PostgreSQL must generate audit records when unsuccessful logons or connection attempts occur.

An XCCDF Rule

Description

For completeness of forensic analysis, it is necessary to track failed attempts to log on to PostgreSQL. While positive identification may not be possible in a case of failed authentication, as much information as possible about the incident must be captured.

ID: SV-214087r879874_rule
Version: PGS9-00-004600
Severity: Medium
References: CCI-000172
Updated: 5 days ago

Remediation Templates

Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.

To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging. 

If logging is enabled the following configurations must be made to log unsuccessful connections, date/time, username, and session identifier. 
First, as the database administrator (shown here as "postgres"), edit postgresql.conf: 

$ sudo su - postgres 
$ vi ${PGDATA?}/postgresql.conf 

Edit the following parameters: 

log_connections = on 
log_line_prefix = '< %m %u %c: >'  

Where: 
* %m is the time and date 
* %u is the username 
* %c is the session ID for the connection 

Now, as the system administrator, reload the server with the new configuration: 

# SYSTEMD SERVER ONLY 
$ sudo systemctl reload postgresql-${PGVER?}

# INITD SERVER ONLY 
$ sudo service postgresql-${PGVER?} reload

PostgreSQL must generate audit records when unsuccessful logons or connection attempts occur.

Description

Remediation Templates

A Manual Procedure