Crunchy Data PostgreSQL Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
PostgreSQL must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. P...
Rule (Medium Severity)
PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
One class of man-in-the-middle, or session hijacking, attack involves the adversary guessing at valid session identifiers based on patterns in identifiers already known. The preferred technique fo...
Rule (Medium Severity)
PostgreSQL must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
This addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). ...
Rule (Medium Severity)
PostgreSQL must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. System ...
Rule (High Severity)
PostgreSQL must protect its audit configuration from unauthorized modification.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...
Rule (Medium Severity)
PostgreSQL must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated ...
Rule (High Severity)
PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner’s requirements.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards ...
Rule (High Severity)
SRG-APP-000499-DB-000331
Group
SRG-APP-000091-DB-000066
Group
SRG-APP-000357-DB-000316
Group
SRG-APP-000090-DB-000065
Group
SRG-APP-000503-DB-000350
Group
PostgreSQL must generate audit records when successful logons or connections occur.
For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to PostgreSQL.
Rule (Medium Severity)
SRG-APP-000099-DB-000043
Group
SRG-APP-000456-DB-000390
Group
SRG-APP-000119-DB-000060
Group
The audit information produced by PostgreSQL must be protected from unauthorized modification.
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veraci...
Rule (Medium Severity)
SRG-APP-000023-DB-000001
Group
SRG-APP-000501-DB-000336
Group
PostgreSQL must generate audit records when security objects are deleted.
The removal of security objects from the database/PostgreSQL would seriously degrade a system's information assurance posture. If such an event occurs, it must be logged.
Rule (Medium Severity)