
    Show

  • SRG-APP-000454-DB-000389

    Group
    Show

  • When updates are applied to PostgreSQL software, any software components that have been replaced or made unnecessary must be removed.

    Previous versions of PostgreSQL components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some PostgreSQL installation tools ma...
    Rule Medium Severity
    Show

  • SRG-APP-000494-DB-000344

    Group
    Show

  • PostgreSQL must generate audit records when categorized information (e.g., classification levels/security levels) is accessed.

    Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected. For detailed information on categorizing information, refer t...
    Rule Medium Severity
    Show

  • SRG-APP-000492-DB-000333

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules