{"assessment-plan":{"uuid":"f7f0b3fb-3654-5371-a063-cb7bb6600d4c","metadata":{"props":[{"ns":"https://cisecurity.org/ns","name":"cis-benchmark-id","value":"xccdf_org.cisecurity.benchmarks_benchmark_1.0.0_CIS_PostgreSQL_18_Benchmark"}],"roles":[{"id":"assessor","title":"Assessor"},{"id":"asset-owner","title":"Asset Owner"}],"title":"CIS PostgreSQL 18 Benchmark","parties":[{"name":"Assessment Organization","type":"organization","uuid":"11b0a61f-69cd-533e-b79b-2610ab79e2aa"}],"version":"1.0.0","published":"2026-04-16T16:12:02Z","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"34bc9c34-74e6-4c34-82e2-b1fe1057f91f"}],"last-modified":"2026-04-16T16:12:02Z","oscal-version":"1.2.1","responsible-parties":[{"role-id":"assessor","party-uuids":["11b0a61f-69cd-533e-b79b-2610ab79e2aa"]}]},"import-ssp":{"href":"https://registry.oscal.io/api/v1/pirooz-javan/system-security-plans/17eb373b-6c3a-4ef9-a021-0f8995cb4ce2"},"local-definitions":{"activities":[{"uuid":"66010ee5-6768-59ec-8fab-b14bcc389987","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"1"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"group","value":"1 Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.1_Ensure_packages_are_obtained_from_authorized_repositories"}],"steps":[{"uuid":"0c79835c-9d91-5840-9416-471ed0b8fc41","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.1_Ensure_packages_are_obtained_from_authorized_repositories"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/2/subcontrol/1"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/2/subcontrol/1"}],"title":"Audit for Ensure packages are obtained from authorized repositories","remarks":"Being open-source, PostgreSQL packages are widely available across the internet through package aggregators and providers. However, using invalid or unauthorized sources for packages can lead to implementing untested, defective, or malicious software.\n\n Many organizations choose to implement a local software repository within their organization. Care must be taken to ensure that only valid and authorized packages are downloaded and installed into such local repositories.\n\n From a security perspective, it's imperative to verify the PostgreSQL binary packages are sourced from a valid software repository. For a complete listing of all PostgreSQL binaries available via configured repositories inspect the output from ` dnf provides '*libpq.so' ` or ` apt-file search /usr/pgsql-18/lib/libpq.so.5 ` .","description":"## Description\n\nStandard Linux distributions, although possessing the requisite packages, often do not have PostgreSQL pre-installed. The installation process includes installing the binaries and the means to generate a data cluster. Package installation should include both the server and client packages. Contribution modules are optional depending upon one's architectural requirements (they are recommended though).\n\n When obtaining and installing software packages (typically via ` dnf ` or ` apt ` ), it's imperative that packages are sourced only from valid and authorized repositories. For PostgreSQL, the canonical repositories are the official PostgreSQL YUM repository (yum.postgresql.org) and the official PostgreSQL APT repository (apt.postgresql.org). Your chosen PostgreSQL vendor may offer its own software repositories as well."},{"uuid":"a1232ae1-2be0-5648-8585-893d117df02a","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.1_Ensure_packages_are_obtained_from_authorized_repositories"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure packages are obtained from authorized repositories","description":"Alter the configured repositories so they only include valid and authorized sources of packages. \n\n As an example of adding an authorized repository, we will install the PGDG repository RPM from ' yum.postgresql.org ': \n\n \n```bash\n# whoami \n root \n # dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm \n Last metadata expiration check: 0:01:35 ago on Mon 03 Oct 2022 01:19:37 PM EDT. \n [snip] \n Installed: \n pgdg-redhat-repo-42.0-64.noarch \n \n Complete! \n # whoami \n root \n # dnf repolist all | egrep 'enabled$' \n pgdg-common PostgreSQL common enabled \n pgdg14 PostgreSQL 14 for enabled \n pgdg15 PostgreSQL 15 for enabled \n pgdg16 PostgreSQL 16 for enabled \n pgdg17 PostgreSQL 17 for enabled \n rhel-9-for-x86_64-appstream-rpms Red Hat Enterprise enabled \n rhel-9-for-x86_64-baseos-rpms Red Hat Enterprise enabled\n```\n If the version of PostgreSQL installed is not 18.x or they did not come from a valid repository, the packages may be uninstalled using this command: \n\n \n```bash\n# whoami \n root \n # dnf remove $(rpm -qa|grep postgres)\n```\n To install the PGDG RPMs for PostgreSQL 18.x, run: \n\n \n```bash\n# whoami \n root \n # dnf install -y postgresql18-{server,contrib} \n \n Installed: \n \n postgresql18-18.3-1PGDG.rhel9.x86_64 postgresql18-contrib-18.3-1PGDG.rhel9.x86_64 \n postgresql18-libs-18.3-1PGDG.rhel9.x86_64 postgresql18-server-18.3-1PGDG.rhel9.x86_64 \n Complete!\n```"}],"title":"Ensure packages are obtained from authorized repositories","description":"Standard Linux distributions, although possessing the requisite packages, often do not have PostgreSQL pre-installed. The installation process includes installing the binaries and the means to generate a data cluster. Package installation should include both the server and client packages. Contribution modules are optional depending upon one's architectural requirements (they are recommended though). When obtaining and installing software packages (typically via dnf or apt ), it's imperative that packages are sourced only from valid and authorized repositories. For PostgreSQL, the canonical repositories are the official PostgreSQL YUM repository (yum.postgresql.org) and the official PostgreSQL APT repository (apt.postgresql.org). Your chosen PostgreSQL vendor may offer its own software repositories as well."},{"uuid":"27c5f401-2479-51b1-976c-e2a23cc5daff","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"2"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"group","value":"1 Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.2_Install_only_required_packages"}],"steps":[{"uuid":"9404eb18-82db-59ea-8cf7-7a9f31a86757","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.2_Install_only_required_packages"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/8"}],"title":"Audit for Install only required packages","remarks":"Unused packages can increase the potential attack surface of the system.","description":"## Description\n\nDepending on the distribution, several other packages next to the mandatory ` postgresql ` might have been installed upon a system.Typical add-on packages are:\n\n - ` postgresql-doc ` : PostgreSQL documentation. - ` phppgadmin ` : PostgreSQL web-based administration tool. - ..."},{"uuid":"8f0a7cc4-93db-5688-8368-915cb3d0898a","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.2_Install_only_required_packages"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Install only required packages","description":"Examine the installed packages: \n\n Debian: \n\n \n```bash\ndpkg -l $(apt-cache search postgresql --names-only| awk '{print $1}') 2>&1 | grep -v 'no packages found'\n```\n RHEL: \n\n \n```bash\nrpm -q $(dnf search postgresql | cut -d: -f1 | cut -d. -f1) 2>&1 | grep -Ev 'package.*is not installed'\n```\n Remove any identified packages that are undesired: \n\n Debian: \n\n \n```bash\napt purge\n```\n RHEL: \n\n \n```bash\ndnf erase\n```"}],"title":"Install only required packages","description":"Depending on the distribution, several other packages next to the mandatory postgresql might have been installed upon a system.Typical add-on packages are: postgresql-doc : PostgreSQL documentation. phppgadmin : PostgreSQL web-based administration tool. ..."},{"uuid":"edcda71b-f1ab-5983-ad5c-b002d33cd948","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"3"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"group","value":"1 Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.3_Ensure_systemd_Service_Files_Are_Enabled"}],"steps":[{"uuid":"cad9c51c-96d1-5528-82b1-574c843a5efe","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.3_Ensure_systemd_Service_Files_Are_Enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/1"}],"title":"Audit for Ensure systemd Service Files Are Enabled","remarks":"Enabling the ` systemd ` service on the OS ensures the database service is active when a change of state occurs as in the case of a system startup or reboot.","description":"## Description\n\nConfirm, and correct if necessary, the PostgreSQL ` systemd ` service is enabled."},{"uuid":"4574fa31-1902-5103-872b-f6b6ebadfc50","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.3_Ensure_systemd_Service_Files_Are_Enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure systemd Service Files Are Enabled","description":"Irrespective of package source, PostgreSQL services can be identified because it typically includes the text string \"postgresql\". PGDG installs do not automatically register the service as a \"want\" of the default ` systemd ` target. Multiple instances of PostgreSQL services often distinguish themselves using a version number. \n\n \n```bash\n# whoami \n root \n # systemctl enable postgresql-18 \n Created symlink /etc/systemd/system/multi-user.target.wants/postgresql-18.service → /usr/lib/systemd/system/postgresql-18.service. \n # systemctl is-enabled postgresql-18.service \n enabled\n```"}],"title":"Ensure systemd Service Files Are Enabled","description":"Confirm, and correct if necessary, the PostgreSQL systemd service is enabled."},{"uuid":"05eb40b2-ad4e-55f8-bd6d-ed57fbe3a585","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"4"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"group","value":"1 Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.4_Ensure_Data_Cluster_Initialized_Successfully"}],"steps":[{"uuid":"52a82285-f8eb-528c-9578-14a36c2d1785","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.4_Ensure_Data_Cluster_Initialized_Successfully"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3"}],"title":"Audit for Ensure Data Cluster Initialized Successfully","remarks":"For the purposes of security, PostgreSQL enforces ownership and permissions of the data cluster such that:\n\n - An initialized data cluster is owned by the UNIX account that created it. - The data cluster cannot be accessed by other UNIX user accounts. - The data cluster cannot be created or owned by ` root ` - The PostgreSQL process cannot be invoked by ` root ` nor any UNIX user account other than the owner of the data cluster. Incorrectly instantiating the data cluster will result in a failed installation.","description":"## Description\n\nFirst-time installs of a given PostgreSQL major release require the instantiation of the database cluster. A database cluster is a collection of databases that are managed by a single server instance."},{"uuid":"3573527c-57c6-5ba0-999e-0f41cb4a83b4","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.4_Ensure_Data_Cluster_Initialized_Successfully"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure Data Cluster Initialized Successfully","description":"Attempting to instantiate a data cluster to an existing non-empty directory will fail: \n\n \n```bash\n# whoami \n root \n # PGSETUP_INITDB_OPTIONS=\"-k\" /usr/pgsql-18/bin/postgresql-18-setup initdb \n Data directory is not empty!\n```\n In the case of a cluster instantiation failure, one must delete/remove the entire data cluster directory and repeat the ` initdb ` command: \n\n \n```bash\n# whoami \n root \n # rm -rf ~postgres/18 \n # PGSETUP_INITDB_OPTIONS=\"-k\" /usr/pgsql-18/bin/postgresql-18-setup initdb \n Initializing database ... OK\n```"}],"title":"Ensure Data Cluster Initialized Successfully","description":"First-time installs of a given PostgreSQL major release require the instantiation of the database cluster. A database cluster is a collection of databases that are managed by a single server instance."},{"uuid":"eaec4db5-f4ba-5679-b00c-0762bc9f8c8c","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"5"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"group","value":"1 Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.5_Ensure_the_Latest_Security_Patches_are_Applied"}],"steps":[{"uuid":"e1d10eff-5810-56f8-a959-6dcdaf769fd7","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.5_Ensure_the_Latest_Security_Patches_are_Applied"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/2/subcontrol/2"}],"title":"Audit for Ensure the Latest Security Patches are Applied","remarks":"Maintaining parity with PostgreSQL patches will help reduce the risk associated with known vulnerabilities present in the PostgreSQL server.\n\n Without the latest security patches, PostgreSQL might have known vulnerabilities which could be used by an attacker to gain access.","description":"## Description\n\nPostgreSQL updates are released to resolve bugs, and mitigate vulnerabilities quarterly (or sooner for drastic CVEs). It is recommended that PostgreSQL installations are kept up to date with the latest security updates. The PostgreSQL development group guarantees that point releases (or \"minor releases\") will not change the behavior of an existing install and as such are \"safe\" to install without fear of changes to your application's behavior."},{"uuid":"55f3d330-26e9-5f47-98f5-3b74b41ad323","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.5_Ensure_the_Latest_Security_Patches_are_Applied"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the Latest Security Patches are Applied","description":"Install the latest patches available for your version: \n\n RHEL: \n\n \n```bash\nsudo dnf update $(rpm -qa | grep '^postgresql')\n```\n Debian: \n\n \n```bash\nsudo apt-get install --only-upgrade $(dpkg-query -W -f '${db:Status-Status} ${Package}\\n' 'postgresql*' | awk '$1 != \"not-installed\" {print $NF}')\n```\n Impact: \n\n To update the PostgreSQL server a restart is required which will cause a momentary service outage."}],"title":"Ensure the Latest Security Patches are Applied","description":"PostgreSQL updates are released to resolve bugs, and mitigate vulnerabilities quarterly (or sooner for drastic CVEs). It is recommended that PostgreSQL installations are kept up to date with the latest security updates. The PostgreSQL development group guarantees that point releases (or \"minor releases\") will not change the behavior of an existing install and as such are \"safe\" to install without fear of changes to your application's behavior."},{"uuid":"4d374a26-ce2d-57e2-8930-4ebc586b73b6","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"6"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"group","value":"1 Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.6_Verify_That_PGPASSWORD_is_Not_Set_in_Users_Profiles"}],"steps":[{"uuid":"5e0252d0-7d4d-5ad3-9a92-f88023e53539","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.6_Verify_That_PGPASSWORD_is_Not_Set_in_Users_Profiles"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/11"}],"title":"Audit for Verify That 'PGPASSWORD' is Not Set in Users' Profiles","remarks":"Use of the ` PGPASSWORD ` environment variable implies PostgreSQL credentials are stored as clear text. Avoiding this may increase assurance that the confidentiality of PostgreSQL credentials is preserved.","description":"## Description\n\nPostgreSQL can read a default database password from an environment variable called ` PGPASSWORD ` ."},{"uuid":"18dc5689-abb4-5616-a13c-dbb807284328","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.6_Verify_That_PGPASSWORD_is_Not_Set_in_Users_Profiles"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Verify That 'PGPASSWORD' is Not Set in Users' Profiles","description":"Check which users and/or scripts are setting ` PGPASSWORD ` and change them to use a more secure method."}],"title":"Verify That 'PGPASSWORD' is Not Set in Users' Profiles","description":"PostgreSQL can read a default database password from an environment variable called PGPASSWORD ."},{"uuid":"82feb3a2-a079-5019-9175-468feeb6b2ee","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"7"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"group","value":"1 Installation and Patches"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.7_Verify_That_the_PGPASSWORD_Environment_Variable_is_Not_in_Use"}],"steps":[{"uuid":"98c674f9-66e7-5b32-a5b6-c08d38928c43","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.7_Verify_That_the_PGPASSWORD_Environment_Variable_is_Not_in_Use"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/11"}],"title":"Audit for Verify That the 'PGPASSWORD' Environment Variable is Not in Use","remarks":"Using the ` PGPASSWORD ` environment variable implies PostgreSQL credentials are stored as clear text.Avoiding use of this environment variable can better safeguard the confidentiality of PostgreSQL credentials.","description":"## Description\n\nPostgreSQL can read a default database password from an environment variablecalled ` PGPASSWORD ` ."},{"uuid":"8d595d6d-609c-574d-83a6-72f4001209ba","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_1.7_Verify_That_the_PGPASSWORD_Environment_Variable_is_Not_in_Use"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Verify That the 'PGPASSWORD' Environment Variable is Not in Use","description":"Check which users and/or scripts are setting ` PGPASSWORD ` and change themto use a more secure method."}],"title":"Verify That the 'PGPASSWORD' Environment Variable is Not in Use","description":"PostgreSQL can read a default database password from an environment variablecalled PGPASSWORD ."},{"uuid":"5e308a8d-4259-51eb-bb81-a2f9bdb1916b","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"8"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Directory and File Permissions"},{"ns":"https://cisecurity.org/ns","name":"group","value":"2 Directory and File Permissions"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.1_Ensure_the_file_permissions_mask_is_correct"}],"steps":[{"uuid":"7ffdce20-bd6b-5ff6-9e43-4d9d166dad21","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.1_Ensure_the_file_permissions_mask_is_correct"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3"}],"title":"Audit for Ensure the file permissions mask is correct","remarks":"The Linux OS defaults the umask to ` 0022 ` , which means the owner and primary group can read and write the file, and other accounts are permitted to read the file. Not explicitly setting the umask to a value as restrictive as ` 0077 ` allows other users to read, write, or even execute files and scripts created by the ` postgres ` user account. The alternative to using a umask is explicitly updating file permissions after file creation using the command line utility ` chmod ` (a manual and error-prone process that is not advised).","description":"## Description\n\nFiles are always created using a default set of permissions. File permissions can be restricted by applying a permissions mask called the ** ` umask ` ** . The ` postgres ` user account should use a umask of ` 0077 ` to deny file access to all user accounts except the owner."},{"uuid":"49fba322-b635-5fb9-9419-654bdcde9a1a","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.1_Ensure_the_file_permissions_mask_is_correct"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the file permissions mask is correct","description":"Depending upon the ` postgres ` user's environment, the umask is typically set in the initialization file ` .bash_profile ` , but may also be set in ` .profile ` or ` .bashrc ` . To set the umask, add the following to the appropriate profile file: \n\n \n```bash\n# whoami \n postgres \n # cd ~ \n # ls -ld .{bash_profile,profile,bashrc} \n ls: cannot access .profile: No such file or directory \n ls: cannot access .bashrc: No such file or directory \n -rwx------. 1 postgres postgres 267 Aug 14 12:59 .bash_profile \n # echo \"umask 077\" >> .bash_profile \n # source .bash_profile \n # umask \n 0077\n```"}],"title":"Ensure the file permissions mask is correct","description":"Files are always created using a default set of permissions. File permissions can be restricted by applying a permissions mask called the umask . The postgres user account should use a umask of 0077 to deny file access to all user accounts except the owner."},{"uuid":"8926c68a-532a-5b6e-9ffc-5f4d15090b3a","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"9"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Directory and File Permissions"},{"ns":"https://cisecurity.org/ns","name":"group","value":"2 Directory and File Permissions"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.2_Ensure_extension_directory_has_appropriate_ownership_and_permissions"}],"steps":[{"uuid":"3fd64334-ce40-5423-9ddc-066deced527c","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.2_Ensure_extension_directory_has_appropriate_ownership_and_permissions"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3"}],"title":"Audit for Ensure extension directory has appropriate ownership and permissions","remarks":"Limiting the accessibility of these objects will protect the confidentiality, integrity, and availability of the PostgreSQL database. If someone can modify extensions, then these extensions can be used to execute illicit instructions.","description":"## Description\n\nThe extension directory is the location of the PostgreSQL extensions. Extensions are storage engines or user defined functions (UDFs)."},{"uuid":"fa054993-ef69-55ed-b1b0-00e810eb0e80","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.2_Ensure_extension_directory_has_appropriate_ownership_and_permissions"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure extension directory has appropriate ownership and permissions","description":"If needed, correct the permissions on the extension dir by eecuting: \n\n \n```bash\nsudo chown root:root $ext_dir \n sudo chmod 0755 $ext_dir\n```\n If the permissions needed correct, it is imperative that all extensions found in ` $ext_dir ` are evaluated to ensure they have not been modified!"}],"title":"Ensure extension directory has appropriate ownership and permissions","description":"The extension directory is the location of the PostgreSQL extensions. Extensions are storage engines or user defined functions (UDFs)."},{"uuid":"1a19face-1e5d-5637-b6fa-fd2e55d4d625","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"10"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Directory and File Permissions"},{"ns":"https://cisecurity.org/ns","name":"group","value":"2 Directory and File Permissions"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.3_Disable_PostgreSQL_Command_History"}],"steps":[{"uuid":"51244a58-94de-5ba2-bf01-754b89517255","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.3_Disable_PostgreSQL_Command_History"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/5"}],"title":"Audit for Disable PostgreSQL Command History","remarks":"Disabling the PostgreSQL command history reduces the probability of exposingsensitive information, such as passwords, encryption keys, or sensitive data.","description":"## Description\n\nOn Linux/UNIX, the PostgreSQL client logs most interactive statements to a history file.The default PostgreSQL history file is named ` .psql_history ` in the user's home directory.\n\n The PostgreSQL command history should be disabled."},{"uuid":"876a0586-afe4-58e1-aadd-f14874a431d9","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.3_Disable_PostgreSQL_Command_History"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Disable PostgreSQL Command History","description":"For each OS user on the PostgreSQL server, perform the following steps to implement this setting: \n\n - Remove ` .psql_history ` if it exists. \n\n \n```bash\nrm -f ~/.psql_history || true\n```\n - Use either of the techniques below to prevent it from being created again: \n\n Set the ` HISTFILE ` variable to ` /dev/null ` in ` ~/.psqlrc ` \n```bash\ncat > ~/.psqlrc\\set HISTFILE /dev/nullEOF\n```\n - Create ` ~/.psql_history ` as a symbolic to ` /dev/null ` . \n```bash\nln -s /dev/null $HOME/.psql_history\n```\n - Set the ` PSQL_HISTORY ` variable for all users: \n\n \n```bash\nsudo echo 'PSQL_HISTORY=/dev/null' >> /etc/environment\n```"}],"title":"Disable PostgreSQL Command History","description":"On Linux/UNIX, the PostgreSQL client logs most interactive statements to a history file.The default PostgreSQL history file is named .psql_history in the user's home directory. The PostgreSQL command history should be disabled."},{"uuid":"de429f18-0b16-55d5-8f10-b05e19c91bf7","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"11"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Directory and File Permissions"},{"ns":"https://cisecurity.org/ns","name":"group","value":"2 Directory and File Permissions"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.4_Ensure_Passwords_are_Not_Stored_in_the_service_file"}],"steps":[{"uuid":"6c90c0d9-f5ca-5d2e-97e1-db417ca3782d","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.4_Ensure_Passwords_are_Not_Stored_in_the_service_file"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/11"}],"title":"Audit for Ensure Passwords are Not Stored in the service file","remarks":"Using the ` password ` parameter may negatively impact the confidentiality of the user's password.","description":"## Description\n\nOne can set a ` password ` in a PostgreSQL connection service file. Verify the ` password ` option is not used in a connection service file."},{"uuid":"06e7a040-d6a6-535e-b9d0-4de1c538594b","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_2.4_Ensure_Passwords_are_Not_Stored_in_the_service_file"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure Passwords are Not Stored in the service file","description":"Delete every ` password ` entry in the file(s) previously identified. \n\n Impact: \n\n The global configuration is by default readable for all users on the system.This is needed for global defaults (prompt, port, socket, etc.).If a password is present in this file then all users on the system may be able to access it."}],"title":"Ensure Passwords are Not Stored in the service file","description":"One can set a password in a PostgreSQL connection service file. Verify the password option is not used in a connection service file."},{"uuid":"2b1083cc-3f01-5efc-8d1c-39bee89fbf14","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"12"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.2_Ensure_the_log_destinations_are_set_correctly"}],"steps":[{"uuid":"31f4a7c6-9d08-5195-9ee6-72ba631b2bd5","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.2_Ensure_the_log_destinations_are_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure the log destinations are set correctly","remarks":"If ` log_destination ` is not set, then any log messages generated by the core PostgreSQL processes will be lost.","description":"## Description\n\nPostgreSQL supports several methods for logging server messages, including ` stderr ` , ` csvlog ` , ` syslog ` , and ` jsonlog ` . On Windows, ` eventlog ` is also supported. One or more of these destinations should be set for server log output."},{"uuid":"ac3c1a61-e756-5a7a-b1ed-b602d72dfd29","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.2_Ensure_the_log_destinations_are_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the log destinations are set correctly","description":"Execute the following SQL statements to remediate this setting (in this example, setting the log destination to ` csvlog ` ): \n\n \n```bash\npostgres=# alter system set log_destination = 'csvlog'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```\n ** Note: ** If more than one log destination is to be used, set this parameter to a list of desired log destinations separated by commas (e.g. ' ` csvlog, stderr ` ')."}],"title":"Ensure the log destinations are set correctly","description":"PostgreSQL supports several methods for logging server messages, including stderr , csvlog , syslog , and jsonlog . On Windows, eventlog is also supported. One or more of these destinations should be set for server log output."},{"uuid":"0af723c0-f32a-5ecd-84d7-b41d08e23b60","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"13"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.3_Ensure_the_logging_collector_is_enabled"}],"steps":[{"uuid":"8f98b939-aee0-5130-bf9a-6493e21de8c2","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.3_Ensure_the_logging_collector_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure the logging collector is enabled","remarks":"The logging collector approach is often more useful than logging to ` syslog ` , since some types of messages might not appear in ` syslog ` output. One common example is dynamic-linker failure message; another may be error messages produced by scripts such as ` archive_command ` .\n\n ** Note: ** This setting must be enabled when ` log_destination ` is either ` stderr ` or ` csvlog ` or logs will be lost . Certain other logging parameters require it as well.","description":"## Description\n\nThe logging collector is a background process that captures log messages sent to ` stderr ` and redirects them into log files. The ` logging_collector ` setting must be enabled in order for this process to run. It can only be set at the server start."},{"uuid":"7135659e-1d8f-5023-adf4-11a2e49b32a0","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.3_Ensure_the_logging_collector_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the logging collector is enabled","description":"Execute the following SQL statement(s) to remediate this setting: \n\n \n```bash\npostgres=# alter system set logging_collector = 'on'; \n ALTER SYSTEM\n```\n Unfortunately, this setting can only be changed at the server (re)start. As root, restart the PostgreSQL service for this change to take effect: \n\n \n```bash\n# whoami \n root \n # systemctl restart postgresql-18 \n # systemctl status postgresql-18|grep 'ago$' \n Active: active (running) since ; s ago\n```"}],"title":"Ensure the logging collector is enabled","description":"The logging collector is a background process that captures log messages sent to stderr and redirects them into log files. The logging_collector setting must be enabled in order for this process to run. It can only be set at the server start."},{"uuid":"f30a54e7-7ed8-5f7a-a43f-ce74ccdc1753","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"14"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.4_Ensure_the_log_file_destination_directory_is_set_correctly"}],"steps":[{"uuid":"488390ef-8b59-5145-b57e-2c1449ba3bb0","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.4_Ensure_the_log_file_destination_directory_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure the log file destination directory is set correctly","remarks":"If ` log_directory ` is not set, it is interpreted as the absolute path ` '/' ` and PostgreSQL will attempt to write its logs there (and typically fail due to a lack of permissions to that directory). This parameter should be set to direct the logs into the appropriate directory location as defined by your organization's logging policy.","description":"## Description\n\nThe ` log_directory ` setting specifies the destination directory for log files when ` log_destination ` is ` stderr ` or ` csvlog ` . It can be specified as relative to the cluster data directory ( ` $PGDATA ` ) or as an absolute path. ` log_directory ` should be set according to your organization's logging policy."},{"uuid":"3f4a71b3-f17a-5b0e-bb12-3eb09eee0bad","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.4_Ensure_the_log_file_destination_directory_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the log file destination directory is set correctly","description":"Execute the following SQL statement(s) to remediate this setting: \n\n \n```bash\npostgres=# alter system set log_directory='/var/log/postgres'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row) \n postgres=# show log_directory; \n log_directory \n --------------- \n /var/log/postgres \n (1 row)\n```\n ** Note: ** The use of ` /var/log/postgres ` , above, is an example. This should be set to an appropriate path as defined by your organization's logging requirements. Having said that, it ** is ** a good idea to have the logs outside of your ` PGDATA ` directory so that they are not included by things like ` pg_basebackup ` or ` pgBackRest ` ."}],"title":"Ensure the log file destination directory is set correctly","description":"The log_directory setting specifies the destination directory for log files when log_destination is stderr or csvlog . It can be specified as relative to the cluster data directory ( $PGDATA ) or as an absolute path. log_directory should be set according to your organization's logging policy."},{"uuid":"d4879b90-5a78-5677-b92a-2d0f3ce0cac8","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"15"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.5_Ensure_the_filename_pattern_for_log_files_is_set_correctly"}],"steps":[{"uuid":"2caf2f85-df0b-5b54-ad00-7638dda66bd6","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.5_Ensure_the_filename_pattern_for_log_files_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure the filename pattern for log files is set correctly","remarks":"If ` log_filename ` is not set, then the value of ` log_directory ` is appended to an empty string and PostgreSQL will fail to start as it will try to write to a directory instead of a file.","description":"## Description\n\nThe ` log_filename ` setting specifies the filename pattern for log files. The value for ` log_filename ` should match your organization's logging policy.\n\n The value is treated as a ` strftime ` pattern, so ` %-escapes ` can be used to specify time-varying file names. The supported ` %-escapes ` are similar to those listed in the Open Group's ` strftime ` specification. If you specify a file name without escapes, you should plan to use a log rotation utility to avoid eventually filling the partition that contains ` log_directory ` . If there are any time-zone-dependent ` %-escapes ` , the computation is done in the zone specified by ` log_timezone ` . Also, the system's ` strftime ` is not used directly, so platform-specific (nonstandard) extensions do not work.\n\n If CSV-format output is enabled in ` log_destination ` , ` .csv ` will be appended to the log filename. (If ` log_filename ` ends in ` .log ` , the suffix is replaced instead.)"},{"uuid":"3770f7f7-5bc2-5656-a19b-6f5cd048d0f0","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.5_Ensure_the_filename_pattern_for_log_files_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the filename pattern for log files is set correctly","description":"Execute the following SQL statement(s) to remediate this setting: \n\n \n```bash\npostgres=# alter system set log_filename='postgresql-%Y%m%d.log'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row) \n postgres=# show log_filename; \n log_filename \n ------------------- \n postgresql-%Y%m%d.log \n (1 row)\n```\n ** Note: ** In this example, a new log file will be created for each day (e.g. ` postgresql-20200804.log ` )"}],"title":"Ensure the filename pattern for log files is set correctly","description":"The log_filename setting specifies the filename pattern for log files. The value for log_filename should match your organization's logging policy. The value is treated as a strftime pattern, so %-escapes can be used to specify time-varying file names. The supported %-escapes are similar to those listed in the Open Group's strftime specification. If you specify a file name without escapes, you should plan to use a log rotation utility to avoid eventually filling the partition that contains log_directory . If there are any time-zone-dependent %-escapes , the computation is done in the zone specified by log_timezone . Also, the system's strftime is not used directly, so platform-specific (nonstandard) extensions do not work. If CSV-format output is enabled in log_destination , .csv will be appended to the log filename. (If log_filename ends in .log , the suffix is replaced instead.)"},{"uuid":"3d0406a7-86a9-5eff-91dc-134520165c52","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"16"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.6_Ensure_the_log_file_permissions_are_set_correctly"}],"steps":[{"uuid":"252610df-ecb7-5808-911e-6191f5152d0b","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.6_Ensure_the_log_file_permissions_are_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3"}],"title":"Audit for Ensure the log file permissions are set correctly","remarks":"Log files often contain sensitive data. Allowing unnecessary access to log files may inadvertently expose sensitive data to unauthorized personnel.","description":"## Description\n\nThe ` log_file_mode ` setting determines the file permissions for log files when ` logging_collector ` is enabled. The parameter value is expected to be a numeric mode specification in the form accepted by the ` chmod ` and ` umask ` system calls. (To use the customary octal format, the number must start with a ` 0 ` (zero).)\n\n The permissions should be set to allow only the necessary access to authorized personnel. In most cases, the best setting is ` 0600 ` , so that only the server owner can read or write the log files. The other commonly useful setting is ` 0640 ` , allowing members of the owner's group to read the files, although to make use of that, you will need to either alter the ` log_directory ` setting to store the log files outside the cluster data directory or use ` PGSETUP_INITDB_OPTIONS=\"-k -g\" ` when initializing the cluster."},{"uuid":"fa3b230f-7c89-58c3-ae5f-b95069343cbc","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.6_Ensure_the_log_file_permissions_are_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the log file permissions are set correctly","description":"Execute the following SQL statement(s) to remediate this setting (with the example assuming the desired value of ` 0600 ` ): \n\n \n```bash\npostgres=# alter system set log_file_mode = '0600'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row) \n postgres=# show log_file_mode; \n log_file_mode \n --------------- \n 0600 \n (1 row)\n```"}],"title":"Ensure the log file permissions are set correctly","description":"The log_file_mode setting determines the file permissions for log files when logging_collector is enabled. The parameter value is expected to be a numeric mode specification in the form accepted by the chmod and umask system calls. (To use the customary octal format, the number must start with a 0 (zero).) The permissions should be set to allow only the necessary access to authorized personnel. In most cases, the best setting is 0600 , so that only the server owner can read or write the log files. The other commonly useful setting is 0640 , allowing members of the owner's group to read the files, although to make use of that, you will need to either alter the log_directory setting to store the log files outside the cluster data directory or use PGSETUP_INITDB_OPTIONS=\"-k -g\" when initializing the cluster."},{"uuid":"a2bb933c-d1eb-5fe0-95eb-5149ea4a2614","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"17"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.7_Ensure_log_truncate_on_rotation_is_enabled"}],"steps":[{"uuid":"445aafe6-7b62-5c13-9447-55ac87944b0c","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.7_Ensure_log_truncate_on_rotation_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/4"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/3"}],"title":"Audit for Ensure 'log_truncate_on_rotation' is enabled","remarks":"If this setting is disabled, pre-existing log files will be appended to if ` log_filename ` is configured in such a way that static or recurring names are generated.\n\n Enabling or disabling the truncation should only be decided when ** also ** considering the value of ` log_filename ` and ` log_rotation_age ` / ` log_rotation_size ` . Some examples to illustrate the interaction between these settings:\n\n```bash\n# truncation is moot, as each rotation gets a unique filename (postgresql-20180605.log) \n log_truncate_on_rotation = on \n log_filename = 'postgresql-%Y%m%d.log' \n log_rotation_age = '1d' \n log_rotation_size = 0\n```\n\n```bash\n# truncation every hour, losing log data every hour until the date changes \n log_truncate_on_rotation = on \n log_filename = 'postgresql-%Y%m%d.log' \n log_rotation_age = '1h' \n log_rotation_size = 0\n```\n\n```bash\n# no truncation if the date changed before generating 100M of log data, truncation otherwise \n log_truncate_on_rotation = on \n log_filename = 'postgresql-%Y%m%d.log' \n log_rotation_age = '0' \n log_rotation_size = '100M'\n```","description":"## Description\n\nEnabling the ` log_truncate_on_rotation ` setting when ` logging_collector ` is enabled causes PostgreSQL to truncate (overwrite) existing log files with the same name during log rotation instead of appending to them. For example, using this setting in combination with a ` log_filename ` setting value like ` postgresql-%H.log ` would result in generating 24 hourly log files and then cyclically overwriting them:\n\n```bash\npostgresql-00.log \n postgresql-01.log \n [...] \n postgresql-23.log\n```\n ** Note: ** Truncation will occur ** only ** when a new file is being opened due to time-based rotation, not during server startup or size-based rotation (see later in this benchmark for size-based rotation details)."},{"uuid":"efe57f64-99d3-5d38-a6b5-5472070a6d1b","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.7_Ensure_log_truncate_on_rotation_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'log_truncate_on_rotation' is enabled","description":"Execute the following SQL statement(s) to remediate this setting: \n\n \n```bash\npostgres=# alter system set log_truncate_on_rotation = 'on'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row) \n postgres=# show log_truncate_on_rotation; \n log_truncate_on_rotation \n -------------------------- \n on \n (1 row)\n```"}],"title":"Ensure 'log_truncate_on_rotation' is enabled","description":"Enabling the log_truncate_on_rotation setting when logging_collector is enabled causes PostgreSQL to truncate (overwrite) existing log files with the same name during log rotation instead of appending to them. For example, using this setting in combination with a log_filename setting value like postgresql-%H.log would result in generating 24 hourly log files and then cyclically overwriting them: postgresql-00.log postgresql-01.log [...] postgresql-23.log Note: Truncation will occur only when a new file is being opened due to time-based rotation, not during server startup or size-based rotation (see later in this benchmark for size-based rotation details)."},{"uuid":"72f20f45-6d14-59fb-b63c-62f1eeb722c8","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"18"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.8_Ensure_the_maximum_log_file_lifetime_is_set_correctly"}],"steps":[{"uuid":"bbdedd91-a8c7-5f1a-8b61-2b054c37875c","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.8_Ensure_the_maximum_log_file_lifetime_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/4"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/3"}],"title":"Audit for Ensure the maximum log file lifetime is set correctly","remarks":"Log rotation is a standard best practice for log management.","description":"## Description\n\nWhen ` logging_collector ` is enabled, the ` log_rotation_age ` parameter determines the maximum lifetime of an individual log file (depending on the value of ` log_filename ` ). After this many minutes have elapsed, a new log file will be created via automatic log file rotation. Current best practices advise log rotation at least daily, but your organization's logging policy should dictate your rotation schedule."},{"uuid":"aba3a796-48fa-54fc-a546-be052d31a2c6","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.8_Ensure_the_maximum_log_file_lifetime_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the maximum log file lifetime is set correctly","description":"Execute the following SQL statement(s) to remediate this setting (in this example, setting it to one hour): \n\n \n```bash\npostgres=# alter system set log_rotation_age='1h'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure the maximum log file lifetime is set correctly","description":"When logging_collector is enabled, the log_rotation_age parameter determines the maximum lifetime of an individual log file (depending on the value of log_filename ). After this many minutes have elapsed, a new log file will be created via automatic log file rotation. Current best practices advise log rotation at least daily, but your organization's logging policy should dictate your rotation schedule."},{"uuid":"a94c743b-09a4-525a-aa80-07149e56307f","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"19"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.9_Ensure_the_maximum_log_file_size_is_set_correctly"}],"steps":[{"uuid":"77e8cdc9-0a4b-5811-8c23-4d037ef39ca0","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.9_Ensure_the_maximum_log_file_size_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/4"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/3"}],"title":"Audit for Ensure the maximum log file size is set correctly","remarks":"If this is set to zero, the size-triggered creation of new log files is disabled. This will prevent automatic log file rotation when files become too large, which could put log data at increased risk of loss (unless age-based rotation is configured).","description":"## Description\n\nThe ` log_rotation_size ` setting determines the maximum size of an individual log file. Once the maximum size is reached, automatic log file rotation will occur."},{"uuid":"415ff718-8af3-582e-9070-dbccb95a0de0","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.9_Ensure_the_maximum_log_file_size_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the maximum log file size is set correctly","description":"Execute the following SQL statement(s) to remediate this setting (in this example, setting it to ` 1GB ` ): \n\n \n```bash\npostgres=# alter system set log_rotation_size = '1GB'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure the maximum log file size is set correctly","description":"The log_rotation_size setting determines the maximum size of an individual log file. Once the maximum size is reached, automatic log file rotation will occur."},{"uuid":"4b3b9dc7-903c-5a79-bc9c-4e387bb0730f","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"20"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.10_Ensure_the_correct_syslog_facility_is_selected"}],"steps":[{"uuid":"fac43837-4f4b-5580-b18a-901200775ccc","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.10_Ensure_the_correct_syslog_facility_is_selected"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/2"}],"title":"Audit for Ensure the correct syslog facility is selected","remarks":"If not set to the appropriate facility, the PostgreSQL log messages may be intermingled with other applications' log messages, incorrectly routed, or potentially dropped (depending on your ` syslog ` configuration).","description":"## Description\n\nThe ` syslog_facility ` setting specifies the syslog \"facility\" to be used when logging to ` syslog ` is enabled. You can choose from any of the 'local' facilities:\n\n - ` LOCAL0 ` - ` LOCAL1 ` - ` LOCAL2 ` - ` LOCAL3 ` - ` LOCAL4 ` - ` LOCAL5 ` - ` LOCAL6 ` - ` LOCAL7 ` Your organization's logging policy should dictate which facility to use based on the ` syslog ` daemon in use."},{"uuid":"f55bc28a-b9df-56f2-b253-dfe419a01778","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.10_Ensure_the_correct_syslog_facility_is_selected"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the correct syslog facility is selected","description":"Execute the following SQL statement(s) to remediate this setting (in this example, setting it to the ` LOCAL1 ` facility): \n\n \n```bash\npostgres=# alter system set syslog_facility = 'LOCAL1'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure the correct syslog facility is selected","description":"The syslog_facility setting specifies the syslog \"facility\" to be used when logging to syslog is enabled. You can choose from any of the 'local' facilities: LOCAL0 LOCAL1 LOCAL2 LOCAL3 LOCAL4 LOCAL5 LOCAL6 LOCAL7 Your organization's logging policy should dictate which facility to use based on the syslog daemon in use."},{"uuid":"cbf45017-c589-5335-bea1-38a2b1166e1c","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"21"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.11_Ensure_syslog_messages_are_not_suppressed"}],"steps":[{"uuid":"be3057cb-31d6-5761-a8f4-3f1124961295","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.11_Ensure_syslog_messages_are_not_suppressed"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure syslog messages are not suppressed","remarks":"Many modern Syslog implementations perform a log optimization and suppress repeated log entries while emitting “ ` --- last message repeated N times --- ` ”. In more modern Syslog implementations, repeated message suppression can be configured (for example, ` $RepeatedMsgReduction ` in ` rsyslog ` ).","description":"## Description\n\nWhen logging to Syslog and ` syslog_sequence_numbers ` is on, then each message will be prefixed by an increasing sequence number (such as [2])."},{"uuid":"76916421-5a71-5d5a-9fab-325f5835f688","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.11_Ensure_syslog_messages_are_not_suppressed"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure syslog messages are not suppressed","description":"Execute the following SQL statement(s) to remediate this setting: \n\n \n```bash\npostgres=# alter system set syslog_sequence_numbers = 'on'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```\n Impact: \n\n If disabled, messages sent to Syslog could be suppressed and not logged. While a message is emitted stating that a given message was repeated and suppressed, the timestamp associated with these suppressed messages is lost, potentially damaging the recreation of an incident timeline."}],"title":"Ensure syslog messages are not suppressed","description":"When logging to Syslog and syslog_sequence_numbers is on, then each message will be prefixed by an increasing sequence number (such as [2])."},{"uuid":"031b7993-bfb9-5344-89fb-5d0f2221666b","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"22"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.12_Ensure_syslog_messages_are_not_lost_due_to_size"}],"steps":[{"uuid":"f21209e1-cf2f-54e3-9417-e22cd2460931","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.12_Ensure_syslog_messages_are_not_lost_due_to_size"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure syslog messages are not lost due to size","description":"## Description\n\nPostgreSQL log messages can exceed 1024 bytes, which is a typical size limit for traditional Syslog implementations. When ` syslog_split_messages ` is off, PostgreSQL server log messages are delivered to the Syslog service as is, and it is up to the Syslog service to cope with the potentially bulky messages. When ` syslog_split_messages ` is on, messages are split by lines, and long lines are split so that they will fit into 1024 bytes.\n\n If syslog is ultimately logging to a text file, then the effect will be the same either way, and it is best to leave the setting on, since most syslog implementations either cannot handle large messages or would need to be specially configured to handle them. But if syslog is ultimately writing into some other medium, it might be necessary or more useful to keep messages logically together."},{"uuid":"4774f780-1bc1-5fa5-9718-4f5347a1cb06","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.12_Ensure_syslog_messages_are_not_lost_due_to_size"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure syslog messages are not lost due to size","description":"Execute the following SQL statement(s) to remediate this setting: \n\n \n```bash\npostgres=# alter system set syslog_split_messages = 'on'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```\n Impact: \n\n Depending on the Syslog server in use, log messages exceeding 1024 bytes may be lost or, potentially, cause the Syslog server processes to abort."}],"title":"Ensure syslog messages are not lost due to size","description":"PostgreSQL log messages can exceed 1024 bytes, which is a typical size limit for traditional Syslog implementations. When syslog_split_messages is off, PostgreSQL server log messages are delivered to the Syslog service as is, and it is up to the Syslog service to cope with the potentially bulky messages. When syslog_split_messages is on, messages are split by lines, and long lines are split so that they will fit into 1024 bytes. If syslog is ultimately logging to a text file, then the effect will be the same either way, and it is best to leave the setting on, since most syslog implementations either cannot handle large messages or would need to be specially configured to handle them. But if syslog is ultimately writing into some other medium, it might be necessary or more useful to keep messages logically together."},{"uuid":"0ea1dbd0-5d1e-53f5-8494-f52375f5c5af","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"23"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.13_Ensure_the_program_name_for_PostgreSQL_syslog_messages_is_correct"}],"steps":[{"uuid":"060be873-8758-5018-8d4f-9c6984b7fe8b","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.13_Ensure_the_program_name_for_PostgreSQL_syslog_messages_is_correct"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure the program name for PostgreSQL syslog messages is correct","remarks":"If this is not set correctly, it may be difficult or impossible to distinguish PostgreSQL messages from other messages in Syslog logs.","description":"## Description\n\nThe ` syslog_ident ` setting specifies the program name used to identify PostgreSQL messages in syslog logs. An example of a possible program name is ` postgres ` ."},{"uuid":"0937afe7-2fd2-5429-beac-1066b49a8fa9","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.13_Ensure_the_program_name_for_PostgreSQL_syslog_messages_is_correct"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the program name for PostgreSQL syslog messages is correct","description":"Execute the following SQL statement(s) to remediate this setting (in this example, assuming a program name of ` proddb ` ): \n\n \n```bash\npostgres=# alter system set syslog_ident = 'proddb'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row) \n postgres=# show syslog_ident; \n syslog_ident \n -------------- \n proddb \n (1 row)\n```"}],"title":"Ensure the program name for PostgreSQL syslog messages is correct","description":"The syslog_ident setting specifies the program name used to identify PostgreSQL messages in syslog logs. An example of a possible program name is postgres ."},{"uuid":"840b4d36-6448-5474-9e85-51333516a75b","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"24"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.14_Ensure_the_correct_messages_are_written_to_the_server_log"}],"steps":[{"uuid":"3cf1aa64-ed82-5dd2-ac47-f978b24661ba","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.14_Ensure_the_correct_messages_are_written_to_the_server_log"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/4"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/3"}],"title":"Audit for Ensure the correct messages are written to the server log","remarks":"If this is not set to the correct value, too many or too few messages may be written to the server log.","description":"## Description\n\nThe ` log_min_messages ` setting specifies the message levels that are written to the server log. Each level includes all the levels that follow it. The lower the level (vertically, below), the fewer messages are logged.\n\n Valid values are:\n\n - ` DEBUG5 ` <-- exceedingly chatty - ` DEBUG4 ` - ` DEBUG3 ` - ` DEBUG2 ` - ` DEBUG1 ` - ` INFO ` - ` NOTICE ` - ` WARNING ` <-- default - ` ERROR ` - ` LOG ` - ` FATAL ` - ` PANIC ` <-- practically mute ` WARNING ` is considered the best practice unless indicated otherwise by your organization's logging policy."},{"uuid":"b4f4db98-bc57-5e04-af30-47761dc7120b","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.14_Ensure_the_correct_messages_are_written_to_the_server_log"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the correct messages are written to the server log","description":"Execute the following SQL statement(s) as superuser to remediate this setting (in this example, to set it to ` warning ` ): \n\n \n```bash\npostgres=# alter system set log_min_messages = 'warning'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure the correct messages are written to the server log","description":"The log_min_messages setting specifies the message levels that are written to the server log. Each level includes all the levels that follow it. The lower the level (vertically, below), the fewer messages are logged. Valid values are: DEBUG5 <-- exceedingly chatty DEBUG4 DEBUG3 DEBUG2 DEBUG1 INFO NOTICE WARNING <-- default ERROR LOG FATAL PANIC <-- practically mute WARNING is considered the best practice unless indicated otherwise by your organization's logging policy."},{"uuid":"a80d077e-c2b2-59a9-b0b0-5f231c3dbe7c","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"25"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.15_Ensure_the_correct_SQL_statements_generating_errors_are_recorded"}],"steps":[{"uuid":"a2ce0b8a-c420-5589-a3b1-87fcacad0c06","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.15_Ensure_the_correct_SQL_statements_generating_errors_are_recorded"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/4"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/3"}],"title":"Audit for Ensure the correct SQL statements generating errors are recorded","remarks":"If this is not set to the correct value, too many erring or too few erring SQL statements may be written to the server log.","description":"## Description\n\nThe ` log_min_error_statement ` setting causes all SQL statements generating errors at or above the specified severity level to be recorded in the server log. Each level includes all the levels that follow it. The lower the level (vertically, below), the fewer messages are recorded. Valid values are:\n\n - ` DEBUG5 ` <-- exceedingly chatty - ` DEBUG4 ` - ` DEBUG3 ` - ` DEBUG2 ` - ` DEBUG1 ` - ` INFO ` - ` NOTICE ` - ` WARNING ` - ` ERROR ` <-- default - ` LOG ` - ` FATAL ` - ` PANIC ` <-- practically mute ` ERROR ` is considered the best practice setting. Changes should only be made in accordance with your organization's logging policy.\n\n ** Note: ** To effectively turn off logging of failing statements, set this parameter to ` PANIC ` ."},{"uuid":"5aff5b07-8643-5ed6-be13-177f7d34a618","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.15_Ensure_the_correct_SQL_statements_generating_errors_are_recorded"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the correct SQL statements generating errors are recorded","description":"Execute the following SQL statement(s) as superuser to remediate this setting (in the example, to ` error ` ): \n\n \n```bash\npostgres=# alter system set log_min_error_statement = 'error'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure the correct SQL statements generating errors are recorded","description":"The log_min_error_statement setting causes all SQL statements generating errors at or above the specified severity level to be recorded in the server log. Each level includes all the levels that follow it. The lower the level (vertically, below), the fewer messages are recorded. Valid values are: DEBUG5 <-- exceedingly chatty DEBUG4 DEBUG3 DEBUG2 DEBUG1 INFO NOTICE WARNING ERROR <-- default LOG FATAL PANIC <-- practically mute ERROR is considered the best practice setting. Changes should only be made in accordance with your organization's logging policy. Note: To effectively turn off logging of failing statements, set this parameter to PANIC ."},{"uuid":"184b48f3-b9e8-57d1-98f9-f9456aac7414","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"26"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.16_Ensure_debug_print_parse_is_disabled"}],"steps":[{"uuid":"295d05fa-014a-5b1d-b0b7-7b48ab1a604c","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.16_Ensure_debug_print_parse_is_disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/1"}],"title":"Audit for Ensure 'debug_print_parse' is disabled","remarks":"Enabling any of the ` DEBUG ` printing variables may cause the logging of sensitive information that would otherwise be omitted based on the configuration of the other logging settings.","description":"## Description\n\nThe ` debug_print_parse ` setting enables printing the resulting parse tree for each executed query. These messages are emitted at the ` LOG ` message level. Unless directed otherwise by your organization's logging policy, it is recommended this setting be disabled by setting it to ` off ` ."},{"uuid":"2ab6f406-2497-53ed-9025-246f9061b01f","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.16_Ensure_debug_print_parse_is_disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'debug_print_parse' is disabled","description":"Execute the following SQL statement(s) to remediate this setting: \n\n \n```bash\npostgres=# alter system set debug_print_parse='off'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure 'debug_print_parse' is disabled","description":"The debug_print_parse setting enables printing the resulting parse tree for each executed query. These messages are emitted at the LOG message level. Unless directed otherwise by your organization's logging policy, it is recommended this setting be disabled by setting it to off ."},{"uuid":"eeb9820c-2b2d-55f9-a0ba-a60a4d87c48c","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"27"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.17_Ensure_debug_print_rewritten_is_disabled"}],"steps":[{"uuid":"c4702240-eab7-54d5-a8d8-791a9b43d2a5","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.17_Ensure_debug_print_rewritten_is_disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/1"}],"title":"Audit for Ensure 'debug_print_rewritten' is disabled","remarks":"Enabling any of the ` DEBUG ` printing variables may cause the logging of sensitive information that would otherwise be omitted based on the configuration of the other logging settings.","description":"## Description\n\nThe ` debug_print_rewritten ` setting enables printing the query rewriter output for each executed query. These messages are emitted at the ` LOG ` message level. Unless directed otherwise by your organization's logging policy, it is recommended this setting be disabled by setting it to ` off ` ."},{"uuid":"d928ae58-f8bc-56f0-b953-ca3af0d7d4bc","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.17_Ensure_debug_print_rewritten_is_disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'debug_print_rewritten' is disabled","description":"Execute the following SQL statement(s) to disable this setting: \n\n \n```bash\npostgres=# alter system set debug_print_rewritten = 'off'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure 'debug_print_rewritten' is disabled","description":"The debug_print_rewritten setting enables printing the query rewriter output for each executed query. These messages are emitted at the LOG message level. Unless directed otherwise by your organization's logging policy, it is recommended this setting be disabled by setting it to off ."},{"uuid":"c13d33d7-7ed3-5949-8e50-040e2adaa7af","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"28"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.18_Ensure_debug_print_plan_is_disabled"}],"steps":[{"uuid":"f0e8d33f-5816-5329-a3fb-2561a0dad4c2","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.18_Ensure_debug_print_plan_is_disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/1"}],"title":"Audit for Ensure 'debug_print_plan' is disabled","remarks":"Enabling any of the ` DEBUG ` printing variables may cause the logging of sensitive information that would otherwise be omitted based on the configuration of the other logging settings.","description":"## Description\n\nThe ` debug_print_plan ` setting enables printing the execution plan for each executed query. These messages are emitted at the ` LOG ` message level. Unless directed otherwise by your organization's logging policy, it is recommended this setting be disabled by setting it to ` off ` ."},{"uuid":"31633ecf-a857-5a11-a1b8-8cbb3f2d3ef9","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.18_Ensure_debug_print_plan_is_disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'debug_print_plan' is disabled","description":"Execute the following SQL statement(s) to disable this setting: \n\n \n```bash\npostgres=# alter system set debug_print_plan = 'off'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure 'debug_print_plan' is disabled","description":"The debug_print_plan setting enables printing the execution plan for each executed query. These messages are emitted at the LOG message level. Unless directed otherwise by your organization's logging policy, it is recommended this setting be disabled by setting it to off ."},{"uuid":"680f4a05-b8b9-545e-9858-3e403b51d851","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"29"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.19_Ensure_debug_pretty_print_is_enabled"}],"steps":[{"uuid":"ccc0e86e-7329-50a1-9412-3bfafd473beb","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.19_Ensure_debug_pretty_print_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure 'debug_pretty_print' is enabled","remarks":"If this setting is disabled, the \"compact\" format is used instead, significantly reducing the readability of the ` DEBUG ` statement log messages.","description":"## Description\n\nEnabling ` debug_pretty_print ` indents the messages produced by ` debug_print_parse ` , ` debug_print_rewritten ` , or ` debug_print_plan ` making them significantly easier to read."},{"uuid":"64ebd8fc-3106-5b19-af51-3d998493485c","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.19_Ensure_debug_pretty_print_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'debug_pretty_print' is enabled","description":"Execute the following SQL statement(s) to enable this setting: \n\n \n```bash\npostgres=# alter system set debug_pretty_print = 'on'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```\n Impact: \n\n Be advised that the aforementioned ` DEBUG ` printing options are ** disabled ** , but if your organizational logging policy requires them to be ` on ` then this option comes into play."}],"title":"Ensure 'debug_pretty_print' is enabled","description":"Enabling debug_pretty_print indents the messages produced by debug_print_parse , debug_print_rewritten , or debug_print_plan making them significantly easier to read."},{"uuid":"3c63d3ac-d27c-5ec1-af61-60e1d20f508e","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"30"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.20_Ensure_log_connections_is_enabled"}],"steps":[{"uuid":"9caa72ca-5cf3-5e41-971e-43e83adef00f","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.20_Ensure_log_connections_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure 'log_connections' is enabled","remarks":"PostgreSQL does not maintain an internal record of attempted connections to the database for later auditing. It is only by enabling the logging of these attempts that one can determine if unexpected attempts are being made. PostgreSQL introduced the below new options for this setting:\n\n - ` receipt ` - ` authentication ` - ` authorization ` - ` setup_durations ` - ` all ` For the purposes of backwards compatibility, ` on ` , ` off ` , ` true ` , ` false ` , ` yes ` , ` no ` , ` 1 ` , and ` 0 ` are still supported. The equivalent of ` on ` is ` all ` .\n\n Note that enabling this without also enabling ` log_disconnections ` provides little value. Generally, you would enable/disable the pair together.","description":"## Description\n\nEnabling the ` log_connections ` setting causes each attempted connection to the server to be logged, as well as successful completion of client authentication. This parameter cannot be changed after the session start."},{"uuid":"3381a9e8-a184-5748-82b3-abb1eac1aec5","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.20_Ensure_log_connections_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'log_connections' is enabled","description":"Execute the following SQL statement(s) to enable this setting: \n\n \n```bash\npostgres=# alter system set log_connections = 'all'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```\n Then, in a new connection to the database, verify the change: \n\n \n```bash\npostgres=# show log_connections; \n log_connections \n ----------------- \n all \n (1 row)\n```\n Note that you cannot verify this change in the same connection in which it was changed; a new connection is needed."}],"title":"Ensure 'log_connections' is enabled","description":"Enabling the log_connections setting causes each attempted connection to the server to be logged, as well as successful completion of client authentication. This parameter cannot be changed after the session start."},{"uuid":"ed52a529-b71d-5eb2-b576-818edf3c7d02","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"31"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.21_Ensure_log_disconnections_is_enabled"}],"steps":[{"uuid":"c1d6af1d-7541-508c-94be-b41ae7d637c5","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.21_Ensure_log_disconnections_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure 'log_disconnections' is enabled","remarks":"PostgreSQL does not maintain the beginning or ending of a connection internally for later review. It is only by enabling the logging of these that one can examine connections for failed attempts, 'over long' duration, or other anomalies.\n\n Note that enabling this without also enabling ` log_connections ` provides little value. Generally, you would enable/disable the pair together.","description":"## Description\n\nEnabling the ` log_disconnections ` setting logs the end of each session, including session duration. This parameter cannot be changed after the session start."},{"uuid":"dd989501-d65d-56a0-a256-d700e83b2547","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.21_Ensure_log_disconnections_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'log_disconnections' is enabled","description":"Execute the following SQL statement(s) to enable this setting: \n\n \n```bash\npostgres=# alter system set log_disconnections = 'on'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```\n Then, in a new connection to the database, verify the change: \n\n \n```bash\npostgres=# show log_disconnections; \n log_disconnections \n ----------------- \n on \n (1 row)\n```\n Note that you cannot verify this change in the same connection in which it was changed; a new connection is needed."}],"title":"Ensure 'log_disconnections' is enabled","description":"Enabling the log_disconnections setting logs the end of each session, including session duration. This parameter cannot be changed after the session start."},{"uuid":"d5dbf90d-b024-5e17-88a3-1df4c66520f1","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"32"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.22_Ensure_log_error_verbosity_is_set_correctly"}],"steps":[{"uuid":"b3e5abdd-d196-5a8c-9a2b-435c291cd849","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.22_Ensure_log_error_verbosity_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure 'log_error_verbosity' is set correctly","remarks":"If this is not set to the correct value, too many details or too few details may be logged.","description":"## Description\n\nThe ` log_error_verbosity ` setting specifies the verbosity (amount of detail) of logged messages. Valid values are:\n\n - ` TERSE ` - ` DEFAULT ` - ` VERBOSE ` with each containing the fields of the level above it as well as additional fields.\n\n ` TERSE ` excludes the logging of ` DETAIL ` , ` HINT ` , ` QUERY ` , and ` CONTEXT ` error information.\n\n ` VERBOSE ` output includes the ` SQLSTATE ` , error code, and the source code file name, function name, and line number that generated the error.\n\n The appropriate value should be set based on your organization's logging policy."},{"uuid":"20ba045a-09a9-5316-b75f-c9eab47d97a5","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.22_Ensure_log_error_verbosity_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'log_error_verbosity' is set correctly","description":"Execute the following SQL statement(s) as superuser to remediate this setting (in this example, to ` verbose ` ): \n\n \n```bash\npostgres=# alter system set log_error_verbosity = 'verbose'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure 'log_error_verbosity' is set correctly","description":"The log_error_verbosity setting specifies the verbosity (amount of detail) of logged messages. Valid values are: TERSE DEFAULT VERBOSE with each containing the fields of the level above it as well as additional fields. TERSE excludes the logging of DETAIL , HINT , QUERY , and CONTEXT error information. VERBOSE output includes the SQLSTATE , error code, and the source code file name, function name, and line number that generated the error. The appropriate value should be set based on your organization's logging policy."},{"uuid":"aa849004-4818-5444-9e22-7d5b157382ef","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"33"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.23_Ensure_log_hostname_is_set_correctly"}],"steps":[{"uuid":"dc208175-fab9-5675-93b0-86df9199d587","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.23_Ensure_log_hostname_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/1"}],"title":"Audit for Ensure 'log_hostname' is set correctly","remarks":"Depending on your hostname resolution setup, enabling this setting might impose a non-negligible performance penalty. Additionally, the IP addresses that are logged can be resolved to their DNS names when reviewing the logs (unless dynamic hostnames are being used as part of your DHCP setup).","description":"## Description\n\nEnabling the ` log_hostname ` setting causes the hostname of the connecting host to be logged ** in addition ** to the host's IP address for connection log messages. Disabling the setting causes only the connecting host's IP address to be logged, and not the hostname. Unless your organization's logging policy requires hostname logging, it is best to disable this setting so as not to incur the overhead of DNS resolution for each statement that is logged."},{"uuid":"4a71061d-2c82-5790-bb6c-fb2c83a53d78","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.23_Ensure_log_hostname_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'log_hostname' is set correctly","description":"Execute the following SQL statement(s) to remediate this setting (in this example, to ` off ` ): \n\n \n```bash\npostgres=# alter system set log_hostname='off'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure 'log_hostname' is set correctly","description":"Enabling the log_hostname setting causes the hostname of the connecting host to be logged in addition to the host's IP address for connection log messages. Disabling the setting causes only the connecting host's IP address to be logged, and not the hostname. Unless your organization's logging policy requires hostname logging, it is best to disable this setting so as not to incur the overhead of DNS resolution for each statement that is logged."},{"uuid":"35fbe7ca-704f-5eba-a9c6-4d1d60a2e3d1","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"34"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.24_Ensure_log_line_prefix_is_set_correctly"}],"steps":[{"uuid":"a0d96b74-acf1-59b1-b24d-b3e96954d80b","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.24_Ensure_log_line_prefix_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure 'log_line_prefix' is set correctly","remarks":"Properly setting ` log_line_prefix ` allows for adding additional information to each log entry (such as the user, or the database). Said information may then be of use in auditing or security reviews.","description":"## Description\n\nThe ` log_line_prefix ` setting specifies a ` printf ` -style string that is prefixed to each log line. If blank, no prefix is used. You should configure this as recommended by the pgBadger development team unless directed otherwise by your organization's logging policy.\n\n ` % ` characters begin \"escape sequences\" that are replaced with status information as outlined below. Unrecognized escapes are ignored. Other characters are copied straight to the logline. Some escapes are only recognized by session processes and will be treated as empty by background processes such as the main server process. Status information may be aligned either left or right by specifying a numeric literal after the ` % ` and before the option. A negative value will cause the status information to be padded on the right with spaces to give it a minimum width, whereas a positive value will pad on the left. Padding can be useful to aid human readability in log files.\n\n Any of the following escape sequences can be used:\n\n```bash\n%a = application name \n %u = user name \n %d = database name \n %r = remote host and port \n %h = remote host \n %b = backend type \n %p = process ID \n %P = process ID of parallel group leader \n %t = timestamp without milliseconds \n %m = timestamp with milliseconds \n %n = timestamp with milliseconds (as a Unix epoch) \n %Q = query ID (0 if none or not computed) \n %i = command tag \n %e = SQL state \n %c = session ID \n %l = session line number \n %s = session start timestamp \n %v = virtual transaction ID \n %x = transaction ID (0 if none) \n %q = stop here in non-session processes \n %% = '%'\n```"},{"uuid":"bd05f1db-0ac6-5a0f-9c9b-4db0c9876419","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.24_Ensure_log_line_prefix_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'log_line_prefix' is set correctly","description":"Execute the following SQL statement(s) to remediate this setting: \n\n \n```bash\npostgres=# alter system set log_line_prefix = '%m [%p]: [%l-1] db=%d,user=%u,app=%a,client=%h '; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure 'log_line_prefix' is set correctly","description":"The log_line_prefix setting specifies a printf -style string that is prefixed to each log line. If blank, no prefix is used. You should configure this as recommended by the pgBadger development team unless directed otherwise by your organization's logging policy. % characters begin \"escape sequences\" that are replaced with status information as outlined below. Unrecognized escapes are ignored. Other characters are copied straight to the logline. Some escapes are only recognized by session processes and will be treated as empty by background processes such as the main server process. Status information may be aligned either left or right by specifying a numeric literal after the % and before the option. A negative value will cause the status information to be padded on the right with spaces to give it a minimum width, whereas a positive value will pad on the left. Padding can be useful to aid human readability in log files. Any of the following escape sequences can be used: %a = application name %u = user name %d = database name %r = remote host and port %h = remote host %b = backend type %p = process ID %P = process ID of parallel group leader %t = timestamp without milliseconds %m = timestamp with milliseconds %n = timestamp with milliseconds (as a Unix epoch) %Q = query ID (0 if none or not computed) %i = command tag %e = SQL state %c = session ID %l = session line number %s = session start timestamp %v = virtual transaction ID %x = transaction ID (0 if none) %q = stop here in non-session processes %% = '%'"},{"uuid":"e30db314-6334-5cd3-b43f-d608fc05f0c8","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"35"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.25_Ensure_log_statement_is_set_correctly"}],"steps":[{"uuid":"4d41e050-34aa-5222-a487-00ce1e2eae60","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.25_Ensure_log_statement_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure 'log_statement' is set correctly","remarks":"Setting ` log_statement ` to align with your organization's security and logging policies facilitates later auditing and review of database activities.","description":"## Description\n\nThe ` log_statement ` setting specifies the types of SQL statements that are logged. Valid values are:\n\n - ` none ` (off) - ` ddl ` - ` mod ` - ` all ` (all statements) It is recommended this be set to ` ddl ` unless otherwise directed by your organization's logging policy.\n\n ` ddl ` logs all data definition statements:\n\n - ` CREATE ` - ` ALTER ` - ` DROP ` ` mod ` logs all ` ddl ` statements, plus data-modifying statements:\n\n - ` INSERT ` - ` UPDATE ` - ` DELETE ` - ` TRUNCATE ` - ` COPY FROM ` ( ` PREPARE ` , ` EXECUTE ` , and ` EXPLAIN ANALYZE ` statements are also logged if their contained command is of an appropriate type.)\n\n For clients using extended query protocol, logging occurs when an Execute message is received, and values of the Bind parameters are included (with any embedded single-quote marks doubled)."},{"uuid":"07c56a92-c51e-5d28-ad69-416a0546a39a","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.25_Ensure_log_statement_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'log_statement' is set correctly","description":"Execute the following SQL statement(s) as superuser to remediate this setting: \n\n \n```bash\npostgres=# alter system set log_statement='ddl'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure 'log_statement' is set correctly","description":"The log_statement setting specifies the types of SQL statements that are logged. Valid values are: none (off) ddl mod all (all statements) It is recommended this be set to ddl unless otherwise directed by your organization's logging policy. ddl logs all data definition statements: CREATE ALTER DROP mod logs all ddl statements, plus data-modifying statements: INSERT UPDATE DELETE TRUNCATE COPY FROM ( PREPARE , EXECUTE , and EXPLAIN ANALYZE statements are also logged if their contained command is of an appropriate type.) For clients using extended query protocol, logging occurs when an Execute message is received, and values of the Bind parameters are included (with any embedded single-quote marks doubled)."},{"uuid":"e4b43023-0c6f-5e02-96b6-28bdb30dbf96","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"36"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3.1 PostgreSQL Logging"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.26_Ensure_log_timezone_is_set_correctly"}],"steps":[{"uuid":"5310f75d-0515-5b70-8359-32ae2227ccf2","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.26_Ensure_log_timezone_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/5"}],"title":"Audit for Ensure 'log_timezone' is set correctly","remarks":"Log entry timestamps should be configured for an appropriate time zone as defined by your organization's logging policy to ensure a lack of confusion around when a logged event occurred.\n\n Note that this setting affects only the timestamps present in the logs. It does not affect the time zone in use by the database itself (for example, ` select now() ` ), nor does it affect the host's time zone.","description":"## Description\n\nThe ` log_timezone ` setting specifies the time zone to use in timestamps within log messages. This value is cluster-wide, so that all sessions will report timestamps consistently. Unless directed otherwise by your organization's logging policy, set this to either ` GMT ` or ` UTC ` ."},{"uuid":"6cefa6e7-dde9-5182-8426-27c4fdb94562","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.1.26_Ensure_log_timezone_is_set_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'log_timezone' is set correctly","description":"Execute the following SQL statement(s) to remediate this setting: \n\n \n```bash\npostgres=# alter system set log_timezone = 'GMT'; \n ALTER SYSTEM \n postgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure 'log_timezone' is set correctly","description":"The log_timezone setting specifies the time zone to use in timestamps within log messages. This value is cluster-wide, so that all sessions will report timestamps consistently. Unless directed otherwise by your organization's logging policy, set this to either GMT or UTC ."},{"uuid":"704767c1-87de-583c-b9f9-343298cc9f5e","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"37"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"group","value":"3 Logging And Auditing"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.2_Ensure_the_PostgreSQL_Audit_Extension_pgAudit_is_enabled"}],"steps":[{"uuid":"36e92c67-59c1-5ffc-8c06-4abffeb5956d","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.2_Ensure_the_PostgreSQL_Audit_Extension_pgAudit_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/2"}],"title":"Audit for Ensure the PostgreSQL Audit Extension (pgAudit) is enabled","remarks":"Basic statement logging can be provided by the standard logging facility with ` log_statement = all ` . This is acceptable for monitoring and other uses but does not provide the level of detail generally required for an audit. It is not enough to have a list of all the operations performed against the database, it must also be possible to find particular statements that are of interest to an auditor. The standard logging facility shows what the user requested, while pgAudit focuses on the details of what happened while the database was satisfying the request.\n\n When logging ` SELECT ` and ` DML ` statements, pgAudit can be configured to log a separate entry for each relation referenced in a statement. No parsing is required to find all statements that touch a particular table. In fact, the goal is that the statement text is provided primarily for deep forensics and should not be required for an audit.","description":"## Description\n\nThe PostgreSQL Audit Extension ( pgAudit ) provides detailed session and/or object audit logging via the standard PostgreSQL logging facility. The goal of pgAudit is to provide PostgreSQL users with the capability to produce audit logs often required to comply with government, financial, or ISO certifications."},{"uuid":"df738f84-f146-50df-b95a-d564486694ab","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_3.2_Ensure_the_PostgreSQL_Audit_Extension_pgAudit_is_enabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the PostgreSQL Audit Extension (pgAudit) is enabled","description":"To install and enable pgAudit, simply install the appropriate rpm from the PGDG repo: \n\n \n```bash\n# whoami \n root \n # dnf -y install pgaudit_18 \n [snip] \n Installed: \n pgaudit_18-18.0-1PGDG.rhel9.x86_64 \n \n Complete!\n```\n pgAudit is now installed and ready to be configured. Next, we need to alter the ` postgresql.conf ` configuration file to: \n\n - enable pgAudit as an extension in the ` shared_preload_libraries ` parameter - indicate which classes of statements we want to log via the ` pgaudit.log ` parameter and, finally, restart the PostgreSQL service: \n\n \n```bash\n$ vi ${PGDATA}/postgresql.conf\n```\n Find the ` shared_preload_libraries ` entry, and add 'pgaudit' to it (preserving any existing entries): \n\n \n```bash\nshared_preload_libraries = 'pgaudit' \n \n OR \n \n shared_preload_libraries = 'pgaudit,somethingelse'\n```\n Now, add a new ` pgaudit ` -specific entry: \n\n \n```bash\n# for this example we are logging the ddl and write operations \n pgaudit.log='ddl,write'\n```\n Restart the PostgreSQL server for changes to take affect: \n\n \n```bash\n# whoami \n root \n # systemctl restart postgresql-18 \n # systemctl status postgresql-18|grep 'ago$' \n Active: active (running) since [date] 10s ago\n```\n Impact: \n\n Depending on settings, it is possible for pgAudit to generate an enormous volume of logging . Be careful to determine exactly what needs to be audit logged in your environment to avoid logging too much."}],"title":"Ensure the PostgreSQL Audit Extension (pgAudit) is enabled","description":"The PostgreSQL Audit Extension ( pgAudit ) provides detailed session and/or object audit logging via the standard PostgreSQL logging facility. The goal of pgAudit is to provide PostgreSQL users with the capability to produce audit logs often required to comply with government, financial, or ISO certifications."},{"uuid":"3614f5e7-e437-5038-9e3d-ed48fe313039","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"38"},{"ns":"https://cisecurity.org/ns","name":"category","value":"User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"group","value":"4 User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.1_Ensure_Interactive_Login_is_Disabled"}],"steps":[{"uuid":"0f6728b3-4acf-5b67-bb1d-72ed4ad82420","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.1_Ensure_Interactive_Login_is_Disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/5/subcontrol/4"}],"title":"Audit for Ensure Interactive Login is Disabled","remarks":"Preventing the PostgreSQL user from logging in interactively may reduce the impact of a compromised PostgreSQL account.There is also more accountability, as accessing the operating system where the PostgreSQL server lies will require the user's own account and the apprpriate ` sudo ` configuration.Interactive access by the PostgreSQL user is unnecessary and should be disabled.","description":"## Description\n\nWhen created, the PostgreSQL user may have interactive access to the operating system, which means that the PostgreSQL user could login to the host as any other user would."},{"uuid":"b7057235-0619-59cd-b560-dd2fa528650c","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.1_Ensure_Interactive_Login_is_Disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure Interactive Login is Disabled","description":"Execute the following command: \n\n \n```bash\nsudo passwd -l postgres\n```\n Impact: \n\n This setting will prevent the PostgreSQL administrator from interactively logging into the operating system using the PostgreSQL user.Instead, the administrator will need to log in using one's own account and then ` sudo ` to the PostgreSQL administrator account."}],"title":"Ensure Interactive Login is Disabled","description":"When created, the PostgreSQL user may have interactive access to the operating system, which means that the PostgreSQL user could login to the host as any other user would."},{"uuid":"2c9fa292-2058-5125-90b1-54677ce419a7","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"39"},{"ns":"https://cisecurity.org/ns","name":"category","value":"User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"group","value":"4 User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.2_Ensure_sudo_is_configured_correctly"}],"steps":[{"uuid":"67047de7-47a9-5ee4-b0b7-896787203068","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.2_Ensure_sudo_is_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/4/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/5/subcontrol/4"}],"title":"Audit for Ensure sudo is configured correctly","remarks":"Without ` sudo ` , there would be no capabilities to strictly control access to the superuser account nor to securely and authoritatively audit its use.","description":"## Description\n\nIt is common to have more than one authorized individual administering the PostgreSQL service at the Operating System level. It is also quite common to permit login privileges to individuals on a PostgreSQL host who otherwise are not authorized to access the server's data cluster and files. Administering the PostgreSQL data cluster, as opposed to its data, is to be accomplished via a localhost login of a regular UNIX user account. Access to the ` postgres ` superuser account is restricted in such a manner as to interdict unauthorized access. ` sudo ` satisfies the requirements by escalating ordinary user account privileges as the PostgreSQL RDBMS superuser."},{"uuid":"269f602b-da59-5268-b26a-1a44a38d751c","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.2_Ensure_sudo_is_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure sudo is configured correctly","description":"As superuser ` root ` , execute the following commands: \n\n \n```bash\n# echo '%dba ALL=(postgres) PASSWD: ALL' > /etc/sudoers.d/postgres \n # chmod 600 /etc/sudoers.d/postgres\n```\n This grants any Operating System user that is a member of the ` dba ` group the ability to use ` sudo -iu postgres ` to become the ` postgres ` user. \n\n Ensure that all Operating System user's that need such access are members of the group."}],"title":"Ensure sudo is configured correctly","description":"It is common to have more than one authorized individual administering the PostgreSQL service at the Operating System level. It is also quite common to permit login privileges to individuals on a PostgreSQL host who otherwise are not authorized to access the server's data cluster and files. Administering the PostgreSQL data cluster, as opposed to its data, is to be accomplished via a localhost login of a regular UNIX user account. Access to the postgres superuser account is restricted in such a manner as to interdict unauthorized access. sudo satisfies the requirements by escalating ordinary user account privileges as the PostgreSQL RDBMS superuser."},{"uuid":"8855e208-8b0e-5e5c-9d4e-35042caf7f3a","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"40"},{"ns":"https://cisecurity.org/ns","name":"category","value":"User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"group","value":"4 User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.3_Ensure_excessive_administrative_privileges_are_revoked"}],"steps":[{"uuid":"57717c00-a4d1-5650-92ab-698eca17eaa2","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.3_Ensure_excessive_administrative_privileges_are_revoked"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/1"}],"title":"Audit for Ensure excessive administrative privileges are revoked","remarks":"By not restricting global administrative commands to superusers only, regular users granted excessive privileges may execute administrative commands with unintended and undesirable results.","description":"## Description\n\nWith respect to PostgreSQL administrative SQL commands, only superusers should have elevated privileges. PostgreSQL regular, or application, users should not possess the ability to create roles, create new databases, manage replication, or perform any other action deemed privileged. Typically, regular users should only be granted the minimal set of privileges commensurate with managing the application:\n\n - DDL ( ` create table ` , ` create view ` , ` create index ` , etc.) - DML ( ` select ` , ` insert ` , ` update ` , ` delete ` ) Further, it has become best practice to create separate roles for DDL and DML. Given an application called 'payroll', one would create the following users:\n\n - ` payroll_owner ` - ` payroll_user ` Any DDL privileges would be granted to the ` payroll_owner ` account only, while DML privileges would be given to the ` payroll_user ` account only. This prevents accidental creation/altering/dropping of database objects by application code that runs as the ` payroll_user ` account."},{"uuid":"5686de04-1faf-53bc-ac44-b1dd36bbda2e","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.3_Ensure_excessive_administrative_privileges_are_revoked"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure excessive administrative privileges are revoked","description":"If any regular or application users have been granted excessive administrative rights, those privileges should be removed immediately via the PostgreSQL ` ALTER ROLE ` SQL command. Using the same example above, the following SQL statements revoke all unnecessary elevated administrative privileges from the regular user ` appuser ` : \n\n \n```bash\n# whoami \n postgres \n # psql -c \"ALTER ROLE appuser NOSUPERUSER;\" \n ALTER ROLE \n # psql -c \"ALTER ROLE appuser NOCREATEROLE;\" \n ALTER ROLE \n # psql -c \"ALTER ROLE appuser NOCREATEDB;\" \n ALTER ROLE \n # psql -c \"ALTER ROLE appuser NOREPLICATION;\" \n ALTER ROLE \n # psql -c \"ALTER ROLE appuser NOBYPASSRLS;\" \n ALTER ROLE \n # psql -c \"ALTER ROLE appuser NOINHERIT;\" \n ALTER ROLE\n```\n Verify the ` appuser ` now passes your check by having no defined Attributes: \n\n \n```bash\n# whoami \n postgres \n # psql -c \"\\du+ appuser\" \n List of roles \n Role name | Attributes | Description \n ----------+------------+----------- \n appuser | |\n```"}],"title":"Ensure excessive administrative privileges are revoked","description":"With respect to PostgreSQL administrative SQL commands, only superusers should have elevated privileges. PostgreSQL regular, or application, users should not possess the ability to create roles, create new databases, manage replication, or perform any other action deemed privileged. Typically, regular users should only be granted the minimal set of privileges commensurate with managing the application: DDL ( create table , create view , create index , etc.) DML ( select , insert , update , delete ) Further, it has become best practice to create separate roles for DDL and DML. Given an application called 'payroll', one would create the following users: payroll_owner payroll_user Any DDL privileges would be granted to the payroll_owner account only, while DML privileges would be given to the payroll_user account only. This prevents accidental creation/altering/dropping of database objects by application code that runs as the payroll_user account."},{"uuid":"7b40327f-014c-5e87-87c7-18d3a18cf678","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"41"},{"ns":"https://cisecurity.org/ns","name":"category","value":"User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"group","value":"4 User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.4_Lock_Out_Accounts_if_Not_Currently_in_Use"}],"steps":[{"uuid":"78dc1ae7-1791-5683-9840-974c2194f500","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.4_Lock_Out_Accounts_if_Not_Currently_in_Use"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"}],"title":"Audit for Lock Out Accounts if Not Currently in Use","remarks":"Only actively used database accounts should be allowed to login to the database.","description":"## Description\n\nIf users with database accounts will not be using the database for some time, disabling the account will reduce the risk of attacks or inappropriate account usage."},{"uuid":"8f51816a-9035-57fc-8567-7318caf3f253","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.4_Lock_Out_Accounts_if_Not_Currently_in_Use"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Lock Out Accounts if Not Currently in Use","description":"To lock accounts, as a superuser, run: \n\n \n```bash\nALTER ROLE NOLOGIN;\n```\n To unlock accounts, as a superuser, runL \n\n \n```bash\nALTER ROLE LOGIN;\n```"}],"title":"Lock Out Accounts if Not Currently in Use","description":"If users with database accounts will not be using the database for some time, disabling the account will reduce the risk of attacks or inappropriate account usage."},{"uuid":"ed793b05-11fe-507f-9b51-b017b2d89b4e","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"42"},{"ns":"https://cisecurity.org/ns","name":"category","value":"User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"group","value":"4 User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.5_Ensure_excessive_function_privileges_are_revoked"}],"steps":[{"uuid":"8a24c66f-00e0-59e2-9335-8ee19a1020a2","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.5_Ensure_excessive_function_privileges_are_revoked"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/1"}],"title":"Audit for Ensure excessive function privileges are revoked","remarks":"Ideally, all application source code should be vetted to validate interactions between the application and the logic in the database, but this is usually not possible or feasible with available resources even if the source code is available. The DBA should attempt to obtain assurances from the development organization that this issue has been addressed and should document what has been discovered. The DBA should also inspect all application logic stored in the database (in the form of functions, rules, and triggers) for excessive privileges.","description":"## Description\n\nIn certain situations, to provide the required functionality, PostgreSQL needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by their organization. This is known as privilege elevation. Privilege elevation must be utilized only where necessary. Execute privileges for application functions should be restricted to authorized users only."},{"uuid":"e607d4b8-d77b-5552-9878-db47889d284d","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.5_Ensure_excessive_function_privileges_are_revoked"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure excessive function privileges are revoked","description":"Where possible, revoke ` SECURITY DEFINER ` on PostgreSQL functions. To change a ` SECURITY DEFINER ` function to ` SECURITY INVOKER ` , run the following SQL: \n\n \n```bash\n# whoami \n root \n # sudo -iu postgres \n # psql -c \"ALTER FUNCTION [functionname] SECURITY INVOKER;\"\n```\n If it is not possible to revoke ` SECURITY DEFINER ` , ensure the function can be executed by only the accounts that absolutely need such functionality: \n\n \n```bash\npostgres=# SELECT proname, proacl FROM pg_proc WHERE proname = 'delete_customer'; \n proname | proacl \n -----------------+-------------------------------------------------------- \n delete_customer | {=X/postgres,postgres=X/postgres,appreader=X/postgres} \n (1 row) \n postgres=# REVOKE EXECUTE ON FUNCTION delete_customer(integer,boolean) FROM appreader; \n REVOKE \n postgres=# SELECT proname, proacl FROM pg_proc WHERE proname = 'delete_customer'; \n proname | proacl \n -----------------+-------------------------------------------------------- \n delete_customer | {=X/postgres,postgres=X/postgres} \n (1 row)\n```\n Based on the output above, ` appreader=X/postgres ` no longer exists in the ` proacl ` column results returned from the query and confirms ` appreader ` is no longer granted execute privilege on the function."}],"title":"Ensure excessive function privileges are revoked","description":"In certain situations, to provide the required functionality, PostgreSQL needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by their organization. This is known as privilege elevation. Privilege elevation must be utilized only where necessary. Execute privileges for application functions should be restricted to authorized users only."},{"uuid":"6f5c44a7-119b-564e-894f-009378508eda","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"43"},{"ns":"https://cisecurity.org/ns","name":"category","value":"User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"group","value":"4 User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.6_Ensure_excessive_DML_privileges_are_revoked"}],"steps":[{"uuid":"1c1e3bf7-b1eb-5c09-b8ba-9e5cae5acf0e","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.6_Ensure_excessive_DML_privileges_are_revoked"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/1"}],"title":"Audit for Ensure excessive DML privileges are revoked","remarks":"Excessive DML grants can lead to unprivileged users changing or deleting information without proper authorization.","description":"## Description\n\nDML (insert, update, delete) operations at the table level should be restricted to only authorized users. PostgreSQL manages table-level DML permissions via the GRANT statement."},{"uuid":"8f4cdc51-3604-588b-817e-7b0e19b0c2e3","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.6_Ensure_excessive_DML_privileges_are_revoked"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure excessive DML privileges are revoked","description":"If a given database user has been granted excessive DML privileges for a given database table, those privileges should be revoked immediately using the ` REVOKE ` SQL command. \n\n Continuing with the example above, remove unauthorized grants for ` appreader ` user using the ` REVOKE ` statement and verify the Boolean values are now false. \n\n \n```bash\npostgres=# REVOKE INSERT, UPDATE, DELETE ON TABLE customer FROM appreader; \n REVOKE \n \n postgres=# select t.tablename, u.usename, \n has_table_privilege(u.usename, t.tablename, 'select') as select, \n has_table_privilege(u.usename, t.tablename, 'insert') as insert, \n has_table_privilege(u.usename, t.tablename, 'update') as update, \n has_table_privilege(u.usename, t.tablename, 'delete') as delete \n from pg_tables t, pg_user u \n where t.tablename = 'customer' \n and u.usename in ('appwriter','appreader'); \n \n tablename | usename | select | insert | update | delete \n ----------+-----------+--------+--------+--------+-------- \n customer | appwriter | t | t | t | t \n customer | appreader | t | f | f | f \n (2 rows)\n```\n ** Note: ** For versions of PostgreSQL prior to version 15, CVE-2018-1058 is applicable and it is recommended that all privileges be revoked from the ` public ` schema for all users on all databases. If you have upgraded from one of these earlier releases, this CVE is not fixed for you during an upgrade. You can correct this CVE by issuing: \n\n \n```bash\npostgres=# REVOKE CREATE ON SCHEMA public FROM PUBLIC; \n REVOKE\n```"}],"title":"Ensure excessive DML privileges are revoked","description":"DML (insert, update, delete) operations at the table level should be restricted to only authorized users. PostgreSQL manages table-level DML permissions via the GRANT statement."},{"uuid":"7873c10a-f589-5d52-85c2-33ee5f8021e6","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"44"},{"ns":"https://cisecurity.org/ns","name":"category","value":"User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"group","value":"4 User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.7_Ensure_Row_Level_Security_RLS_is_configured_correctly"}],"steps":[{"uuid":"507706ca-29cc-5e6c-b5d8-fff2312a9abc","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.7_Ensure_Row_Level_Security_RLS_is_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3"}],"title":"Audit for Ensure Row Level Security (RLS) is configured correctly","remarks":"If RLS policies and privileges are not configured correctly, users could perform actions on tables that they are not authorized to perform, such as inserting, updating, or deleting rows.","description":"## Description\n\nIn addition to the SQL-standard privilege system available through ` GRANT ` , tables can have row security policies that restrict, on a per-user basis, which individual rows can be returned by normal queries or inserted, updated, or deleted by data modification commands. This feature is also known as Row Level Security (RLS).\n\n By default, tables do not have any policies, so if a user has access privileges to a table according to the SQL privilege system, all rows within it are equally available for querying or updating. Row security policies can be specific to commands, to roles, or to both. A policy can be specified to apply to ` ALL ` commands, or to any combination of ` SELECT ` , ` INSERT ` , ` UPDATE ` , or ` DELETE ` . Multiple roles can be assigned to a given policy, and normal role membership and inheritance rules apply.\n\n If you use RLS and apply restrictive policies to certain users, it is important that the ` Bypass RLS ` privilege not be granted to any unauthorized users. This privilege overrides RLS-enabled tables and associated policies. Generally, only superusers and elevated users should possess this privilege."},{"uuid":"f7b6912e-c9ab-52ff-946b-7d7d4c46e66e","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.7_Ensure_Row_Level_Security_RLS_is_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure Row Level Security (RLS) is configured correctly","description":"Again, we are using the example from the PostgreSQL documentation using the example ` passwd ` table. We will create three database roles to illustrate the workings of RLS: \n\n \n```bash\npostgres=# CREATE USER admin; \n CREATE USER \n postgres=# CREATE USER bob; \n CREATE USER \n postgres=# CREATE USER alice; \n CREATE USER\n```\n Now, we will insert known data into the ` passwd ` table: \n\n \n```bash\npostgres=# INSERT INTO passwd VALUES \n ('admin','xxx',0,0,'Admin','111-222-3333',null,'/root','/bin/dash'); \n INSERT 0 1 \n postgres=# INSERT INTO passwd VALUES \n ('bob','xxx',1,1,'Bob','123-456-7890',null,'/home/bob','/bin/zsh'); \n INSERT 0 1 \n postgres=# INSERT INTO passwd VALUES \n ('alice','xxx',2,1,'Alice','098-765-4321',null,'/home/alice','/bin/zsh'); \n INSERT 0 1\n```\n And we will enable RLS on the table: \n\n \n```bash\npostgres=# ALTER TABLE passwd ENABLE ROW LEVEL SECURITY; \n ALTER TABLE \n postgres=# SELECT oid, relname, relrowsecurity FROM pg_class WHERE relname = 'passwd'; \n oid | relname | relrowsecurity \n -------+---------+---------------- \n 24679 | passwd | t \n (1 row)\n```\n Now that RLS is enabled, we need to define one or more policies. Create the administrator policy and allow it access to all rows: \n\n \n```bash\npostgres=# CREATE POLICY admin_all ON passwd TO admin USING (true) WITH CHECK (true); \n CREATE POLICY\n```\n Create a policy for normal users to view all rows: \n\n \n```bash\npostgres=# CREATE POLICY all_view ON passwd FOR SELECT USING (true); \n CREATE POLICY\n```\n Create a policy for normal users that allows them to update only their own rows and to limit what values can be set for their login shell: \n\n \n```bash\npostgres=# CREATE POLICY user_mod ON passwd FOR UPDATE \n USING (current_user = user_name) \n WITH CHECK ( \n current_user = user_name AND \n shell IN ('/bin/bash','/bin/sh','/bin/dash','/bin/zsh','/bin/tcsh') \n ); \n CREATE POLICY\n```\n Grant all the normal rights on the table to the ` admin ` user: \n\n \n```bash\npostgres=# GRANT SELECT, INSERT, UPDATE, DELETE ON passwd TO admin; \n GRANT\n```\n Grant only select access on non-sensitive columns to everyone: \n\n \n```bash\npostgres=# GRANT SELECT \n (user_name, uid, gid, real_name, home_phone, extra_info, home_dir, shell) \n ON passwd TO public; \n GRANT\n```\n Grant update to only the sensitive columns: \n\n \n```bash\npostgres=# GRANT UPDATE \n (pwhash, real_name, home_phone, extra_info, shell) \n ON passwd TO public; \n GRANT\n```\n Ensure that no one has been granted ` Bypass RLS ` inadvertently, by running the ` psql ` display command ` \\du+ ` . If unauthorized users do have ` Bypass RLS ` granted then resolve this using the ` ALTER ROLE ` ` ` ` NOBYPASSRLS; ` command. \n\n You can now verify that 'admin', 'bob', and 'alice' are properly restricted by querying the ` passwd ` table as each of these roles. \n\n \n```bash\npostgres=# set role admin; \n SET \n postgres=# table passwd; \n user_name | pwhash | uid | gid | real_name | home_phone | extra_info | home_dir | shell \n -----------+--------+-----+-----+-----------+--------------+------------+-------------+----------- \n admin | xxx | 0 | 0 | Admin | 111-222-3333 | | /root | /bin/dash \n bob | xxx | 1 | 1 | Bob | 123-456-7890 | | /home/bob | /bin/zsh \n alice | xxx | 2 | 1 | Alice | 098-765-4321 | | /home/alice | /bin/zsh \n (3 rows) \n postgres=# set role alice; \n SET \n postgres=# table passwd; \n ERROR: permission denied for table passwd \n postgres=# select user_name,real_name,home_phone,extra_info,home_dir,shell from passwd; \n user_name | real_name | home_phone | extra_info | home_dir | shell \n -----------+-----------+--------------+------------+-------------+----------- \n admin | Admin | 111-222-3333 | | /root | /bin/dash \n bob | Bob | 123-456-7890 | | /home/bob | /bin/zsh \n alice | Alice | 098-765-4321 | | /home/alice | /bin/zsh \n (3 rows) \n postgres=# update passwd set user_name = 'joe'; \n ERROR: permission denied for table passwd \n -- Alice is allowed to change her own real_name, but no others \n postgres=# update passwd set real_name = 'Alice Doe'; \n UPDATE 1 \n postgres=# update passwd set real_name = 'John Doe' where user_name = 'admin'; \n UPDATE 0 \n postgres=# select user_name,real_name,home_phone,extra_info,home_dir,shell from passwd; \n user_name | real_name | home_phone | extra_info | home_dir | shell \n -----------+-----------+--------------+------------+-------------+----------- \n admin | Admin | 111-222-3333 | | /root | /bin/dash \n bob | Bob | 123-456-7890 | | /home/bob | /bin/zsh \n alice | Alice Doe | 098-765-4321 | | /home/alice | /bin/zsh \n (3 rows) \n postgres=# update passwd set shell = '/bin/xx'; \n ERROR: new row violates WITH CHECK OPTION for \"passwd\" \n postgres=# delete from passwd; \n ERROR: permission denied for table passwd \n postgres=# insert into passwd (user_name) values ('xxx'); \n ERROR: permission denied for table passwd \n -- Alice can change her own password; RLS silently prevents updating other rows \n postgres=# update passwd set pwhash = 'abc'; \n UPDATE 1\n```"}],"title":"Ensure Row Level Security (RLS) is configured correctly","description":"In addition to the SQL-standard privilege system available through GRANT , tables can have row security policies that restrict, on a per-user basis, which individual rows can be returned by normal queries or inserted, updated, or deleted by data modification commands. This feature is also known as Row Level Security (RLS). By default, tables do not have any policies, so if a user has access privileges to a table according to the SQL privilege system, all rows within it are equally available for querying or updating. Row security policies can be specific to commands, to roles, or to both. A policy can be specified to apply to ALL commands, or to any combination of SELECT , INSERT , UPDATE , or DELETE . Multiple roles can be assigned to a given policy, and normal role membership and inheritance rules apply. If you use RLS and apply restrictive policies to certain users, it is important that the Bypass RLS privilege not be granted to any unauthorized users. This privilege overrides RLS-enabled tables and associated policies. Generally, only superusers and elevated users should possess this privilege."},{"uuid":"32c8f570-dcc6-5e98-ad4f-039bc0baf998","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"45"},{"ns":"https://cisecurity.org/ns","name":"category","value":"User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"group","value":"4 User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.8_Ensure_the_set_user_extension_is_installed"}],"steps":[{"uuid":"7bb6ff7d-9612-5a7c-9255-56592fac9e51","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.8_Ensure_the_set_user_extension_is_installed"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/4/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/5/subcontrol/4"}],"title":"Audit for Ensure the set_user extension is installed","remarks":"Even when reducing and limiting the access to the superuser role as described earlier in this benchmark, it is still difficult to determine who accessed the superuser role and what actions were taken using that role. As such, it is ideal to prevent anyone from logging in as the superuser and forcing them to escalate their role. This model is used at the OS level by the use of ` sudo ` and should be emulated in the database. The ` set_user ` extension allows for this setup.","description":"## Description\n\nPostgreSQL access to the superuser database role must be controlled and audited to prevent unauthorized access.\n\n ** Note: ** Prior to performing this audit you must create a ` roletree ` view. Here are the procedures to create this view:\n\n```bash\npostgres=# \n DROP VIEW IF EXISTS roletree; \n CREATE OR REPLACE VIEW roletree AS \n WITH RECURSIVE \n roltree AS ( \n SELECT u.rolname AS rolname, \n u.oid AS roloid, \n u.rolcanlogin, \n u.rolsuper, \n '{}'::name[] AS rolparents, \n NULL::oid AS parent_roloid, \n NULL::name AS parent_rolname \n FROM pg_catalog.pg_authid u \n LEFT JOIN pg_catalog.pg_auth_members m on u.oid = m.member \n LEFT JOIN pg_catalog.pg_authid g on m.roleid = g.oid \n WHERE g.oid IS NULL \n UNION ALL \n SELECT u.rolname AS rolname, \n u.oid AS roloid, \n u.rolcanlogin, \n u.rolsuper, \n t.rolparents || g.rolname AS rolparents, \n g.oid AS parent_roloid, \n g.rolname AS parent_rolname \n FROM pg_catalog.pg_authid u \n JOIN pg_catalog.pg_auth_members m on u.oid = m.member \n JOIN pg_catalog.pg_authid g on m.roleid = g.oid \n JOIN roltree t on t.roloid = g.oid \n ) \n SELECT \n r.rolname, \n r.roloid, \n r.rolcanlogin, \n r.rolsuper, \n r.rolparents \n FROM roltree r \n ORDER BY 1;\n```"},{"uuid":"fadaeb9b-1daf-5b6c-bdc9-446b350379be","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.8_Ensure_the_set_user_extension_is_installed"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the set_user extension is installed","description":"We will install the ` set_user ` extension: \n\n \n```bash\n# whoami \n root \n # dnf -y install set_user_18 \n [snip] \n Installed: \n set_user_18-4.2.0-1.rhel9.1.x86_64 \n \n Complete!\n```\n Now that ` set_user ` is installed, we need to tell PostgreSQL to load its library: \n\n \n```bash\n# whoami \n root \n # vi ~postgres/18/data/postgresql.conf\n```\n Find the ` shared_preload_libraries ` entry, and add 'set_user' to it (preserving any existing entries): \n\n \n```bash\nshared_preload_libraries = 'set_user' \n \n OR \n \n shared_preload_libraries = 'set_user,pgaudit,somethingelse'\n```\n Restart the PostgreSQL server for changes to take effect: \n\n \n```bash\n# systemctl restart postgresql-18 \n # systemctl status postgresql-18|grep 'ago$' \n Active: active (running) since [timestamp]; 1s ago\n```\n And now, we can install the extension with SQL: \n\n \n```bash\n# su - postgres \n # psql \n postgres=# select * from pg_available_extensions where name = 'set_user'; \n name | default_version | installed_version | comment \n ---------+-----------------+-------------------+----------------------------- \n set_user | 4.2.0 | | similar to SET ROLE but with \n | | | added logging \n (1 row) \n \n postgres=# create extension set_user; \n CREATE EXTENSION \n postgres=# select * from pg_available_extensions where name = 'set_user'; \n name | default_version | installed_version | comment \n ---------+-----------------+-------------------+----------------------------- \n set_user | 4.2.0 | 4.2.0 | similar to SET ROLE but with \n | | | added logging \n (1 row)\n```\n Now, we use ` GRANT ` to configure each DBA role to allow it to use the ` set_user ` functions. In the example below, we will configure my db user ` doug ` . (You would do this for each DBA's normal user role.) \n\n \n```bash\npostgres=# grant execute on function set_user(text) to doug; \n GRANT \n postgres=# grant execute on function set_user_u(text) to doug; \n GRANT\n```\n Connect to PostgreSQL as yourself and verify it works as expected: \n\n \n```bash\n# whoami \n psql \n # psql -U doug -d postgres -h 127.0.0.1 \n postgres=> select set_user('postgres'); \n ERROR: switching to superuser not allowed \n HINT: Use 'set_user_u' to escalate. \n postgres=> select set_user_u('postgres'); \n set_user_u \n ------------ \n OK \n (1 row) \n postgres=# select current_user, session_user; \n current_user | session_user \n --------------+-------------- \n postgres | doug \n (1 row) \n postgres=# select reset_user(); \n reset_user \n ------------ \n OK \n (1 row) \n postgres=> select current_user, session_user; \n current_user | session_user \n --------------+-------------- \n doug | doug \n (1 row)\n```\n Once all DBA's normal user accounts have been ` GRANT ` ed permission, revoke the ability to login as the ` postgres ` (superuser) user: \n\n \n```bash\npostgres=# ALTER USER postgres NOLOGIN; \n ALTER ROLE\n```\n Which results in: \n\n \n```bash\n$ psql \n psql: FATAL: role \"postgres\" is not permitted to log in \n $ psql -U doug -d postgres -h 127.0.0.1 \n psql (18.0)\n```\n Revoke SUPERUSER and/or LOGIN from any other roles that were previously identified: \n\n \n```bash\npostgres=# ALTER USER usera NOSUPERUSER; -- revoke superuser \n ALTER ROLE \n postgres=# ALTER USER usera NOLOGIN; -- revoke login \n ALTER ROLE \n postgres=# ALTER USER usera NOSUPERUSER NOLOGIN; -- revoke both at once \n ALTER ROLE\n```\n Note that we show dropping the privileges both individually and as one. Pick an appropriate version based on your application/business needs. \n\n Remove any escalated privileges on users granted indirectly that were previously identified using the ` roletree ` view: \n\n \n```bash\npostgres=# REVOKE name_of_granting_role FROM bob; -- an example only \n REVOKE ROLE\n```\n Impact: \n\n Much like the venerable ` sudo ` does for the OS, ` set_user ` manages superuser access for PostgreSQL. To complete configuration of ` set_user ` is documented at the extension's website and should be reviewed to ensure the logging entries that your organization cares about are properly configured. \n\n Note that some external tools assume they can connect as the ` postgres ` user by default and this is no longer true when ` set_user ` is deployed. You may find some tools need different options, reconfigured, or even abandoned to compensate for this."}],"title":"Ensure the set_user extension is installed","description":"PostgreSQL access to the superuser database role must be controlled and audited to prevent unauthorized access. Note: Prior to performing this audit you must create a roletree view. Here are the procedures to create this view: postgres=# DROP VIEW IF EXISTS roletree; CREATE OR REPLACE VIEW roletree AS WITH RECURSIVE roltree AS ( SELECT u.rolname AS rolname, u.oid AS roloid, u.rolcanlogin, u.rolsuper, '{}'::name[] AS rolparents, NULL::oid AS parent_roloid, NULL::name AS parent_rolname FROM pg_catalog.pg_authid u LEFT JOIN pg_catalog.pg_auth_members m on u.oid = m.member LEFT JOIN pg_catalog.pg_authid g on m.roleid = g.oid WHERE g.oid IS NULL UNION ALL SELECT u.rolname AS rolname, u.oid AS roloid, u.rolcanlogin, u.rolsuper, t.rolparents || g.rolname AS rolparents, g.oid AS parent_roloid, g.rolname AS parent_rolname FROM pg_catalog.pg_authid u JOIN pg_catalog.pg_auth_members m on u.oid = m.member JOIN pg_catalog.pg_authid g on m.roleid = g.oid JOIN roltree t on t.roloid = g.oid ) SELECT r.rolname, r.roloid, r.rolcanlogin, r.rolsuper, r.rolparents FROM roltree r ORDER BY 1;"},{"uuid":"dd998bee-b8dc-52ba-bf6e-0f14fe1b3e72","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"46"},{"ns":"https://cisecurity.org/ns","name":"category","value":"User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"group","value":"4 User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.9_Make_use_of_predefined_roles"}],"steps":[{"uuid":"dde58f69-1387-50a4-ae5e-2c511611fb05","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.9_Make_use_of_predefined_roles"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/1"}],"title":"Audit for Make use of predefined roles","remarks":"In keeping with the principle of least privilege, judicious use of the PostgreSQL predefined roles can greatly limit the access to privileged, or superuser, access.","description":"## Description\n\nPostgreSQL provides a set of predefined roles that provide access to certain commonly needed privileged capabilities and information. Administrators can GRANT these roles to users and/or other roles in their environment, providing those users with access to the specified capabilities and information."},{"uuid":"fbdac4df-efc6-57a3-a3b6-71c18ed592a9","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.9_Make_use_of_predefined_roles"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Make use of predefined roles","description":"If you've determined that one or more of the predefined roles can be used, simply ` GRANT ` it: \n\n \n```bash\npostgres=# GRANT pg_monitor TO doug; \n GRANT ROLE\n```\n And then remove ` superuser ` from the account: \n\n \n```bash\npostgres=# ALTER ROLE doug NOSUPERUSER; \n ALTER ROLE \n postgres=# select rolname from pg_roles where rolsuper is true; \n rolname \n ---------- \n postgres \n (1 row)\n```"}],"title":"Make use of predefined roles","description":"PostgreSQL provides a set of predefined roles that provide access to certain commonly needed privileged capabilities and information. Administrators can GRANT these roles to users and/or other roles in their environment, providing those users with access to the specified capabilities and information."},{"uuid":"1272fa72-7c02-546c-86c4-a64b2962de02","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"47"},{"ns":"https://cisecurity.org/ns","name":"category","value":"User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"group","value":"4 User Access and Authorization"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.10_Ensure_all_accounts_that_can_log_in_have_passwords"}],"steps":[{"uuid":"bfed366b-9920-539d-9a7c-5d424a5c4a3a","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.10_Ensure_all_accounts_that_can_log_in_have_passwords"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/5/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/4/subcontrol/4"}],"title":"Audit for Ensure all accounts that can log in have passwords","remarks":"All accounts that can login to the database should challenge the user for an SSL certificate or an account password.","description":"## Description\n\nIf not using certificate-based authentication, all database accounts that have the ability to login should have a password set."},{"uuid":"1cf6392a-3bba-51fa-8df5-1bc9a496e76a","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_4.10_Ensure_all_accounts_that_can_log_in_have_passwords"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure all accounts that can log in have passwords","description":"Set a valid password for any database user identified above. \n\n \n```bash\npostgres=# \\password user1\n```\n This shows setting the password for ` user1 ` . You can use ` ALTER ROLE ` , but note that the passwords will be emitted to the PostgreSQL logs. \n\n Impact: \n\n Note that if no password has been set up for a user, the stored password is null and password authentication will always fail for that user."}],"title":"Ensure all accounts that can log in have passwords","description":"If not using certificate-based authentication, all database accounts that have the ability to login should have a password set."},{"uuid":"e1b9fcfd-3fb5-5c56-8f24-49aabce6f027","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"48"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"group","value":"5 Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.1_Do_Not_Specify_Passwords_in_the_Command_Line"}],"steps":[{"uuid":"6d654d35-56a9-55b3-9668-c99a4631662e","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.1_Do_Not_Specify_Passwords_in_the_Command_Line"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/10"}],"title":"Audit for Do Not Specify Passwords in the Command Line","remarks":"If the password is visible in the process list or user's shell/command history, an attacker will be able to access the PostgreSQL database using the stolen credentials.","description":"## Description\n\nWhen a command is executed on the command line, for example\n\n - ` psql postgresql://postgres:PASSWORD@host ` the password may be visible in the user's shell/command history or in the process list, thus exposing the password to other entities on the server."},{"uuid":"a00945d8-3cc9-5f54-81d2-4aaf88cf5908","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.1_Do_Not_Specify_Passwords_in_the_Command_Line"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Do Not Specify Passwords in the Command Line","description":"- Use the ` --password ` or ` -W ` terminal parameter without directly specifying the password and then enter the password when prompted. \n\n Substitute ` ` with your username, e.g., root: \n\n \n```bash\npsql -u --password\n```\n - Do not use a Connection URI with password included, e.g. ` psql postgresql://postgres:PASSWORD@host ` \n\n - If desired, configure a ` .pgpass ` file with the proper credentials and secure the file appropriately."}],"title":"Do Not Specify Passwords in the Command Line","description":"When a command is executed on the command line, for example psql postgresql://postgres:PASSWORD@host the password may be visible in the user's shell/command history or in the process list, thus exposing the password to other entities on the server."},{"uuid":"2c54428b-c11e-5938-afcc-179fd5ca1d00","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"49"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"group","value":"5 Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.2_Ensure_PostgreSQL_is_Bound_to_an_IP_Address"}],"steps":[{"uuid":"7bf661a2-1138-5a17-ac23-d1c05b42e00c","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.2_Ensure_PostgreSQL_is_Bound_to_an_IP_Address"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/16/subcontrol/10"}],"title":"Audit for Ensure PostgreSQL is Bound to an IP Address","remarks":"Limiting the IP addresses that PostgreSQL listens on provides additional restrictions on where client applications/users can connect from.","description":"## Description\n\nBy default, ` listen_addresses ` is set to ` localhost ` which prevents any and all remote TCP connections to the PostgreSQL port.\n\n Some Docker images may set ` listen_addesses ` to ` * ` . ` * ` corresponds to all available IP interfaces; thus, the PostgreSQL server then accepts TCP connections on all the server's IPv6 and IPv4 interfaces. (The same is true for a setting of ` 0.0.0.0 ` .)\n\n You can make this configuration more restrictive by setting the ` listen_addresses ` configuration option to a specific list of IPv4 or IPv6 address so that the server only accepts TCP connections on those addresses.\n\n This parameter can only be set at server start."},{"uuid":"67396a4e-8c19-55fb-9694-177d84ac3d61","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.2_Ensure_PostgreSQL_is_Bound_to_an_IP_Address"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure PostgreSQL is Bound to an IP Address","description":"To have the PostgreSQL server only accept connections on a specific IP address, add an entry similar to this in the PostgreSQL configuration file ` postgresql.conf ` : \n\n \n```bash\nlisten_addresses = ''\n```\n To listen on multiple addresses, a comma-separated list may be used: \n\n \n```bash\nlisten_addresses = ', '\n```\n In this case, clients can connect to the server using ` --host= ` ` ` , while connections on other server host addresses are not possible."}],"title":"Ensure PostgreSQL is Bound to an IP Address","description":"By default, listen_addresses is set to localhost which prevents any and all remote TCP connections to the PostgreSQL port. Some Docker images may set listen_addesses to * . * corresponds to all available IP interfaces; thus, the PostgreSQL server then accepts TCP connections on all the server's IPv6 and IPv4 interfaces. (The same is true for a setting of 0.0.0.0 .) You can make this configuration more restrictive by setting the listen_addresses configuration option to a specific list of IPv4 or IPv6 address so that the server only accepts TCP connections on those addresses. This parameter can only be set at server start."},{"uuid":"60a1ece2-b413-50df-9543-d5e2f0bb49c5","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"50"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"group","value":"5 Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.3_Ensure_login_via_local_UNIX_Domain_Socket_is_configured_correctly"}],"steps":[{"uuid":"98382308-48e6-52d8-8a9a-a22030575cab","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.3_Ensure_login_via_local_UNIX_Domain_Socket_is_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/4/subcontrol/5"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/6/subcontrol/5"}],"title":"Audit for Ensure login via \"local\" UNIX Domain Socket is configured correctly","description":"## Description\n\nA remote host login, via SSH, is arguably the most secure means of remotely accessing and administering the PostgreSQL server. Once connected to the PostgreSQL server, using the ` psql ` client, via UNIX DOMAIN SOCKETS, while using the ` peer ` authentication method is the most secure mechanism available for local database connections. Provided a database user account of the same name of the UNIX account has already been defined in the database, even ordinary user accounts can access the cluster in a similarly highly secure manner."},{"uuid":"314c7c6a-1a9b-53fb-8388-f15ab0fb7b2e","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.3_Ensure_login_via_local_UNIX_Domain_Socket_is_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure login via \"local\" UNIX Domain Socket is configured correctly","description":"Creation of a database account that matches the local account allows PEER authentication: \n\n \n```bash\n# psql -c \"CREATE ROLE user1 WITH LOGIN;\" \n CREATE ROLE\n```\n Execute the following as the UNIX user account, the default authentication rules should now permit the login: \n\n \n```bash\n# su - user1 \n # whoami \n user1 \n # psql -u user1 -d postgres \n postgres=>\n```\n As per the host-based authentication rules in ` $PGDATA/pg_hba.conf ` , all login attempts via UNIX DOMAIN SOCKETS are processed on the line beginning with ` local ` . \n\n This is the minimal rule that must be in place allowing PEER connections: \n\n \n```bash\n# TYPE DATABASE USER ADDRESS METHOD \n local all all peer\n```\n Once edited, the server process must reload the authentication file before it can take effect. Improperly configured rules cannot update i.e. the old rules remain in place. The PostgreSQL logs will report the outcome of the SIGHUP: \n\n \n```bash\npostgres=# select pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```\n The following examples illustrate other possible configurations. The resultant \"rule\" of success/failure depends upon the first matching line: \n\n \n```bash\n# allow only postgres user logins locally via UNIX socket \n # TYPE DATABASE USER ADDRESS METHOD \n local all postgres peer\n```\n \n```bash\n# allow all local users via UNIX socket# TYPE DATABASE USER ADDRESS METHOD \n local all all peer\n```\n \n```bash\n# allow all local users, via UNIX socket, only if they are connecting to a db named the same as their username \n # e.g. if user 'bob' is connecting to a db named 'bob' \n # TYPE DATABASE USER METHOD \n local samerole all peer\n```\n \n```bash\n# allow only local users, via UNIX socket, who are members of the 'rw' role in the db \n # TYPE DATABASE USER ADDRESS METHOD \n local all +rw peer\n```"}],"title":"Ensure login via \"local\" UNIX Domain Socket is configured correctly","description":"A remote host login, via SSH, is arguably the most secure means of remotely accessing and administering the PostgreSQL server. Once connected to the PostgreSQL server, using the psql client, via UNIX DOMAIN SOCKETS, while using the peer authentication method is the most secure mechanism available for local database connections. Provided a database user account of the same name of the UNIX account has already been defined in the database, even ordinary user accounts can access the cluster in a similarly highly secure manner."},{"uuid":"87dc5d53-c510-540c-9037-257471e7d1ee","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"51"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"group","value":"5 Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.4_Ensure_login_via_host_TCPIP_Socket_is_configured_correctly"}],"steps":[{"uuid":"4f2c92ab-4847-537f-92a9-f178d8b14375","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.4_Ensure_login_via_host_TCPIP_Socket_is_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/4"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/10"}],"title":"Audit for Ensure login via \"host\" TCP/IP Socket is configured correctly","description":"## Description\n\nA large number of authentication METHODs are available for hosts connecting using TCP/IP sockets, including:\n\n - ` trust ` - ` reject ` - ` md5 ` - ` scram-sha-256 ` - ` password ` - ` gss ` - ` sspi ` - ` ident ` - ` pam ` - ` ldap ` - ` radius ` - ` cert ` - ` oauth ` METHODs ` trust ` , ` password ` , and ` ident ` are ** not ** to be used for remote logins.\n\n METHOD ` md5 ` is the most popular and can be used in both encrypted and unencrypted sessions, however, it is vulnerable to packet replay attacks . ** It is recommended that ` scram-sha-256 ` be used instead of ` md5 ` . **\n\n PostgreSQL 18 also introduced the setting ` md5_password_warnings ` . This is on by default and will produce a warning regarding MD5 password deprecation when a ` CREATE ROLE ` or ` ALTER ROLE ` statement sets an MD5-encrypted password.\n\n Use of the ` gss ` , ` sspi ` , ` pam ` , ` ldap ` , ` oauth ` , ` radius ` , and ` cert ` METHODs are dependent upon the availability of external authenticating processes/services and thus are not covered in this benchmark."},{"uuid":"c6e5a7f5-0ca4-5a3f-9a80-526407ffb4b0","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.4_Ensure_login_via_host_TCPIP_Socket_is_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure login via \"host\" TCP/IP Socket is configured correctly","description":"Confirm a login attempt has been made by looking for a logged error message detailing the nature of the authenticating failure. In the case of failed login attempts, whether encrypted or unencrypted, check the following: \n\n - The server should be sitting on a port exposed to the remote connecting host, i.e. NOT IP address ` 127.0.0.1 ` \n```bash\nlisten_addresses = '*' \n ``` \n * An authenticating rule must exist in the file `pg_hba.conf` \n \n This example permits encrypted sessions for the `postgres` role and denies all unencrypted sessions for the `postgres` role:\n```\n \n```bash\n# TYPE DATABASE USER ADDRESS METHODhostssl all postgres 0.0.0.0/0 scram-sha-256hostnossl all postgres 0.0.0.0/0 reject\n```\n The following examples illustrate other possible configurations. The resultant \"rule\" of success/failure depends upon the ** first matching line ** . \n\n \n```bash\n# allow 'postgres' user only from 'localhost/loopback' connections# and only if you know the password# (accepts both SSL and non-SSL connections)# TYPE DATABASE USER ADDRESS METHODhost all postgres 127.0.0.1/32 scram-sha-256# allow users to connect remotely only to the database named after them, # with the correct user password:# (accepts both SSL and non-SSL connections)# TYPE DATABASE USER ADDRESS METHODhost samerole all 0.0.0.0/0 scram-sha-256# allow only those users who are a member of the 'rw' role to connect# only to the database named after them, with the correct user password:# (accepts both SSL and non-SSL connections)# TYPE DATABASE USER ADDRESS METHODhost samerole +rw 0.0.0.0/0 scram-sha-256\n```"}],"title":"Ensure login via \"host\" TCP/IP Socket is configured correctly","description":"A large number of authentication METHODs are available for hosts connecting using TCP/IP sockets, including: trust reject md5 scram-sha-256 password gss sspi ident pam ldap radius cert oauth METHODs trust , password , and ident are not to be used for remote logins. METHOD md5 is the most popular and can be used in both encrypted and unencrypted sessions, however, it is vulnerable to packet replay attacks . It is recommended that scram-sha-256 be used instead of md5 . PostgreSQL 18 also introduced the setting md5_password_warnings . This is on by default and will produce a warning regarding MD5 password deprecation when a CREATE ROLE or ALTER ROLE statement sets an MD5-encrypted password. Use of the gss , sspi , pam , ldap , oauth , radius , and cert METHODs are dependent upon the availability of external authenticating processes/services and thus are not covered in this benchmark."},{"uuid":"97a160dc-e33f-5419-8e84-b82464661650","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"52"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"group","value":"5 Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.5_Ensure_per-account_connection_limits_are_used"}],"steps":[{"uuid":"d6ceba91-2482-5bd9-be3e-014800e4dd84","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.5_Ensure_per-account_connection_limits_are_used"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"}],"title":"Audit for Ensure per-account connection limits are used","remarks":"Limiting the number of concurrent sessions at the user level helps to reduce the risk of DoS attacks.","description":"## Description\n\nLimiting concurrent connections to a PostgreSQL server can be used to reduce the risk of Denial of Service (DoS) attacks."},{"uuid":"4f95870f-c54d-5266-955d-d205fc3db365","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.5_Ensure_per-account_connection_limits_are_used"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure per-account connection limits are used","description":"Set a per-user connection limit by running: \n\n \n```bash\nALTER USER CONNECTION LIMIT ;\n```"}],"title":"Ensure per-account connection limits are used","description":"Limiting concurrent connections to a PostgreSQL server can be used to reduce the risk of Denial of Service (DoS) attacks."},{"uuid":"6f928bbc-2d67-56dd-9085-6b9e100483c9","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"53"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"group","value":"5 Connection and Login"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.6_Ensure_Password_Complexity_is_configured"}],"steps":[{"uuid":"5a5a3f14-0629-5730-ab22-0d9fa77e927b","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.6_Ensure_Password_Complexity_is_configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/5/subcontrol/2"}],"title":"Audit for Ensure Password Complexity is configured","remarks":"Having strong password management for your locally-authenticated PostgreSQL accounts will protect against attackers' brute force techniques. This is important especially if external authentication is not possible to implement due to application requirements or restrictions.","description":"## Description\n\nPassword complexity configuration is crucial to restrict unauthorized access to data. By default, PostgreSQL doesn’t provide for password complexity. Moreover, many compliance frameworks such as PCI DSS, and HIPPA require both password complexity and length. It is worth stating that the NIST 800-63B Password Guidelines publication is a good reference of authentication management."},{"uuid":"4e635e75-1eba-5d10-838b-d674da62ddbb","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_5.6_Ensure_Password_Complexity_is_configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure Password Complexity is configured","description":"Alter the ` postgresql.conf ` configuration file to enable ` passwordcheck ` as an extension in the ` shared_preload_libraries ` parameter and restart the PostgreSQL service: \n\n \n```bash\n$ vi ${PGDATA}/postgresql.conf\n```\n Find the ` shared_preload_libraries ` entry, and add ` passwordcheck ` to it (preserving any existing entries): \n\n \n```bash\nshared_preload_libraries = '$libdir/passwordcheck'\n```\n OR \n\n \n```bash\nshared_preload_libraries = 'pgaudit,$libdir/passwordcheck,somethingelse'\n```\n Restart the PostgreSQL server for changes to take affect: \n\n \n```bash\n# whoami \n root \n # systemctl restart postgresql-18 \n # systemctl status postgresql-18|grep 'ago$' \n Active: active (running) since [date] 10s ago\n```"}],"title":"Ensure Password Complexity is configured","description":"Password complexity configuration is crucial to restrict unauthorized access to data. By default, PostgreSQL doesn’t provide for password complexity. Moreover, many compliance frameworks such as PCI DSS, and HIPPA require both password complexity and length. It is worth stating that the NIST 800-63B Password Guidelines publication is a good reference of authentication management."},{"uuid":"958bb48f-e56c-5782-9171-e3e502355c4b","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"54"},{"ns":"https://cisecurity.org/ns","name":"category","value":"PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"group","value":"6 PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.1_Understanding_attack_vectors_and_runtime_parameters"}],"steps":[{"uuid":"ca31c098-be16-52c2-bcbf-405ecfecd037","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.1_Understanding_attack_vectors_and_runtime_parameters"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/18/subcontrol/11"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/16/subcontrol/7"}],"title":"Audit for Understanding attack vectors and runtime parameters","remarks":"There are as many ways of compromising a server as there are runtime parameters. A combination of any one or more of them executed at the right time under the right conditions has the potential to compromise the RDBMS. Mitigating risk is dependent upon one's understanding of the attack vectors and includes:\n\n - Via user session: includes those runtime parameters that can be set by a ROLE that persists for the life of a server-client session. - Via attribute: includes those runtime parameters that can be set by a ROLE during a server-client session that can be assigned as an attribute for an entity such as a table, index, database, or role. - Via server reload: includes those runtime parameters that can be set by the superuser using a SIGHUP or configuration file reload command and affects the entire cluster. - Via server restart: includes those runtime parameters that can be set and effected by restarting the server process and affects the entire cluster.","description":"## Description\n\nUnderstanding the vulnerability of PostgreSQL runtime parameters by the particular delivery method, or attack vector."},{"uuid":"907995b7-ce55-583e-9b22-18485c102e22","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.1_Understanding_attack_vectors_and_runtime_parameters"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Understanding attack vectors and runtime parameters","description":"In the case of a changed parameter, the value is returned back to its default value. In the case of a successful exploit of an already set runtime parameter then an analysis must be carried out to determine the best approach in mitigating the risk to prevent future exploitation. \n\n Impact: \n\n It can be difficult to totally eliminate risk. Once changed, detecting a miscreant parameter can become problematic."}],"title":"Understanding attack vectors and runtime parameters","description":"Understanding the vulnerability of PostgreSQL runtime parameters by the particular delivery method, or attack vector."},{"uuid":"25e2227a-df64-599a-bafa-9234ca4b3cb0","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"55"},{"ns":"https://cisecurity.org/ns","name":"category","value":"PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"group","value":"6 PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.2_Ensure_backend_runtime_parameters_are_configured_correctly"}],"steps":[{"uuid":"36dd2d87-3244-50c9-a17b-b1381ed56fc3","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.2_Ensure_backend_runtime_parameters_are_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/18/subcontrol/11"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/16/subcontrol/7"}],"title":"Audit for Ensure 'backend' runtime parameters are configured correctly","remarks":"A denial of service is possible by denying the use of indexes and by slowing down client access to an unreasonable level. Unsanctioned behavior can be introduced by introducing rogue libraries which can then be called in a database session. Logging can be altered and obfuscated inhibiting root cause analysis.","description":"## Description\n\nIn order to serve multiple clients efficiently, the PostgreSQL server launches a new \"backend\" process for each client. The runtime parameters in this benchmark section are controlled by the backend process. The server's performance, in the form of slow queries causing a denial of service, and the RDBM's auditing abilities for determining root cause analysis can be potentially compromised via these parameters."},{"uuid":"7427ab0e-9052-5402-a558-929c33783d8b","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.2_Ensure_backend_runtime_parameters_are_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'backend' runtime parameters are configured correctly","description":"Once detected, the unauthorized/undesired change can be corrected by altering the configuration file and executing a server restart. In the case where the parameter has been specified on the command-line invocation of ` pg_ctl ` the ` restart ` invocation is insufficient and an explicit ` stop ` and ` start ` must instead be made. \n\n - Query the view ` pg_settings ` and compare with previous query outputs for any changes. - Review configuration files ` postgresql.conf ` and ` postgresql.auto.conf ` and compare them with previously archived file copies for any changes. - Examine the process output and look for parameters that were used at server startup: \n```bash\nps -few | grep -E -- '[p]ost.*-[D]'\n```\n - Examine the contents of ` $PGDATA/postmaster.opts ` Impact: \n\n All changes made on this level will affect the overall behavior of the server. These changes can only be affected by a server restart after the parameters have been altered in the configuration files."}],"title":"Ensure 'backend' runtime parameters are configured correctly","description":"In order to serve multiple clients efficiently, the PostgreSQL server launches a new \"backend\" process for each client. The runtime parameters in this benchmark section are controlled by the backend process. The server's performance, in the form of slow queries causing a denial of service, and the RDBM's auditing abilities for determining root cause analysis can be potentially compromised via these parameters."},{"uuid":"06479a6d-f061-5a1b-910d-c3341ccf6c92","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"56"},{"ns":"https://cisecurity.org/ns","name":"category","value":"PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"group","value":"6 PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.3_Ensure_Postmaster_Runtime_Parameters_are_Configured"}],"steps":[{"uuid":"bbaa12f9-5ba6-5adb-a36e-beea845782ac","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.3_Ensure_Postmaster_Runtime_Parameters_are_Configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/18/subcontrol/11"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/16/subcontrol/7"}],"title":"Audit for Ensure 'Postmaster' Runtime Parameters are Configured","remarks":"The ` postmaster ` process is the supervisory process that assigns a backend process to an incoming client connection. The ` postmaster ` manages key runtime parameters that are either shared by all backend connections or needed by the ` postmaster ` process itself to run.","description":"## Description\n\nPostgreSQL runtime parameters that are executed by the postmaster process."},{"uuid":"72b3746b-ce59-54a9-84f7-d5573a765040","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.3_Ensure_Postmaster_Runtime_Parameters_are_Configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'Postmaster' Runtime Parameters are Configured","description":"Once detected, the unauthorized/undesired change can be corrected by editing the altered configuration file and executing a server restart. In the case where the parameter has been specified on the command-line invocation of ` pg_ctl ` the ` restart ` invocation is insufficient and an explicit ` stop ` and ` start ` must instead be made. \n\n Detecting a change is possible by one of the following methods: \n\n - Query the view ` pg_settings ` and compare with previous query outputs for any changes - Review the configuration files ` postgresql.conf ` and ` postgresql.auto.conf ` and compare with previously archived file copies for any changes - Examine the process output and look for parameters that were used at server startup: \n```bash\nps -few | grep -E -- '[p]ost.*-[D]'\n```\n - Examine the contents of ` $PGDATA/postmaster.opts ` Impact: \n\n All changes made on this level will affect the overall behavior of the server. These changes can be effected by editing the PostgreSQL configuration files and by either executing a server SIGHUP from the command line or, as superuser ` postgres ` , executing the SQL command ` select pg_reload_conf() ` . A denial of service is possible by the over-allocating of limited resources, such as RAM. Data can be corrupted by allowing damaged pages to load or by changing parameters to reinterpret values in an unexpected fashion, e.g. changing the time zone. Client messages can be altered in such a way as to interfere with the application logic. Logging can be altered and obfuscated inhibiting root cause analysis."}],"title":"Ensure 'Postmaster' Runtime Parameters are Configured","description":"PostgreSQL runtime parameters that are executed by the postmaster process."},{"uuid":"7a8c7b10-5343-5a31-823f-805ac1d55b5a","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"57"},{"ns":"https://cisecurity.org/ns","name":"category","value":"PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"group","value":"6 PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.4_Ensure_SIGHUP_Runtime_Parameters_are_Configured"}],"steps":[{"uuid":"87a977a2-7a99-55d8-bd0f-8b41596a91ed","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.4_Ensure_SIGHUP_Runtime_Parameters_are_Configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/18/subcontrol/11"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/16/subcontrol/7"}],"title":"Audit for Ensure 'SIGHUP' Runtime Parameters are Configured","remarks":"In order to define server behavior and optimize server performance, the server's superuser has the privilege of setting these parameters which are found in the configuration files ` postgresql.conf ` and ` pg_hba.conf ` . Alternatively, those parameters found in ` postgresql.conf ` can also be changed using a server login session and executing the SQL command ` ALTER SYSTEM ` which writes its changes in the configuration file ` postgresql.auto.conf ` .","description":"## Description\n\nPostgreSQL runtime parameters that are executed by the SIGHUP signal."},{"uuid":"41807dfd-180f-53d9-b99b-80c9241bb2ee","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.4_Ensure_SIGHUP_Runtime_Parameters_are_Configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'SIGHUP' Runtime Parameters are Configured","description":"Restore all values in the PostgreSQL configuration files and invoke the server to reload the configuration files. \n\n Impact: \n\n All changes made on this level will affect the overall behavior of the server. These changes can be effected by editing the PostgreSQL configuration files and by either executing a server SIGHUP from the command line or, as superuser ` postgres ` , executing the SQL command ` select pg_reload_conf() ` . A denial of service is possible by the over-allocating of limited resources, such as RAM. Data can be corrupted by allowing damaged pages to load or by changing parameters to reinterpret values in an unexpected fashion, e.g. changing the time zone. Client messages can be altered in such a way as to interfere with the application logic. Logging can be altered and obfuscated inhibiting root cause analysis."}],"title":"Ensure 'SIGHUP' Runtime Parameters are Configured","description":"PostgreSQL runtime parameters that are executed by the SIGHUP signal."},{"uuid":"dae2aa42-7b02-56d3-abe3-ddf59eb2e6a9","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"58"},{"ns":"https://cisecurity.org/ns","name":"category","value":"PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"group","value":"6 PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.5_Ensure_Superuser_Runtime_Parameters_are_Configured"}],"steps":[{"uuid":"edb101b4-4230-5fd6-9abb-4c4141ac1103","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.5_Ensure_Superuser_Runtime_Parameters_are_Configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/18/subcontrol/11"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/16/subcontrol/7"}],"title":"Audit for Ensure 'Superuser' Runtime Parameters are Configured","remarks":"In order to improve and optimize server performance, the server's superuser has the privilege of setting these parameters which are found in the configuration file ` postgresql.conf ` . Alternatively, they can be changed in a PostgreSQL login session via the SQL command ` ALTER SYSTEM ` which writes its changes in the configuration file ` postgresql.auto.conf ` .","description":"## Description\n\nPostgreSQL runtime parameters that can only be executed by the server's superuser, ` postgres ` ."},{"uuid":"6d7e35f8-fd5e-5173-bfed-5882b454b7b3","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.5_Ensure_Superuser_Runtime_Parameters_are_Configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'Superuser' Runtime Parameters are Configured","description":"The exploit is made in the configuration files. These changes are effected upon server restart. Once detected, the unauthorized/undesired change can be made by editing the altered configuration file and executing a server restart. In the case where the parameter has been set on the command-line invocation of ` pg_ctl ` the ` restart ` invocation is insufficient and an explicit ` stop ` and ` start ` must instead be made. \n\n Detecting a change is possible by one of the following methods: \n\n - Query the view ` pg_settings ` and compare with previous query outputs for any changes. - Review the configuration files ` postgreql.conf ` and ` postgreql.auto.conf ` and compare with previously archived file copies for any changes - Examine the process output and look for parameters that were used at server startup: \n```bash\nps aux | grep -E -- '[p]ost.*-[D]'\n```\n - Examine the contents of ` $PGDATA/postmaster.opts ` Impact: \n\n All changes made on this level will affect the overall behavior of the server. These changes can only be affected by a server restart after the parameters have been altered in the configuration files. A denial of service is possible by the over-allocating of limited resources, such as RAM. Data can be corrupted by allowing damaged pages to load or by changing parameters to reinterpret values in an unexpected fashion, e.g. changing the time zone. Client messages can be altered in such a way as to interfere with the application logic. Logging can be altered and obfuscated inhibiting root cause analysis."}],"title":"Ensure 'Superuser' Runtime Parameters are Configured","description":"PostgreSQL runtime parameters that can only be executed by the server's superuser, postgres ."},{"uuid":"a0c7ff91-ef81-5c66-97c0-dfbb346d1fad","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"59"},{"ns":"https://cisecurity.org/ns","name":"category","value":"PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"group","value":"6 PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.6_Ensure_User_Runtime_Parameters_are_Configured"}],"steps":[{"uuid":"cf7836c1-6073-5473-b678-5ede7bf30ae8","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.6_Ensure_User_Runtime_Parameters_are_Configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/18/subcontrol/11"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/16/subcontrol/7"}],"title":"Audit for Ensure 'User' Runtime Parameters are Configured","remarks":"In order to improve performance and optimize features, a ` ROLE ` has the privilege of setting numerous parameters in a transaction, session, or entity attribute. Any ` ROLE ` can alter any of these parameters.","description":"## Description\n\nThese PostgreSQL runtime parameters are managed at the user account (ROLE) level."},{"uuid":"716bf3ce-61ed-5f38-82b7-fad60243e269","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.6_Ensure_User_Runtime_Parameters_are_Configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure 'User' Runtime Parameters are Configured","description":"In the matter of a user session, the login sessions must be validated that it is not executing undesired parameter changes. In the matter of attributes that have been changed in entities, they must be manually reverted to their default value(s). \n\n Impact: \n\n A denial of service is possible by the over-allocating of limited resources, such as RAM. Changing ` VACUUM ` parameters can force a server shutdown which is standard procedure preventing data corruption from transaction ID wraparound. Data can be corrupted by changing parameters to reinterpret values in an unexpected fashion, e.g. changing the time zone. Logging can be altered and obfuscated to inhibit root cause analysis."}],"title":"Ensure 'User' Runtime Parameters are Configured","description":"These PostgreSQL runtime parameters are managed at the user account (ROLE) level."},{"uuid":"e72b48ac-094a-5ad5-bf95-bab434332d50","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"60"},{"ns":"https://cisecurity.org/ns","name":"category","value":"PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"group","value":"6 PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.7_Ensure_FIPS_140-2_OpenSSL_Cryptography_Is_Used"}],"steps":[{"uuid":"b974e75b-97bf-53e5-a7f8-0747297860f6","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.7_Ensure_FIPS_140-2_OpenSSL_Cryptography_Is_Used"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/4"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/10"}],"title":"Audit for Ensure FIPS 140-2 OpenSSL Cryptography Is Used","remarks":"Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard developed by a U.S. Government and industry working group for validating the quality of cryptographic modules. Use of weak, or untested, encryption algorithms undermines the purposes of utilizing encryption to protect data. PostgreSQL uses OpenSSL for the underlying encryption layer.\n\n The database and application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. It is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\n For detailed information, refer to NIST FIPS Publication 140-2, Security Requirements for Cryptographic Modules . Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant. The security functions validated as part of FIPS 140-2 for cryptographic modules are described in FIPS 140-2 Annex A. Currently, only Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of OpenSSL. For other operating systems, users must obtain or build their own FIPS 140-2 OpenSSL libraries.","description":"## Description\n\nInstall, configure, and use OpenSSL on a platform that has a NIST certified FIPS 140-2 installation of OpenSSL. This provides PostgreSQL instances the ability to generate and validate cryptographic hashes to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements."},{"uuid":"ddbf7808-a3c6-5e10-b8e5-42fcd9a44b52","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.7_Ensure_FIPS_140-2_OpenSSL_Cryptography_Is_Used"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure FIPS 140-2 OpenSSL Cryptography Is Used","description":"Configure OpenSSL to be FIPS compliant as PostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to be FIPS 140-2 compliant, see the official RHEL Documentation . Below is a general summary of the steps required: \n\n To switch the system to FIPS mode in RHEL 9: \n\n \n```bash\n# fips-mode-setup --enable \n Kernel initramdisks are being regenerated. This might take some time. \n Setting system policy to FIPS \n Note: System-wide crypto policies are applied on application start-up. \n It is recommended to restart the system for the change of policies \n to fully take place. \n FIPS mode will be enabled. \n Please reboot the system for the setting to take effect.\n```\n Restart your system to allow the kernel to switch to FIPS mode: \n\n \n```bash\n# reboot\n```\n After the restart, you can check the current state of FIPS mode: \n\n \n```bash\n# fips-mode-setup --check \n FIPS mode is enabled.\n```"}],"title":"Ensure FIPS 140-2 OpenSSL Cryptography Is Used","description":"Install, configure, and use OpenSSL on a platform that has a NIST certified FIPS 140-2 installation of OpenSSL. This provides PostgreSQL instances the ability to generate and validate cryptographic hashes to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements."},{"uuid":"0fbf56a8-9b36-523d-90f6-dd8519e0a235","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"61"},{"ns":"https://cisecurity.org/ns","name":"category","value":"PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"group","value":"6 PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.8_Ensure_TLS_is_enabled_and_configured_correctly"}],"steps":[{"uuid":"de1d244b-ed8e-5ebd-b00d-15c3d4c4d1d4","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.8_Ensure_TLS_is_enabled_and_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/4"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/10"}],"title":"Audit for Ensure TLS is enabled and configured correctly","remarks":"If TLS is not enabled and configured correctly, this increases the risk of data being compromised in transit.","description":"## Description\n\nTLS on a PostgreSQL server should be enabled and configured to encrypt TCP traffic to and from the server."},{"uuid":"92eaf0f4-9646-5055-baf6-1a3cc9797cc4","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.8_Ensure_TLS_is_enabled_and_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure TLS is enabled and configured correctly","description":"For this example, and ease of illustration, we will be using a self-signed certificate (generated via ` openssl ` ) for the server, and the PostgreSQL defaults for file naming and location in the PostgreSQL ` $PGDATA ` directory. \n\n \n```bash\n# whoami \n postgres \n # # create new certificate and enter details at prompts \n # openssl req -new -text -out server.req \n Generating a 2048 bit RSA private key \n .....................+++ \n ..................................................................+++ \n writing new private key to 'privkey.pem' \n Enter PEM pass phrase: \n Verifying - Enter PEM pass phrase: \n ----- \n You are about to be asked to enter information that will be incorporated \n into your certificate request. \n What you are about to enter is what is called a Distinguished Name or a DN. \n There are quite a few fields but you can leave some blank \n For some fields there will be a default value, \n If you enter '.', the field will be left blank. \n ----- \n Country Name (2 letter code) [XX]:US \n State or Province Name (full name) []:Ohio \n Locality Name (eg, city) [Default City]:Columbus \n Organization Name (eg, company) [Default Company Ltd]:Me Inc \n Organizational Unit Name (eg, section) []:IT \n Common Name (eg, your name or your server's hostname) []:my.me.inc \n Email Address []:me@meinc.com \n \n Please enter the following 'extra' attributes \n to be sent with your certificate request \n A challenge password []: \n An optional company name []: \n \n # # remove passphrase (required for automatic server start up, if not using `ssl_passphrase_command`) \n # openssl rsa -in privkey.pem -out server.key && rm privkey.pem \n Enter pass phrase for privkey.pem: \n writing RSA key \n \n # # modify certificate to self signed, generate .key and .crt files \n # openssl req -x509 -in server.req -text -key server.key -out server.crt \n \n # # copy .key and .crt files to appropriate location, here default $PGDATA \n $ cp server.key server.crt $PGDATA \n \n # # restrict file mode for server.key \n $ chmod og-rwx server.key\n```\n Edit the PostgreSQL configuration file ` postgresql.conf ` to ensure the following items are set. Again, we are using defaults. Note that altering these parameters will require restarting the cluster. \n\n \n```bash\n# (change requires restart) \n ssl = on \n \n # force clients to use TLS v1.3 or newer \n ssl_min_protocol_version = 'TLSv1.3' \n \n # (change requires restart) \n ssl_cert_file = 'server.crt' \n \n # (change requires restart) \n ssl_key_file = 'server.key'\n```\n Finally, restart PostgreSQL and confirm ` ssl ` using commands outlined in Audit Procedures: \n\n \n```bash\npostgres=# show ssl; \n ssl \n ----- \n on \n (1 row)\n```\n Impact: \n\n A self-signed certificate can be used for testing, but a certificate signed by a certificate authority (CA) (either one of the global CAs or a local one) should be used in production so that clients can verify the server's identity. If all the database clients are local to the organization, using a local CA is recommended. \n\n To ultimately enable and enforce TLS authentication for the server, appropriate ` hostssl ` records must be added to the ` pg_hba.conf ` file. Be sure to ` reload ` PostgreSQL after any changes (restart not required). \n\n ** Note: ** The ` hostssl ` record matches connection attempts made using TCP/IP, but ** only ** when the connection is made with TLS encryption. The ` host ` record matches attempts made using TCP/IP, but allows both TLS and non-TLS connections. The ` hostnossl ` record matches attempts made using TCP/IP, but only those without TLS. Care should be taken to enforce TLS as appropriate."}],"title":"Ensure TLS is enabled and configured correctly","description":"TLS on a PostgreSQL server should be enabled and configured to encrypt TCP traffic to and from the server."},{"uuid":"3f9f7e1e-c219-52fc-aea9-92e0dbb0c07d","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"62"},{"ns":"https://cisecurity.org/ns","name":"category","value":"PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"group","value":"6 PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.9_Ensure_the_TLSv1.0_and_TLSv1.1_Protocols_are_Disabled"}],"steps":[{"uuid":"6668bb07-ccd3-5e46-8698-4b499f960c4d","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.9_Ensure_the_TLSv1.0_and_TLSv1.1_Protocols_are_Disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/10"}],"title":"Audit for Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled","remarks":"The TLSv1.0 protocol is vulnerable to the BEAST attack when used in CBC mode (October 2011). TLSv1.0 uses CBC modes for all of the block mode ciphers, which only leaves the RC4 streaming cipher which is also weak and therefore ** not ** recommended. Therefore, it is recommended that the TLSv1.0 protocol is disabled. The TLSv1.1 protocol does not support Authenticated Encryption with Associated Data (AEAD) which is designed to simultaneously provide confidentiality, integrity, and authenticity. All major up-to-date browsers support TLSv1.2, and most recent versions of Firefox and Chrome support the newer TLSv1.3 protocol, since 2017.\n\n IETF deprecated TLSv1.0 and TLSv1.1 in March 2021 (see RFC 8996 ).","description":"## Description\n\nTransport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL) are cryptographic protocols which can be used to encrypt data sent between client and server."},{"uuid":"9a762990-27bf-5294-8623-c335f5b978d4","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.9_Ensure_the_TLSv1.0_and_TLSv1.1_Protocols_are_Disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled","description":"Adjust the ssl_min_protocol_version to at least TLSv1.2: \n\n \n```bash\nALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';\n```\n or (preferred): \n\n \n```bash\nALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.3';\n```\n In either case, make the change active: \n\n \n```bash\nSELECT pg_reload_conf(); \n SHOW ssl_min_protocol_version;\n```"}],"title":"Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled","description":"Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL) are cryptographic protocols which can be used to encrypt data sent between client and server."},{"uuid":"c594e686-34a6-57f1-857a-ec23533b25c2","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"63"},{"ns":"https://cisecurity.org/ns","name":"category","value":"PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"group","value":"6 PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.10_Ensure_Weak_SSLTLS_Ciphers_Are_Disabled"}],"steps":[{"uuid":"e22ea89b-731b-50cf-9cd3-aae2843bcb8d","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.10_Ensure_Weak_SSLTLS_Ciphers_Are_Disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"}],"title":"Audit for Ensure Weak SSL/TLS Ciphers Are Disabled","remarks":"The SSL/TLS protocols support a large number of Cipher Suites including many weak and medium strength algorithms that are subject to man-in-the middle attacks and information disclosure. Some implementations even support the ` NULL ` Cipher Suite which allows a TLS connection without any cryptographic protection. Therefore, it is critical to ensure the configuration only allows strong algorithms greater than or equal to 128-bit to be negotiated with the client. Stronger 256-bit algorithms should be allowed and preferred.\n\n Furthermore, during the TLS handshake, after the initial Client Hello and Server Hello , there is a pre-master secret generated, which is used to generate the master secret, and in turn generates the session key. When using protocols that do not provide forward secrecy, such as RSA, the pre-master secret is encrypted by the client with the server's public key and sent over the network. However, with protocols such as ` ECDHE ` (Elliptic-Curve Diffie-Hellman Ephemeral) the pre-master secret is not sent over the wire, even in encrypted format. The key exchange arrives at the shared secret in the clear using ephemeral keys that are not stored or used again. With forward secrecy, each session has a unique key exchange, so that future sessions are protected.\n\n ** Note ** This recommendation is primarily targeted at those installs that cannot run in FIPS-mode, or need to further refine the allowable cipher list.","description":"## Description\n\nThe PostgreSQL ` ssl_ciphers ` and ` ssl_tls13_ciphers ` directives specify which Cipher Suites are allowed in the negotiation with the client. ` ssl_ciphers ` is used to specify the list of allowed cipher suites for TLS 1.2 and earlier versions. While ` ssl_tls13_ciphers ` is a list of cipher suites that are allowed by connections using TLS version 1.3.\n\n In cryptography, perfect forward secrecy (PFS), also known as forward secrecy (FS), is a feature of specific key exchange protocols that give assurance that the session keys will not be compromised even if the private key of the server is compromised. For instance, ` RSA ` does not provide PFS, while the ` ECDHE ` (Elliptic-Curve Diffie-Hellman Ephemeral) and ` DHE ` (Diffie-Hellman Ephemeral) provides PFS.\n\n ` ECDHE ` is the stronger protocol and should be preferred, while ` DHE ` may be allowed for greater compatibility with older clients.Only Cipher Suites with either the ` ECDHE ` or the ` DHE ` key exchange are allowed."},{"uuid":"92ac3d13-0d92-59df-b174-fe0778446d65","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.10_Ensure_Weak_SSLTLS_Ciphers_Are_Disabled"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure Weak SSL/TLS Ciphers Are Disabled","description":"Add or modify the ` ssl_ciphers ` directive to the following value: \n\n \n```bash\npostgres=# ALTER SYSTEM SET ssl_ciphers = 'TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_SHA256'; \n postgres=# ALTER SYSTEM SET ssl_tls13_ciphers = 'TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_SHA256'; \n ALTER SYSTEM \n postgres=# SELECT pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row)\n```"}],"title":"Ensure Weak SSL/TLS Ciphers Are Disabled","description":"The PostgreSQL ssl_ciphers and ssl_tls13_ciphers directives specify which Cipher Suites are allowed in the negotiation with the client. ssl_ciphers is used to specify the list of allowed cipher suites for TLS 1.2 and earlier versions. While ssl_tls13_ciphers is a list of cipher suites that are allowed by connections using TLS version 1.3. In cryptography, perfect forward secrecy (PFS), also known as forward secrecy (FS), is a feature of specific key exchange protocols that give assurance that the session keys will not be compromised even if the private key of the server is compromised. For instance, RSA does not provide PFS, while the ECDHE (Elliptic-Curve Diffie-Hellman Ephemeral) and DHE (Diffie-Hellman Ephemeral) provides PFS. ECDHE is the stronger protocol and should be preferred, while DHE may be allowed for greater compatibility with older clients.Only Cipher Suites with either the ECDHE or the DHE key exchange are allowed."},{"uuid":"8a026e75-8c7d-521a-bbf0-958ce6ffb2e3","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"64"},{"ns":"https://cisecurity.org/ns","name":"category","value":"PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"group","value":"6 PostgreSQL Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.11_Ensure_the_pgcrypto_extension_is_installed_and_configured_correctly"}],"steps":[{"uuid":"bb6c7fa2-f45a-546d-a9dd-f8c8c8882827","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.11_Ensure_the_pgcrypto_extension_is_installed_and_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/8"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/11"}],"title":"Audit for Ensure the pgcrypto extension is installed and configured correctly","remarks":"PostgreSQL instances handling data that requires \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to PostgreSQL or implemented via additional software or operating system/file system settings, as appropriate to the situation. Information at rest refers to the state of information when it is located on a secondary storage device (e.g. disk drive, tape drive) within an organizational information system.\n\n The selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e. full disk encryption) or encrypt specific data structures (e.g. files, records, or fields). Organizations may also optionally choose to implement both to implement layered security.\n\n The decision of whether, and what, to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protection, as appropriate. If the confidentiality and integrity of application data are not protected, the data will be open to compromise and unauthorized modification.\n\n The PostgreSQL ` pgcrypto ` extension provides cryptographic functions for PostgreSQL and is intended to address the confidentiality and integrity of user and system information at rest in non-mobile devices.","description":"## Description\n\nPostgreSQL must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components."},{"uuid":"060810f2-9912-52cc-b086-3179f2512ee7","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_6.11_Ensure_the_pgcrypto_extension_is_installed_and_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the pgcrypto extension is installed and configured correctly","description":"The ` pgcrypto ` extension is included with the PostgreSQL ` contrib ` package. Although included, it needs to be created in the database. \n\n As the database administrator, run the following: \n\n \n```bash\npostgres=# CREATE EXTENSION pgcrypto; \n CREATE EXTENSION\n```\n Verify ` pgcrypto ` is installed: \n\n \n```bash\npostgres=# SELECT * FROM pg_available_extensions WHERE name='pgcrypto'; \n name | default_version | installed_version | comment \n ----------+-----------------+-------------------+------------------------- \n pgcrypto | 1.4 | 1.4 | cryptographic functions \n (1 row)\n```\n Impact: \n\n When considering or undertaking any form of encryption, it is critical to understand the state of the encrypted data at all stages of the data lifecycle. The use of ` pgcrypto ` ensures that the data at rest in the tables (and therefore on disk) is encrypted, but for the data to be accessed by any users or applications, said users/applications will, by necessity, have access to the encrypt and decrypt keys and the data in question will be encrypted/decrypted in memory and then transferred to/from the user/application in that form."}],"title":"Ensure the pgcrypto extension is installed and configured correctly","description":"PostgreSQL must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components."},{"uuid":"ed81de84-67c4-563c-8bde-aa44d4bb2612","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"65"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Replication"},{"ns":"https://cisecurity.org/ns","name":"group","value":"7 Replication"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.1_Ensure_a_replication-only_user_is_created_and_used_for_streaming_replication"}],"steps":[{"uuid":"37bacb47-8877-5f77-8de8-4f2bea93a8c8","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.1_Ensure_a_replication-only_user_is_created_and_used_for_streaming_replication"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/4/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/5/subcontrol/4"}],"title":"Audit for Ensure a replication-only user is created and used for streaming replication","remarks":"As it is not necessary to be a superuser to initiate a replication connection, it is proper to create an account specifically for replication. This allows further 'locking down' the uses of the superuser account and follows the general principle of using the least privileges necessary.","description":"## Description\n\nCreate a new user specifically for use by streaming replication instead of using the superuser account."},{"uuid":"e17949cc-1010-59c1-8939-d73a3024615c","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.1_Ensure_a_replication-only_user_is_created_and_used_for_streaming_replication"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure a replication-only user is created and used for streaming replication","description":"It will be necessary to create a new role for replication purposes: \n\n \n```bash\npostgres=# create user replication_user REPLICATION encrypted password 'XXX'; \n CREATE ROLE \n postgres=# select rolname from pg_roles where rolreplication is true; \n rolname \n ------------------ \n postgres \n replication_user \n (2 rows)\n```\n When using ` pg_basebackup ` (or other replication tools) on your standby server, you would use the ` replication_user ` (and its password). \n\n Ensure you allow the new user via your ` pg_hba.conf ` file: \n\n \n```bash\n# note that 'replication' in the 2nd column is required and is a special \n # keyword, not a real database \n hostssl replication replication_user 0.0.0.0/0 scram-sha-256\n```"}],"title":"Ensure a replication-only user is created and used for streaming replication","description":"Create a new user specifically for use by streaming replication instead of using the superuser account."},{"uuid":"406a1864-662c-512b-94e8-8e153a891e27","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"66"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Replication"},{"ns":"https://cisecurity.org/ns","name":"group","value":"7 Replication"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.2_Ensure_logging_of_replication_commands_is_configured"}],"steps":[{"uuid":"9b1b67e1-2a1f-505a-93b2-2676fbb56f6c","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.2_Ensure_logging_of_replication_commands_is_configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/4/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/5/subcontrol/4"}],"title":"Audit for Ensure logging of replication commands is configured","remarks":"A successful replication connection allows for a complete copy of the data stored within the data cluster to be offloaded to another, potentially insecure, host. As such, it is advisable to log all replication commands that are executed in your database cluster to ensure the data is not off-loaded to an unexpected/undesired location.","description":"## Description\n\nEnabling the ` log_replication_commands ` setting causes each attempted replication from the server to be logged."},{"uuid":"63334ccc-6898-5676-b3b6-39819a48c65e","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.2_Ensure_logging_of_replication_commands_is_configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure logging of replication commands is configured","description":"To enable the logging of replication commands, execute the following: \n\n \n```bash\npostgres=# ALTER SYSTEM SET log_replication_commands = 'on'; \n ALTER SYSTEM \n postgres=# SELECT pg_reload_conf(); \n pg_reload_conf \n ---------------- \n t \n (1 row) \n postgres=# show log_replication_commands ; \n log_replication_commands \n -------------------------- \n on \n (1 row)\n```"}],"title":"Ensure logging of replication commands is configured","description":"Enabling the log_replication_commands setting causes each attempted replication from the server to be logged."},{"uuid":"a260af60-aef7-51af-b717-3c523676f5d7","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"67"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Replication"},{"ns":"https://cisecurity.org/ns","name":"group","value":"7 Replication"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.3_Ensure_base_backups_are_configured_and_functional"}],"steps":[{"uuid":"989241ab-31a0-5c17-b369-929b28bef324","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.3_Ensure_base_backups_are_configured_and_functional"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/10/subcontrol/3"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/11/subcontrol/5"}],"title":"Audit for Ensure base backups are configured and functional","description":"## Description\n\nA 'base backup' is a copy of the PRIMARY host's data cluster ( ` $PGDATA ` ) and is used to create STANDBY hosts and for Point In Time Recovery (PITR) mechanisms. Base backups should be copied across networks in a secure manner using an encrypted transport mechanism. The PostgreSQL CLI ` pg_basebackup ` can be used, however, TLS encryption should be enabled on the server as per section 6.8 of this benchmark. The pgBackRest tool detailed in section 8.2 of this benchmark can also be used to create a 'base backup'."},{"uuid":"5bbca093-2f6e-5940-a70b-35ae76f4ed10","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.3_Ensure_base_backups_are_configured_and_functional"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure base backups are configured and functional","description":"Executing base backups using ` pg_basebackup ` requires the following steps on the ** standby ** server: \n\n \n```bash\n$ whoami \n postgres \n $ pg_basebackup --host=name_or_IP_of_master \\ \n --port=5432 \\ \n --username=replication_user \\ \n --pgdata=~postgres/18/data \\ \n --progress --verbose --write-recovery-conf --wal-method=stream\n```"}],"title":"Ensure base backups are configured and functional","description":"A 'base backup' is a copy of the PRIMARY host's data cluster ( $PGDATA ) and is used to create STANDBY hosts and for Point In Time Recovery (PITR) mechanisms. Base backups should be copied across networks in a secure manner using an encrypted transport mechanism. The PostgreSQL CLI pg_basebackup can be used, however, TLS encryption should be enabled on the server as per section 6.8 of this benchmark. The pgBackRest tool detailed in section 8.2 of this benchmark can also be used to create a 'base backup'."},{"uuid":"621462a2-f9b7-5fad-ba8f-12990973c494","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"68"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Replication"},{"ns":"https://cisecurity.org/ns","name":"group","value":"7 Replication"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.4_Ensure_WAL_archiving_is_configured_and_functional"}],"steps":[{"uuid":"a789fd1f-67cd-56cb-9401-1cd0e7443550","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.4_Ensure_WAL_archiving_is_configured_and_functional"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/4"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/10"}],"title":"Audit for Ensure WAL archiving is configured and functional","remarks":"Unless the server has been correctly configured, one runs the risk of sending WALs in an unsecured, unencrypted fashion.","description":"## Description\n\nWrite Ahead Log (WAL) Archiving, or Log Shipping, is the process of sending transaction log files from the PRIMARY host either to one or more STANDBY hosts or to be archived on a remote storage device for later use, e.g. ` PITR ` . There are several utilities that can copy WALs including, but not limited to, ` cp ` , ` scp ` , ` sftp ` , and ` rynsc ` . Basically, the server follows a set of runtime parameters which define when the WAL should be copied using one of the aforementioned utilities."},{"uuid":"56cd736b-38d6-5ecf-bca7-999941cae07a","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.4_Ensure_WAL_archiving_is_configured_and_functional"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure WAL archiving is configured and functional","description":"Change parameters and restart the server as required."}],"title":"Ensure WAL archiving is configured and functional","description":"Write Ahead Log (WAL) Archiving, or Log Shipping, is the process of sending transaction log files from the PRIMARY host either to one or more STANDBY hosts or to be archived on a remote storage device for later use, e.g. PITR . There are several utilities that can copy WALs including, but not limited to, cp , scp , sftp , and rynsc . Basically, the server follows a set of runtime parameters which define when the WAL should be copied using one of the aforementioned utilities."},{"uuid":"30cb3dd9-7ca1-571f-a446-909ec0d71f93","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"69"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Replication"},{"ns":"https://cisecurity.org/ns","name":"group","value":"7 Replication"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.5_Ensure_streaming_replication_parameters_are_configured_correctly"}],"steps":[{"uuid":"cac53c27-601f-5622-ae8b-4391d72089a4","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.5_Ensure_streaming_replication_parameters_are_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/4"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/10"}],"title":"Audit for Ensure streaming replication parameters are configured correctly","remarks":"Unencrypted transmissions could reveal sensitive information to unauthorized parties. Unauthenticated connections could enable man-in-the-middle attacks.","description":"## Description\n\nStreaming replication from a PRIMARY host transmits DDL, DML, passwords, and other potentially sensitive activities and data. These connections should be protected with Secure Sockets Layer (SSL)."},{"uuid":"26c49b1c-d659-5c37-a537-66c04e54dd61","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_7.5_Ensure_streaming_replication_parameters_are_configured_correctly"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure streaming replication parameters are configured correctly","description":"Review prior sections in this benchmark regarding TLS certificates, replication user, and WAL archiving. \n\n Confirm the file ` $PGDATA/standby.signal ` is present on the STANDBY host and ` $PGDATA/postgresql.auto.conf ` contains lines similar to the following: \n\n \n```bash\nprimary_conninfo = 'user=replication_user password=mypassword host=mySrcHost port=5432 sslmode=require sslcompression=1'\n```"}],"title":"Ensure streaming replication parameters are configured correctly","description":"Streaming replication from a PRIMARY host transmits DDL, DML, passwords, and other potentially sensitive activities and data. These connections should be protected with Secure Sockets Layer (SSL)."},{"uuid":"634e0444-7b6d-5f7b-b4ce-21d3e69a782d","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"70"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Special Configuration Considerations"},{"ns":"https://cisecurity.org/ns","name":"group","value":"8 Special Configuration Considerations"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_8.1_Ensure_PostgreSQL_subdirectory_locations_are_outside_the_data_cluster"}],"steps":[{"uuid":"728da39f-dc62-580c-af92-e2614f1e8e28","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_8.1_Ensure_PostgreSQL_subdirectory_locations_are_outside_the_data_cluster"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/18/subcontrol/11"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/16/subcontrol/7"}],"title":"Audit for Ensure PostgreSQL subdirectory locations are outside the data cluster","remarks":"Some subdirectories contain information, such as logs, which can be of value to others such as developers. Other subdirectories can gain a performance benefit when placed on fast storage devices. Other subdirectories contain temporary files created and used during processing. Finally, relocating a subdirectory to a separate and distinct partition mitigates denial of service and involuntary server shutdown when excessive writes fill the data cluster's partition, e.g. ` pg_wal ` , ` pg_log ` , and ` temp_tablespaces ` .","description":"## Description\n\nThe PostgreSQL cluster is organized to carry out specific tasks in subdirectories. For the purposes of performance, reliability, and security some of these subdirectories should be relocated outside the data cluster."},{"uuid":"c7c0aa6e-c83c-583f-940c-9ae20969ce2e","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_8.1_Ensure_PostgreSQL_subdirectory_locations_are_outside_the_data_cluster"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure PostgreSQL subdirectory locations are outside the data cluster","description":"Perform the following steps to remediate the subdirectory locations and permissions: \n\n - Determine appropriate data, log, and tablespace directories and locations based on your organization's security policies. If necessary, relocate all listed directories outside the data cluster. - If not relocating ` temp_tablespaces ` , the ` temp_file_limit ` parameter must be changed from its default value. - Ensure file permissions are restricted as much as possible, i.e. only superuser read access. - When directories are relocated to other partitions, ensure that they are of sufficient size to mitigate against excessive space utilization. - Lastly, change the settings accordingly in the ` postgresql.conf ` configuration file and restart the database cluster for changes to take effect. To relocate ` temp_tablespaces ` to an existing mount point outside the data cluster is accomplished by: \n\n \n```bash\npostgres=# CREATE TABLESPACE temp_tablespc LOCATION '/path/to/existing/desired/mount/point'; \n postgres=# ALTER SYSTEM SET temp_tablespaces = 'temp_tablespc'; \n postgres=# SELECT pg_reload_conf();\n```"}],"title":"Ensure PostgreSQL subdirectory locations are outside the data cluster","description":"The PostgreSQL cluster is organized to carry out specific tasks in subdirectories. For the purposes of performance, reliability, and security some of these subdirectories should be relocated outside the data cluster."},{"uuid":"acdc1e67-57ef-5a78-b66c-ed2d90164ee1","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"71"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Special Configuration Considerations"},{"ns":"https://cisecurity.org/ns","name":"group","value":"8 Special Configuration Considerations"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_8.2_Ensure_the_backup_and_restore_tool_pgBackRest_is_installed_and_configured"}],"steps":[{"uuid":"b330a0ff-5254-5b69-a17d-cec329a21289","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_8.2_Ensure_the_backup_and_restore_tool_pgBackRest_is_installed_and_configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/10/subcontrol/1"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/10/subcontrol/2"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/11/subcontrol/2"}],"title":"Audit for Ensure the backup and restore tool, 'pgBackRest', is installed and configured","remarks":"The native PostgreSQL backup facility ` pg_dump ` provides adequate logical backup operations but does not provide for Point In Time Recovery (PITR). The PostgreSQL facility ` pg_basebackup ` performs a physical backup of the database files and does provide for PITR, but it is constrained by single threading. Both of these methodologies are standard in the PostgreSQL ecosystem and appropriate for particular backup/recovery needs. ` pgBackRest ` offers another option with much more robust features and flexibility.\n\n ` pgBackRest ` is open-source software developed to perform efficient backups on PostgreSQL databases that measure in tens of terabytes and greater. It supports per-file checksums, compression, partial/failed backup resume, high-performance parallel transfer, asynchronous archiving, tablespaces, expiration, full/differential/incremental backups, local/remote operation via SSH or TLS, hard-linking, restore, ** backup encryption ** , and more. ` pgBackRest ` is written in C and does not depend on ` rsync ` or ` tar ` but instead performs its own deltas which give it maximum flexibility. Finally, ` pgBackRest ` provides an easy-to-use internal repository listing backup details accessible via the ` pgbackrest info ` command, as illustrated below.\n\n```bash\n$ pgbackrest info \n stanza: proddb01 \n status: ok \n \n db (current) \n wal archive min/max (18.0-1): 000000010000000000000012 / 000000010000000000000017 \n \n full backup: 20231012-153106F \n timestamp start/stop: 2023-10-12 15:31:06 / 2023-10-12 15:31:49 \n wal start/stop: 000000010000000000000012 / 000000010000000000000012 \n database size: 29.4MB, backup size: 29.4MB \n repository size: 3.4MB, repository backup size: 3.4MB \n \n diff backup: 20231012-153106F_20231012-173109D \n timestamp start/stop: 2023-10-12 17:31:09 / 2023-10-12 17:31:19 \n wal start/stop: 000000010000000000000015 / 000000010000000000000015 \n database size: 29.4MB, backup size: 2.6MB \n repository size: 3.4MB, repository backup size: 346.8KB \n backup reference list: 20231012-153106F \n \n incr backup: 20231012-153106F_20231012-183114I \n timestamp start/stop: 2023-10-12 18:31:14 / 2023-10-12 18:31:22 \n wal start/stop: 000000010000000000000017 / 000000010000000000000017 \n database size: 29.4MB, backup size: 8.2KB \n repository size: 3.4MB, repository backup size: 519B \n backup reference list: 20231012-153106F, 20231012-153106F_20231012-173109D\n```","description":"## Description\n\npgBackRest aims to be a simple, reliable backup and restore system that can seamlessly scale up to the largest databases and workloads. Instead of relying on traditional backup tools like ` tar ` and ` rsync ` , pgBackRest implements all backup features internally and uses a custom protocol for communicating with remote systems. Removing reliance on ` tar ` and ` rsync ` allows for better solutions to database-specific backup challenges. The custom remote protocol allows for more flexibility and limits the types of connections that are required to perform a backup which increases security."},{"uuid":"8e225274-a85b-50a5-826f-192317447d1f","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_8.2_Ensure_the_backup_and_restore_tool_pgBackRest_is_installed_and_configured"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure the backup and restore tool, 'pgBackRest', is installed and configured","description":"` pgBackRest ` is not installed nor configured for PostgreSQL by default, but instead is maintained as a GitHub project. Fortunately, it is a part of the PGDG repository and can be easily installed: \n\n \n```bash\n# whoami \n root \n # dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \n \n Installed: \n epel-release-9-10.el9.noarch \n \n Complete! \n # dnf -y install pgbackrest \n \n Installed: \n libssh2-1.11.1-1.el9.x86_64 pgbackrest-2.58.0-1PGDG.rhel9.7.x86_64 \n \n Complete!\n```\n Once installed, ` pgBackRest ` must be configured for things like stanza name, backup location, retention policy, logging, etc. Please consult the configuration guide . \n\n If employing ` pgBackRest ` for your backup/recovery solution, ensure the repository, base backups, and WAL archives are stored on a reliable file system separate from the database server. Further, the external storage system where backups reside should have limited access to only those system administrators as necessary. Finally, as with any backup/recovery solution, stringent testing must be conducted. ** A backup is only good if it can be restored successfully. **"}],"title":"Ensure the backup and restore tool, 'pgBackRest', is installed and configured","description":"pgBackRest aims to be a simple, reliable backup and restore system that can seamlessly scale up to the largest databases and workloads. Instead of relying on traditional backup tools like tar and rsync , pgBackRest implements all backup features internally and uses a custom protocol for communicating with remote systems. Removing reliance on tar and rsync allows for better solutions to database-specific backup challenges. The custom remote protocol allows for more flexibility and limits the types of connections that are required to perform a backup which increases security."},{"uuid":"bfc49068-7628-5509-8ce1-41997544f617","props":[{"name":"method","value":"EXAMINE"},{"ns":"https://cisecurity.org/ns","name":"sequence","value":"72"},{"ns":"https://cisecurity.org/ns","name":"category","value":"Special Configuration Considerations"},{"ns":"https://cisecurity.org/ns","name":"group","value":"8 Special Configuration Considerations"},{"ns":"https://cisecurity.org/ns","name":"cis-group-id","value":"xccdf_org.cisecurity.benchmarks_rule_8.3_Ensure_miscellaneous_configuration_settings_are_correct"}],"steps":[{"uuid":"0f9123df-1c34-5ebc-b5e1-981afa3103f1","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_8.3_Ensure_miscellaneous_configuration_settings_are_correct"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"audit"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v7.0/control/18/subcontrol/11"},{"ns":"https://cisecurity.org/ns","name":"cis-control-uri","value":"http://cisecurity.org/20-cc/v8.0/control/16/subcontrol/7"}],"title":"Audit for Ensure miscellaneous configuration settings are correct","description":"## Description\n\nThis recommendation covers non-regular, special files, and dynamic libraries.\n\n PostgreSQL permits local logins via the UNIX DOMAIN SOCKET and, for the most part, anyone with a legitimate Unix login account can make the attempt. Limiting PostgreSQL login attempts can be made by relocating the UNIX DOMAIN SOCKET to a subdirectory with restricted permissions.\n\n The creation and implementation of user-defined dynamic libraries is an extraordinary powerful capability. In the hands of an experienced DBA/programmer, it can significantly enhance the power and flexibility of the RDBMS; but new and unexpected behavior can also be assigned to the RDBMS, resulting in a very dangerous environment in what should otherwise be trusted."},{"uuid":"688f0160-38e7-55e4-b875-a40f4b288abf","props":[{"ns":"https://cisecurity.org/ns","name":"assessment-status","value":"manual"},{"ns":"https://cisecurity.org/ns","name":"cis-rule-id","value":"xccdf_org.cisecurity.benchmarks_rule_8.3_Ensure_miscellaneous_configuration_settings_are_correct"},{"ns":"https://cisecurity.org/ns","name":"step-type","value":"remediation"}],"title":"Remediation for Ensure miscellaneous configuration settings are correct","description":"Follow these steps to remediate the configuration: \n\n - Determine permissions based on your organization's security policies. - Relocate all files and ensure their permissions are restricted as much as possible, i.e. only superuser read access. - Ensure all directories where these files are located have restricted permissions such that the superuser can read but not write. - Lastly, change the settings accordingly in the ` postgresql.conf ` configuration file and restart the database cluster for changes to take effect."}],"title":"Ensure miscellaneous configuration settings are correct","description":"This recommendation covers non-regular, special files, and dynamic libraries. PostgreSQL permits local logins via the UNIX DOMAIN SOCKET and, for the most part, anyone with a legitimate Unix login account can make the attempt. Limiting PostgreSQL login attempts can be made by relocating the UNIX DOMAIN SOCKET to a subdirectory with restricted permissions. The creation and implementation of user-defined dynamic libraries is an extraordinary powerful capability. In the hands of an experienced DBA/programmer, it can significantly enhance the power and flexibility of the RDBMS; but new and unexpected behavior can also be assigned to the RDBMS, resulting in a very dangerous environment in what should otherwise be trusted."}]},"reviewed-controls":{"control-selections":[{"props":[{"ns":"https://cisecurity.org/ns","name":"framework","value":"CIS Controls v8.0"},{"ns":"https://cisecurity.org/ns","name":"resolution-status","value":"synthetic-ids"}],"description":"CIS Controls v8.0 derived from benchmark cc8:controlURI paths. Provide a CIS Controls v8 OSCAL catalog via --cis-catalog-v8 for authoritative control-id resolution.","include-controls":[{"control-id":"cis-2.1"},{"control-id":"cis-2.2"},{"control-id":"cis-3.3"},{"control-id":"cis-3.5"},{"control-id":"cis-3.10"},{"control-id":"cis-3.11"},{"control-id":"cis-4.1"},{"control-id":"cis-4.8"},{"control-id":"cis-5.2"},{"control-id":"cis-5.4"},{"control-id":"cis-6.5"},{"control-id":"cis-8.2"},{"control-id":"cis-8.3"},{"control-id":"cis-8.5"},{"control-id":"cis-11.2"},{"control-id":"cis-11.5"},{"control-id":"cis-16.7"},{"control-id":"cis-16.10"}]},{"props":[{"ns":"https://cisecurity.org/ns","name":"framework","value":"CIS Controls v7.0"},{"ns":"https://cisecurity.org/ns","name":"resolution-status","value":"synthetic-ids"}],"description":"CIS Controls v7.0 derived from benchmark cc7:controlURI paths. Provide a CIS Controls v7 OSCAL catalog via --cis-catalog-v7 for authoritative control-id resolution.","include-controls":[{"control-id":"cis-2.1"},{"control-id":"cis-4.3"},{"control-id":"cis-4.4"},{"control-id":"cis-4.5"},{"control-id":"cis-5.1"},{"control-id":"cis-6.2"},{"control-id":"cis-6.3"},{"control-id":"cis-6.4"},{"control-id":"cis-10.1"},{"control-id":"cis-10.2"},{"control-id":"cis-10.3"},{"control-id":"cis-14.4"},{"control-id":"cis-14.6"},{"control-id":"cis-14.8"},{"control-id":"cis-18.11"}]}]},"assessment-subjects":[{"type":"component","description":"Target system under assessment.","include-all":{}}],"assessment-assets":{"assessment-platforms":[{"uuid":"081e4a02-df37-52cd-83d6-68a9d5c5249e","title":"CIS Benchmark Assessment Platform","remarks":"Platform used to assess CIS benchmark controls."}]},"tasks":[{"type":"milestone","uuid":"d0578cd6-4d45-5c00-8b4d-e78f08addec8","props":[{"ns":"https://cisecurity.org/ns","name":"cis-section-id","value":"xccdf_org.cisecurity.benchmarks_group_1_Installation_and_Patches"},{"ns":"https://cisecurity.org/ns","name":"cis-section-number","value":"1"}],"title":"1. Installation and Patches","description":"One of the best ways to ensure PostgreSQL security is to implement security updates as they come out, along with any applicable OS patches that will not interfere with system operations. It is additionally prudent to ensure the installed version has not reached end-of-life.","associated-activities":[{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"66010ee5-6768-59ec-8fab-b14bcc389987"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"27c5f401-2479-51b1-976c-e2a23cc5daff"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"edcda71b-f1ab-5983-ad5c-b002d33cd948"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"05eb40b2-ad4e-55f8-bd6d-ed57fbe3a585"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"eaec4db5-f4ba-5679-b00c-0762bc9f8c8c"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"4d374a26-ce2d-57e2-8930-4ebc586b73b6"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"82feb3a2-a079-5019-9175-468feeb6b2ee"}]},{"type":"milestone","uuid":"d219e52d-013a-5256-9a77-bcae8f7edef1","props":[{"ns":"https://cisecurity.org/ns","name":"cis-section-id","value":"xccdf_org.cisecurity.benchmarks_group_2_Directory_and_File_Permissions"},{"ns":"https://cisecurity.org/ns","name":"cis-section-number","value":"2"}],"title":"2. Directory and File Permissions","description":"This section provides guidance on securing all operating system specific objects for PostgreSQL.","associated-activities":[{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"5e308a8d-4259-51eb-bb81-a2f9bdb1916b"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"8926c68a-532a-5b6e-9ffc-5f4d15090b3a"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"1a19face-1e5d-5637-b6fa-fd2e55d4d625"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"de429f18-0b16-55d5-8f10-b05e19c91bf7"}]},{"type":"milestone","uuid":"38c404b0-095c-530d-9851-b7c3969b2a7c","props":[{"ns":"https://cisecurity.org/ns","name":"cis-section-id","value":"xccdf_org.cisecurity.benchmarks_group_3_Logging_And_Auditing"},{"ns":"https://cisecurity.org/ns","name":"cis-section-number","value":"3"}],"title":"3. Logging And Auditing","description":"This section provides guidance with respect to PostgreSQL's auditing and logging behavior.","associated-activities":[{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"2b1083cc-3f01-5efc-8d1c-39bee89fbf14"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"0af723c0-f32a-5ecd-84d7-b41d08e23b60"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"f30a54e7-7ed8-5f7a-a43f-ce74ccdc1753"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"d4879b90-5a78-5677-b92a-2d0f3ce0cac8"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"3d0406a7-86a9-5eff-91dc-134520165c52"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"a2bb933c-d1eb-5fe0-95eb-5149ea4a2614"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"72f20f45-6d14-59fb-b63c-62f1eeb722c8"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"a94c743b-09a4-525a-aa80-07149e56307f"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"4b3b9dc7-903c-5a79-bc9c-4e387bb0730f"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"cbf45017-c589-5335-bea1-38a2b1166e1c"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"031b7993-bfb9-5344-89fb-5d0f2221666b"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"0ea1dbd0-5d1e-53f5-8494-f52375f5c5af"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"840b4d36-6448-5474-9e85-51333516a75b"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"a80d077e-c2b2-59a9-b0b0-5f231c3dbe7c"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"184b48f3-b9e8-57d1-98f9-f9456aac7414"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"eeb9820c-2b2d-55f9-a0ba-a60a4d87c48c"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"c13d33d7-7ed3-5949-8e50-040e2adaa7af"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"680f4a05-b8b9-545e-9858-3e403b51d851"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"3c63d3ac-d27c-5ec1-af61-60e1d20f508e"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"ed52a529-b71d-5eb2-b576-818edf3c7d02"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"d5dbf90d-b024-5e17-88a3-1df4c66520f1"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"aa849004-4818-5444-9e22-7d5b157382ef"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"35fbe7ca-704f-5eba-a9c6-4d1d60a2e3d1"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"e30db314-6334-5cd3-b43f-d608fc05f0c8"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"e4b43023-0c6f-5e02-96b6-28bdb30dbf96"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"704767c1-87de-583c-b9f9-343298cc9f5e"}]},{"type":"milestone","uuid":"565b9873-9445-545c-a2c0-489241d4483b","props":[{"ns":"https://cisecurity.org/ns","name":"cis-section-id","value":"xccdf_org.cisecurity.benchmarks_group_4_User_Access_and_Authorization"},{"ns":"https://cisecurity.org/ns","name":"cis-section-number","value":"4"}],"title":"4. User Access and Authorization","description":"The capability to use database resources at a given level, known as user authorization rules, allows for user manipulation of the various parts of the PostgreSQL database. These authorizations must be structured to block unauthorized use and/or corruption of vital data and services by setting restrictions on user capabilities.","associated-activities":[{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"3614f5e7-e437-5038-9e3d-ed48fe313039"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"2c9fa292-2058-5125-90b1-54677ce419a7"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"8855e208-8b0e-5e5c-9d4e-35042caf7f3a"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"7b40327f-014c-5e87-87c7-18d3a18cf678"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"ed793b05-11fe-507f-9b51-b017b2d89b4e"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"6f5c44a7-119b-564e-894f-009378508eda"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"7873c10a-f589-5d52-85c2-33ee5f8021e6"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"32c8f570-dcc6-5e98-ad4f-039bc0baf998"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"dd998bee-b8dc-52ba-bf6e-0f14fe1b3e72"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"1272fa72-7c02-546c-86c4-a64b2962de02"}]},{"type":"milestone","uuid":"2c3db699-65e6-5679-9a3c-c7696d9c05f9","props":[{"ns":"https://cisecurity.org/ns","name":"cis-section-id","value":"xccdf_org.cisecurity.benchmarks_group_5_Connection_and_Login"},{"ns":"https://cisecurity.org/ns","name":"cis-section-number","value":"5"}],"title":"5. Connection and Login","description":"The restrictions on client/user connections to the PostgreSQL database blocks unauthorized access to data and services by setting access rules. These security measures help to ensure that successful logins cannot be easily made through brute-force password attacks, replaying the password hash, or intuited by clever social engineering exploits.\n\n Settings are generally recommended to be applied to all defined profiles. The following presents standalone examples of logins for particular use cases. The authentication rules are read from the PostgreSQL host-based authentication file, ` pg_hba.conf ` , from top to bottom. The first rule conforming to the condition of the request executes the METHOD and stops further processing of the file . Incorrectly applied rules, as defined by a single line instruction, can substantially alter the intended behavior resulting in either allowing or denying login attempts.\n\n It is strongly recommended that authentication configurations be constructed incrementally with rigid testing for each newly applied rule. Because of the large number of different variations, this benchmark limits itself to a small number of authentication methods that can be successfully applied under most circumstances. Further analysis, using the other authentication methods available in PostgreSQL, is encouraged.","associated-activities":[{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"e1b9fcfd-3fb5-5c56-8f24-49aabce6f027"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"2c54428b-c11e-5938-afcc-179fd5ca1d00"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"60a1ece2-b413-50df-9543-d5e2f0bb49c5"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"87dc5d53-c510-540c-9037-257471e7d1ee"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"97a160dc-e33f-5419-8e84-b82464661650"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"6f928bbc-2d67-56dd-9085-6b9e100483c9"}]},{"type":"milestone","uuid":"58db7f2b-2522-57fb-8df2-e673f578ca66","props":[{"ns":"https://cisecurity.org/ns","name":"cis-section-id","value":"xccdf_org.cisecurity.benchmarks_group_6_PostgreSQL_Settings"},{"ns":"https://cisecurity.org/ns","name":"cis-section-number","value":"6"}],"title":"6. PostgreSQL Settings","description":"As PostgreSQL evolves with each new iteration, configuration parameters are constantly being added, deprecated, or removed. These configuration parameters define not only server function but how well it performs.\n\n Many routine activities, combined with a specific set of configuration parameter values, can sometimes result in degraded performance and, under a specific set of conditions, even comprise the security of the RDBMS. The fact of the matter is that any parameter has the potential to affect the accessibility and performance of a running server.\n\n Rather than describing all the possible combinations of events, this benchmark describes how a parameter can be compromised. Examples reflect the most common, and easiest to understand, exploits. Although by no means exhaustive, it is hoped that you will be able to understand the attack vectors in the context of your environment.","associated-activities":[{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"958bb48f-e56c-5782-9171-e3e502355c4b"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"25e2227a-df64-599a-bafa-9234ca4b3cb0"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"06479a6d-f061-5a1b-910d-c3341ccf6c92"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"7a8c7b10-5343-5a31-823f-805ac1d55b5a"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"dae2aa42-7b02-56d3-abe3-ddf59eb2e6a9"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"a0c7ff91-ef81-5c66-97c0-dfbb346d1fad"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"e72b48ac-094a-5ad5-bf95-bab434332d50"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"0fbf56a8-9b36-523d-90f6-dd8519e0a235"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"3f9f7e1e-c219-52fc-aea9-92e0dbb0c07d"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"c594e686-34a6-57f1-857a-ec23533b25c2"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"8a026e75-8c7d-521a-bbf0-958ce6ffb2e3"}]},{"type":"milestone","uuid":"43a16532-5fe1-536f-8519-f714af7b11f0","props":[{"ns":"https://cisecurity.org/ns","name":"cis-section-id","value":"xccdf_org.cisecurity.benchmarks_group_7_Replication"},{"ns":"https://cisecurity.org/ns","name":"cis-section-number","value":"7"}],"title":"7. Replication","description":"Data redundancy often plays a major role as part of an overall database strategy. Replication is an example of data redundancy and fulfills both High Availability and High Performance requirements. However, although the DBA may have expended much time and effort securing the PRIMARY host and taken the time to harden STANDBY configuration parameters, one sometimes overlooks the medium transmitting the data itself over the network. Consequently, replication is an appealing attack vector given that all DDL, and DML operations executed on the PRIMARY host is sent over the wire to the SECONDARY/STANDBY host(s). Fortunately, when correctly understood, defeating such attacks can be implemented in a straightforward manner. This benchmark reviews those issues surrounding the most common mechanisms of replicating data between hosts. There are several PostgreSQL replication mechanisms and includes:\n\n - Warm Standby (also known as LOG Shipping) Transaction logs are copied from the PRIMARY to SECONDARY host that reads the logs in a \"recovery\" mode. For all intents and purposes the host ingesting the WAL cannot be read i.e. it's off-line. - Hot Standby Operates in the exact same fashion as the Warm Standby Server except that, in addition, it offers a read-only environment for client connections to connect and query. - Point In Time Recovery (PITR) Primarily used for database forensics and recovery at particular points in time such as in the case that important data may have been accidentally removed. One can restore the cluster to a point in time before the event occurred. - Streaming Replication Uses an explicit connection, which in a manner of speaking is similar to the standard client connection, between the PRIMARY and STANDBY host. It too reads the transaction logs and ingests them into a read-only server. What's different is that the connection uses a special replication protocol which is faster and more efficient than log shipping. Similar to standard client connections, it also honors the same authentication rules as expressed in the PostgreSQL host-based authentication file, ` pg_hba.conf ` .","associated-activities":[{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"ed81de84-67c4-563c-8bde-aa44d4bb2612"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"406a1864-662c-512b-94e8-8e153a891e27"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"a260af60-aef7-51af-b717-3c523676f5d7"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"621462a2-f9b7-5fad-ba8f-12990973c494"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"30cb3dd9-7ca1-571f-a446-909ec0d71f93"}]},{"type":"milestone","uuid":"59baff27-7e4f-5e85-b749-1fb531e69aab","props":[{"ns":"https://cisecurity.org/ns","name":"cis-section-id","value":"xccdf_org.cisecurity.benchmarks_group_8_Special_Configuration_Considerations"},{"ns":"https://cisecurity.org/ns","name":"cis-section-number","value":"8"}],"title":"8. Special Configuration Considerations","description":"The recommendations proposed here try to address some of the less common use cases which may warrant additional configuration guidance/consideration.","associated-activities":[{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"634e0444-7b6d-5f7b-b4ce-21d3e69a782d"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"acdc1e67-57ef-5a78-b66c-ed2d90164ee1"},{"subjects":[{"type":"component","description":"Target system component under assessment.","include-all":{}}],"activity-uuid":"bfc49068-7628-5509-8ce1-41997544f617"}]}]}}