PostgreSQL must generate audit records showing starting and ending time for user access to the database(s).

An XCCDF Rule

Description

For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to PostgreSQL lasts. This can be achieved by recording disconnections, in addition to logons/connections, in the audit logs. Disconnection may be initiated by the user or forced by the system (as in a timeout) or result from a system or network failure. To the greatest extent possible, all disconnections must be logged.

ID: SV-214088r879876_rule
Version: PGS9-00-004700
Severity: Medium
References: CCI-000172
Updated: 5 days ago

Remediation Templates

Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.

To ensure that logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging. 

If logging is enabled the following configurations must be made to log connections, date/time, username, and session identifier. 
First, as the database administrator (shown here as "postgres"), edit postgresql.conf by running the following: 

$ sudo su - postgres 
$ vi ${PGDATA?}/postgresql.conf 

Edit the following parameters: 

log_connections = on 
log_disconnections = on 
log_line_prefix = '< %m %u %c: >'  

Where: 
* %m is the time and date 
* %u is the username 
* %c is the session ID for the connection 

Now, as the system administrator, reload the server with the new configuration: 

# SYSTEMD SERVER ONLY 
$ sudo systemctl reload postgresql-${PGVER?} 

# INITD SERVER ONLY 
$ sudo service postgresql-${PGVER?} reload

PostgreSQL must generate audit records showing starting and ending time for user access to the database(s).

Description

Remediation Templates

A Manual Procedure