If DBMS authentication, using passwords, is employed, EDB Postgres Advanced Server must enforce the DOD standards for password complexity and lifetime.

An XCCDF Rule

Description

<VulnDiscussion>OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstances make it unavoidable, and must be documented and Authorizing Official (AO)-approved. The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, the DOD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. For other DBMSs, the rules must be enforced using available configuration parameters or custom code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259246r1015716_rule
Severity: High
References: CCI-000192 CCI-004066
Updated: 17 days ago

After creating a password verification function, configure the default profile to use it and the other required password related settings.

To facilitate checking that a new password is sufficiently different from a previously used one, the dod_verify_password function uses the Levenshtein function, which is available as part of the PostgreSQL fuzzystrmatch extension.

Before creating the password verification function, check whether the fuzzystrmatch extension is installed by executing the following SQL query as enterprisedb:
 SELECT extname FROM pg_extension;

If "fuzzystrmatch" is not listed, execute the following SQL to install the extension as enterprisedb:

 CREATE EXTENSION fuzzystrmatch;

With the fuzzystrmatch extension installed, execute the following SQL statements as enterprisedb:

 CREATE OR REPLACE FUNCTION sys.dod_verify_password(user_name varchar2, new_password varchar2, old_password varchar2) 
 RETURN boolean IMMUTABLE 
 IS 
 pwd_length integer := NVL( length(new_password), 0 );

 min_length integer := 15;
 min_lower integer := 1;
 min_upper integer := 1;
 min_numeric integer := 1;
 min_special integer := 1;
 min_diff integer := ceil(min_length::numeric / 2);

 cnt_lower integer := 0;
 cnt_upper integer := 0;
 cnt_numeric integer := 0;
 cnt_special integer := 0;

 cnt_diff integer := 0;

 i integer ;
 curr_char CHAR(1);

 BEGIN

 --
 -- Check Length of new password
 --
 IF ( pwd_length < min_length ) 
 THEN 
 raise_application_error(-20001, 'Password is too short. Password must be at least '||min_length||' characters long.'); 
 END IF;

 --
 -- Get count of each character type in new password.
 --
 FOR i in 1..pwd_length LOOP
 curr_char := substr(new_password, i, 1);

 IF ( curr_char SIMILAR TO '[a-z]' ) THEN
 cnt_lower := cnt_lower + 1;
 ELSIF ( curr_char SIMILAR TO '[A-Z]' ) THEN
 cnt_upper := cnt_upper + 1;
 ELSIF ( curr_char SIMILAR TO '[0-9]' ) THEN
 cnt_numeric := cnt_numeric + 1;
 ELSE
 cnt_special := cnt_special + 1;
 END IF;
 END LOOP;

 --
 -- Calculate Levenshtein difference between old and new password
 --
 cnt_diff := levenshtein( old_password, new_password );

 -- Check if new password has minimum number of lowercase characters
 IF cnt_lower < min_lower THEN
 raise_application_error(-20004, 'Password must contain at least '||min_lower||' lowercase character(s)'); 
 END IF;

 -- Check if new password has minimum number of uppercase characters
 IF cnt_upper < min_upper THEN
 raise_application_error(-20003, 'Password must contain at least '||min_upper||' uppercase character(s)'); 
 END IF;

 -- Check if new password has minimum number of numeric characters
 IF cnt_numeric < min_numeric THEN
 raise_application_error(-20005, 'Password must contain at least '||min_numeric||' numeric character(s)'); 
 END IF;

 -- Check if new password has minimum number of special characters
 IF cnt_special < min_special THEN
 raise_application_error(-20006, 'Password must contain at least '||min_special||' special character(s)'); 
 END IF;

 -- Check if new password differs from old password by minimum number of required characters
 IF cnt_diff < min_diff THEN
 raise_application_error(-20007, 'Password must differ from old password by at least '||min_diff||' character(s)'); 
 END IF;


 RETURN true; 
 END; 

 ALTER FUNCTION sys.dod_verify_password(varchar2, varchar2, varchar2) OWNER TO enterprisedb;

Next, execute the following statement (or a variant of this) to set the default profile for DOD standards:

 ALTER PROFILE DEFAULT LIMIT
 FAILED_LOGIN_ATTEMPTS 3 
 PASSWORD_LOCK_TIME 1
 PASSWORD_LIFE_TIME 60
 PASSWORD_GRACE_TIME 3
 PASSWORD_REUSE_TIME 180
 PASSWORD_REUSE_MAX 5
 PASSWORD_VERIFY_FUNCTION dod_verify_password;

Note that the above statement assumes that the password verification function is named "dod_verify_password". If the function was created with a different name, update the ALTER PROFILE statement above as appropriate.

If DBMS authentication, using passwords, is employed, EDB Postgres Advanced Server must enforce the DOD standards for password complexity and lifetime.

Description

Remediation - Manual Procedure