diff --git a/package-lock.json b/package-lock.json index 34537a9c..ece734f4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -940,9 +940,9 @@ "integrity": "sha512-1dVNHT76Uu5N3eJNTYcvxee+jzX4Z9lfciqRRHCU27ihbUcYi+iSc2iml5Ke1LXe1SyJCLA0+14Jh4tXJgOppA==" }, "@hapi/hoek": { - "version": "8.5.0", - "resolved": "https://registry.npmjs.org/@hapi/hoek/-/hoek-8.5.0.tgz", - "integrity": "sha512-7XYT10CZfPsH7j9F1Jmg1+d0ezOux2oM2GfArAzLwWe4mE2Dr3hVjsAL6+TFY49RRJlCdJDMw3nJsLFroTc8Kw==" + "version": "8.5.1", + "resolved": "https://registry.npmjs.org/@hapi/hoek/-/hoek-8.5.1.tgz", + "integrity": "sha512-yN7kbciD87WzLGc5539Tn0sApjyiGHAJgKvG9W8C7O+6c7qmoQMfVs0W4bX17eqz6C78QJqqFrtgdK5EWf6Qow==" }, "@hapi/joi": { "version": "15.1.1", @@ -2479,6 +2479,14 @@ "@types/node": "*" } }, + "@types/xml-js": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@types/xml-js/-/xml-js-1.0.0.tgz", + "integrity": "sha1-8FNa6hzBJvs0/A0KJ4ylmZfIme4=", + "requires": { + "xml-js": "*" + } + }, "@types/zen-observable": { "version": "0.8.0", "resolved": "https://registry.npmjs.org/@types/zen-observable/-/zen-observable-0.8.0.tgz", @@ -4416,9 +4424,9 @@ }, "dependencies": { "readable-stream": { - "version": "2.3.6", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.6.tgz", - "integrity": "sha512-tQtKA9WIAhBF3+VLAseyMqZeBjW0AHJoxOtYqSUZNJxauErmLbVm2FW1y+J/YA9dUrAC39ITejlZWhVIwawkKw==", + "version": "2.3.7", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", + "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", "dev": true, "requires": { "core-util-is": "~1.0.0", 
@@ -7067,9 +7075,9 @@ "dev": true }, "d3": { - "version": "5.13.1", - "resolved": "https://registry.npmjs.org/d3/-/d3-5.13.1.tgz", - "integrity": "sha512-wF/2GY0oJeAzKFtH268nn+0rLu0IvP2n0Y+lJ6gZnfhrzSGT+gzF1VY0Bq55I3c2I4Fn2Xb1KH0cP6c7OUaHXg==", + "version": "5.15.0", + "resolved": "https://registry.npmjs.org/d3/-/d3-5.15.0.tgz", + "integrity": "sha512-C+E80SL2nLLtmykZ6klwYj5rPqB5nlfN5LdWEAVdWPppqTD8taoJi2PxLZjPeYT8FFRR2yucXq+kBlOnnvZeLg==", "requires": { "d3-array": "1", "d3-axis": "1", @@ -7115,9 +7123,9 @@ "integrity": "sha512-ejINPfPSNdGFKEOAtnBtdkpr24c4d4jsei6Lg98mxf424ivoDP2956/5HDpIAtmHo85lqT4pruy+zEgvRUBqaQ==" }, "d3-brush": { - "version": "1.1.4", - "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-1.1.4.tgz", - "integrity": "sha512-DRcFXGcVZiJF644i78m/HM8P0U19hWYRFcAnacOVGvpOpzkqGm3H0EAoAH6jwyY/lqfH49d+5vz2TgznP/zlMA==", + "version": "1.1.5", + "resolved": "https://registry.npmjs.org/d3-brush/-/d3-brush-1.1.5.tgz", + "integrity": "sha512-rEaJ5gHlgLxXugWjIkolTA0OyMvw8UWU1imYXy1v642XyyswmI1ybKOv05Ft+ewq+TFmdliD3VuK0pRp1VT/5A==", "requires": { "d3-dispatch": "1", "d3-drag": "1", @@ -7202,9 +7210,9 @@ } }, "d3-format": { - "version": "1.4.2", - "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-1.4.2.tgz", - "integrity": "sha512-gco1Ih54PgMsyIXgttLxEhNy/mXxq8+rLnCb5shQk+P5TsiySrwWU5gpB4zen626J4LIwBxHvDChyA8qDm57ww==" + "version": "1.4.3", + "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-1.4.3.tgz", + "integrity": "sha512-mm/nE2Y9HgGyjP+rKIekeITVgBtX97o1nrvHCWX8F/yBYyevUTvu9vb5pUnKwrcSw7o7GuwMOWjS9gFDs4O+uQ==" }, "d3-geo": { "version": "1.11.9", 
@@ -7220,9 +7228,9 @@ "integrity": "sha512-j8tPxlqh1srJHAtxfvOUwKNYJkQuBFdM1+JAUfq6xqH5eAqf93L7oG1NVqDa4CpFZNvnNKtCYEUC8KY9yEn9lQ==" }, "d3-interpolate": { - "version": "1.3.3", - "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-1.3.3.tgz", - "integrity": "sha512-wTsi4AqnC2raZ3Q9eqFxiZGUf5r6YiEdi23vXjjKSWXFYLCQNUtBVMk6uk2tg4cOY6YrjRdmSmI/Mf0ze1zPzQ==", + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-1.4.0.tgz", + "integrity": "sha512-V9znK0zc3jOPV4VD2zZn0sDhZU3WAE2bmlxdIwwQPPzPjvyLkd8B3JUVdS1IDUFDkWZ72c9qnv1GK2ZagTZ8EA==", "requires": { "d3-color": "1" } @@ -7288,9 +7296,9 @@ "integrity": "sha512-Xh0isrZ5rPYYdqhAVk8VLnMEidhz5aP7htAADH6MfzgmmicPkTo8LhkLxci61/lCB7n7UmE3bN0leRt+qvkLxA==" }, "d3-time-format": { - "version": "2.2.2", - "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-2.2.2.tgz", - "integrity": "sha512-pweL2Ri2wqMY+wlW/wpkl8T3CUzKAha8S9nmiQlMABab8r5MJN0PD1V4YyRNVaKQfeh4Z0+VO70TLw6ESVOYzw==", + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-2.2.3.tgz", + "integrity": "sha512-RAHNnD8+XvC4Zc4d2A56Uw0yJoM7bsvOlJR33bclxq399Rak/b9bhvu/InjxdWhPtkgU53JJcleJTGkNRnN6IA==", "requires": { "d3-time": "1" } @@ -7301,9 +7309,9 @@ "integrity": "sha512-B1JDm0XDaQC+uvo4DT79H0XmBskgS3l6Ve+1SBCfxgmtIb1AVrPIoqd+nPSv+loMX8szQ0sVUhGngL7D5QPiXw==" }, "d3-transition": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/d3-transition/-/d3-transition-1.2.1.tgz", - "integrity": "sha512-0cnceCDDmFEAFu6VRLZ6SO5MR+15znpt/B68A5uInn7y2lcIVbCPZBiDmDw5pMtnSLZoCMvZtjgWc9l1m7/BWg==", + "version": "1.3.2", + "resolved": "https://registry.npmjs.org/d3-transition/-/d3-transition-1.3.2.tgz", + "integrity": "sha512-sc0gRU4PFqZ47lPVHloMn9tlPcv8jxgOQg+0zjhfZXMQuvppjG6YuwdMBE0TuqCZjeJkLecku/l9R0JPcRhaDA==", "requires": { "d3-color": "1", "d3-dispatch": "1", 
@@ -11388,13 +11396,10 @@ "integrity": "sha1-qIwCU1eR8C7TfHahueqXc8gz+MI=" }, "is-finite": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/is-finite/-/is-finite-1.0.2.tgz", - "integrity": "sha1-zGZ3aVYCvlUO8R6LSqYwU0K20Ko=", - "dev": true, - "requires": { - "number-is-nan": "^1.0.0" - } + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/is-finite/-/is-finite-1.1.0.tgz", + "integrity": "sha512-cdyMtqX/BOqqNBBiKlIVkytNHm49MtMlYyn1zxzvJKWmFMlGzm+ry5BBfYyeY9YmNKbRSo/o7OX9w9ale0wg3w==", + "dev": true }, "is-fullwidth-code-point": { "version": "2.0.0", @@ -11666,9 +11671,9 @@ "integrity": "sha1-o/Iiqarp+Wb10nx5ZRDigJF2Qhc=" }, "js-base64": { - "version": "2.5.1", - "resolved": "https://registry.npmjs.org/js-base64/-/js-base64-2.5.1.tgz", - "integrity": "sha512-M7kLczedRMYX4L8Mdh4MzyAMM9O5osx+4FcOQuTvr3A9F2D9S5JXheN0ewNbrvK2UatkTRhL5ejGmGSjNMiZuw==", + "version": "2.5.2", + "resolved": "https://registry.npmjs.org/js-base64/-/js-base64-2.5.2.tgz", + "integrity": "sha512-Vg8czh0Q7sFBSUMWWArX/miJeBWYBPpdU/3M/DKSaekLMqrqVPaedp+5mZhie/r0lgrcaYBfwXatEew6gwgiQQ==", "dev": true }, "js-levenshtein": { @@ -13391,9 +13396,9 @@ } }, "node-sass": { - "version": "4.13.0", - "resolved": "https://registry.npmjs.org/node-sass/-/node-sass-4.13.0.tgz", - "integrity": "sha512-W1XBrvoJ1dy7VsvTAS5q1V45lREbTlZQqFbiHb3R3OTTCma0XBtuG6xZ6Z4506nR4lmHPTqVRwxT6KgtWC97CA==", + "version": "4.13.1", + "resolved": "https://registry.npmjs.org/node-sass/-/node-sass-4.13.1.tgz", + "integrity": "sha512-TTWFx+ZhyDx1Biiez2nB0L3YrCZ/8oHagaDalbuBSlqXgUPsdkUSzJsVxeDO9LtPB49+Fh3WQl3slABo6AotNw==", "dev": true, "requires": { "async-foreach": "^0.1.3", 
@@ -16808,9 +16813,9 @@ }, "dependencies": { "readable-stream": { - "version": "2.3.6", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.6.tgz", - "integrity": "sha512-tQtKA9WIAhBF3+VLAseyMqZeBjW0AHJoxOtYqSUZNJxauErmLbVm2FW1y+J/YA9dUrAC39ITejlZWhVIwawkKw==", + "version": "2.3.7", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz", + "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==", "dev": true, "requires": { "core-util-is": "~1.0.0", @@ -17635,22 +17640,28 @@ } }, "terser-webpack-plugin": { - "version": "1.4.1", - "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-1.4.1.tgz", - "integrity": "sha512-ZXmmfiwtCLfz8WKZyYUuuHf3dMYEjg8NrjHMb0JqHVHVOSkzp3cW2/XG1fP3tRhqEqSzMwzzRQGtAPbs4Cncxg==", + "version": "1.4.3", + "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-1.4.3.tgz", + "integrity": "sha512-QMxecFz/gHQwteWwSo5nTc6UaICqN1bMedC5sMtUc7y3Ha3Q8y6ZO0iCR8pq4RJC8Hjf0FEPEHZqcMB/+DFCrA==", "dev": true, "requires": { "cacache": "^12.0.2", "find-cache-dir": "^2.1.0", "is-wsl": "^1.1.0", "schema-utils": "^1.0.0", - "serialize-javascript": "^1.7.0", + "serialize-javascript": "^2.1.2", "source-map": "^0.6.1", "terser": "^4.1.2", "webpack-sources": "^1.4.0", "worker-farm": "^1.7.0" }, "dependencies": { + "serialize-javascript": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz", + "integrity": "sha512-rs9OggEUF0V4jUSecXazOYsLfu7OGK2qIn3c7IPBiffz32XniEp/TX9Xmc9LQfK2nQ2QKHvZ2oygKUGU0lG4jQ==", + "dev": true + }, "source-map": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", 
@@ -18930,9 +18941,9 @@ "dev": true }, "webpack": { - "version": "4.41.2", - "resolved": "https://registry.npmjs.org/webpack/-/webpack-4.41.2.tgz", - "integrity": "sha512-Zhw69edTGfbz9/8JJoyRQ/pq8FYUoY0diOXqW0T6yhgdhCv6wr0hra5DwwWexNRns2Z2+gsnrNcbe9hbGBgk/A==", + "version": "4.41.6", + "resolved": "https://registry.npmjs.org/webpack/-/webpack-4.41.6.tgz", + "integrity": "sha512-yxXfV0Zv9WMGRD+QexkZzmGIh54bsvEs+9aRWxnN8erLWEOehAKUTeNBoUbA6HPEZPlRo7KDi2ZcNveoZgK9MA==", "dev": true, "requires": { "@webassemblyjs/ast": "1.8.5", @@ -18955,7 +18966,7 @@ "node-libs-browser": "^2.2.1", "schema-utils": "^1.0.0", "tapable": "^1.1.3", - "terser-webpack-plugin": "^1.4.1", + "terser-webpack-plugin": "^1.4.3", "watchpack": "^1.6.0", "webpack-sources": "^1.4.1" } @@ -19376,6 +19387,14 @@ } } }, + "xml-js": { + "version": "1.6.11", + "resolved": "https://registry.npmjs.org/xml-js/-/xml-js-1.6.11.tgz", + "integrity": "sha512-7rVi2KMfwfWFl+GpPg6m80IVMWXLRjO+PxTq7V2CDhoGak0wzYzFgUY2m4XJ47OGdXd8eLE8EmwfAmdjw7lC1g==", + "requires": { + "sax": "^1.2.4" + } + }, "xml-name-validator": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-3.0.0.tgz", diff --git a/package.json b/package.json index 021e65f9..73c4db10 100644 --- a/package.json +++ b/package.json @@ -31,6 +31,7 @@ "@types/d3": "^5.7.2", "@types/diff": "^4.0.2", "@types/prismjs": "^1.16.0", + "@types/xml-js": "^1.0.0", "@vue/cli": "^4.0.5", "apexcharts": "^3.10.1", "aws-sdk": "^2.573.0", @@ -38,7 +39,7 @@ "chroma-js": "^2.1.0", "connect": "^3.7.0", "core-js": "^3.4.1", - "d3": "^5.13.1", + "d3": "^5.15.0", "date-fns": "^2.6.0", "diff": "^4.0.1", "file-saver": "^2.0.2", @@ -67,7 +68,8 @@ "vue-toasted": "^1.1.27", "vuetify": "^2.1.10", "vuex": "^3.1.2", - "xlsx": "^0.15.2" + "xlsx": "^0.15.2", + "xml-js": "^1.6.11" }, "devDependencies": { "@mdi/font": "^3.9.97", 
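Review bot: `@types/xml-js` is added next to the new runtime dependency `xml-js` even though that types package appears to be a stub — xml-js ships its own declarations, and the lockfile entry for the stub only depends back on `xml-js: "*"` — so it is an unneeded supply-chain edge that can be dropped from `devDependencies`-style usage here. The parser itself is only needed because splunk_util.ts reads XML from the job-create and job-status endpoints; Splunk's REST API accepts `output_mode=json` on those calls as well (the results fetch in the same file already uses it), so the dependency could be avoided entirely if that is acceptable. If xml-js stays, a one-line comment in package.json is not possible, so record the reason it is needed in splunk_util.ts instead, e.g. `// xml-js: Splunk job-create/status responses are parsed as XML`.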
@@ -95,7 +97,7 @@ "fibers": "^4.0.2", "lint-staged": "^8.1.5", "material-design-icons-iconfont": "^5.0.1", - "node-sass": "^4.13.0", + "node-sass": "^4.13.1", "prettier": "^1.19.1", "sass": "^1.23.6", "sass-loader": "^7.3.1", diff --git a/src/components/generic/ErrorTooltip.vue b/src/components/generic/ErrorTooltip.vue new file mode 100644 index 00000000..749b0f49 --- /dev/null +++ b/src/components/generic/ErrorTooltip.vue @@ -0,0 +1,50 @@ + + + diff --git a/src/components/generic/ExperimentalTooltip.vue b/src/components/generic/ExperimentalTooltip.vue new file mode 100644 index 00000000..e4c3fee6 --- /dev/null +++ b/src/components/generic/ExperimentalTooltip.vue @@ -0,0 +1,46 @@ + + + diff --git a/src/components/global/UploadNexus.vue b/src/components/global/UploadNexus.vue index 51f8b534..a7452d45 100644 --- a/src/components/global/UploadNexus.vue +++ b/src/components/global/UploadNexus.vue @@ -33,22 +33,11 @@ - + - - -

Coming Soon

-
- -

- Soon Heimdall will be able to consume Heimdall Results Format data - from a Splunk data source making it easy to access your enterprise - security data right from the browsers, any-time and any-where. -

-
-
+
@@ -64,6 +53,7 @@ import Modal from "@/components/global/Modal.vue"; import FileReader from "@/components/global/upload_tabs/FileReader.vue"; import HelpFooter from "@/components/global/upload_tabs/HelpFooter.vue"; import S3Reader from "@/components/global/upload_tabs/aws/S3Reader.vue"; +import SplunkReader from "@/components/global/upload_tabs/splunk/SplunkReader.vue"; import SampleList from "@/components/global/upload_tabs/SampleList.vue"; import { LocalStorageVal } from "../../utilities/helper_util"; @@ -87,6 +77,7 @@ const Props = Vue.extend({ FileReader, HelpFooter, S3Reader, + SplunkReader, SampleList } }) diff --git a/src/components/global/upload_tabs/aws/AuthStepMFA.vue b/src/components/global/upload_tabs/aws/AuthStepMFA.vue index 18ce4b56..323cf8c1 100644 --- a/src/components/global/upload_tabs/aws/AuthStepMFA.vue +++ b/src/components/global/upload_tabs/aws/AuthStepMFA.vue @@ -4,26 +4,28 @@ - - Cancel - Login + + Cancel + @@ -88,5 +90,10 @@ export default class S3Reader extends Props { local_mfa_serial.set(new_value); this.$emit("update:mfa_serial", new_value); } + + /** When button is pressed or enter is pressed */ + proceed() { + this.$emit("exit-mfa"); + } } diff --git a/src/components/global/upload_tabs/aws/FileList.vue b/src/components/global/upload_tabs/aws/FileList.vue index 04f96793..05f3cbac 100644 --- a/src/components/global/upload_tabs/aws/FileList.vue +++ b/src/components/global/upload_tabs/aws/FileList.vue @@ -2,7 +2,11 @@
- + mdi-cloud-download
+ No items found! Try refreshing?No items found! Try different terms? diff --git a/src/components/global/upload_tabs/aws/S3Reader.vue b/src/components/global/upload_tabs/aws/S3Reader.vue index 85afe3e1..afbbffbf 100644 --- a/src/components/global/upload_tabs/aws/S3Reader.vue +++ b/src/components/global/upload_tabs/aws/S3Reader.vue @@ -1,42 +1,44 @@ diff --git a/src/components/global/upload_tabs/splunk/FileList.vue b/src/components/global/upload_tabs/splunk/FileList.vue new file mode 100644 index 00000000..ff4f54f4 --- /dev/null +++ b/src/components/global/upload_tabs/splunk/FileList.vue @@ -0,0 +1,196 @@ + + + diff --git a/src/components/global/upload_tabs/splunk/SplunkReader.vue b/src/components/global/upload_tabs/splunk/SplunkReader.vue new file mode 100644 index 00000000..c2bf225e --- /dev/null +++ b/src/components/global/upload_tabs/splunk/SplunkReader.vue @@ -0,0 +1,174 @@ + + + diff --git a/src/how_to_release.md b/src/how_to_release.md new file mode 100644 index 00000000..8f725254 --- /dev/null +++ b/src/how_to_release.md @@ -0,0 +1,30 @@ +# Releasing + +I'm documenting this here so the bus factor on creaing new versions isn't one. +Obviously, before any of them make well sure that: + +1. The code works as you expect +2. You've scrubbed it for obsceneties or private keys +3. You've incremented the version number in package.json +4. You've done `npm run lint` +5. You've done `npm run build` +6. You've committed, pushed, and merged everything you want. + +Great! You'r ready to start publishing! + +## Publishing to NPM + +1. Run `npm publish` +2. You're done! + +If this seems short, know that most of the work was done in the initial steps. + +## Publishing on github + +1. Go to https://github.com/mitre/heimdall-lite/releases +2. I'm pretty sure you edit the most recently drafted release, and then... ??? +3. Ask Aaron about this one haha I haven't done it! + +## Publishing elsewhere? + +1. I don't think we do, yet. 
diff --git a/src/utilities/async_util.ts b/src/utilities/async_util.ts index 46e0aba7..f84f24be 100644 --- a/src/utilities/async_util.ts +++ b/src/utilities/async_util.ts @@ -30,3 +30,8 @@ export function defined(x: T | null | undefined): T { return x; } } + +/** Sleeps for a given # of milliseconds */ +export function delay(ms: number): Promise { + return new Promise(resolve => setTimeout(resolve, ms)); +} diff --git a/src/utilities/aws_util.ts b/src/utilities/aws_util.ts index 605f1189..650cdae6 100644 --- a/src/utilities/aws_util.ts +++ b/src/utilities/aws_util.ts @@ -72,7 +72,6 @@ export async function list_buckets(creds: AuthCreds) { export interface MFA_Info { SerialNumber: string | null; // If null, use deduced token TokenCode: string; - DurationSeconds: number; } /** Attempts to deduce the virtual mfa device serial code from the provided */ @@ -91,6 +90,7 @@ export function derive_mfa_serial(user_access_token: string): string | null { export async function get_session_token( access_token: string, secret_key: string, + duration: number, mfa_info?: MFA_Info ): Promise { // Instanciate STS with our base and secret token @@ -122,7 +122,7 @@ export async function get_session_token( mfa_info.SerialNumber || info.probable_user_mfa_device!; // We cannot get to this stage if result = sts .getSessionToken({ - DurationSeconds: mfa_info.DurationSeconds, + DurationSeconds: duration, SerialNumber: mfa_info.SerialNumber, TokenCode: mfa_info.TokenCode }) @@ -162,7 +162,7 @@ export function transcribe_error(error: AWSError): string { case "InvalidAccessKeyId": return "Provided access key is invalid."; case "AccessDenied": - return `Access denied: ${message}`; + return `Access denied. This likely means that your account does not have access to the specified bucket, or that it requires MFA authentication.`; case "AccountProblem": return `Account problem detected: ${message}`; case "CredentialsNotSupported": 
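Review bot: The new `duration` argument flows straight into `DurationSeconds` with no bounds check, while STS only accepts GetSessionToken durations of 900–129600 seconds (and caps root-account sessions at 3600), so an out-of-range value from the UI now surfaces as an opaque AWS error instead of a local one. A guard near the top of get_session_token, `if (!Number.isInteger(duration) || duration < 900 || duration > 129600) throw new Error("duration must be 900-129600 seconds");`, plus a JSDoc line `@param duration lifetime of the temporary credentials in seconds` documents the unit callers must pass. Only the MFA branch of the STS call is visible in this hunk; if the non-MFA getSessionToken call elsewhere in the function still omits DurationSeconds it will fall back to the STS default, which is worth aligning with the caller's explicit choice. get_session_token's body begins and ends outside the hunk.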
diff --git a/src/utilities/helper_util.ts b/src/utilities/helper_util.ts index 5765d3bb..31614daa 100644 --- a/src/utilities/helper_util.ts +++ b/src/utilities/helper_util.ts @@ -110,3 +110,55 @@ export class LocalStorageVal { window.localStorage.removeItem(this.storage_key); } } + +/** A useful shorthand */ +export type Hash = { [key: string]: T }; + +/** Groups items by using the provided key function */ +export function group_by( + items: Array, + key_getter: (v: T) => string +): Hash> { + let result: Hash> = {}; + for (let i of items) { + // Get the items key + let key = key_getter(i); + + // Get the list it should go in + let corr_list = result[key]; + if (corr_list) { + // If list exists, place + corr_list.push(i); + } else { + // List does not exist; create and put + result[key] = [i]; + } + } + return result; +} + +/** Maps a hash to a new hash, with the same keys but each value replaced with a new (mapped) value */ +export function map_hash( + old: Hash, + map_function: (v: T) => G +): Hash { + let result: Hash = {}; + for (let key in old) { + result[key] = map_function(old[key]); + } + return result; +} + +/** Converts a simple, single level json dict into uri params */ +export function to_uri_params(params: Hash) { + let esc = encodeURIComponent; + let query = Object.keys(params) + .map(k => esc(k) + "=" + esc(params[k])) + .join("&"); + return query; +} + +/** Generate a basic authentication string for http requests */ +export function basic_auth(username: string, password: string): string { + return "Basic " + Buffer.from(`${username}:${password}`).toString("base64"); +} diff --git a/src/utilities/splunk_util.ts b/src/utilities/splunk_util.ts new file mode 100644 index 00000000..0a600f73 --- /dev/null +++ b/src/utilities/splunk_util.ts 
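Review bot: `group_by` and `map_hash` accumulate into a plain `{}` keyed by caller-supplied strings, and the Splunk consumer feeds them `meta.guid`, `meta.subtype` and `meta.profile_sha256` taken from ingested events, so a key of `constructor` or `__proto__` hits an inherited property: `result["constructor"]` is truthy, the existing-list branch then calls `.push` on `Object.prototype.constructor` and throws, and `result["__proto__"] = [i]` rewires the object's prototype instead of storing a bucket. Initialising with `let result: Hash<Array<T>> = Object.create(null);` in both functions (or switching to a `Map`) removes the inherited lookups; `Object.values` and `for...in` behave the same on a null-prototype object. `basic_auth` also relies on the global `Buffer`, which in this browser bundle appears to exist only through webpack 4's node polyfills (node-libs-browser is in the lockfile); a comment such as `// Buffer comes from webpack's node polyfill; use TextEncoder + btoa if that shim is dropped` would keep a bundler upgrade from silently breaking Splunk login.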
@@ -0,0 +1,448 @@ +import { xml2js, ElementCompact } from "xml-js"; +import { delay } from "./async_util"; +import { parse } from "inspecjs"; +import { Hash, group_by, map_hash, basic_auth } from "./helper_util"; +import { schemas_1_0 } from "inspecjs"; + +// env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; + +export type JobID = string; + +// Interfaces +/** The parent type to other interfaces, to save duplication */ +interface AbsMetaInfo { + /** The file this came from */ + filename: string; + + /** The type of the file (NOT of this event!) */ + filetype: "evaluation" | "profile"; + + /** The subtype of this specific event */ + subtype: "header" | "profile" | "control"; + + /** A randomly generated GUID capturing all of the events in this file */ + guid: string; + + /** When this event was parsed */ + parse_time: string; + + /** The schema version: */ + hdf_splunk_schema: string; + + /** The sha256 hash of the profile that is/contains this event */ + profile_sha256: string; + + /** The start time of the control in ISO format */ + start_time: string; + + /** The control ID, repeated for convenience in splunk searches */ + control_id: string; +} + +/** The meta information for an event with the "evaluation" subtype */ +export interface ExecutionMetaInfo + extends Omit { + subtype: "header"; +} + +/** The meta information for an event with the "profile" subtype */ +export interface ProfileMetaInfo + extends Omit { + subtype: "profile"; +} + +/** The meta information for an event with the "control" subtype */ +export interface ControlMetaInfo extends AbsMetaInfo { + subtype: "control"; +} + +/** This is what we expect to find in every parsed event representing an Evaluation + * Note that Profiles will typically be initially empty + */ +export interface ExecutionPayload { + meta: ExecutionMetaInfo; + profiles: ProfilePayload[]; + [x: string]: any; +} + +/** This is what we expect to find in every parsed event representing a Profile. 
+ * Note that controls will typically be initially empty + */ +export interface ProfilePayload { + meta: ProfileMetaInfo; + controls: ControlPayload[]; + [x: string]: any; +} + +/** This is what we expect to find in every parsed event representing a Control */ +export interface ControlPayload { + meta: ControlMetaInfo; + [x: string]: any; +} + +// Could be any! +export type UnknownPayload = ExecutionPayload | ProfilePayload | ControlPayload; + +/* Job states */ +type CompleteJobStatus = "succeeded" | "failed"; +type PendingJobStatus = "pending"; // There are others, but we don't handle them for now +type JobStatus = CompleteJobStatus | PendingJobStatus; +interface JobState { + status: JobStatus; + job_id: JobID; +} + +/** This info is used to negotiate splunk connections */ +export class SplunkEndpoint { + /** The full host information, including port (typically 8089). + * EX: https://localhost:8089 + */ + host: string; + + /** Username to use for authentication */ + username: string; + + /** Password to use for authentication */ + password: string; + + constructor(host: string, username: string, password: string) { + this.host = host; + this.username = username; + this.password = password; + } + + /** Checks whether we're able to successfully get jobs, + * which indicates proper auth. + * + * Will error if we aren't + */ + async check_auth(): Promise { + return fetch(`${this.host}/services/search/jobs`, { + headers: { + Authorization: this.auth_string + }, + method: "GET" + }).then( + response => { + if (!response.ok) { + throw process_error(response); + } + }, + failure => { + throw process_error(failure); + } + ); + } + + /** Provides a list of Evaluation meta headers from recent executions. 
+ * We should eventually change this to allow more specific criteria + */ + async fetch_execution_list(): Promise { + // This search lists evaluation headers + let get_executions_search = + 'spath "meta.subtype" | search "meta.subtype"=header'; + + return this.hdf_event_search(get_executions_search).then(events => { + // Because we only searched for headers, we can assume these to be eval events + let eval_events = events as ExecutionPayload[]; + + // Could perhaps just return e but I'd rather people didn't screw themselves + return eval_events.map(e => e.meta); + }); + } + + async get_execution_events( + execution_guid: string + ): Promise { + // This search, provided a guid, returns all headers for that guid + let specific_evaluation = `spath "meta.guid" | search "meta.guid"=${execution_guid}`; + return this.hdf_event_search(specific_evaluation); + } + + async get_execution( + execution_guid: string + ): Promise { + return this.get_execution_events(execution_guid) + .then(events => consolidate_payloads(events)) + .then(execs => { + if (execs.length != 1) { + throw SplunkErrorCode.InvalidGUID; + } else { + return execs[0]; + } + }) + .then(full_event => { + // This is dumb and we should make the inspecjs layer more accepting of many file types + let result: parse.ConversionResult; + try { + result = parse.convertFile(JSON.stringify(full_event)); + } catch (e) { + throw SplunkErrorCode.SchemaViolation; + } + + // Determine what sort of file we (hopefully) have, then add it + if (result["1_0_ExecJson"]) { + // Handle as exec + let execution = result["1_0_ExecJson"]; + return execution; + } else { + throw SplunkErrorCode.SchemaViolation; + } + }); + } + + /** Creates a proper base64 encoded auth string, using this objects credentials. */ + private get auth_string(): string { + let auth_string = basic_auth(this.username, this.password); + return auth_string; + } + + /** Performs the entire process of search string -> results array + * Performs no consolidation. 
+ * Assumes your search string is properly constrained to the hdf index + */ + async hdf_event_search(search_string: string): Promise { + return this.create_search(search_string) + .then(job_id => this.pend_job(job_id, 500)) + .then(job_state => { + if (job_state.status === "failed") { + throw SplunkErrorCode.SearchFailed; + } + + return this.get_search_results(job_state.job_id); + }) + .catch(error => { + throw process_error(error); + }); + } + + /** Returns the job id */ + private async create_search(search_string: string): Promise { + return fetch(`${this.host}/services/search/jobs`, { + method: "POST", + headers: new Headers({ + Authorization: this.auth_string + }), + body: `search=search index="hdf" | ${search_string}` + }) + .then(response => { + if (!response.ok) throw process_error(response); + return response.text(); + }) + .then(text => { + // Parse the xml + let xml = xml2js(text, { + compact: true + }) as ElementCompact; + return xml.response.sid._text as string; + }); + } + + /** Returns the current state of the job */ + private async check_job(job_id: JobID): Promise { + return fetch(`${this.host}/services/search/jobs/${job_id}`, { + method: "GET", + headers: new Headers({ + Authorization: this.auth_string + }) + }) + .then(response => { + if (!response.ok) throw process_error(response); + return response.text(); + }) + .then(text => { + // Parse the xml + let xml = xml2js(text, { + compact: true + }) as ElementCompact; + + // Get the keys, and find the one with name "dispatchState" + let keys = xml.entry.content["s:dict"]["s:key"]; + let state: string | undefined; + for (let k of keys) { + if (k._attributes.name === "dispatchState") { + state = k._text; + } + } + + // Check we found state + if (!state) { + // It probably failed if we can't find it lol + state = "FAILED"; + } + + // Decide result based on state + let status: JobStatus; + if (state == "DONE") { + status = "succeeded"; + } else if (state == "FAILED") { + status = "failed"; + } else { + 
status = "pending"; + } + + // Construct the state + return { + status, + job_id + }; + }); + } + + /** Continually checks the job until resolution */ + private async pend_job(job_id: JobID, interval: number): Promise { + /* eslint-disable */ + while (true) { + /* eslint-enable */ + let state = await this.check_job(job_id); + if (state.status === "pending") { + await delay(interval); + continue; + } else { + return state; + } + } + } + + /** Gets the search results for a given job id, if it is done */ + private async get_search_results(job_id: JobID): Promise { + return fetch( + `${this.host}/services/search/jobs/${job_id}/results/?output_mode=json&count=0`, + { + headers: { + Authorization: this.auth_string + }, + method: "GET" + } + ) + .then(response => { + if (!response.ok) throw process_error(response); + return response.json(); + }) + .then(data => { + // We basically can't, and really shouldn't, do typescript here. Output is 50% guaranteed to be wonk + // Get all the raws + let raws: Array = data["results"].map( + (datum: any) => datum._raw + ); + + // Parse to json, and freeze + let parsed = [] as UnknownPayload[]; + for (let v of raws) { + try { + parsed.push(JSON.parse(v) as UnknownPayload); + } catch (err) { + console.warn(err); + } + } + + return parsed; + }); + } +} + +/** Given: A list of all payloads from a search, + * Produce: A list of Evaluation payloads containing all data properly reconstructed, recursively, into a "normal" + * HDF heirarchy. 
+ * + * TODO: Provide a mechanism for also returning orphaned items + */ +export function consolidate_payloads( + payloads: UnknownPayload[] +): ExecutionPayload[] { + // Group by exec id + let grouped = group_by(payloads, pl => pl.meta.guid); + + let built = map_hash(grouped, consolidate_file_payloads); + + return Object.values(built); +} + +/** Given: A list of all payloads from a search with the same GUID + * Produce: A single EvaluationPayload containing all of these payloads reconstructed into the expected HDF heirarchy + */ +function consolidate_file_payloads( + file_payloads: UnknownPayload[] +): ExecutionPayload { + // In the end we wish to produce a single evaluation EventPayload which in fact contains all data for the guid + // Group by subtype + let subtypes = group_by(file_payloads, event => event.meta.subtype); + let exec_events = (subtypes["header"] || []) as ExecutionPayload[]; + let profile_events = (subtypes["profile"] || []) as ProfilePayload[]; + let control_events = (subtypes["control"] || []) as ControlPayload[]; + + // Verify we only have one exec event + if (exec_events.length !== 1) { + throw new Error( + `Incorrect # of Evaluation events. 
Expected 1, got ${exec_events.length}` + ); + } + + // Pull it out + let exec = exec_events[0]; + + // Put all the profiles into the exec + exec.profiles.push(...profile_events); + + // Group controls, and then put them into the profiles + let sha_grouped_controls = group_by( + control_events, + ctrl => ctrl.meta.profile_sha256 + ); + for (let profile of profile_events) { + // Get the corresponding controls, and put them into the profile + let sha = profile.meta.profile_sha256; + let corr_controls = sha_grouped_controls[sha] || []; + profile.controls.push(...corr_controls); + } + + // Spit it back out + return exec; +} + +export enum SplunkErrorCode { + BadNetwork, // Server could not be reached, either due to bad address or bad CORS + BadUrl, // URL poorly formed + PageNotFound, // Server gave error 404 + BadAuth, // Authorization credentials are no good + SearchFailed, // For whatever reason, the splunk search failed + ConsolidationFailed, // Something went wrong during event consolidation phase + SchemaViolation, // The data we got out isn't valid HDF. Hope to not see this too often + InvalidGUID, // If the provided GUID did not match to exactly one header + UnknownError // No clue! 
+} + +/** Converts Responses and Errorcodes into purely just errorcodes */ +export function process_error( + r: Response | SplunkErrorCode | TypeError +): SplunkErrorCode { + console.warn("Got error in splunk operations"); + console.warn(r); + if (r instanceof TypeError) { + console.warn("Typeerror"); + if (r.message.includes("NetworkError")) { + return SplunkErrorCode.BadNetwork; + } else if (r.message.includes("not a valid URL")) { + return SplunkErrorCode.BadUrl; + } + } else if (r instanceof Response) { + console.warn("Bad Response"); + // Based on the network code, guess + let response = r as Response; + switch (response.status) { + case 401: // Bad username/password + return SplunkErrorCode.BadAuth; + case 404: // URL got borked + return SplunkErrorCode.PageNotFound; + default: + console.log("Unsure how to handle error " + response.status); + return SplunkErrorCode.UnknownError; + } + } else if (typeof r === typeof SplunkErrorCode.UnknownError) { + // It's already an error code - pass along + console.warn("SplunkErrorCode"); + return r; + } + // idk lol + return SplunkErrorCode.UnknownError; +} diff --git a/tests/hdf_data/raw_data/cms_postgres_overlay_sample.json b/tests/hdf_data/raw_data/cms_postgres_overlay_sample.json deleted file mode 100644 index 6caac192..00000000 --- a/tests/hdf_data/raw_data/cms_postgres_overlay_sample.json +++ /dev/null 
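Review bot: `get_execution_events` splices `execution_guid` unquoted into the SPL string `` `spath "meta.guid" | search "meta.guid"=${execution_guid}` ``, and that guid is handed back by `fetch_execution_list` from the `meta.guid` fields of whatever was ingested into the hdf index, so a crafted event can close the clause and append its own pipeline (`| outputlookup`, a search over other indexes, and so on) that then runs under the user's Splunk credentials. Validate before interpolating, e.g. `if (!/^[A-Za-z0-9-]+$/.test(execution_guid)) throw SplunkErrorCode.InvalidGUID;`, and wrap the value in double quotes in the search string. Relatedly, `create_search` posts `` `search=search index="hdf" | ${search_string}` `` as a raw string body with no form encoding and no `Content-Type`, so `&`, `+` or `%` inside a search can be decoded as parameter separators; building the body with `new URLSearchParams({ search: ... }).toString()` (or the file's `to_uri_params` helper) and setting `Content-Type: application/x-www-form-urlencoded` fixes that. The commented-out `env.NODE_TLS_REJECT_UNAUTHORIZED = "0"` line should be deleted rather than left as a one-keystroke way to disable certificate validation, and `pend_job` has no deadline, so a job that stays `PAUSED` or `QUEUED` is polled every 500 ms forever.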
@@ -1 +0,0 @@ -{"platform":{"name":"amazon","release":"2"},"profiles":[{"name":"cms-ars-3.1-crunchy-data-postgresql-9-stig-overlay","version":"0.1.0","sha256":"d0853696af6fc21a9d11941754d7593adccefe5c738f281356f14955a0ad4921","title":".","maintainer":"CMS InSpec Dev team","summary":".","license":"Apache-2.0","copyright":".","supports":[],"attributes":[],"depends":[{"name":"pgstigcheck-inspec","url":"https://github.com/mitre/aws-rds-crunchy-data-postgresql-9-stig-baseline","status":"loaded"}],"groups":[{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72841.rb","controls":["V-72841"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72845.rb","controls":["V-72845"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72849.rb","controls":["V-72849"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72851.rb","controls":["V-72851"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72857.rb","controls":["V-72857"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72859.rb","controls":["V-72859"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72861.rb","controls":["V-72861"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72863.rb","controls":["V-72863"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72865.rb","controls":["V-72865"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72867.rb","controls":["V-72867"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72869.rb","controls":["V-72869"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72871.rb","controls":["V-72871"]},{"id":"/home/ec2-user/.inspec
/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72873.rb","controls":["V-72873"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72875.rb","controls":["V-72875"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72877.rb","controls":["V-72877"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72883.rb","controls":["V-72883"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72887.rb","controls":["V-72887"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72891.rb","controls":["V-72891"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72893.rb","controls":["V-72893"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72895.rb","controls":["V-72895"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72897.rb","controls":["V-72897"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72899.rb","controls":["V-72899"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb","controls":["V-72901"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72903.rb","controls":["V-72903"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72905.rb","controls":["V-72905"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72909.rb","controls":["V-72909"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72911.rb","controls":["V-72911"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72917.rb","controls":["V-72917"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/
controls/V-72919.rb","controls":["V-72919"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72931.rb","controls":["V-72931"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72949.rb","controls":["V-72949"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72953.rb","controls":["V-72953"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72955.rb","controls":["V-72955"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72957.rb","controls":["V-72957"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72959.rb","controls":["V-72959"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72961.rb","controls":["V-72961"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72963.rb","controls":["V-72963"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72965.rb","controls":["V-72965"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72971.rb","controls":["V-72971"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72973.rb","controls":["V-72973"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72979.rb","controls":["V-72979"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72981.rb","controls":["V-72981"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72983.rb","controls":["V-72983"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72987.rb","controls":["V-72987"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72989.rb","controls":["V-72989"]},{"i
d":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72991.rb","controls":["V-72991"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72993.rb","controls":["V-72993"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72995.rb","controls":["V-72995"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72999.rb","controls":["V-72999"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73001.rb","controls":["V-73001"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73003.rb","controls":["V-73003"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73005.rb","controls":["V-73005"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73011.rb","controls":["V-73011"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73013.rb","controls":["V-73013"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73015.rb","controls":["V-73015"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73017.rb","controls":["V-73017"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73019.rb","controls":["V-73019"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73021.rb","controls":["V-73021"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73023.rb","controls":["V-73023"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73025.rb","controls":["V-73025"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73027.rb","controls":["V-73027"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240
490c08879e504472ff3102500/controls/V-73029.rb","controls":["V-73029"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73031.rb","controls":["V-73031"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73033.rb","controls":["V-73033"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73035.rb","controls":["V-73035"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73037.rb","controls":["V-73037"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73041.rb","controls":["V-73041"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73045.rb","controls":["V-73045"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73047.rb","controls":["V-73047"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73049.rb","controls":["V-73049"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73051.rb","controls":["V-73051"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73055.rb","controls":["V-73055"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73057.rb","controls":["V-73057"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73061.rb","controls":["V-73061"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73063.rb","controls":["V-73063"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73065.rb","controls":["V-73065"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73067.rb","controls":["V-73067"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73069.rb","
controls":["V-73069"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73071.rb","controls":["V-73071"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73123.rb","controls":["V-73123"]}],"controls":[{"id":"V-72841","title":"PostgreSQL must be configured to prohibit or restrict the use of\n organization-defined functions, ports, protocols, and/or services, as\n defined in the PPSM CAL and vulnerability assessments.","desc":"In order to prevent unauthorized connection of devices, unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, 
unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000142-DB-000094","gid":"V-72841","rid":"SV-87493r1_rule","stig_id":"PGS9-00-000100","cci":["CCI-000382","CCI-001762"],"nist":["CM-7 b","CM-7 (1) (b)","Rev_4"],"check":"As the database administrator, run the following SQL:\n\n $ psql -c \"SHOW port\"\n\n If the currently defined port configuration is deemed prohibited, this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To change the listening port of the database, as the database administrator,\n change the following setting in postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n\n Change the port parameter to the desired port.\n\n Next, restart the database:\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ service postgresql-9.5 restart\n\n Note: psql uses the default port 5432 by default. This can be changed by\n specifying the port with psql or by setting the PGPORT environment variable:\n\n $ psql -p 5432 -c \"SHOW port\"\n $ export PGPORT=5432"},"code":"control \"V-72841\" do\n title \"PostgreSQL must be configured to prohibit or restrict the use of\n organization-defined functions, ports, protocols, and/or services, as\n defined in the PPSM CAL and vulnerability assessments.\"\n desc \"In order to prevent unauthorized connection of devices, unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. 
Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system.\"\n impact 0.5\n \n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000142-DB-000094\"\n tag \"gid\": \"V-72841\"\n tag \"rid\": \"SV-87493r1_rule\"\n tag \"stig_id\": \"PGS9-00-000100\"\n tag \"cci\": [\"CCI-000382\",\"CCI-001762\"]\n tag \"nist\": [\"CM-7 b\", \"CM-7 (1) (b)\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, run the following SQL:\n\n $ psql -c \\\"SHOW port\\\"\n\n If the currently defined port configuration is deemed prohibited, this is a\n finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To change the listening port of the database, as the database administrator,\n change the following setting in postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n\n Change the port parameter to the desired port.\n\n Next, restart the database:\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ service postgresql-9.5 restart\n\n Note: psql uses the default port 5432 by default. This can be changed by\n specifying the port with psql or by setting the PGPORT environment variable:\n\n $ psql -p 5432 -c \\\"SHOW port\\\"\n $ export PGPORT=5432\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW port;', [PG_DB]) do\n its('output') { should eq PG_PORT }\n end\n\n describe port(PG_PORT) do\n it { should be_listening }\n its('processes') { should include 'postgres' }\n end\nend\n","source_location":{"line":48,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72841.rb"},"results":[]},{"id":"V-72845","title":"Security-relevant software updates to PostgreSQL must be installed\n within the time period directed by an authoritative source (e.g., IAVM, CTOs,\n DTMs, and STIGs).","desc":"Security flaws with software applications, including database\n management systems, are discovered daily. Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. 
Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs).","descriptions":[{"label":"default","data":"Security flaws with software applications, including database\n management systems, are discovered daily. Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. 
Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. 
The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs)."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000456-DB-000390","gid":"V-72845","rid":"SV-87497r1_rule","stig_id":"PGS9-00-000300","cci":["CCI-002605"],"nist":["SI-2 c","Rev_4"],"check":"If new packages are available for PostgreSQL, they can be\n reviewed in the package manager appropriate for the server operating system:\n To list the version of installed PostgreSQL using psql:\n $ sudo su - postgres\n $ psql -–version\n To list the current version of software for RPM:\n $ rpm -qa | grep postgres\n To list the current version of software for APT:\n $ apt-cache policy postgres\n All versions of PostgreSQL will be listed on:\n http://www.postgresql.org/support/versioning/\n All security-relevant software updates for PostgreSQL will be listed on:\n http://www.postgresql.org/support/security/\n If PostgreSQL is not at the latest version, this is a finding.\n If PostgreSQL is not at the latest version and the evaluated version has CVEs\n (IAVAs), then this is a CAT I finding.","fix":"Institute and adhere to policies and procedures to ensure that\n patches are consistently applied to PostgreSQL within the time allowed."},"code":" control \"V-72845\" do\n title \"Security-relevant software updates to PostgreSQL must be installed\n within the time period directed by an authoritative source (e.g., IAVM, CTOs,\n DTMs, and STIGs).\"\n desc \"Security flaws with software applications, including database\n management systems, are discovered daily. Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). 
Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. 
The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs).\"\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000456-DB-000390\"\n tag \"gid\": \"V-72845\"\n tag \"rid\": \"SV-87497r1_rule\"\n tag \"stig_id\": \"PGS9-00-000300\"\n tag \"cci\": [\"CCI-002605\"]\n tag \"nist\": [\"SI-2 c\", \"Rev_4\"]\n\n tag \"check\": \"If new packages are available for PostgreSQL, they can be\n reviewed in the package manager appropriate for the server operating system:\n To list the version of installed PostgreSQL using psql:\n $ sudo su - postgres\n $ psql -–version\n To list the current version of software for RPM:\n $ rpm -qa | grep postgres\n To list the current version of software for APT:\n $ apt-cache policy postgres\n All versions of PostgreSQL will be listed on:\n http://www.postgresql.org/support/versioning/\n All security-relevant software updates for PostgreSQL will be listed on:\n http://www.postgresql.org/support/security/\n If PostgreSQL is not at the latest version, this is a finding.\n If PostgreSQL is not at the latest version and the evaluated version has CVEs\n (IAVAs), then this is a CAT I finding.\"\n\n tag \"fix\": \"Institute and adhere to policies and procedures to ensure that\n patches are consistently applied to PostgreSQL within the time allowed.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72845.rb"},"results":[]},{"id":"V-72849","title":"PostgreSQL must integrate with an organization-level\n authentication/access mechanism providing account management and automation\n for all users, groups, roles, and any other principals.","desc":"Enterprise environments make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. 
Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements.","descriptions":[{"label":"default","data":"Enterprise environments make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. 
A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000023-DB-000001","gid":"V-72849","rid":"SV-87501r1_rule","stig_id":"PGS9-00-000500","cci":["CCI-000015"],"nist":["AC-2 (1)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. If all accounts are authenticated by the organization-level\n authentication/access mechanism, such as LDAP or Kerberos and not by\n PostgreSQL, this is not a finding. 
As the database administrator (shown here\n as \"postgres\"), review pg_hba.conf authentication file settings:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n All records must use an auth-method of gss, sspi, or ldap. For details on the\n specifics of these authentication methods see:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n If there are any records with a different auth-method than gss, sspi, or ldap,\n review the system documentation for justification and approval of these records.\n If there are any records with a different auth-method than gss, sspi, or ldap,\n that are not documented and approved, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. Integrate PostgreSQL security with an organization-level\n authentication/access mechanism providing account management for all users,\n groups, roles, and any other principals. As the database administrator (shown\n here as \"postgres\"), edit pg_hba.conf authentication file:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n\n For each PostgreSQL-managed account that is not documented and approved,\n either transfer it to management by the external mechanism, or document the\n need for it and obtain approval, as appropriate."},"code":"control \"V-72849\" do\n title \"PostgreSQL must integrate with an organization-level\n authentication/access mechanism providing account management and automation\n for all users, groups, roles, and any other principals.\"\n desc \"Enterprise environments make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. 
A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000023-DB-000001\"\n tag \"gid\": \"V-72849\"\n tag \"rid\": \"SV-87501r1_rule\"\n tag \"stig_id\": \"PGS9-00-000500\"\n tag \"cci\": [\"CCI-000015\"]\n tag \"nist\": [\"AC-2 (1)\", \"Rev_4\"]\n\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. If all accounts are authenticated by the organization-level\n authentication/access mechanism, such as LDAP or Kerberos and not by\n PostgreSQL, this is not a finding. 
As the database administrator (shown here\n as \\\"postgres\\\"), review pg_hba.conf authentication file settings:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n All records must use an auth-method of gss, sspi, or ldap. For details on the\n specifics of these authentication methods see:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n If there are any records with a different auth-method than gss, sspi, or ldap,\n review the system documentation for justification and approval of these records.\n If there are any records with a different auth-method than gss, sspi, or ldap,\n that are not documented and approved, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. Integrate PostgreSQL security with an organization-level\n authentication/access mechanism providing account management for all users,\n groups, roles, and any other principals. As the database administrator (shown\n here as \\\"postgres\\\"), edit pg_hba.conf authentication file:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n\n For each PostgreSQL-managed account that is not documented and approved,\n either transfer it to management by the external mechanism, or document the\n need for it and obtain approval, as appropriate.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72849.rb"},"results":[]},{"id":"V-72851","title":"PostgreSQL must provide non-privileged users with error messages that\n provide information necessary for corrective actions without revealing\n information that could be exploited by adversaries.","desc":"Any PostgreSQL or associated application providing too much information\n in error messages on the screen or printout risks compromising the data\n and security of the system. 
The structure and content of error messages\n need to be carefully considered by the organization and development team.\n\n Databases can inadvertently provide a wealth of information to an\n attacker through improperly handled error messages. In addition to\n sensitive business or personal information, database errors can provide\n host names, IP addresses, user names, and other system information not\n required for troubleshooting but very useful to someone targeting the\n system.\n\n Carefully consider the structure/content of error messages. The extent\n to which information systems are able to identify and handle error\n conditions is guided by organizational policy and operational\n requirements. Information that could be exploited by adversaries\n includes, for example, logon attempts with passwords entered by mistake\n as the username, mission/business information that can be derived from\n (if not stated explicitly by) information recorded, and personal\n information, such as account numbers, social security numbers, and\n credit card numbers.","descriptions":[{"label":"default","data":"Any PostgreSQL or associated application providing too much information\n in error messages on the screen or printout risks compromising the data\n and security of the system. The structure and content of error messages\n need to be carefully considered by the organization and development team.\n\n Databases can inadvertently provide a wealth of information to an\n attacker through improperly handled error messages. In addition to\n sensitive business or personal information, database errors can provide\n host names, IP addresses, user names, and other system information not\n required for troubleshooting but very useful to someone targeting the\n system.\n\n Carefully consider the structure/content of error messages. 
The extent\n to which information systems are able to identify and handle error\n conditions is guided by organizational policy and operational\n requirements. Information that could be exploited by adversaries\n includes, for example, logon attempts with passwords entered by mistake\n as the username, mission/business information that can be derived from\n (if not stated explicitly by) information recorded, and personal\n information, such as account numbers, social security numbers, and\n credit card numbers."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000266-DB-000162","gid":"V-72851","rid":"SV-87503r1_rule","stig_id":"PGS9-00-000600","cci":["CCI-001312"],"nist":["SI-11 a","Rev_4"],"check":"As the database administrator, run the following SQL:\n\n SELECT current_setting('client_min_messages');\n\n If client_min_messages is *not* set to error, this is a finding.","fix":"As the database administrator, edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n Change the client_min_messages parameter to be error:\n client_min_messages = 'error'\n\n Now reload the server with the new configuration (this just reloads settings\n currently in memory, will not cause an interruption):\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ service postgresql-9.5 reload "},"code":"control \"V-72851\" do\n title \"PostgreSQL must provide non-privileged users with error messages that\n provide information necessary for corrective actions without revealing\n information that could be exploited by adversaries.\"\n desc \"Any PostgreSQL or associated application providing too much information\n in error messages on the screen or printout risks compromising the data\n and security of the system. 
The structure and content of error messages\n need to be carefully considered by the organization and development team.\n\n Databases can inadvertently provide a wealth of information to an\n attacker through improperly handled error messages. In addition to\n sensitive business or personal information, database errors can provide\n host names, IP addresses, user names, and other system information not\n required for troubleshooting but very useful to someone targeting the\n system.\n\n Carefully consider the structure/content of error messages. The extent\n to which information systems are able to identify and handle error\n conditions is guided by organizational policy and operational\n requirements. Information that could be exploited by adversaries\n includes, for example, logon attempts with passwords entered by mistake\n as the username, mission/business information that can be derived from\n (if not stated explicitly by) information recorded, and personal\n information, such as account numbers, social security numbers, and\n credit card numbers.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000266-DB-000162\"\n tag \"gid\": \"V-72851\"\n tag \"rid\": \"SV-87503r1_rule\"\n tag \"stig_id\": \"PGS9-00-000600\"\n tag \"cci\": [\"CCI-001312\"]\n tag \"nist\": [\"SI-11 a\", \"Rev_4\"]\n tag \"check\": \"As the database administrator, run the following SQL:\n\n SELECT current_setting('client_min_messages');\n\n If client_min_messages is *not* set to error, this is a finding.\"\n\n tag \"fix\": \"As the database administrator, edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n Change the client_min_messages parameter to be error:\n client_min_messages = 'error'\n\n Now reload the server with the new configuration (this just reloads settings\n currently in memory, will not cause an interruption):\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ 
service postgresql-9.5 reload \"\n\n default = postgres_conf(PG_CONF_FILE)\n override = postgres_conf(PG_USER_DEFINED_CONF)\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW client_min_messages;', [PG_DB]) do\n its('output') { should match /^error$/i }\n end\n\n cmm_conf = override.client_min_messages ? override : default\n describe cmm_conf do\n its('client_min_messages') { should match /^error$/i }\n end\nend\n","source_location":{"line":57,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72851.rb"},"results":[]},{"id":"V-72857","title":"If passwords are used for authentication, PostgreSQL must transmit only\n encrypted representations of passwords.","desc":"The CMS standard for authentication is CMS-approved \n PKI certificates.\n\n Authentication based on User ID and Password may be \n used only when it is not possible to employ a PKI \n certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all \n times, and encryption is the standard method for \n protecting passwords during transmission.\n\n PostgreSQL passwords sent in clear text format across \n the network are vulnerable to discovery by unauthorized \n users. Disclosure of passwords may easily lead to \n unauthorized access to the database.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved \n PKI certificates.\n\n Authentication based on User ID and Password may be \n used only when it is not possible to employ a PKI \n certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all \n times, and encryption is the standard method for \n protecting passwords during transmission.\n\n PostgreSQL passwords sent in clear text format across \n the network are vulnerable to discovery by unauthorized \n users. 
Disclosure of passwords may easily lead to \n unauthorized access to the database."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000172-DB-000075","gid":"V-72857","rid":"SV-87509r1_rule","stig_id":"PGS9-00-000800","cci":["CCI-000197"],"nist":["IA-5 (1) (c)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. As the database administrator (shown here as \"postgres\"), review\n the authentication entries in pg_hba.conf:\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n If any entries use the auth_method (last column in records) \"password\", this\n is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n As the database administrator (shown here as \"postgres\"), edit\n pg_hba.conf authentication file and change all entries of \"password\" to\n \"md5\":\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n host all all .example.com md5"},"code":" control 'V-72857' do\n desc 'The CMS standard for authentication is CMS-approved \n PKI certificates.\n\n Authentication based on User ID and Password may be \n used only when it is not possible to employ a PKI \n certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all \n times, and encryption is the standard method for \n protecting passwords during transmission.\n\n PostgreSQL passwords sent in clear text format across \n the network are vulnerable to discovery by unauthorized \n users. 
Disclosure of passwords may easily lead to \n unauthorized access to the database.'\n end\n","source_location":{"line":32,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72857.rb"},"results":[]},{"id":"V-72859","title":"PostgreSQL must enforce approved authorizations for logical access to\n information and system resources in accordance with applicable access\n control policies.","desc":"Authentication with a CMS-approved PKI certificate does \n not necessarily imply authorization to access PostgreSQL. \n To mitigate the risk of unauthorized access to sensitive \n information by entities that have been issued certificates \n by CMS-approved PKIs, all CMS systems, including databases, \n must be properly configured to implement access control \n policies.\n\n Successful authentication must not automatically give an \n entity access to an asset or security boundary. \n Authorization procedures and controls must be implemented \n to ensure each authenticated entity also has a validated \n and current authorization. Authorization is the process \n of determining whether an entity, once authenticated, is \n permitted to access a specific asset. Information systems \n use access control policies and enforcement mechanisms to \n implement this requirement.\n\n Access control policies include identity-based policies, \n role-based policies, and attribute-based policies. Access \n enforcement mechanisms include access control lists, \n access control matrices, and cryptography. These policies \n and mechanisms must be employed by the application to \n control access between users (or processes acting on behalf \n of users) and objects (e.g., devices, files, records, \n processes, programs, and domains) in the information system.\n\n This requirement is applicable to access control enforcement \n applications, a category that includes database management \n systems. 
If PostgreSQL does not follow applicable policy when \n approving access, it may be in conflict with networks or other \n applications in the information system. This may result in \n users either gaining or being denied access inappropriately \n and in conflict with applicable policy.","descriptions":[{"label":"default","data":"Authentication with a CMS-approved PKI certificate does \n not necessarily imply authorization to access PostgreSQL. \n To mitigate the risk of unauthorized access to sensitive \n information by entities that have been issued certificates \n by CMS-approved PKIs, all CMS systems, including databases, \n must be properly configured to implement access control \n policies.\n\n Successful authentication must not automatically give an \n entity access to an asset or security boundary. \n Authorization procedures and controls must be implemented \n to ensure each authenticated entity also has a validated \n and current authorization. Authorization is the process \n of determining whether an entity, once authenticated, is \n permitted to access a specific asset. Information systems \n use access control policies and enforcement mechanisms to \n implement this requirement.\n\n Access control policies include identity-based policies, \n role-based policies, and attribute-based policies. Access \n enforcement mechanisms include access control lists, \n access control matrices, and cryptography. These policies \n and mechanisms must be employed by the application to \n control access between users (or processes acting on behalf \n of users) and objects (e.g., devices, files, records, \n processes, programs, and domains) in the information system.\n\n This requirement is applicable to access control enforcement \n applications, a category that includes database management \n systems. If PostgreSQL does not follow applicable policy when \n approving access, it may be in conflict with networks or other \n applications in the information system. 
This may result in \n users either gaining or being denied access inappropriately \n and in conflict with applicable policy."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000033-DB-000084","gid":"V-72859","rid":"SV-87511r1_rule","stig_id":"PGS9-00-000900","cci":["CCI-000213"],"nist":["AC-3","Rev_4"],"check":"From the system security plan or equivalent documentation,\n determine the appropriate permissions on database objects for each kind\n (group role) of user. If this documentation is missing, this is a finding.\n\n First, as the database administrator (shown here as \"postgres\"),\n check the privileges of all roles in the database by running the\n following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\du'\n\n Review all roles and their associated privileges. If any roles'\n privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n check the configured privileges for tables and columns by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\dp'\n\n Review all access privileges and column access privileges list.\n If any roles' privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n check the configured authentication settings in pg_hba.conf:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n Review all entries and their associated authentication methods.\n\n If any entries do not have their documented authentication requirements,\n this is a finding.","fix":"Create and/or maintain documentation of each group role's\n appropriate permissions on database objects.\n\n Implement these permissions in the database, and remove any permissions that\n exceed those documented.\n\n The following are examples of how to use role privileges in PostgreSQL to\n enforce access controls. 
For a complete list of privileges, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html\n\n #### Roles Example 1\n The following example demonstrates how to create an admin role with CREATEDB\n and CREATEROLE privileges.\n\n As the database administrator (shown here as \"postgres\"), run the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE admin WITH CREATEDB CREATEROLE\"\n\n #### Roles Example 2\n The following example demonstrates how to create a role with a password that\n expires and makes the role a member of the \"admin\" group.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE joe LOGIN ENCRYPTED PASSWORD 'stig2016!' VALID UNTIL\n'2016-09-20' IN ROLE admin\"\n\n #### Roles Example 3\n The following demonstrates how to revoke privileges from a role using REVOKE.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \"REVOKE admin FROM joe\"\n\n #### Roles Example 4\n The following demonstrates how to alter privileges in a role using ALTER.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \"ALTER ROLE joe NOLOGIN\"\n\n The following are examples of how to use grant privileges in PostgreSQL to\n enforce access controls on objects. 
For a complete list of privileges, see the\n official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-grant.html\n\n #### Grant Example 1\n The following example demonstrates how to grant SELECT on a table to a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT SELECT ON stig_test TO joe\"\n\n #### Grant Example 2\n The following example demonstrates how to grant ALL PRIVILEGES on a table to a\n role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT ALL PRIVILEGES ON stig_test TO joe\"\n\n #### Grant Example 3\n The following example demonstrates how to grant a role to a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT admin TO joe\"\n\n #### Revoke Example 1\n The following example demonstrates how to revoke access from a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"REVOKE admin FROM joe\"\n\n To change authentication requirements for the database, as the database\n administrator (shown here as \"postgres\"), edit pg_hba.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n\n Edit authentication requirements to the organizational requirements. See the\n official documentation for the complete list of options for authentication:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n After changes to pg_hba.conf, reload the server:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":" control 'V-72859' do\n desc 'Authentication with a CMS-approved PKI certificate does \n not necessarily imply authorization to access PostgreSQL. 
\n To mitigate the risk of unauthorized access to sensitive \n information by entities that have been issued certificates \n by CMS-approved PKIs, all CMS systems, including databases, \n must be properly configured to implement access control \n policies.\n\n Successful authentication must not automatically give an \n entity access to an asset or security boundary. \n Authorization procedures and controls must be implemented \n to ensure each authenticated entity also has a validated \n and current authorization. Authorization is the process \n of determining whether an entity, once authenticated, is \n permitted to access a specific asset. Information systems \n use access control policies and enforcement mechanisms to \n implement this requirement.\n\n Access control policies include identity-based policies, \n role-based policies, and attribute-based policies. Access \n enforcement mechanisms include access control lists, \n access control matrices, and cryptography. These policies \n and mechanisms must be employed by the application to \n control access between users (or processes acting on behalf \n of users) and objects (e.g., devices, files, records, \n processes, programs, and domains) in the information system.\n\n This requirement is applicable to access control enforcement \n applications, a category that includes database management \n systems. If PostgreSQL does not follow applicable policy when \n approving access, it may be in conflict with networks or other \n applications in the information system. 
This may result in \n users either gaining or being denied access inappropriately \n and in conflict with applicable policy.'\n end\n","source_location":{"line":67,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72859.rb"},"results":[]},{"id":"V-72861","title":"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in\ntransmission.","desc":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. 
These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. 
These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000314-DB-000310","gid":"V-72861","rid":"SV-87513r1_rule","stig_id":"PGS9-00-001100","cci":["CCI-002264"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \"postgres\"), run the\n following SQL against each table that requires security labels:\n $ sudo su - postgres\n $ psql -c \"\\d+ .\"\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.","fix":"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n RLS policies can be very different depending on their use case. 
For one\n example of using RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-72861\" do\n title \"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in\ntransmission.\"\n desc \"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. 
These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000314-DB-000310\"\n tag \"gid\": \"V-72861\"\n tag \"rid\": \"SV-87513r1_rule\"\n tag \"stig_id\": \"PGS9-00-001100\"\n tag \"cci\": [\"CCI-002264\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), run the\n following SQL against each table that requires security labels:\n $ sudo su - postgres\n $ psql -c \\\"\\\\d+ .\\\"\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.\"\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n RLS policies can be very different depending on their use case. 
For one\n example of using RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72861.rb"},"results":[]},{"id":"V-72863","title":"PostgreSQL must limit the number of concurrent sessions to an\n organization-defined number per user for all accounts and/or account types.","desc":"Database management includes the ability to control the number of users\n and user sessions utilizing PostgreSQL. Unlimited concurrent connections to\n PostgreSQL could allow a successful Denial of Service (DoS) attack by\n exhausting connection resources; and a system can also fail or be degraded by\n an overload of legitimate users. Limiting the number of concurrent sessions\n per user is helpful in reducing these risks.\n This requirement addresses concurrent session control for a single account.\n It does not address concurrent sessions by a single user via multiple system\n accounts; and it does not deal with the total number of sessions across all\n accounts.\n The capability to limit the number of concurrent sessions per user must be\n configured in or added to PostgreSQL (for example, by use of a logon trigger),\n when this is technically feasible. Note that it is not sufficient to limit\n sessions via a web server or application server alone, because legitimate\n users and adversaries can potentially connect to PostgreSQL by other means.\n The organization will need to define the maximum number of concurrent sessions\n by account type, by account, or a combination thereof. In deciding on the\n appropriate number, it is important to consider the work requirements of the\n various types of users. 
For example, 2 might be an acceptable limit for\n general users accessing the database via an application; but 10 might be too\n few for a database administrator using a database management GUI tool, where\n each query tab and navigation pane may count as a separate session.\n (Sessions may also be referred to as connections or logons, which for the\n purposes of this requirement are synonyms.)","descriptions":[{"label":"default","data":"Database management includes the ability to control the number of users\n and user sessions utilizing PostgreSQL. Unlimited concurrent connections to\n PostgreSQL could allow a successful Denial of Service (DoS) attack by\n exhausting connection resources; and a system can also fail or be degraded by\n an overload of legitimate users. Limiting the number of concurrent sessions\n per user is helpful in reducing these risks.\n This requirement addresses concurrent session control for a single account.\n It does not address concurrent sessions by a single user via multiple system\n accounts; and it does not deal with the total number of sessions across all\n accounts.\n The capability to limit the number of concurrent sessions per user must be\n configured in or added to PostgreSQL (for example, by use of a logon trigger),\n when this is technically feasible. Note that it is not sufficient to limit\n sessions via a web server or application server alone, because legitimate\n users and adversaries can potentially connect to PostgreSQL by other means.\n The organization will need to define the maximum number of concurrent sessions\n by account type, by account, or a combination thereof. In deciding on the\n appropriate number, it is important to consider the work requirements of the\n various types of users. 
For example, 2 might be an acceptable limit for\n general users accessing the database via an application; but 10 might be too\n few for a database administrator using a database management GUI tool, where\n each query tab and navigation pane may count as a separate session.\n (Sessions may also be referred to as connections or logons, which for the\n purposes of this requirement are synonyms.)"},{"label":"caveat","data":"Not applicable for this CMS ARS 3.1 overlay, \n since the related security control is not applied to this \n system categorization in CMS ARS 3.1"}],"impact":0.0,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000001-DB-000031","gid":"V-72863","rid":"SV-87515r1_rule","stig_id":"PGS9-00-001200","cci":["CCI-000054"],"nist":["AC-10","Rev_4"],"check":"To check the total amount of connections allowed by the database,\n as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW max_connections\"\n If the total amount of connections is greater than documented by\n an organization, this is a finding.\n To check the amount of connections allowed for each role, as the\n database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SELECT rolname, rolconnlimit from pg_authid\"\n If any roles have more connections configured than documented,\n this is a finding. 
A value of -1 indicates Unlimited; this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To configure the maximum amount of connections allowed to the\n database, as the database administrator (shown here as \"postgres\")\n change the following in postgresql.conf\n\n (the value 10 is an example; set the value to suit local conditions):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n max_connections = 10\n\n Next, restart the database:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart\n\n To limit the amount of connections allowed by a specific role,\n as the database administrator, run the following SQL:\n\n $ psql -c \"ALTER ROLE <role_name> CONNECTION LIMIT 1\";"},"code":" control 'V-72863' do\n impact 'none'\n desc 'caveat', 'Not applicable for this CMS ARS 3.1 overlay, \n since the related security control is not applied to this \n system categorization in CMS ARS 3.1'\n end\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72863.rb"},"results":[]},{"id":"V-72865","title":"The role(s)/group(s) used to modify database structure (including but\n not necessarily limited to tables, indexes, storage, etc.) and logic\n modules (functions, trigger procedures, links to software external to\n PostgreSQL, etc.) 
must be restricted to authorized users.","desc":"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations.","descriptions":[{"label":"default","data":"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000362","gid":"V-72865","rid":"SV-87517r1_rule","stig_id":"PGS9-00-001300","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions\n on configuring PGDATA.\n\n As the database administrator (shown here as \"postgres\"),\n list all users and their permissions by running the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \"\\dp *.*\"\n\n Verify that all objects have the correct privileges. 
If they do\n not, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n verify the permissions of the database directory on the\n filesystem:\n\n $ ls -la ${PGDATA?}\n\n If permissions of the database directory are not limited to an\n authorized user account, this is a finding.","fix":"As the database administrator, revoke any permissions from a role\n that are deemed unnecessary by running the following SQL:\n\n ALTER ROLE bob NOCREATEDB;\n ALTER ROLE bob NOCREATEROLE;\n ALTER ROLE bob NOSUPERUSER;\n ALTER ROLE bob NOINHERIT;\n REVOKE SELECT ON some_function FROM bob;"},"code":"control \"V-72865\" do\n # @todo update the title of this control to something sane\n title \"The role(s)/group(s) used to modify database structure (including but\n not necessarily limited to tables, indexes, storage, etc.) and logic\n modules (functions, trigger procedures, links to software external to\n PostgreSQL, etc.) must be restricted to authorized users.\"\n desc \"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000362\"\n tag \"gid\": \"V-72865\"\n tag \"rid\": \"SV-87517r1_rule\"\n tag \"stig_id\": \"PGS9-00-001300\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions\n on configuring PGDATA.\n\n As the database administrator (shown here as \\\"postgres\\\"),\n list all users and their permissions by running the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"\\\\dp *.*\\\"\n\n Verify that all objects have the correct privileges. If they do\n not, this is a finding.\n\n Next, as the database administrator (shown here as \\\"postgres\\\"),\n verify the permissions of the database directory on the\n filesystem:\n\n $ ls -la ${PGDATA?}\n\n If permissions of the database directory are not limited to an\n authorized user account, this is a finding.\"\n\n tag \"fix\": \"As the database administrator, revoke any permissions from a role\n that are deemed unnecessary by running the following SQL:\n\n ALTER ROLE bob NOCREATEDB;\n ALTER ROLE bob NOCREATEROLE;\n ALTER ROLE bob NOSUPERUSER;\n ALTER ROLE bob NOINHERIT;\n REVOKE SELECT ON some_function FROM bob;\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n owners = authorized_owners.join('|')\n\n object_granted_privileges = 'arwdDxtU'\n object_public_privileges = 'r'\n object_acl = \"^((((#{owners})=[#{object_granted_privileges}]+|\"\\\n \"=[#{object_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n object_acl_regex = Regexp.new(object_acl)\n\n pg_settings_acl = \"^((((#{owners})=[#{object_granted_privileges}]+|\"\\\n \"=rw)\\/\\\\w+,?)+)\\\\|pg_catalog\\\\|pg_settings\\\\|v\"\n pg_settings_acl_regex = Regexp.new(pg_settings_acl)\n\n tested = []\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind \"\\\n \"FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f');\"\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate;'\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n rows 
= sql.query(objects_sql, [database])\n if rows.methods.include?(:output) # Handle connection disabled on database\n objects = rows.lines\n\n objects.each do |obj|\n unless tested.include?(obj)\n schema, object, type = obj.split('|')\n relacl_sql = \"SELECT pg_catalog.array_to_string(c.relacl, E','), \"\\\n \"n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE n.nspname = '#{schema}' AND c.relname = '#{object}' \"\\\n \"AND c.relkind = '#{type}';\"\n\n sql_result=sql.query(relacl_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should match object_acl_regex }\n end\n\n describe sql_result do\n its('output') { should match pg_settings_acl_regex }\n end\n end\n # TODO: Add test for column acl\n tested.push(obj)\n end\n end\n end\n end\n\n describe directory(PG_DATA_DIR) do\n it { should be_directory }\n it { should be_owned_by PG_OWNER }\n its('mode') { should cmp '0700' }\n end\nend\n","source_location":{"line":62,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72865.rb"},"results":[]},{"id":"V-72867","title":"PostgreSQL must uniquely identify and authenticate non-organizational\n users (or processes acting on behalf of non-organizational users).","desc":"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk assessment is used in determining the authentication needs\n of the organization.\n 
Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation.","descriptions":[{"label":"default","data":"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk assessment is used in determining the authentication needs\n of the organization.\n Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000180-DB-000115","gid":"V-72867","rid":"SV-87519r1_rule","stig_id":"PGS9-00-001400","cci":["CCI-000804"],"nist":["IA-8","Rev_4"],"check":"PostgreSQL uniquely identifies and authenticates PostgreSQL\n users through the use of DBMS roles.\n To list all roles in the database, as the database administrator (shown here\n as \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"\\du\"\n If users are not uniquely identified as per organizational documentation, this\n is a finding.","fix":"To drop a role, as the database administrator 
(shown here as\n \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"DROP ROLE \"\n To create a role, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE LOGIN\"\n For the complete list of permissions allowed by roles, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html"},"code":"control \"V-72867\" do\n title \"PostgreSQL must uniquely identify and authenticate non-organizational\n users (or processes acting on behalf of non-organizational users).\"\n desc \"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk assessment is used in determining the authentication needs\n of the organization.\n Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000180-DB-000115\"\n tag \"gid\": \"V-72867\"\n tag \"rid\": \"SV-87519r1_rule\"\n tag \"stig_id\": \"PGS9-00-001400\"\n tag \"cci\": [\"CCI-000804\"]\n tag \"nist\": [\"IA-8\", \"Rev_4\"]\n tag \"check\": \"PostgreSQL uniquely identifies and authenticates PostgreSQL\n users through the use of DBMS roles.\n To list all roles in the database, as 
the database administrator (shown here\n as \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"\\\\du\\\"\n If users are not uniquely identified as per organizational documentation, this\n is a finding.\"\n tag \"fix\": \"To drop a role, as the database administrator (shown here as\n \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"DROP ROLE \\\"\n To create a role, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"CREATE ROLE LOGIN\\\"\n For the complete list of permissions allowed by roles, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_roles = PG_SUPERUSERS\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r where r.rolsuper;'\n describe sql.query(roles_sql, [PG_DB]) do\n its('lines.sort') { should cmp authorized_roles.sort }\n end\nend\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72867.rb"},"results":[]},{"id":"V-72869","title":"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in storage.","desc":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example 
includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. 
If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000311-DB-000308","gid":"V-72869","rid":"SV-87521r1_rule","stig_id":"PGS9-00-001700","cci":["CCI-002262"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \"postgres\"), run the\n following SQL against each table that requires security labels:\n\n $ sudo su - postgres\n $ psql -c \"\\d+ .\"\n\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.","fix":"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n\n RLS policies can be very different depending on their use case. 
For one example\n of using RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-72869\" do\n title \"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in storage.\"\n desc \"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. 
If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000311-DB-000308\"\n tag \"gid\": \"V-72869\"\n tag \"rid\": \"SV-87521r1_rule\"\n tag \"stig_id\": \"PGS9-00-001700\"\n tag \"cci\": [\"CCI-002262\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), run the\n following SQL against each table that requires security labels:\n\n $ sudo su - postgres\n $ psql -c \\\"\\\\d+ .\\\"\n\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.\"\n\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n\n RLS policies can be very different depending on their use case. 
For one example\n of using RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72869.rb"},"results":[]},{"id":"V-72871","title":"PostgreSQL must check the validity of all data inputs except those\n specifically identified by the organization.","desc":"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000160","gid":"V-72871","rid":"SV-87523r1_rule","stig_id":"PGS9-00-001800","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL code (trigger procedures, functions),\n application code, settings, column and field definitions, and constraints to\n determine whether the database is protected against invalid input.\n If code exists that allows invalid data to be acted upon or input into the\n database, this is a finding.\n\n If column/field definitions do not exist in the database, this is a finding.\n If columns/fields do not contain constraints and validity checking where\n required, this is a finding.\n\n Where a column/field is noted in the system documentation as necessarily\n free-form, even though its name and context suggest that it should be strongly\n typed and constrained, the absence of these protections is not a finding.\n Where a column/field is clearly identified by name, caption or context as\n Notes, Comments, Description, Text, etc., the absence of these protections is\n not a finding.\n\n Check application code that interacts with PostgreSQL for the use of prepared\n statements. 
If prepared statements are not used, this is a finding.","fix":"Modify database code to properly validate data before it is put\n into the database or acted upon by the database.\n\n Modify the database to contain constraints and validity checking on database\n columns and tables that require them for data integrity.\n\n Use prepared statements when taking user input.\n \n Do not allow general users direct console access to PostgreSQL."},"code":"control \"V-72871\" do\n title \"PostgreSQL must check the validity of all data inputs except those\n specifically identified by the organization.\"\n desc \"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000160\"\n tag \"gid\": \"V-72871\"\n tag \"rid\": \"SV-87523r1_rule\"\n tag \"stig_id\": \"PGS9-00-001800\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL code (trigger procedures, functions),\n application code, settings, column and field definitions, and constraints to\n determine whether the database is protected against invalid input.\n If code exists that allows invalid data to be acted upon or input into the\n database, this is a finding.\n\n If column/field definitions do not exist in the database, this is a finding.\n If columns/fields do not contain constraints and validity checking where\n required, this is a finding.\n\n Where a column/field is noted in the system documentation as necessarily\n free-form, even though its name and context suggest that it should be strongly\n typed and constrained, the absence of these protections is not a finding.\n Where a column/field is clearly identified by name, caption or context as\n Notes, Comments, Description, Text, etc., the absence of these protections is\n not a finding.\n\n Check application code that interacts with PostgreSQL for the use of prepared\n statements. 
If prepared statements are not used, this is a finding.\"\n\n tag \"fix\": \"Modify database code to properly validate data before it is put\n into the database or acted upon by the database.\n\n Modify the database to contain constraints and validity checking on database\n columns and tables that require them for data integrity.\n\n Use prepared statements when taking user input.\n \n Do not allow general users direct console access to PostgreSQL.\"\n\n only_if { false }\n \nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72871.rb"},"results":[]},{"id":"V-72873","title":"PostgreSQL and associated applications must reserve the use of dynamic\n code execution for situations that require it.","desc":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. 
Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. 
Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000391","gid":"V-72873","rid":"SV-87525r1_rule","stig_id":"PGS9-00-001900","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL source code (trigger procedures, functions)\n and application source code, to identify cases of dynamic code execution. Any\n user input should be handled through prepared statements.\n If dynamic code execution is employed in circumstances where the objective\n could practically be satisfied by static execution with strongly typed\n parameters, this is a finding.","fix":"Where dynamic code execution is employed in circumstances where\n the objective could practically be satisfied by static execution with strongly\n typed parameters, modify the code to do so."},"code":"control \"V-72873\" do\n title \"PostgreSQL and associated applications must reserve the use of dynamic\n code execution for situations that require it.\"\n desc \"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. 
It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and f\n unctions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. 
At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000391\"\n tag \"gid\": \"V-72873\"\n tag \"rid\": \"SV-87525r1_rule\"\n tag \"stig_id\": \"PGS9-00-001900\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL source code (trigger procedures, functions)\n and application source code, to identify cases of dynamic code execution. Any\n user input should be handled through prepared statements.\n If dynamic code execution is employed in circumstances where the objective\n could practically be satisfied by static execution with strongly typed\n parameters, this is a finding.\"\n tag \"fix\": \"Where dynamic code execution is employed in circumstances where\n the objective could practically be satisfied by static execution with strongly\n typed parameters, modify the code to do so.\"\n\n only_if { false }\n \nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72873.rb"},"results":[]},{"id":"V-72875","title":"PostgreSQL and associated applications, when making use of dynamic code\n execution, must scan input data for invalid values that may indicate a code\n injection attack.","desc":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. 
When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. 
Use case-insensitive comparisons when searching for these. Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker.","descriptions":[{"label":"default","data":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. 
Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. Use case-insensitive comparisons when searching for these. 
Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000392","gid":"V-72875","rid":"SV-87527r1_rule","stig_id":"PGS9-00-002000","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL source code (trigger procedures, functions)\n and application source code to identify cases of dynamic code execution.\n If dynamic code execution is employed without protective measures against code\n injection, this is a finding.","fix":"Where dynamic code execution is used, modify the code to implement\n protections against code injection (IE: prepared statements)."},"code":"control \"V-72875\" do\n title \"PostgreSQL and associated applications, when making use of dynamic code\n execution, must scan input data for invalid values that may indicate a code i\n njection attack.\"\n desc \"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. 
In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. 
In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. Use case-insensitive comparisons when searching for these. Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000392\"\n tag \"gid\": \"V-72875\"\n tag \"rid\": \"SV-87527r1_rule\"\n tag \"stig_id\": \"PGS9-00-002000\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL source code (trigger procedures, functions)\n and application source code to identify cases of dynamic code execution.\n If dynamic code execution is employed without protective measures against code\n injection, this is a finding.\"\n tag \"fix\": \"Where dynamic code execution is used, modify the code to implement\n protections against code injection (IE: prepared statements).\"\n\n only_if { false }\n 
\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72875.rb"},"results":[]},{"id":"V-72877","title":"PostgreSQL must allocate audit record storage capacity in accordance\n with organization-defined audit record storage requirements.","desc":"In order to ensure sufficient storage capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records.","descriptions":[{"label":"default","data":"In order to ensure sufficient storage capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. 
Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000357-DB-000316","gid":"V-72877","rid":"SV-87529r1_rule","stig_id":"PGS9-00-002100","cci":["CCI-001849"],"nist":["AU-4","Rev_4"],"check":"Investigate whether there have been any incidents where\n PostgreSQL ran out of audit log space since the last time the space was\n allocated or other corrective measures were taken.\n If there have been incidents where PostgreSQL ran out of audit log space,\n this is a finding.","fix":"Allocate sufficient audit file/table space to support peak demand."},"code":"control \"V-72877\" do\n title \"PostgreSQL must allocate audit record storage capacity in accordance\n with organization-defined audit record storage requirements.\"\n desc \"In order to ensure sufficient storage 
capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000357-DB-000316\"\n tag \"gid\": \"V-72877\"\n tag \"rid\": \"SV-87529r1_rule\"\n tag \"stig_id\": \"PGS9-00-002100\"\n tag \"cci\": [\"CCI-001849\"]\n tag \"nist\": [\"AU-4\", \"Rev_4\"]\n tag \"check\": \"Investigate whether there have been any incidents where\n PostgreSQL ran out of audit log space since the last time the space was\n allocated or other corrective measures were taken.\n If there have been incidents where PostgreSQL ran out of audit log space,\n this is a finding.\"\n tag \"fix\": \"Allocate sufficient audit file/table space to support peak demand.\"\n\n only_if { false }\n 
\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72877.rb"},"results":[]},{"id":"V-72883","title":"PostgreSQL must enforce discretionary access control policies, as\n defined by the data owner, over defined subjects and objects.","desc":"Discretionary Access Control (DAC) is based on the notion that\n individual users are \"owners\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. 
While the older,\n more traditional definitions of discretionary access control require\n identity-based access control, that limitation is not required for this use of\n discretionary access control.","descriptions":[{"label":"default","data":"Discretionary Access Control (DAC) is based on the notion that\n individual users are \"owners\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. 
While the older,\n more traditional definitions of discretionary access control require\n identity-based access control, that limitation is not required for this use of\n discretionary access control."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000328-DB-000301","gid":"V-72883","rid":"SV-87535r1_rule","stig_id":"PGS9-00-002200","cci":["CCI-002165"],"nist":["AC-3 (4)","Rev_4"],"check":"Review system documentation to identify the required\n discretionary access control (DAC).\n\n Review the security configuration of the database and PostgreSQL. If\n applicable, review the security configuration of the application(s) using the\n database.\n\n If the discretionary access control defined in the documentation is not\n implemented in the security configuration, this is a finding.\n\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n\n To check the ownership of objects in the database, as the database\n administrator, run the following:\n $ sudo su - postgres\n $ psql -c \"\\dn *.*\"\n $ psql -c \"\\dt *.*\"\n $ psql -c \"\\ds *.*\"\n $ psql -c \"\\dv *.*\"\n $ psql -c \"\\df+ *.*\"\n If any role is given privileges to objects it should not have, this is a\n finding.","fix":"Implement the organization's DAC policy in the security\n configuration of the database and PostgreSQL, and, if applicable, the security\n configuration of the application(s) using the database.\n To GRANT privileges to roles, as the database administrator (shown here as\n \"postgres\"), run statements like the following examples:\n $ sudo su - postgres\n $ psql -c \"CREATE SCHEMA test\"\n $ psql -c \"GRANT CREATE ON SCHEMA test TO bob\"\n $ psql -c \"CREATE TABLE test.test_table(id INT)\"\n $ psql -c \"GRANT SELECT ON TABLE test.test_table TO bob\"\n To REVOKE privileges to roles, as the database administrator (shown here as\n \"postgres\"), run statements like the following examples:\n $ psql -c \"REVOKE 
SELECT ON TABLE test.test_table FROM bob\"\n $ psql -c \"REVOKE CREATE ON SCHEMA test FROM bob\""},"code":"control \"V-72883\" do\n title \"PostgreSQL must enforce discretionary access control policies, as\n defined by the data owner, over defined subjects and objects.\"\n desc \"Discretionary Access Control (DAC) is based on the notion that\n individual users are \\\"owners\\\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. 
While the older,\n more traditional definitions of discretionary access control require i\n dentity-based access control, that limitation is not required for this use of\n discretionary access control.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000328-DB-000301\"\n tag \"gid\": \"V-72883\"\n tag \"rid\": \"SV-87535r1_rule\"\n tag \"stig_id\": \"PGS9-00-002200\"\n tag \"cci\": [\"CCI-002165\"]\n tag \"nist\": [\"AC-3 (4)\", \"Rev_4\"]\n tag \"check\": \"Review system documentation to identify the required\n discretionary access control (DAC).\n\n Review the security configuration of the database and PostgreSQL. If\n applicable, review the security configuration of the application(s) using the\n database.\n\n If the discretionary access control defined in the documentation is not\n implemented in the security configuration, this is a finding.\n\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n\n To check the ownership of objects in the database, as the database\n administrator, run the following:\n $ sudo su - postgres\n $ psql -c \\\"\\\\dn *.*\\\"\n $ psql -c \\\"\\\\dt *.*\\\"\n $ psql -c \\\"\\\\ds *.*\\\"\n $ psql -c \\\"\\\\dv *.*\\\"\n $ psql -c \\\"\\\\df+ *.*\\\"\n If any role is given privileges to objects it should not have, this is a\n finding.\"\n tag \"fix\": \"Implement the organization's DAC policy in the security\n configuration of the database and PostgreSQL, and, if applicable, the security\n configuration of the application(s) using the database.\n To GRANT privileges to roles, as the database administrator (shown here as\n \\\"postgres\\\"), run statements like the following examples:\n $ sudo su - postgres\n $ psql -c \\\"CREATE SCHEMA test\\\"\n $ psql -c \\\"GRANT CREATE ON SCHEMA test TO bob\\\"\n $ psql -c \\\"CREATE TABLE test.test_table(id INT)\\\"\n $ psql -c \\\"GRANT SELECT ON TABLE test.test_table TO bob\\\"\n To REVOKE privileges to 
roles, as the database administrator (shown here as\n \\\"postgres\\\"), run statements like the following examples:\n $ psql -c \\\"REVOKE SELECT ON TABLE test.test_table FROM bob\\\"\n $ psql -c \\\"REVOKE CREATE ON SCHEMA test FROM bob\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n types = %w(t s v) # tables, sequences views\n\n databases.each do |database|\n schemas_sql = ''\n functions_sql = ''\n\n if database == 'postgres'\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n else\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema';\"\n end\n\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n 
connection_error_regex = Regexp.new(connection_error)\n \n sql_result=sql.query(schemas_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n sql_result=sql.query(functions_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n types.each do |type|\n objects_sql = ''\n\n if database == 'postgres'\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}' \"\n \"AND n.nspname !~ '^pg_toast';\"\n else\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'\"\\\n \" AND n.nspname !~ '^pg_toast';\"\n end\n\n sql_result=sql.query(objects_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72883.rb"},"results":[]},{"id":"V-72887","title":"PostgreSQL must record time stamps, in audit records and application\n data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).","desc":"If 
time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000374-DB-000322","gid":"V-72887","rid":"SV-87539r1_rule","stig_id":"PGS9-00-002400","cci":["CCI-001890"],"nist":["AU-8 b","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n When a PostgreSQL cluster is initialized using initdb, the PostgreSQL cluster\n will be configured to use the same time zone as the target server.\n As the database administrator (shown here as \"postgres\"), check the current\n log_timezone setting by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_timezone\"\n log_timezone\n --------------\n UTC\n (1 row)\n If log_timezone is not set to the desired time zone, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To change log_timezone in postgresql.conf to use a different time zone for\n logs, as the database administrator (shown here as \"postgres\"), run the\n following:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_timezone='UTC'\n Next, restart the database:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart"},"code":"control \"V-72887\" do\n title \"PostgreSQL must record time stamps, in audit records and application\n data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).\"\n desc \"If time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000374-DB-000322\"\n tag \"gid\": \"V-72887\"\n tag \"rid\": \"SV-87539r1_rule\"\n tag \"stig_id\": \"PGS9-00-002400\"\n tag \"cci\": [\"CCI-001890\"]\n tag \"nist\": [\"AU-8 b\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n When a PostgreSQL cluster is initialized using initdb, the PostgreSQL cluster\n will be configured to use the same time zone as the target server.\n As the database administrator (shown here as \\\"postgres\\\"), check the current\n log_timezone setting by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_timezone\\\"\n log_timezone\n --------------\n UTC\n (1 row)\n If log_timezone is not set to the desired time zone, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To change log_timezone in postgresql.conf to use a different time zone for\n logs, as the database administrator (shown here as \\\"postgres\\\"), run the\n following:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_timezone='UTC'\n Next, restart the database:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW log_timezone;', [PG_DB]) do\n its('output') { should eq PG_TIMEZONE }\n end\nend\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72887.rb"},"results":[]},{"id":"V-72891","title":"PostgreSQL must allow only the ISSM (or individuals or roles appointed\n by the ISSM) to select which auditable events are to be audited.","desc":"Without the capability to restrict which roles and individuals can\n select which events are audited, unauthorized personnel may be able to prevent\n or interfere with the auditing of critical events.\n\n Suppression of auditing could permit an adversary to evade detection.\n\n Misconfigured audits can degrade the system's performance by overwhelming the\n audit log. 
Misconfigured audits may also make it more difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can\n select which events are audited, unauthorized personnel may be able to prevent\n or interfere with the auditing of critical events.\n\n Suppression of auditing could permit an adversary to evade detection.\n\n Misconfigured audits can degrade the system's performance by overwhelming the\n audit log. Misconfigured audits may also make it more difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000090-DB-000065","gid":"V-72891","rid":"SV-87543r1_rule","stig_id":"PGS9-00-002600","cci":["CCI-000171"],"nist":["AU-12 b","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Check PostgreSQL settings and documentation to determine whether designated\n personnel are able to select which auditable events are being audited.\n As the database administrator (shown here as \"postgres\"), verify the\n permissions for PGDATA:\n $ ls -la ${PGDATA?}\n If anything in PGDATA is not owned by the database administrator, this is a\n finding.\n Next, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"\\du\"\n Review the role permissions, if any role is listed as superuser but should not\n have that access, this is a finding.","fix":"Configure PostgreSQL's settings to allow designated personnel to\n select which auditable events are audited.\n Using pgaudit allows administrators the flexibility to choose what they log.\n For an overview of the capabilities of pgaudit, see\n https://github.com/pgaudit/pgaudit.\n See supplementary content APPENDIX-B for documentation on installing pgaudit.\n See supplementary content APPENDIX-C for instructions on enabling logging.\n Only administrators/superuser can change PostgreSQL configurations. Access to\n the database administrator must be limited to designated personnel only.\n To ensure that postgresql.conf is owned by the database owner:\n $ chown postgres:postgres ${PGDATA?}/postgresql.conf\n $ chmod 600 ${PGDATA?}/postgresql.conf"},"code":"control \"V-72891\" do\n\n title \"PostgreSQL must allow only the ISSM (or individuals or roles appointed\n by the ISSM) to select which auditable events are to be audited.\"\n desc \"Without the capability to restrict which roles and individuals can\n select which events are audited, unauthorized personnel may be able to prevent\n or interfere with the auditing of critical events.\n\n Suppression of auditing could permit an adversary to evade detection.\n\n Misconfigured audits can degrade the system's performance by overwhelming the\n audit log. 
Misconfigured audits may also make it more difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000090-DB-000065\"\n tag \"gid\": \"V-72891\"\n tag \"rid\": \"SV-87543r1_rule\"\n tag \"stig_id\": \"PGS9-00-002600\"\n tag \"cci\": [\"CCI-000171\"]\n tag \"nist\": [\"AU-12 b\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Check PostgreSQL settings and documentation to determine whether designated\n personnel are able to select which auditable events are being audited.\n As the database administrator (shown here as \\\"postgres\\\"), verify the\n permissions for PGDATA:\n $ ls -la ${PGDATA?}\n If anything in PGDATA is not owned by the database administrator, this is a\n finding.\n Next, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"\\\\du\\\"\n Review the role permissions, if any role is listed as superuser but should not\n have that access, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL's settings to allow designated personnel to\n select which auditable events are audited.\n Using pgaudit allows administrators the flexibility to choose what they log.\n For an overview of the capabilities of pgaudit, see\n https://github.com/pgaudit/pgaudit.\n See supplementary content APPENDIX-B for documentation on installing pgaudit.\n See supplementary content APPENDIX-C for instructions on enabling logging.\n Only administrators/superuser can change PostgreSQL configurations. 
Access to\n the database administrator must be limited to designated personnel only.\n To ensure that postgresql.conf is owned by the database owner:\n $ chown postgres:postgres ${PGDATA?}/postgresql.conf\n $ chmod 600 ${PGDATA?}/postgresql.conf\"\n\n describe directory(PG_DATA_DIR) do\n it { should be_directory }\n it { should be_owned_by PG_OWNER }\n its('mode') { should cmp '0700' }\n end\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n superuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\nend\n","source_location":{"line":57,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72891.rb"},"results":[]},{"id":"V-72893","title":"PostgreSQL must provide an immediate real-time alert to appropriate\n support staff of all audit failure events requiring real-time alerts.","desc":"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert o\n ccurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. 
The term \"the system\" is used to encompass all of these.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert o\n ccurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. The term \"the system\" is used to encompass all of these."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000360-DB-000320","gid":"V-72893","rid":"SV-87545r1_rule","stig_id":"PGS9-00-002700","cci":["CCI-001858"],"nist":["AU-5 (2)","Rev_4"],"check":"Review the system documentation to determine which audit failure\n events require real-time alerts.\n Review the system settings and code. If the real-time alerting that is\n specified in the documentation is not enabled, this is a finding.","fix":"Configure the system to provide an immediate real-time alert to\n appropriate support staff when a specified audit failure occurs.\n It is possible to create scripts or implement third-party tools to enable\n real-time alerting for audit failures in PostgreSQL."},"code":"control \"V-72893\" do\n title \"PostgreSQL must provide an immediate real-time alert to appropriate\n support staff of all audit failure events requiring real-time alerts.\"\n desc \"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. 
Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert o\n ccurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. The term \\\"the system\\\" is used to encompass all of these.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000360-DB-000320\"\n tag \"gid\": \"V-72893\"\n tag \"rid\": \"SV-87545r1_rule\"\n tag \"stig_id\": \"PGS9-00-002700\"\n tag \"cci\": [\"CCI-001858\"]\n tag \"nist\": [\"AU-5 (2)\", \"Rev_4\"]\n tag \"check\": \"Review the system documentation to determine which audit failure\n events require real-time alerts.\n Review the system settings and code. If the real-time alerting that is\n specified in the documentation is not enabled, this is a finding.\"\n tag \"fix\": \"Configure the system to provide an immediate real-time alert to\n appropriate support staff when a specified audit failure occurs.\n It is possible to create scripts or implement third-party tools to enable\n real-time alerting for audit failures in PostgreSQL.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72893.rb"},"results":[]},{"id":"V-72895","title":"PostgreSQL must maintain the confidentiality and integrity of\n information during reception.","desc":"Information can be either unintentionally or maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. 
These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.","descriptions":[{"label":"default","data":"Information can be either unintentionally or maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. 
Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000442-DB-000379","gid":"V-72895","rid":"SV-87547r1_rule","stig_id":"PGS9-00-003000","cci":["CCI-002422"],"nist":["SC-8 (2)","Rev_4"],"check":"If the data owner does not have a strict requirement for\n ensuring data integrity and confidentiality is maintained at every step of the\n data transfer and handling process, this is not a finding.\n\n As the database administrator (shown here as \"postgres\"), verify SSL is\n enabled in postgresql.conf by:\n\n First, open the postgresql.conf file and ensure the ssl paramater is set to on:\n\n $ vi /postgresql.conf\n $ ssl = 'on'\n\n is set and not commented out with a '#'.\n\n Second, run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n\n If SSL is off, this is a finding.\n\n If PostgreSQL, associated applications, and infrastructure do not employ\n protective measures against unauthorized disclosure and modification during\n reception, this is a finding.","fix":"Implement protective measures against unauthorized disclosure and\n modification during reception.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G for\n instructions on enabling SSL."},"code":"control \"V-72895\" do\n title \"PostgreSQL must maintain the confidentiality and integrity of\n information during reception.\"\n desc \"Information can be either unintentionally or 
maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000442-DB-000379\"\n tag \"gid\": \"V-72895\"\n tag \"rid\": \"SV-87547r1_rule\"\n tag \"stig_id\": \"PGS9-00-003000\"\n tag \"cci\": [\"CCI-002422\"]\n tag \"nist\": [\"SC-8 (2)\", \"Rev_4\"]\n tag \"check\": \"If the data owner does not have a strict requirement for\n ensuring data integrity and confidentiality is maintained at every step of the\n data transfer and handling process, this is not a finding.\n\n As the database administrator (shown here as \\\"postgres\\\"), verify SSL is\n enabled in postgresql.conf by:\n\n First, open the postgresql.conf file and ensure the ssl paramater is set to on:\n\n $ vi /postgresql.conf\n $ ssl = 'on'\n\n is set and not commented out with a '#'.\n\n Second, run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW ssl\\\"\n\n If SSL is off, this is a finding.\n\n If PostgreSQL, associated applications, and infrastructure do not employ\n protective measures against 
unauthorized disclosure and modification during\n reception, this is a finding.\"\n\n tag \"fix\": \"Implement protective measures against unauthorized disclosure and\n modification during reception.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G for\n instructions on enabling SSL.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72895.rb"},"results":[]},{"id":"V-72897","title":"Database objects (including but not limited to tables, indexes,\n storage, trigger procedures, functions, links to software external to\n PostgreSQL, etc.) must be owned by database/DBMS principals authorized for\n ownership.","desc":"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. Database functions and procedures can be coded using\n definer's rights. This allows anyone who utilizes the object to perform the\n actions if they were the owner. If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed.","descriptions":[{"label":"default","data":"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. Database functions and procedures can be coded using\n definer's rights. This allows anyone who utilizes the object to perform the\n actions if they were the owner. 
If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000200","gid":"V-72897","rid":"SV-87549r1_rule","stig_id":"PGS9-00-003100","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review system documentation to identify accounts authorized to\n own database objects. Review accounts that own objects in the database(s).\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n To check the ownership of objects in the database, as the database\n administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -x -c \"\\dn *.*\"\n $ psql -x -c \"\\dt *.*\"\n $ psql -x -c \"\\ds *.*\"\n $ psql -x -c \"\\dv *.*\"\n $ psql -x -c \"\\df+ *.*\"\n If any object is not owned by an authorized role for ownership, this is a\n finding.","fix":"Assign ownership of authorized objects to authorized object owner\n accounts.\n #### Schema Owner\n To create a schema owned by the user bob, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"CREATE SCHEMA test AUTHORIZATION bob\n To alter the ownership of an existing object to be owned by the user bob,\n run the following SQL:\n $ sudo su - postgres\n $ psql -c \"ALTER SCHEMA test OWNER TO bob\""},"code":"control \"V-72897\" do\n title \"Database objects (including but not limited to tables, indexes,\n storage, trigger procedures, functions, links to software external to\n PostgreSQL, etc.) must be owned by database/DBMS principals authorized for\n ownership.\"\n desc \"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. 
Database functions and procedures can be coded using\n definer's rights. This allows anyone who utilizes the object to perform the\n actions if they were the owner. If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000200\"\n tag \"gid\": \"V-72897\"\n tag \"rid\": \"SV-87549r1_rule\"\n tag \"stig_id\": \"PGS9-00-003100\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review system documentation to identify accounts authorized to\n own database objects. Review accounts that own objects in the database(s).\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n To check the ownership of objects in the database, as the database\n administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\dn *.*\\\"\n $ psql -x -c \\\"\\\\dt *.*\\\"\n $ psql -x -c \\\"\\\\ds *.*\\\"\n $ psql -x -c \\\"\\\\dv *.*\\\"\n $ psql -x -c \\\"\\\\df+ *.*\\\"\n If any object is not owned by an authorized role for ownership, this is a\n finding.\"\n tag \"fix\": \"Assign ownership of authorized objects to authorized object owner\n accounts.\n #### Schema Owner\n To create a schema owned by the user bob, run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"CREATE SCHEMA test AUTHORIZATION bob\n To alter the ownership of an existing object to be owned by the user bob,\n run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"ALTER SCHEMA test OWNER TO bob\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = 
sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n types = %w(t s v) # tables, sequences views\n\n databases.each do |database|\n schemas_sql = ''\n functions_sql = ''\n\n if database == 'postgres'\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n else\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema';\"\n end\n\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n connection_error_regex = Regexp.new(connection_error)\n\n sql_result=sql.query(schemas_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n sql_result=sql.query(functions_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match 
connection_error_regex }\n end\n end\n\n types.each do |type|\n objects_sql = ''\n\n if database == 'postgres'\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}' \"\n \"AND n.nspname !~ '^pg_toast';\"\n else\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'\"\\\n \" AND n.nspname !~ '^pg_toast';\"\n end\n\n sql_result=sql.query(objects_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72897.rb"},"results":[]},{"id":"V-72899","title":"The PostgreSQL software installation account must be restricted to\n authorized users.","desc":"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized 
individuals must be allowed access\n to information system components for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a great impact on database\n security and operation. It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them.","descriptions":[{"label":"default","data":"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized individuals must be allowed access\n to information system components for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a great impact on database\n security and operation. 
It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000198","gid":"V-72899","rid":"SV-87551r1_rule","stig_id":"PGS9-00-003200","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review procedures for controlling, granting access to, and\n tracking use of the PostgreSQL software installation account(s).\n If access or use of this account is not restricted to the minimum number of\n personnel required or if unauthorized access to the account has been granted,\n this is a finding.","fix":"Develop, document, and implement procedures to restrict and track\n use of the PostgreSQL software installation account."},"code":"control \"V-72899\" do\n title \"The PostgreSQL software installation account must be restricted to\n authorized users.\"\n desc \"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized individuals must be allowed access\n to information system components for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a great impact on database\n security and operation. 
It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000198\"\n tag \"gid\": \"V-72899\"\n tag \"rid\": \"SV-87551r1_rule\"\n tag \"stig_id\": \"PGS9-00-003200\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review procedures for controlling, granting access to, and\n tracking use of the PostgreSQL software installation account(s).\n If access or use of this account is not restricted to the minimum number of\n personnel required or if unauthorized access to the account has been granted,\n this is a finding.\"\n tag \"fix\": \"Develop, document, and implement procedures to restrict and track\n use of the PostgreSQL software installation account.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72899.rb"},"results":[]},{"id":"V-72901","title":"Database software, including PostgreSQL configuration files, must be\n stored in dedicated directories separate from the host OS and other\n applications.","desc":"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. 
Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. Any\n method that provides any level of separation of security context assists in\n the protection between applications.","descriptions":[{"label":"default","data":"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. Any\n method that provides any level of separation of security context assists in\n the protection between applications."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000199","gid":"V-72901","rid":"SV-87553r1_rule","stig_id":"PGS9-00-003300","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review the PostgreSQL software library directory and any\n subdirectories.\n If any non-PostgreSQL software directories exist on the disk directory,\n examine or investigate their use. 
If any of the directories are used by other\n applications, including third-party applications that use the PostgreSQL, this\n is a finding.\n Only applications that are required for the functioning and administration,\n not use, of the PostgreSQL should be located in the same disk directory as\n the PostgreSQL software libraries.\n If other applications are located in the same directory as PostgreSQL, this\n is a finding.","fix":"Install all applications on directories separate from the\n PostgreSQL software library directory. Relocate any directories or reinstall\n other application software that currently shares the PostgreSQL software\n library directory."},"code":"control \"V-72901\" do\n title \"Database software, including PostgreSQL configuration files, must be\n stored in dedicated directories separate from the host OS and other\n applications.\"\n desc \"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. 
Any\n method that provides any level of separation of security context assists in\n the protection between applications.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000199\"\n tag \"gid\": \"V-72901\"\n tag \"rid\": \"SV-87553r1_rule\"\n tag \"stig_id\": \"PGS9-00-003300\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review the PostgreSQL software library directory and any\n subdirectories.\n If any non-PostgreSQL software directories exist on the disk directory,\n examine or investigate their use. If any of the directories are used by other\n applications, including third-party applications that use the PostgreSQL, this\n is a finding.\n Only applications that are required for the functioning and administration,\n not use, of the PostgreSQL should be located in the same disk directory as\n the PostgreSQL software libraries.\n If other applications are located in the same directory as PostgreSQL, this\n is a finding.\"\n tag \"fix\": \"Install all applications on directories separate from the\n PostgreSQL software library directory. 
Relocate any directories or reinstall\n other application software that currently shares the PostgreSQL software\n library directory.\"\n\n PG_SHARED_DIRS.each do |dir|\n describe directory(dir) do\n it { should be_directory }\n it { should be_owned_by 'root' }\n it { should be_grouped_into 'root' }\n its('mode') { should cmp '0755' }\n end\n\n describe command(\"lsof | awk '$9 ~ \\\"#{dir}\\\" {print $1}'\") do\n its('stdout') { should match /^$|postgres|postmaster/ }\n its('stderr') { should eq '' }\n end\n end\nend\n","source_location":{"line":32,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb"},"results":[]},{"id":"V-72903","title":"PostgreSQL must include additional, more detailed, organization-defined\n information in the audit records for audit events identified by type,\n location, or subject.","desc":"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000101-DB-000044","gid":"V-72903","rid":"SV-87555r1_rule","stig_id":"PGS9-00-003500","cci":["CCI-000135"],"nist":["AU-3 (1)","Rev_4"],"check":"Review the system documentation to identify what additional\n information the organization has determined necessary.\n Check PostgreSQL settings and existing audit records to verify that all\n organization-defined additional, more detailed information is in the audit\n records for audit events identified by type, location, or subject.\n If any additional information is defined and is not contained in the audit\n records, this is a finding.","fix":"Configure PostgreSQL audit settings to include all\n organization-defined detailed information in the audit records for audit\n events identified by type, location, or subject.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging."},"code":"control \"V-72903\" do\n title \"PostgreSQL must include additional, more detailed, organization-defined\n information in the audit records for audit events identified by type,\n location, or subject.\"\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. 
To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000101-DB-000044\"\n tag \"gid\": \"V-72903\"\n tag \"rid\": \"SV-87555r1_rule\"\n tag \"stig_id\": \"PGS9-00-003500\"\n tag \"cci\": [\"CCI-000135\"]\n tag \"nist\": [\"AU-3 (1)\", \"Rev_4\"]\n tag \"check\": \"Review the system documentation to identify what additional\n information the organization has determined necessary.\n Check PostgreSQL settings and existing audit records to verify that all\n organization-defined additional, more detailed information is in the audit\n records for audit events identified by type, location, or subject.\n If any additional information is defined and is not contained in the audit\n records, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL audit settings to include all\n organization-defined detailed information in the audit records for audit\n events identified 
by type, location, or subject.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72903.rb"},"results":[]},{"id":"V-72905","title":"Execution of software modules (to include functions and trigger\n procedures) with elevated privileges must be restricted to necessary cases\n only.","desc":"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. 
At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000342-DB-000302","gid":"V-72905","rid":"SV-87557r1_rule","stig_id":"PGS9-00-003600","cci":["CCI-002233"],"nist":["AC-6 (8)","Rev_4"],"check":"Functions in PostgreSQL can be created with the SECURITY\n DEFINER option. 
When SECURITY DEFINER functions are executed by a user, said\n function is run with the privileges of the user who created it.\n To list all functions that have SECURITY DEFINER, as the database\n administrator (shown here as \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SELECT nspname, proname, proargtypes, prosecdef, rolname,\n proconfig FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN\n pg_authid a ON a.oid = p.proowner WHERE prosecdef OR NOT proconfig IS NULL;\"\n In the query results, a prosecdef value of \"t\" on a row indicates that that\n function uses privilege elevation.\n If elevation of PostgreSQL privileges is utilized but not documented, this is\n a finding.\n If elevation of PostgreSQL privileges is documented, but not implemented as\n described in the documentation, this is a finding.\n If the privilege-elevation logic can be invoked in ways other than intended,\n or in contexts other than intended, or by subjects/principals other than\n intended, this is a finding.","fix":"Determine where, when, how, and by what principals/subjects\n elevated privilege is needed.\n To change a SECURITY DEFINER function to SECURITY INVOKER, as the database\n administrator (shown here as \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"ALTER FUNCTION SECURITY INVOKER;\""},"code":"control \"V-72905\" do\n title \"Execution of software modules (to include functions and trigger\n procedures) with elevated privileges must be restricted to necessary cases\n only.\"\n desc \"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. 
However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000342-DB-000302\"\n tag \"gid\": \"V-72905\"\n tag \"rid\": \"SV-87557r1_rule\"\n tag \"stig_id\": \"PGS9-00-003600\"\n tag \"cci\": [\"CCI-002233\"]\n tag \"nist\": [\"AC-6 (8)\", \"Rev_4\"]\n tag \"check\": \"Functions in PostgreSQL can be created with the SECURITY\n DEFINER option. 
When SECURITY DEFINER functions are executed by a user, said\n function is run with the privileges of the user who created it.\n To list all functions that have SECURITY DEFINER, as, the database\n administrator (shown here as \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SELECT nspname, proname, proargtypes, prosecdef, rolname,\n proconfig FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN\n pg_authid a ON a.oid = p.proowner WHERE prosecdef OR NOT proconfig IS NULL;\\\"\n In the query results, a prosecdef value of \\\"t\\\" on a row indicates that that\n function uses privilege elevation.\n If elevation of PostgreSQL privileges is utilized but not documented, this is\n a finding.\n If elevation of PostgreSQL privileges is documented, but not implemented as\n described in the documentation, this is a finding.\n If the privilege-elevation logic can be invoked in ways other than intended,\n or in contexts other than intended, or by subjects/principals other than\n intended, this is a finding.\"\n tag \"fix\": \"Determine where, when, how, and by what principals/subjects\n elevated privilege is needed.\n To change a SECURITY DEFINER function to SECURITY INVOKER, as the database\n administrator (shown here as \\\"postgres\\\"), run the following SQL:\\\n $ sudo su - postgres\n $ psql -c \\\"ALTER FUNCTION SECURITY INVOKER;\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n security_definer_sql = \"SELECT nspname, proname, prosecdef \"\\\n \"FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid \"\\\n \"JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't';\"\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n 
connection_error_regex = Regexp.new(connection_error)\n\n sql_result=sql.query(security_definer_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72905.rb"},"results":[]},{"id":"V-72909","title":"PostgreSQL must utilize centralized management of the content captured\n in audit records generated by all components of PostgreSQL.","desc":"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. Whatever the method used, it must be compatible with\n off-loading the records to the centralized system.","descriptions":[{"label":"default","data":"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). 
Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. Whatever the method used, it must be compatible with\n off-loading the records to the centralized system."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000356-DB-000314","gid":"V-72909","rid":"SV-87561r1_rule","stig_id":"PGS9-00-003800","cci":["CCI-001844"],"nist":["AU-3 (2)","Rev_4"],"check":"On UNIX systems, PostgreSQL can be configured to use stderr,\n csvlog and syslog. To send logs to a centralized location, syslog should be\n used.\n As the database owner (shown here as \"postgres\"), ensure PostgreSQL uses\n syslog by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_destination\"\n As the database owner (shown here as \"postgres\"), check which log facility\n PostgreSQL is configured to use by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW syslog_facility\"\n Check with the organization to see how syslog facilities are defined in their\n organization.\n If PostgreSQL audit records are not written directly to or systematically\n transferred to a centralized log management system, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n With logging enabled, as the database owner (shown here as \"postgres\"),\n configure the following parameters in postgresql.conf:\n Note: Consult the organization on how syslog facilities are defined in the\n syslog daemon configuration. Writing to syslog only hands records to the local\n syslog daemon; the daemon must itself be configured to forward the chosen\n facility to the centralized log management system, otherwise the records\n remain on the local host.\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_destination = 'syslog'\n syslog_facility = 'LOCAL0'\n syslog_ident = 'postgres'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72909\" do\n title \"PostgreSQL must utilize centralized management of the content captured\n in audit records generated by all components of PostgreSQL.\"\n desc \"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. 
Whatever the method used, it must be compatible with\n off-loading the records to the centralized system.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000356-DB-000314\"\n tag \"gid\": \"V-72909\"\n tag \"rid\": \"SV-87561r1_rule\"\n tag \"stig_id\": \"PGS9-00-003800\"\n tag \"cci\": [\"CCI-001844\"]\n tag \"nist\": [\"AU-3 (2)\", \"Rev_4\"]\n tag \"check\": \"On UNIX systems, PostgreSQL can be configured to use stderr,\n csvlog and syslog. To send logs to a centralized location, syslog should be\n used.\n As the database owner (shown here as \\\"postgres\\\"), ensure PostgreSQL uses\n syslog by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_destination\\\"\n As the database owner (shown here as \\\"postgres\\\"), check which log facility\n PostgreSQL is configured by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW syslog_facility\\\"\n Check with the organization to see how syslog facilities are defined in their\n organization.\n If PostgreSQL audit records are not written directly to or systematically\n transferred to a centralized log management system, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n With logging enabled, as the database owner (shown here as \\\"postgres\\\"),\n configure the follow parameters in postgresql.conf:\n Note: Consult the organization on how syslog facilities are defined in the\n syslog daemon configuration.\n $ sudo su - postgres\n $ vi 'log_destination' ${PGDATA?}/postgresql.conf\n log_destination = 'syslog'\n syslog_facility = 'LOCAL0'\n syslog_ident = 'postgres'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW log_destination;', [PG_DB]) do\n its('output') { should match /syslog/i }\n end\n\n describe sql.query('SHOW syslog_facility;', [PG_DB]) do\n its('output') { should match /local[0-7]/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72909.rb"},"results":[]},{"id":"V-72911","title":"PostgreSQL must isolate security functions from non-security functions.","desc":"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n 
Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. 
When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000233-DB-000124","gid":"V-72911","rid":"SV-87563r1_rule","stig_id":"PGS9-00-004000","cci":["CCI-001084"],"nist":["SC-3","Rev_4"],"check":"Check PostgreSQL settings to determine whether objects or code\n implementing security functionality are located in a separate security domain,\n such as a separate database or schema created specifically for security\n functionality.\n By default, all objects in pg_catalog and information_schema are owned by the\n database administrator.\n To check the access controls for those schemas, as the database administrator\n (shown here as \"postgres\"), run the following commands to review the access\n privileges granted on the data dictionary and security tables, views,\n sequences, functions and trigger procedures:\n $ sudo su - postgres\n $ psql -x -c \"\\dp pg_catalog.*\"\n $ psql -x -c \"\\dp information_schema.*\"\n Repeat the \\dp statements for any additional schemas that contain locally\n defined security objects.\n\nRepeat using \\df+*.* to review ownership of\n PostgreSQL functions:\n $ sudo su - postgres\n $ psql -x -c \"\\df+ pg_catalog.*\"\n $ psql -x -c \"\\df+ information_schema.*\"\n Refer to the PostgreSQL online documentation for GRANT for help in\n interpreting the Access Privileges column in the output from \\dp. Note that\n an entry starting with an equals sign indicates privileges granted to Public\n (all users). 
By default, most of the tables and views in the pg_catalog and\n information_schema schemas can be read by Public.\n If any user besides the database administrator(s) is listed in access\n privileges and not documented, this is a finding.\n If security-related database objects or code are not kept separate, this is a\n finding.","fix":"Do not locate security-related database objects with application\n tables or schema.\n Review any site-specific applications security modules built into the\n database: determine what schema they are located in and take appropriate\n action.\n Do not grant access to pg_catalog or information_schema to anyone but the\n database administrator(s). Access to the database administrator account(s)\n must not be granted to anyone without official approval."},"code":"control \"V-72911\" do\n title \"PostgreSQL must isolate security functions from non-security functions.\"\n desc \"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. 
When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000233-DB-000124\"\n tag \"gid\": \"V-72911\"\n tag \"rid\": \"SV-87563r1_rule\"\n tag \"stig_id\": \"PGS9-00-004000\"\n tag \"cci\": [\"CCI-001084\"]\n tag \"nist\": [\"SC-3\", \"Rev_4\"]\n tag \"check\": \"Check PostgreSQL settings to determine whether objects or code\n implementing security functionality are located in a separate security domain,\n such as a separate database or schema created specifically for security\n functionality.\n By default, all objects in pg_catalog and information_schema are owned by the\n database administrator.\n To check the access controls for those schemas, as the database administrator\n (shown here as \\\"postgres\\\"), run the following commands to review the access\n privileges granted on the data dictionary and security tables, views,\n sequences, functions and trigger procedures:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\dp pg_catalog.*\\\"\n $ psql -x -c \\\"\\\\dp information_schema.*\\\"\n Repeat the \\\\dp statements for any additional schemas that contain locally\n defined security objects.\n\nRepeat using \\\\df+*.* to review ownership of\n PostgreSQL functions:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\df+ pg_catalog.*\\\"\n $ psql -x -c \\\"\\\\df+ information_schema.*\\\"\n Refer to the PostgreSQL online documentation for GRANT for help in\n interpreting the Access Privileges column in the output from \\\\du. Note that\n an entry starting with an equals sign indicates privileges granted to Public\n (all users). 
By default, most of the tables and views in the pg_catalog and\n information_schema schemas can be read by Public.\n If any user besides the database administrator(s) is listed in access\n privileges and not documented, this is a finding.\n If security-related database objects or code are not kept separate, this is a\n finding.\"\n tag \"fix\": \"Do not locate security-related database objects with application\n tables or schema.\n Review any site-specific applications security modules built into the\n database: determine what schema they are located in and take appropriate\n action.\n Do not grant access to pg_catalog or information_schema to anyone but the\n database administrator(s). Access to the database administrator account(s)\n must not be granted to anyone without official approval.\"\n\n exceptions = \"#{PG_OBJECT_EXCEPTIONS.map { |e| \"'#{e}'\" }.join(',')}\"\n object_acl = \"^(((#{PG_OWNER}=[#{PG_OBJECT_GRANTED_PRIVILEGES}]+|\"\\\n \"=[#{PG_OBJECT_PUBLIC_PRIVILEGES}]+)\\\\/\\\\w+,?)+|)$\"\n schemas = ['pg_catalog', 'information_schema']\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n schemas.each do |schema|\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.array_to_string(c.relacl, E',') FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f') \"\\\n \"AND n.nspname ~ '^(#{schema})$' \"\\\n \"AND pg_catalog.array_to_string(c.relacl, E',') !~ '#{object_acl}' \"\\\n \"AND c.relname NOT IN (#{exceptions});\"\n\n describe sql.query(objects_sql, [PG_DB]) do\n its('output') { should eq '' }\n end\n\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE n.nspname ~ '^(#{schema})$' \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n\n describe 
sql.query(functions_sql, [PG_DB]) do\n its('output') { should eq '' }\n end\n end\nend\n","source_location":{"line":70,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72911.rb"},"results":[]},{"id":"V-72917","title":"When updates are applied to PostgreSQL software, any software\n components that have been replaced or made unnecessary must be removed.","desc":"Previous versions of PostgreSQL components that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. This should be taken into account in the planning.","descriptions":[{"label":"default","data":"Previous versions of PostgreSQL components that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. 
This should be taken into account in the planning."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000454-DB-000389","gid":"V-72917","rid":"SV-87569r1_rule","stig_id":"PGS9-00-004300","cci":["CCI-002617"],"nist":["SI-2 (6)","Rev_4"],"check":"To check software installed by packages, as the system\n administrator, run the following command:\n # RHEL/CENT Systems\n $ sudo rpm -qa | grep postgres\n # Debian/Ubuntu Systems\n $ dpkg -l | grep postgres\n If multiple versions of postgres are installed but are unused, this is a\n finding.\n Note: the InSpec control for this requirement is skipped unconditionally\n (only_if { false }), so this check must be performed manually.","fix":"Use package managers (RPM or apt-get) for installing PostgreSQL.\n An update only replaces the package it supersedes; older PostgreSQL packages\n that are still installed afterwards (see the check above) are not removed\n automatically and must be identified and uninstalled with the package manager\n once the transition period is over."},"code":"control \"V-72917\" do\n title \"When updates are applied to PostgreSQL software, any software\n components that have been replaced or made unnecessary must be removed.\"\n desc \"Previous versions of PostgreSQL components that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. 
This should be taken into account in the planning.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000454-DB-000389\"\n tag \"gid\": \"V-72917\"\n tag \"rid\": \"SV-87569r1_rule\"\n tag \"stig_id\": \"PGS9-00-004300\"\n tag \"cci\": [\"CCI-002617\"]\n tag \"nist\": [\"SI-2 (6)\", \"Rev_4\"]\n tag \"check\": \"To check software installed by packages, as the system\n administrator, run the following command:\n # RHEL/CENT Systems\n $ sudo rpm -qa | grep postgres\n If multiple versions of postgres are installed but are unused, this is a\n finding.\"\n tag \"fix\": \"Use package managers (RPM or apt-get) for installing PostgreSQL.\n Unused software is removed when updated.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72917.rb"},"results":[]},{"id":"V-72919","title":"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is accessed.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000494-DB-000344","gid":"V-72919","rid":"SV-87571r1_rule","stig_id":"PGS9-00-004400","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), run\n the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW pgaudit.log\"\n If pgaudit.log does not contain \"ddl, write, role\", this is a finding.\n Note: these classes audit DDL, data modification and role changes only; read\n access (SELECT) to categorized information is audited only if the \"read\" class\n is also enabled, as the other pgaudit controls in this profile require. As in\n those controls, first confirm \"pgaudit\" appears in SHOW shared_preload_libraries;\n a pgaudit.log value alone does not show that the extension is loaded.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72919\" do\n title \"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is accessed.\"\n desc \"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000494-DB-000344\"\n tag \"gid\": \"V-72919\"\n tag \"rid\": \"SV-87571r1_rule\"\n tag \"stig_id\": \"PGS9-00-004400\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), run\n the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If pgaudit.log does not contain, \\\"ddl, write, role\\\", this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. 
See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgaudit_types = %w(ddl role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72919.rb"},"results":[]},{"id":"V-72931","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n delete categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000502-DB-000349","gid":"V-72931","rid":"SV-87583r1_rule","stig_id":"PGS9-00-005000","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain \"pgaudit\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72931\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n delete categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000502-DB-000349\"\n tag \"gid\": \"V-72931\"\n tag \"rid\": \"SV-87583r1_rule\"\n tag \"stig_id\": \"PGS9-00-005000\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The 
following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72931.rb"},"results":[]},{"id":"V-72949","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n modify categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000498-DB-000347","gid":"V-72949","rid":"SV-87601r1_rule","stig_id":"PGS9-00-005600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain \"pgaudit\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to modify categories of information.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging. 
All denials are logged when logging is enabled.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72949\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n modify categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000498-DB-000347\"\n tag \"gid\": \"V-72949\"\n tag \"rid\": \"SV-87601r1_rule\"\n tag \"stig_id\": \"PGS9-00-005600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to produce audit records 
when unsuccessful\n attempts to modify categories of information.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging. All denials are logged when logging is enabled.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72949.rb"},"results":[]},{"id":"V-72953","title":"PostgreSQL must generate audit records for all privileged activities or\n other system-level access.","desc":"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. 
In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity.","descriptions":[{"label":"default","data":"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. 
Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000504-DB-000354","gid":"V-72953","rid":"SV-87605r1_rule","stig_id":"PGS9-00-005800","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n shared_preload_libraries = 'pgaudit'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72953\" do\n title \"PostgreSQL must generate audit records for all privileged activities or\n other system-level access.\"\n desc \"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. 
Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000504-DB-000354\"\n tag \"gid\": \"V-72953\"\n tag \"rid\": \"SV-87605r1_rule\"\n tag \"stig_id\": \"PGS9-00-005800\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n shared_preload_libraries = 'pgaudit'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72953.rb"},"results":[]},{"id":"V-72955","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n access categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000494-DB-000345","gid":"V-72955","rid":"SV-87607r1_rule","stig_id":"PGS9-00-005900","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator (shown here as\n \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW pgaudit.log\"\n If pgaudit.log does not contain, \"ddl, write, role\", this is a finding.","fix":"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to access categories of information.\n All denials are logged if logging is enabled. To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72955\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n access categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000494-DB-000345\"\n tag \"gid\": \"V-72955\"\n tag \"rid\": \"SV-87607r1_rule\"\n tag \"stig_id\": \"PGS9-00-005900\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as\n \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If pgaudit.log does not contain, \\\"ddl, write, role\\\", this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to access categories of information.\n All denials are logged if logging is enabled. 
To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgaudit_types = %w(ddl role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72955.rb"},"results":[]},{"id":"V-72957","title":"PostgreSQL must be able to generate audit records when security objects\n are accessed.","desc":"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DROP.","descriptions":[{"label":"default","data":"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n 
DROP."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000492-DB-000332","gid":"V-72957","rid":"SV-87609r1_rule","stig_id":"PGS9-00-006000","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72957\" do\n title \"PostgreSQL must be able to generate audit records when security objects\n are accessed.\"\n desc \"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DROP.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": 
\"SRG-APP-000492-DB-000332\"\n tag \"gid\": \"V-72957\"\n tag \"rid\": \"SV-87609r1_rule\"\n tag \"stig_id\": \"PGS9-00-006000\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72957.rb"},"results":[]},{"id":"V-72959","title":"PostgreSQL must generate audit records when privileges/permissions 
are\n deleted.","desc":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command.","descriptions":[{"label":"default","data":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000499-DB-000330","gid":"V-72959","rid":"SV-87611r1_rule","stig_id":"PGS9-00-006100","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72959\" do\n title \"PostgreSQL must generate audit records when privileges/permissions are\n deleted.\"\n desc \"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000499-DB-000330\"\n tag \"gid\": \"V-72959\"\n tag \"rid\": \"SV-87611r1_rule\"\n tag \"stig_id\": \"PGS9-00-006100\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72959.rb"},"results":[]},{"id":"V-72961","title":"PostgreSQL must generate audit records when concurrent\n logons/connections by the same user from different workstations occur.","desc":"For completeness of forensic analysis, it is necessary to \n track who logs on to PostgreSQL.\n\n Concurrent connections by the same user from multiple \n workstations may be valid use of the system; or such \n connections may be due to improper circumvention of the \n requirement to use the CAC/PIV for authentication; or they may \n indicate unauthorized account sharing; or they may be because \n an account has been compromised.\n\n (If the fact of multiple, concurrent logons by a given user \n can be reliably reconstructed from the log entries for other \n events (logons/connections; voluntary and involuntary \n disconnections), then it is not mandatory to create 
additional \n log entries specifically for this.)","descriptions":[{"label":"default","data":"For completeness of forensic analysis, it is necessary to \n track who logs on to PostgreSQL.\n\n Concurrent connections by the same user from multiple \n workstations may be valid use of the system; or such \n connections may be due to improper circumvention of the \n requirement to use the CAC/PIV for authentication; or they may \n indicate unauthorized account sharing; or they may be because \n an account has been compromised.\n\n (If the fact of multiple, concurrent logons by a given user \n can be reliably reconstructed from the log entries for other \n events (logons/connections; voluntary and involuntary \n disconnections), then it is not mandatory to create additional \n log entries specifically for this.)"}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000506-DB-000353","gid":"V-72961","rid":"SV-87613r1_rule","stig_id":"PGS9-00-006200","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify that\n log_connections and log_disconnections are enabled by running the following\n SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_connections\"\n $ psql -c \"SHOW log_disconnections\"\n If either is off, this is a finding.\n Next, verify that log_line_prefix contains sufficient information by running\n the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n If log_line_prefix does not contain at least %m %u %d %c, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First, as the database administrator (shown here as \"postgres\"), edit\n postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Edit the following parameters as such:\n log_connections = on\n log_disconnections = on\n log_line_prefix = '< %m %u %d %c: >'\n Where:\n * %m is the time and date\n * %u is the username\n * %d is the database\n * %c is the session ID for the connection\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":" control 'V-72961' do\n desc 'For completeness of forensic analysis, it is necessary to \n track who logs on to PostgreSQL.\n\n Concurrent connections by the same user from multiple \n workstations may be valid use of the system; or such \n connections may be due to improper circumvention of the \n requirement to use the CAC/PIV for authentication; or they may \n indicate unauthorized account sharing; or they may be because \n an account has been compromised.\n\n (If the fact of multiple, concurrent logons by a given user \n can be reliably reconstructed from the log entries for other \n events (logons/connections; voluntary and involuntary \n disconnections), then it is not mandatory to create additional \n log entries specifically for this.)'\n end\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72961.rb"},"results":[]},{"id":"V-72963","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n delete security objects occur.","desc":"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. 
If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.","descriptions":[{"label":"default","data":"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000501-DB-000337","gid":"V-72963","rid":"SV-87615r1_rule","stig_id":"PGS9-00-006300","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Configure PostgreSQL to produce audit records when unsuccessful attempts to\n delete security objects occur.\n All errors and denials are logged if logging is enabled. 
To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72963\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n delete security objects occur.\"\n desc \"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000501-DB-000337\"\n tag \"gid\": \"V-72963\"\n tag \"rid\": \"SV-87615r1_rule\"\n tag \"stig_id\": \"PGS9-00-006300\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Configure PostgreSQL to produce audit records when unsuccessful attempts to\n delete security objects occur.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72963.rb"},"results":[]},{"id":"V-72965","title":"PostgreSQL must generate audit records when privileges/permissions are\n modified.","desc":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. 
Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands.","descriptions":[{"label":"default","data":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000495-DB-000328","gid":"V-72965","rid":"SV-87617r1_rule","stig_id":"PGS9-00-006400","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role is enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72965\" do\n title \"PostgreSQL must generate audit records when privileges/permissions are\n modified.\"\n desc \"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000495-DB-000328\"\n tag \"gid\": \"V-72965\"\n tag \"rid\": \"SV-87617r1_rule\"\n tag \"stig_id\": \"PGS9-00-006400\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role is enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = ['role']\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72965.rb"},"results":[]},{"id":"V-72971","title":"PostgreSQL must generate audit records when security objects are\n modified.","desc":"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. The database could be severely\n compromised or rendered inoperative.","descriptions":[{"label":"default","data":"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. 
The database could be severely\n compromised or rendered inoperative."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000496-DB-000334","gid":"V-72971","rid":"SV-87623r1_rule","stig_id":"PGS9-00-006600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain `pgaudit`, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain `role`, `read`, `write`, and `ddl`, this is a\n finding.\n Next, verify that accessing the catalog is audited by running the following\n SQL:\n $ psql -c \"SHOW pgaudit.log_catalog\"\n If log_catalog is not `on`, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. 
See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`. With `pgaudit` installed the following\n configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log_catalog = 'on'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72971\" do\n title \"PostgreSQL must generate audit records when security objects are\n modified.\"\n desc \"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. The database could be severely\n compromised or rendered inoperative.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000496-DB-000334\"\n tag \"gid\": \"V-72971\"\n tag \"rid\": \"SV-87623r1_rule\"\n tag \"stig_id\": \"PGS9-00-006600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain `pgaudit`, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain `role`, `read`, `write`, and `ddl`, this is a\n finding.\n Next, verify that accessing the catalog is audited by running the following\n SQL:\n $ psql -c \\\"SHOW pgaudit.log_catalog\\\"\n If log_catalog is not `on`, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n 
variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`. With `pgaudit` installed the following\n configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log_catalog = 'on'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\n\n describe sql.query('SHOW pgaudit.log_catalog;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72971.rb"},"results":[]},{"id":"V-72973","title":"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is modified.","desc":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000498-DB-000346","gid":"V-72973","rid":"SV-87625r1_rule","stig_id":"PGS9-00-006700","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"If category tracking is not required in the database, this is\n not applicable.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":" control \"V-72973\" do\n title \"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is modified.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000498-DB-000346\"\n tag \"gid\": \"V-72973\"\n tag \"rid\": \"SV-87625r1_rule\"\n tag \"stig_id\": \"PGS9-00-006700\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"If category tracking is not required in the database, this is\n not applicable.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72973.rb"},"results":[]},{"id":"V-72979","title":"PostgreSQL, when utilizing PKI-based authentication, must validate\n certificates by performing RFC 5280-compliant certification path validation.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n\n A certificate certification path is the path from the end \n entity certificate to a trusted root certification authority \n (CA). Certification path validation is necessary for a relying \n party to make an informed decision regarding acceptance of an \n end entity certificate. 
Certification path validation includes \n checks such as certificate issuer trust, time validity and \n revocation status for each certificate in the certification \n path. Revocation status information for CA and subject \n certificates in a certification path is commonly provided via \n certificate revocation lists (CRLs) or online certificate \n status protocol (OCSP) responses.\n\n Database Management Systems that do not validate certificates \n by performing RFC 5280-compliant certification path validation \n are in danger of accepting certificates that are invalid and/or \n counterfeit. This could allow unauthorized access to the database.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n\n A certificate certification path is the path from the end \n entity certificate to a trusted root certification authority \n (CA). Certification path validation is necessary for a relying \n party to make an informed decision regarding acceptance of an \n end entity certificate. Certification path validation includes \n checks such as certificate issuer trust, time validity and \n revocation status for each certificate in the certification \n path. Revocation status information for CA and subject \n certificates in a certification path is commonly provided via \n certificate revocation lists (CRLs) or online certificate \n status protocol (OCSP) responses.\n\n Database Management Systems that do not validate certificates \n by performing RFC 5280-compliant certification path validation \n are in danger of accepting certificates that are invalid and/or \n counterfeit. 
This could allow unauthorized access to the database."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000175-DB-000067","gid":"V-72979","rid":"SV-87631r1_rule","stig_id":"PGS9-00-007000","cci":["CCI-000185"],"nist":["IA-5 (2) (a)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To verify that a CRL file exists, as the database administrator (shown here as\n \"postgres\"), run the following:\n $ sudo su - postgres\n $ psql -c \"SHOW ssl_crl_file\"\n If this is not set to a CRL file, this is a finding.\n Next, verify the existence of the CRL file by checking the directory set in\n postgresql.conf in the ssl_crl_file parameter from above:\n Note: If no directory is specified, then the CRL file should be located in the\n same directory as postgresql.conf (PGDATA).\n If the CRL file does not exist, this is a finding.\n Next, verify that hostssl entries in pg_hba.conf have \"cert\" and\n \"clientcert=1\" enabled:\n $ sudo su - postgres\n $ grep hostssl ${PGDATA?}/pg_hba.conf\n If the hostssl entries do not contain cert or clientcert=1, this is a finding.\n If certificates are not being validated by performing RFC 5280-compliant\n certification path validation, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G.\n To generate a Certificate Revocation List, see the official Red Hat\n Documentation:\n https://access.redhat.com/documentation/en-US/Red_Hat_Update_Infrastructure/2.1/html/Administration_Guide/chap-Red_Hat_Update_Infrastructure-Administration_Guide-Certification_Revocation_List_CRL.html\n As the database administrator (shown here as \"postgres\"), copy the CRL file\n into the data directory:\n First, as the system administrator, copy the CRL file into the PostgreSQL Data\n Directory:\n $ sudo cp root.crl ${PGDATA?}/root.crl\n As the database administrator (shown here as \"postgres\"), set the\n ssl_crl_file parameter to the filename of the CRL:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n ssl_crl_file = 'root.crl'\n Next, in pg_hba.conf, require ssl authentication:\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n hostssl 
cert clientcert=1\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":" control 'V-72979' do\n desc 'The CMS standard for authentication is CMS-approved PKI \n certificates.\n\n A certificate certification path is the path from the end \n entity certificate to a trusted root certification authority \n (CA). Certification path validation is necessary for a relying \n party to make an informed decision regarding acceptance of an \n end entity certificate. Certification path validation includes \n checks such as certificate issuer trust, time validity and \n revocation status for each certificate in the certification \n path. Revocation status information for CA and subject \n certificates in a certification path is commonly provided via \n certificate revocation lists (CRLs) or online certificate \n status protocol (OCSP) responses.\n\n Database Management Systems that do not validate certificates \n by performing RFC 5280-compliant certification path validation \n are in danger of accepting certificates that are invalid and/or \n counterfeit. 
This could allow unauthorized access to the database.'\n end\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72979.rb"},"results":[]},{"id":"V-72981","title":"PostgreSQL must maintain the confidentiality and integrity of\n information during preparation for transmission.","desc":"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.","descriptions":[{"label":"default","data":"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must 
leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000441-DB-000378","gid":"V-72981","rid":"SV-87633r1_rule","stig_id":"PGS9-00-007200","cci":["CCI-002420"],"nist":["SC-8 (2)","Rev_4"],"check":"If the data owner does not have a strict requirement for ensuring\n data integrity and confidentiality is maintained at every step of the data\n transfer and handling process, this is not a finding.\n As the database administrator (shown here as \"postgres\"), verify SSL is\n enabled by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n If SSL is not enabled, this is a finding.\n If PostgreSQL does not employ protective measures against unauthorized\n disclosure and modification during preparation for transmission, this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Implement protective measures against unauthorized disclosure and modification\n during preparation for transmission.\n To configure PostgreSQL to use SSL, as a database administrator (shown here as\n \"postgres\"), edit postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameter:\n ssl = on\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G."},"code":"control \"V-72981\" do\n title \"PostgreSQL must maintain the confidentiality and integrity of\n information during preparation for transmission.\"\n desc \"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000441-DB-000378\"\n tag \"gid\": \"V-72981\"\n tag \"rid\": \"SV-87633r1_rule\"\n tag 
\"stig_id\": \"PGS9-00-007200\"\n tag \"cci\": [\"CCI-002420\"]\n tag \"nist\": [\"SC-8 (2)\", \"Rev_4\"]\n tag \"check\": \"If the data owner does not have a strict requirement for ensuring\n data integrity and confidentiality is maintained at every step of the data\n transfer and handling process, this is not a finding.\n As the database administrator (shown here as \\\"postgres\\\"), verify SSL is\n enabled by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW ssl\\\"\n If SSL is not enabled, this is a finding.\n If PostgreSQL does not employ protective measures against unauthorized\n disclosure and modification during preparation for transmission, this is a\n finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Implement protective measures against unauthorized disclosure and modification\n during preparation for transmission.\n To configure PostgreSQL to use SSL, as a database administrator (shown here as\n \\\"postgres\\\"), edit postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameter:\n ssl = on\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72981.rb"},"results":[]},{"id":"V-72983","title":"PostgreSQL must provide audit record generation capability \n for CMS-defined auditable events within all DBMS/database \n 
components.","desc":"Without the capability to generate audit records, it would \n be difficult to establish, correlate, and investigate the events \n relating to an incident or identify those responsible for one. \n\n Audit records can be generated from various components within \n PostgreSQL (e.g., process, module). Certain specific application \n functionalities may be audited as well. The list of audited events \n is the set of events for which audits are to be generated. This \n set of events is typically a subset of the list of all events for \n which the system is capable of generating audit records.\n\n CMS has defined the list of events for which PostgreSQL will \n provide an audit record generation capability as the following: \n\n (i) Successful and unsuccessful attempts to access, modify, or \n delete privileges, security objects, security levels, or categories \n of information (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon \n attempts, privileged activities, or other system-level access, \n starting and ending time for user access to the system, concurrent \n logons from different workstations, successful and unsuccessful \n accesses to objects, all program initiations, and all direct \n access to the information system; and\n (iii) All account creation, modification, disabling, and \n termination actions.\n\n Organizations may define additional events requiring continuous \n or ad hoc auditing.","descriptions":[{"label":"default","data":"Without the capability to generate audit records, it would \n be difficult to establish, correlate, and investigate the events \n relating to an incident or identify those responsible for one. \n\n Audit records can be generated from various components within \n PostgreSQL (e.g., process, module). Certain specific application \n functionalities may be audited as well. The list of audited events \n is the set of events for which audits are to be generated. 
This \n set of events is typically a subset of the list of all events for \n which the system is capable of generating audit records.\n\n CMS has defined the list of events for which PostgreSQL will \n provide an audit record generation capability as the following: \n\n (i) Successful and unsuccessful attempts to access, modify, or \n delete privileges, security objects, security levels, or categories \n of information (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon \n attempts, privileged activities, or other system-level access, \n starting and ending time for user access to the system, concurrent \n logons from different workstations, successful and unsuccessful \n accesses to objects, all program initiations, and all direct \n access to the information system; and\n (iii) All account creation, modification, disabling, and \n termination actions.\n\n Organizations may define additional events requiring continuous \n or ad hoc auditing."},{"label":"fix","data":"Configure PostgreSQL to generate audit records for at \n least the CMS minimum set of events.\n\n Using pgaudit PostgreSQL can be configured to audit these \n requests. See supplementary content APPENDIX-B for documentation \n on installing pgaudit.\n\n To ensure that logging is enabled, review supplementary content \n APPENDIX-C for instructions on enabling logging."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000089-DB-000064","gid":"V-72983","rid":"SV-87635r1_rule","stig_id":"PGS9-00-007400","cci":["CCI-000169"],"nist":["AU-12 a","Rev_4"],"check":"Check PostgreSQL auditing to determine whether\n organization-defined auditable events are being audited by the system.\n If organization-defined auditable events are not being audited, this is a\n finding.","fix":"Configure PostgreSQL to generate audit records for at least the\n DoD minimum set of events.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging."},"code":" control 'V-72983' do\n title 'PostgreSQL must provide audit record generation capability \n for CMS-defined auditable events within all DBMS/database \n components.'\n desc 'Without the capability to generate audit records, it would \n be difficult to establish, correlate, and investigate the events \n relating to an incident or identify those responsible for one. \n\n Audit records can be generated from various components within \n PostgreSQL (e.g., process, module). Certain specific application \n functionalities may be audited as well. The list of audited events \n is the set of events for which audits are to be generated. This \n set of events is typically a subset of the list of all events for \n which the system is capable of generating audit records.\n\n CMS has defined the list of events for which PostgreSQL will \n provide an audit record generation capability as the following: \n\n (i) Successful and unsuccessful attempts to access, modify, or \n delete privileges, security objects, security levels, or categories \n of information (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon \n attempts, privileged activities, or other system-level access, \n starting and ending time for user access to the system, concurrent \n logons from different workstations, successful and unsuccessful \n accesses to objects, all program initiations, and all direct \n access to the information system; and\n (iii) All account creation, modification, disabling, and \n termination actions.\n\n Organizations may define additional events requiring continuous \n or ad hoc auditing.'\n desc 'fix', 'Configure PostgreSQL to generate audit records for at \n least the CMS minimum set of events.\n\n Using pgaudit PostgreSQL can be configured 
to audit these \n requests. See supplementary content APPENDIX-B for documentation \n on installing pgaudit.\n\n To ensure that logging is enabled, review supplementary content \n APPENDIX-C for instructions on enabling logging.'\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72983.rb"},"results":[]},{"id":"V-72987","title":"PostgreSQL must produce audit records containing sufficient information\n to establish the identity of any user/subject or process associated with the\n event.","desc":"Information system auditing capability is critical for accurate\n forensic analysis. Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate\n forensic analysis. 
Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded."}],"impact":0.5,"refs":[],"tags":{"check":"Check PostgreSQL settings and existing audit records to verify a\n user name associated with the event is being captured and stored with the\n audit records. If audit records exist without specific user information, this\n is a finding.\n First, as the database administrator (shown here as \"postgres\"), verify the\n current setting of log_line_prefix by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n If log_line_prefix does not contain %m, %u, %d, %p, %r, %a, this is a finding.","fix":"Logging must be enabled in order to capture the identity of any\n user/subject or process associated with an event. 
To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n To enable username, database name, process ID, remote host/port and\n application name in logging, as the database administrator (shown here as\n \"postgres\"), edit the following in postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_line_prefix = '< %m %u %d %p %r %a >'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72987\" do\n title \"PostgreSQL must produce audit records containing sufficient information\n to establish the identity of any user/subject or process associated with the\n event.\"\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. 
In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded.\"\n tag \"check\": \"Check PostgreSQL settings and existing audit records to verify a\n user name associated with the event is being captured and stored with the\n audit records. If audit records exist without specific user information, this\n is a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), verify the\n current setting of log_line_prefix by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_line_prefix\\\"\n If log_line_prefix does not contain %m, %u, %d, %p, %r, %a, this is a finding.\"\n tag \"fix\": \"Logging must be enabled in order to capture the identity of any\n user/subject or process associated with an event. To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n To enable username, database name, process ID, remote host/port and\n application name in logging, as the database administrator (shown here as\n \\\"postgres\\\"), edit the following in postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_line_prefix = '< %m %u %d %p %r %a >'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %p %r %a)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n 
end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72987.rb"},"results":[]},{"id":"V-72989","title":"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic\n modules to generate and validate cryptographic hashes.","desc":"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000514-DB-000381","gid":"V-72989","rid":"SV-87641r1_rule","stig_id":"PGS9-00-008000","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.","fix":"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-72989\" do\n title \"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic\n modules to generate and validate cryptographic hashes.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant.\"\n\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000514-DB-000381\"\n tag \"gid\": \"V-72989\"\n tag \"rid\": \"SV-87641r1_rule\"\n tag \"stig_id\": \"PGS9-00-008000\"\n tag \"cci\": [\"CCI-002450\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n\n tag \"check\": \"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.\"\n tag \"fix\": \"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n describe kernel_parameter('crypto.fips_enabled') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72989.rb"},"results":[]},{"id":"V-72991","title":"PostgreSQL must use CMS-approved cryptography to protect \n classified sensitive information in accordance with the data owners \n requirements.","desc":"Use of weak or untested encryption algorithms undermines the \n purposes of utilizing encryption to protect data. The application \n must implement cryptographic modules adhering to the higher standards \n approved by the federal government since this provides assurance \n they have been tested and validated.\n\n It is the responsibility of the data owner to assess the cryptography \n requirements in light of applicable federal laws, Executive Orders, \n directives, policies, regulations, and standards.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the \n purposes of utilizing encryption to protect data. 
The application \n must implement cryptographic modules adhering to the higher standards \n approved by the federal government since this provides assurance \n they have been tested and validated.\n\n It is the responsibility of the data owner to assess the cryptography \n requirements in light of applicable federal laws, Executive Orders, \n directives, policies, regulations, and standards."},{"label":"check","data":"If PostgreSQL is not using CMS-approved cryptography \n to protect classified sensitive information in accordance with \n applicable federal laws, Executive Orders, directives, policies, \n regulations, and standards, this is a finding.\n\n To check if PostgreSQL is configured to use SSL, as the database \n administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n\n If SSL is off, this is a finding."},{"label":"fix","data":"Note: The following instructions use the PGDATA \n environment variable. See supplementary content APPENDIX-F for \n instructions on configuring PGDATA.\n\n To configure PostgreSQL to use SSL, as a database administrator \n (shown here as \"postgres\"), edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameter:\n\n ssl = on\n\n Now, as the system administrator, reload the server with the \n new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n\n For more information on configuring PostgreSQL to use SSL, see \n supplementary content APPENDIX-G."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000416-DB-000380","gid":"V-72991","rid":"SV-87643r1_rule","stig_id":"PGS9-00-008100","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"If PostgreSQL is deployed in an unclassified environment, this is\nnot applicable (NA).\n\nIf PostgreSQL is not using NSA-approved cryptography to protect 
classified\ninformation in accordance with applicable federal laws, Executive Orders,\ndirectives, policies, regulations, and standards, this is a finding.\n\nTo check if PostgreSQL is configured to use SSL, as the database administrator\n(shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\"\n\nIf SSL is off, this is a finding.\n\nConsult network administration staff to determine whether the server is protected by\nNSA-approved encrypting devices. If not, this a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo configure PostgreSQL to use SSL, as a database administrator (shown here as\n\"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nDeploy NSA-approved encrypting devices to protect the server on the network."},"code":" control 'V-72991' do\n title 'PostgreSQL must use CMS-approved cryptography to protect \n classified sensitive information in accordance with the data owners \n requirements.'\n desc 'Use of weak or untested encryption algorithms undermines the \n purposes of utilizing encryption to protect data. 
The application \n must implement cryptographic modules adhering to the higher standards \n approved by the federal government since this provides assurance \n they have been tested and validated.\n\n It is the responsibility of the data owner to assess the cryptography \n requirements in light of applicable federal laws, Executive Orders, \n directives, policies, regulations, and standards.'\n desc 'check', 'If PostgreSQL is not using CMS-approved cryptography \n to protect classified sensitive information in accordance with \n applicable federal laws, Executive Orders, directives, policies, \n regulations, and standards, this is a finding.\n\n To check if PostgreSQL is configured to use SSL, as the database \n administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n\n If SSL is off, this is a finding.'\n desc 'fix', 'Note: The following instructions use the PGDATA \n environment variable. See supplementary content APPENDIX-F for \n instructions on configuring PGDATA.\n\n To configure PostgreSQL to use SSL, as a database administrator \n (shown here as \"postgres\"), edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameter:\n\n ssl = on\n\n Now, as the system administrator, reload the server with the \n new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n\n For more information on configuring PostgreSQL to use SSL, see \n supplementary content APPENDIX-G.'\n end\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72991.rb"},"results":[]},{"id":"V-72993","title":"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules\nto protect unclassified information requiring confidentiality and cryptographic\nprotection, in accordance with the data owners 
requirements.","desc":"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000514-DB-000383","gid":"V-72993","rid":"SV-87645r1_rule","stig_id":"PGS9-00-008200","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.","fix":"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-72993\" do\n\n title \"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules\nto protect unclassified information requiring confidentiality and cryptographic\nprotection, in accordance with the data owners requirements.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant.\"\n\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000514-DB-000383\"\n tag \"gid\": \"V-72993\"\n tag \"rid\": \"SV-87645r1_rule\"\n tag \"stig_id\": \"PGS9-00-008200\"\n tag \"cci\": [\"CCI-002450\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n\n tag \"check\": \"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.\"\n\n tag \"fix\": \"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n describe kernel_parameter('crypto.fips_enabled') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":26,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72993.rb"},"results":[]},{"id":"V-72995","title":"PostgreSQL must protect the confidentiality and integrity of all\ninformation at rest.","desc":"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification.","descriptions":[{"label":"default","data":"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. 
Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000231-DB-000154","gid":"V-72995","rid":"SV-87647r1_rule","stig_id":"PGS9-00-008300","cci":["CCI-001199"],"nist":["SC-28","Rev_4"],"check":"One possible way to encrypt data within PostgreSQL is to use the\npgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of disk-level encryption. If this is required and is not found,\nthis is a finding.\n\nIf controls do not exist or are not enabled, this is a finding.","fix":"Apply appropriate controls to protect the confidentiality and\nintegrity of data at rest in the database.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('xdes')));"},"code":"control \"V-72995\" do\n\n title \"PostgreSQL must protect the confidentiality and integrity of all\ninformation at rest.\"\n desc \"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000231-DB-000154\"\n tag \"gid\": \"V-72995\"\n tag \"rid\": \"SV-87647r1_rule\"\n tag \"stig_id\": \"PGS9-00-008300\"\n tag \"cci\": [\"CCI-001199\"]\n tag \"nist\": [\"SC-28\", \"Rev_4\"]\n\n tag \"check\": \"One possible way to encrypt data within PostgreSQL is to use the\npgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires 
encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of disk-level encryption. If this is required and is not found,\nthis is a finding.\n\nIf controls do not exist or are not enabled, this is a finding.\"\n tag \"fix\": \"Apply appropriate controls to protect the confidentiality and\nintegrity of data at rest in the database.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('xdes')));\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72995.rb"},"results":[]},{"id":"V-72999","title":"PostgreSQL must separate user functionality (including user interface\nservices) from database management functionality.","desc":"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the 
administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for users, information on DBMS settings may be\ninadvertently made available to the user.","descriptions":[{"label":"default","data":"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for users, information on DBMS settings may be\ninadvertently made available to the user."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000211-DB-000122","gid":"V-72999","rid":"SV-87651r1_rule","stig_id":"PGS9-00-008500","cci":["CCI-001082"],"nist":["SC-2","Rev_4"],"check":"Check PostgreSQL settings and vendor documentation to verify that\nadministrative functionality is separate from user functionality.\n\nAs the database administrator (shown here as \"postgres\"), list all roles and\npermissions for the database:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf any non-administrative role has the attribute \"Superuser\", \"Create role\",\n\"Create DB\" or 
\"Bypass RLS\", this is a finding.\n\nIf administrator and general user functionality are not separated either physically\nor logically, this is a finding.","fix":"Configure PostgreSQL to separate database administration and general\nuser functionality.\n\nDo not grant superuser, create role, create db or bypass rls role attributes to\nusers that do not require it.\n\nTo remove privileges, see the following example:\n\nALTER ROLE NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;"},"code":"control \"V-72999\" do\n\n title \"PostgreSQL must separate user functionality (including user interface\nservices) from database management functionality.\"\n desc \"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for users, information on DBMS settings may be\ninadvertently made available to the user.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000211-DB-000122\"\n tag \"gid\": \"V-72999\"\n tag \"rid\": \"SV-87651r1_rule\"\n tag \"stig_id\": \"PGS9-00-008500\"\n tag \"cci\": [\"CCI-001082\"]\n tag \"nist\": [\"SC-2\", \"Rev_4\"]\n\n tag \"check\": 
\"Check PostgreSQL settings and vendor documentation to verify that\nadministrative functionality is separate from user functionality.\n\nAs the database administrator (shown here as \\\"postgres\\\"), list all roles and\npermissions for the database:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\du\\\"\n\nIf any non-administrative role has the attribute \\\"Superuser\\\", \\\"Create role\\\",\n\\\"Create DB\\\" or \\\"Bypass RLS\\\", this is a finding.\n\nIf administrator and general user functionality are not separated either physically\nor logically, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to separate database administration and general\nuser functionality.\n\nDo not grant superuser, create role, create db or bypass rls role attributes to\nusers that do not require it.\n\nTo remove privileges, see the following example:\n\nALTER ROLE NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;\"\n\n privileges = %w(rolcreatedb rolcreaterole rolsuper)\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n privileges.each do |privilege|\n privilege_sql = \"SELECT r.#{privilege} FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(privilege_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72999.rb"},"results":[]},{"id":"V-73001","title":"PostgreSQL must initiate session auditing upon startup.","desc":"Session auditing is for use when a user's activities are under\n investigation. 
To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running.","descriptions":[{"label":"default","data":"Session auditing is for use when a user's activities are under\n investigation. To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000092-DB-000208","gid":"V-73001","rid":"SV-87653r1_rule","stig_id":"PGS9-00-008600","cci":["CCI-001464"],"nist":["AU-14 (1)","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), check\nthe current settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf pgaudit is not in the current setting, this is a finding.\n\nAs the database administrator (shown here as \"postgres\"), check the current\nsettings by running the following SQL:\n\n$ psql -c \"SHOW logging_destination\"\n\nIf stderr or syslog are not in the current setting, this is a finding.","fix":"Configure PostgreSQL to enable auditing.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor session logging we suggest using pgaudit. For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B."},"code":"control \"V-73001\" do\n title \"PostgreSQL must initiate session auditing upon startup.\"\n desc \"Session auditing is for use when a user's activities are under\n investigation. 
To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000092-DB-000208\"\n tag \"gid\": \"V-73001\"\n tag \"rid\": \"SV-87653r1_rule\"\n tag \"stig_id\": \"PGS9-00-008600\"\n tag \"cci\": [\"CCI-001464\"]\n tag \"nist\": [\"AU-14 (1)\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), check\nthe current settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf pgaudit is not in the current setting, this is a finding.\n\nAs the database administrator (shown here as \\\"postgres\\\"), check the current\nsettings by running the following SQL:\n\n$ psql -c \\\"SHOW logging_destination\\\"\n\nIf stderr or syslog are not in the current setting, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to enable auditing.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor session logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n describe sql.query('SHOW log_destination;', [PG_DB]) do\n its('output') { should match /stderr|syslog/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73001.rb"},"results":[]},{"id":"V-73003","title":"PostgreSQL must implement cryptographic mechanisms to prevent unauthorized\nmodification of organization-defined information at rest (to include, at a minimum,\nPII and classified information) on organization-defined information system\ncomponents.","desc":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.","descriptions":[{"label":"default","data":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000428-DB-000386","gid":"V-73003","rid":"SV-87655r1_rule","stig_id":"PGS9-00-008700","cci":["CCI-002475"],"nist":["SC-28 (1)","Rev_4"],"check":"Review the system documentation to determine whether the\norganization has defined the information at rest that is to be protected from\nmodification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of PostgreSQL, operating system/file system, and additional\nsoftware as relevant.\n\nIf any of the information defined as requiring cryptographic protection from\nmodification is not encrypted in a manner that provides the required level of\nprotection, this is a finding.\n\nOne possible way to encrypt data within PostgreSQL is to use pgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate filesystem or disk level encryption.\n\nIf this is required and is not found, this is a finding.","fix":"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection.\n\nThe pgcrypto module 
provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it's possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));"},"code":"control \"V-73003\" do\n title \"PostgreSQL must implement cryptographic mechanisms to prevent unauthorized\nmodification of organization-defined information at rest (to include, at a minimum,\nPII and classified information) on organization-defined information system\ncomponents.\"\n desc \"PostgreSQLs handling data requiring \\\"data at rest\\\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000428-DB-000386\"\n tag \"gid\": \"V-73003\"\n tag \"rid\": \"SV-87655r1_rule\"\n tag \"stig_id\": \"PGS9-00-008700\"\n tag \"cci\": [\"CCI-002475\"]\n tag \"nist\": [\"SC-28 (1)\", \"Rev_4\"]\n\n tag \"check\": \"Review the system documentation to determine whether the\norganization has defined the information at rest that is to be protected from\nmodification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of PostgreSQL, operating system/file system, and additional\nsoftware as relevant.\n\nIf any of the information defined as requiring cryptographic protection from\nmodification is not encrypted in a manner that provides the required level of\nprotection, this is a finding.\n\nOne possible way to encrypt data within PostgreSQL is to use pgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate filesystem or disk level encryption.\n\nIf this is required and is not found, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL, operating system/file system, and additional\nsoftware as 
relevant, to provide the required level of cryptographic protection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it's possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\n\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73003.rb"},"results":[]},{"id":"V-73005","title":"PostgreSQL must produce audit records containing sufficient information to\nestablish the sources (origins) of the events.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000098-DB-000042","gid":"V-73005","rid":"SV-87657r1_rule","stig_id":"PGS9-00-008800","cci":["CCI-000133"],"nist":["AU-3","Rev_4"],"check":"Check PostgreSQL settings and existing audit records to verify\ninformation specific to the source (origin) of the event is being captured and\nstored with audit records.\n\nAs the database administrator (usually postgres, check the current log_line_prefix\nand \"log_hostname\" setting by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n$ psql -c \"SHOW log_hostname\"\n\nFor a complete list of extra information that can be added to log_line_prefix, see\nthe official documentation:\nhttps://www.postgresql.org/docs/current/static/runtime-config-logging.html#GUC-LOG-LI\nNE-PREFIX\n\nIf the current settings do not provide enough information regarding the source of\nthe event, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content 
APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations can be made to log the source of\nan event.\n\nFirst, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\n###### Log Line Prefix\n\nExtra parameters can be added to the setting log_line_prefix to log source of event:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %p = process ID\n# %m = timestamp with milliseconds\n\nFor example:\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\n###### Log Hostname\n\nBy default only IP address is logged. To also log the hostname the following\nparameter can also be set in postgresql.conf:\n\nlog_hostname = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73005\" do\n\n title \"PostgreSQL must produce audit records containing sufficient information to\nestablish the sources (origins) of the events.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000098-DB-000042\"\n tag \"gid\": \"V-73005\"\n tag \"rid\": \"SV-87657r1_rule\"\n tag \"stig_id\": \"PGS9-00-008800\"\n tag \"cci\": [\"CCI-000133\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n\n tag \"check\": \"Check PostgreSQL settings and existing audit records to verify\ninformation specific to the source (origin) of the event is being captured and\nstored with audit records.\n\nAs the database administrator (usually postgres, check the current log_line_prefix\nand \\\"log_hostname\\\" setting by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n$ psql -c \\\"SHOW log_hostname\\\"\n\nFor a complete list of extra information that can be added to log_line_prefix, see\nthe official documentation:\nhttps://www.postgresql.org/docs/current/static/runtime-config-logging.html#GUC-LOG-LI\nNE-PREFIX\n\nIf the current settings do not provide enough information regarding the source of\nthe event, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for 
instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations can be made to log the source of\nan event.\n\nFirst, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\n###### Log Line Prefix\n\nExtra parameters can be added to the setting log_line_prefix to log source of event:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %p = process ID\n# %m = timestamp with milliseconds\n\nFor example:\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\n###### Log Hostname\n\nBy default only IP address is logged. To also log the hostname the following\nparameter can also be set in postgresql.conf:\n\nlog_hostname = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW log_hostname;', [PG_DB]) do\n its('output') { should match /(on|true)/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73005.rb"},"results":[]},{"id":"V-73011","title":"Unused database components which are integrated in PostgreSQL and cannot be\nuninstalled must be disabled.","desc":"Information systems are capable of providing a wide variety of functions\nand services. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions.","descriptions":[{"label":"default","data":"Information systems are capable of providing a wide variety of functions\nand services. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. 
The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000141-DB-000092","gid":"V-73011","rid":"SV-87663r1_rule","stig_id":"PGS9-00-009200","cci":["CCI-000381"],"nist":["CM-7 a","Rev_4"],"check":"To list all installed packages, as the system administrator, run the\nfollowing:\n\n# RHEL/CENT Systems\n$ sudo yum list installed | grep postgres\n\n# Debian Systems\n$ dpkg --get-selections | grep postgres\n\nIf any packages are installed that are not required, this is a finding.","fix":"To remove any unneeded executables, as the system administrator, run\nthe following:\n\n# RHEL/CENT Systems\n$ sudo yum erase \n\n# Debian Systems\n$ sudo apt-get remove "},"code":"control \"V-73011\" do\n title \"Unused database components which are integrated in PostgreSQL and cannot be\nuninstalled must be disabled.\"\n desc \"Information systems are capable of providing a wide variety of functions\nand services. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. 
The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000141-DB-000092\"\n tag \"gid\": \"V-73011\"\n tag \"rid\": \"SV-87663r1_rule\"\n tag \"stig_id\": \"PGS9-00-009200\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"check\": \"To list all installed packages, as the system administrator, run the\nfollowing:\n\n# RHEL/CENT Systems\n$ sudo yum list installed | grep postgres\n\n# Debian Systems\n$ dpkg --get-selections | grep postgres\n\nIf any packages are installed that are not required, this is a finding.\"\n tag \"fix\": \"To remove any unneeded executables, as the system administrator, run\nthe following:\n\n# RHEL/CENT Systems\n$ sudo yum erase \n\n# Debian Systems\n$ sudo apt-get remove \"\n\n# @todo how do I identify the packages that are not required for the current OS? 
need datafile of approved?\n# @todo assume need two tests, one for RHEL/CENT, and one for Debian?\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73011.rb"},"results":[]},{"id":"V-73013","title":"PostgreSQL must associate organization-defined types of security labels\nhaving organization-defined security label values with information in process.","desc":"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000313-DB-000309","gid":"V-73013","rid":"SV-87665r1_rule","stig_id":"PGS9-00-009400","cci":["CCI-002263"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n\nFirst, as the database administrator (shown here as \"postgres\"), run the following\nSQL against each table that requires security labels:\n\n$ sudo su - postgres\n$ psql -c \"\\d+ .\"\n\nIf security labeling requirements have been specified, but the security labeling is\nnot implemented or does not reliably maintain labels on information in process, this\nis a finding.","fix":"In addition to the SQL-standard privilege system available through\nGRANT, tables can have row security policies that restrict, on a per-user basis,\nwhich rows can be returned by normal queries or inserted, updated, or deleted by\ndata modification commands. This feature is also known as Row-Level Security (RLS).\n\nRLS policies can be very different depending on their use case. 
For one example of\nusing RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-73013\" do\n title \"PostgreSQL must associate organization-defined types of security labels\nhaving organization-defined security label values with information in process.\"\n desc \"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000313-DB-000309\"\n tag \"gid\": \"V-73013\"\n tag \"rid\": \"SV-87665r1_rule\"\n tag \"stig_id\": \"PGS9-00-009400\"\n tag \"cci\": [\"CCI-002263\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), run the following\nSQL against each table that requires security labels:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\d+ .\\\"\n\nIf security labeling requirements have been specified, but the security labeling is\nnot implemented or does not reliably maintain labels on information in process, this\nis a finding.\"\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\nGRANT, tables can have row security policies that restrict, on a per-user basis,\nwhich rows can be returned by normal queries or inserted, updated, or deleted by\ndata modification commands. This feature is also known as Row-Level Security (RLS).\n\nRLS policies can be very different depending on their use case. 
For one example of\nusing RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73013.rb"},"results":[]},{"id":"V-73015","title":"If passwords are used for authentication, PostgreSQL must store only\nhashed, salted representations of passwords.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n \n Authentication based on User ID and Password may be used only \n when it is not possible to employ a PKI certificate, and \n requires AO approval.\n\n In such cases, database passwords stored in clear text, using \n reversible encryption, or using unsalted hashes would be \n vulnerable to unauthorized disclosure. Database passwords must \n always be in the form of one-way, salted hashes when stored \n internally or externally to PostgreSQL.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n \n Authentication based on User ID and Password may be used only \n when it is not possible to employ a PKI certificate, and \n requires AO approval.\n\n In such cases, database passwords stored in clear text, using \n reversible encryption, or using unsalted hashes would be \n vulnerable to unauthorized disclosure. 
Database passwords must \n always be in the form of one-way, salted hashes when stored \n internally or externally to PostgreSQL."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000171-DB-000074","gid":"V-73015","rid":"SV-87667r1_rule","stig_id":"PGS9-00-009500","cci":["CCI-000196"],"nist":["IA-5 (1) (c)","Rev_4"],"check":"To check if password encryption is enabled, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW password_encryption\"\n\nIf password_encryption is not on, this is a finding.\n\nNext, to identify if any passwords have been stored without being hashed and salted,\nas the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -x -c \"SELECT * FROM pg_shadow\"\n\nIf any password is in plaintext, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo enable password_encryption, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npassword_encryption = on\n\nInstitute a policy of not using the \"WITH UNENCRYPTED PASSWORD\" option with the\nCREATE ROLE/USER and ALTER ROLE/USER commands. 
(This option overrides the setting of\nthe password_encryption configuration parameter.)\n\nAs the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart"},"code":" control 'V-73015' do\n desc 'The CMS standard for authentication is CMS-approved PKI \n certificates.\n \n Authentication based on User ID and Password may be used only \n when it is not possible to employ a PKI certificate, and \n requires AO approval.\n\n In such cases, database passwords stored in clear text, using \n reversible encryption, or using unsalted hashes would be \n vulnerable to unauthorized disclosure. Database passwords must \n always be in the form of one-way, salted hashes when stored \n internally or externally to PostgreSQL.'\n end\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73015.rb"},"results":[]},{"id":"V-73017","title":"PostgreSQL must enforce access restrictions associated with changes to the\nconfiguration of PostgreSQL or database(s).","desc":"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications.","descriptions":[{"label":"default","data":"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen 
dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000380-DB-000360","gid":"V-73017","rid":"SV-87669r1_rule","stig_id":"PGS9-00-009600","cci":["CCI-001813"],"nist":["CM-5 (1)","Rev_4"],"check":"To list all the permissions of individual roles, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\n\nIf any role has SUPERUSER that should not, this is a finding.\n\nNext, list all the permissions of databases and schemas by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\l\"\n$ psql -c \"\\dn+\"\n\nIf any database or schema has update (\"W\") or create (\"C\") privileges and should\nnot, this is a finding.","fix":"Configure PostgreSQL to enforce access restrictions associated with\nchanges to the configuration of PostgreSQL or database(s).\n\nUse ALTER ROLE to remove accesses from roles:\n\n$ psql -c \"ALTER ROLE NOSUPERUSER\"\n\nUse REVOKE to remove privileges from databases and schemas:\n\n$ psql -c \"REVOKE ALL PRIVILEGES ON FROM ;"},"code":"control \"V-73017\" do\n title \"PostgreSQL must enforce access restrictions associated with changes to the\nconfiguration of PostgreSQL or database(s).\"\n desc \"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware 
components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000380-DB-000360\"\n tag \"gid\": \"V-73017\"\n tag \"rid\": \"SV-87669r1_rule\"\n tag \"stig_id\": \"PGS9-00-009600\"\n tag \"cci\": [\"CCI-001813\"]\n tag \"nist\": [\"CM-5 (1)\", \"Rev_4\"]\n tag \"check\": \"To list all the permissions of individual roles, as the database\nadministrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\du\n\nIf any role has SUPERUSER that should not, this is a finding.\n\nNext, list all the permissions of databases and schemas by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\l\\\"\n$ psql -c \\\"\\\\dn+\\\"\n\nIf any database or schema has update (\\\"W\\\") or create (\\\"C\\\") privileges and should\nnot, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to enforce access restrictions associated with\nchanges to the configuration of PostgreSQL or database(s).\n\nUse ALTER ROLE to remove accesses from roles:\n\n$ psql -c \\\"ALTER ROLE NOSUPERUSER\\\"\n\nUse REVOKE to remove privileges from databases and schemas:\n\n$ psql -c \\\"REVOKE ALL PRIVILEGES ON
FROM ;\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n superuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\n\n authorized_owners = PG_SUPERUSERS\n owners = authorized_owners.join('|')\n\n database_granted_privileges = 'CTc'\n database_public_privileges = 'c'\n database_acl = \"^((((#{owners})=[#{database_granted_privileges}]+|\"\\\n \"=[#{database_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n database_acl_regex = Regexp.new(database_acl)\n\n schema_granted_privileges = 'UC'\n schema_public_privileges = 'U'\n schema_acl = \"^((((#{owners})=[#{schema_granted_privileges}]+|\"\\\n \"=[#{schema_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n schema_acl_regex = Regexp.new(schema_acl)\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate;'\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n datacl_sql = \"SELECT pg_catalog.array_to_string(datacl, E','), datname \"\\\n \"FROM pg_catalog.pg_database WHERE datname = '#{database}';\"\n\n describe sql.query(datacl_sql, [PG_DB]) do\n its('output') { should match database_acl_regex }\n end\n\n schemas_sql = \"SELECT n.nspname, FROM pg_catalog.pg_namespace n \"\\\n \"WHERE n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n schemas_query = sql.query(schemas_query, [database])\n # Handle connection disabled on database\n if schemas_query.methods.include?(:output)\n schemas = schemas_query.lines\n\n schemas.each do |schema|\n nspacl_sql = \"SELECT pg_catalog.array_to_string(n.nspacl, E','), \"\\\n \"n.nspname FROM pg_catalog.pg_namespace n \"\\\n 
\"WHERE n.nspname = '#{schema}';\"\n\n describe sql.query(nspacl_sql) do\n its('output') { should match schema_acl_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73017.rb"},"results":[]},{"id":"V-73019","title":"PostgreSQL must protect against a user falsely repudiating having performed\norganization-defined actions.","desc":"Non-repudiation of actions taken is required in order to maintain data\nintegrity. Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account.","descriptions":[{"label":"default","data":"Non-repudiation of actions taken is required in order to maintain data\nintegrity. 
Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000080-DB-000063","gid":"V-73019","rid":"SV-87671r1_rule","stig_id":"PGS9-00-009700","cci":["CCI-000166"],"nist":["AU-10","Rev_4"],"check":"First, as the database administrator, review the current\nlog_line_prefix settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf log_line_prefix does not contain at least '< %m %a %u %d %r %p %m >', this is a\nfinding.\n\nNext, review the current shared_preload_libraries' settings by running the following\nSQL:\n\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf shared_preload_libraries does not contain \"pgaudit\", this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure the database to supply additional auditing information to protect against\na user falsely repudiating having performed organization-defined actions.\n\nUsing pgaudit PostgreSQL can be configured to audit these requests. 
See\nsupplementary content APPENDIX-B for documentation on installing pgaudit.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nModify the configuration of audit logs to include details identifying the individual\nuser:\n\nFirst, as the database administrator (shown here as \"postgres\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nExtra parameters can be added to the setting log_line_prefix to identify the user:\n\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nUse accounts assigned to individual users. Where the application connects to\nPostgreSQL using a standard, shared account, ensure that it also captures the\nindividual user identification and passes it to PostgreSQL."},"code":"control \"V-73019\" do\n title \"PostgreSQL must protect against a user falsely repudiating having performed\norganization-defined actions.\"\n desc \"Non-repudiation of actions taken is required in order to maintain data\nintegrity. Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. 
Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000080-DB-000063\"\n tag \"gid\": \"V-73019\"\n tag \"rid\": \"SV-87671r1_rule\"\n tag \"stig_id\": \"PGS9-00-009700\"\n tag \"cci\": [\"CCI-000166\"]\n tag \"nist\": [\"AU-10\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, review the current\nlog_line_prefix settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nIf log_line_prefix does not contain at least '< %m %a %u %d %r %p %m >', this is a\nfinding.\n\nNext, review the current shared_preload_libraries' settings by running the following\nSQL:\n\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf shared_preload_libraries does not contain \\\"pgaudit\\\", this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure the database to supply additional auditing information to protect against\na user falsely repudiating having performed organization-defined actions.\n\nUsing pgaudit PostgreSQL can be configured to audit these requests. 
See\nsupplementary content APPENDIX-B for documentation on installing pgaudit.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nModify the configuration of audit logs to include details identifying the individual\nuser:\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nExtra parameters can be added to the setting log_line_prefix to identify the user:\n\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nUse accounts assigned to individual users. Where the application connects to\nPostgreSQL using a standard, shared account, ensure that it also captures the\nindividual user identification and passes it to PostgreSQL.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %p %r %a)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73019.rb"},"results":[]},{"id":"V-73021","title":"PostgreSQL must provide the capability for authorized users to capture,\nrecord, and log all content related to a user session.","desc":"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL capability would be used in conjunction with comparable\nmonitoring of a user's online session, 
involving other software components such as\noperating systems, web servers and front-end user applications. The current\nrequirement, however, deals specifically with PostgreSQL.","descriptions":[{"label":"default","data":"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL capability would be used in conjunction with comparable\nmonitoring of a user's online session, involving other software components such as\noperating systems, web servers and front-end user applications. The current\nrequirement, however, deals specifically with PostgreSQL."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000093-DB-000052","gid":"V-73021","rid":"SV-87673r1_rule","stig_id":"PGS9-00-009800","cci":["CCI-001462"],"nist":["AU-14 (2)","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nverify pgaudit is installed by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf shared_preload_libraries does not contain pgaudit, this is a finding.\n\nNext, to verify connections and disconnections are logged, run the following SQL:\n\n$ psql -c \"SHOW log_connections\"\n$ psql -c \"SHOW log_disconnections\"\n\nIf log_connections and log_disconnections are off, this is a finding.\n\nNow, to verify that pgaudit is configured to log, run the following SQL:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf pgaudit.log does not contain ddl, role, read, write, this is a finding.","fix":"Configure the database capture, record, and log all content related to\na user session.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \"postgres\"),\nenable log_connections and log_disconnections:\n\n$ sudo su - postgres\n$ vi 
${PGDATA?}/postgresql.conf\nlog_connections = on\nlog_disconnections = on\n\nUsing pgaudit PostgreSQL can be configured to audit activity. See supplementary\ncontent APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, as a database administrator (shown here as \"postgres\"),\nenable which objects required for auditing a user's session:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npgaudit.log = 'write, ddl, role, read, function';\npgaudit.log_relation = on;\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73021\" do\n title \"PostgreSQL must provide the capability for authorized users to capture,\nrecord, and log all content related to a user session.\"\n desc \"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL capability would be used in conjunction with comparable\nmonitoring of a user's online session, involving other software components such as\noperating systems, web servers and front-end user applications. 
The current\nrequirement, however, deals specifically with PostgreSQL.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000093-DB-000052\"\n tag \"gid\": \"V-73021\"\n tag \"rid\": \"SV-87673r1_rule\"\n tag \"stig_id\": \"PGS9-00-009800\"\n tag \"cci\": [\"CCI-001462\"]\n tag \"nist\": [\"AU-14 (2)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as \\\"postgres\\\"),\nverify pgaudit is installed by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf shared_preload_libraries does not contain pgaudit, this is a finding.\n\nNext, to verify connections and disconnections are logged, run the following SQL:\n\n$ psql -c \\\"SHOW log_connections\\\"\n$ psql -c \\\"SHOW log_disconnections\\\"\n\nIf log_connections and log_disconnections are off, this is a finding.\n\nNow, to verify that pgaudit is configured to log, run the following SQL:\n\n$ psql -c \\\"SHOW pgaudit.log\\\"\n\nIf pgaudit.log does not contain ddl, role, read, write, this is a finding.\"\n tag \"fix\": \"Configure the database capture, record, and log all content related to\na user session.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \\\"postgres\\\"),\nenable log_connections and log_disconnections:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_connections = on\nlog_disconnections = on\n\nUsing pgaudit PostgreSQL can be configured to audit activity. 
See supplementary\ncontent APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, as a database administrator (shown here as \\\"postgres\\\"),\nenable which objects required for auditing a user's session:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npgaudit.log = 'write, ddl, role, read, function';\npgaudit.log_relation = on;\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73021.rb"},"results":[]},{"id":"V-73023","title":"The system must provide a warning to appropriate support \n staff when allocated audit record storage volume reaches 80% \n of maximum audit record storage capacity.","desc":"Organizations are required to use a central log management system, \n so, under normal conditions, the audit space allocated to \n PostgreSQL on its own server will not be an issue. However, \n space will still be required on PostgreSQL server for audit \n records in transit, and, under abnormal conditions, this could \n fill up. 
Since a requirement exists to halt processing upon \n audit failure, a service outage would result.\n\n If support personnel are not notified immediately upon storage \n volume utilization reaching 80%, they are unable to plan for \n storage capacity expansion. \n\n The appropriate support staff include, at a minimum, the ISSO \n and the DBA/SA.","descriptions":[{"label":"default","data":"Organizations are required to use a central log management system, \n so, under normal conditions, the audit space allocated to \n PostgreSQL on its own server will not be an issue. However, \n space will still be required on PostgreSQL server for audit \n records in transit, and, under abnormal conditions, this could \n fill up. Since a requirement exists to halt processing upon \n audit failure, a service outage would result.\n\n If support personnel are not notified immediately upon storage \n volume utilization reaching 80%, they are unable to plan for \n storage capacity expansion. \n\n The appropriate support staff include, at a minimum, the ISSO \n and the DBA/SA."},{"label":"check","data":"Review system configuration.\n\n If no script/tool is monitoring the partition for the PostgreSQL \n log directories, this is a finding.\n\n If appropriate support staff are not notified immediately upon \n storage volume utilization reaching 80%, this is a finding."},{"label":"fix","data":"Configure the system to notify appropriate support \n staff immediately upon storage volume utilization reaching 80%.\n\n PostgreSQL does not monitor storage, however, it is possible to \n monitor storage with a script.\n\n ##### Example Monitoring Script\n\n #!/bin/bash\n\n PGDATA=/var/lib/psql/9.5/data\n CURRENT=$(df ${PGDATA?} | grep / | awk \"{ print $5}\" \n | sed \"s/%//g\")\n THRESHOLD=80\n\n if [ \"$CURRENT\" -gt \"$THRESHOLD\" ] ; then\n mail -s \"Disk Space Alert\" mail@support.com << EOF\n The data directory volume is almost full. 
Used: $CURRENT\n %EOF\n fi\n\n Schedule this script in cron to run around the clock."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000359-DB-000319","gid":"V-73023","rid":"SV-87675r1_rule","stig_id":"PGS9-00-009900","cci":["CCI-001855"],"nist":["AU-5 (1)","Rev_4"],"check":"Review system configuration.\n\nIf no script/tool is monitoring the partition for the PostgreSQL log directories,\nthis is a finding.\n\nIf appropriate support staff are not notified immediately upon storage volume\nutilization reaching 75%, this is a finding.","fix":"Configure the system to notify appropriate support staff immediately\nupon storage volume utilization reaching 75%.\n\nPostgreSQL does not monitor storage, however, it is possible to monitor storage with\na script.\n\n##### Example Monitoring Script\n\n#!/bin/bash\n\nPGDATA=/var/lib/psql/9.5/data\nCURRENT=$(df ${PGDATA?} | grep / | awk '{ print $5}' | sed 's/%//g')\nTHRESHOLD=75\n\nif [ \"$CURRENT\" -gt \"$THRESHOLD\" ] ; then\nmail -s 'Disk Space Alert' mail@support.com << EOF\nThe data directory volume is almost full. Used: $CURRENT\n%EOF\nfi\n\nSchedule this script in cron to run around the clock."},"code":" control 'V-73023' do\n title 'The system must provide a warning to appropriate support \n staff when allocated audit record storage volume reaches 80% \n of maximum audit record storage capacity.'\n desc 'Organizations are required to use a central log management system, \n so, under normal conditions, the audit space allocated to \n PostgreSQL on its own server will not be an issue. However, \n space will still be required on PostgreSQL server for audit \n records in transit, and, under abnormal conditions, this could \n fill up. Since a requirement exists to halt processing upon \n audit failure, a service outage would result.\n\n If support personnel are not notified immediately upon storage \n volume utilization reaching 80%, they are unable to plan for \n storage capacity expansion. 
\n\n The appropriate support staff include, at a minimum, the ISSO \n and the DBA/SA.'\n desc 'check', 'Review system configuration.\n\n If no script/tool is monitoring the partition for the PostgreSQL \n log directories, this is a finding.\n\n If appropriate support staff are not notified immediately upon \n storage volume utilization reaching 80%, this is a finding.'\n\n desc 'fix', 'Configure the system to notify appropriate support \n staff immediately upon storage volume utilization reaching 80%.\n\n PostgreSQL does not monitor storage, however, it is possible to \n monitor storage with a script.\n\n ##### Example Monitoring Script\n\n #!/bin/bash\n\n PGDATA=/var/lib/psql/9.5/data\n CURRENT=$(df ${PGDATA?} | grep / | awk \"{ print $5}\" \n | sed \"s/%//g\")\n THRESHOLD=80\n\n if [ \"$CURRENT\" -gt \"$THRESHOLD\" ] ; then\n mail -s \"Disk Space Alert\" mail@support.com << EOF\n The data directory volume is almost full. Used: $CURRENT\n %EOF\n fi\n\n Schedule this script in cron to run around the clock.'\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73023.rb"},"results":[]},{"id":"V-73025","title":"PostgreSQL must provide the means for individuals in authorized roles to\nchange the auditing to be performed on all application components, based on all\nselectable event criteria within organization-defined time thresholds.","desc":"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. 
In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours.","descriptions":[{"label":"default","data":"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000353-DB-000324","gid":"V-73025","rid":"SV-87677r1_rule","stig_id":"PGS9-00-010000","cci":["CCI-001914"],"nist":["AU-12 (3)","Rev_4"],"check":"First, as the database administrator, check if pgaudit is present in\nshared_preload_libraries:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf pgaudit is not present in the result from the query, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor audit logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\n\nAs a superuser (postgres), any pgaudit parameter can be changed in postgresql.conf.\nConfigurations can only be changed by a superuser.\n\n### Example: Change Auditing To Log Any ROLE Statements\n\nNote: This will override any setting already configured.\n\nAlter the configuration to do role-based logging:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'role'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\n### Example: Set An Auditing Role And Grant Privileges\n\nAn audit role can be configured and granted privileges to specific tables and\ncolumns that need logging.\n\n##### Create Test Table\n\n$ sudo su - postgres\n$ psql -c \"CREATE TABLE public.stig_audit_example(id INT, name TEXT, password\nTEXT);\"\n\n##### Define Auditing Role\n\nAs PostgreSQL superuser (such as postgres), add the following to postgresql.conf or\nany included configuration files.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.role = 'auditor'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nNext in PostgreSQL create a new role:\n\npostgres=# CREATE ROLE auditor;\npostgres=# GRANT select(password) ON public.stig_audit_example TO auditor;\n\nNote: This role is created with NOLOGIN privileges by default.\n\nNow any SELECT on the column password will be logged:\n\n$ sudo su - postgres\n$ psql -c \"SELECT password FROM public.stig_audit_example;\"\n$ cat ${PGDATA?}/pg_log/\n< 2016-01-28 16:46:09.038 UTC bob postgres: 
>LOG: AUDIT:\nOBJECT,6,1,READ,SELECT,TABLE,public.stig_audit_example,SELECT password FROM\nstig_audit_example;,\n\n## Change Configurations During A Specific Timeframe\n\nDeploy PostgreSQL that allows audit configuration changes to take effect within the\ntimeframe required by the application owner and without involving actions or events\nthat the application owner rules unacceptable.\n\nCrontab can be used to do this.\n\nFor a specific audit role:\n\n# Grant specific audit privileges to an auditing role at 5 PM every day of the week,\nmonth, year at the 0 minute mark.\n0 5 * * * postgres /usr/bin/psql -c \"GRANT select(password) ON\npublic.stig_audit_example TO auditor;\"\n# Revoke specific audit privileges to an auditing role at 5 PM every day of the\nweek, month, year at the 0 minute mark.\n0 17 * * * postgres /usr/bin/psql -c \"REVOKE select(password) ON\npublic.stig_audit_example FROM auditor;\""},"code":"control \"V-73025\" do\n title \"PostgreSQL must provide the means for individuals in authorized roles to\nchange the auditing to be performed on all application components, based on all\nselectable event criteria within organization-defined time thresholds.\"\n desc \"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. 
Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000353-DB-000324\"\n tag \"gid\": \"V-73025\"\n tag \"rid\": \"SV-87677r1_rule\"\n tag \"stig_id\": \"PGS9-00-010000\"\n tag \"cci\": [\"CCI-001914\"]\n tag \"nist\": [\"AU-12 (3)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, check if pgaudit is present in\nshared_preload_libraries:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf pgaudit is not present in the result from the query, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor audit logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\n\nAs a superuser (postgres), any pgaudit parameter can be changed in postgresql.conf.\nConfigurations can only be changed by a superuser.\n\n### Example: Change Auditing To Log Any ROLE Statements\n\nNote: This will override any setting already configured.\n\nAlter the configuration to do role-based logging:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'role'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\n### Example: Set An Auditing Role And Grant Privileges\n\nAn audit role can be configured and granted privileges to specific tables and\ncolumns that need logging.\n\n##### Create Test Table\n\n$ sudo su - postgres\n$ psql -c \\\"CREATE TABLE public.stig_audit_example(id INT, name TEXT, password\nTEXT);\\\"\n\n##### Define Auditing Role\n\nAs PostgreSQL superuser (such as postgres), add the following to postgresql.conf or\nany included configuration files.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.role = 'auditor'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nNext in PostgreSQL create a new role:\n\npostgres=# CREATE ROLE auditor;\npostgres=# GRANT select(password) ON public.stig_audit_example TO auditor;\n\nNote: This role is created with NOLOGIN privileges by default.\n\nNow any SELECT on the column password will be logged:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT password FROM public.stig_audit_example;\\\"\n$ cat ${PGDATA?}/pg_log/\n< 2016-01-28 16:46:09.038 UTC bob 
postgres: >LOG: AUDIT:\nOBJECT,6,1,READ,SELECT,TABLE,public.stig_audit_example,SELECT password FROM\nstig_audit_example;,\n\n## Change Configurations During A Specific Timeframe\n\nDeploy PostgreSQL that allows audit configuration changes to take effect within the\ntimeframe required by the application owner and without involving actions or events\nthat the application owner rules unacceptable.\n\nCrontab can be used to do this.\n\nFor a specific audit role:\n\n# Grant specific audit privileges to an auditing role at 5 PM every day of the week,\nmonth, year at the 0 minute mark.\n0 5 * * * postgres /usr/bin/psql -c \\\"GRANT select(password) ON\npublic.stig_audit_example TO auditor;\\\"\n# Revoke specific audit privileges to an auditing role at 5 PM every day of the\nweek, month, year at the 0 minute mark.\n0 17 * * * postgres /usr/bin/psql -c \\\"REVOKE select(password) ON\npublic.stig_audit_example FROM auditor;\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73025.rb"},"results":[]},{"id":"V-73027","title":"PostgreSQL must require users to reauthenticate when organization-defined\ncircumstances or situations require reauthentication.","desc":"The CMS standard for authentication of an interactive user \n is the presentation of a Personal Identity Verification (PIV) \n Card or other physical token bearing a valid, current, \n CMS-issued Public Key Infrastructure (PKI) certificate, coupled \n with a Personal Identification Number (PIN) to be entered by \n the user at the beginning of each session and whenever \n reauthentication is required.\n\n Without reauthentication, users may access resources or perform \n tasks for which they do not have authorization.\n\n When applications provide the capability to 
change security \n roles or escalate the functional capability of the application, \n it is critical the user re-authenticate.\n\n In addition to the reauthentication requirements associated with \n session locks, organizations may require reauthentication of \n individuals and/or devices in other situations, including (but \n not limited to) the following circumstances:\n\n (i) When authenticators change;\n (ii) When roles change;\n (iii) When security categorized information systems change;\n (iv) When the execution of privileged functions occurs;\n (v) After a fixed period of time; or\n (vi) Periodically.\n\n Within CMS, the minimum circumstances requiring reauthentication \n are privilege escalation and role changes.","descriptions":[{"label":"default","data":"The CMS standard for authentication of an interactive user \n is the presentation of a Personal Identity Verification (PIV) \n Card or other physical token bearing a valid, current, \n CMS-issued Public Key Infrastructure (PKI) certificate, coupled \n with a Personal Identification Number (PIN) to be entered by \n the user at the beginning of each session and whenever \n reauthentication is required.\n\n Without reauthentication, users may access resources or perform \n tasks for which they do not have authorization.\n\n When applications provide the capability to change security \n roles or escalate the functional capability of the application, \n it is critical the user re-authenticate.\n\n In addition to the reauthentication requirements associated with \n session locks, organizations may require reauthentication of \n individuals and/or devices in other situations, including (but \n not limited to) the following circumstances:\n\n (i) When authenticators change;\n (ii) When roles change;\n (iii) When security categorized information systems change;\n (iv) When the execution of privileged functions occurs;\n (v) After a fixed period of time; or\n (vi) Periodically.\n\n Within CMS, the minimum 
circumstances requiring reauthentication \n are privilege escalation and role changes."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000389-DB-000372","gid":"V-73027","rid":"SV-87679r1_rule","stig_id":"PGS9-00-010100","cci":["CCI-002038"],"nist":["IA-11","Rev_4"],"check":"Determine all situations where a user must re-authenticate. Check if\nthe mechanisms that handle such situations use the following SQL:\n\nTo make a single user re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user=''\n\nTo make all users re-authenticate, run the following:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'\n\nIf the provided SQL does not force re-authentication, this is a finding.","fix":"Modify and/or configure PostgreSQL and related applications and tools\nso that users are always required to reauthenticate when changing role or escalating\nprivileges.\n\nTo make a single user re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user=''\n\nTo make all users re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'"},"code":" control 'V-73027' do\n desc 'The CMS standard for authentication of an interactive user \n is the presentation of a Personal Identity Verification (PIV) \n Card or other physical token bearing a valid, current, \n CMS-issued Public Key Infrastructure (PKI) certificate, coupled \n with a Personal Identification Number (PIN) to be entered by \n the user at the beginning of each session and whenever \n reauthentication is required.\n\n Without reauthentication, users may access resources or perform \n tasks for which they do not have authorization.\n\n When applications provide the capability to change security \n roles or escalate the functional capability of the application, \n it is critical the user 
re-authenticate.\n\n In addition to the reauthentication requirements associated with \n session locks, organizations may require reauthentication of \n individuals and/or devices in other situations, including (but \n not limited to) the following circumstances:\n\n (i) When authenticators change;\n (ii) When roles change;\n (iii) When security categorized information systems change;\n (iv) When the execution of privileged functions occurs;\n (v) After a fixed period of time; or\n (vi) Periodically.\n\n Within CMS, the minimum circumstances requiring reauthentication \n are privilege escalation and role changes.'\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73027.rb"},"results":[]},{"id":"V-73029","title":"PostgreSQL must enforce authorized access to all PKI private keys\nstored/utilized by PostgreSQL.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates. PKI certificate-based authentication is performed \n by requiring the certificate holder to cryptographically prove \n possession of the corresponding private key.\n\n If the private key is stolen, an attacker can use the private \n key(s) to impersonate the certificate holder. In cases where \n PostgreSQL-stored private keys are used to authenticate PostgreSQL \n to the system, clients, loss of the corresponding private keys \n would allow an attacker to successfully perform undetected \n man-in-the-middle attacks against PostgreSQL system and its \n clients.\n\n Both the holder of a digital certificate and the issuing authority \n must take careful measures to protect the corresponding private \n key. Private keys should always be generated and protected in \n FIPS 140-2 validated cryptographic modules.\n\n All access to the private key(s) of PostgreSQL must be restricted \n to authorized and authenticated users. 
If unauthorized users have \n access to one or more of PostgreSQL's private keys, an attacker \n could gain access to the key(s) and use them to impersonate the \n database on the network or otherwise perform unauthorized actions.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates. PKI certificate-based authentication is performed \n by requiring the certificate holder to cryptographically prove \n possession of the corresponding private key.\n\n If the private key is stolen, an attacker can use the private \n key(s) to impersonate the certificate holder. In cases where \n PostgreSQL-stored private keys are used to authenticate PostgreSQL \n to the system, clients, loss of the corresponding private keys \n would allow an attacker to successfully perform undetected \n man-in-the-middle attacks against PostgreSQL system and its \n clients.\n\n Both the holder of a digital certificate and the issuing authority \n must take careful measures to protect the corresponding private \n key. Private keys should always be generated and protected in \n FIPS 140-2 validated cryptographic modules.\n\n All access to the private key(s) of PostgreSQL must be restricted \n to authorized and authenticated users. 
If unauthorized users have \n access to one or more of PostgreSQL's private keys, an attacker \n could gain access to the key(s) and use them to impersonate the \n database on the network or otherwise perform unauthorized actions."}],"impact":0.7,"refs":[{"ref":[]}],"tags":{"severity":"high","gtitle":"SRG-APP-000176-DB-000068","gid":"V-73029","rid":"SV-87681r1_rule","stig_id":"PGS9-00-010200","cci":["CCI-000186"],"nist":["IA-5 (2) (b)","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nverify the following settings:\n\nNote: If no specific directory given before the name, the files are stored in\nPGDATA.\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl_ca_file\"\n$ psql -c \"SHOW ssl_cert_file\"\n$ psql -c \"SHOW ssl_crl_file\"\n$ psql -c \"SHOW ssl_key_file\"\n\nIf the directory these files are stored in is not protected, this is a finding.","fix":"Store all PostgreSQL PKI private keys in a FIPS 140-2 validated\ncryptographic module. Ensure access to PostgreSQL PKI private keys is restricted to\nonly authenticated and authorized users.\n\nPostgreSQL private key(s) can be stored in $PGDATA directory, which is only\naccessible by the database owner (usually postgres, DBA) user. 
Do not allow access\nto this system account to unauthorized users.\n\nTo put the keys in a different directory, as the database administrator (shown here\nas \"postgres\"), set the following settings to a protected directory:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nssl_ca_file = \"/some/protected/directory/root.crt\"\nssl_crl_file = \"/some/protected/directory/root.crl\"\nssl_cert_file = \"/some/protected/directory/server.crt\"\nssl_key_file = \"/some/protected/directory/server.key\"\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restartpostgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":" control 'V-73029' do\n desc 'The CMS standard for authentication is CMS-approved PKI \n certificates. PKI certificate-based authentication is performed \n by requiring the certificate holder to cryptographically prove \n possession of the corresponding private key.\n\n If the private key is stolen, an attacker can use the private \n key(s) to impersonate the certificate holder. In cases where \n PostgreSQL-stored private keys are used to authenticate PostgreSQL \n to the system, clients, loss of the corresponding private keys \n would allow an attacker to successfully perform undetected \n man-in-the-middle attacks against PostgreSQL system and its \n clients.\n\n Both the holder of a digital certificate and the issuing authority \n must take careful measures to protect the corresponding private \n key. Private keys should always be generated and protected in \n FIPS 140-2 validated cryptographic modules.\n\n All access to the private key(s) of PostgreSQL must be restricted \n to authorized and authenticated users. 
If unauthorized users have \n access to one or more of PostgreSQL\\'s private keys, an attacker \n could gain access to the key(s) and use them to impersonate the \n database on the network or otherwise perform unauthorized actions.'\n end\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb"},"results":[]},{"id":"V-73031","title":"PostgreSQL must only accept end entity certificates issued by \n CMS PKI or CMS-approved PKI Certification Authorities (CAs) for \n the establishment of all encrypted sessions.","desc":"Only CMS-approved external PKIs have been evaluated to ensure \n that they have security controls and identity vetting procedures \n in place which are sufficient for CMS systems to rely on the \n identity asserted in the certificate. PKIs lacking sufficient \n security controls and identity vetting procedures risk being \n compromised and issuing certificates that enable adversaries to \n impersonate legitimate users. \n\n The authoritative list of CMS-approved PKIs is published at \n http://iase.disa.mil/pki-pke/interoperability.\n\n This requirement focuses on communications protection for \n PostgreSQL session rather than for the network packet.","descriptions":[{"label":"default","data":"Only CMS-approved external PKIs have been evaluated to ensure \n that they have security controls and identity vetting procedures \n in place which are sufficient for CMS systems to rely on the \n identity asserted in the certificate. PKIs lacking sufficient \n security controls and identity vetting procedures risk being \n compromised and issuing certificates that enable adversaries to \n impersonate legitimate users. 
\n\n The authoritative list of CMS-approved PKIs is published at \n http://iase.disa.mil/pki-pke/interoperability.\n\n This requirement focuses on communications protection for \n PostgreSQL session rather than for the network packet."},{"label":"fix","data":"Revoke trust in any certificates not issued by a \n CMS-approved certificate authority.\n\n Configure PostgreSQL to accept only CMS and CMS-approved PKI \n end-entity certificates.\n\n To configure PostgreSQL to accept approved CA's, see the \n official PostgreSQL documentation: \n http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\n For more information on configuring PostgreSQL to use SSL, \n see supplementary content APPENDIX-G."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000427-DB-000385","gid":"V-73031","rid":"SV-87683r1_rule","stig_id":"PGS9-00-010300","cci":["CCI-002470"],"nist":["SC-23 (5)","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), verify\nthe following setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl_ca_file\"\n$ psql -c \"SHOW ssl_cert_file\"\n\nIf the database is not configured to used approved certificates, this is a finding.","fix":"Revoke trust in any certificates not issued by a DoD-approved\ncertificate authority.\n\nConfigure PostgreSQL to accept only DoD and DoD-approved PKI end-entity certificates.\n\nTo configure PostgreSQL to accept approved CA's, see the official PostgreSQL\ndocumentation: http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":" control 'V-73031' do\n title 'PostgreSQL must only accept end entity certificates issued by \n CMS PKI or CMS-approved PKI Certification Authorities (CAs) for \n the establishment of all encrypted sessions.'\n \n desc 'Only CMS-approved external PKIs have been evaluated to ensure \n that they have security controls and identity 
vetting procedures \n in place which are sufficient for CMS systems to rely on the \n identity asserted in the certificate. PKIs lacking sufficient \n security controls and identity vetting procedures risk being \n compromised and issuing certificates that enable adversaries to \n impersonate legitimate users. \n\n The authoritative list of CMS-approved PKIs is published at \n http://iase.disa.mil/pki-pke/interoperability.\n\n This requirement focuses on communications protection for \n PostgreSQL session rather than for the network packet.'\n\n desc 'fix', 'Revoke trust in any certificates not issued by a \n CMS-approved certificate authority.\n\n Configure PostgreSQL to accept only CMS and CMS-approved PKI \n end-entity certificates.\n\n To configure PostgreSQL to accept approved CA\\'s, see the \n official PostgreSQL documentation: \n http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\n For more information on configuring PostgreSQL to use SSL, \n see supplementary content APPENDIX-G.'\n end\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73031.rb"},"results":[]},{"id":"V-73033","title":"PostgreSQL must produce audit records containing sufficient information to\nestablish what type of events occurred.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000095-DB-000039","gid":"V-73033","rid":"SV-87685r1_rule","stig_id":"PGS9-00-010400","cci":["CCI-000130"],"nist":["AU-3","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), verify\nthe current log_line_prefix setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nVerify that the current settings are appropriate for the organization.\n\nThe following is what is possible for logged information:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %h = remote host\n# %p = process ID\n# %t = timestamp without milliseconds\n# %m = timestamp with milliseconds\n# %i = command tag\n# %e = SQL state\n# %c = session ID\n# %l = session line number\n# %s = session start timestamp\n# %v = virtual transaction ID\n# %x = 
transaction ID (0 if none)\n# %q = stop here in non-session\n# processes\n\nIf the audit record does not log events required by the organization, this is a\nfinding.\n\nNext, verify the current settings of log_connections and log_disconnections by\nrunning the following SQL:\n\n$ psql -c \"SHOW log_connections\"\n$ psql -c \"SHOW log_disconnections\"\n\nIf both settings are off, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations must be made to log connections,\ndate/time, username and session identifier.\n\nFirst, edit the postgresql.conf file as a privileged user:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters based on the organization's needs (minimum\nrequirements are as follows):\n\nlog_connections = on\nlog_disconnections = on\nlog_line_prefix = '< %m %u %d %c: >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73033\" do\n title \"PostgreSQL must produce audit records containing sufficient information to\nestablish what type of events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000095-DB-000039\"\n tag \"gid\": \"V-73033\"\n tag \"rid\": \"SV-87685r1_rule\"\n tag \"stig_id\": \"PGS9-00-010400\"\n tag \"cci\": [\"CCI-000130\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), verify\nthe current log_line_prefix setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nVerify that the current settings are appropriate for the organization.\n\nThe following is what is possible for logged information:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %h = remote host\n# %p = process ID\n# %t = timestamp without milliseconds\n# %m = timestamp with milliseconds\n# %i = command tag\n# %e = SQL state\n# %c = session ID\n# %l = session line 
number\n# %s = session start timestamp\n# %v = virtual transaction ID\n# %x = transaction ID (0 if none)\n# %q = stop here in non-session\n# processes\n\nIf the audit record does not log events required by the organization, this is a\nfinding.\n\nNext, verify the current settings of log_connections and log_disconnections by\nrunning the following SQL:\n\n$ psql -c \\\"SHOW log_connections\\\"\n$ psql -c \\\"SHOW log_disconnections\\\"\n\nIf both settings are off, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations must be made to log connections,\ndate/time, username and session identifier.\n\nFirst, edit the postgresql.conf file as a privileged user:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters based on the organization's needs (minimum\nrequirements are as follows):\n\nlog_connections = on\nlog_disconnections = on\nlog_line_prefix = '< %m %u %d %c: >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n 
end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73033.rb"},"results":[]},{"id":"V-73035","title":"PostgreSQL must implement cryptographic mechanisms preventing the\nunauthorized disclosure of organization-defined information at rest on\norganization-defined information system components.","desc":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.","descriptions":[{"label":"default","data":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000429-DB-000387","gid":"V-73035","rid":"SV-87687r1_rule","stig_id":"PGS9-00-010500","cci":["CCI-002476"],"nist":["SC-28 (1)","Rev_4"],"check":"To check if pgcrypto is installed on PostgreSQL, as a database\nadministrator (shown here as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf a disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of filesystem and/or disk-level encryption. If this is required\nand is not found, this is a finding.","fix":"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection for\ninformation requiring cryptographic protection against disclosure.\n\nSecure the premises, equipment, and media to provide the required level of physical\nprotection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));"},"code":"control \"V-73035\" do\n title \"PostgreSQL must implement cryptographic mechanisms preventing the\nunauthorized disclosure of organization-defined information at rest on\norganization-defined information system components.\"\n desc \"PostgreSQLs handling data requiring \\\"data at rest\\\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000429-DB-000387\"\n tag \"gid\": \"V-73035\"\n tag \"rid\": \"SV-87687r1_rule\"\n tag \"stig_id\": \"PGS9-00-010500\"\n tag \"cci\": [\"CCI-002476\"]\n tag \"nist\": [\"SC-28 (1)\", \"Rev_4\"]\n tag \"check\": \"To check if pgcrypto is installed on PostgreSQL, as a database\nadministrator (shown here as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf a disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of filesystem and/or disk-level encryption. If this is required\nand is not found, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection for\ninformation requiring cryptographic protection against disclosure.\n\nSecure the premises, equipment, and media to provide the required level of physical\nprotection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73035.rb"},"results":[]},{"id":"V-73037","title":"PostgreSQL must invalidate session identifiers upon user logout or other\nsession termination.","desc":"Captured sessions can be reused in \"replay\" attacks. This requirement\nlimits the ability of adversaries to capture and continue to employ previously valid\nsession IDs.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet. The intent of this control is to establish grounds for\nconfidence at each end of a communications session in the ongoing identity of the\nother party and in the validity of the information being transmitted.\n\nSession IDs are tokens generated by PostgreSQLs to uniquely identify a user's (or\nprocess's) session. DBMSs will make access decisions and execute logic based on the\nsession ID.\n\nUnique session IDs help to reduce predictability of said identifiers. Unique session\nIDs address man-in-the-middle attacks, including session hijacking or insertion of\ninformation into a session. 
If the attacker is unable to identify or guess the\nsession information related to pending application traffic, they will have more\ndifficulty in hijacking the session or otherwise manipulating valid sessions.\n\nWhen a user logs out, or when any other session termination event occurs, PostgreSQL\nmust terminate the user session(s) to minimize the potential for sessions to be\nhijacked.","descriptions":[{"label":"default","data":"Captured sessions can be reused in \"replay\" attacks. This requirement\nlimits the ability of adversaries to capture and continue to employ previously valid\nsession IDs.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet. The intent of this control is to establish grounds for\nconfidence at each end of a communications session in the ongoing identity of the\nother party and in the validity of the information being transmitted.\n\nSession IDs are tokens generated by PostgreSQLs to uniquely identify a user's (or\nprocess's) session. DBMSs will make access decisions and execute logic based on the\nsession ID.\n\nUnique session IDs help to reduce predictability of said identifiers. Unique session\nIDs address man-in-the-middle attacks, including session hijacking or insertion of\ninformation into a session. 
If the attacker is unable to identify or guess the\nsession information related to pending application traffic, they will have more\ndifficulty in hijacking the session or otherwise manipulating valid sessions.\n\nWhen a user logs out, or when any other session termination event occurs, PostgreSQL\nmust terminate the user session(s) to minimize the potential for sessions to be\nhijacked."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000220-DB-000149","gid":"V-73037","rid":"SV-87689r1_rule","stig_id":"PGS9-00-010600","cci":["CCI-001184"],"nist":["SC-23","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), run the\nfollowing SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW tcp_keepalives_idle\"\n$ psql -c \"SHOW tcp_keepalives_interval\"\n$ psql -c \"SHOW tcp_keepalives_count\"\n$ psql -c \"SHOW statement_timeout\"\n\nIf these settings are not set, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi $PGDATA/postgresql.conf\n\nSet the following parameters to organizational requirements:\n\nstatement_timeout = 10000 #milliseconds\ntcp_keepalives_idle = 10 # seconds\ntcp_keepalives_interval = 10 # seconds\ntcp_keepalives_count = 10\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart"},"code":" control 'V-73037' do\n tag \"cci\": ['CCI-001184']\n tag \"nist\": ['SC-23', 'Rev_4']\n end\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73037.rb"},"results":[]},{"id":"V-73041","title":"PostgreSQL must produce audit records containing time stamps to 
establish\nwhen the events occurred.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. 
This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000096-DB-000040","gid":"V-73041","rid":"SV-87693r1_rule","stig_id":"PGS9-00-011100","cci":["CCI-000131"],"nist":["AU-3","Rev_4"],"check":"As the database administrator (usually postgres), run the following\nSQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf the query result does not contain \"%m\", this is a finding.","fix":"Logging must be enabled in order to capture timestamps. To ensure that\nlogging is enabled, review supplementary content APPENDIX-C for instructions on\nenabling logging.\n\nIf logging is enabled the following configurations must be made to log events with\ntimestamps:\n\nFirst, as the database administrator (shown here as \"postgres\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd %m to log_line_prefix to enable timestamps with milliseconds:\n\nlog_line_prefix = '< %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73041\" do\n title \"PostgreSQL must produce audit records containing time stamps to establish\nwhen the events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000096-DB-000040\"\n tag \"gid\": \"V-73041\"\n tag \"rid\": \"SV-87693r1_rule\"\n tag \"stig_id\": \"PGS9-00-011100\"\n tag \"cci\": [\"CCI-000131\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (usually postgres), run the following\nSQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nIf the query result does not contain \\\"%m\\\", this is a finding.\"\n tag \"fix\": \"Logging must be enabled in order to capture timestamps. 
To ensure that\nlogging is enabled, review supplementary content APPENDIX-C for instructions on\nenabling logging.\n\nIf logging is enabled the following configurations must be made to log events with\ntimestamps:\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd %m to log_line_prefix to enable timestamps with milliseconds:\n\nlog_line_prefix = '< %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = ['%m']\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73041.rb"},"results":[]},{"id":"V-73045","title":"PostgreSQL must off-load audit data to a separate log management facility;\nthis must be continuous and in near real time for systems with a network connection\nto the storage facility and weekly or more often for stand-alone systems.","desc":"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage\ncapacity.\n\nPostgreSQL may write audit records to database tables, to files in the file system,\nto other kinds of local repository, or directly to a centralized log management\nsystem. 
Whatever the method used, it must be compatible with off-loading the records\nto the centralized system.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage\ncapacity.\n\nPostgreSQL may write audit records to database tables, to files in the file system,\nto other kinds of local repository, or directly to a centralized log management\nsystem. Whatever the method used, it must be compatible with off-loading the records\nto the centralized system."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000515-DB-000318","gid":"V-73045","rid":"SV-87697r1_rule","stig_id":"PGS9-00-011300","cci":["CCI-001848"],"nist":["AU-4","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nensure PostgreSQL uses syslog by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_destination\"\n\nIf log_destination is not syslog, this is a finding.\n\nNext, as the database administrator, check which log facility is configured by\nrunning the following SQL:\n\n$ psql -c \"SHOW syslog_facility\"\n\nCheck with the organization to see how syslog facilities are defined in their\norganization.\n\nIf the wrong facility is configured, this is a finding.\n\nIf PostgreSQL does not have a continuous network connection to the centralized log\nmanagement system, and PostgreSQL audit records are not transferred to the\ncentralized log management system weekly or more often, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL or deploy and configure software tools to transfer audit\nrecords to a centralized log management system, continuously and in near-real time\nwhere a continuous network connection to 
the log management system exists, or at\nleast weekly in the absence of such a connection.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \"postgres\"),\nconfigure the following parameters in postgresql.conf (the example uses the default\nvalues - tailor for environment):\n\nNote: Consult the organization on how syslog facilities are defined in the syslog\ndaemon configuration.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_destination = 'syslog'\nsyslog_facility = 'LOCAL0'\nsyslog_ident = 'postgres'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":" control 'V-73045' do\n tag\t\"cci\": ['CCI-001848']\n tag \"nist\": ['AU-4', 'Rev_4']\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73045.rb"},"results":[]},{"id":"V-73047","title":"PostgreSQL must maintain the authenticity of communications sessions by\nguarding against man-in-the-middle attacks that guess at Session ID values.","desc":"One class of man-in-the-middle, or session hijacking, attack involves the\nadversary guessing at valid session identifiers based on patterns in identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number generator.\n\nHowever, it is recognized that available PostgreSQL products do not all implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective.","descriptions":[{"label":"default","data":"One class of man-in-the-middle, or session hijacking, 
attack involves the\nadversary guessing at valid session identifiers based on patterns in identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number generator.\n\nHowever, it is recognized that available PostgreSQL products do not all implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000224-DB-000384","gid":"V-73047","rid":"SV-87699r1_rule","stig_id":"PGS9-00-011400","cci":["CCI-001188"],"nist":["SC-23 (3)","Rev_4"],"check":"To check if PostgreSQL is configured to use ssl, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\"\n\nIf this is not set to `on`, this is a finding.","fix":"To configure PostgreSQL to use SSL, as a database owner (shown here as\n\"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nFor further SSL configurations, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/ssl-tcp.html"},"code":"control \"V-73047\" do\n title \"PostgreSQL must maintain the authenticity of communications sessions by\nguarding against man-in-the-middle attacks that guess at Session ID values.\"\n desc \"One class of man-in-the-middle, or session hijacking, attack involves the\nadversary guessing at valid session identifiers based on patterns in 
identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number generator.\n\nHowever, it is recognized that available PostgreSQL products do not all implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000224-DB-000384\"\n tag \"gid\": \"V-73047\"\n tag \"rid\": \"SV-87699r1_rule\"\n tag \"stig_id\": \"PGS9-00-011400\"\n tag \"cci\": [\"CCI-001188\"]\n tag \"nist\": [\"SC-23 (3)\", \"Rev_4\"]\n tag \"check\": \"To check if PostgreSQL is configured to use ssl, as the database\nadministrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW ssl\\\"\n\nIf this is not set to `on`, this is a finding.\"\n\n tag \"fix\": \"To configure PostgreSQL to use SSL, as a database owner (shown here as\n\\\"postgres\\\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nFor further SSL configurations, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/ssl-tcp.html\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should match /on|true/i }\n 
end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73047.rb"},"results":[]},{"id":"V-73049","title":"PostgreSQL must uniquely identify and authenticate organizational users (or\nprocesses acting on behalf of organizational users).","desc":"To assure accountability and prevent unauthenticated access, organizational\nusers must be identified and authenticated to prevent potential misuse and\ncompromise of the system.\n\nOrganizational users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nOrganizational users (and any processes acting on behalf of users) must be uniquely\nidentified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations\ndocument specific user actions that can be performed on the information system\nwithout identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without\nindividual authentication. Organizations may require unique identification of\nindividuals using shared accounts, for detailed accountability of individual\nactivity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational\nusers must be identified and authenticated to prevent potential misuse and\ncompromise of the system.\n\nOrganizational users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nOrganizational users (and any processes acting on behalf of users) must be uniquely\nidentified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. 
Organizations\ndocument specific user actions that can be performed on the information system\nwithout identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without\nindividual authentication. Organizations may require unique identification of\nindividuals using shared accounts, for detailed accountability of individual\nactivity."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000148-DB-000103","gid":"V-73049","rid":"SV-87701r1_rule","stig_id":"PGS9-00-011500","cci":["CCI-000764"],"nist":["IA-2","Rev_4"],"check":"Review PostgreSQL settings to determine whether organizational users\nare uniquely identified and authenticated when logging on/connecting to the system.\n\nTo list all roles in the database, as the database administrator (shown here as\n\"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf organizational users are not uniquely identified and authenticated, this is a\nfinding.\n\nNext, as the database administrator (shown here as \"postgres\"), verify the current\npg_hba.conf authentication settings:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_hba.conf\n\nIf every role does not have unique authentication requirements, this is a finding.\n\nIf accounts are determined to be shared, determine if individuals are first\nindividually authenticated. 
If individuals are not individually authenticated before\nusing the shared account, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL settings to uniquely identify and authenticate all\norganizational users who log on/connect to the system.\n\nTo create roles, use the following SQL:\n\nCREATE ROLE [OPTIONS]\n\nFor more information on CREATE ROLE, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-createrole.html\n\nFor each role created, the database administrator can specify database\nauthentication by editing pg_hba.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/pg_hba.conf\n\nAn example pg_hba entry looks like this:\n\n# TYPE DATABASE USER ADDRESS METHOD\nhost test_db bob 192.168.0.0/16 md5\n\nFor more information on pg_hba.conf, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html"},"code":"control \"V-73049\" do\n title \"PostgreSQL must uniquely identify and authenticate organizational users (or\nprocesses acting on behalf of organizational users).\"\n desc \"To assure accountability and prevent unauthenticated access, organizational\nusers must be identified and authenticated to prevent potential misuse and\ncompromise of the system.\n\nOrganizational users include organizational employees or individuals the\norganization deems to have cmpuivalent status of employees (e.g., contractors).\nOrganizational users (and any processes acting on behalf of users) must be uniquely\nidentified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. 
Organizations\ndocument specific user actions that can be performed on the information system\nwithout identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without\nindividual authentication. Organizations may rcmpuire unique identification of\nindividuals using shared accounts, for detailed accountability of individual\nactivity.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000148-DB-000103\"\n tag \"gid\": \"V-73049\"\n tag \"rid\": \"SV-87701r1_rule\"\n tag \"stig_id\": \"PGS9-00-011500\"\n tag \"cci\": [\"CCI-000764\"]\n tag \"nist\": [\"IA-2\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL settings to determine whether organizational users\nare uniquely identified and authenticated when logging on/connecting to the system.\n\nTo list all roles in the database, as the database administrator (shown here as\n\\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\du\\\"\n\nIf organizational users are not uniquely identified and authenticated, this is a\nfinding.\n\nNext, as the database administrator (shown here as \\\"postgres\\\"), verify the current\npg_hba.conf authentication settings:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_hba.conf\n\nIf every role does not have unique authentication rcmpuirements, this is a finding.\n\nIf accounts are determined to be shared, determine if individuals are first\nindividually authenticated. 
If individuals are not individually authenticated before\nusing the shared account, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL settings to uniquely identify and authenticate all\norganizational users who log on/connect to the system.\n\nTo create roles, use the following SQL:\n\nCREATE ROLE [OPTIONS]\n\nFor more information on CREATE ROLE, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-createrole.html\n\nFor each role created, the database administrator can specify database\nauthentication by editing pg_hba.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/pg_hba.conf\n\nAn example pg_hba entry looks like this:\n\n# TYPE DATABASE USER ADDRESS METHOD\nhost test_db bob 192.168.0.0/16 md5\n\nFor more information on pg_hba.conf, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_roles = PG_USERS\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n\n describe sql.query(roles_sql, [PG_DB]) do\n its('lines.sort') { should cmp authorized_roles.sort }\n end\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'local' } do\n its('user.uniq') { should cmp PG_OWNER }\n its('auth_method.uniq') { should_not include 'trust'}\n end\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { database == 'replication' } do\n its('type.uniq') { should cmp 'host' }\n its('address.uniq.sort') { should cmp PG_REPLICAS.sort }\n its('user.uniq') { should cmp 'replication' }\n its('auth_method.uniq') { should cmp 'md5' }\n end\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'host' } do\n its('auth_method.uniq') { should cmp 'md5'}\n 
end\nend\n","source_location":{"line":68,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73049.rb"},"results":[]},{"id":"V-73051","title":"PostgreSQL must automatically terminate a user session after\norganization-defined conditions or trigger events requiring session disconnect.","desc":"This addresses the termination of user-initiated logical sessions in\ncontrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on\nbehalf of a user) accesses an organizational information system. Such user sessions\ncan be terminated (and thus terminate user access) without terminating network\nsessions.\n\nSession termination ends all processes associated with a user's logical session\nexcept those batch processes/jobs that are specifically created by the user (i.e.,\nsession owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include,\nfor example, organization-defined periods of user inactivity, targeted responses to\ncertain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner,\ndata owner, or organization requires additional assurance.","descriptions":[{"label":"default","data":"This addresses the termination of user-initiated logical sessions in\ncontrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on\nbehalf of a user) accesses an organizational information system. 
Such user sessions\ncan be terminated (and thus terminate user access) without terminating network\nsessions.\n\nSession termination ends all processes associated with a user's logical session\nexcept those batch processes/jobs that are specifically created by the user (i.e.,\nsession owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include,\nfor example, organization-defined periods of user inactivity, targeted responses to\ncertain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner,\ndata owner, or organization requires additional assurance."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000295-DB-000305","gid":"V-73051","rid":"SV-87703r1_rule","stig_id":"PGS9-00-011600","cci":["CCI-002361"],"nist":["AC-12","Rev_4"],"check":"Review system documentation to obtain the organization's definition\nof circumstances requiring automatic session termination. If the documentation\nexplicitly states that such termination is not required or is prohibited, this is\nnot a finding.\n\nIf the documentation requires automatic session termination, but PostgreSQL is not\nconfigured accordingly, this is a finding.","fix":"Configure PostgreSQL to automatically terminate a user session after\norganization-defined conditions or trigger events requiring session termination.\n\nExamples follow.\n\n### Change a role to nologin and disconnect the user\n\nALTER ROLE <username> NOLOGIN;\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename='<username>';\n\nRevoke login before terminating the backend; otherwise the client can simply reconnect.\n\n### Disconnecting users during a specific time range\nSee supplementary content APPENDIX-A for a bash script for this example.\n\nThe script found in APPENDIX-A using the -l command can disable all users with\nrolcanlogin=t from logging in. The script keeps track of who it disables in a\n.restore_login file. 
After the specified time is over, the same script can be run\nwith the -r command to restore all login connections.\n\nThis script would be added to a cron job:\n\n# lock at 5 am every day of the week, month, year at the 0 minute mark.\n0 5 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -l\n# restore at 5 pm every day of the week, month, year at the 0 minute mark.\n0 17 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -r"},"code":" control 'V-73051' do\n describe 'For this CMS ARS 3.1 overlay, this control must be reviewed manually' do \n skip 'For this CMS ARS 3.1 overlay, this control must be reviewed manually'\n end\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73051.rb"},"results":[]},{"id":"V-73055","title":"PostgreSQL must map the PKI-authenticated identity to an associated user\naccount.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates. Once a PKI certificate has been validated, it \n must be mapped to PostgreSQL user account for the authenticated \n identity to be meaningful to PostgreSQL and useful for \n authorization decisions.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates. 
Once a PKI certificate has been validated, it \n must be mapped to PostgreSQL user account for the authenticated \n identity to be meaningful to PostgreSQL and useful for \n authorization decisions."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000177-DB-000069","gid":"V-73055","rid":"SV-87707r1_rule","stig_id":"PGS9-00-011800","cci":["CCI-000187"],"nist":["IA-5 (2) (c)","Rev_4"],"check":"The cn (Common Name) attribute of the certificate will be compared\nto the requested database user name, and if they match the login will be allowed.\n\nTo check the cn of the certificate, using openssl, do the following:\n\n$ openssl x509 -noout -subject -in client_cert\n\nIf the cn does not match the users listed in PostgreSQL and no user mapping is used,\nthis is a finding.\n\nUser name mapping can be used to allow cn to be different from the database user\nname. If User Name Maps are used, run the following as the database administrator\n(shown here as \"postgres\"), to get a list of maps used for authentication:\n\n$ sudo su - postgres\n$ grep \"map\" ${PGDATA?}/pg_hba.conf\n\nWith the names of the maps used, check those maps against the user name mappings in\npg_ident.conf:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_ident.conf\n\nIf user accounts are not being mapped to authenticated identities, this is a finding.\n\nIf the cn and the username mapping do not match, this is a finding.","fix":"Configure PostgreSQL to map authenticated identities directly to\nPostgreSQL user accounts.\n\nFor information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":" control 'V-73055' do\n desc 'The CMS standard for authentication is CMS-approved PKI \n certificates. 
Once a PKI certificate has been validated, it \n must be mapped to PostgreSQL user account for the authenticated \n identity to be meaningful to PostgreSQL and useful for \n authorization decisions.'\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73055.rb"},"results":[]},{"id":"V-73057","title":"Database contents must be protected from unauthorized and unintended\ninformation transfer by enforcement of a data-transfer policy.","desc":"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls.","descriptions":[{"label":"default","data":"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. 
It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000243-DB-000128","gid":"V-73057","rid":"SV-87709r1_rule","stig_id":"PGS9-00-011900","cci":["CCI-001090"],"nist":["SC-4","Rev_4"],"check":"Review the procedures for the refreshing of development/test data\nfrom production.\n\nReview any scripts or code that exists for the movement of production data to\ndevelopment/test systems, or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations.\n\nIf the code that exists for data movement does not comply with the\norganization-defined data transfer policy and/or fails to remove any copies of\nproduction data from unprotected locations, this is a finding.","fix":"Modify any code used for moving data from production to\ndevelopment/test systems to comply with the organization-defined data transfer\npolicy, and to ensure copies of production data are not left in unsecured locations."},"code":"control \"V-73057\" do\n title \"Database contents must be protected from unauthorized and unintended\ninformation transfer by enforcement of a data-transfer policy.\"\n desc \"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. 
It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000243-DB-000128\"\n tag \"gid\": \"V-73057\"\n tag \"rid\": \"SV-87709r1_rule\"\n tag \"stig_id\": \"PGS9-00-011900\"\n tag \"cci\": [\"CCI-001090\"]\n tag \"nist\": [\"SC-4\", \"Rev_4\"]\n tag \"check\": \"Review the procedures for the refreshing of development/test data\nfrom production.\n\nReview any scripts or code that exists for the movement of production data to\ndevelopment/test systems, or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations.\n\nIf the code that exists for data movement does not comply with the\norganization-defined data transfer policy and/or fails to remove any copies of\nproduction data from unprotected locations, this is a finding.\"\n\n tag \"fix\": \"Modify any code used for moving data from production to\ndevelopment/test systems to comply with the organization-defined data transfer\npolicy, and to ensure copies of production data are not left in unsecured locations.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73057.rb"},"results":[]},{"id":"V-73061","title":"PostgreSQL must protect its audit configuration from unauthorized\n modification.","desc":"Protecting audit data also includes identifying and protecting the tools\n used to view and manipulate log data. 
Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators.","descriptions":[{"label":"default","data":"Protecting audit data also includes identifying and protecting the tools\n used to view and manipulate log data. Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000122-DB-000203","gid":"V-73061","rid":"SV-87713r1_rule","stig_id":"PGS9-00-012200","cci":["CCI-001494"],"nist":["AU-9","Rev_4"],"check":"All configurations for auditing and logging can be found in the\n postgresql.conf configuration file. 
By default, this file is owned by the\n database administrator account.\n\n To check that the permissions of the postgresql.conf are owned by the database\n administrator with permissions of 0600, run the following as the database\n administrator (shown here as \"postgres\"):\n\n $ sudo su - postgres\n $ ls -la ${PGDATA?}\n\n If postgresql.conf is not owned by the database administrator or does not\n have 0600 permissions, this is a finding.\n\n #### stderr Logging\n\n To check that logs are created with 0600 permissions, check the\n postgresql.conf file for the following setting:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_file_mode\"\n\n If permissions are not 0600, this is a finding.\n\n #### syslog Logging\n\n If PostgreSQL is configured to use syslog, verify that the logs are owned\n by root and have 0600 permissions. If they are not, this is a finding.","fix":"Apply or modify access controls and permissions (both within PostgreSQL\n and in the file system/operating system) to tools used to view or modify\n audit log data. Tools must be configurable by authorized personnel only.\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_file_mode = 0600\n\n Next, as the database administrator (shown here as \"postgres\"), change\n the ownership and permissions of configuration files in PGDATA:\n\n $ sudo su - postgres\n $ chown postgres:postgres ${PGDATA?}/*.conf\n $ chmod 0600 ${PGDATA?}/*.conf"},"code":"control \"V-73061\" do\n title \"PostgreSQL must protect its audit configuration from unauthorized\n modification.\"\n desc \"Protecting audit data also includes identifying and protecting the tools\n used to view and manipulate log data. 
Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000122-DB-000203\"\n tag \"gid\": \"V-73061\"\n tag \"rid\": \"SV-87713r1_rule\"\n tag \"stig_id\": \"PGS9-00-012200\"\n tag \"cci\": [\"CCI-001494\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n\n tag \"check\": \"All configurations for auditing and logging can be found in the\n postgresql.conf configuration file. By default, this file is owned by the\n database administrator account.\n\n To check that the permissions of the postgresql.conf are owned by the database\n administrator with permissions of 0600, run the following as the database\n administrator (shown here as \\\"postgres\\\"):\n\n $ sudo su - postgres\n $ ls -la ${PGDATA?}\n\n If postgresql.conf is not owned by the database administrator or does not\n have 0600 permissions, this is a finding.\n\n #### stderr Logging\n\n To check that logs are created with 0600 permissions, check the\n postgresql.conf file for the following setting:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_file_mode\\\"\n\n If permissions are not 0600, this is a finding.\n\n #### syslog Logging\n\n If PostgreSQL is configured to use syslog, verify that the logs are owned\n by root and have 0600 permissions. 
If they are not, this is a finding.\"\n\n tag \"fix\": \"Apply or modify access controls and permissions (both within PostgreSQL\n and in the file system/operating system) to tools used to view or modify\n audit log data. Tools must be configurable by authorized personnel only.\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_file_mode = 0600\n\n Next, as the database administrator (shown here as \\\"postgres\\\"), change\n the ownership and permissions of configuration files in PGDATA:\n\n $ sudo su - postgres\n $ chown postgres:postgres ${PGDATA?}/*.conf\n $ chmod 0600 ${PGDATA?}/*.conf\"\n\n describe file(PG_CONF_FILE) do\n it { should be_file }\n its('mode') { should cmp '0600' }\n end\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_destination_query = sql.query('SHOW log_destination;', [PG_DB])\n log_destination = log_destination_query.output\n\n if log_destination =~ /stderr/i\n describe sql.query('SHOW log_file_mode;', [PG_DB]) do\n its('output') { should cmp '0600' }\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73061.rb"},"results":[]},{"id":"V-73063","title":"PostgreSQL must use NIST FIPS 140-2 validated cryptographic modules for\n cryptographic operations.","desc":"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. 
Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules.","descriptions":[{"label":"default","data":"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. 
Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000179-DB-000114","gid":"V-73063","rid":"SV-87715r1_rule","stig_id":"PGS9-00-012300","cci":["CCI-000803"],"nist":["IA-7","Rev_4"],"check":"As the system administrator, run the following:\n\n $ openssl version\n If \"fips\" is not included in the openssl version, this is a finding.","fix":"Configure OpenSSL to meet FIPS Compliance using the following\n documentation in section 9.1:\n\n http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf\n\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G."},"code":"control \"V-73063\" do\n title \"PostgreSQL must use NIST FIPS 140-2 validated cryptographic modules for\n cryptographic operations.\"\n desc \"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. 
Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules.\"\n impact 0.7\n tag \"severity\": \"high\"\n\n tag \"gtitle\": \"SRG-APP-000179-DB-000114\"\n tag \"gid\": \"V-73063\"\n tag \"rid\": \"SV-87715r1_rule\"\n tag \"stig_id\": \"PGS9-00-012300\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n\n tag \"check\": \"As the system administrator, run the following:\n\n $ openssl version\n If \\\"fips\\\" is not included in the openssl version, this is a finding.\"\n\n tag \"fix\": \"Configure OpenSSL to meet FIPS Compliance using the following\n documentation in section 9.1:\n\n http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf\n\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G.\"\n\n only_if do\n command('openssl').exist?\n end\n\n describe command('openssl version') do\n its('stdout') { should include 'fips' }\n end\nend\n","source_location":{"line":87,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73063.rb"},"results":[]},{"id":"V-73065","title":"Audit records must be generated when categorized information (e.g.,\n classification levels/security levels) is deleted.","desc":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000502-DB-000348","gid":"V-73065","rid":"SV-87717r1_rule","stig_id":"PGS9-00-012500","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that role, read, write and ddl auditing are enabled:\n\n $ psql -c \"SHOW pgaudit.log\"\n\n If the output does not contain role, read, write, and ddl,\n this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations can be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73065\" do\n title \"Audit records must be generated when categorized information (e.g.,\n classification levels/security levels) is deleted.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000502-DB-000348\"\n tag \"gid\": \"V-73065\"\n tag \"rid\": \"SV-87717r1_rule\"\n tag \"stig_id\": \"PGS9-00-012500\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that role, read, write and ddl auditing are enabled:\n\n $ psql -c \\\"SHOW pgaudit.log\\\"\n\n If the output does not contain role, read, write, and ddl,\n this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on 
configuring\n PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations can be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73065.rb"},"results":[]},{"id":"V-73067","title":"PostgreSQL must generate audit records when successful accesses to\n objects occur.","desc":"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUT.","descriptions":[{"label":"default","data":"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, 
and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUTE."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000507-DB-000356","gid":"V-73067","rid":"SV-87719r1_rule","stig_id":"PGS9-00-012600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that read and write auditing are enabled:\n\n $ psql -c \"SHOW pgaudit.log\"\n\n If the output does not contain read and write, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n If logging is enabled the following configurations must be made to log\n connections, date/time, username and session identifier, and successful\n read and write access to database objects.\n\n As the database administrator (shown here as \"postgres\"),\n edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Edit the following parameters:\n\n log_connections = on\n log_line_prefix = '< %m %u %c: >'\n pgaudit.log = 'read, write'\n\n Where:\n * %m is the time and date\n * %u is the username\n * %c is the session ID for the connection\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73067\" do\n title \"PostgreSQL must generate audit records when successful accesses to\n objects occur.\"\n desc 
\"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUT.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000507-DB-000356\"\n tag \"gid\": \"V-73067\"\n tag \"rid\": \"SV-87719r1_rule\"\n tag \"stig_id\": \"PGS9-00-012600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that role, read, write, and ddl auditing are enabled:\n\n $ psql -c \\\"SHOW pgaudit.log\\\"\n\n If the output does not contain read and write, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n If logging is enabled the following configurations must be made to log\n unsuccessful connections, date/time, username and session identifier.\n\n As the database administrator (shown here as \\\"postgres\\\"),\n edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Edit the following parameters:\n\n log_connections = on\n log_line_prefix = '< %m %u %c: >'\n pgaudit.log = 'read, write'\n\n Where:\n * %m is the time and date\n * %u is the username\n * %c is the session ID for the connection\n\n Now, as the system administrator, reload the server with the new\n 
configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = ['read', 'write']\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73067.rb"},"results":[]},{"id":"V-73069","title":"PostgreSQL must generate audit records for all direct access to the\n database(s).","desc":"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. Examples would be the command line or a database management\n utility program. The intent is to capture all activity from administrative\n and non-standard sources.","descriptions":[{"label":"default","data":"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. Examples would be the command line or a database management\n utility program. 
The intent is to capture all activity from administrative\n and non-standard sources."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000508-DB-000358","gid":"V-73069","rid":"SV-87721r1_rule","stig_id":"PGS9-00-012700","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that connections and disconnections are being logged by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_connections\"\n $ psql -c \"SHOW log_disconnections\"\n\n If the output of either command does not contain \"on\", this is a finding.\n\n Verify that pgaudit is configured to audit DDL, role, read and write\n statements by running the following SQL:\n\n $ psql -c \"SHOW pgaudit.log\"\n\n If the output does not contain ddl, role, read, and write,\n this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations should be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73069\" do\n title \"PostgreSQL must generate audit records for all direct access to the\n database(s).\"\n desc \"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. Examples would be the command line or a database management\n utility program. The intent is to capture all activity from administrative\n and non-standard sources.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000508-DB-000358\"\n tag \"gid\": \"V-73069\"\n tag \"rid\": \"SV-87721r1_rule\"\n tag \"stig_id\": \"PGS9-00-012700\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that connections and disconnections are being logged by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_connections\\\"\n $ psql -c \\\"SHOW log_disconnections\\\"\n\n If the output does not contain \\\"on\\\",\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA 
environment\n variable. See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations should be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73069.rb"},"results":[]},{"id":"V-73071","title":"The DBMS must be configured on a platform that has a NIST certified\n FIPS 140-2 installation of OpenSSL.","desc":"Postgres uses OpenSSL for the underlying encryption layer. Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries.","descriptions":[{"label":"default","data":"Postgres uses OpenSSL for the underlying encryption layer. 
Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000179-DB-000114","gid":"V-73071","rid":"SV-87723r1_rule","stig_id":"PGS9-00-012800","cci":["CCI-000803"],"nist":["IA-7","Rev_4"],"check":"If the deployment incorporates a custom build of the operating\n system and Postgres guaranteeing the use of FIPS 140-2 compliant OpenSSL,\n this is not a finding.\n\n If PostgreSQL is not installed on Red Hat Enterprise Linux (RHEL),\n this is a finding.\n\n If FIPS encryption is not enabled, this is a finding.","fix":"Install Postgres with FIPS-compliant cryptography enabled on RHEL;\n or by other means ensure that FIPS 140-2 certified OpenSSL libraries are\n used by the DBMS."},"code":"control \"V-73071\" do\n title \"The DBMS must be configured on a platform that has a NIST certified\n FIPS 140-2 installation of OpenSSL.\"\n desc \"Postgres uses OpenSSL for the underlying encryption layer. Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. 
For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries.\"\n impact 0.7\n tag \"severity\": \"high\"\n\n tag \"gtitle\": \"SRG-APP-000179-DB-000114\"\n tag \"gid\": \"V-73071\"\n tag \"rid\": \"SV-87723r1_rule\"\n tag \"stig_id\": \"PGS9-00-012800\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n\n tag \"check\": \"If the deployment incorporates a custom build of the operating\n system and Postgres guaranteeing the use of FIPS 140-2 compliant OpenSSL,\n this is not a finding.\n\n If PostgreSQL is not installed on Red Hat Enterprise Linux (RHEL),\n this is a finding.\n\n If FIPS encryption is not enabled, this is a finding.\"\n\n # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Federal_Standards_and_Regulations.html\n\n # fips=1 kernel option to the kernel command line during system\n # installation.\n\n # PRELINKING=no option in the /etc/sysconfig/prelink\n # run\n\n # yum install dracut-fips\n # For the CPUs with the AES New Instructions (AES-NI) support, install the\n # vdracut-fips-aesni package as well:\n\n # in the CM:\n # To disable existing prelinking on all system files, use the\n # prelink -u -a command.\n\n tag \"fix\": \"Install Postgres with FIPS-compliant cryptography enabled on RHEL;\n or by other means ensure that FIPS 140-2 certified OpenSSL libraries are\n used by the DBMS.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73071.rb"},"results":[]},{"id":"V-73123","title":"PostgreSQL must produce audit records containing sufficient information\n to establish where the events occurred.","desc":"Information system auditing capability is critical for accurate forensic\n analysis. 
Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\n analysis. Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000097-DB-000041","gid":"V-73123","rid":"SV-87775r1_rule","stig_id":"PGS9-00-007100","cci":["CCI-000132"],"nist":["AU-3","Rev_4"],"check":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n First, as the database administrator (shown here as \"postgres\"), check the\n current log_line_prefix setting by running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n\n If log_line_prefix 
does not contain %m %u %d %s, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n To check that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First edit the postgresql.conf file as the database administrator (shown here\n as \"postgres\"):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Extra parameters can be added to the setting log_line_prefix to log application\n related information:\n\n # %a = application name\n # %u = user name\n # %d = database name\n # %r = remote host and port\n # %p = process ID\n # %m = timestamp with milliseconds\n # %i = command tag\n # %s = session startup\n # %e = SQL state\n\n For example:\n log_line_prefix = '<%m %a %u %d %r %p %i %e %s>'\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73123\" do\n title \"PostgreSQL must produce audit records containing sufficient information\n to establish where the events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\n analysis. 
Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000097-DB-000041\"\n tag \"gid\": \"V-73123\"\n tag \"rid\": \"SV-87775r1_rule\"\n tag \"stig_id\": \"PGS9-00-007100\"\n tag \"cci\": [\"CCI-000132\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n\n tag \"check\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n First, as the database administrator (shown here as \\\"postgres\\\"), check the\n current log_line_prefix setting by running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_line_prefix\\\"\n\n If log_line_prefix does not contain %m %u %d %s, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n To check that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First edit the postgresql.conf file as the database administrator (shown here\n as \\\"postgres\\\"):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Extra parameters can be added to the setting log_line_prefix to log application\n related information:\n\n # %a = application name\n # %u = user name\n # %d = database name\n # %r = 
remote host and port\n # %p = process ID\n # %m = timestamp with milliseconds\n # %i = command tag\n # %s = session startup\n # %e = SQL state\n\n For example:\n log_line_prefix = '<%m %a %u %d %r %p %i %e %s>’\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73123.rb"},"results":[]}],"status":"loaded"},{"name":"crunchydata-postgres-stig","version":"1.0.0","sha256":"87cbf5c911e50ee9b609e5476a7e22ae111c8a041a4b2e4dbbf138af7cdfe7dd","title":"Crunchy PostgreSQL 9.5 Security Technical Implementation Guide InSpec profile","maintainer":"Yogesh Sharma , Aaron Lippold ","summary":"The Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Release Date: 2017-01-20 Version: 1 Publisher: DISA Source: STIG.DOD.MIL uri: http://iase.disa.mil","license":"Apache 2.0","copyright":"Crunchy Data","copyright_email":"info@crunchydata.com","supports":[],"attributes":[{"name":"pg_dba","options":{"description":"The postgres DBA user to access the test database"}},{"name":"pg_dba_password","options":{"description":"The password for the postgres DBA user"}},{"name":"pg_db","options":{"description":"The database used for tests"}},{"name":"pg_host","options":{"description":"The hostname or IP address used to connect to the database"}},{"name":"pg_port","options":{"description":"The port used to connect to the database"}},{"name":"pg_data_dir","options":{"description":"The postgres data directory"}},{"name":"pg_conf_file","options":{"description":"The postgres configuration file"}},{"name":"pg_user_defined_conf","options":{"description":"An additional postgres configuration file used to override default values"}},{"name":"pg_hba_conf_file","options":{"description":"The postgres hba configuration file"}},{"name":"pg_owner","options":{"description":"The system user of the postgres process"}},{"name":"pg_superusers","options":{"description":"Authorized superuser accounts"}},{"name":"pg_replicas","options":{"description":"List of postgres replicas in CIDR notation"}},{"name":"pg_max_connections","options":{"description":"The maximum number of connections a user can have open at one time"}},{"name":"pg_group","options":{"description":"The system group of the postgres process"}},{"name":"pg_timezone","options":{"description":"PostgreSQL timezone"}},{"name":"pg_version","options":{"description":"The version of postgres"}},{"name":"pg_shared_dirs","options":{"description":"defines the locations of the postgresql shared library directories"}},{"name":"pg_object_granted_privileges","options":{"description":"Privileges that can be granted to a role for a database 
object","value":"arwdDxt"}},{"name":"pg_object_public_privileges","options":{"description":"Privileges that can be granted to public for a database object","value":"r"}},{"name":"pg_object_exceptions","options":{"description":"List of database objects that should be excepted from tests","value":["pg_settings"]}},{"name":"pg_users","options":{"description":"Authorized accounts","value":"postgres"}}],"parent_profile":"pgstigcheck-inspec","groups":[{"id":"controls/V-72841.rb","controls":["V-72841"]},{"id":"controls/V-72845.rb","controls":["V-72845"]},{"id":"controls/V-72849.rb","controls":["V-72849"]},{"id":"controls/V-72851.rb","controls":["V-72851"]},{"id":"controls/V-72857.rb","controls":["V-72857"]},{"id":"controls/V-72859.rb","controls":["V-72859"]},{"id":"controls/V-72861.rb","controls":["V-72861"]},{"id":"controls/V-72863.rb","controls":["V-72863"]},{"id":"controls/V-72865.rb","controls":["V-72865"]},{"id":"controls/V-72867.rb","controls":["V-72867"]},{"id":"controls/V-72869.rb","controls":["V-72869"]},{"id":"controls/V-72871.rb","controls":["V-72871"]},{"id":"controls/V-72873.rb","controls":["V-72873"]},{"id":"controls/V-72875.rb","controls":["V-72875"]},{"id":"controls/V-72877.rb","controls":["V-72877"]},{"id":"controls/V-72883.rb","controls":["V-72883"]},{"id":"controls/V-72887.rb","controls":["V-72887"]},{"id":"controls/V-72891.rb","controls":["V-72891"]},{"id":"controls/V-72893.rb","controls":["V-72893"]},{"id":"controls/V-72895.rb","controls":["V-72895"]},{"id":"controls/V-72897.rb","controls":["V-72897"]},{"id":"controls/V-72899.rb","controls":["V-72899"]},{"id":"controls/V-72901.rb","controls":["V-72901"]},{"id":"controls/V-72903.rb","controls":["V-72903"]},{"id":"controls/V-72905.rb","controls":["V-72905"]},{"id":"controls/V-72909.rb","controls":["V-72909"]},{"id":"controls/V-72911.rb","controls":["V-72911"]},{"id":"controls/V-72917.rb","controls":["V-72917"]},{"id":"controls/V-72919.rb","controls":["V-72919"]},{"id":"controls/V-72931.rb","controls":["V
-72931"]},{"id":"controls/V-72949.rb","controls":["V-72949"]},{"id":"controls/V-72953.rb","controls":["V-72953"]},{"id":"controls/V-72955.rb","controls":["V-72955"]},{"id":"controls/V-72957.rb","controls":["V-72957"]},{"id":"controls/V-72959.rb","controls":["V-72959"]},{"id":"controls/V-72961.rb","controls":["V-72961"]},{"id":"controls/V-72963.rb","controls":["V-72963"]},{"id":"controls/V-72965.rb","controls":["V-72965"]},{"id":"controls/V-72971.rb","controls":["V-72971"]},{"id":"controls/V-72973.rb","controls":["V-72973"]},{"id":"controls/V-72979.rb","controls":["V-72979"]},{"id":"controls/V-72981.rb","controls":["V-72981"]},{"id":"controls/V-72983.rb","controls":["V-72983"]},{"id":"controls/V-72987.rb","controls":["V-72987"]},{"id":"controls/V-72989.rb","controls":["V-72989"]},{"id":"controls/V-72991.rb","controls":["V-72991"]},{"id":"controls/V-72993.rb","controls":["V-72993"]},{"id":"controls/V-72995.rb","controls":["V-72995"]},{"id":"controls/V-72999.rb","controls":["V-72999"]},{"id":"controls/V-73001.rb","controls":["V-73001"]},{"id":"controls/V-73003.rb","controls":["V-73003"]},{"id":"controls/V-73005.rb","controls":["V-73005"]},{"id":"controls/V-73011.rb","controls":["V-73011"]},{"id":"controls/V-73013.rb","controls":["V-73013"]},{"id":"controls/V-73015.rb","controls":["V-73015"]},{"id":"controls/V-73017.rb","controls":["V-73017"]},{"id":"controls/V-73019.rb","controls":["V-73019"]},{"id":"controls/V-73021.rb","controls":["V-73021"]},{"id":"controls/V-73023.rb","controls":["V-73023"]},{"id":"controls/V-73025.rb","controls":["V-73025"]},{"id":"controls/V-73027.rb","controls":["V-73027"]},{"id":"controls/V-73029.rb","controls":["V-73029"]},{"id":"controls/V-73031.rb","controls":["V-73031"]},{"id":"controls/V-73033.rb","controls":["V-73033"]},{"id":"controls/V-73035.rb","controls":["V-73035"]},{"id":"controls/V-73037.rb","controls":["V-73037"]},{"id":"controls/V-73041.rb","controls":["V-73041"]},{"id":"controls/V-73045.rb","controls":["V-73045"]},{"id":"control
s/V-73047.rb","controls":["V-73047"]},{"id":"controls/V-73049.rb","controls":["V-73049"]},{"id":"controls/V-73051.rb","controls":["V-73051"]},{"id":"controls/V-73055.rb","controls":["V-73055"]},{"id":"controls/V-73057.rb","controls":["V-73057"]},{"id":"controls/V-73061.rb","controls":["V-73061"]},{"id":"controls/V-73063.rb","controls":["V-73063"]},{"id":"controls/V-73065.rb","controls":["V-73065"]},{"id":"controls/V-73067.rb","controls":["V-73067"]},{"id":"controls/V-73069.rb","controls":["V-73069"]},{"id":"controls/V-73071.rb","controls":["V-73071"]},{"id":"controls/V-73123.rb","controls":["V-73123"]}],"controls":[{"id":"V-72841","title":"PostgreSQL must be configured to prohibit or restrict the use of\n organization-defined functions, ports, protocols, and/or services, as\n defined in the PPSM CAL and vulnerability assessments.","desc":"In order to prevent unauthorized connection of devices, unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. 
Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. 
Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000142-DB-000094","gid":"V-72841","rid":"SV-87493r1_rule","stig_id":"PGS9-00-000100","cci":["CCI-000382","CCI-001762"],"nist":["CM-7 b","CM-7 (1) (b)","Rev_4"],"check":"As the database administrator, run the following SQL:\n\n $ psql -c \"SHOW port\"\n\n If the currently defined port configuration is deemed prohibited, this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To change the listening port of the database, as the database administrator,\n change the following setting in postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n\n Change the port parameter to the desired port.\n\n Next, restart the database:\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ service postgresql-9.5 restart\n\n Note: psql uses the default port 5432 by default. This can be changed by\n specifying the port with psql or by setting the PGPORT environment variable:\n\n $ psql -p 5432 -c \"SHOW port\"\n $ export PGPORT=5432"},"code":"control \"V-72841\" do\n title \"PostgreSQL must be configured to prohibit or restrict the use of\n organization-defined functions, ports, protocols, and/or services, as\n defined in the PPSM CAL and vulnerability assessments.\"\n desc \"In order to prevent unauthorized connection of devices, unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. 
Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system.\"\n impact 0.5\n \n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000142-DB-000094\"\n tag \"gid\": \"V-72841\"\n tag \"rid\": \"SV-87493r1_rule\"\n tag \"stig_id\": \"PGS9-00-000100\"\n tag \"cci\": [\"CCI-000382\",\"CCI-001762\"]\n tag \"nist\": [\"CM-7 b\", \"CM-7 (1) (b)\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, run the following SQL:\n\n $ psql -c \\\"SHOW port\\\"\n\n If the currently defined port configuration is deemed prohibited, this is a\n finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To change the listening port of the database, as the database administrator,\n change the following setting in postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n\n Change the port parameter to the desired port.\n\n Next, restart the database:\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ service postgresql-9.5 restart\n\n Note: psql uses the default port 5432 by default. This can be changed by\n specifying the port with psql or by setting the PGPORT environment variable:\n\n $ psql -p 5432 -c \\\"SHOW port\\\"\n $ export PGPORT=5432\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW port;', [PG_DB]) do\n its('output') { should eq PG_PORT }\n end\n\n describe port(PG_PORT) do\n it { should be_listening }\n its('processes') { should include 'postgres' }\n end\nend\n","source_location":{"line":48,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72841.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW port; output should eq \"5432\"","run_time":0.000824361,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"5432\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1,2 +1,5 @@\n-5432\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"Port 5432 should be listening","run_time":0.054252714,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Port 5432.listening?` to return true, got false"},{"status":"failed","code_desc":"Port 5432 processes should include 
\"postgres\"","run_time":0.000316652,"start_time":"2019-04-22T14:20:39+00:00","message":"expected [] to include \"postgres\""}]},{"id":"V-72845","title":"Security-relevant software updates to PostgreSQL must be installed\n within the time period directed by an authoritative source (e.g., IAVM, CTOs,\n DTMs, and STIGs).","desc":"Security flaws with software applications, including database\n management systems, are discovered daily. Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. 
The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs).","descriptions":[{"label":"default","data":"Security flaws with software applications, including database\n management systems, are discovered daily. Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. 
The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs)."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000456-DB-000390","gid":"V-72845","rid":"SV-87497r1_rule","stig_id":"PGS9-00-000300","cci":["CCI-002605"],"nist":["SI-2 c","Rev_4"],"check":"If new packages are available for PostgreSQL, they can be\n reviewed in the package manager appropriate for the server operating system:\n To list the version of installed PostgreSQL using psql:\n $ sudo su - postgres\n $ psql -–version\n To list the current version of software for RPM:\n $ rpm -qa | grep postgres\n To list the current version of software for APT:\n $ apt-cache policy postgres\n All versions of PostgreSQL will be listed on:\n http://www.postgresql.org/support/versioning/\n All security-relevant software updates for PostgreSQL will be listed on:\n http://www.postgresql.org/support/security/\n If PostgreSQL is not at the latest version, this is a finding.\n If PostgreSQL is not at the latest version and the evaluated version has CVEs\n (IAVAs), then this is a CAT I finding.","fix":"Institute and adhere to policies and procedures to ensure that\n patches are consistently applied to PostgreSQL within the time allowed."},"code":" control \"V-72845\" do\n title \"Security-relevant software updates to PostgreSQL must be installed\n within the time period directed by an authoritative source (e.g., IAVM, CTOs,\n DTMs, and STIGs).\"\n desc \"Security flaws with software applications, including database\n management systems, are discovered daily. 
Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. 
The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs).\"\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000456-DB-000390\"\n tag \"gid\": \"V-72845\"\n tag \"rid\": \"SV-87497r1_rule\"\n tag \"stig_id\": \"PGS9-00-000300\"\n tag \"cci\": [\"CCI-002605\"]\n tag \"nist\": [\"SI-2 c\", \"Rev_4\"]\n\n tag \"check\": \"If new packages are available for PostgreSQL, they can be\n reviewed in the package manager appropriate for the server operating system:\n To list the version of installed PostgreSQL using psql:\n $ sudo su - postgres\n $ psql -–version\n To list the current version of software for RPM:\n $ rpm -qa | grep postgres\n To list the current version of software for APT:\n $ apt-cache policy postgres\n All versions of PostgreSQL will be listed on:\n http://www.postgresql.org/support/versioning/\n All security-relevant software updates for PostgreSQL will be listed on:\n http://www.postgresql.org/support/security/\n If PostgreSQL is not at the latest version, this is a finding.\n If PostgreSQL is not at the latest version and the evaluated version has CVEs\n (IAVAs), then this is a CAT I finding.\"\n\n tag \"fix\": \"Institute and adhere to policies and procedures to ensure that\n patches are consistently applied to PostgreSQL within the time allowed.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72845.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":1.3398e-05,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72849","title":"PostgreSQL must integrate with an organization-level\n authentication/access mechanism providing account management and automation\n for all users, groups, roles, and any other principals.","desc":"Enterprise environments 
make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements.","descriptions":[{"label":"default","data":"Enterprise environments make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. 
Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000023-DB-000001","gid":"V-72849","rid":"SV-87501r1_rule","stig_id":"PGS9-00-000500","cci":["CCI-000015"],"nist":["AC-2 (1)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. 
If all accounts are authenticated by the organization-level\n authentication/access mechanism, such as LDAP or Kerberos and not by\n PostgreSQL, this is not a finding. As the database administrator (shown here\n as \"postgres\"), review pg_hba.conf authentication file settings:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n All records must use an auth-method of gss, sspi, or ldap. For details on the\n specifics of these authentication methods see:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n If there are any records with a different auth-method than gss, sspi, or ldap,\n review the system documentation for justification and approval of these records.\n If there are any records with a different auth-method than gss, sspi, or ldap,\n that are not documented and approved, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. Integrate PostgreSQL security with an organization-level\n authentication/access mechanism providing account management for all users,\n groups, roles, and any other principals. As the database administrator (shown\n here as \"postgres\"), edit pg_hba.conf authentication file:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n\n For each PostgreSQL-managed account that is not documented and approved,\n either transfer it to management by the external mechanism, or document the\n need for it and obtain approval, as appropriate."},"code":"control \"V-72849\" do\n title \"PostgreSQL must integrate with an organization-level\n authentication/access mechanism providing account management and automation\n for all users, groups, roles, and any other principals.\"\n desc \"Enterprise environments make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. 
Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000023-DB-000001\"\n tag \"gid\": \"V-72849\"\n tag \"rid\": \"SV-87501r1_rule\"\n tag \"stig_id\": \"PGS9-00-000500\"\n tag \"cci\": [\"CCI-000015\"]\n tag \"nist\": [\"AC-2 (1)\", \"Rev_4\"]\n\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. 
If all accounts are authenticated by the organization-level\n authentication/access mechanism, such as LDAP or Kerberos and not by\n PostgreSQL, this is not a finding. As the database administrator (shown here\n as \\\"postgres\\\"), review pg_hba.conf authentication file settings:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n All records must use an auth-method of gss, sspi, or ldap. For details on the\n specifics of these authentication methods see:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n If there are any records with a different auth-method than gss, sspi, or ldap,\n review the system documentation for justification and approval of these records.\n If there are any records with a different auth-method than gss, sspi, or ldap,\n that are not documented and approved, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. Integrate PostgreSQL security with an organization-level\n authentication/access mechanism providing account management for all users,\n groups, roles, and any other principals. 
As the database administrator (shown\n here as \\\"postgres\\\"), edit pg_hba.conf authentication file:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n\n For each PostgreSQL-managed account that is not documented and approved,\n either transfer it to management by the external mechanism, or document the\n need for it and obtain approval, as appropriate.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72849.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":8.118e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72851","title":"PostgreSQL must provide non-privileged users with error messages that\n provide information necessary for corrective actions without revealing\n information that could be exploited by adversaries.","desc":"Any PostgreSQL or associated application providing too much information\n in error messages on the screen or printout risks compromising the data\n and security of the system. The structure and content of error messages\n need to be carefully considered by the organization and development team.\n\n Databases can inadvertently provide a wealth of information to an\n attacker through improperly handled error messages. In addition to\n sensitive business or personal information, database errors can provide\n host names, IP addresses, user names, and other system information not\n required for troubleshooting but very useful to someone targeting the\n system.\n\n Carefully consider the structure/content of error messages. The extent\n to which information systems are able to identify and handle error\n conditions is guided by organizational policy and operational\n requirements. 
Information that could be exploited by adversaries\n includes, for example, logon attempts with passwords entered by mistake\n as the username, mission/business information that can be derived from\n (if not stated explicitly by) information recorded, and personal\n information, such as account numbers, social security numbers, and\n credit card numbers.","descriptions":[{"label":"default","data":"Any PostgreSQL or associated application providing too much information\n in error messages on the screen or printout risks compromising the data\n and security of the system. The structure and content of error messages\n need to be carefully considered by the organization and development team.\n\n Databases can inadvertently provide a wealth of information to an\n attacker through improperly handled error messages. In addition to\n sensitive business or personal information, database errors can provide\n host names, IP addresses, user names, and other system information not\n required for troubleshooting but very useful to someone targeting the\n system.\n\n Carefully consider the structure/content of error messages. The extent\n to which information systems are able to identify and handle error\n conditions is guided by organizational policy and operational\n requirements. 
Information that could be exploited by adversaries\n includes, for example, logon attempts with passwords entered by mistake\n as the username, mission/business information that can be derived from\n (if not stated explicitly by) information recorded, and personal\n information, such as account numbers, social security numbers, and\n credit card numbers."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000266-DB-000162","gid":"V-72851","rid":"SV-87503r1_rule","stig_id":"PGS9-00-000600","cci":["CCI-001312"],"nist":["SI-11 a","Rev_4"],"check":"As the database administrator, run the following SQL:\n\n SELECT current_setting('client_min_messages');\n\n If client_min_messages is *not* set to error, this is a finding.","fix":"As the database administrator, edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n Change the client_min_messages parameter to be error:\n client_min_messages = 'error'\n\n Now reload the server with the new configuration (this just reloads settings\n currently in memory, will not cause an interruption):\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ service postgresql-9.5 reload "},"code":"control \"V-72851\" do\n title \"PostgreSQL must provide non-privileged users with error messages that\n provide information necessary for corrective actions without revealing\n information that could be exploited by adversaries.\"\n desc \"Any PostgreSQL or associated application providing too much information\n in error messages on the screen or printout risks compromising the data\n and security of the system. The structure and content of error messages\n need to be carefully considered by the organization and development team.\n\n Databases can inadvertently provide a wealth of information to an\n attacker through improperly handled error messages. 
In addition to\n sensitive business or personal information, database errors can provide\n host names, IP addresses, user names, and other system information not\n required for troubleshooting but very useful to someone targeting the\n system.\n\n Carefully consider the structure/content of error messages. The extent\n to which information systems are able to identify and handle error\n conditions is guided by organizational policy and operational\n requirements. Information that could be exploited by adversaries\n includes, for example, logon attempts with passwords entered by mistake\n as the username, mission/business information that can be derived from\n (if not stated explicitly by) information recorded, and personal\n information, such as account numbers, social security numbers, and\n credit card numbers.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000266-DB-000162\"\n tag \"gid\": \"V-72851\"\n tag \"rid\": \"SV-87503r1_rule\"\n tag \"stig_id\": \"PGS9-00-000600\"\n tag \"cci\": [\"CCI-001312\"]\n tag \"nist\": [\"SI-11 a\", \"Rev_4\"]\n tag \"check\": \"As the database administrator, run the following SQL:\n\n SELECT current_setting('client_min_messages');\n\n If client_min_messages is *not* set to error, this is a finding.\"\n\n tag \"fix\": \"As the database administrator, edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n Change the client_min_messages parameter to be error:\n client_min_messages = 'error'\n\n Now reload the server with the new configuration (this just reloads settings\n currently in memory, will not cause an interruption):\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ service postgresql-9.5 reload \"\n\n default = postgres_conf(PG_CONF_FILE)\n override = postgres_conf(PG_USER_DEFINED_CONF)\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW client_min_messages;', [PG_DB]) 
do\n its('output') { should match /^error$/i }\n end\n\n cmm_conf = override.client_min_messages ? override : default\n describe cmm_conf do\n its('client_min_messages') { should match /^error$/i }\n end\nend\n","source_location":{"line":57,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72851.rb"},"results":[{"status":"failed","code_desc":"Control Source Code Error /home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72851.rb:57 ","run_time":7.7443e-05,"start_time":"2019-04-22T14:20:39+00:00","message":"can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to String (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_str gives Inspec::Attribute::DEFAULT_ATTRIBUTE)","exception":"RuntimeError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/rule.rb:64:in `block (2 levels) in initialize'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in 
`with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in 
`run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]}]},{"id":"V-72857","title":"If passwords are used for authentication, PostgreSQL must transmit only\n encrypted representations of passwords.","desc":"The CMS standard for authentication is CMS-approved \n PKI certificates.\n\n Authentication based on User ID and Password may be \n used only when it is not possible to employ a PKI \n certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all \n times, and encryption is the standard method for \n protecting passwords during transmission.\n\n PostgreSQL passwords sent in clear text format across \n the network are vulnerable to discovery by unauthorized \n users. Disclosure of passwords may easily lead to \n unauthorized access to the database.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved \n PKI certificates.\n\n Authentication based on User ID and Password may be \n used only when it is not possible to employ a PKI \n certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all \n times, and encryption is the standard method for \n protecting passwords during transmission.\n\n PostgreSQL passwords sent in clear text format across \n the network are vulnerable to discovery by unauthorized \n users. Disclosure of passwords may easily lead to \n unauthorized access to the database."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000172-DB-000075","gid":"V-72857","rid":"SV-87509r1_rule","stig_id":"PGS9-00-000800","cci":["CCI-000197"],"nist":["IA-5 (1) (c)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. 
As the database administrator (shown here as \"postgres\"), review\n the authentication entries in pg_hba.conf:\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n If any entries use the auth_method (last column in records) \"password\", this\n is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n As the database administrator (shown here as \"postgres\"), edit\n pg_hba.conf authentication file and change all entries of \"password\" to\n \"md5\":\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n host all all .example.com md5"},"code":"control \"V-72857\" do\n title \"If passwords are used for authentication, PostgreSQL must transmit only\n encrypted representations of passwords.\"\n desc \"The DoD standard for authentication is DoD-approved PKI certificates.\n Authentication based on User ID and Password may be used only when it is\n not possible to employ a PKI certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all times, and\n encryption is the standard method for protecting passwords during\n transmission.\n\n PostgreSQL passwords sent in clear text format across the network are\n vulnerable to discovery by unauthorized users. Disclosure of passwords\n may easily lead to unauthorized access to the database.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000172-DB-000075\"\n tag \"gid\": \"V-72857\"\n tag \"rid\": \"SV-87509r1_rule\"\n tag \"stig_id\": \"PGS9-00-000800\"\n tag \"cci\": [\"CCI-000197\"]\n tag \"nist\": [\"IA-5 (1) (c)\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. 
As the database administrator (shown here as \\\"postgres\\\"), review\n the authentication entries in pg_hba.conf:\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n If any entries use the auth_method (last column in records) \\\"password\\\", this\n is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n As the database administrator (shown here as \\\"postgres\\\"), edit\n pg_hba.conf authentication file and change all entries of \\\"password\\\" to\n \\\"md5\\\":\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n host all all .example.com md5\"\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE) do\n its('auth_method') { should_not include 'password' }\n end\nend\n","source_location":{"line":32,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72857.rb"},"results":[{"status":"skipped","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf","run_time":8.209e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf","skip_message":"Can't find file: /var/lib/pgsql/9.5/data/pg_hba.conf"}]},{"id":"V-72859","title":"PostgreSQL must enforce approved authorizations for logical access to\n information and system resources in accordance with applicable access\n control policies.","desc":"Authentication with a CMS-approved PKI certificate does \n not necessarily imply authorization to access PostgreSQL. \n To mitigate the risk of unauthorized access to sensitive \n information by entities that have been issued certificates \n by CMS-approved PKIs, all CMS systems, including databases, \n must be properly configured to implement access control \n policies.\n\n Successful authentication must not automatically give an \n entity access to an asset or security boundary. 
\n Authorization procedures and controls must be implemented \n to ensure each authenticated entity also has a validated \n and current authorization. Authorization is the process \n of determining whether an entity, once authenticated, is \n permitted to access a specific asset. Information systems \n use access control policies and enforcement mechanisms to \n implement this requirement.\n\n Access control policies include identity-based policies, \n role-based policies, and attribute-based policies. Access \n enforcement mechanisms include access control lists, \n access control matrices, and cryptography. These policies \n and mechanisms must be employed by the application to \n control access between users (or processes acting on behalf \n of users) and objects (e.g., devices, files, records, \n processes, programs, and domains) in the information system.\n\n This requirement is applicable to access control enforcement \n applications, a category that includes database management \n systems. If PostgreSQL does not follow applicable policy when \n approving access, it may be in conflict with networks or other \n applications in the information system. This may result in \n users either gaining or being denied access inappropriately \n and in conflict with applicable policy.","descriptions":[{"label":"default","data":"Authentication with a CMS-approved PKI certificate does \n not necessarily imply authorization to access PostgreSQL. \n To mitigate the risk of unauthorized access to sensitive \n information by entities that have been issued certificates \n by CMS-approved PKIs, all CMS systems, including databases, \n must be properly configured to implement access control \n policies.\n\n Successful authentication must not automatically give an \n entity access to an asset or security boundary. \n Authorization procedures and controls must be implemented \n to ensure each authenticated entity also has a validated \n and current authorization. 
Authorization is the process \n of determining whether an entity, once authenticated, is \n permitted to access a specific asset. Information systems \n use access control policies and enforcement mechanisms to \n implement this requirement.\n\n Access control policies include identity-based policies, \n role-based policies, and attribute-based policies. Access \n enforcement mechanisms include access control lists, \n access control matrices, and cryptography. These policies \n and mechanisms must be employed by the application to \n control access between users (or processes acting on behalf \n of users) and objects (e.g., devices, files, records, \n processes, programs, and domains) in the information system.\n\n This requirement is applicable to access control enforcement \n applications, a category that includes database management \n systems. If PostgreSQL does not follow applicable policy when \n approving access, it may be in conflict with networks or other \n applications in the information system. This may result in \n users either gaining or being denied access inappropriately \n and in conflict with applicable policy."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000033-DB-000084","gid":"V-72859","rid":"SV-87511r1_rule","stig_id":"PGS9-00-000900","cci":["CCI-000213"],"nist":["AC-3","Rev_4"],"check":"From the system security plan or equivalent documentation,\n determine the appropriate permissions on database objects for each kind\n (group role) of user. If this documentation is missing, this is a finding.\n\n First, as the database administrator (shown here as \"postgres\"),\n check the privileges of all roles in the database by running the\n following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\du'\n\n Review all roles and their associated privileges. 
If any roles'\n privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n check the configured privileges for tables and columns by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\dp'\n\n Review all access privileges and column access privileges list.\n If any roles' privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n check the configured authentication settings in pg_hba.conf:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n Review all entries and their associated authentication methods.\n\n If any entries do not have their documented authentication requirements,\n this is a finding.","fix":"Create and/or maintain documentation of each group role's\n appropriate permissions on database objects.\n\n Implement these permissions in the database, and remove any permissions that\n exceed those documented.\n\n The following are examples of how to use role privileges in PostgreSQL to\n enforce access controls. For a complete list of privileges, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html\n\n #### Roles Example 1\n The following example demonstrates how to create an admin role with CREATEDB\n and CREATEROLE privileges.\n\n As the database administrator (shown here as \"postgres\"), run the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE admin WITH CREATEDB CREATEROLE\"\n\n #### Roles Example 2\n The following example demonstrates how to create a role with a password that\n expires and makes the role a member of the \"admin\" group.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE joe LOGIN ENCRYPTED PASSWORD 'stig2016!' 
VALID UNTIL\n'2016-09-20' IN ROLE admin\"\n\n #### Roles Example 3\n The following demonstrates how to revoke privileges from a role using REVOKE.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \"REVOKE admin FROM joe\"\n\n #### Roles Example 4\n The following demonstrates how to alter privileges in a role using ALTER.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \"ALTER ROLE joe NOLOGIN\"\n\n The following are examples of how to use grant privileges in PostgreSQL to\n enforce access controls on objects. For a complete list of privileges, see the\n official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-grant.html\n\n #### Grant Example 1\n The following example demonstrates how to grant INSERT on a table to a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT SELECT ON stig_test TO joe\"\n\n #### Grant Example 2\n The following example demonstrates how to grant ALL PRIVILEGES on a table to a\n role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT ALL PRIVILEGES ON stig_test TO joe\"\n\n #### Grant Example 3\n The following example demonstrates how to grant a role to a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT admin TO joe\"\n\n #### Revoke Example 1\n The following example demonstrates how to revoke access from a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"REVOKE admin FROM joe\"\n\n To change authentication requirements for the database, as the database\n administrator (shown here as \"postgres\"), edit pg_hba.conf:\n\n $ sudo su - postgres\n $ 
vi ${PGDATA?}/pg_hba.conf\n\n Edit authentication requirements to the organizational requirements. See the\n official documentation for the complete list of options for authentication:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n After changes to pg_hba.conf, reload the server:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72859\" do\n title \"PostgreSQL must enforce approved authorizations for logical access to\n information and system resources in accordance with applicable access\n control policies.\"\n desc \"Authentication with a DoD-approved PKI certificate does not necessarily\n imply authorization to access PostgreSQL. To mitigate the risk of\n unauthorized access to sensitive information by entities that have been\n issued certificates by DoD-approved PKIs, all DoD systems, including\n databases, must be properly configured to implement access control\n policies.\n\n Successful authentication must not automatically give an entity access\n to an asset or security boundary. Authorization procedures and controls\n must be implemented to ensure each authenticated entity also has a\n validated and current authorization. Authorization is the process of\n determining whether an entity, once authenticated, is permitted to\n access a specific asset. Information systems use access control policies\n and enforcement mechanisms to implement this requirement.\n\n Access control policies include identity-based policies, role-based\n policies, and attribute-based policies. 
Access enforcement mechanisms\n include access control lists, access control matrices, and cryptography.\n\n These policies and mechanisms must be employed by the application to\n control access between users (or processes acting on behalf of users)\n and objects (e.g., devices, files, records, processes, programs, and domains)\n in the information system.\n\n This requirement is applicable to access control enforcement applications,\n a category that includes database management systems. If PostgreSQL does\n not follow applicable policy when approving access, it may be in conflict\n with networks or other applications in the information system. This may\n result in users either gaining or being denied access inappropriately and\n in conflict with applicable policy.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000033-DB-000084\"\n tag \"gid\": \"V-72859\"\n tag \"rid\": \"SV-87511r1_rule\"\n tag \"stig_id\": \"PGS9-00-000900\"\n tag \"cci\": [\"CCI-000213\"]\n tag \"nist\": [\"AC-3\", \"Rev_4\"]\n tag \"check\": \"From the system security plan or equivalent documentation,\n determine the appropriate permissions on database objects for each kind\n (group role) of user. If this documentation is missing, this is a finding.\n\n First, as the database administrator (shown here as \\\"postgres\\\"),\n check the privileges of all roles in the database by running the\n following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\\\du'\n\n Review all roles and their associated privileges. 
If any roles'\n privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \\\"postgres\\\"),\n check the configured privileges for tables and columns by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\\\dp'\n\n Review all access privileges and column access privileges list.\n If any roles' privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \\\"postgres\\\"),\n check the configured authentication settings in pg_hba.conf:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n Review all entries and their associated authentication methods.\n\n If any entries do not have their documented authentication requirements,\n this is a finding.\"\n\n tag \"fix\": \"Create and/or maintain documentation of each group role's\n appropriate permissions on database objects.\n\n Implement these permissions in the database, and remove any permissions that\n exceed those documented.\n\n The following are examples of how to use role privileges in PostgreSQL to\n enforce access controls. For a complete list of privileges, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html\n\n #### Roles Example 1\n The following example demonstrates how to create an admin role with CREATEDB\n and CREATEROLE privileges.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"CREATE ROLE admin WITH CREATEDB CREATEROLE\\\"\n\n #### Roles Example 2\n The following example demonstrates how to create a role with a password that\n expires and makes the role a member of the \\\"admin\\\" group.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"CREATE ROLE joe LOGIN ENCRYPTED PASSWORD 'stig2016!' 
VALID UNTIL\n'2016-09-20' IN ROLE admin\\\"\n\n #### Roles Example 3\n The following demonstrates how to revoke privileges from a role using REVOKE.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \\\"REVOKE admin FROM joe\\\"\n\n #### Roles Example 4\n The following demonstrates how to alter privileges in a role using ALTER.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \\\"ALTER ROLE joe NOLOGIN\\\"\n\n The following are examples of how to use grant privileges in PostgreSQL to\n enforce access controls on objects. For a complete list of privileges, see the\n official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-grant.html\n\n #### Grant Example 1\n The following example demonstrates how to grant INSERT on a table to a role.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"GRANT SELECT ON stig_test TO joe\\\"\n\n #### Grant Example 2\n The following example demonstrates how to grant ALL PRIVILEGES on a table to a\n role.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"GRANT ALL PRIVILEGES ON stig_test TO joe\\\"\n\n #### Grant Example 3\n The following example demonstrates how to grant a role to a role.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"GRANT admin TO joe\\\"\n\n #### Revoke Example 1\n The following example demonstrates how to revoke access from a role.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"REVOKE admin FROM joe\\\"\n\n To change authentication requirements for the database, as the database\n administrator (shown here as 
\\\"postgres\\\"), edit pg_hba.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n\n Edit authentication requirements to the organizational requirements. See the\n official documentation for the complete list of options for authentication:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n After changes to pg_hba.conf, reload the server:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n superuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\n\n authorized_owners = PG_SUPERUSERS\n owners = authorized_owners.join('|')\n\n object_granted_privileges = 'arwdDxtU'\n object_public_privileges = 'r'\n object_acl = \"^((((#{owners})=[#{object_granted_privileges}]+|\"\\\n \"=[#{object_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n object_acl_regex = Regexp.new(object_acl)\n\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind \"\\\n \"FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f') \"\\\n \"AND n.nspname !~ '^pg_' AND pg_catalog.pg_table_is_visible(c.oid);\"\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate;'\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n rows = sql.query(objects_sql, [database])\n if rows.methods.include?(:output) # Handle connection disabled on database\n objects = rows.lines\n\n objects.each do |obj|\n schema, 
object, type = obj.split('|')\n relacl_sql = \"SELECT pg_catalog.array_to_string(c.relacl, E','), \"\\\n \"n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE n.nspname = '#{schema}' AND c.relname = '#{object}' \"\\\n \"AND c.relkind = '#{type}';\"\n\n describe sql.query(relacl_sql, [database]) do\n its('output') { should match object_acl_regex }\n end\n # TODO: Add test for column acl\n end\n end\n end\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'local' } do\n its('user.uniq') { should cmp PG_OWNER }\n its('auth_method.uniq') { should_not cmp 'trust'}\n end\n\n describe.one do\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { database == 'replication' } do\n its('type.uniq') { should cmp 'host' }\n its('address.uniq.sort') { should cmp PG_REPLICAS.sort }\n its('user.uniq') { should cmp 'replication' }\n its('auth_method.uniq') { should cmp 'md5' }\n end\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { database == 'replication' } do\n its('type.uniq') { should cmp 'hostssl' }\n its('address.uniq.sort') { should cmp PG_REPLICAS.sort }\n its('user.uniq') { should cmp 'replication' }\n its('auth_method.uniq') { should cmp 'md5' }\n end\n end\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'host' } do\n its('auth_method.uniq') { should cmp 'md5'}\n end\nend\n","source_location":{"line":67,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72859.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000587162,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000445847,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: No such file or directory' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000355837,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running locally and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000351073,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?' 
AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000356273,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000410892,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"could\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000442997,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"not\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000385133,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connect\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000374934,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"to\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000383259,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server:\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000418033,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"Connection\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000399554,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"refused\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000431931,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: Connection refused' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00040538,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00040601,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tTCP/IP connections on port 5432?' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000392689,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000398204,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"the\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000420328,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000427187,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"running\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000416693,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000422926,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"host\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000424632,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000412251,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"and\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000426744,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"accepting\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000434275,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: Connection refused' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00039223,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000462673,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tTCP/IP connections on port 5432?' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000422212,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000333854,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connections\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000379128,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000336493,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"port\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000421495,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"5432?\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00040653,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: Connection refused' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000347266,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000362657,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tTCP/IP connections on port 5432?' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000367765,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"skipped","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"local\"","run_time":7.177e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"local\"","skip_message":"Can't find file: /var/lib/pgsql/9.5/data/pg_hba.conf"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" type.uniq should cmp == \"host\"","run_time":0.000288727,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"host\"\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" address.uniq.sort should cmp == #","run_time":0.000229674,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: #\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" user.uniq should cmp == \"replication\"","run_time":0.000196548,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"replication\"\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" auth_method.uniq 
should cmp == \"md5\"","run_time":0.000182071,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"md5\"\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" type.uniq should cmp == \"hostssl\"","run_time":0.000180969,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"hostssl\"\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" address.uniq.sort should cmp == #","run_time":0.000261951,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: #\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" user.uniq should cmp == \"replication\"","run_time":0.000237182,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"replication\"\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" auth_method.uniq should cmp == \"md5\"","run_time":0.000177905,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"md5\"\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"skipped","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"host\"","run_time":4.753e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"host\"","skip_message":"Can't find file: 
/var/lib/pgsql/9.5/data/pg_hba.conf"}]},{"id":"V-72861","title":"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in\ntransmission.","desc":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. 
These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000314-DB-000310","gid":"V-72861","rid":"SV-87513r1_rule","stig_id":"PGS9-00-001100","cci":["CCI-002264"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \"postgres\"), run the\n following SQL against each table that requires security labels:\n $ sudo su - postgres\n $ psql -c \"\\d+ .\"\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.","fix":"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n RLS policies can be very different depending on their use case. 
For one\n example of using RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-72861\" do\n title \"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in\ntransmission.\"\n desc \"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. 
These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000314-DB-000310\"\n tag \"gid\": \"V-72861\"\n tag \"rid\": \"SV-87513r1_rule\"\n tag \"stig_id\": \"PGS9-00-001100\"\n tag \"cci\": [\"CCI-002264\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), run the\n following SQL against each table that requires security labels:\n $ sudo su - postgres\n $ psql -c \\\"\\\\d+ .\\\"\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.\"\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n RLS policies can be very different depending on their use case. 
For one\n example of using RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72861.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":6.287e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72863","title":"PostgreSQL must limit the number of concurrent sessions to an\n organization-defined number per user for all accounts and/or account types.","desc":"Database management includes the ability to control the number of users\n and user sessions utilizing PostgreSQL. Unlimited concurrent connections to\n PostgreSQL could allow a successful Denial of Service (DoS) attack by\n exhausting connection resources; and a system can also fail or be degraded by\n an overload of legitimate users. Limiting the number of concurrent sessions\n per user is helpful in reducing these risks.\n This requirement addresses concurrent session control for a single account.\n It does not address concurrent sessions by a single user via multiple system\n accounts; and it does not deal with the total number of sessions across all\n accounts.\n The capability to limit the number of concurrent sessions per user must be\n configured in or added to PostgreSQL (for example, by use of a logon trigger),\n when this is technically feasible. Note that it is not sufficient to limit\n sessions via a web server or application server alone, because legitimate\n users and adversaries can potentially connect to PostgreSQL by other means.\n The organization will need to define the maximum number of concurrent sessions\n by account type, by account, or a combination thereof. In deciding on the\n appropriate number, it is important to consider the work requirements of the\n various types of users. 
For example, 2 might be an acceptable limit for\n general users accessing the database via an application; but 10 might be too\n few for a database administrator using a database management GUI tool, where\n each query tab and navigation pane may count as a separate session.\n (Sessions may also be referred to as connections or logons, which for the\n purposes of this requirement are synonyms..","descriptions":[{"label":"default","data":"Database management includes the ability to control the number of users\n and user sessions utilizing PostgreSQL. Unlimited concurrent connections to\n PostgreSQL could allow a successful Denial of Service (DoS) attack by\n exhausting connection resources; and a system can also fail or be degraded by\n an overload of legitimate users. Limiting the number of concurrent sessions\n per user is helpful in reducing these risks.\n This requirement addresses concurrent session control for a single account.\n It does not address concurrent sessions by a single user via multiple system\n accounts; and it does not deal with the total number of sessions across all\n accounts.\n The capability to limit the number of concurrent sessions per user must be\n configured in or added to PostgreSQL (for example, by use of a logon trigger),\n when this is technically feasible. Note that it is not sufficient to limit\n sessions via a web server or application server alone, because legitimate\n users and adversaries can potentially connect to PostgreSQL by other means.\n The organization will need to define the maximum number of concurrent sessions\n by account type, by account, or a combination thereof. In deciding on the\n appropriate number, it is important to consider the work requirements of the\n various types of users. 
For example, 2 might be an acceptable limit for\n general users accessing the database via an application; but 10 might be too\n few for a database administrator using a database management GUI tool, where\n each query tab and navigation pane may count as a separate session.\n (Sessions may also be referred to as connections or logons, which for the\n purposes of this requirement are synonyms.."},{"label":"caveat","data":"Not applicable for this CMS ARS 3.1 overlay, \n since the related security control is not applied to this \n system categorization in CMS ARS 3.1"}],"impact":0.0,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000001-DB-000031","gid":"V-72863","rid":"SV-87515r1_rule","stig_id":"PGS9-00-001200","cci":["CCI-000054"],"nist":["AC-10","Rev_4"],"check":"To check the total amount of connections allowed by the database,\n as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW max_connections\"\n If the total amount of connections is greater than documented by\n an organization, this is a finding.\n To check the amount of connections allowed for each role, as the\n database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SELECT rolname, rolconnlimit from pg_authid\"\n If any roles have more connections configured than documented,\n this is a finding. 
A value of -1 indicates Unlimited, this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To configure the maximum amount of connections allowed to the\n database, as the database administrator (shown here as \"postgres\")\n change the following in postgresql.conf\n\n (the value 10 is an example; set the value to suit local conditions):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n max_connections = 10\n\n Next, restart the database:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart\n\n To limit the amount of connections allowed by a specific role,\n as the database administrator, run the following SQL:\n\n $ psql -c \"ALTER ROLE CONNECTION LIMIT 1\";"},"code":"control \"V-72863\" do\n title \"PostgreSQL must limit the number of concurrent sessions to an\n organization-defined number per user for all accounts and/or account types.\"\n desc \"Database management includes the ability to control the number of users\n and user sessions utilizing PostgreSQL. Unlimited concurrent connections to\n PostgreSQL could allow a successful Denial of Service (DoS) attack by\n exhausting connection resources; and a system can also fail or be degraded by\n an overload of legitimate users. Limiting the number of concurrent sessions\n per user is helpful in reducing these risks.\n This requirement addresses concurrent session control for a single account.\n It does not address concurrent sessions by a single user via multiple system\n accounts; and it does not deal with the total number of sessions across all\n accounts.\n The capability to limit the number of concurrent sessions per user must be\n configured in or added to PostgreSQL (for example, by use of a logon trigger),\n when this is technically feasible. 
Note that it is not sufficient to limit\n sessions via a web server or application server alone, because legitimate\n users and adversaries can potentially connect to PostgreSQL by other means.\n The organization will need to define the maximum number of concurrent sessions\n by account type, by account, or a combination thereof. In deciding on the\n appropriate number, it is important to consider the work requirements of the\n various types of users. For example, 2 might be an acceptable limit for\n general users accessing the database via an application; but 10 might be too\n few for a database administrator using a database management GUI tool, where\n each query tab and navigation pane may count as a separate session.\n (Sessions may also be referred to as connections or logons, which for the\n purposes of this requirement are synonyms..\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000001-DB-000031\"\n tag \"gid\": \"V-72863\"\n tag \"rid\": \"SV-87515r1_rule\"\n tag \"stig_id\": \"PGS9-00-001200\"\n tag \"cci\": [\"CCI-000054\"]\n tag \"nist\": [\"AC-10\", \"Rev_4\"]\n tag \"check\": 'To check the total amount of connections allowed by the database,\n as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW max_connections\"\n If the total amount of connections is greater than documented by\n an organization, this is a finding.\n To check the amount of connections allowed for each role, as the\n database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SELECT rolname, rolconnlimit from pg_authid\"\n If any roles have more connections configured than documented,\n this is a finding. 
A value of -1 indicates Unlimited, this is a\n finding.'\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To configure the maximum amount of connections allowed to the\n database, as the database administrator (shown here as \\\"postgres\\\")\n change the following in postgresql.conf\n\n (the value 10 is an example; set the value to suit local conditions):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n max_connections = 10\n\n Next, restart the database:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart\n\n To limit the amount of connections allowed by a specific role,\n as the database administrator, run the following SQL:\n\n $ psql -c \\\"ALTER ROLE CONNECTION LIMIT 1\\\";\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW max_connections;', [PG_DB]) do\n its('output') { should be <= PG_MAX_CONNECTIONS }\n end\n\n describe sql.query('SELECT rolname, rolconnlimit from pg_authid;', [PG_DB]) do\n its('output') { should_not include '-1' }\n end\nend\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72863.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW max_connections; output should be <= Attribute 'pg max connections' does not have a value. 
Skipping test.","run_time":0.000154085,"start_time":"2019-04-22T14:20:39+00:00","message":"can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to String (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_str gives Inspec::Attribute::DEFAULT_ATTRIBUTE)","exception":"TypeError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/built_in/be.rb:147:in `<=>'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/built_in/be.rb:147:in `<='","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/built_in/be.rb:147:in `matches?'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72863.rb:126:in `block (3 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in 
`run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in 
run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT rolname, rolconnlimit from pg_authid; output should not include \"-1\"","run_time":0.000185673,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-72865","title":"The role(s)/group(s) used to modify database structure (including but\n not necessarily limited to tables, indexes, storage, etc.) and logic\n modules (functions, trigger procedures, links to software external to\n PostgreSQL, etc.) must be restricted to authorized users.","desc":"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations.","descriptions":[{"label":"default","data":"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000362","gid":"V-72865","rid":"SV-87517r1_rule","stig_id":"PGS9-00-001300","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Note: The following instructions use the PGDATA 
environment\n variable. See supplementary content APPENDIX-F for instructions\n on configuring PGDATA.\n\n As the database administrator (shown here as \"postgres\"),\n list the privileges granted on all relations by running the following\n psql command:\n\n $ sudo su - postgres\n $ psql -c \"\\dp *.*\"\n\n Verify that all objects have the correct privileges: only the authorized\n owner/superuser roles should hold modify privileges, and PUBLIC should hold\n at most read (SELECT) access. If they do\n not, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n verify the permissions of the database directory on the\n filesystem:\n\n $ ls -la ${PGDATA?}\n\n If permissions of the database directory are not limited to an\n authorized user account (expected: owned by the PostgreSQL service\n account, mode 0700), this is a finding.","fix":"As the database administrator, revoke any permissions from a role\n that are deemed unnecessary by running the following SQL:\n\n ALTER ROLE bob NOCREATEDB;\n ALTER ROLE bob NOCREATEROLE;\n ALTER ROLE bob NOSUPERUSER;\n ALTER ROLE bob NOINHERIT;\n REVOKE EXECUTE ON FUNCTION some_function() FROM bob;\n\n Note: functions are executable by PUBLIC by default, so a function that\n must be restricted also needs EXECUTE revoked from PUBLIC."},"code":"control \"V-72865\" do\n # @todo update the title of this control to something sane\n title \"The role(s)/group(s) used to modify database structure (including but\n not necessarily limited to tables, indexes, storage, etc.) and logic\n modules (functions, trigger procedures, links to software external to\n PostgreSQL, etc.) 
must be restricted to authorized users.\"\n desc \"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000362\"\n tag \"gid\": \"V-72865\"\n tag \"rid\": \"SV-87517r1_rule\"\n tag \"stig_id\": \"PGS9-00-001300\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions\n on configuring PGDATA.\n\n As the database administrator (shown here as \\\"postgres\\\"),\n list all users and their permissions by running the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"\\\\dp *.*\\\"\n\n Verify that all objects have the correct privileges. 
If they do\n not, this is a finding.\n\n Next, as the database administrator (shown here as \\\"postgres\\\"),\n verify the permissions of the database directory on the\n filesystem:\n\n $ ls -la ${PGDATA?}\n\n If permissions of the database directory are not limited to an\n authorized user account, this is a finding.\"\n\n tag \"fix\": \"As the database administrator, revoke any permissions from a role\n that are deemed unnecessary by running the following SQL:\n\n ALTER ROLE bob NOCREATEDB;\n ALTER ROLE bob NOCREATEROLE;\n ALTER ROLE bob NOSUPERUSER;\n ALTER ROLE bob NOINHERIT;\n REVOKE SELECT ON some_function FROM bob;\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n owners = authorized_owners.join('|')\n\n object_granted_privileges = 'arwdDxtU'\n object_public_privileges = 'r'\n object_acl = \"^((((#{owners})=[#{object_granted_privileges}]+|\"\\\n \"=[#{object_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n object_acl_regex = Regexp.new(object_acl)\n\n pg_settings_acl = \"^((((#{owners})=[#{object_granted_privileges}]+|\"\\\n \"=rw)\\/\\\\w+,?)+)\\\\|pg_catalog\\\\|pg_settings\\\\|v\"\n pg_settings_acl_regex = Regexp.new(pg_settings_acl)\n\n tested = []\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind \"\\\n \"FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f');\"\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate;'\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n rows = sql.query(objects_sql, [database])\n if rows.methods.include?(:output) # Handle connection disabled on database\n objects = rows.lines\n\n objects.each do |obj|\n unless tested.include?(obj)\n schema, object, type = obj.split('|')\n relacl_sql = \"SELECT pg_catalog.array_to_string(c.relacl, E','), \"\\\n \"n.nspname, 
c.relname, c.relkind FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE n.nspname = '#{schema}' AND c.relname = '#{object}' \"\\\n \"AND c.relkind = '#{type}';\"\n\n sql_result=sql.query(relacl_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should match object_acl_regex }\n end\n\n describe sql_result do\n its('output') { should match pg_settings_acl_regex }\n end\n end\n # TODO: Add test for column acl\n tested.push(obj)\n end\n end\n end\n end\n\n describe directory(PG_DATA_DIR) do\n it { should be_directory }\n it { should be_owned_by PG_OWNER }\n its('mode') { should cmp '0700' }\n end\nend\n","source_location":{"line":62,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72865.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000389178,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000373045,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000334231,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000304745,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: No such file or directory' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000350527,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: No such file or directory' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000301412,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running locally and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000324208,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running locally and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000369427,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000342636,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000386864,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,6 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"could\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000356538,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"could\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000371622,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"not\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00040622,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"not\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000428787,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connect\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000398526,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connect\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000367313,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"to\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000416288,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"to\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000377161,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server:\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000436904,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server:\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000414518,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"Connection\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000393017,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"Connection\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000381985,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"refused\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000413268,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"refused\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000384027,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: Connection refused' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000437649,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: Connection refused' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000451109,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000360629,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000407578,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tTCP/IP connections on port 5432?' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000378953,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tTCP/IP connections on port 5432?' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000459281,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"the\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00041591,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"the\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000436418,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000376251,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000432856,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"running\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000413616,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"running\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000460541,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00046196,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000383008,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"host\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000387471,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"host\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000419695,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"and\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000423472,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"and\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000422119,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"accepting\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000392543,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"accepting\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000397637,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connections\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000325655,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connections\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000341176,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"port\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000396559,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"port\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000391303,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"5432?\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000384494,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"5432?\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000345952,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,9 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Directory /var/lib/pgsql/9.5/data should be directory","run_time":0.000247227,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /var/lib/pgsql/9.5/data.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /var/lib/pgsql/9.5/data should be owned by \"postgres\"","run_time":0.000287195,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /var/lib/pgsql/9.5/data.owned_by?(\"postgres\")` to return true, got false"},{"status":"failed","code_desc":"Directory /var/lib/pgsql/9.5/data mode should cmp == \"0700\"","run_time":0.000202288,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in 
handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72865.rb:179:in `block (3 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in 
`map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in 
`invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]}]},{"id":"V-72867","title":"PostgreSQL must uniquely identify and authenticate non-organizational\n users (or processes acting on behalf of non-organizational users).","desc":"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk assessment is used in determining the authentication needs\n of the organization.\n Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation.","descriptions":[{"label":"default","data":"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk assessment is used in determining the authentication needs\n of the organization.\n Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to 
federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000180-DB-000115","gid":"V-72867","rid":"SV-87519r1_rule","stig_id":"PGS9-00-001400","cci":["CCI-000804"],"nist":["IA-8","Rev_4"],"check":"PostgreSQL uniquely identifies and authenticates PostgreSQL\n users through the use of DBMS roles.\n To list all roles in the database, as the database administrator (shown here\n as \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"\\du\"\n If users are not uniquely identified as per organizational documentation, this\n is a finding.","fix":"To drop a role, as the database administrator (shown here as\n \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"DROP ROLE \"\n To create a role, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE LOGIN\"\n For the complete list of permissions allowed by roles, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html"},"code":"control \"V-72867\" do\n title \"PostgreSQL must uniquely identify and authenticate non-organizational\n users (or processes acting on behalf of non-organizational users).\"\n desc \"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk 
assessment is used in determining the authentication needs\n of the organization.\n Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000180-DB-000115\"\n tag \"gid\": \"V-72867\"\n tag \"rid\": \"SV-87519r1_rule\"\n tag \"stig_id\": \"PGS9-00-001400\"\n tag \"cci\": [\"CCI-000804\"]\n tag \"nist\": [\"IA-8\", \"Rev_4\"]\n tag \"check\": \"PostgreSQL uniquely identifies and authenticates PostgreSQL\n users through the use of DBMS roles.\n To list all roles in the database, as the database administrator (shown here\n as \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"\\\\du\\\"\n If users are not uniquely identified as per organizational documentation, this\n is a finding.\"\n tag \"fix\": \"To drop a role, as the database administrator (shown here as\n \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"DROP ROLE \\\"\n To create a role, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"CREATE ROLE LOGIN\\\"\n For the complete list of permissions allowed by roles, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_roles = PG_SUPERUSERS\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r where r.rolsuper;'\n describe sql.query(roles_sql, [PG_DB]) do\n its('lines.sort') { should cmp authorized_roles.sort }\n 
end\nend\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72867.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT r.rolname FROM pg_catalog.pg_roles r where r.rolsuper; lines.sort should cmp == #","run_time":0.000262791,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: #\n got: [\"\", \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\", \"\\tTCP/IP connections on port 5432?\", \"psql: could not connect to server: Connection refused\"]\n\n(compared using `cmp` matcher)\n"}]},{"id":"V-72869","title":"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in storage.","desc":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. 
If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. 
If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000311-DB-000308","gid":"V-72869","rid":"SV-87521r1_rule","stig_id":"PGS9-00-001700","cci":["CCI-002262"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \"postgres\"), run the\n following SQL against each table that requires security labels:\n\n $ sudo su - postgres\n $ psql -c \"\\d+ .\"\n\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.","fix":"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n\n RLS policies can be very different depending on their use case. 
For one example\n of using RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-72869\" do\n title \"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in storage.\"\n desc \"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. 
If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000311-DB-000308\"\n tag \"gid\": \"V-72869\"\n tag \"rid\": \"SV-87521r1_rule\"\n tag \"stig_id\": \"PGS9-00-001700\"\n tag \"cci\": [\"CCI-002262\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), run the\n following SQL against each table that requires security labels:\n\n $ sudo su - postgres\n $ psql -c \\\"\\\\d+ .\\\"\n\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.\"\n\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n\n RLS policies can be very different depending on their use case. 
For one example\n of using RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72869.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":4.56e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72871","title":"PostgreSQL must check the validity of all data inputs except those\n specifically identified by the organization.","desc":"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000160","gid":"V-72871","rid":"SV-87523r1_rule","stig_id":"PGS9-00-001800","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL code (trigger procedures, functions),\n application code, settings, column and field definitions, and constraints to\n determine whether the database is protected against invalid input.\n If code exists that allows invalid data to be acted upon or input into the\n database, this is a finding.\n\n If column/field definitions do not exist in the database, this is a finding.\n If columns/fields do not contain constraints and validity checking where\n required, this is a finding.\n\n Where a column/field is noted in the system documentation as necessarily\n free-form, even though its name and context suggest that it should be strongly\n typed and constrained, the absence of these protections is not a finding.\n Where a column/field is clearly identified by name, caption or context as\n Notes, Comments, Description, Text, etc., the absence of these protections is\n not a finding.\n\n Check application code that interacts with PostgreSQL for the use of prepared\n statements. 
If prepared statements are not used, this is a finding.","fix":"Modify database code to properly validate data before it is put\n into the database or acted upon by the database.\n\n Modify the database to contain constraints and validity checking on database\n columns and tables that require them for data integrity.\n\n Use prepared statements when taking user input.\n \n Do not allow general users direct console access to PostgreSQL."},"code":"control \"V-72871\" do\n title \"PostgreSQL must check the validity of all data inputs except those\n specifically identified by the organization.\"\n desc \"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000160\"\n tag \"gid\": \"V-72871\"\n tag \"rid\": \"SV-87523r1_rule\"\n tag \"stig_id\": \"PGS9-00-001800\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL code (trigger procedures, functions),\n application code, settings, column and field definitions, and constraints to\n determine whether the database is protected against invalid input.\n If code exists that allows invalid data to be acted upon or input into the\n database, this is a finding.\n\n If column/field definitions do not exist in the database, this is a finding.\n If columns/fields do not contain constraints and validity checking where\n required, this is a finding.\n\n Where a column/field is noted in the system documentation as necessarily\n free-form, even though its name and context suggest that it should be strongly\n typed and constrained, the absence of these protections is not a finding.\n Where a column/field is clearly identified by name, caption or context as\n Notes, Comments, Description, Text, etc., the absence of these protections is\n not a finding.\n\n Check application code that interacts with PostgreSQL for the use of prepared\n statements. 
If prepared statements are not used, this is a finding.\"\n\n tag \"fix\": \"Modify database code to properly validate data before it is put\n into the database or acted upon by the database.\n\n Modify the database to contain constraints and validity checking on database\n columns and tables that require them for data integrity.\n\n Use prepared statements when taking user input.\n \n Do not allow general users direct console access to PostgreSQL.\"\n\n only_if { false }\n \nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72871.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":6.265e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72873","title":"PostgreSQL and associated applications must reserve the use of dynamic\n code execution for situations that require it.","desc":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. 
Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and f\n unctions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. 
Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and f\n unctions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000391","gid":"V-72873","rid":"SV-87525r1_rule","stig_id":"PGS9-00-001900","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL source code (trigger procedures, functions)\n and application source code, to identify cases of dynamic code execution. 
Any\n user input should be handled through prepared statements.\n If dynamic code execution is employed in circumstances where the objective\n could practically be satisfied by static execution with strongly typed\n parameters, this is a finding.","fix":"Where dynamic code execution is employed in circumstances where\n the objective could practically be satisfied by static execution with strongly\n typed parameters, modify the code to do so."},"code":"control \"V-72873\" do\n title \"PostgreSQL and associated applications must reserve the use of dynamic\n code execution for situations that require it.\"\n desc \"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and f\n unctions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000391\"\n tag \"gid\": \"V-72873\"\n tag \"rid\": \"SV-87525r1_rule\"\n tag \"stig_id\": \"PGS9-00-001900\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL source code (trigger procedures, functions)\n and application source code, to identify cases of dynamic code execution. Any\n user input should be handled through prepared statements.\n If dynamic code execution is employed in circumstances where the objective\n could practically be satisfied by static execution with strongly typed\n parameters, this is a finding.\"\n tag \"fix\": \"Where dynamic code execution is employed in circumstances where\n the objective could practically be satisfied by static execution with strongly\n typed parameters, modify the code to do so.\"\n\n only_if { false }\n \nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72873.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":3.744e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72875","title":"PostgreSQL and associated applications, when making use of dynamic code\n execution, must scan input data for invalid values that may indicate a code i\n njection attack.","desc":"With respect to database 
management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. 
In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. Use case-insensitive comparisons when searching for these. Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker.","descriptions":[{"label":"default","data":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. 
When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. 
Use case-insensitive comparisons when searching for these. Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000392","gid":"V-72875","rid":"SV-87527r1_rule","stig_id":"PGS9-00-002000","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL source code (trigger procedures, functions)\n and application source code to identify cases of dynamic code execution.\n If dynamic code execution is employed without protective measures against code\n injection, this is a finding.","fix":"Where dynamic code execution is used, modify the code to implement\n protections against code injection (IE: prepared statements)."},"code":"control \"V-72875\" do\n title \"PostgreSQL and associated applications, when making use of dynamic code\n execution, must scan input data for invalid values that may indicate a code i\n njection attack.\"\n desc \"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. 
In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. 
In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. Use case-insensitive comparisons when searching for these. Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000392\"\n tag \"gid\": \"V-72875\"\n tag \"rid\": \"SV-87527r1_rule\"\n tag \"stig_id\": \"PGS9-00-002000\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL source code (trigger procedures, functions)\n and application source code to identify cases of dynamic code execution.\n If dynamic code execution is employed without protective measures against code\n injection, this is a finding.\"\n tag \"fix\": \"Where dynamic code execution is used, modify the code to implement\n protections against code injection (IE: prepared statements).\"\n\n only_if { false }\n 
\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72875.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":3.531e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72877","title":"PostgreSQL must allocate audit record storage capacity in accordance\n with organization-defined audit record storage requirements.","desc":"In order to ensure sufficient storage capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. 
The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records.","descriptions":[{"label":"default","data":"In order to ensure sufficient storage capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. 
The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000357-DB-000316","gid":"V-72877","rid":"SV-87529r1_rule","stig_id":"PGS9-00-002100","cci":["CCI-001849"],"nist":["AU-4","Rev_4"],"check":"Investigate whether there have been any incidents where\n PostgreSQL ran out of audit log space since the last time the space was\n allocated or other corrective measures were taken.\n If there have been incidents where PostgreSQL ran out of audit log space,\n this is a finding.","fix":"Allocate sufficient audit file/table space to support peak demand."},"code":"control \"V-72877\" do\n title \"PostgreSQL must allocate audit record storage capacity in accordance\n with organization-defined audit record storage requirements.\"\n desc \"In order to ensure sufficient storage capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. 
Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000357-DB-000316\"\n tag \"gid\": \"V-72877\"\n tag \"rid\": \"SV-87529r1_rule\"\n tag \"stig_id\": \"PGS9-00-002100\"\n tag \"cci\": [\"CCI-001849\"]\n tag \"nist\": [\"AU-4\", \"Rev_4\"]\n tag \"check\": \"Investigate whether there have been any incidents where\n PostgreSQL ran out of audit log space since the last time the space was\n allocated or other corrective measures were taken.\n If there have been incidents where PostgreSQL ran out of audit log space,\n this is a finding.\"\n tag \"fix\": \"Allocate sufficient audit file/table space to support peak demand.\"\n\n only_if { false }\n 
\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72877.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":3.404e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72883","title":"PostgreSQL must enforce discretionary access control policies, as\n defined by the data owner, over defined subjects and objects.","desc":"Discretionary Access Control (DAC) is based on the notion that\n individual users are \"owners\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. 
Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. While the older,\n more traditional definitions of discretionary access control require i\n dentity-based access control, that limitation is not required for this use of\n discretionary access control.","descriptions":[{"label":"default","data":"Discretionary Access Control (DAC) is based on the notion that\n individual users are \"owners\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. 
While the older,\n more traditional definitions of discretionary access control require i\n dentity-based access control, that limitation is not required for this use of\n discretionary access control."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000328-DB-000301","gid":"V-72883","rid":"SV-87535r1_rule","stig_id":"PGS9-00-002200","cci":["CCI-002165"],"nist":["AC-3 (4)","Rev_4"],"check":"Review system documentation to identify the required\n discretionary access control (DAC).\n\n Review the security configuration of the database and PostgreSQL. If\n applicable, review the security configuration of the application(s) using the\n database.\n\n If the discretionary access control defined in the documentation is not\n implemented in the security configuration, this is a finding.\n\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n\n To check the ownership of objects in the database, as the database\n administrator, run the following:\n $ sudo su - postgres\n $ psql -c \"\\dn *.*\"\n $ psql -c \"\\dt *.*\"\n $ psql -c \"\\ds *.*\"\n $ psql -c \"\\dv *.*\"\n $ psql -c \"\\df+ *.*\"\n If any role is given privileges to objects it should not have, this is a\n finding.","fix":"Implement the organization's DAC policy in the security\n configuration of the database and PostgreSQL, and, if applicable, the security\n configuration of the application(s) using the database.\n To GRANT privileges to roles, as the database administrator (shown here as\n \"postgres\"), run statements like the following examples:\n $ sudo su - postgres\n $ psql -c \"CREATE SCHEMA test\"\n $ psql -c \"GRANT CREATE ON SCHEMA test TO bob\"\n $ psql -c \"CREATE TABLE test.test_table(id INT)\"\n $ psql -c \"GRANT SELECT ON TABLE test.test_table TO bob\"\n To REVOKE privileges to roles, as the database administrator (shown here as\n \"postgres\"), run statements like the following examples:\n $ psql -c \"REVOKE 
SELECT ON TABLE test.test_table FROM bob\"\n $ psql -c \"REVOKE CREATE ON SCHEMA test FROM bob\""},"code":"control \"V-72883\" do\n title \"PostgreSQL must enforce discretionary access control policies, as\n defined by the data owner, over defined subjects and objects.\"\n desc \"Discretionary Access Control (DAC) is based on the notion that\n individual users are \\\"owners\\\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. 
While the older,\n more traditional definitions of discretionary access control require i\n dentity-based access control, that limitation is not required for this use of\n discretionary access control.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000328-DB-000301\"\n tag \"gid\": \"V-72883\"\n tag \"rid\": \"SV-87535r1_rule\"\n tag \"stig_id\": \"PGS9-00-002200\"\n tag \"cci\": [\"CCI-002165\"]\n tag \"nist\": [\"AC-3 (4)\", \"Rev_4\"]\n tag \"check\": \"Review system documentation to identify the required\n discretionary access control (DAC).\n\n Review the security configuration of the database and PostgreSQL. If\n applicable, review the security configuration of the application(s) using the\n database.\n\n If the discretionary access control defined in the documentation is not\n implemented in the security configuration, this is a finding.\n\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n\n To check the ownership of objects in the database, as the database\n administrator, run the following:\n $ sudo su - postgres\n $ psql -c \\\"\\\\dn *.*\\\"\n $ psql -c \\\"\\\\dt *.*\\\"\n $ psql -c \\\"\\\\ds *.*\\\"\n $ psql -c \\\"\\\\dv *.*\\\"\n $ psql -c \\\"\\\\df+ *.*\\\"\n If any role is given privileges to objects it should not have, this is a\n finding.\"\n tag \"fix\": \"Implement the organization's DAC policy in the security\n configuration of the database and PostgreSQL, and, if applicable, the security\n configuration of the application(s) using the database.\n To GRANT privileges to roles, as the database administrator (shown here as\n \\\"postgres\\\"), run statements like the following examples:\n $ sudo su - postgres\n $ psql -c \\\"CREATE SCHEMA test\\\"\n $ psql -c \\\"GRANT CREATE ON SCHEMA test TO bob\\\"\n $ psql -c \\\"CREATE TABLE test.test_table(id INT)\\\"\n $ psql -c \\\"GRANT SELECT ON TABLE test.test_table TO bob\\\"\n To REVOKE privileges to 
roles, as the database administrator (shown here as\n \\\"postgres\\\"), run statements like the following examples:\n $ psql -c \\\"REVOKE SELECT ON TABLE test.test_table FROM bob\\\"\n $ psql -c \\\"REVOKE CREATE ON SCHEMA test FROM bob\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n types = %w(t s v) # tables, sequences views\n\n databases.each do |database|\n schemas_sql = ''\n functions_sql = ''\n\n if database == 'postgres'\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n else\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema';\"\n end\n\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n 
connection_error_regex = Regexp.new(connection_error)\n \n sql_result=sql.query(schemas_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n sql_result=sql.query(functions_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n types.each do |type|\n objects_sql = ''\n\n if database == 'postgres'\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}' \"\n \"AND n.nspname !~ '^pg_toast';\"\n else\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'\"\\\n \" AND n.nspname !~ '^pg_toast';\"\n end\n\n sql_result=sql.query(objects_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72883.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE 
pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000253236,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000624677,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000289191,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000613397,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000327923,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000515415,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000264092,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000584855,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000225944,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000567026,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000332712,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.00068468,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000379156,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000597622,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000317818,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000670999,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000354294,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000736171,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000348917,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.00063466,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000375512,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000765834,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000348215,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000708366,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000332499,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.00079819,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 
'pg_superusers' does not have a value. Skipping test.) AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000436299,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000764804,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 
'pg_superusers' does not have a value. Skipping test.) AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000361188,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000705468,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000355561,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000671954,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000328146,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000666639,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000361265,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000739848,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000334813,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000660801,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000308785,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000650424,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"}]},{"id":"V-72887","title":"PostgreSQL must record time stamps, in audit records and application\n data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).","desc":"If time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. 
Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000374-DB-000322","gid":"V-72887","rid":"SV-87539r1_rule","stig_id":"PGS9-00-002400","cci":["CCI-001890"],"nist":["AU-8 b","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n When a PostgreSQL cluster is initialized using initdb, the PostgreSQL cluster\n will be configured to use the same time zone as the target server.\n As the database administrator (shown here as \"postgres\"), check the current\n log_timezone setting by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_timezone\"\n log_timezone\n --------------\n UTC\n (1 row)\n If log_timezone is not set to the desired time zone, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To change log_timezone in postgresql.conf to use a different time zone for\n logs, as the database administrator (shown here as \"postgres\"), run the\n following:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_timezone='UTC'\n Next, restart the database:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart"},"code":"control \"V-72887\" do\n title \"PostgreSQL must record time stamps, in audit records and application\n data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).\"\n desc \"If time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000374-DB-000322\"\n tag \"gid\": \"V-72887\"\n tag \"rid\": \"SV-87539r1_rule\"\n tag \"stig_id\": \"PGS9-00-002400\"\n tag \"cci\": [\"CCI-001890\"]\n tag \"nist\": [\"AU-8 b\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n When a PostgreSQL cluster is initialized using initdb, the PostgreSQL cluster\n will be configured to use the same time zone as the target server.\n As the database administrator (shown here as \\\"postgres\\\"), check the current\n log_timezone setting by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_timezone\\\"\n log_timezone\n --------------\n UTC\n (1 row)\n If log_timezone is not set to the desired time zone, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To change log_timezone in postgresql.conf to use a different time zone for\n logs, as the database administrator (shown here as \\\"postgres\\\"), run the\n following:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_timezone='UTC'\n Next, restart the database:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW log_timezone;', [PG_DB]) do\n its('output') { should eq PG_TIMEZONE }\n end\nend\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72887.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_timezone; output should eq #","run_time":0.000205023,"start_time":"2019-04-22T14:20:39+00:00","message":"can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)","exception":"TypeError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-support-3.8.0/lib/rspec/support/differ.rb:133:in 
`flatten'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-support-3.8.0/lib/rspec/support/differ.rb:133:in `safely_flatten'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-support-3.8.0/lib/rspec/support/differ.rb:79:in `all_strings?'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-support-3.8.0/lib/rspec/support/differ.rb:15:in `diff'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/expecteds_for_multiple_diffs.rb:66:in `block in diffs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/expecteds_for_multiple_diffs.rb:65:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/expecteds_for_multiple_diffs.rb:65:in `diffs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/expecteds_for_multiple_diffs.rb:48:in `message_with_diff'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/fail_with.rb:33:in `fail_with'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:38:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72887.rb:95:in `block (3 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in 
`instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in 
`run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]}]},{"id":"V-72891","title":"PostgreSQL must allow only the ISSM (or individuals or roles appointed\n by the ISSM) to select which auditable events are to be audited.","desc":"Without the capability to restrict which roles and individuals can\n select which events are audited, unauthorized personnel may be able to prevent\n or interfere with the auditing of critical events.\n\n Suppression of auditing could permit an adversary to evade detection.\n\n Misconfigured audits can degrade the system's performance by overwhelming the\n audit log. Misconfigured audits may also make it more difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can\n select which events are audited, unauthorized personnel may be able to prevent\n or interfere with the auditing of critical events.\n\n Suppression of auditing could permit an adversary to evade detection.\n\n Misconfigured audits can degrade the system's performance by overwhelming the\n audit log. Misconfigured audits may also make it more difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000090-DB-000065","gid":"V-72891","rid":"SV-87543r1_rule","stig_id":"PGS9-00-002600","cci":["CCI-000171"],"nist":["AU-12 b","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Check PostgreSQL settings and documentation to determine whether designated\n personnel are able to select which auditable events are being audited.\n As the database administrator (shown here as \"postgres\"), verify the\n permissions for PGDATA:\n $ ls -la ${PGDATA?}\n If anything in PGDATA is not owned by the database administrator, this is a\n finding.\n Next, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"\\du\"\n Review the role permissions, if any role is listed as superuser but should not\n have that access, this is a finding.","fix":"Configure PostgreSQL's settings to allow designated personnel to\n select which auditable events are audited.\n Using pgaudit allows administrators the flexibility to choose what they log.\n For an overview of the capabilities of pgaudit, see\n https://github.com/pgaudit/pgaudit.\n See supplementary content APPENDIX-B for documentation on installing pgaudit.\n See supplementary content APPENDIX-C for instructions on enabling logging.\n Only administrators/superuser can change PostgreSQL configurations. Access to\n the database administrator must be limited to designated personnel only.\n To ensure that postgresql.conf is owned by the database owner:\n $ chown postgres:postgres ${PGDATA?}/postgresql.conf\n $ chmod 600 ${PGDATA?}/postgresql.conf"},"code":"control \"V-72891\" do\n\n title \"PostgreSQL must allow only the ISSM (or individuals or roles appointed\n by the ISSM) to select which auditable events are to be audited.\"\n desc \"Without the capability to restrict which roles and individuals can\n select which events are audited, unauthorized personnel may be able to prevent\n or interfere with the auditing of critical events.\n\n Suppression of auditing could permit an adversary to evade detection.\n\n Misconfigured audits can degrade the system's performance by overwhelming the\n audit log. 
Misconfigured audits may also make it more difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000090-DB-000065\"\n tag \"gid\": \"V-72891\"\n tag \"rid\": \"SV-87543r1_rule\"\n tag \"stig_id\": \"PGS9-00-002600\"\n tag \"cci\": [\"CCI-000171\"]\n tag \"nist\": [\"AU-12 b\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Check PostgreSQL settings and documentation to determine whether designated\n personnel are able to select which auditable events are being audited.\n As the database administrator (shown here as \\\"postgres\\\"), verify the\n permissions for PGDATA:\n $ ls -la ${PGDATA?}\n If anything in PGDATA is not owned by the database administrator, this is a\n finding.\n Next, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"\\\\du\\\"\n Review the role permissions, if any role is listed as superuser but should not\n have that access, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL's settings to allow designated personnel to\n select which auditable events are audited.\n Using pgaudit allows administrators the flexibility to choose what they log.\n For an overview of the capabilities of pgaudit, see\n https://github.com/pgaudit/pgaudit.\n See supplementary content APPENDIX-B for documentation on installing pgaudit.\n See supplementary content APPENDIX-C for instructions on enabling logging.\n Only administrators/superuser can change PostgreSQL configurations. 
Access to\n the database administrator must be limited to designated personnel only.\n To ensure that postgresql.conf is owned by the database owner:\n $ chown postgres:postgres ${PGDATA?}/postgresql.conf\n $ chmod 600 ${PGDATA?}/postgresql.conf\"\n\n describe directory(PG_DATA_DIR) do\n it { should be_directory }\n it { should be_owned_by PG_OWNER }\n its('mode') { should cmp '0700' }\n end\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n superuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\nend\n","source_location":{"line":57,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72891.rb"},"results":[{"status":"failed","code_desc":"Directory /var/lib/pgsql/9.5/data should be directory","run_time":0.00023811,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /var/lib/pgsql/9.5/data.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /var/lib/pgsql/9.5/data should be owned by \"postgres\"","run_time":0.000210341,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /var/lib/pgsql/9.5/data.owned_by?(\"postgres\")` to return true, got false"},{"status":"failed","code_desc":"Directory /var/lib/pgsql/9.5/data mode should cmp == \"0700\"","run_time":0.000249618,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) 
in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72891.rb:110:in `block (3 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in 
`with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in 
`run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]}]},{"id":"V-72893","title":"PostgreSQL must provide an immediate real-time alert to appropriate\n support staff of all audit failure events requiring real-time alerts.","desc":"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert\n occurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. The term \"the system\" is used to encompass all of these.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert\n occurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. 
The term \"the system\" is used to encompass all of these."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000360-DB-000320","gid":"V-72893","rid":"SV-87545r1_rule","stig_id":"PGS9-00-002700","cci":["CCI-001858"],"nist":["AU-5 (2)","Rev_4"],"check":"Review the system documentation to determine which audit failure\n events require real-time alerts.\n Review the system settings and code. If the real-time alerting that is\n specified in the documentation is not enabled, this is a finding.","fix":"Configure the system to provide an immediate real-time alert to\n appropriate support staff when a specified audit failure occurs.\n It is possible to create scripts or implement third-party tools to enable\n real-time alerting for audit failures in PostgreSQL."},"code":"control \"V-72893\" do\n title \"PostgreSQL must provide an immediate real-time alert to appropriate\n support staff of all audit failure events requiring real-time alerts.\"\n desc \"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert o\n ccurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. 
The term \\\"the system\\\" is used to encompass all of these.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000360-DB-000320\"\n tag \"gid\": \"V-72893\"\n tag \"rid\": \"SV-87545r1_rule\"\n tag \"stig_id\": \"PGS9-00-002700\"\n tag \"cci\": [\"CCI-001858\"]\n tag \"nist\": [\"AU-5 (2)\", \"Rev_4\"]\n tag \"check\": \"Review the system documentation to determine which audit failure\n events require real-time alerts.\n Review the system settings and code. If the real-time alerting that is\n specified in the documentation is not enabled, this is a finding.\"\n tag \"fix\": \"Configure the system to provide an immediate real-time alert to\n appropriate support staff when a specified audit failure occurs.\n It is possible to create scripts or implement third-party tools to enable\n real-time alerting for audit failures in PostgreSQL.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72893.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":4.908e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72895","title":"PostgreSQL must maintain the confidentiality and integrity of\n information during reception.","desc":"Information can be either unintentionally or maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. 
Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.","descriptions":[{"label":"default","data":"Information can be either unintentionally or maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. 
Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000442-DB-000379","gid":"V-72895","rid":"SV-87547r1_rule","stig_id":"PGS9-00-003000","cci":["CCI-002422"],"nist":["SC-8 (2)","Rev_4"],"check":"If the data owner does not have a strict requirement for\n ensuring data integrity and confidentiality is maintained at every step of the\n data transfer and handling process, this is not a finding.\n\n As the database administrator (shown here as \"postgres\"), verify SSL is\n enabled in postgresql.conf by:\n\n First, open the postgresql.conf file and ensure the ssl parameter is set to on:\n\n $ vi ${PGDATA?}/postgresql.conf\n ssl = 'on'\n\n is set and not commented out with a '#'.\n\n Second, run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n\n If SSL is off, this is a finding.\n\n Note: ssl = on only makes TLS available to clients; it does not require them\n to use it. Remote connections are forced onto TLS only by hostssl entries\n (rather than host entries) in pg_hba.conf, so review pg_hba.conf as well.\n\n If PostgreSQL, associated applications, and infrastructure do not employ\n protective measures against unauthorized disclosure and modification during\n reception, this is a finding.","fix":"Implement protective measures against unauthorized disclosure and\n modification during reception.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G for\n instructions on enabling SSL."},"code":"control \"V-72895\" do\n title \"PostgreSQL must maintain the confidentiality and integrity of\n information during reception.\"\n desc \"Information can be either unintentionally or 
maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000442-DB-000379\"\n tag \"gid\": \"V-72895\"\n tag \"rid\": \"SV-87547r1_rule\"\n tag \"stig_id\": \"PGS9-00-003000\"\n tag \"cci\": [\"CCI-002422\"]\n tag \"nist\": [\"SC-8 (2)\", \"Rev_4\"]\n tag \"check\": \"If the data owner does not have a strict requirement for\n ensuring data integrity and confidentiality is maintained at every step of the\n data transfer and handling process, this is not a finding.\n\n As the database administrator (shown here as \\\"postgres\\\"), verify SSL is\n enabled in postgresql.conf by:\n\n First, open the postgresql.conf file and ensure the ssl paramater is set to on:\n\n $ vi /postgresql.conf\n $ ssl = 'on'\n\n is set and not commented out with a '#'.\n\n Second, run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW ssl\\\"\n\n If SSL is off, this is a finding.\n\n If PostgreSQL, associated applications, and infrastructure do not employ\n protective measures against 
unauthorized disclosure and modification during\n reception, this is a finding.\"\n\n tag \"fix\": \"Implement protective measures against unauthorized disclosure and\n modification during reception.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G for\n instructions on enabling SSL.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72895.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl; output should not match /off|false/i","run_time":0.000109373,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-72897","title":"Database objects (including but not limited to tables, indexes,\n storage, trigger procedures, functions, links to software external to\n PostgreSQL, etc.) must be owned by database/DBMS principals authorized for\n ownership.","desc":"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. Database functions and procedures can be coded using\n definer's rights. This allows anyone who utilizes the object to perform the\n actions if they were the owner. If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed.","descriptions":[{"label":"default","data":"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. Database functions and procedures can be coded using\n definer's rights. 
This allows anyone who utilizes the object to perform the\n actions if they were the owner. If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000200","gid":"V-72897","rid":"SV-87549r1_rule","stig_id":"PGS9-00-003100","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review system documentation to identify accounts authorized to\n own database objects. Review accounts that own objects in the database(s).\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n To check the ownership of objects in the database, as the database\n administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -x -c \"\\dn *.*\"\n $ psql -x -c \"\\dt *.*\"\n $ psql -x -c \"\\ds *.*\"\n $ psql -x -c \"\\dv *.*\"\n $ psql -x -c \"\\df+ *.*\"\n If any object is not owned by an authorized role for ownership, this is a\n finding.","fix":"Assign ownership of authorized objects to authorized object owner\n accounts.\n #### Schema Owner\n To create a schema owned by the user bob, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"CREATE SCHEMA test AUTHORIZATION bob\n To alter the ownership of an existing object to be owned by the user bob,\n run the following SQL:\n $ sudo su - postgres\n $ psql -c \"ALTER SCHEMA test OWNER TO bob\""},"code":"control \"V-72897\" do\n title \"Database objects (including but not limited to tables, indexes,\n storage, trigger procedures, functions, links to software external to\n PostgreSQL, etc.) 
must be owned by database/DBMS principals authorized for\n ownership.\"\n desc \"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. Database functions and procedures can be coded using\n definer's rights. This allows anyone who utilizes the object to perform the\n actions if they were the owner. If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000200\"\n tag \"gid\": \"V-72897\"\n tag \"rid\": \"SV-87549r1_rule\"\n tag \"stig_id\": \"PGS9-00-003100\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review system documentation to identify accounts authorized to\n own database objects. 
Review accounts that own objects in the database(s).\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n To check the ownership of objects in the database, as the database\n administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\dn *.*\\\"\n $ psql -x -c \\\"\\\\dt *.*\\\"\n $ psql -x -c \\\"\\\\ds *.*\\\"\n $ psql -x -c \\\"\\\\dv *.*\\\"\n $ psql -x -c \\\"\\\\df+ *.*\\\"\n If any object is not owned by an authorized role for ownership, this is a\n finding.\"\n tag \"fix\": \"Assign ownership of authorized objects to authorized object owner\n accounts.\n #### Schema Owner\n To create a schema owned by the user bob, run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"CREATE SCHEMA test AUTHORIZATION bob\n To alter the ownership of an existing object to be owned by the user bob,\n run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"ALTER SCHEMA test OWNER TO bob\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n types = %w(t s v) # tables, sequences views\n\n databases.each do |database|\n schemas_sql = ''\n functions_sql = ''\n\n if database == 'postgres'\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n else\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM 
pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema';\"\n end\n\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n connection_error_regex = Regexp.new(connection_error)\n\n sql_result=sql.query(schemas_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n sql_result=sql.query(functions_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n types.each do |type|\n objects_sql = ''\n\n if database == 'postgres'\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}' \"\n \"AND n.nspname !~ '^pg_toast';\"\n else\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) 
\"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'\"\\\n \" AND n.nspname !~ '^pg_toast';\"\n end\n\n sql_result=sql.query(objects_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72897.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.0002892,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000590171,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000318437,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000612559,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000272665,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000623466,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000268913,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000607756,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000277061,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000650915,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000367025,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000709028,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000411732,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000685441,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000365254,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000738624,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000405594,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.00077179,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000402771,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000725284,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000405675,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000848069,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000376155,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000721979,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.00035839,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000829025,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 
'pg_superusers' does not have a value. Skipping test.) AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000483429,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000832596,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 
'pg_superusers' does not have a value. Skipping test.) AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000389403,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000750894,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000373031,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000871473,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000411963,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000812085,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000368015,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000835574,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000428115,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000909727,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000277377,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN (Attribute 'pg_superusers' does not have a value. Skipping test.) 
AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000546114,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"}]},{"id":"V-72899","title":"The PostgreSQL software installation account must be restricted to\n authorized users.","desc":"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized individuals must be allowed access\n to information system components 
for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a great impact on database\n security and operation. It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them.","descriptions":[{"label":"default","data":"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized individuals must be allowed access\n to information system components for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a great impact on database\n security and operation. 
It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000198","gid":"V-72899","rid":"SV-87551r1_rule","stig_id":"PGS9-00-003200","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review procedures for controlling, granting access to, and\n tracking use of the PostgreSQL software installation account(s).\n If access or use of this account is not restricted to the minimum number of\n personnel required or if unauthorized access to the account has been granted,\n this is a finding.","fix":"Develop, document, and implement procedures to restrict and track\n use of the PostgreSQL software installation account."},"code":"control \"V-72899\" do\n title \"The PostgreSQL software installation account must be restricted to\n authorized users.\"\n desc \"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized individuals must be allowed access\n to information system components for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a great impact on database\n security and operation. 
It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000198\"\n tag \"gid\": \"V-72899\"\n tag \"rid\": \"SV-87551r1_rule\"\n tag \"stig_id\": \"PGS9-00-003200\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review procedures for controlling, granting access to, and\n tracking use of the PostgreSQL software installation account(s).\n If access or use of this account is not restricted to the minimum number of\n personnel required or if unauthorized access to the account has been granted,\n this is a finding.\"\n tag \"fix\": \"Develop, document, and implement procedures to restrict and track\n use of the PostgreSQL software installation account.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72899.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":5.627e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72901","title":"Database software, including PostgreSQL configuration files, must be\n stored in dedicated directories separate from the host OS and other\n applications.","desc":"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. 
For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. Any\n method that provides any level of separation of security context assists in\n the protection between applications.","descriptions":[{"label":"default","data":"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. 
Any\n method that provides any level of separation of security context assists in\n the protection between applications."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000199","gid":"V-72901","rid":"SV-87553r1_rule","stig_id":"PGS9-00-003300","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review the PostgreSQL software library directory and any\n subdirectories.\n If any non-PostgreSQL software directories exist on the disk directory,\n examine or investigate their use. If any of the directories are used by other\n applications, including third-party applications that use the PostgreSQL, this\n is a finding.\n Only applications that are required for the functioning and administration,\n not use, of the PostgreSQL should be located in the same disk directory as\n the PostgreSQL software libraries.\n If other applications are located in the same directory as PostgreSQL, this\n is a finding.","fix":"Install all applications on directories separate from the\n PostgreSQL software library directory. Relocate any directories or reinstall\n other application software that currently shares the PostgreSQL software\n library directory."},"code":"control \"V-72901\" do\n title \"Database software, including PostgreSQL configuration files, must be\n stored in dedicated directories separate from the host OS and other\n applications.\"\n desc \"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. 
For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. Any\n method that provides any level of separation of security context assists in\n the protection between applications.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000199\"\n tag \"gid\": \"V-72901\"\n tag \"rid\": \"SV-87553r1_rule\"\n tag \"stig_id\": \"PGS9-00-003300\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review the PostgreSQL software library directory and any\n subdirectories.\n If any non-PostgreSQL software directories exist on the disk directory,\n examine or investigate their use. If any of the directories are used by other\n applications, including third-party applications that use the PostgreSQL, this\n is a finding.\n Only applications that are required for the functioning and administration,\n not use, of the PostgreSQL should be located in the same disk directory as\n the PostgreSQL software libraries.\n If other applications are located in the same directory as PostgreSQL, this\n is a finding.\"\n tag \"fix\": \"Install all applications on directories separate from the\n PostgreSQL software library directory. 
Relocate any directories or reinstall\n other application software that currently shares the PostgreSQL software\n library directory.\"\n\n PG_SHARED_DIRS.each do |dir|\n describe directory(dir) do\n it { should be_directory }\n it { should be_owned_by 'root' }\n it { should be_grouped_into 'root' }\n its('mode') { should cmp '0755' }\n end\n\n describe command(\"lsof | awk '$9 ~ \\\"#{dir}\\\" {print $1}'\") do\n its('stdout') { should match /^$|postgres|postmaster/ }\n its('stderr') { should eq '' }\n end\n end\nend\n","source_location":{"line":32,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb"},"results":[{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver} should be directory","run_time":0.000230196,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver} should be owned by \"root\"","run_time":0.000193768,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}.owned_by?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver} should be grouped into \"root\"","run_time":0.000168748,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}.grouped_into?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver} mode should cmp == \"0755\"","run_time":0.000212588,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in 
'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb:80:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in 
`with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in 
`run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}\" {print $1}'` stdout should match /^$|postgres|postmaster/","run_time":0.027219526,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}\" {print $1}'` stderr should eq \"\"","run_time":0.000187697,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/bin should be directory","run_time":0.000322888,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/bin.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/bin should be owned by \"root\"","run_time":0.000324759,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/bin.owned_by?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/bin should be grouped into \"root\"","run_time":0.000197194,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/bin.grouped_into?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/bin mode should cmp == \"0755\"","run_time":0.00032227,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in 
`handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb:80:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in 
run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in 
`run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/bin\" {print $1}'` stdout should match /^$|postgres|postmaster/","run_time":0.026497349,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/bin\" {print $1}'` stderr should eq \"\"","run_time":0.00018318,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/include should be directory","run_time":0.000264614,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/include.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/include should be owned by \"root\"","run_time":0.000259132,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/include.owned_by?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/include should be grouped into \"root\"","run_time":0.000283475,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/include.grouped_into?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/include mode should cmp == \"0755\"","run_time":0.000314578,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in 
`handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb:80:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in 
run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in 
`run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/include\" {print $1}'` stdout should match /^$|postgres|postmaster/","run_time":0.025410893,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/include\" {print $1}'` stderr should eq \"\"","run_time":0.000139769,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/lib should be directory","run_time":0.000251582,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/lib.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/lib should be owned by \"root\"","run_time":0.000256447,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/lib.owned_by?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/lib should be grouped into \"root\"","run_time":0.000208982,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/lib.grouped_into?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/lib mode should cmp == \"0755\"","run_time":0.000271818,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in 
`handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb:80:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in 
run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in 
`run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/lib\" {print $1}'` stdout should match /^$|postgres|postmaster/","run_time":0.025450907,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/lib\" {print $1}'` stderr should eq \"\"","run_time":0.00017671,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/share should be directory","run_time":0.000335921,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/share.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/share should be owned by \"root\"","run_time":0.000302013,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/share.owned_by?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/share should be grouped into \"root\"","run_time":0.000233565,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/share.grouped_into?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/share mode should cmp == \"0755\"","run_time":0.000313359,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in 
`handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb:80:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in 
run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in 
`run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/share\" {print $1}'` stdout should match /^$|postgres|postmaster/","run_time":0.026898283,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/share\" {print $1}'` stderr should eq \"\"","run_time":0.000194096,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-72903","title":"PostgreSQL must include additional, more detailed, organization-defined\n information in the audit records for audit events identified by type,\n location, or subject.","desc":"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000101-DB-000044","gid":"V-72903","rid":"SV-87555r1_rule","stig_id":"PGS9-00-003500","cci":["CCI-000135"],"nist":["AU-3 (1)","Rev_4"],"check":"Review the system documentation to identify what additional\n information the organization has determined necessary.\n Check PostgreSQL settings and existing audit records to verify that all\n organization-defined additional, more detailed information is in the audit\n records for audit events identified by type, location, or subject.\n If any additional information is defined and is not contained in the audit\n records, this is a finding.","fix":"Configure PostgreSQL audit settings to include all\n organization-defined detailed information in the audit records for audit\n events identified by type, location, or subject.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging."},"code":"control \"V-72903\" do\n title \"PostgreSQL must include additional, more detailed, organization-defined\n information in the audit records for audit events identified by type,\n location, or subject.\"\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. 
To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000101-DB-000044\"\n tag \"gid\": \"V-72903\"\n tag \"rid\": \"SV-87555r1_rule\"\n tag \"stig_id\": \"PGS9-00-003500\"\n tag \"cci\": [\"CCI-000135\"]\n tag \"nist\": [\"AU-3 (1)\", \"Rev_4\"]\n tag \"check\": \"Review the system documentation to identify what additional\n information the organization has determined necessary.\n Check PostgreSQL settings and existing audit records to verify that all\n organization-defined additional, more detailed information is in the audit\n records for audit events identified by type, location, or subject.\n If any additional information is defined and is not contained in the audit\n records, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL audit settings to include all\n organization-defined detailed information in the audit records for audit\n events identified 
by type, location, or subject.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72903.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":8.984e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72905","title":"Execution of software modules (to include functions and trigger\n procedures) with elevated privileges must be restricted to necessary cases\n only.","desc":"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. 
At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000342-DB-000302","gid":"V-72905","rid":"SV-87557r1_rule","stig_id":"PGS9-00-003600","cci":["CCI-002233"],"nist":["AC-6 (8)","Rev_4"],"check":"Functions in PostgreSQL can be created with the SECURITY\n DEFINER option. 
When SECURITY DEFINER functions are executed by a user, said\n function is run with the privileges of the user who created it.\n To list all functions that have SECURITY DEFINER, as, the database\n administrator (shown here as \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SELECT nspname, proname, proargtypes, prosecdef, rolname,\n proconfig FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN\n pg_authid a ON a.oid = p.proowner WHERE prosecdef OR NOT proconfig IS NULL;\"\n In the query results, a prosecdef value of \"t\" on a row indicates that that\n function uses privilege elevation.\n If elevation of PostgreSQL privileges is utilized but not documented, this is\n a finding.\n If elevation of PostgreSQL privileges is documented, but not implemented as\n described in the documentation, this is a finding.\n If the privilege-elevation logic can be invoked in ways other than intended,\n or in contexts other than intended, or by subjects/principals other than\n intended, this is a finding.","fix":"Determine where, when, how, and by what principals/subjects\n elevated privilege is needed.\n To change a SECURITY DEFINER function to SECURITY INVOKER, as the database\n administrator (shown here as \"postgres\"), run the following SQL: $ sudo su - postgres\n $ psql -c \"ALTER FUNCTION SECURITY INVOKER;\""},"code":"control \"V-72905\" do\n title \"Execution of software modules (to include functions and trigger\n procedures) with elevated privileges must be restricted to necessary cases\n only.\"\n desc \"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. 
However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000342-DB-000302\"\n tag \"gid\": \"V-72905\"\n tag \"rid\": \"SV-87557r1_rule\"\n tag \"stig_id\": \"PGS9-00-003600\"\n tag \"cci\": [\"CCI-002233\"]\n tag \"nist\": [\"AC-6 (8)\", \"Rev_4\"]\n tag \"check\": \"Functions in PostgreSQL can be created with the SECURITY\n DEFINER option. 
When SECURITY DEFINER functions are executed by a user, said\n function is run with the privileges of the user who created it.\n To list all functions that have SECURITY DEFINER, as, the database\n administrator (shown here as \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SELECT nspname, proname, proargtypes, prosecdef, rolname,\n proconfig FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN\n pg_authid a ON a.oid = p.proowner WHERE prosecdef OR NOT proconfig IS NULL;\\\"\n In the query results, a prosecdef value of \\\"t\\\" on a row indicates that that\n function uses privilege elevation.\n If elevation of PostgreSQL privileges is utilized but not documented, this is\n a finding.\n If elevation of PostgreSQL privileges is documented, but not implemented as\n described in the documentation, this is a finding.\n If the privilege-elevation logic can be invoked in ways other than intended,\n or in contexts other than intended, or by subjects/principals other than\n intended, this is a finding.\"\n tag \"fix\": \"Determine where, when, how, and by what principals/subjects\n elevated privilege is needed.\n To change a SECURITY DEFINER function to SECURITY INVOKER, as the database\n administrator (shown here as \\\"postgres\\\"), run the following SQL:\\\n $ sudo su - postgres\n $ psql -c \\\"ALTER FUNCTION SECURITY INVOKER;\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n security_definer_sql = \"SELECT nspname, proname, prosecdef \"\\\n \"FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid \"\\\n \"JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't';\"\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n 
connection_error_regex = Regexp.new(connection_error)\n\n sql_result=sql.query(security_definer_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72905.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; output should eq \"\"","run_time":0.000465141,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000798909,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting 
connections/\n+#\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; output should eq \"\"","run_time":0.000396,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000792151,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection 
refused\" is not currently accepting connections/\n+#\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; output should eq \"\"","run_time":0.000445426,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000824057,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently 
accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+#\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; output should eq \"\"","run_time":0.000313577,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000748627,"start_time":"2019-04-22T14:20:39+00:00","message":"expected # to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting 
connections/\n+#\n","exception":"RSpec::Core::MultipleExceptionError"}]},{"id":"V-72909","title":"PostgreSQL must utilize centralized management of the content captured\n in audit records generated by all components of PostgreSQL.","desc":"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. Whatever the method used, it must be compatible with\n off-loading the records to the centralized system.","descriptions":[{"label":"default","data":"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. 
Whatever the method used, it must be compatible with\n off-loading the records to the centralized system."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000356-DB-000314","gid":"V-72909","rid":"SV-87561r1_rule","stig_id":"PGS9-00-003800","cci":["CCI-001844"],"nist":["AU-3 (2)","Rev_4"],"check":"On UNIX systems, PostgreSQL can be configured to use stderr,\n csvlog and syslog. To send logs to a centralized location, syslog should be\n used.\n As the database owner (shown here as \"postgres\"), ensure PostgreSQL uses\n syslog by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_destination\"\n As the database owner (shown here as \"postgres\"), check which log facility\n PostgreSQL is configured by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW syslog_facility\"\n Check with the organization to see how syslog facilities are defined in their\n organization.\n If PostgreSQL audit records are not written directly to or systematically\n transferred to a centralized log management system, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n With logging enabled, as the database owner (shown here as \"postgres\"),\n configure the follow parameters in postgresql.conf:\n Note: Consult the organization on how syslog facilities are defined in the\n syslog daemon configuration.\n $ sudo su - postgres\n $ vi 'log_destination' ${PGDATA?}/postgresql.conf\n log_destination = 'syslog'\n syslog_facility = 'LOCAL0'\n syslog_ident = 'postgres'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72909\" do\n title \"PostgreSQL must utilize centralized management of the content captured\n in audit records generated by all components of PostgreSQL.\"\n desc \"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. 
Whatever the method used, it must be compatible with\n off-loading the records to the centralized system.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000356-DB-000314\"\n tag \"gid\": \"V-72909\"\n tag \"rid\": \"SV-87561r1_rule\"\n tag \"stig_id\": \"PGS9-00-003800\"\n tag \"cci\": [\"CCI-001844\"]\n tag \"nist\": [\"AU-3 (2)\", \"Rev_4\"]\n tag \"check\": \"On UNIX systems, PostgreSQL can be configured to use stderr,\n csvlog and syslog. To send logs to a centralized location, syslog should be\n used.\n As the database owner (shown here as \\\"postgres\\\"), ensure PostgreSQL uses\n syslog by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_destination\\\"\n As the database owner (shown here as \\\"postgres\\\"), check which log facility\n PostgreSQL is configured by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW syslog_facility\\\"\n Check with the organization to see how syslog facilities are defined in their\n organization.\n If PostgreSQL audit records are not written directly to or systematically\n transferred to a centralized log management system, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n With logging enabled, as the database owner (shown here as \\\"postgres\\\"),\n configure the follow parameters in postgresql.conf:\n Note: Consult the organization on how syslog facilities are defined in the\n syslog daemon configuration.\n $ sudo su - postgres\n $ vi 'log_destination' ${PGDATA?}/postgresql.conf\n log_destination = 'syslog'\n syslog_facility = 'LOCAL0'\n syslog_ident = 'postgres'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW log_destination;', [PG_DB]) do\n its('output') { should match /syslog/i }\n end\n\n describe sql.query('SHOW syslog_facility;', [PG_DB]) do\n its('output') { should match /local[0-7]/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72909.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_destination; output should match /syslog/i","run_time":0.000290267,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /syslog/i\nDiff:\n@@ -1,2 +1,5 @@\n-/syslog/i\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW syslog_facility; output should match 
/local[0-7]/i","run_time":0.000364884,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /local[0-7]/i\nDiff:\n@@ -1,2 +1,5 @@\n-/local[0-7]/i\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72911","title":"PostgreSQL must isolate security functions from non-security functions.","desc":"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. 
When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. 
When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000233-DB-000124","gid":"V-72911","rid":"SV-87563r1_rule","stig_id":"PGS9-00-004000","cci":["CCI-001084"],"nist":["SC-3","Rev_4"],"check":"Check PostgreSQL settings to determine whether objects or code\n implementing security functionality are located in a separate security domain,\n such as a separate database or schema created specifically for security\n functionality.\n By default, all objects in pg_catalog and information_schema are owned by the\n database administrator.\n To check the access controls for those schemas, as the database administrator\n (shown here as \"postgres\"), run the following commands to review the access\n privileges granted on the data dictionary and security tables, views,\n sequences, functions and trigger procedures:\n $ sudo su - postgres\n $ psql -x -c \"\\dp pg_catalog.*\"\n $ psql -x -c \"\\dp information_schema.*\"\n Repeat the \\dp statements for any additional schemas that contain locally\n defined security objects.\n\nRepeat using \\df+*.* to review ownership of\n PostgreSQL functions:\n $ sudo su - postgres\n $ psql -x -c \"\\df+ pg_catalog.*\"\n $ psql -x -c \"\\df+ information_schema.*\"\n Refer to the PostgreSQL online documentation for GRANT for help in\n interpreting the Access Privileges column in the output from \\du. Note that\n an entry starting with an equals sign indicates privileges granted to Public\n (all users). 
By default, most of the tables and views in the pg_catalog and\n information_schema schemas can be read by Public.\n If any user besides the database administrator(s) is listed in access\n privileges and not documented, this is a finding.\n If security-related database objects or code are not kept separate, this is a\n finding.","fix":"Do not locate security-related database objects with application\n tables or schema.\n Review any site-specific applications security modules built into the\n database: determine what schema they are located in and take appropriate\n action.\n Do not grant access to pg_catalog or information_schema to anyone but the\n database administrator(s). Access to the database administrator account(s)\n must not be granted to anyone without official approval."},"code":"control \"V-72911\" do\n title \"PostgreSQL must isolate security functions from non-security functions.\"\n desc \"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. 
When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000233-DB-000124\"\n tag \"gid\": \"V-72911\"\n tag \"rid\": \"SV-87563r1_rule\"\n tag \"stig_id\": \"PGS9-00-004000\"\n tag \"cci\": [\"CCI-001084\"]\n tag \"nist\": [\"SC-3\", \"Rev_4\"]\n tag \"check\": \"Check PostgreSQL settings to determine whether objects or code\n implementing security functionality are located in a separate security domain,\n such as a separate database or schema created specifically for security\n functionality.\n By default, all objects in pg_catalog and information_schema are owned by the\n database administrator.\n To check the access controls for those schemas, as the database administrator\n (shown here as \\\"postgres\\\"), run the following commands to review the access\n privileges granted on the data dictionary and security tables, views,\n sequences, functions and trigger procedures:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\dp pg_catalog.*\\\"\n $ psql -x -c \\\"\\\\dp information_schema.*\\\"\n Repeat the \\\\dp statements for any additional schemas that contain locally\n defined security objects.\n\nRepeat using \\\\df+*.* to review ownership of\n PostgreSQL functions:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\df+ pg_catalog.*\\\"\n $ psql -x -c \\\"\\\\df+ information_schema.*\\\"\n Refer to the PostgreSQL online documentation for GRANT for help in\n interpreting the Access Privileges column in the output from \\\\du. Note that\n an entry starting with an equals sign indicates privileges granted to Public\n (all users). 
By default, most of the tables and views in the pg_catalog and\n information_schema schemas can be read by Public.\n If any user besides the database administrator(s) is listed in access\n privileges and not documented, this is a finding.\n If security-related database objects or code are not kept separate, this is a\n finding.\"\n tag \"fix\": \"Do not locate security-related database objects with application\n tables or schema.\n Review any site-specific applications security modules built into the\n database: determine what schema they are located in and take appropriate\n action.\n Do not grant access to pg_catalog or information_schema to anyone but the\n database administrator(s). Access to the database administrator account(s)\n must not be granted to anyone without official approval.\"\n\n exceptions = \"#{PG_OBJECT_EXCEPTIONS.map { |e| \"'#{e}'\" }.join(',')}\"\n object_acl = \"^(((#{PG_OWNER}=[#{PG_OBJECT_GRANTED_PRIVILEGES}]+|\"\\\n \"=[#{PG_OBJECT_PUBLIC_PRIVILEGES}]+)\\\\/\\\\w+,?)+|)$\"\n schemas = ['pg_catalog', 'information_schema']\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n schemas.each do |schema|\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.array_to_string(c.relacl, E',') FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f') \"\\\n \"AND n.nspname ~ '^(#{schema})$' \"\\\n \"AND pg_catalog.array_to_string(c.relacl, E',') !~ '#{object_acl}' \"\\\n \"AND c.relname NOT IN (#{exceptions});\"\n\n describe sql.query(objects_sql, [PG_DB]) do\n its('output') { should eq '' }\n end\n\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE n.nspname ~ '^(#{schema})$' \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n\n describe 
sql.query(functions_sql, [PG_DB]) do\n its('output') { should eq '' }\n end\n end\nend\n","source_location":{"line":70,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72911.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.array_to_string(c.relacl, E',') FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f') AND n.nspname ~ '^(pg_catalog)$' AND pg_catalog.array_to_string(c.relacl, E',') !~ '^(((postgres=[arwdDxt]+|=[r]+)\\/\\w+,?)+|)$' AND c.relname NOT IN ('pg_settings'); output should eq \"\"","run_time":0.000359438,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,5 @@\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE n.nspname ~ '^(pg_catalog)$' AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'postgres'; output should eq \"\"","run_time":0.000281749,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,5 @@\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.array_to_string(c.relacl, E',') FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f') AND n.nspname ~ '^(information_schema)$' AND pg_catalog.array_to_string(c.relacl, E',') !~ '^(((postgres=[arwdDxt]+|=[r]+)\\/\\w+,?)+|)$' AND c.relname NOT IN ('pg_settings'); output should eq \"\"","run_time":0.000279125,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,5 @@\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE n.nspname ~ '^(information_schema)$' AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'postgres'; output should eq \"\"","run_time":0.000323604,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,5 @@\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72917","title":"When updates are applied to PostgreSQL software, any software\n components that have been replaced or made unnecessary must be removed.","desc":"Previous versions of PostgreSQL components 
that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. This should be taken into account in the planning.","descriptions":[{"label":"default","data":"Previous versions of PostgreSQL components that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. 
This should be taken into account in the planning."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000454-DB-000389","gid":"V-72917","rid":"SV-87569r1_rule","stig_id":"PGS9-00-004300","cci":["CCI-002617"],"nist":["SI-2 (6)","Rev_4"],"check":"To check software installed by packages, as the system\n administrator, run the following command:\n # RHEL/CENT Systems\n $ sudo rpm -qa | grep postgres\n If multiple versions of postgres are installed but are unused, this is a\n finding.","fix":"Use package managers (RPM or apt-get) for installing PostgreSQL.\n Unused software is removed when updated."},"code":"control \"V-72917\" do\n title \"When updates are applied to PostgreSQL software, any software\n components that have been replaced or made unnecessary must be removed.\"\n desc \"Previous versions of PostgreSQL components that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. 
This should be taken into account in the planning.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000454-DB-000389\"\n tag \"gid\": \"V-72917\"\n tag \"rid\": \"SV-87569r1_rule\"\n tag \"stig_id\": \"PGS9-00-004300\"\n tag \"cci\": [\"CCI-002617\"]\n tag \"nist\": [\"SI-2 (6)\", \"Rev_4\"]\n tag \"check\": \"To check software installed by packages, as the system\n administrator, run the following command:\n # RHEL/CENT Systems\n $ sudo rpm -qa | grep postgres\n If multiple versions of postgres are installed but are unused, this is a\n finding.\"\n tag \"fix\": \"Use package managers (RPM or apt-get) for installing PostgreSQL.\n Unused software is removed when updated.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72917.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":8.02e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72919","title":"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is accessed.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000494-DB-000344","gid":"V-72919","rid":"SV-87571r1_rule","stig_id":"PGS9-00-004400","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), run\n the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW pgaudit.log\"\n If pgaudit.log does not contain, \"ddl, write, role\", this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72919\" do\n title \"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is accessed.\"\n desc \"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000494-DB-000344\"\n tag \"gid\": \"V-72919\"\n tag \"rid\": \"SV-87571r1_rule\"\n tag \"stig_id\": \"PGS9-00-004400\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), run\n the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If pgaudit.log does not contain, \\\"ddl, write, role\\\", this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. 
See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgaudit_types = %w(ddl role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72919.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000454343,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000363711,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host 
\"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000399395,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72931","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n delete categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000502-DB-000349","gid":"V-72931","rid":"SV-87583r1_rule","stig_id":"PGS9-00-005000","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain \"pgaudit\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72931\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n delete categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000502-DB-000349\"\n tag \"gid\": \"V-72931\"\n tag \"rid\": \"SV-87583r1_rule\"\n tag \"stig_id\": \"PGS9-00-005000\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The 
following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72931.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000382681,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on 
port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.00033824,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000328888,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000359177,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.00036445,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection 
refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72949","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n modify categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000498-DB-000347","gid":"V-72949","rid":"SV-87601r1_rule","stig_id":"PGS9-00-005600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain \"pgaudit\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to modify categories of information.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging. 
All denials are logged when logging is enabled.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72949\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n modify categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000498-DB-000347\"\n tag \"gid\": \"V-72949\"\n tag \"rid\": \"SV-87601r1_rule\"\n tag \"stig_id\": \"PGS9-00-005600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to produce audit records 
when unsuccessful\n attempts to modify categories of information.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging. All denials are logged when logging is enabled.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72949.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000356385,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000413405,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not 
connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.0003661,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000371227,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000458223,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs 
the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72953","title":"PostgreSQL must generate audit records for all privileged activities or\n other system-level access.","desc":"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. 
Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity.","descriptions":[{"label":"default","data":"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. 
Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000504-DB-000354","gid":"V-72953","rid":"SV-87605r1_rule","stig_id":"PGS9-00-005800","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n shared_preload_libraries = 'pgaudit'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72953\" do\n title \"PostgreSQL must generate audit records for all privileged activities or\n other system-level access.\"\n desc \"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. 
Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000504-DB-000354\"\n tag \"gid\": \"V-72953\"\n tag \"rid\": \"SV-87605r1_rule\"\n tag \"stig_id\": \"PGS9-00-005800\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n shared_preload_libraries = ‘pgaudit’\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72953.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.00035529,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000300885,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP 
connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000273043,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000391036,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000354172,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n"}]},{"id":"V-72955","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n access categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000494-DB-000345","gid":"V-72955","rid":"SV-87607r1_rule","stig_id":"PGS9-00-005900","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator (shown here as\n \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW pgaudit.log\"\n If pgaudit.log does not contain, \"ddl, write, role\", this is a finding.","fix":"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to access categories of information.\n All denials are logged if logging is enabled. 
To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72955\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n access categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000494-DB-000345\"\n tag \"gid\": \"V-72955\"\n tag \"rid\": \"SV-87607r1_rule\"\n tag \"stig_id\": \"PGS9-00-005900\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as\n \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If pgaudit.log does not contain, \\\"ddl, write, role\\\", this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to access categories of information.\n All denials are logged if logging is enabled. 
To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-$9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgaudit_types = %w(ddl role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72955.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.00041116,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000314689,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the 
server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000347625,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72957","title":"PostgreSQL must be able to generate audit records when security objects\n are accessed.","desc":"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DROP.","descriptions":[{"label":"default","data":"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DROP."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000492-DB-000332","gid":"V-72957","rid":"SV-87609r1_rule","stig_id":"PGS9-00-006000","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW 
shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72957\" do\n title \"PostgreSQL must be able to generate audit records when security objects\n are accessed.\"\n desc \"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DRO.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000492-DB-000332\"\n tag \"gid\": \"V-72957\"\n tag \"rid\": \"SV-87609r1_rule\"\n tag \"stig_id\": \"PGS9-00-006000\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW 
shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72957.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000291467,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could 
not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000326374,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000295155,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000382006,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include 
\"write\"","run_time":0.000353533,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72959","title":"PostgreSQL must generate audit records when privileges/permissions are\n deleted.","desc":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command.","descriptions":[{"label":"default","data":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. 
Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000499-DB-000330","gid":"V-72959","rid":"SV-87611r1_rule","stig_id":"PGS9-00-006100","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72959\" do\n title \"PostgreSQL must generate audit records when privileges/permissions are\n deleted.\"\n desc \"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. 
Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000499-DB-000330\"\n tag \"gid\": \"V-72959\"\n tag \"rid\": \"SV-87611r1_rule\"\n tag \"stig_id\": \"PGS9-00-006100\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72959.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000333269,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000298191,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include 
\"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000308823,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000333391,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000375075,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72961","title":"PostgreSQL must generate audit 
records when concurrent\n logons/connections by the same user from different workstations occur.","desc":"For completeness of forensic analysis, it is necessary to \n track who logs on to PostgreSQL.\n\n Concurrent connections by the same user from multiple \n workstations may be valid use of the system; or such \n connections may be due to improper circumvention of the \n requirement to use the CAC/PIV for authentication; or they may \n indicate unauthorized account sharing; or they may be because \n an account has been compromised.\n\n (If the fact of multiple, concurrent logons by a given user \n can be reliably reconstructed from the log entries for other \n events (logons/connections; voluntary and involuntary \n disconnections), then it is not mandatory to create additional \n log entries specifically for this.)","descriptions":[{"label":"default","data":"For completeness of forensic analysis, it is necessary to \n track who logs on to PostgreSQL.\n\n Concurrent connections by the same user from multiple \n workstations may be valid use of the system; or such \n connections may be due to improper circumvention of the \n requirement to use the CAC/PIV for authentication; or they may \n indicate unauthorized account sharing; or they may be because \n an account has been compromised.\n\n (If the fact of multiple, concurrent logons by a given user \n can be reliably reconstructed from the log entries for other \n events (logons/connections; voluntary and involuntary \n disconnections), then it is not mandatory to create additional \n log entries specifically for this.)"}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000506-DB-000353","gid":"V-72961","rid":"SV-87613r1_rule","stig_id":"PGS9-00-006200","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify that\n log_connections and log_disconnections are enabled by running the following\n SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW 
log_connections\"\n $ psql -c \"SHOW log_disconnections\"\n If either is off, this is a finding.\n Next, verify that log_line_prefix contains sufficient information by running\n the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n If log_line_prefix does not contain at least %m %u %d %c, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First, as the database administrator (shown here as \"postgres\"), edit\n postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Edit the following parameters as such:\n log_connections = on\n log_disconnections = on\n log_line_prefix = '< %m %u %d %c: >'\n Where:\n * %m is the time and date\n * %u is the username\n * %d is the database\n * %c is the session ID for the connection\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72961\" do\n title \"PostgreSQL must generate audit records when concurrent\n logons/connections by the same user from different workstations occur.\"\n desc \"For completeness of forensic analysis, it is necessary to track who\n logs on to PostgreSQL.\n Concurrent connections by the same user from multiple workstations may be\n valid use of the system; or such connections may be due to improper\n circumvention of the requirement to use the CAC for authentication; or they\n may indicate unauthorized account sharing; or they may be because an account\n has been compromised.\n (If the fact of multiple, concurrent logons by a given user can be reliably\n reconstructed from the log entries for other events (logons/connections;\n voluntary and 
involuntary disconnections), then it is not mandatory to create\n additional log entries specifically for this..\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000506-DB-000353\"\n tag \"gid\": \"V-72961\"\n tag \"rid\": \"SV-87613r1_rule\"\n tag \"stig_id\": \"PGS9-00-006200\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify that\n log_connections and log_disconnections are enabled by running the following\n SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_connections\\\"\n $ psql -c \\\"SHOW log_disconnections\\\"\n If either is off, this is a finding.\n Next, verify that log_line_prefix contains sufficient information by running\n the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_line_prefix\\\"\n If log_line_prefix does not contain at least %m %u %d %c, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First, as the database administrator (shown here as \\\"postgres\\\"), edit\n postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Edit the following parameters as such:\n log_connections = on\n log_disconnections = on\n log_line_prefix = '< %m %u %d %c: >'\n Where:\n * %m is the time and date\n * %u is the username\n * %d is the database\n * %c is the session ID for the connection\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n log_line_prefix_escapes = %w(%m %u %d %c)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72961.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_connections; output should not match /off|false/i","run_time":0.000100438,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_disconnections; output should not match /off|false/i","run_time":0.000108576,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include 
\"%m\"","run_time":0.000394441,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.000335363,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000322436,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%c\"","run_time":0.000337736,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include 
\"%c\"\nDiff:\n@@ -1,2 +1,5 @@\n-%c\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72963","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n delete security objects occur.","desc":"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.","descriptions":[{"label":"default","data":"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000501-DB-000337","gid":"V-72963","rid":"SV-87615r1_rule","stig_id":"PGS9-00-006300","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Configure PostgreSQL to produce audit records when unsuccessful attempts to\n delete security objects occur.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72963\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n delete security objects occur.\"\n desc \"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000501-DB-000337\"\n tag \"gid\": \"V-72963\"\n tag \"rid\": \"SV-87615r1_rule\"\n tag \"stig_id\": \"PGS9-00-006300\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Configure PostgreSQL to produce audit records when unsuccessful attempts to\n delete security objects occur.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72963.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output 
should include \"pgaudit\"","run_time":0.000324973,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000356659,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000317602,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000345728,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections 
on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000404891,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72965","title":"PostgreSQL must generate audit records when privileges/permissions are\n modified.","desc":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands.","descriptions":[{"label":"default","data":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. 
Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000495-DB-000328","gid":"V-72965","rid":"SV-87617r1_rule","stig_id":"PGS9-00-006400","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role is enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72965\" do\n title \"PostgreSQL must generate audit records when privileges/permissions are\n modified.\"\n desc \"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. 
Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000495-DB-000328\"\n tag \"gid\": \"V-72965\"\n tag \"rid\": \"SV-87617r1_rule\"\n tag \"stig_id\": \"PGS9-00-006400\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role is enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment v\n ariable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = ['role']\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72965.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000340437,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000355857,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 
+1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72971","title":"PostgreSQL must generate audit records when security objects are\n modified.","desc":"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. The database could be severely\n compromised or rendered inoperative.","descriptions":[{"label":"default","data":"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. The database could be severely\n compromised or rendered inoperative."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000496-DB-000334","gid":"V-72971","rid":"SV-87623r1_rule","stig_id":"PGS9-00-006600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the results does not contain `pgaudit`, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain `role`, `read`, `write`, and `ddl`, this is a\n finding.\n Next, verify that accessing the catalog is audited by running the following\n SQL:\n $ psql -c \"SHOW pgaudit.log_catalog\"\n If log_catalog is not `on`, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`. With `pgaudit` installed the following\n configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log_catalog = 'on'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72971\" do\n title \"PostgreSQL must generate audit records when security objects are\n modified.\"\n desc \"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. 
The database could be severely\n compromised or rendered inoperative.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000496-DB-000334\"\n tag \"gid\": \"V-72971\"\n tag \"rid\": \"SV-87623r1_rule\"\n tag \"stig_id\": \"PGS9-00-006600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the results does not contain `pgaudit`, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain `role`, `read`, `write`, and `ddl`, this is a\n finding.\n Next, verify that accessing the catalog is audited by running the following\n SQL:\n $ psql -c \\\"SHOW pgaudit.log_catalog\\\"\n If log_catalog is not `on`, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. 
See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.With `pgaudit` installed the following configurat\n ions can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log_catalog = 'on'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\n\n describe sql.query('SHOW pgaudit.log_catalog;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72971.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000338544,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000390563,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not 
connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000362373,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000371527,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000392675,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs 
the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log_catalog; output should match /on|true/i","run_time":0.00012043,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-72973","title":"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is modified.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000498-DB-000346","gid":"V-72973","rid":"SV-87625r1_rule","stig_id":"PGS9-00-006700","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"If category tracking is not required in the database, this is\n not applicable.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, 
write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":" control \"V-72973\" do\n title \"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is modified.\"\n desc \"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000498-DB-000346\"\n tag \"gid\": \"V-72973\"\n tag \"rid\": \"SV-87625r1_rule\"\n tag \"stig_id\": \"PGS9-00-006700\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"If category tracking is not required in the database, this is\n not applicable.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring P\n GDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72973.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000334579,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000337367,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to 
include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000302805,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.00034764,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000331242,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72979","title":"PostgreSQL, when utilizing 
PKI-based authentication, must validate\n certificates by performing RFC 5280-compliant certification path validation.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n\n A certificate certification path is the path from the end \n entity certificate to a trusted root certification authority \n (CA). Certification path validation is necessary for a relying \n party to make an informed decision regarding acceptance of an \n end entity certificate. Certification path validation includes \n checks such as certificate issuer trust, time validity and \n revocation status for each certificate in the certification \n path. Revocation status information for CA and subject \n certificates in a certification path is commonly provided via \n certificate revocation lists (CRLs) or online certificate \n status protocol (OCSP) responses.\n\n Database Management Systems that do not validate certificates \n by performing RFC 5280-compliant certification path validation \n are in danger of accepting certificates that are invalid and/or \n counterfeit. This could allow unauthorized access to the database.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n\n A certificate certification path is the path from the end \n entity certificate to a trusted root certification authority \n (CA). Certification path validation is necessary for a relying \n party to make an informed decision regarding acceptance of an \n end entity certificate. Certification path validation includes \n checks such as certificate issuer trust, time validity and \n revocation status for each certificate in the certification \n path. 
Revocation status information for CA and subject \n certificates in a certification path is commonly provided via \n certificate revocation lists (CRLs) or online certificate \n status protocol (OCSP) responses.\n\n Database Management Systems that do not validate certificates \n by performing RFC 5280-compliant certification path validation \n are in danger of accepting certificates that are invalid and/or \n counterfeit. This could allow unauthorized access to the database."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000175-DB-000067","gid":"V-72979","rid":"SV-87631r1_rule","stig_id":"PGS9-00-007000","cci":["CCI-000185"],"nist":["IA-5 (2) (a)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To verify that a CRL file exists, as the database administrator (shown here as\n \"postgres\"), run the following:\n $ sudo su - postgres\n $ psql -c \"SHOW ssl_crl_file\" If this is not set to a CRL file, this is a finding.\n Next, verify the existence of the CRL file by checking the directory set in\n postgresql.conf in the ssl_crl_file parameter from above:\n Note: If no directory is specified, then the CRL file should be located in the\n same directory as postgresql.conf (PGDATA).\n If the CRL file does not exist, this is a finding.\n Next, verify that hostssl entries in pg_hba.conf have \"cert\" and\n \"clientcert=1\" enabled:\n $ sudo su - postgres\n $ grep hostssl ${PGDATA?}/postgresql.conf\n If the hostssl entries do not contain cert or clientcert=1, this is a finding.\n If certificates are not being validated by performing RFC 5280-compliant\n certification path validation, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G.\n To generate a Certificate Revocation List, see the official Red Hat\n Documentation:\n https://access.redhat.com/documentation/en-US/Red_Hat_Update_Infrastructure/\n 2.1/html/Administration_Guide/chap-Red_Hat_Update_Infrastructure-\n Administration_Guide-Certification_Revocation_List_CRL.html\n As the database administrator (shown here as \"postgres\"), copy the CRL file\n into the data directory:\n First, as the system administrator, copy the CRL file into the PostgreSQL Data\n Directory:\n $ sudo cp root.crl ${PGDATA?}/root.crl\n As the database administrator (shown here as \"postgres\"), set the\n ssl_crl_file parameter to the filename of the CRL:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n ssl_crl_file = 'root.crl'\n Next, in pg_hba.conf, require ssl authentication:\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n hostssl
cert clientcert=1\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72979\" do\n title \"PostgreSQL, when utilizing PKI-based authentication, must validate\n certificates by performing RFC 5280-compliant certification path validation.\"\n desc \"The DoD standard for authentication is DoD-approved PKI certificates.\n A certificate’s certification path is the path from the end entity certificate\n to a trusted root certification authority (CA). Certification path validation\n is necessary for a relying party to make an informed decision regarding\n acceptance of an end entity certificate. Certification path validation\n includes checks such as certificate issuer trust, time validity and revocation\n status for each certificate in the certification path. Revocation status\n information for CA and subject certificates in a certification path is\n commonly provided via certificate revocation lists (CRLs) or online\n certificate status protocol (OCSP) responses.\n Database Management Systems that do not validate certificates by performing\n RFC 5280-compliant certification path validation are in danger of accepting\n certificates that are invalid and/or counterfeit. This could allow unauthorized\n access to the database.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000175-DB-000067\"\n tag \"gid\": \"V-72979\"\n tag \"rid\": \"SV-87631r1_rule\"\n tag \"stig_id\": \"PGS9-00-007000\"\n tag \"cci\": [\"CCI-000185\"]\n tag \"nist\": [\"IA-5 (2) (a)\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To verify that a CRL file exists, as the database administrator (shown here as\n \\\"postgres\\\"), run the following:\n $ sudo su - postgres\n $ psql -c \\\"SHOW ssl_crl_file\\\" If this is not set to a CRL file, this is a finding.\n Next verify the existence of the CRL file by checking the directory set in\n postgresql.conf in the ssl_crl_file parameter from above:\n Note: If no directory is specified, then the CRL file should be located in the\n same directory as postgresql.conf (PGDATA).\n If the CRL file does not exist, this is a finding.\n Next, verify that hostssl entries in pg_hba.conf have \\\"cert\\\" and\n \\\"clientcert=1\\\" enabled:\n $ sudo su - postgres\n $ grep hostssl ${PGDATA?}/postgresql.conf\n If hostssl entries does not contain cert or clientcert=1, this is a finding.\n If certificates are not being validated by performing RFC 5280-compliant\n certification path validation, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G.\n To generate a Certificate Revocation List, see the official Red Hat\n Documentation:\n https://access.redhat.com/documentation/en-US/Red_Hat_Update_Infrastructure/\n 2.1/html/Administration_Guide/chap-Red_Hat_Update_Infrastructure-\n Administration_Guide-Certification_Revocation_List_CRL.html\n As the database administrator (shown here as \\\"postgres\\\"), copy the CRL file\n into the data directory:\n First, as the system administrator, copy the CRL file into the PostgreSQL Data\n Directory:\n $ sudo cp root.crl ${PGDATA?}/root.crl\n As the database administrator (shown here as \\\"postgres\\\"), set the\n ssl_crl_file parameter to the filename of the CRL:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n ssl_crl_file = 'root.crl'\n Next, in pg_hba.conf, require ssl authentication:\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n hostssl
cert clientcert=1\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n ssl_crl_file_query = sql.query('SHOW ssl_crl_file;', [PG_DB])\n\n describe ssl_crl_file_query do\n its('output') { should match /^\\w+\\.crl$/ }\n end\n\n ssl_crl_file = ssl_crl_file_query.output\n\n if ssl_crl_file.empty?\n ssl_crl_file = \"#{PG_DATA_DIR}/root.crl\"\n elsif File.dirname(ssl_crl_file) == '.'\n ssl_crl_file = \"#{PG_DATA_DIR}/#{ssl_crl_file}\"\n end\n\n describe file(ssl_crl_file) do\n it { should be_file }\n end\n\n describe.one do\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'hostssl' } do\n its('auth_method') { should include 'cert' }\n end\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'hostssl' } do\n its('auth_params') { should match [/clientcert=1.*/] }\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72979.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW ssl_crl_file; output should match /^\\w+\\.crl$/","run_time":0.0003394,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^\\w+\\.crl$/\nDiff:\n@@ -1,2 +1,5 @@\n-/^\\w+\\.crl$/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n should be 
file","run_time":0.000295701,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n.file?` to return true, got false"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"hostssl\" auth_method should include \"cert\"","run_time":0.000162234,"start_time":"2019-04-22T14:20:39+00:00","message":"expected [] to include \"cert\"","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"hostssl\" auth_params should match [/clientcert=1.*/]","run_time":0.000321297,"start_time":"2019-04-22T14:20:39+00:00","message":"expected [] to match [/clientcert=1.*/]\nDiff:\n@@ -1,2 +1,2 @@\n-[/clientcert=1.*/]\n+[]\n","exception":"RSpec::Core::MultipleExceptionError"}]},{"id":"V-72981","title":"PostgreSQL must maintain the confidentiality and integrity of\n information during preparation for transmission.","desc":"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: 
https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.","descriptions":[{"label":"default","data":"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000441-DB-000378","gid":"V-72981","rid":"SV-87633r1_rule","stig_id":"PGS9-00-007200","cci":["CCI-002420"],"nist":["SC-8 (2)","Rev_4"],"check":"If the data owner does not have a strict requirement for ensuring\n data integrity and confidentiality is maintained at every step of the data\n transfer and handling process, this is not a finding.\n As the database administrator (shown here as \"postgres\"), verify SSL is\n enabled by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n If SSL is not enabled, this is a finding.\n If PostgreSQL does not employ protective measures against unauthorized\n disclosure and modification during preparation for transmission, this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Implement protective measures against unauthorized disclosure and modification\n during preparation for transmission.\n To configure PostgreSQL to use SSL, as a database administrator (shown here as\n \"postgres\"), edit postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameter:\n ssl = on\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G."},"code":"control \"V-72981\" do\n title \"PostgreSQL must maintain the confidentiality and integrity of\n information during preparation for transmission.\"\n desc \"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000441-DB-000378\"\n tag \"gid\": \"V-72981\"\n tag \"rid\": \"SV-87633r1_rule\"\n tag 
\"stig_id\": \"PGS9-00-007200\"\n tag \"cci\": [\"CCI-002420\"]\n tag \"nist\": [\"SC-8 (2)\", \"Rev_4\"]\n tag \"check\": \"If the data owner does not have a strict requirement for ensuring\n data integrity and confidentiality is maintained at every step of the data\n transfer and handling process, this is not a finding.\n As the database administrator (shown here as \\\"postgres\\\"), verify SSL is\n enabled by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW ssl\\\"\n If SSL is not enabled, this is a finding.\n If PostgreSQL does not employ protective measures against unauthorized\n disclosure and modification during preparation for transmission, this is a\n finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Implement protective measures against unauthorized disclosure and modification\n during preparation for transmission.\n To configure PostgreSQL to use SSL, as a database administrator (shown here as\n \\\"postgres\\\"), edit postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameter:\n ssl = on\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72981.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl; output should match 
/on|true/i","run_time":0.000188677,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-72983","title":"PostgreSQL must provide audit record generation capability \n for CMS-defined auditable events within all DBMS/database \n components.","desc":"Without the capability to generate audit records, it would \n be difficult to establish, correlate, and investigate the events \n relating to an incident or identify those responsible for one. \n\n Audit records can be generated from various components within \n PostgreSQL (e.g., process, module). Certain specific application \n functionalities may be audited as well. The list of audited events \n is the set of events for which audits are to be generated. This \n set of events is typically a subset of the list of all events for \n which the system is capable of generating audit records.\n\n CMS has defined the list of events for which PostgreSQL will \n provide an audit record generation capability as the following: \n\n (i) Successful and unsuccessful attempts to access, modify, or \n delete privileges, security objects, security levels, or categories \n of information (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon \n attempts, privileged activities, or other system-level access, \n starting and ending time for user access to the system, concurrent \n logons from different workstations, successful and unsuccessful \n accesses to objects, all program initiations, and all direct \n access to the information system; and\n (iii) All account creation, modification, disabling, and \n termination actions.\n\n Organizations may define additional events requiring continuous \n or ad hoc auditing.","descriptions":[{"label":"default","data":"Without the capability to generate audit records, it would \n be difficult to establish, correlate, and investigate the events \n relating to an incident or identify those responsible for one. 
\n\n Audit records can be generated from various components within \n PostgreSQL (e.g., process, module). Certain specific application \n functionalities may be audited as well. The list of audited events \n is the set of events for which audits are to be generated. This \n set of events is typically a subset of the list of all events for \n which the system is capable of generating audit records.\n\n CMS has defined the list of events for which PostgreSQL will \n provide an audit record generation capability as the following: \n\n (i) Successful and unsuccessful attempts to access, modify, or \n delete privileges, security objects, security levels, or categories \n of information (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon \n attempts, privileged activities, or other system-level access, \n starting and ending time for user access to the system, concurrent \n logons from different workstations, successful and unsuccessful \n accesses to objects, all program initiations, and all direct \n access to the information system; and\n (iii) All account creation, modification, disabling, and \n termination actions.\n\n Organizations may define additional events requiring continuous \n or ad hoc auditing."},{"label":"fix","data":"Configure PostgreSQL to generate audit records for at \n least the CMS minimum set of events.\n\n Using pgaudit PostgreSQL can be configured to audit these \n requests. 
See supplementary content APPENDIX-B for documentation \n on installing pgaudit.\n\n To ensure that logging is enabled, review supplementary content \n APPENDIX-C for instructions on enabling logging."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000089-DB-000064","gid":"V-72983","rid":"SV-87635r1_rule","stig_id":"PGS9-00-007400","cci":["CCI-000169"],"nist":["AU-12 a","Rev_4"],"check":"Check PostgreSQL auditing to determine whether\n organization-defined auditable events are being audited by the system.\n If organization-defined auditable events are not being audited, this is a\n finding.","fix":"Configure PostgreSQL to generate audit records for at least the\n DoD minimum set of events.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging."},"code":"control \"V-72983\" do\n title \"PostgreSQL must provide audit record generation capability for\n DoD-defined auditable events within all DBMS/database components.\"\n desc \"Without the capability to generate audit records, it would be difficult\n to establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n Audit records can be generated from various components within PostgreSQL\n (e.g., process, module). Certain specific application functionalities may be\n audited as well. The list of audited events is the set of events for which\n audits are to be generated. 
This set of events is typically a subset of the\n list of all events for which the system is capable of generating audit records.\n DoD has defined the list of events for which PostgreSQL will provide an audit\n record generation capability as the following:\n (i) Successful and unsuccessful attempts to access, modify, or delete\n privileges, security objects, security levels, or categories of information\n (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon attempts,\n privileged activities, or other system-level access, starting and ending time\n for user access to the system, concurrent logons from different workstations,\n successful and unsuccessful accesses to objects, all program initiations,\n and all direct access to the information system; and\n (iii) All account creation, modification, disabling, and termination actions.\n Organizations may define additional events requiring continuous or ad hoc\n auditing.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000089-DB-000064\"\n tag \"gid\": \"V-72983\"\n tag \"rid\": \"SV-87635r1_rule\"\n tag \"stig_id\": \"PGS9-00-007400\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"check\": \"Check PostgreSQL auditing to determine whether\n organization-defined auditable events are being audited by the system.\n If organization-defined auditable events are not being audited, this is a\n finding.\"\n tag \"fix\": \"Configure PostgreSQL to generate audit records for at least the\n DoD minimum set of events.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72983.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":6.397e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72987","title":"PostgreSQL must produce audit records containing sufficient information\n to establish the identity of any user/subject or process associated with the\n event.","desc":"Information system auditing capability is critical for accurate\n forensic analysis. Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. 
In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate\n forensic analysis. Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded."}],"impact":0.5,"refs":[],"tags":{"check":"Check PostgreSQL settings and existing audit records to verify a\n user name associated with the event is being captured and stored with the\n audit records. 
If audit records exist without specific user information, this\n is a finding.\n First, as the database administrator (shown here as \"postgres\"), verify the\n current setting of log_line_prefix by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n If log_line_prefix does not contain %m, %u, %d, %p, %r, %a, this is a finding.","fix":"Logging must be enabled in order to capture the identity of any\n user/subject or process associated with an event. To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n To enable username, database name, process ID, remote host/port and\n application name in logging, as the database administrator (shown here as\n \"postgres\"), edit the following in postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_line_prefix = '< %m %u %d %p %r %a >'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72987\" do\n title \"PostgreSQL must produce audit records containing sufficient information\n to establish the identity of any user/subject or process associated with the\n event.\"\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. 
Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded.\"\n tag \"check\": \"Check PostgreSQL settings and existing audit records to verify a\n user name associated with the event is being captured and stored with the\n audit records. If audit records exist without specific user information, this\n is a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), verify the\n current setting of log_line_prefix by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_line_prefix\\\"\n If log_line_prefix does not contain %m, %u, %d, %p, %r, %a, this is a finding.\"\n tag \"fix\": \"Logging must be enabled in order to capture the identity of any\n user/subject or process associated with an event. 
To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n To enable username, database name, process ID, remote host/port and\n application name in logging, as the database administrator (shown here as\n \\\"postgres\\\"), edit the following in postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_line_prefix = '< %m %u %d %p %r %a >'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %p %r %a)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72987.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.000416062,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.00035648,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to 
include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000391219,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%p\"","run_time":0.000343345,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%p\"\nDiff:\n@@ -1,2 +1,5 @@\n-%p\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%r\"","run_time":0.00035647,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%r\"\nDiff:\n@@ -1,2 +1,5 @@\n-%r\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW 
log_line_prefix; output should include \"%a\"","run_time":0.000333915,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%a\"\nDiff:\n@@ -1,2 +1,5 @@\n-%a\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72989","title":"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic\n modules to generate and validate cryptographic hashes.","desc":"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. 
Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000514-DB-000381","gid":"V-72989","rid":"SV-87641r1_rule","stig_id":"PGS9-00-008000","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.","fix":"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-72989\" do\n title \"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic\n modules to generate and validate cryptographic hashes.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. 
Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant.\"\n\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000514-DB-000381\"\n tag \"gid\": \"V-72989\"\n tag \"rid\": \"SV-87641r1_rule\"\n tag \"stig_id\": \"PGS9-00-008000\"\n tag \"cci\": [\"CCI-002450\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n\n tag \"check\": \"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.\"\n tag \"fix\": \"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n describe kernel_parameter('crypto.fips_enabled') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72989.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter crypto.fips_enabled value should cmp == 1","run_time":0.025609431,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: 1\n got: 0\n\n(compared using `cmp` matcher)\n"}]},{"id":"V-72991","title":"PostgreSQL must use CMS-approved cryptography to protect \n classified sensitive information in accordance with the data owners \n requirements.","desc":"Use of weak or untested encryption algorithms undermines the \n purposes of utilizing encryption to protect data. 
The application \n must implement cryptographic modules adhering to the higher standards \n approved by the federal government since this provides assurance \n they have been tested and validated.\n\n It is the responsibility of the data owner to assess the cryptography \n requirements in light of applicable federal laws, Executive Orders, \n directives, policies, regulations, and standards.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the \n purposes of utilizing encryption to protect data. The application \n must implement cryptographic modules adhering to the higher standards \n approved by the federal government since this provides assurance \n they have been tested and validated.\n\n It is the responsibility of the data owner to assess the cryptography \n requirements in light of applicable federal laws, Executive Orders, \n directives, policies, regulations, and standards."},{"label":"check","data":"If PostgreSQL is not using CMS-approved cryptography \n to protect classified sensitive information in accordance with \n applicable federal laws, Executive Orders, directives, policies, \n regulations, and standards, this is a finding.\n\n To check if PostgreSQL is configured to use SSL, as the database \n administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n\n If SSL is off, this is a finding."},{"label":"fix","data":"Note: The following instructions use the PGDATA \n environment variable. 
See supplementary content APPENDIX-F for \n instructions on configuring PGDATA.\n\n To configure PostgreSQL to use SSL, as a database administrator \n (shown here as \"postgres\"), edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameter:\n\n ssl = on\n\n Now, as the system administrator, reload the server with the \n new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n\n For more information on configuring PostgreSQL to use SSL, see \n supplementary content APPENDIX-G."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000416-DB-000380","gid":"V-72991","rid":"SV-87643r1_rule","stig_id":"PGS9-00-008100","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"If PostgreSQL is deployed in an unclassified environment, this is\nnot applicable (NA).\n\nIf PostgreSQL is not using NSA-approved cryptography to protect classified\ninformation in accordance with applicable federal laws, Executive Orders,\ndirectives, policies, regulations, and standards, this is a finding.\n\nTo check if PostgreSQL is configured to use SSL, as the database administrator\n(shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\"\n\nIf SSL is off, this is a finding.\n\nConsult network administration staff to determine whether the server is protected by\nNSA-approved encrypting devices. 
If not, this a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo configure PostgreSQL to use SSL, as a database administrator (shown here as\n\"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nDeploy NSA-approved encrypting devices to protect the server on the network."},"code":"control \"V-72991\" do\n\n title \"PostgreSQL must use NSA-approved cryptography to protect classified\ninformation in accordance with the data owners requirements.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nNSA-approved cryptography for classified networks is hardware based. 
This\nrequirement addresses the compatibility of PostgreSQL with the encryption devices.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000416-DB-000380\"\n tag \"gid\": \"V-72991\"\n tag \"rid\": \"SV-87643r1_rule\"\n tag \"stig_id\": \"PGS9-00-008100\"\n tag \"cci\": [\"CCI-002450\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n\n tag \"check\": \"If PostgreSQL is deployed in an unclassified environment, this is\nnot applicable (NA).\n\nIf PostgreSQL is not using NSA-approved cryptography to protect classified\ninformation in accordance with applicable federal laws, Executive Orders,\ndirectives, policies, regulations, and standards, this is a finding.\n\nTo check if PostgreSQL is configured to use SSL, as the database administrator\n(shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW ssl\\\"\n\nIf SSL is off, this is a finding.\n\nConsult network administration staff to determine whether the server is protected by\nNSA-approved encrypting devices. 
If not, this a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo configure PostgreSQL to use SSL, as a database administrator (shown here as\n\\\"postgres\\\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nDeploy NSA-approved encrypting devices to protect the server on the network.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72991.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl; output should match /on|true/i","run_time":0.000133812,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-72993","title":"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules\nto protect unclassified information requiring confidentiality and cryptographic\nprotection, in accordance with the data owners requirements.","desc":"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. 
The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000514-DB-000383","gid":"V-72993","rid":"SV-87645r1_rule","stig_id":"PGS9-00-008200","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.","fix":"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-72993\" do\n\n title \"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules\nto protect unclassified information requiring confidentiality and cryptographic\nprotection, in accordance with the data owners requirements.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant.\"\n\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000514-DB-000383\"\n tag \"gid\": \"V-72993\"\n tag \"rid\": \"SV-87645r1_rule\"\n tag \"stig_id\": \"PGS9-00-008200\"\n tag \"cci\": [\"CCI-002450\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n\n tag \"check\": \"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.\"\n\n tag \"fix\": \"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n describe kernel_parameter('crypto.fips_enabled') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":26,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72993.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter crypto.fips_enabled value should cmp == 1","run_time":0.000396497,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: 1\n got: 0\n\n(compared using `cmp` matcher)\n"}]},{"id":"V-72995","title":"PostgreSQL must protect the confidentiality and integrity of all\ninformation at rest.","desc":"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. 
Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification.","descriptions":[{"label":"default","data":"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000231-DB-000154","gid":"V-72995","rid":"SV-87647r1_rule","stig_id":"PGS9-00-008300","cci":["CCI-001199"],"nist":["SC-28","Rev_4"],"check":"One possible way to encrypt data within PostgreSQL is to use the\npgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of disk-level encryption. 
If this is required and is not found,\nthis is a finding.\n\nIf controls do not exist or are not enabled, this is a finding.","fix":"Apply appropriate controls to protect the confidentiality and\nintegrity of data at rest in the database.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('xdes')));"},"code":"control \"V-72995\" do\n\n title \"PostgreSQL must protect the confidentiality and integrity of all\ninformation at rest.\"\n desc \"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. 
Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000231-DB-000154\"\n tag \"gid\": \"V-72995\"\n tag \"rid\": \"SV-87647r1_rule\"\n tag \"stig_id\": \"PGS9-00-008300\"\n tag \"cci\": [\"CCI-001199\"]\n tag \"nist\": [\"SC-28\", \"Rev_4\"]\n\n tag \"check\": \"One possible way to encrypt data within PostgreSQL is to use the\npgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of disk-level encryption. If this is required and is not found,\nthis is a finding.\n\nIf controls do not exist or are not enabled, this is a finding.\"\n tag \"fix\": \"Apply appropriate controls to protect the confidentiality and\nintegrity of data at rest in the database.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('xdes')));\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72995.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT * FROM pg_available_extensions where name='pgcrypto' output should not eq \"\"","run_time":0.000141347,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-72999","title":"PostgreSQL must separate user functionality (including user interface\nservices) from database management functionality.","desc":"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for 
users, information on DBMS settings may be\ninadvertently made available to the user.","descriptions":[{"label":"default","data":"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for users, information on DBMS settings may be\ninadvertently made available to the user."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000211-DB-000122","gid":"V-72999","rid":"SV-87651r1_rule","stig_id":"PGS9-00-008500","cci":["CCI-001082"],"nist":["SC-2","Rev_4"],"check":"Check PostgreSQL settings and vendor documentation to verify that\nadministrative functionality is separate from user functionality.\n\nAs the database administrator (shown here as \"postgres\"), list all roles and\npermissions for the database:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf any non-administrative role has the attribute \"Superuser\", \"Create role\",\n\"Create DB\" or \"Bypass RLS\", this is a finding.\n\nIf administrator and general user functionality are not separated either physically\nor logically, this is a finding.","fix":"Configure PostgreSQL to separate database 
administration and general\nuser functionality.\n\nDo not grant superuser, create role, create db or bypass rls role attributes to\nusers that do not require it.\n\nTo remove privileges, see the following example:\n\nALTER ROLE NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;"},"code":"control \"V-72999\" do\n\n title \"PostgreSQL must separate user functionality (including user interface\nservices) from database management functionality.\"\n desc \"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for users, information on DBMS settings may be\ninadvertently made available to the user.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000211-DB-000122\"\n tag \"gid\": \"V-72999\"\n tag \"rid\": \"SV-87651r1_rule\"\n tag \"stig_id\": \"PGS9-00-008500\"\n tag \"cci\": [\"CCI-001082\"]\n tag \"nist\": [\"SC-2\", \"Rev_4\"]\n\n tag \"check\": \"Check PostgreSQL settings and vendor documentation to verify that\nadministrative functionality is separate from user functionality.\n\nAs the database administrator (shown here as \\\"postgres\\\"), list 
all roles and\npermissions for the database:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\du\\\"\n\nIf any non-administrative role has the attribute \\\"Superuser\\\", \\\"Create role\\\",\n\\\"Create DB\\\" or \\\"Bypass RLS\\\", this is a finding.\n\nIf administrator and general user functionality are not separated either physically\nor logically, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to separate database administration and general\nuser functionality.\n\nDo not grant superuser, create role, create db or bypass rls role attributes to\nusers that do not require it.\n\nTo remove privileges, see the following example:\n\nALTER ROLE NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;\"\n\n privileges = %w(rolcreatedb rolcreaterole rolsuper)\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n privileges.each do |privilege|\n privilege_sql = \"SELECT r.#{privilege} FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(privilege_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72999.rb"},"results":[]},{"id":"V-73001","title":"PostgreSQL must initiate session auditing upon startup.","desc":"Session auditing is for use when a user's activities are under\n investigation. To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running.","descriptions":[{"label":"default","data":"Session auditing is for use when a user's activities are under\n investigation. 
To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000092-DB-000208","gid":"V-73001","rid":"SV-87653r1_rule","stig_id":"PGS9-00-008600","cci":["CCI-001464"],"nist":["AU-14 (1)","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), check\nthe current settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf pgaudit is not in the current setting, this is a finding.\n\nAs the database administrator (shown here as \"postgres\"), check the current\nsettings by running the following SQL:\n\n$ psql -c \"SHOW logging_destination\"\n\nIf stderr or syslog are not in the current setting, this is a finding.","fix":"Configure PostgreSQL to enable auditing.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor session logging we suggest using pgaudit. For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B."},"code":"control \"V-73001\" do\n title \"PostgreSQL must initiate session auditing upon startup.\"\n desc \"Session auditing is for use when a user's activities are under\n investigation. 
To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000092-DB-000208\"\n tag \"gid\": \"V-73001\"\n tag \"rid\": \"SV-87653r1_rule\"\n tag \"stig_id\": \"PGS9-00-008600\"\n tag \"cci\": [\"CCI-001464\"]\n tag \"nist\": [\"AU-14 (1)\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), check\nthe current settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf pgaudit is not in the current setting, this is a finding.\n\nAs the database administrator (shown here as \\\"postgres\\\"), check the current\nsettings by running the following SQL:\n\n$ psql -c \\\"SHOW logging_destination\\\"\n\nIf stderr or syslog are not in the current setting, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to enable auditing.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor session logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n describe sql.query('SHOW log_destination;', [PG_DB]) do\n its('output') { should match /stderr|syslog/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73001.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000375061,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_destination; output should match /stderr|syslog/i","run_time":0.000365801,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /stderr|syslog/i\nDiff:\n@@ -1,2 +1,5 @@\n-/stderr|syslog/i\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73003","title":"PostgreSQL must implement cryptographic mechanisms to prevent unauthorized\nmodification of organization-defined information at rest (to include, at a minimum,\nPII and classified information) on organization-defined information 
system\ncomponents.","desc":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.","descriptions":[{"label":"default","data":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000428-DB-000386","gid":"V-73003","rid":"SV-87655r1_rule","stig_id":"PGS9-00-008700","cci":["CCI-002475"],"nist":["SC-28 (1)","Rev_4"],"check":"Review the system documentation to determine whether the\norganization has defined the information at rest that is to be protected from\nmodification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of PostgreSQL, operating system/file system, and additional\nsoftware as relevant.\n\nIf any of the information defined as requiring cryptographic protection from\nmodification is not encrypted in a manner that provides the required level of\nprotection, this is a finding.\n\nOne possible way to encrypt data within PostgreSQL is to use pgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate filesystem or disk level encryption.\n\nIf this is required and is not found, this is a finding.","fix":"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection.\n\nThe pgcrypto module 
provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it's possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));"},"code":"control \"V-73003\" do\n title \"PostgreSQL must implement cryptographic mechanisms to prevent unauthorized\nmodification of organization-defined information at rest (to include, at a minimum,\nPII and classified information) on organization-defined information system\ncomponents.\"\n desc \"PostgreSQLs handling data requiring \\\"data at rest\\\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000428-DB-000386\"\n tag \"gid\": \"V-73003\"\n tag \"rid\": \"SV-87655r1_rule\"\n tag \"stig_id\": \"PGS9-00-008700\"\n tag \"cci\": [\"CCI-002475\"]\n tag \"nist\": [\"SC-28 (1)\", \"Rev_4\"]\n\n tag \"check\": \"Review the system documentation to determine whether the\norganization has defined the information at rest that is to be protected from\nmodification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of PostgreSQL, operating system/file system, and additional\nsoftware as relevant.\n\nIf any of the information defined as requiring cryptographic protection from\nmodification is not encrypted in a manner that provides the required level of\nprotection, this is a finding.\n\nOne possible way to encrypt data within PostgreSQL is to use pgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate filesystem or disk level encryption.\n\nIf this is required and is not found, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL, operating system/file system, and additional\nsoftware as 
relevant, to provide the required level of cryptographic protection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it's possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\n\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73003.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT * FROM pg_available_extensions where name='pgcrypto' output should not eq \"\"","run_time":9.3356e-05,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-73005","title":"PostgreSQL must produce audit records containing sufficient information to\nestablish the sources (origins) of the events.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000098-DB-000042","gid":"V-73005","rid":"SV-87657r1_rule","stig_id":"PGS9-00-008800","cci":["CCI-000133"],"nist":["AU-3","Rev_4"],"check":"Check PostgreSQL 
settings and existing audit records to verify\ninformation specific to the source (origin) of the event is being captured and\nstored with audit records.\n\nAs the database administrator (usually postgres), check the current log_line_prefix\nand \"log_hostname\" setting by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n$ psql -c \"SHOW log_hostname\"\n\nFor a complete list of extra information that can be added to log_line_prefix, see\nthe official documentation:\nhttps://www.postgresql.org/docs/current/static/runtime-config-logging.html#GUC-LOG-LINE-PREFIX\n\nIf the current settings do not provide enough information regarding the source of\nthe event, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations can be made to log the source of\nan event.\n\nFirst, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\n###### Log Line Prefix\n\nExtra parameters can be added to the setting log_line_prefix to log source of event:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %p = process ID\n# %m = timestamp with milliseconds\n\nFor example:\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\n###### Log Hostname\n\nBy default only IP address is logged. 
To also log the hostname the following\nparameter can also be set in postgresql.conf:\n\nlog_hostname = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73005\" do\n\n title \"PostgreSQL must produce audit records containing sufficient information to\nestablish the sources (origins) of the events.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000098-DB-000042\"\n tag \"gid\": \"V-73005\"\n tag \"rid\": \"SV-87657r1_rule\"\n tag \"stig_id\": \"PGS9-00-008800\"\n tag \"cci\": [\"CCI-000133\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n\n tag \"check\": \"Check PostgreSQL settings and existing audit records to verify\ninformation specific to the source (origin) of the event is being captured and\nstored with audit records.\n\nAs the database administrator (usually postgres), check the current log_line_prefix\nand \\\"log_hostname\\\" setting by running the 
following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n$ psql -c \\\"SHOW log_hostname\\\"\n\nFor a complete list of extra information that can be added to log_line_prefix, see\nthe official documentation:\nhttps://www.postgresql.org/docs/current/static/runtime-config-logging.html#GUC-LOG-LINE-PREFIX\n\nIf the current settings do not provide enough information regarding the source of\nthe event, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations can be made to log the source of\nan event.\n\nFirst, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\n###### Log Line Prefix\n\nExtra parameters can be added to the setting log_line_prefix to log source of event:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %p = process ID\n# %m = timestamp with milliseconds\n\nFor example:\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\n###### Log Hostname\n\nBy default only IP address is logged. 
To also log the hostname the following\nparameter can also be set in postgresql.conf:\n\nlog_hostname = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW log_hostname;', [PG_DB]) do\n its('output') { should match /(on|true)/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73005.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.000352674,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.000363569,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000312238,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%s\"","run_time":0.000361505,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%s\"\nDiff:\n@@ -1,2 +1,5 @@\n-%s\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_hostname; output should match /(on|true)/i","run_time":0.000167758,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-73011","title":"Unused database components which are integrated in PostgreSQL and cannot be\nuninstalled must be disabled.","desc":"Information systems are capable of providing a wide variety of functions\nand services. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions.","descriptions":[{"label":"default","data":"Information systems are capable of providing a wide variety of functions\nand services. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. 
The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000141-DB-000092","gid":"V-73011","rid":"SV-87663r1_rule","stig_id":"PGS9-00-009200","cci":["CCI-000381"],"nist":["CM-7 a","Rev_4"],"check":"To list all installed packages, as the system administrator, run the\nfollowing:\n\n# RHEL/CENT Systems\n$ sudo yum list installed | grep postgres\n\n# Debian Systems\n$ dpkg --get-selections | grep postgres\n\nIf any packages are installed that are not required, this is a finding.","fix":"To remove any unneeded executables, as the system administrator, run\nthe following:\n\n# RHEL/CENT Systems\n$ sudo yum erase \n\n# Debian Systems\n$ sudo apt-get remove "},"code":"control \"V-73011\" do\n title \"Unused database components which are integrated in PostgreSQL and cannot be\nuninstalled must be disabled.\"\n desc \"Information systems are capable of providing a wide variety of functions\nand services. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. 
The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000141-DB-000092\"\n tag \"gid\": \"V-73011\"\n tag \"rid\": \"SV-87663r1_rule\"\n tag \"stig_id\": \"PGS9-00-009200\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"check\": \"To list all installed packages, as the system administrator, run the\nfollowing:\n\n# RHEL/CENT Systems\n$ sudo yum list installed | grep postgres\n\n# Debian Systems\n$ dpkg --get-selections | grep postgres\n\nIf any packages are installed that are not required, this is a finding.\"\n tag \"fix\": \"To remove any unneeded executables, as the system administrator, run\nthe following:\n\n# RHEL/CENT Systems\n$ sudo yum erase \n\n# Debian Systems\n$ sudo apt-get remove \"\n\n# @todo how do I identify the packages that are not required for the current OS? 
need datafile of approved?\n# @todo assume need two tests, one for RHEL/CENT, and one for Debian?\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73011.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":6.885e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73013","title":"PostgreSQL must associate organization-defined types of security labels\nhaving organization-defined security label values with information in process.","desc":"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000313-DB-000309","gid":"V-73013","rid":"SV-87665r1_rule","stig_id":"PGS9-00-009400","cci":["CCI-002263"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n\nFirst, as the database administrator (shown here as \"postgres\"), run the following\nSQL against each table that requires security labels:\n\n$ sudo su - postgres\n$ psql -c \"\\d+ .\"\n\nIf security labeling requirements have been specified, but the security labeling is\nnot implemented or does not reliably maintain labels on information in process, this\nis a finding.","fix":"In addition to the SQL-standard privilege system available through\nGRANT, tables can have row security policies that restrict, on a per-user basis,\nwhich rows can be returned by normal queries or inserted, updated, or deleted by\ndata modification commands. This feature is also known as Row-Level Security (RLS).\n\nRLS policies can be very different depending on their use case. 
For one example of\nusing RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-73013\" do\n title \"PostgreSQL must associate organization-defined types of security labels\nhaving organization-defined security label values with information in process.\"\n desc \"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000313-DB-000309\"\n tag \"gid\": \"V-73013\"\n tag \"rid\": \"SV-87665r1_rule\"\n tag \"stig_id\": \"PGS9-00-009400\"\n tag \"cci\": [\"CCI-002263\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), run the following\nSQL against each table that requires security labels:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\d+ .\\\"\n\nIf security labeling requirements have been specified, but the security labeling is\nnot implemented or does not reliably maintain labels on information in process, this\nis a finding.\"\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\nGRANT, tables can have row security policies that restrict, on a per-user basis,\nwhich rows can be returned by normal queries or inserted, updated, or deleted by\ndata modification commands. This feature is also known as Row-Level Security (RLS).\n\nRLS policies can be very different depending on their use case. 
For one example of\nusing RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73013.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":6.105e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73015","title":"If passwords are used for authentication, PostgreSQL must store only\nhashed, salted representations of passwords.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n \n Authentication based on User ID and Password may be used only \n when it is not possible to employ a PKI certificate, and \n requires AO approval.\n\n In such cases, database passwords stored in clear text, using \n reversible encryption, or using unsalted hashes would be \n vulnerable to unauthorized disclosure. Database passwords must \n always be in the form of one-way, salted hashes when stored \n internally or externally to PostgreSQL.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n \n Authentication based on User ID and Password may be used only \n when it is not possible to employ a PKI certificate, and \n requires AO approval.\n\n In such cases, database passwords stored in clear text, using \n reversible encryption, or using unsalted hashes would be \n vulnerable to unauthorized disclosure. 
Database passwords must \n always be in the form of one-way, salted hashes when stored \n internally or externally to PostgreSQL."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000171-DB-000074","gid":"V-73015","rid":"SV-87667r1_rule","stig_id":"PGS9-00-009500","cci":["CCI-000196"],"nist":["IA-5 (1) (c)","Rev_4"],"check":"To check if password encryption is enabled, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW password_encryption\"\n\nIf password_encryption is not on, this is a finding.\n\nNext, to identify if any passwords have been stored without being hashed and salted,\nas the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -x -c \"SELECT * FROM pg_shadow\"\n\nIf any password is in plaintext, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo enable password_encryption, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npassword_encryption = on\n\nInstitute a policy of not using the \"WITH UNENCRYPTED PASSWORD\" option with the\nCREATE ROLE/USER and ALTER ROLE/USER commands. 
(This option overrides the setting of\nthe password_encryption configuration parameter.)\n\nAs the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart"},"code":"control \"V-73015\" do\n title \"If passwords are used for authentication, PostgreSQL must store only\nhashed, salted representations of passwords.\"\n desc \"The DoD standard for authentication is DoD-approved PKI certificates.\n\nAuthentication based on User ID and Password may be used only when it is not\npossible to employ a PKI certificate, and requires AO approval.\n\nIn such cases, database passwords stored in clear text, using reversible encryption,\nor using unsalted hashes would be vulnerable to unauthorized disclosure. Database\npasswords must always be in the form of one-way, salted hashes when stored\ninternally or externally to PostgreSQL.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000171-DB-000074\"\n tag \"gid\": \"V-73015\"\n tag \"rid\": \"SV-87667r1_rule\"\n tag \"stig_id\": \"PGS9-00-009500\"\n tag \"cci\": [\"CCI-000196\"]\n tag \"nist\": [\"IA-5 (1) (c)\", \"Rev_4\"]\n tag \"check\": \"To check if password encryption is enabled, as the database\nadministrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW password_encryption\\\"\n\nIf password_encryption is not on, this is a finding.\n\nNext, to identify if any passwords have been stored without being hashed and salted,\nas the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -x -c \\\"SELECT * FROM pg_shadow\\\"\n\nIf any password is in plaintext, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo enable 
password_encryption, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npassword_encryption = on\n\nInstitute a policy of not using the \\\"WITH UNENCRYPTED PASSWORD\\\" option with the\nCREATE ROLE/USER and ALTER ROLE/USER commands. (This option overrides the setting of\nthe password_encryption configuration parameter.)\n\nAs the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW password_encryption;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\n\n passwords_sql = \"SELECT usename FROM pg_shadow \"\\\n \"WHERE passwd !~ '^md5[0-9a-f]+$';\"\n\n describe sql.query(passwords_sql, [PG_DB]) do\n its('output') { should eq '' }\n end\n \nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73015.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW password_encryption; output should match /on|true/i","run_time":8.9696e-05,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT usename FROM pg_shadow WHERE passwd !~ '^md5[0-9a-f]+$'; output should eq \"\"","run_time":0.000304817,"start_time":"2019-04-22T14:20:39+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,5 @@\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73017","title":"PostgreSQL must enforce access restrictions associated with 
changes to the\nconfiguration of PostgreSQL or database(s).","desc":"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications.","descriptions":[{"label":"default","data":"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000380-DB-000360","gid":"V-73017","rid":"SV-87669r1_rule","stig_id":"PGS9-00-009600","cci":["CCI-001813"],"nist":["CM-5 (1)","Rev_4"],"check":"To list all the permissions of individual roles, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\n\nIf any role has SUPERUSER that should not, this is a finding.\n\nNext, list all the permissions of databases and schemas by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\l\"\n$ psql -c \"\\dn+\"\n\nIf any database or schema has 
update (\"W\") or create (\"C\") privileges and should\nnot, this is a finding.","fix":"Configure PostgreSQL to enforce access restrictions associated with\nchanges to the configuration of PostgreSQL or database(s).\n\nUse ALTER ROLE to remove accesses from roles:\n\n$ psql -c \"ALTER ROLE NOSUPERUSER\"\n\nUse REVOKE to remove privileges from databases and schemas:\n\n$ psql -c \"REVOKE ALL PRIVILEGES ON
FROM ;"},"code":"control \"V-73017\" do\n title \"PostgreSQL must enforce access restrictions associated with changes to the\nconfiguration of PostgreSQL or database(s).\"\n desc \"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000380-DB-000360\"\n tag \"gid\": \"V-73017\"\n tag \"rid\": \"SV-87669r1_rule\"\n tag \"stig_id\": \"PGS9-00-009600\"\n tag \"cci\": [\"CCI-001813\"]\n tag \"nist\": [\"CM-5 (1)\", \"Rev_4\"]\n tag \"check\": \"To list all the permissions of individual roles, as the database\nadministrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\du\n\nIf any role has SUPERUSER that should not, this is a finding.\n\nNext, list all the permissions of databases and schemas by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\l\\\"\n$ psql -c \\\"\\\\dn+\\\"\n\nIf any database or schema has update (\\\"W\\\") or create (\\\"C\\\") privileges and should\nnot, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to enforce access restrictions associated with\nchanges to the configuration of PostgreSQL or database(s).\n\nUse ALTER ROLE to remove accesses from roles:\n\n$ psql -c \\\"ALTER ROLE NOSUPERUSER\\\"\n\nUse REVOKE to remove privileges from databases and schemas:\n\n$ psql -c \\\"REVOKE ALL PRIVILEGES ON
FROM ;\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n superuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\n\n authorized_owners = PG_SUPERUSERS\n owners = authorized_owners.join('|')\n\n database_granted_privileges = 'CTc'\n database_public_privileges = 'c'\n database_acl = \"^((((#{owners})=[#{database_granted_privileges}]+|\"\\\n \"=[#{database_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n database_acl_regex = Regexp.new(database_acl)\n\n schema_granted_privileges = 'UC'\n schema_public_privileges = 'U'\n schema_acl = \"^((((#{owners})=[#{schema_granted_privileges}]+|\"\\\n \"=[#{schema_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n schema_acl_regex = Regexp.new(schema_acl)\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate;'\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n datacl_sql = \"SELECT pg_catalog.array_to_string(datacl, E','), datname \"\\\n \"FROM pg_catalog.pg_database WHERE datname = '#{database}';\"\n\n describe sql.query(datacl_sql, [PG_DB]) do\n its('output') { should match database_acl_regex }\n end\n\n schemas_sql = \"SELECT n.nspname, FROM pg_catalog.pg_namespace n \"\\\n \"WHERE n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n schemas_query = sql.query(schemas_query, [database])\n # Handle connection disabled on database\n if schemas_query.methods.include?(:output)\n schemas = schemas_query.lines\n\n schemas.each do |schema|\n nspacl_sql = \"SELECT pg_catalog.array_to_string(n.nspacl, E','), \"\\\n \"n.nspname FROM pg_catalog.pg_namespace n \"\\\n 
\"WHERE n.nspname = '#{schema}';\"\n\n describe sql.query(nspacl_sql) do\n its('output') { should match schema_acl_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73017.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(datacl, E','), datname FROM pg_catalog.pg_database WHERE datname = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/","run_time":0.000415412,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000412568,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000418727,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: could not connect to server: No such file or directory'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000393979,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tIs the server running locally and accepting'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000414415,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?'; output should match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000374004,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(datacl, E','), datname FROM pg_catalog.pg_database WHERE datname = 'psql: could not connect to server: Connection refused'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/","run_time":0.00035147,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000388857,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"could\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000450624,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"not\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.00035428,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"connect\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000366125,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"to\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000314645,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"server:\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000331852,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"Connection\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000370623,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"refused\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000315715,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: could not connect to server: Connection refused'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000339128,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000384247,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tTCP/IP connections on port 5432?'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000315735,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(datacl, E','), datname FROM pg_catalog.pg_database WHERE datname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/","run_time":0.000335006,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000395369,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"the\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000344783,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"server\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000355837,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"running\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000365325,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000341355,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"host\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000355246,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000448556,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"and\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.00037741,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"accepting\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000328134,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: could not connect to server: Connection refused'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000373925,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000319433,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tTCP/IP connections on port 5432?'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.0003115,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(datacl, E','), datname FROM pg_catalog.pg_database WHERE datname = '\tTCP/IP connections on port 5432?'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/","run_time":0.000334659,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = ''; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000322721,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"connections\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000392199,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000274675,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"port\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000286679,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"5432?\" ignored'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.00031526,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: could not connect to server: Connection refused'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000396742,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000335049,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. 
Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tTCP/IP connections on port 5432?'; output should match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000347816,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^((((Attribute 'pg_superusers' does not have a value. Skipping test.)=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73019","title":"PostgreSQL must protect against a user falsely repudiating having performed\norganization-defined actions.","desc":"Non-repudiation of actions taken is required in order to maintain data\nintegrity. 
Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account.","descriptions":[{"label":"default","data":"Non-repudiation of actions taken is required in order to maintain data\nintegrity. Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. 
Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000080-DB-000063","gid":"V-73019","rid":"SV-87671r1_rule","stig_id":"PGS9-00-009700","cci":["CCI-000166"],"nist":["AU-10","Rev_4"],"check":"First, as the database administrator, review the current\nlog_line_prefix settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf log_line_prefix does not contain at least '< %m %a %u %d %r %p %m >', this is a\nfinding.\n\nNext, review the current shared_preload_libraries' settings by running the following\nSQL:\n\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf shared_preload_libraries does not contain \"pgaudit\", this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure the database to supply additional auditing information to protect against\na user falsely repudiating having performed organization-defined actions.\n\nUsing pgaudit PostgreSQL can be configured to audit these requests. 
See\nsupplementary content APPENDIX-B for documentation on installing pgaudit.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nModify the configuration of audit logs to include details identifying the individual\nuser:\n\nFirst, as the database administrator (shown here as \"postgres\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nExtra parameters can be added to the setting log_line_prefix to identify the user:\n\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nUse accounts assigned to individual users. Where the application connects to\nPostgreSQL using a standard, shared account, ensure that it also captures the\nindividual user identification and passes it to PostgreSQL."},"code":"control \"V-73019\" do\n title \"PostgreSQL must protect against a user falsely repudiating having performed\norganization-defined actions.\"\n desc \"Non-repudiation of actions taken is required in order to maintain data\nintegrity. Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. 
Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000080-DB-000063\"\n tag \"gid\": \"V-73019\"\n tag \"rid\": \"SV-87671r1_rule\"\n tag \"stig_id\": \"PGS9-00-009700\"\n tag \"cci\": [\"CCI-000166\"]\n tag \"nist\": [\"AU-10\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, review the current\nlog_line_prefix settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nIf log_line_prefix does not contain at least '< %m %a %u %d %r %p %m >', this is a\nfinding.\n\nNext, review the current shared_preload_libraries' settings by running the following\nSQL:\n\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf shared_preload_libraries does not contain \\\"pgaudit\\\", this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure the database to supply additional auditing information to protect against\na user falsely repudiating having performed organization-defined actions.\n\nUsing pgaudit PostgreSQL can be configured to audit these requests. 
See\nsupplementary content APPENDIX-B for documentation on installing pgaudit.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nModify the configuration of audit logs to include details identifying the individual\nuser:\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nExtra parameters can be added to the setting log_line_prefix to identify the user:\n\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nUse accounts assigned to individual users. Where the application connects to\nPostgreSQL using a standard, shared account, ensure that it also captures the\nindividual user identification and passes it to PostgreSQL.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %p %r %a)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73019.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.000386737,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to 
server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.000450422,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000309807,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%p\"","run_time":0.000300498,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%p\"\nDiff:\n@@ -1,2 +1,5 @@\n-%p\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include 
\"%r\"","run_time":0.000384079,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%r\"\nDiff:\n@@ -1,2 +1,5 @@\n-%r\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%a\"","run_time":0.000355083,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%a\"\nDiff:\n@@ -1,2 +1,5 @@\n-%a\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000350623,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73021","title":"PostgreSQL must provide the capability for authorized users to capture,\nrecord, and log all content related to a user session.","desc":"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL 
capability would be used in conjunction with comparable\nmonitoring of a user's online session, involving other software components such as\noperating systems, web servers and front-end user applications. The current\nrequirement, however, deals specifically with PostgreSQL.","descriptions":[{"label":"default","data":"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL capability would be used in conjunction with comparable\nmonitoring of a user's online session, involving other software components such as\noperating systems, web servers and front-end user applications. The current\nrequirement, however, deals specifically with PostgreSQL."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000093-DB-000052","gid":"V-73021","rid":"SV-87673r1_rule","stig_id":"PGS9-00-009800","cci":["CCI-001462"],"nist":["AU-14 (2)","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nverify pgaudit is installed by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf shared_preload_libraries does not contain pgaudit, this is a finding.\n\nNext, to verify connections and disconnections are logged, run the following SQL:\n\n$ psql -c \"SHOW log_connections\"\n$ psql -c \"SHOW log_disconnections\"\n\nIf log_connections and log_disconnections are off, this is a finding.\n\nNow, to verify that pgaudit is configured to log, run the following SQL:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf pgaudit.log does not contain ddl, role, read, write, this is a finding.","fix":"Configure the database capture, record, and log all content related to\na user session.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \"postgres\"),\nenable 
log_connections and log_disconnections:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_connections = on\nlog_disconnections = on\n\nUsing pgaudit PostgreSQL can be configured to audit activity. See supplementary\ncontent APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, as a database administrator (shown here as \"postgres\"),\nenable which objects required for auditing a user's session:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npgaudit.log = 'write, ddl, role, read, function';\npgaudit.log_relation = on;\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73021\" do\n title \"PostgreSQL must provide the capability for authorized users to capture,\nrecord, and log all content related to a user session.\"\n desc \"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL capability would be used in conjunction with comparable\nmonitoring of a user's online session, involving other software components such as\noperating systems, web servers and front-end user applications. 
The current\nrequirement, however, deals specifically with PostgreSQL.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000093-DB-000052\"\n tag \"gid\": \"V-73021\"\n tag \"rid\": \"SV-87673r1_rule\"\n tag \"stig_id\": \"PGS9-00-009800\"\n tag \"cci\": [\"CCI-001462\"]\n tag \"nist\": [\"AU-14 (2)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as \\\"postgres\\\"),\nverify pgaudit is installed by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf shared_preload_libraries does not contain pgaudit, this is a finding.\n\nNext, to verify connections and disconnections are logged, run the following SQL:\n\n$ psql -c \\\"SHOW log_connections\\\"\n$ psql -c \\\"SHOW log_disconnections\\\"\n\nIf log_connections and log_disconnections are off, this is a finding.\n\nNow, to verify that pgaudit is configured to log, run the following SQL:\n\n$ psql -c \\\"SHOW pgaudit.log\\\"\n\nIf pgaudit.log does not contain ddl, role, read, write, this is a finding.\"\n tag \"fix\": \"Configure the database capture, record, and log all content related to\na user session.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \\\"postgres\\\"),\nenable log_connections and log_disconnections:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_connections = on\nlog_disconnections = on\n\nUsing pgaudit PostgreSQL can be configured to audit activity. 
See supplementary\ncontent APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, as a database administrator (shown here as \\\"postgres\\\"),\nenable which objects required for auditing a user's session:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npgaudit.log = 'write, ddl, role, read, function';\npgaudit.log_relation = on;\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73021.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000315482,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW 
pgaudit.log; output should include \"ddl\"","run_time":0.000397531,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000340762,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000352892,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000318322,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP 
connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_connections; output should not match /off|false/i","run_time":0.000111289,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_disconnections; output should not match /off|false/i","run_time":0.000120983,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-73023","title":"The system must provide a warning to appropriate support \n staff when allocated audit record storage volume reaches 80% \n of maximum audit record storage capacity.","desc":"Organizations are required to use a central log management system, \n so, under normal conditions, the audit space allocated to \n PostgreSQL on its own server will not be an issue. However, \n space will still be required on PostgreSQL server for audit \n records in transit, and, under abnormal conditions, this could \n fill up. Since a requirement exists to halt processing upon \n audit failure, a service outage would result.\n\n If support personnel are not notified immediately upon storage \n volume utilization reaching 80%, they are unable to plan for \n storage capacity expansion. \n\n The appropriate support staff include, at a minimum, the ISSO \n and the DBA/SA.","descriptions":[{"label":"default","data":"Organizations are required to use a central log management system, \n so, under normal conditions, the audit space allocated to \n PostgreSQL on its own server will not be an issue. However, \n space will still be required on PostgreSQL server for audit \n records in transit, and, under abnormal conditions, this could \n fill up. 
Since a requirement exists to halt processing upon \n audit failure, a service outage would result.\n\n If support personnel are not notified immediately upon storage \n volume utilization reaching 80%, they are unable to plan for \n storage capacity expansion. \n\n The appropriate support staff include, at a minimum, the ISSO \n and the DBA/SA."},{"label":"check","data":"Review system configuration.\n\n If no script/tool is monitoring the partition for the PostgreSQL \n log directories, this is a finding.\n\n If appropriate support staff are not notified immediately upon \n storage volume utilization reaching 80%, this is a finding."},{"label":"fix","data":"Configure the system to notify appropriate support \n staff immediately upon storage volume utilization reaching 80%.\n\n PostgreSQL does not monitor storage, however, it is possible to \n monitor storage with a script.\n\n ##### Example Monitoring Script\n\n #!/bin/bash\n\n PGDATA=/var/lib/psql/9.5/data\n CURRENT=$(df ${PGDATA?} | grep / | awk '{ print $5}' | sed 's/%//g')\n THRESHOLD=80\n\n if [ \"$CURRENT\" -ge \"$THRESHOLD\" ] ; then\n mail -s \"Disk Space Alert\" mail@support.com << EOF\n The data directory volume is almost full. 
Used: $CURRENT%\n EOF\n fi\n\n Schedule this script in cron to run around the clock."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000359-DB-000319","gid":"V-73023","rid":"SV-87675r1_rule","stig_id":"PGS9-00-009900","cci":["CCI-001855"],"nist":["AU-5 (1)","Rev_4"],"check":"Review system configuration.\n\nIf no script/tool is monitoring the partition for the PostgreSQL log directories,\nthis is a finding.\n\nIf appropriate support staff are not notified immediately upon storage volume\nutilization reaching 75%, this is a finding.","fix":"Configure the system to notify appropriate support staff immediately\nupon storage volume utilization reaching 75%.\n\nPostgreSQL does not monitor storage, however, it is possible to monitor storage with\na script.\n\n##### Example Monitoring Script\n\n#!/bin/bash\n\nPGDATA=/var/lib/psql/9.5/data\nCURRENT=$(df ${PGDATA?} | grep / | awk '{ print $5}' | sed 's/%//g')\nTHRESHOLD=75\n\nif [ \"$CURRENT\" -ge \"$THRESHOLD\" ] ; then\nmail -s 'Disk Space Alert' mail@support.com << EOF\nThe data directory volume is almost full. Used: $CURRENT%\nEOF\nfi\n\nSchedule this script in cron to run around the clock. This script watches the volume\nholding PGDATA; if log_directory points to a different volume, monitor that volume as\nwell."},"code":"control \"V-73023\" do\n title \"The system must provide a warning to appropriate support staff when\nallocated audit record storage volume reaches 75% of maximum audit record storage\ncapacity.\"\n desc \"Organizations are required to use a central log management system, so,\nunder normal conditions, the audit space allocated to PostgreSQL on its own server\nwill not be an issue. However, space will still be required on PostgreSQL server for\naudit records in transit, and, under abnormal conditions, this could fill up. 
Since\na requirement exists to halt processing upon audit failure, a service outage would\nresult.\n\nIf support personnel are not notified immediately upon storage volume utilization\nreaching 75%, they are unable to plan for storage capacity expansion.\n\nThe appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000359-DB-000319\"\n tag \"gid\": \"V-73023\"\n tag \"rid\": \"SV-87675r1_rule\"\n tag \"stig_id\": \"PGS9-00-009900\"\n tag \"cci\": [\"CCI-001855\"]\n tag \"nist\": [\"AU-5 (1)\", \"Rev_4\"]\n tag \"check\": \"Review system configuration.\n\nIf no script/tool is monitoring the partition for the PostgreSQL log directories,\nthis is a finding.\n\nIf appropriate support staff are not notified immediately upon storage volume\nutilization reaching 75%, this is a finding.\"\n tag \"fix\": \"Configure the system to notify appropriate support staff immediately\nupon storage volume utilization reaching 75%.\n\nPostgreSQL does not monitor storage, however, it is possible to monitor storage with\na script.\n\n##### Example Monitoring Script\n\n#!/bin/bash\n\nPGDATA=/var/lib/psql/9.5/data\nCURRENT=$(df ${PGDATA?} | grep / | awk '{ print $5}' | sed 's/%//g')\nTHRESHOLD=75\n\nif [ \\\"$CURRENT\\\" -gt \\\"$THRESHOLD\\\" ] ; then\nmail -s 'Disk Space Alert' mail@support.com << EOF\nThe data directory volume is almost full. 
Used: $CURRENT\n%EOF\nfi\n\nSchedule this script in cron to run around the clock.\"\n\n only_if { false }\n \nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73023.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":5.812e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73025","title":"PostgreSQL must provide the means for individuals in authorized roles to\nchange the auditing to be performed on all application components, based on all\nselectable event criteria within organization-defined time thresholds.","desc":"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours.","descriptions":[{"label":"default","data":"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. 
Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000353-DB-000324","gid":"V-73025","rid":"SV-87677r1_rule","stig_id":"PGS9-00-010000","cci":["CCI-001914"],"nist":["AU-12 (3)","Rev_4"],"check":"First, as the database administrator, check if pgaudit is present in\nshared_preload_libraries:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf pgaudit is not present in the result from the query, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor audit logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\n\nAs a superuser (postgres), any pgaudit parameter can be changed in postgresql.conf.\nConfigurations can only be changed by a superuser.\n\n### Example: Change Auditing To Log Any ROLE Statements\n\nNote: This will override any setting already configured.\n\nAlter the configuration to do role-based logging:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'role'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\n### Example: Set An Auditing Role And Grant Privileges\n\nAn audit role can be configured and granted privileges to specific tables and\ncolumns that need logging.\n\n##### Create Test Table\n\n$ sudo su - postgres\n$ psql -c \"CREATE TABLE public.stig_audit_example(id INT, name TEXT, password\nTEXT);\"\n\n##### Define Auditing Role\n\nAs PostgreSQL superuser (such as postgres), add the following to postgresql.conf or\nany included configuration files.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.role = 'auditor'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nNext in PostgreSQL create a new role:\n\npostgres=# CREATE ROLE auditor;\npostgres=# GRANT select(password) ON public.stig_audit_example TO auditor;\n\nNote: This role is created with NOLOGIN privileges by default.\n\nNow any SELECT on the column password will be logged:\n\n$ sudo su - postgres\n$ psql -c \"SELECT password FROM public.stig_audit_example;\"\n$ cat ${PGDATA?}/pg_log/\n< 2016-01-28 16:46:09.038 UTC bob postgres: 
>LOG: AUDIT:\nOBJECT,6,1,READ,SELECT,TABLE,public.stig_audit_example,SELECT password FROM\nstig_audit_example;,\n\n## Change Configurations During A Specific Timeframe\n\nDeploy PostgreSQL that allows audit configuration changes to take effect within the\ntimeframe required by the application owner and without involving actions or events\nthat the application owner rules unacceptable.\n\nCrontab can be used to do this. Each crontab entry below is a single line; it is\nwrapped here only for display.\n\nFor a specific audit role:\n\n# Grant specific audit privileges to an auditing role at 5 AM every day of the week,\nmonth, year at the 0 minute mark.\n0 5 * * * postgres /usr/bin/psql -c \"GRANT select(password) ON\npublic.stig_audit_example TO auditor;\"\n# Revoke specific audit privileges to an auditing role at 5 PM every day of the\nweek, month, year at the 0 minute mark.\n0 17 * * * postgres /usr/bin/psql -c \"REVOKE select(password) ON\npublic.stig_audit_example FROM auditor;\""},"code":"control \"V-73025\" do\n title \"PostgreSQL must provide the means for individuals in authorized roles to\nchange the auditing to be performed on all application components, based on all\nselectable event criteria within organization-defined time thresholds.\"\n desc \"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. 
Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000353-DB-000324\"\n tag \"gid\": \"V-73025\"\n tag \"rid\": \"SV-87677r1_rule\"\n tag \"stig_id\": \"PGS9-00-010000\"\n tag \"cci\": [\"CCI-001914\"]\n tag \"nist\": [\"AU-12 (3)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, check if pgaudit is present in\nshared_preload_libraries:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf pgaudit is not present in the result from the query, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor audit logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\n\nAs a superuser (postgres), any pgaudit parameter can be changed in postgresql.conf.\nConfigurations can only be changed by a superuser.\n\n### Example: Change Auditing To Log Any ROLE Statements\n\nNote: This will override any setting already configured.\n\nAlter the configuration to do role-based logging:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'role'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\n### Example: Set An Auditing Role And Grant Privileges\n\nAn audit role can be configured and granted privileges to specific tables and\ncolumns that need logging.\n\n##### Create Test Table\n\n$ sudo su - postgres\n$ psql -c \\\"CREATE TABLE public.stig_audit_example(id INT, name TEXT, password\nTEXT);\\\"\n\n##### Define Auditing Role\n\nAs PostgreSQL superuser (such as postgres), add the following to postgresql.conf or\nany included configuration files.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.role = 'auditor'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nNext in PostgreSQL create a new role:\n\npostgres=# CREATE ROLE auditor;\npostgres=# GRANT select(password) ON public.stig_audit_example TO auditor;\n\nNote: This role is created with NOLOGIN privileges by default.\n\nNow any SELECT on the column password will be logged:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT password FROM public.stig_audit_example;\\\"\n$ cat ${PGDATA?}/pg_log/\n< 2016-01-28 16:46:09.038 UTC bob 
postgres: >LOG: AUDIT:\nOBJECT,6,1,READ,SELECT,TABLE,public.stig_audit_example,SELECT password FROM\nstig_audit_example;,\n\n## Change Configurations During A Specific Timeframe\n\nDeploy PostgreSQL that allows audit configuration changes to take effect within the\ntimeframe required by the application owner and without involving actions or events\nthat the application owner rules unacceptable.\n\nCrontab can be used to do this.\n\nFor a specific audit role:\n\n# Grant specific audit privileges to an auditing role at 5 PM every day of the week,\nmonth, year at the 0 minute mark.\n0 5 * * * postgres /usr/bin/psql -c \\\"GRANT select(password) ON\npublic.stig_audit_example TO auditor;\\\"\n# Revoke specific audit privileges to an auditing role at 5 PM every day of the\nweek, month, year at the 0 minute mark.\n0 17 * * * postgres /usr/bin/psql -c \\\"REVOKE select(password) ON\npublic.stig_audit_example FROM auditor;\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73025.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000418654,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73027","title":"PostgreSQL must require users to reauthenticate when organization-defined\ncircumstances or situations require 
reauthentication.","desc":"The CMS standard for authentication of an interactive user \n is the presentation of a Personal Identity Verification (PIV) \n Card or other physical token bearing a valid, current, \n CMS-issued Public Key Infrastructure (PKI) certificate, coupled \n with a Personal Identification Number (PIN) to be entered by \n the user at the beginning of each session and whenever \n reauthentication is required.\n\n Without reauthentication, users may access resources or perform \n tasks for which they do not have authorization.\n\n When applications provide the capability to change security \n roles or escalate the functional capability of the application, \n it is critical the user re-authenticate.\n\n In addition to the reauthentication requirements associated with \n session locks, organizations may require reauthentication of \n individuals and/or devices in other situations, including (but \n not limited to) the following circumstances:\n\n (i) When authenticators change;\n (ii) When roles change;\n (iii) When security categorized information systems change;\n (iv) When the execution of privileged functions occurs;\n (v) After a fixed period of time; or\n (vi) Periodically.\n\n Within CMS, the minimum circumstances requiring reauthentication \n are privilege escalation and role changes.","descriptions":[{"label":"default","data":"The CMS standard for authentication of an interactive user \n is the presentation of a Personal Identity Verification (PIV) \n Card or other physical token bearing a valid, current, \n CMS-issued Public Key Infrastructure (PKI) certificate, coupled \n with a Personal Identification Number (PIN) to be entered by \n the user at the beginning of each session and whenever \n reauthentication is required.\n\n Without reauthentication, users may access resources or perform \n tasks for which they do not have authorization.\n\n When applications provide the capability to change security \n roles or escalate the functional 
capability of the application, \n it is critical the user re-authenticate.\n\n In addition to the reauthentication requirements associated with \n session locks, organizations may require reauthentication of \n individuals and/or devices in other situations, including (but \n not limited to) the following circumstances:\n\n (i) When authenticators change;\n (ii) When roles change;\n (iii) When security categorized information systems change;\n (iv) When the execution of privileged functions occurs;\n (v) After a fixed period of time; or\n (vi) Periodically.\n\n Within CMS, the minimum circumstances requiring reauthentication \n are privilege escalation and role changes."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000389-DB-000372","gid":"V-73027","rid":"SV-87679r1_rule","stig_id":"PGS9-00-010100","cci":["CCI-002038"],"nist":["IA-11","Rev_4"],"check":"Determine all situations where a user must re-authenticate. Check if\nthe mechanisms that handle such situations use the following SQL:\n\nTo make a single user re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = 'target_user' AND pid != pg_backend_pid()\n\nTo make all users re-authenticate, run the following:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename IS NOT NULL AND pid != pg_backend_pid()\n\nNote: the column is usename. The bare word user is a SQL keyword that evaluates to the\ncurrent session's own user name, so WHERE user = '...' never selects the intended\nsessions, and WHERE user LIKE '%' would also terminate the session issuing the query.\n\nIf the provided SQL does not force re-authentication, this is a finding.","fix":"Modify and/or configure PostgreSQL and related applications and tools\nso that users are always required to reauthenticate when changing role or escalating\nprivileges.\n\nTo make a single user re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = 'target_user' AND pid != pg_backend_pid()\n\nTo make all users re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename IS NOT NULL AND pid != pg_backend_pid()\n\nTerminating the backend drops the connection, so the client must reconnect and\nauthenticate again; run these statements as a superuser."},"code":"control \"V-73027\" do\n title \"PostgreSQL must require users to reauthenticate when organization-defined\ncircumstances or 
situations require reauthentication.\"\n desc \"The DoD standard for authentication of an interactive user is the\npresentation of a Common Access Card (CAC) or other physical token bearing a valid,\ncurrent, DoD-issued Public Key Infrastructure (PKI) certificate, coupled with a\nPersonal Identification Number (PIN) to be entered by the user at the beginning of\neach session and whenever reauthentication is required.\n\nWithout reauthentication, users may access resources or perform tasks for which they\ndo not have authorization.\n\nWhen applications provide the capability to change security roles or escalate the\nfunctional capability of the application, it is critical the user re-authenticate.\n\nIn addition to the reauthentication requirements associated with session locks,\norganizations may require reauthentication of individuals and/or devices in other\nsituations, including (but not limited to) the following circumstances:\n\n(i) When authenticators change;\n(ii) When roles change;\n(iii) When security categorized information systems change;\n(iv) When the execution of privileged functions occurs;\n(v) After a fixed period of time; or\n(vi) Periodically.\n\nWithin the DoD, the minimum circumstances requiring reauthentication are privilege\nescalation and role changes.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000389-DB-000372\"\n tag \"gid\": \"V-73027\"\n tag \"rid\": \"SV-87679r1_rule\"\n tag \"stig_id\": \"PGS9-00-010100\"\n tag \"cci\": [\"CCI-002038\"]\n tag \"nist\": [\"IA-11\", \"Rev_4\"]\n tag \"check\": \"Determine all situations where a user must re-authenticate. 
Check if\nthe mechanisms that handle such situations use the following SQL:\n\nTo make a single user re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user=''\n\nTo make all users re-authenticate, run the following:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'\n\nIf the provided SQL does not force re-authentication, this is a finding.\"\n tag \"fix\": \"Modify and/or configure PostgreSQL and related applications and tools\nso that users are always required to reauthenticate when changing role or escalating\nprivileges.\n\nTo make a single user re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user=''\n\nTo make all users re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73027.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":8.708e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73029","title":"PostgreSQL must enforce authorized access to all PKI private keys\nstored/utilized by PostgreSQL.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates. PKI certificate-based authentication is performed \n by requiring the certificate holder to cryptographically prove \n possession of the corresponding private key.\n\n If the private key is stolen, an attacker can use the private \n key(s) to impersonate the certificate holder. 
In cases where \n PostgreSQL-stored private keys are used to authenticate PostgreSQL \n to the system, clients, loss of the corresponding private keys \n would allow an attacker to successfully perform undetected \n man-in-the-middle attacks against PostgreSQL system and its \n clients.\n\n Both the holder of a digital certificate and the issuing authority \n must take careful measures to protect the corresponding private \n key. Private keys should always be generated and protected in \n FIPS 140-2 validated cryptographic modules.\n\n All access to the private key(s) of PostgreSQL must be restricted \n to authorized and authenticated users. If unauthorized users have \n access to one or more of PostgreSQL's private keys, an attacker \n could gain access to the key(s) and use them to impersonate the \n database on the network or otherwise perform unauthorized actions.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates. PKI certificate-based authentication is performed \n by requiring the certificate holder to cryptographically prove \n possession of the corresponding private key.\n\n If the private key is stolen, an attacker can use the private \n key(s) to impersonate the certificate holder. In cases where \n PostgreSQL-stored private keys are used to authenticate PostgreSQL \n to the system, clients, loss of the corresponding private keys \n would allow an attacker to successfully perform undetected \n man-in-the-middle attacks against PostgreSQL system and its \n clients.\n\n Both the holder of a digital certificate and the issuing authority \n must take careful measures to protect the corresponding private \n key. Private keys should always be generated and protected in \n FIPS 140-2 validated cryptographic modules.\n\n All access to the private key(s) of PostgreSQL must be restricted \n to authorized and authenticated users. 
If unauthorized users have \n access to one or more of PostgreSQL's private keys, an attacker \n could gain access to the key(s) and use them to impersonate the \n database on the network or otherwise perform unauthorized actions."}],"impact":0.7,"refs":[{"ref":[]}],"tags":{"severity":"high","gtitle":"SRG-APP-000176-DB-000068","gid":"V-73029","rid":"SV-87681r1_rule","stig_id":"PGS9-00-010200","cci":["CCI-000186"],"nist":["IA-5 (2) (b)","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nverify the following settings:\n\nNote: If no specific directory given before the name, the files are stored in\nPGDATA.\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl_ca_file\"\n$ psql -c \"SHOW ssl_cert_file\"\n$ psql -c \"SHOW ssl_crl_file\"\n$ psql -c \"SHOW ssl_key_file\"\n\nIf the directory these files are stored in is not protected, this is a finding.","fix":"Store all PostgreSQL PKI private keys in a FIPS 140-2 validated\ncryptographic module. Ensure access to PostgreSQL PKI private keys is restricted to\nonly authenticated and authorized users.\n\nPostgreSQL private key(s) can be stored in $PGDATA directory, which is only\naccessible by the database owner (usually postgres, DBA) user. 
Do not allow access\nto this system account to unauthorized users.\n\nTo put the keys in a different directory, as the database administrator (shown here\nas \"postgres\"), set the following settings to a protected directory:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nssl_ca_file = \"/some/protected/directory/root.crt\"\nssl_crl_file = \"/some/protected/directory/root.crl\"\nssl_cert_file = \"/some/protected/directory/server.crt\"\nssl_key_file = \"/some/protected/directory/server.key\"\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restartpostgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-73029\" do\n title \"PostgreSQL must enforce authorized access to all PKI private keys\nstored/utilized by PostgreSQL.\"\n desc \"The DoD standard for authentication is DoD-approved PKI certificates. PKI\ncertificate-based authentication is performed by requiring the certificate holder to\ncryptographically prove possession of the corresponding private key.\n\nIf the private key is stolen, an attacker can use the private key(s) to impersonate\nthe certificate holder. In cases where PostgreSQL-stored private keys are used to\nauthenticate PostgreSQL to the system’s clients, loss of the corresponding private\nkeys would allow an attacker to successfully perform undetected man-in-the-middle\nattacks against PostgreSQL system and its clients.\n\nBoth the holder of a digital certificate and the issuing authority must take careful\nmeasures to protect the corresponding private key. Private keys should always be\ngenerated and protected in FIPS 140-2 validated cryptographic modules.\n\nAll access to the private key(s) of PostgreSQL must be restricted to authorized and\nauthenticated users. 
If unauthorized users have access to one or more of\nPostgreSQL's private keys, an attacker could gain access to the key(s) and use them\nto impersonate the database on the network or otherwise perform unauthorized\nactions.\"\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000176-DB-000068\"\n tag \"gid\": \"V-73029\"\n tag \"rid\": \"SV-87681r1_rule\"\n tag \"stig_id\": \"PGS9-00-010200\"\n tag \"cci\": [\"CCI-000186\"]\n tag \"nist\": [\"IA-5 (2) (b)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as \\\"postgres\\\"),\nverify the following settings:\n\nNote: If no specific directory given before the name, the files are stored in\nPGDATA.\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW ssl_ca_file\\\"\n$ psql -c \\\"SHOW ssl_cert_file\\\"\n$ psql -c \\\"SHOW ssl_crl_file\\\"\n$ psql -c \\\"SHOW ssl_key_file\\\"\n\nIf the directory these files are stored in is not protected, this is a finding.\"\n tag \"fix\": \"Store all PostgreSQL PKI private keys in a FIPS 140-2 validated\ncryptographic module. Ensure access to PostgreSQL PKI private keys is restricted to\nonly authenticated and authorized users.\n\nPostgreSQL private key(s) can be stored in $PGDATA directory, which is only\naccessible by the database owner (usually postgres, DBA) user. 
Do not allow access\nto this system account to unauthorized users.\n\nTo put the keys in a different directory, as the database administrator (shown here\nas \\\"postgres\\\"), set the following settings to a protected directory:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nssl_ca_file = \\\"/some/protected/directory/root.crt\\\"\nssl_crl_file = \\\"/some/protected/directory/root.crl\\\"\nssl_cert_file = \\\"/some/protected/directory/server.crt\\\"\nssl_key_file = \\\"/some/protected/directory/server.key\\\"\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restartpostgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n settings = %w(ssl_cert_file ssl_key_file ssl_ca_file ssl_crl_file)\n\n settings.each do |setting|\n file_query = sql.query(\"SHOW #{setting};\", [PG_DB])\n file = file_query.output\n\n if file.empty?\n name = ''\n ext = ''\n\n case setting\n when /cert/\n name = 'server'\n ext = 'crt'\n when /key/\n name = 'server'\n ext = 'key'\n when /ca/\n name = 'root'\n ext = 'crt'\n when /crl/\n name = 'root'\n ext = 'crl'\n end\n\n file = \"#{PG_DATA_DIR}/#{name}.#{ext}\"\n elsif File.dirname(file) == '.'\n file = \"#{PG_DATA_DIR}/#{file}\"\n end\n\n describe file(file) do\n it { should be_file }\n end\n\n directory = File.dirname(file)\n\n describe directory(directory) do\n its('owner') { should match /root|#{PG_OWNER}/ }\n its('mode') { should cmp '0700' }\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb"},"results":[{"status":"failed","code_desc":"File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections 
on port 5432?\n should be file","run_time":0.000249501,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n.file?` to return true, got false"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP owner should match /root|postgres/","run_time":0.00019955,"start_time":"2019-04-22T14:20:39+00:00","message":"expected nil to match /root|postgres/"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP mode should cmp == \"0700\"","run_time":0.000324664,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in 
`should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb:164:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in 
run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"failed","code_desc":"File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n should be file","run_time":0.000221979,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n.file?` to return true, got false"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP owner should match /root|postgres/","run_time":0.000159881,"start_time":"2019-04-22T14:20:39+00:00","message":"expected nil to match /root|postgres/"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP mode should cmp == \"0700\"","run_time":0.000214181,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in 
`with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb:164:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in 
`run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in 
`dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"failed","code_desc":"File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n should be file","run_time":0.000233758,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n.file?` to return true, got false"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP owner should match /root|postgres/","run_time":0.000170959,"start_time":"2019-04-22T14:20:39+00:00","message":"expected nil to match /root|postgres/"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP mode should cmp == \"0700\"","run_time":0.000200542,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in 
`with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb:164:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in 
`run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in 
`dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"failed","code_desc":"File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n should be file","run_time":0.000201085,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n.file?` to return true, got false"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP owner should match /root|postgres/","run_time":0.000199748,"start_time":"2019-04-22T14:20:39+00:00","message":"expected nil to match /root|postgres/"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP mode should cmp == \"0700\"","run_time":0.000240136,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in 
`with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb:164:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in 
`run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in 
`dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]}]},{"id":"V-73031","title":"PostgreSQL must only accept end entity certificates issued by \n CMS PKI or CMS-approved PKI Certification Authorities (CAs) for \n the establishment of all encrypted sessions.","desc":"Only CMS-approved external PKIs have been evaluated to ensure \n that they have security controls and identity vetting procedures \n in place which are sufficient for CMS systems to rely on the \n identity asserted in the certificate. PKIs lacking sufficient \n security controls and identity vetting procedures risk being \n compromised and issuing certificates that enable adversaries to \n impersonate legitimate users. \n\n The authoritative list of CMS-approved PKIs is published at \n http://iase.disa.mil/pki-pke/interoperability.\n\n This requirement focuses on communications protection for \n PostgreSQL session rather than for the network packet.","descriptions":[{"label":"default","data":"Only CMS-approved external PKIs have been evaluated to ensure \n that they have security controls and identity vetting procedures \n in place which are sufficient for CMS systems to rely on the \n identity asserted in the certificate. PKIs lacking sufficient \n security controls and identity vetting procedures risk being \n compromised and issuing certificates that enable adversaries to \n impersonate legitimate users. 
\n\n The authoritative list of CMS-approved PKIs is published at \n http://iase.disa.mil/pki-pke/interoperability.\n\n This requirement focuses on communications protection for \n PostgreSQL session rather than for the network packet."},{"label":"fix","data":"Revoke trust in any certificates not issued by a \n CMS-approved certificate authority.\n\n Configure PostgreSQL to accept only CMS and CMS-approved PKI \n end-entity certificates.\n\n To configure PostgreSQL to accept approved CA's, see the \n official PostgreSQL documentation: \n http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\n For more information on configuring PostgreSQL to use SSL, \n see supplementary content APPENDIX-G."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000427-DB-000385","gid":"V-73031","rid":"SV-87683r1_rule","stig_id":"PGS9-00-010300","cci":["CCI-002470"],"nist":["SC-23 (5)","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), verify\nthe following setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl_ca_file\"\n$ psql -c \"SHOW ssl_cert_file\"\n\nIf the database is not configured to used approved certificates, this is a finding.","fix":"Revoke trust in any certificates not issued by a DoD-approved\ncertificate authority.\n\nConfigure PostgreSQL to accept only DoD and DoD-approved PKI end-entity certificates.\n\nTo configure PostgreSQL to accept approved CA's, see the official PostgreSQL\ndocumentation: http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-73031\" do\n title \"PostgreSQL must only accept end entity certificates issued by DoD PKI or\nDoD-approved PKI Certification Authorities (CAs) for the establishment of all\nencrypted sessions.\"\n desc \"Only DoD-approved external PKIs have been evaluated to ensure that they\nhave security controls and identity 
vetting procedures in place which are sufficient\nfor DoD systems to rely on the identity asserted in the certificate. PKIs lacking\nsufficient security controls and identity vetting procedures risk being compromised\nand issuing certificates that enable adversaries to impersonate legitimate users.\n\nThe authoritative list of DoD-approved PKIs is published at\nhttp://iase.disa.mil/pki-pke/interoperability.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000427-DB-000385\"\n tag \"gid\": \"V-73031\"\n tag \"rid\": \"SV-87683r1_rule\"\n tag \"stig_id\": \"PGS9-00-010300\"\n tag \"cci\": [\"CCI-002470\"]\n tag \"nist\": [\"SC-23 (5)\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), verify\nthe following setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW ssl_ca_file\\\"\n$ psql -c \\\"SHOW ssl_cert_file\\\"\n\nIf the database is not configured to used approved certificates, this is a finding.\"\n tag \"fix\": \"Revoke trust in any certificates not issued by a DoD-approved\ncertificate authority.\n\nConfigure PostgreSQL to accept only DoD and DoD-approved PKI end-entity certificates.\n\nTo configure PostgreSQL to accept approved CA's, see the official PostgreSQL\ndocumentation: http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl_ca_file;', [PG_DB]) do\n its('output') { should_not eq '' }\n end\n\n describe sql.query('SHOW ssl_cert_file;', [PG_DB]) do\n its('output') { should_not eq '' }\n 
end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73031.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl_ca_file; output should not eq \"\"","run_time":9.1021e-05,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl_cert_file; output should not eq \"\"","run_time":0.000161883,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-73033","title":"PostgreSQL must produce audit records containing sufficient information to\nestablish what type of events occurred.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000095-DB-000039","gid":"V-73033","rid":"SV-87685r1_rule","stig_id":"PGS9-00-010400","cci":["CCI-000130"],"nist":["AU-3","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), verify\nthe current log_line_prefix setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nVerify that the current settings are appropriate for the organization.\n\nThe following is what is possible for logged information:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %h = remote host\n# %p = process ID\n# %t = timestamp without milliseconds\n# %m = timestamp with milliseconds\n# %i = command tag\n# %e = SQL state\n# %c = session ID\n# %l = session line number\n# %s = session start timestamp\n# %v = virtual transaction ID\n# %x = 
transaction ID (0 if none)\n# %q = stop here in non-session\n# processes\n\nIf the audit record does not log events required by the organization, this is a\nfinding.\n\nNext, verify the current settings of log_connections and log_disconnections by\nrunning the following SQL:\n\n$ psql -c \"SHOW log_connections\"\n$ psql -c \"SHOW log_disconnections\"\n\nIf both settings are off, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations must be made to log connections,\ndate/time, username and session identifier.\n\nFirst, edit the postgresql.conf file as a privileged user:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters based on the organization's needs (minimum\nrequirements are as follows):\n\nlog_connections = on\nlog_disconnections = on\nlog_line_prefix = '< %m %u %d %c: >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73033\" do\n title \"PostgreSQL must produce audit records containing sufficient information to\nestablish what type of events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000095-DB-000039\"\n tag \"gid\": \"V-73033\"\n tag \"rid\": \"SV-87685r1_rule\"\n tag \"stig_id\": \"PGS9-00-010400\"\n tag \"cci\": [\"CCI-000130\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), verify\nthe current log_line_prefix setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nVerify that the current settings are appropriate for the organization.\n\nThe following is what is possible for logged information:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %h = remote host\n# %p = process ID\n# %t = timestamp without milliseconds\n# %m = timestamp with milliseconds\n# %i = command tag\n# %e = SQL state\n# %c = session ID\n# %l = session line 
number\n# %s = session start timestamp\n# %v = virtual transaction ID\n# %x = transaction ID (0 if none)\n# %q = stop here in non-session\n# processes\n\nIf the audit record does not log events required by the organization, this is a\nfinding.\n\nNext, verify the current settings of log_connections and log_disconnections by\nrunning the following SQL:\n\n$ psql -c \\\"SHOW log_connections\\\"\n$ psql -c \\\"SHOW log_disconnections\\\"\n\nIf both settings are off, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations must be made to log connections,\ndate/time, username and session identifier.\n\nFirst, edit the postgresql.conf file as a privileged user:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters based on the organization's needs (minimum\nrequirements are as follows):\n\nlog_connections = on\nlog_disconnections = on\nlog_line_prefix = '< %m %u %d %c: >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n 
end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73033.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.000360587,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.000368932,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000358575,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include 
\"%s\"","run_time":0.000359308,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%s\"\nDiff:\n@@ -1,2 +1,5 @@\n-%s\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_connections; output should not match /off|false/i","run_time":0.00011598,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_disconnections; output should not match /off|false/i","run_time":0.000105835,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-73035","title":"PostgreSQL must implement cryptographic mechanisms preventing the\nunauthorized disclosure of organization-defined information at rest on\norganization-defined information system components.","desc":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.","descriptions":[{"label":"default","data":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000429-DB-000387","gid":"V-73035","rid":"SV-87687r1_rule","stig_id":"PGS9-00-010500","cci":["CCI-002476"],"nist":["SC-28 (1)","Rev_4"],"check":"To check if pgcrypto is installed on PostgreSQL, as a database\nadministrator (shown here as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf a disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of filesystem and/or disk-level encryption. If this is required\nand is not found, this is a finding.","fix":"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection for\ninformation requiring cryptographic protection against disclosure.\n\nSecure the premises, equipment, and media to provide the required level of physical\nprotection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));"},"code":"control \"V-73035\" do\n title \"PostgreSQL must implement cryptographic mechanisms preventing the\nunauthorized disclosure of organization-defined information at rest on\norganization-defined information system components.\"\n desc \"PostgreSQLs handling data requiring \\\"data at rest\\\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000429-DB-000387\"\n tag \"gid\": \"V-73035\"\n tag \"rid\": \"SV-87687r1_rule\"\n tag \"stig_id\": \"PGS9-00-010500\"\n tag \"cci\": [\"CCI-002476\"]\n tag \"nist\": [\"SC-28 (1)\", \"Rev_4\"]\n tag \"check\": \"To check if pgcrypto is installed on PostgreSQL, as a database\nadministrator (shown here as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf a disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of filesystem and/or disk-level encryption. If this is required\nand is not found, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection for\ninformation requiring cryptographic protection against disclosure.\n\nSecure the premises, equipment, and media to provide the required level of physical\nprotection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73035.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT * FROM pg_available_extensions where name='pgcrypto' output should not eq \"\"","run_time":0.000120482,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-73037","title":"PostgreSQL must invalidate session identifiers upon user logout or other\nsession termination.","desc":"Captured sessions can be reused in \"replay\" attacks. This requirement\nlimits the ability of adversaries to capture and continue to employ previously valid\nsession IDs.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet. The intent of this control is to establish grounds for\nconfidence at each end of a communications session in the ongoing identity of the\nother party and in the validity of the information being transmitted.\n\nSession IDs are tokens generated by PostgreSQLs to uniquely identify a user's (or\nprocess's) session. DBMSs will make access decisions and execute logic based on the\nsession ID.\n\nUnique session IDs help to reduce predictability of said identifiers. Unique session\nIDs address man-in-the-middle attacks, including session hijacking or insertion of.\ninformation into a session. 
If the attacker is unable to identify or guess the\nsession information related to pending application traffic, they will have more\ndifficulty in hijacking the session or otherwise manipulating valid sessions.\n\nWhen a user logs out, or when any other session termination event occurs, PostgreSQL\nmust terminate the user session(s) to minimize the potential for sessions to be\nhijacked.","descriptions":[{"label":"default","data":"Captured sessions can be reused in \"replay\" attacks. This requirement\nlimits the ability of adversaries to capture and continue to employ previously valid\nsession IDs.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet. The intent of this control is to establish grounds for\nconfidence at each end of a communications session in the ongoing identity of the\nother party and in the validity of the information being transmitted.\n\nSession IDs are tokens generated by PostgreSQLs to uniquely identify a user's (or\nprocess's) session. DBMSs will make access decisions and execute logic based on the\nsession ID.\n\nUnique session IDs help to reduce predictability of said identifiers. Unique session\nIDs address man-in-the-middle attacks, including session hijacking or insertion of.\ninformation into a session. 
If the attacker is unable to identify or guess the\nsession information related to pending application traffic, they will have more\ndifficulty in hijacking the session or otherwise manipulating valid sessions.\n\nWhen a user logs out, or when any other session termination event occurs, PostgreSQL\nmust terminate the user session(s) to minimize the potential for sessions to be\nhijacked."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000220-DB-000149","gid":"V-73037","rid":"SV-87689r1_rule","stig_id":"PGS9-00-010600","cci":["CCI-001184"],"nist":["SC-23","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), run the\nfollowing SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW tcp_keepalives_idle\"\n$ psql -c \"SHOW tcp_keepalives_interval\"\n$ psql -c \"SHOW tcp_keepalives_count\"\n$ psql -c \"SHOW statement_timeout\"\n\nIf these settings are not set, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi $PGDATA/postgresql.conf\n\nSet the following parameters to organizational requirements:\n\nstatement_timeout = 10000 #milliseconds\ntcp_keepalives_idle = 10 # seconds\ntcp_keepalives_interval = 10 # seconds\ntcp_keepalives_count = 10\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart"},"code":"control \"V-73037\" do\n title \"PostgreSQL must invalidate session identifiers upon user logout or other\nsession termination.\"\n desc \"Captured sessions can be reused in \\\"replay\\\" attacks. 
This requirement\nlimits the ability of adversaries to capture and continue to employ previously valid\nsession IDs.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet. The intent of this control is to establish grounds for\nconfidence at each end of a communications session in the ongoing identity of the\nother party and in the validity of the information being transmitted.\n\nSession IDs are tokens generated by PostgreSQLs to uniquely identify a user's (or\nprocess's) session. DBMSs will make access decisions and execute logic based on the\nsession ID.\n\nUnique session IDs help to reduce predictability of said identifiers. Unique session\nIDs address man-in-the-middle attacks, including session hijacking or insertion of.\ninformation into a session. If the attacker is unable to identify or guess the\nsession information related to pending application traffic, they will have more\ndifficulty in hijacking the session or otherwise manipulating valid sessions.\n\nWhen a user logs out, or when any other session termination event occurs, PostgreSQL\nmust terminate the user session(s) to minimize the potential for sessions to be\nhijacked.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000220-DB-000149\"\n tag \"gid\": \"V-73037\"\n tag \"rid\": \"SV-87689r1_rule\"\n tag \"stig_id\": \"PGS9-00-010600\"\n tag \"cci\": [\"CCI-001185\"]\n tag \"nist\": [\"SC-23 (1)\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), run the\nfollowing SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW tcp_keepalives_idle\\\"\n$ psql -c \\\"SHOW tcp_keepalives_interval\\\"\n$ psql -c \\\"SHOW tcp_keepalives_count\\\"\n$ psql -c \\\"SHOW statement_timeout\\\"\n\nIf these settings are not set, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on 
configuring PGDATA.\n\nAs the database administrator (shown here as \\\"postgres\\\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi $PGDATA/postgresql.conf\n\nSet the following parameters to organizational requirements:\n\nstatement_timeout = 10000 #milliseconds\ntcp_keepalives_idle = 10 # seconds\ntcp_keepalives_interval = 10 # seconds\ntcp_keepalives_count = 10\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW tcp_keepalives_idle;', [PG_DB]) do\n its('output') { should_not cmp 0 }\n end\n\n describe sql.query('SHOW tcp_keepalives_interval;', [PG_DB]) do\n its('output') { should_not cmp 0 }\n end\n\n describe sql.query('SHOW tcp_keepalives_count;', [PG_DB]) do\n its('output') { should_not cmp 0 }\n end\n\n describe sql.query('SHOW statement_timeout;', [PG_DB]) do\n its('output') { should_not cmp 0 }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73037.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW tcp_keepalives_idle; output should not cmp == 0","run_time":0.000198021,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW tcp_keepalives_interval; output should not cmp == 0","run_time":0.000159249,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW tcp_keepalives_count; output should not cmp == 0","run_time":0.000216461,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW statement_timeout; output should not cmp == 0","run_time":0.000209977,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-73041","title":"PostgreSQL must 
produce audit records containing time stamps to establish\nwhen the events occurred.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. 
This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000096-DB-000040","gid":"V-73041","rid":"SV-87693r1_rule","stig_id":"PGS9-00-011100","cci":["CCI-000131"],"nist":["AU-3","Rev_4"],"check":"As the database administrator (usually postgres, run the following\nSQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf the query result does not contain \"%m\", this is a finding.","fix":"Logging must be enabled in order to capture timestamps. To ensure that\nlogging is enabled, review supplementary content APPENDIX-C for instructions on\nenabling logging.\n\nIf logging is enabled the following configurations must be made to log events with\ntimestamps:\n\nFirst, as the database administrator (shown here as \"postgres\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd %m to log_line_prefix to enable timestamps with milliseconds:\n\nlog_line_prefix = '< %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73041\" do\n title \"PostgreSQL must produce audit records containing time stamps to establish\nwhen the events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000096-DB-000040\"\n tag \"gid\": \"V-73041\"\n tag \"rid\": \"SV-87693r1_rule\"\n tag \"stig_id\": \"PGS9-00-011100\"\n tag \"cci\": [\"CCI-000131\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (usually postgres, run the following\nSQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nIf the query result does not contain \\\"%m\\\", this is a finding.\"\n tag \"fix\": \"Logging must be enabled in order to capture timestamps. 
To ensure that\nlogging is enabled, review supplementary content APPENDIX-C for instructions on\nenabling logging.\n\nIf logging is enabled the following configurations must be made to log events with\ntimestamps:\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd %m to log_line_prefix to enable timestamps with milliseconds:\n\nlog_line_prefix = '< %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = ['%m']\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73041.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.00037377,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73045","title":"PostgreSQL must off-load audit data to a separate log management facility;\nthis must be continuous and in near real time for systems with a network connection\nto the storage facility and weekly or more often for stand-alone systems.","desc":"Information stored in one location is vulnerable to accidental 
or\nincidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage\ncapacity.\n\nPostgreSQL may write audit records to database tables, to files in the file system,\nto other kinds of local repository, or directly to a centralized log management\nsystem. Whatever the method used, it must be compatible with off-loading the records\nto the centralized system.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage\ncapacity.\n\nPostgreSQL may write audit records to database tables, to files in the file system,\nto other kinds of local repository, or directly to a centralized log management\nsystem. Whatever the method used, it must be compatible with off-loading the records\nto the centralized system."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000515-DB-000318","gid":"V-73045","rid":"SV-87697r1_rule","stig_id":"PGS9-00-011300","cci":["CCI-001848"],"nist":["AU-4","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nensure PostgreSQL uses syslog by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_destination\"\n\nIf log_destination is not syslog, this is a finding.\n\nNext, as the database administrator, check which log facility is configured by\nrunning the following SQL:\n\n$ psql -c \"SHOW syslog_facility\"\n\nCheck with the organization to see how syslog facilities are defined in their\norganization.\n\nIf the wrong facility is configured, this is a finding.\n\nIf PostgreSQL does not have a continuous network connection to the centralized log\nmanagement system, and PostgreSQL audit records are not transferred to the\ncentralized log management system weekly or more often, this is a finding.","fix":"Note: The following instructions use the 
PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL or deploy and configure software tools to transfer audit\nrecords to a centralized log management system, continuously and in near-real time\nwhere a continuous network connection to the log management system exists, or at\nleast weekly in the absence of such a connection.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \"postgres\"),\nconfigure the following parameters in postgresql.conf (the example uses the default\nvalues - tailor for environment):\n\nNote: Consult the organization on how syslog facilities are defined in the syslog\ndaemon configuration.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_destination = 'syslog'\nsyslog_facility = 'LOCAL0'\nsyslog_ident = 'postgres'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73045\" do\n title \"PostgreSQL must off-load audit data to a separate log management facility;\nthis must be continuous and in near real time for systems with a network connection\nto the storage facility and weekly or more often for stand-alone systems.\"\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage\ncapacity.\n\nPostgreSQL may write audit records to database tables, to files in the file system,\nto other kinds of local repository, or directly to a centralized log management\nsystem. 
Whatever the method used, it must be compatible with off-loading the records\nto the centralized system.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000515-DB-000318\"\n tag \"gid\": \"V-73045\"\n tag \"rid\": \"SV-87697r1_rule\"\n tag \"stig_id\": \"PGS9-00-011300\"\n tag \"cci\": [\"CCI-001851\"]\n tag \"nist\": [\"AU-4 (1)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as \\\"postgres\\\"),\nensure PostgreSQL uses syslog by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_destination\\\"\n\nIf log_destination is not syslog, this is a finding.\n\nNext, as the database administrator, check which log facility is configured by\nrunning the following SQL:\n\n$ psql -c \\\"SHOW syslog_facility\\\"\n\nCheck with the organization to see how syslog facilities are defined in their\norganization.\n\nIf the wrong facility is configured, this is a finding.\n\nIf PostgreSQL does not have a continuous network connection to the centralized log\nmanagement system, and PostgreSQL audit records are not transferred to the\ncentralized log management system weekly or more often, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL or deploy and configure software tools to transfer audit\nrecords to a centralized log management system, continuously and in near-real time\nwhere a continuous network connection to the log management system exists, or at\nleast weekly in the absence of such a connection.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \\\"postgres\\\"),\nconfigure the follow parameters in postgresql.conf (the example uses the default\nvalues - tailor for environment):\n\nNote: Consult the 
organization on how syslog facilities are defined in the syslog\ndaemon configuration.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_destination = 'syslog'\nsyslog_facility = 'LOCAL0'\nsyslog_ident = 'postgres'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73045.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":5.653e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73047","title":"PostgreSQL must maintain the authenticity of communications sessions by\nguarding against man-in-the-middle attacks that guess at Session ID values.","desc":"One class of man-in-the-middle, or session hijacking, attack involves the\nadversary guessing at valid session identifiers based on patterns in identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number generator.\n\nHowever, it is recognized that available PostgreSQL products do not all implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective.","descriptions":[{"label":"default","data":"One class of man-in-the-middle, or session hijacking, attack involves the\nadversary guessing at valid session identifiers based on patterns in identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number 
generator.\n\nHowever, it is recognized that available PostgreSQL products do not all implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000224-DB-000384","gid":"V-73047","rid":"SV-87699r1_rule","stig_id":"PGS9-00-011400","cci":["CCI-001188"],"nist":["SC-23 (3)","Rev_4"],"check":"To check if PostgreSQL is configured to use ssl, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\"\n\nIf this is not set to `on`, this is a finding.","fix":"To configure PostgreSQL to use SSL, as a database owner (shown here as\n\"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nFor further SSL configurations, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/ssl-tcp.html"},"code":"control \"V-73047\" do\n title \"PostgreSQL must maintain the authenticity of communications sessions by\nguarding against man-in-the-middle attacks that guess at Session ID values.\"\n desc \"One class of man-in-the-middle, or session hijacking, attack involves the\nadversary guessing at valid session identifiers based on patterns in identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number generator.\n\nHowever, it is recognized that available PostgreSQL products do not all 
implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000224-DB-000384\"\n tag \"gid\": \"V-73047\"\n tag \"rid\": \"SV-87699r1_rule\"\n tag \"stig_id\": \"PGS9-00-011400\"\n tag \"cci\": [\"CCI-001188\"]\n tag \"nist\": [\"SC-23 (3)\", \"Rev_4\"]\n tag \"check\": \"To check if PostgreSQL is configured to use ssl, as the database\nadministrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW ssl\\\"\n\nIf this is not set to `on`, this is a finding.\"\n\n tag \"fix\": \"To configure PostgreSQL to use SSL, as a database owner (shown here as\n\\\"postgres\\\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nFor further SSL configurations, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/ssl-tcp.html\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73047.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl; output should match /on|true/i","run_time":9.9886e-05,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-73049","title":"PostgreSQL must uniquely identify and authenticate organizational users (or\nprocesses acting on behalf of 
organizational users).","desc":"To assure accountability and prevent unauthenticated access, organizational\nusers must be identified and authenticated to prevent potential misuse and\ncompromise of the system.\n\nOrganizational users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nOrganizational users (and any processes acting on behalf of users) must be uniquely\nidentified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations\ndocument specific user actions that can be performed on the information system\nwithout identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without\nindividual authentication. Organizations may require unique identification of\nindividuals using shared accounts, for detailed accountability of individual\nactivity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational\nusers must be identified and authenticated to prevent potential misuse and\ncompromise of the system.\n\nOrganizational users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nOrganizational users (and any processes acting on behalf of users) must be uniquely\nidentified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations\ndocument specific user actions that can be performed on the information system\nwithout identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without\nindividual authentication. 
Organizations may require unique identification of\nindividuals using shared accounts, for detailed accountability of individual\nactivity."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000148-DB-000103","gid":"V-73049","rid":"SV-87701r1_rule","stig_id":"PGS9-00-011500","cci":["CCI-000764"],"nist":["IA-2","Rev_4"],"check":"Review PostgreSQL settings to determine whether organizational users\nare uniquely identified and authenticated when logging on/connecting to the system.\n\nTo list all roles in the database, as the database administrator (shown here as\n\"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf organizational users are not uniquely identified and authenticated, this is a\nfinding.\n\nNext, as the database administrator (shown here as \"postgres\"), verify the current\npg_hba.conf authentication settings:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_hba.conf\n\nIf every role does not have unique authentication requirements, this is a finding.\n\nIf accounts are determined to be shared, determine if individuals are first\nindividually authenticated. 
If individuals are not individually authenticated before\nusing the shared account, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL settings to uniquely identify and authenticate all\norganizational users who log on/connect to the system.\n\nTo create roles, use the following SQL:\n\nCREATE ROLE [OPTIONS]\n\nFor more information on CREATE ROLE, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-createrole.html\n\nFor each role created, the database administrator can specify database\nauthentication by editing pg_hba.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/pg_hba.conf\n\nAn example pg_hba entry looks like this:\n\n# TYPE DATABASE USER ADDRESS METHOD\nhost test_db bob 192.168.0.0/16 md5\n\nFor more information on pg_hba.conf, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html"},"code":"control \"V-73049\" do\n title \"PostgreSQL must uniquely identify and authenticate organizational users (or\nprocesses acting on behalf of organizational users).\"\n desc \"To assure accountability and prevent unauthenticated access, organizational\nusers must be identified and authenticated to prevent potential misuse and\ncompromise of the system.\n\nOrganizational users include organizational employees or individuals the\norganization deems to have cmpuivalent status of employees (e.g., contractors).\nOrganizational users (and any processes acting on behalf of users) must be uniquely\nidentified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. 
Organizations\ndocument specific user actions that can be performed on the information system\nwithout identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without\nindividual authentication. Organizations may rcmpuire unique identification of\nindividuals using shared accounts, for detailed accountability of individual\nactivity.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000148-DB-000103\"\n tag \"gid\": \"V-73049\"\n tag \"rid\": \"SV-87701r1_rule\"\n tag \"stig_id\": \"PGS9-00-011500\"\n tag \"cci\": [\"CCI-000764\"]\n tag \"nist\": [\"IA-2\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL settings to determine whether organizational users\nare uniquely identified and authenticated when logging on/connecting to the system.\n\nTo list all roles in the database, as the database administrator (shown here as\n\\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\du\\\"\n\nIf organizational users are not uniquely identified and authenticated, this is a\nfinding.\n\nNext, as the database administrator (shown here as \\\"postgres\\\"), verify the current\npg_hba.conf authentication settings:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_hba.conf\n\nIf every role does not have unique authentication rcmpuirements, this is a finding.\n\nIf accounts are determined to be shared, determine if individuals are first\nindividually authenticated. 
If individuals are not individually authenticated before\nusing the shared account, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL settings to uniquely identify and authenticate all\norganizational users who log on/connect to the system.\n\nTo create roles, use the following SQL:\n\nCREATE ROLE [OPTIONS]\n\nFor more information on CREATE ROLE, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-createrole.html\n\nFor each role created, the database administrator can specify database\nauthentication by editing pg_hba.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/pg_hba.conf\n\nAn example pg_hba entry looks like this:\n\n# TYPE DATABASE USER ADDRESS METHOD\nhost test_db bob 192.168.0.0/16 md5\n\nFor more information on pg_hba.conf, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_roles = PG_USERS\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n\n describe sql.query(roles_sql, [PG_DB]) do\n its('lines.sort') { should cmp authorized_roles.sort }\n end\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'local' } do\n its('user.uniq') { should cmp PG_OWNER }\n its('auth_method.uniq') { should_not include 'trust'}\n end\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { database == 'replication' } do\n its('type.uniq') { should cmp 'host' }\n its('address.uniq.sort') { should cmp PG_REPLICAS.sort }\n its('user.uniq') { should cmp 'replication' }\n its('auth_method.uniq') { should cmp 'md5' }\n end\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'host' } do\n its('auth_method.uniq') { should cmp 'md5'}\n 
end\nend\n","source_location":{"line":68,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73049.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT r.rolname FROM pg_catalog.pg_roles r; lines.sort ","run_time":8.7449e-05,"start_time":"2019-04-22T14:20:39+00:00","message":"undefined method `sort' for \"postgres\":String","exception":"NoMethodError","backtrace":["/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73049.rb:153:in `block (3 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in 
run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in 
`run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"skipped","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"local\"","run_time":6.687e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"local\"","skip_message":"Can't find file: /var/lib/pgsql/9.5/data/pg_hba.conf"},{"status":"skipped","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\"","run_time":6.56e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\"","skip_message":"Can't find file: /var/lib/pgsql/9.5/data/pg_hba.conf"},{"status":"skipped","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"host\"","run_time":4.928e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"host\"","skip_message":"Can't find file: /var/lib/pgsql/9.5/data/pg_hba.conf"}]},{"id":"V-73051","title":"PostgreSQL must automatically terminate a user session after\norganization-defined conditions or trigger events requiring session disconnect.","desc":"This addresses the termination of user-initiated logical sessions in\ncontrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on\nbehalf of a user) accesses an organizational information system. 
Such user sessions\ncan be terminated (and thus terminate user access) without terminating network\nsessions.\n\nSession termination ends all processes associated with a user's logical session\nexcept those batch processes/jobs that are specifically created by the user (i.e.,\nsession owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include,\nfor example, organization-defined periods of user inactivity, targeted responses to\ncertain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner,\ndata owner, or organization requires additional assurance.","descriptions":[{"label":"default","data":"This addresses the termination of user-initiated logical sessions in\ncontrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on\nbehalf of a user) accesses an organizational information system. 
Such user sessions\ncan be terminated (and thus terminate user access) without terminating network\nsessions.\n\nSession termination ends all processes associated with a user's logical session\nexcept those batch processes/jobs that are specifically created by the user (i.e.,\nsession owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include,\nfor example, organization-defined periods of user inactivity, targeted responses to\ncertain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner,\ndata owner, or organization requires additional assurance."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000295-DB-000305","gid":"V-73051","rid":"SV-87703r1_rule","stig_id":"PGS9-00-011600","cci":["CCI-002361"],"nist":["AC-12","Rev_4"],"check":"Review system documentation to obtain the organization's definition\nof circumstances requiring automatic session termination. If the documentation\nexplicitly states that such termination is not required or is prohibited, this is\nnot a finding.\n\nIf the documentation requires automatic session termination, but PostgreSQL is not\nconfigured accordingly, this is a finding.","fix":"Configure PostgreSQL to automatically terminate a user session after\norganization-defined conditions or trigger events requiring session termination.\n\nExamples follow.\n\n### Change a role to nologin and disconnect the user\n\nALTER ROLE '' NOLOGIN;\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE username='';\n\n### Disconnecting users during a specific time range\nSee supplementary content APPENDIX-A for a bash script for this example.\n\nThe script found in APPENDIX-A using the -l command can disable all users with\nrolcanlogin=t from logging in. The script keeps track of who it disables in a\n.restore_login file. 
After the specified time is over, the same script can be run\nwith the -r command to restore all login connections.\n\nThis script would be added to a cron job:\n\n# lock at 5 am every day of the week, month, year at the 0 minute mark.\n0 5 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -l\n# restore at 5 pm every day of the week, month, year at the 0 minute mark.\n0 17 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -r"},"code":"control \"V-73051\" do\n title \"PostgreSQL must automatically terminate a user session after\norganization-defined conditions or trigger events requiring session disconnect.\"\n desc \"This addresses the termination of user-initiated logical sessions in\ncontrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on\nbehalf of a user) accesses an organizational information system. 
Such user sessions\ncan be terminated (and thus terminate user access) without terminating network\nsessions.\n\nSession termination ends all processes associated with a user's logical session\nexcept those batch processes/jobs that are specifically created by the user (i.e.,\nsession owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include,\nfor example, organization-defined periods of user inactivity, targeted responses to\ncertain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner,\ndata owner, or organization requires additional assurance.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000295-DB-000305\"\n tag \"gid\": \"V-73051\"\n tag \"rid\": \"SV-87703r1_rule\"\n tag \"stig_id\": \"PGS9-00-011600\"\n tag \"cci\": [\"CCI-002361\"]\n tag \"nist\": [\"AC-12\", \"Rev_4\"]\n tag \"check\": \"Review system documentation to obtain the organization's definition\nof circumstances requiring automatic session termination. If the documentation\nexplicitly states that such termination is not required or is prohibited, this is\nnot a finding.\n\nIf the documentation requires automatic session termination, but PostgreSQL is not\nconfigured accordingly, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to automatically terminate a user session after\norganization-defined conditions or trigger events requiring session termination.\n\nExamples follow.\n\n### Change a role to nologin and disconnect the user\n\nALTER ROLE '' NOLOGIN;\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE username='';\n\n### Disconnecting users during a specific time range\nSee supplementary content APPENDIX-A for a bash script for this example.\n\nThe script found in APPENDIX-A using the -l command can disable all users with\nrolcanlogin=t from logging in. 
The script keeps track of who it disables in a\n.restore_login file. After the specified time is over, the same script can be run\nwith the -r command to restore all login connections.\n\nThis script would be added to a cron job:\n\n# lock at 5 am every day of the week, month, year at the 0 minute mark.\n0 5 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -l\n# restore at 5 pm every day of the week, month, year at the 0 minute mark.\n0 17 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -r\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73051.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":5.737e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73055","title":"PostgreSQL must map the PKI-authenticated identity to an associated user\naccount.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates. Once a PKI certificate has been validated, it \n must be mapped to PostgreSQL user account for the authenticated \n identity to be meaningful to PostgreSQL and useful for \n authorization decisions.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates. 
Once a PKI certificate has been validated, it \n must be mapped to PostgreSQL user account for the authenticated \n identity to be meaningful to PostgreSQL and useful for \n authorization decisions."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000177-DB-000069","gid":"V-73055","rid":"SV-87707r1_rule","stig_id":"PGS9-00-011800","cci":["CCI-000187"],"nist":["IA-5 (2) (c)","Rev_4"],"check":"The cn (Common Name) attribute of the certificate will be compared\nto the requested database user name, and if they match the login will be allowed.\n\nTo check the cn of the certificate, using openssl, do the following:\n\n$ openssl x509 -noout -subject -in client_cert\n\nIf the cn does not match the users listed in PostgreSQL and no user mapping is used,\nthis is a finding.\n\nUser name mapping can be used to allow cn to be different from the database user\nname. If User Name Maps are used, run the following as the database administrator\n(shown here as \"postgres\"), to get a list of maps used for authentication:\n\n$ sudo su - postgres\n$ grep \"map\" ${PGDATA?}/pg_hba.conf\n\nWith the names of the maps used, check those maps against the user name mappings in\npg_ident.conf:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_ident.conf\n\nIf user accounts are not being mapped to authenticated identities, this is a finding.\n\nIf the cn and the username mapping do not match, this is a finding.","fix":"Configure PostgreSQL to map authenticated identities directly to\nPostgreSQL user accounts.\n\nFor information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-73055\" do\n title \"PostgreSQL must map the PKI-authenticated identity to an associated user\naccount.\"\n desc \"The DoD standard for authentication is DoD-approved PKI certificates. 
Once\na PKI certificate has been validated, it must be mapped to PostgreSQL user account\nfor the authenticated identity to be meaningful to PostgreSQL and useful for\nauthorization decisions.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000177-DB-000069\"\n tag \"gid\": \"V-73055\"\n tag \"rid\": \"SV-87707r1_rule\"\n tag \"stig_id\": \"PGS9-00-011800\"\n tag \"cci\": [\"CCI-000187\"]\n tag \"nist\": [\"IA-5 (2) (c)\", \"Rev_4\"]\n tag \"check\": \"The cn (Common Name) attribute of the certificate will be compared\nto the requested database user name, and if they match the login will be allowed.\n\nTo check the cn of the certificate, using openssl, do the following:\n\n$ openssl x509 -noout -subject -in client_cert\n\nIf the cn does not match the users listed in PostgreSQL and no user mapping is used,\nthis is a finding.\n\nUser name mapping can be used to allow cn to be different from the database user\nname. If User Name Maps are used, run the following as the database administrator\n(shown here as \\\"postgres\\\"), to get a list of maps used for authentication:\n\n$ sudo su - postgres\n$ grep \\\"map\\\" ${PGDATA?}/pg_hba.conf\n\nWith the names of the maps used, check those maps against the user name mappings in\npg_ident.conf:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_ident.conf\n\nIf user accounts are not being mapped to authenticated identities, this is a finding.\n\nIf the cn and the username mapping do not match, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to map authenticated identities directly to\nPostgreSQL user accounts.\n\nFor information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73055.rb"},"results":[{"status":"skipped","code_desc":"Operating System 
Detection","run_time":7.001e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73057","title":"Database contents must be protected from unauthorized and unintended\ninformation transfer by enforcement of a data-transfer policy.","desc":"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls.","descriptions":[{"label":"default","data":"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. 
It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000243-DB-000128","gid":"V-73057","rid":"SV-87709r1_rule","stig_id":"PGS9-00-011900","cci":["CCI-001090"],"nist":["SC-4","Rev_4"],"check":"Review the procedures for the refreshing of development/test data\nfrom production.\n\nReview any scripts or code that exists for the movement of production data to\ndevelopment/test systems, or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations.\n\nIf the code that exists for data movement does not comply with the\norganization-defined data transfer policy and/or fails to remove any copies of\nproduction data from unprotected locations, this is a finding.","fix":"Modify any code used for moving data from production to\ndevelopment/test systems to comply with the organization-defined data transfer\npolicy, and to ensure copies of production data are not left in unsecured locations."},"code":"control \"V-73057\" do\n title \"Database contents must be protected from unauthorized and unintended\ninformation transfer by enforcement of a data-transfer policy.\"\n desc \"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. 
It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000243-DB-000128\"\n tag \"gid\": \"V-73057\"\n tag \"rid\": \"SV-87709r1_rule\"\n tag \"stig_id\": \"PGS9-00-011900\"\n tag \"cci\": [\"CCI-001090\"]\n tag \"nist\": [\"SC-4\", \"Rev_4\"]\n tag \"check\": \"Review the procedures for the refreshing of development/test data\nfrom production.\n\nReview any scripts or code that exists for the movement of production data to\ndevelopment/test systems, or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations.\n\nIf the code that exists for data movement does not comply with the\norganization-defined data transfer policy and/or fails to remove any copies of\nproduction data from unprotected locations, this is a finding.\"\n\n tag \"fix\": \"Modify any code used for moving data from production to\ndevelopment/test systems to comply with the organization-defined data transfer\npolicy, and to ensure copies of production data are not left in unsecured locations.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73057.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":7.663e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73061","title":"PostgreSQL must protect its audit configuration from unauthorized\n modification.","desc":"Protecting audit data also includes identifying and protecting the tools\n used to view 
and manipulate log data. Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order to make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators.","descriptions":[{"label":"default","data":"Protecting audit data also includes identifying and protecting the tools\n used to view and manipulate log data. Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order to make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000122-DB-000203","gid":"V-73061","rid":"SV-87713r1_rule","stig_id":"PGS9-00-012200","cci":["CCI-001494"],"nist":["AU-9","Rev_4"],"check":"All configurations for auditing and logging can be found in the\n postgresql.conf configuration file. 
By default, this file is owned by the\n database administrator account.\n\n To check that the permissions of the postgresql.conf are owned by the database\n administrator with permissions of 0600, run the following as the database\n administrator (shown here as \"postgres\"):\n\n $ sudo su - postgres\n $ ls -la ${PGDATA?}\n\n If postgresql.conf is not owned by the database administrator or does not\n have 0600 permissions, this is a finding.\n\n #### stderr Logging\n\n To check that logs are created with 0600 permissions, check the\n postgresql.conf file for the following setting:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_file_mode\"\n\n If permissions are not 0600, this is a finding.\n\n #### syslog Logging\n\n If PostgreSQL is configured to use syslog, verify that the logs are owned\n by root and have 0600 permissions. If they are not, this is a finding.","fix":"Apply or modify access controls and permissions (both within PostgreSQL\n and in the file system/operating system) to tools used to view or modify\n audit log data. Tools must be configurable by authorized personnel only.\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_file_mode = 0600\n\n Next, as the database administrator (shown here as \"postgres\"), change\n the ownership and permissions of configuration files in PGDATA:\n\n $ sudo su - postgres\n $ chown postgres:postgres ${PGDATA?}/*.conf\n $ chmod 0600 ${PGDATA?}/*.conf"},"code":"control \"V-73061\" do\n title \"PostgreSQL must protect its audit configuration from unauthorized\n modification.\"\n desc \"Protecting audit data also includes identifying and protecting the tools\n used to view and manipulate log data. 
Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000122-DB-000203\"\n tag \"gid\": \"V-73061\"\n tag \"rid\": \"SV-87713r1_rule\"\n tag \"stig_id\": \"PGS9-00-012200\"\n tag \"cci\": [\"CCI-001494\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n\n tag \"check\": \"All configurations for auditing and logging can be found in the\n postgresql.conf configuration file. By default, this file is owned by the\n database administrator account.\n\n To check that the permissions of the postgresql.conf are owned by the database\n administrator with permissions of 0600, run the following as the database\n administrator (shown here as \\\"postgres\\\"):\n\n $ sudo su - postgres\n $ ls -la ${PGDATA?}\n\n If postgresql.conf is not owned by the database administrator or does not\n have 0600 permissions, this is a finding.\n\n #### stderr Logging\n\n To check that logs are created with 0600 permissions, check the\n postgresql.conf file for the following setting:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_file_mode\\\"\n\n If permissions are not 0600, this is a finding.\n\n #### syslog Logging\n\n If PostgreSQL is configured to use syslog, verify that the logs are owned\n by root and have 0600 permissions. 
If they are not, this is a finding.\"\n\n tag \"fix\": \"Apply or modify access controls and permissions (both within PostgreSQL\n and in the file system/operating system) to tools used to view or modify\n audit log data. Tools must be configurable by authorized personnel only.\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_file_mode = 0600\n\n Next, as the database administrator (shown here as \\\"postgres\\\"), change\n the ownership and permissions of configuration files in PGDATA:\n\n $ sudo su - postgres\n $ chown postgres:postgres ${PGDATA?}/*.conf\n $ chmod 0600 ${PGDATA?}/*.conf\"\n\n describe file(PG_CONF_FILE) do\n it { should be_file }\n its('mode') { should cmp '0600' }\n end\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_destination_query = sql.query('SHOW log_destination;', [PG_DB])\n log_destination = log_destination_query.output\n\n if log_destination =~ /stderr/i\n describe sql.query('SHOW log_file_mode;', [PG_DB]) do\n its('output') { should cmp '0600' }\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73061.rb"},"results":[{"status":"failed","code_desc":"File /var/lib/pgsql/9.5/data/postgresql.conf should be file","run_time":0.000251711,"start_time":"2019-04-22T14:20:39+00:00","message":"expected `File /var/lib/pgsql/9.5/data/postgresql.conf.file?` to return true, got false"},{"status":"failed","code_desc":"File /var/lib/pgsql/9.5/data/postgresql.conf mode should cmp == \"0600\"","run_time":0.000251169,"start_time":"2019-04-22T14:20:39+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in 
'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73061.rb:124:in `block (3 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in 
`with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in 
`run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]}]},{"id":"V-73063","title":"PostgreSQL must use NIST FIPS 140-2 validated cryptographic modules for\n cryptographic operations.","desc":"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules.","descriptions":[{"label":"default","data":"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. 
Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000179-DB-000114","gid":"V-73063","rid":"SV-87715r1_rule","stig_id":"PGS9-00-012300","cci":["CCI-000803"],"nist":["IA-7","Rev_4"],"check":"As the system administrator, run the following:\n\n $ openssl version\n If \"fips\" is not included in the openssl version, this is a finding.","fix":"Configure OpenSSL to meet FIPS Compliance using the following\n documentation in section 9.1:\n\n http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf\n\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G."},"code":"control \"V-73063\" do\n title \"PostgreSQL must use NIST FIPS 140-2 validated cryptographic modules for\n cryptographic operations.\"\n desc \"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. 
Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules.\"\n impact 0.7\n tag \"severity\": \"high\"\n\n tag \"gtitle\": \"SRG-APP-000179-DB-000114\"\n tag \"gid\": \"V-73063\"\n tag \"rid\": \"SV-87715r1_rule\"\n tag \"stig_id\": \"PGS9-00-012300\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n\n tag \"check\": \"As the system administrator, run the following:\n\n $ openssl version\n If \\\"fips\\\" is not included in the openssl version, this is a finding.\"\n\n tag \"fix\": \"Configure OpenSSL to meet FIPS Compliance using the following\n documentation in section 9.1:\n\n http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf\n\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G.\"\n\n only_if do\n command('openssl').exist?\n end\n\n describe command('openssl version') do\n its('stdout') { should include 'fips' }\n end\nend\n","source_location":{"line":87,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73063.rb"},"results":[{"status":"passed","code_desc":"Command: `openssl version` stdout should include \"fips\"","run_time":0.027294922,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-73065","title":"Audit records must be generated when categorized information (e.g.,\n classification levels/security levels) is deleted.","desc":"Changes in 
categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000502-DB-000348","gid":"V-73065","rid":"SV-87717r1_rule","stig_id":"PGS9-00-012500","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that role, read, write and ddl auditing are enabled:\n\n $ psql -c \"SHOW pgaudit.log\"\n\n If the output does not contain role, read, write, and ddl,\n this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations can be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73065\" do\n title \"Audit records must be generated when categorized information (e.g.,\n classification levels/security levels) is deleted.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000502-DB-000348\"\n tag \"gid\": \"V-73065\"\n tag \"rid\": \"SV-87717r1_rule\"\n tag \"stig_id\": \"PGS9-00-012500\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that role, read, write and ddl auditing are enabled:\n\n $ psql -c \\\"SHOW pgaudit.log\\\"\n\n If the output does not contain role, read, write, and ddl,\n this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on 
configuring\n PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations can be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73065.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000465368,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include 
\"ddl\"","run_time":0.000418302,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.00035209,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.00044297,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.00047274,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to 
include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73067","title":"PostgreSQL must generate audit records when successful accesses to\n objects occur.","desc":"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUT.","descriptions":[{"label":"default","data":"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUT."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000507-DB-000356","gid":"V-73067","rid":"SV-87719r1_rule","stig_id":"PGS9-00-012600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that role, read, write, and ddl auditing are enabled:\n\n $ psql -c \"SHOW pgaudit.log\"\n\n If the output does not contain read and write, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\n To ensure that logging is enabled, review 
supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n If logging is enabled the following configurations must be made to log\n unsuccessful connections, date/time, username and session identifier.\n\n As the database administrator (shown here as \"postgres\"),\n edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Edit the following parameters:\n\n log_connections = on\n log_line_prefix = '< %m %u %c: >'\n pgaudit.log = 'read, write'\n\n Where:\n * %m is the time and date\n * %u is the username\n * %c is the session ID for the connection\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73067\" do\n title \"PostgreSQL must generate audit records when successful accesses to\n objects occur.\"\n desc \"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUT.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000507-DB-000356\"\n tag \"gid\": \"V-73067\"\n tag \"rid\": \"SV-87719r1_rule\"\n tag \"stig_id\": \"PGS9-00-012600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that role, read, write, and ddl auditing are enabled:\n\n $ psql -c \\\"SHOW pgaudit.log\\\"\n\n If the 
output does not contain read and write, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n If logging is enabled the following configurations must be made to log\n unsuccessful connections, date/time, username and session identifier.\n\n As the database administrator (shown here as \\\"postgres\\\"),\n edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Edit the following parameters:\n\n log_connections = on\n log_line_prefix = '< %m %u %c: >'\n pgaudit.log = 'read, write'\n\n Where:\n * %m is the time and date\n * %u is the username\n * %c is the session ID for the connection\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = ['read', 'write']\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73067.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000404739,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include 
\"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000416987,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000390106,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73069","title":"PostgreSQL must generate audit records for all direct access to the\n database(s).","desc":"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. Examples would be the command line or a database management\n utility program. 
The intent is to capture all activity from administrative\n and non-standard sources.","descriptions":[{"label":"default","data":"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. Examples would be the command line or a database management\n utility program. The intent is to capture all activity from administrative\n and non-standard sources."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000508-DB-000358","gid":"V-73069","rid":"SV-87721r1_rule","stig_id":"PGS9-00-012700","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that connections and disconnections are being logged by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_connections\"\n $ psql -c \"SHOW log_disconnections\"\n\n If the output does not contain \"on\",\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations should be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73069\" do\n title \"PostgreSQL must generate audit records for all direct access to the\n database(s).\"\n desc \"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. Examples would be the command line or a database management\n utility program. The intent is to capture all activity from administrative\n and non-standard sources.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000508-DB-000358\"\n tag \"gid\": \"V-73069\"\n tag \"rid\": \"SV-87721r1_rule\"\n tag \"stig_id\": \"PGS9-00-012700\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that connections and disconnections are being logged by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_connections\\\"\n $ psql -c \\\"SHOW log_disconnections\\\"\n\n If the output does not contain \\\"on\\\",\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA 
environment\n variable. See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations should be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73069.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000470085,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP 
connections on port 5432?\n"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_connections; output should match /on|true/i","run_time":0.000118693,"start_time":"2019-04-22T14:20:39+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_disconnections; output should match /on|true/i","run_time":0.000129386,"start_time":"2019-04-22T14:20:39+00:00"}]},{"id":"V-73071","title":"The DBMS must be configured on a platform that has a NIST certified\n FIPS 140-2 installation of OpenSSL.","desc":"Postgres uses OpenSSL for the underlying encryption layer. Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries.","descriptions":[{"label":"default","data":"Postgres uses OpenSSL for the underlying encryption layer. Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000179-DB-000114","gid":"V-73071","rid":"SV-87723r1_rule","stig_id":"PGS9-00-012800","cci":["CCI-000803"],"nist":["IA-7","Rev_4"],"check":"If the deployment incorporates a custom build of the operating\n system and Postgres guaranteeing the use of FIPS 140-2 compliant OpenSSL,\n this is not a finding.\n\n If PostgreSQL is not installed on Red Hat Enterprise Linux (RHEL),\n this is a finding.\n\n If FIPS encryption is not enabled, this is a finding.","fix":"Install Postgres with FIPS-compliant cryptography enabled on RHEL;\n or by other means ensure that FIPS 140-2 certified OpenSSL libraries are\n used by the DBMS."},"code":"control \"V-73071\" do\n title \"The DBMS must be configured on a platform that has a NIST certified\n FIPS 140-2 installation of OpenSSL.\"\n desc \"Postgres uses OpenSSL for the underlying encryption 
layer. Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries.\"\n impact 0.7\n tag \"severity\": \"high\"\n\n tag \"gtitle\": \"SRG-APP-000179-DB-000114\"\n tag \"gid\": \"V-73071\"\n tag \"rid\": \"SV-87723r1_rule\"\n tag \"stig_id\": \"PGS9-00-012800\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n\n tag \"check\": \"If the deployment incorporates a custom build of the operating\n system and Postgres guaranteeing the use of FIPS 140-2 compliant OpenSSL,\n this is not a finding.\n\n If PostgreSQL is not installed on Red Hat Enterprise Linux (RHEL),\n this is a finding.\n\n If FIPS encryption is not enabled, this is a finding.\"\n\n # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Federal_Standards_and_Regulations.html\n\n # fips=1 kernel option to the kernel command line during system\n # installation.\n\n # PRELINKING=no option in the /etc/sysconfig/prelink\n # run\n\n # yum install dracut-fips\n # For the CPUs with the AES New Instructions (AES-NI) support, install the\n # vdracut-fips-aesni package as well:\n\n # in the CM:\n # To disable existing prelinking on all system files, use the\n # prelink -u -a command.\n\n tag \"fix\": \"Install Postgres with FIPS-compliant cryptography enabled on RHEL;\n or by other means ensure that FIPS 140-2 certified OpenSSL libraries are\n used by the DBMS.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73071.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":6.487e-06,"start_time":"2019-04-22T14:20:39+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73123","title":"PostgreSQL must produce audit records 
containing sufficient information\n to establish where the events occurred.","desc":"Information system auditing capability is critical for accurate forensic\n analysis. Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\n analysis. Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000097-DB-000041","gid":"V-73123","rid":"SV-87775r1_rule","stig_id":"PGS9-00-007100","cci":["CCI-000132"],"nist":["AU-3","Rev_4"],"check":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n First, as the database administrator (shown here as 
\"postgres\"), check the\n current log_line_prefix setting by running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n\n If log_line_prefix does not contain %m %u %d %s, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n To check that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First edit the postgresql.conf file as the database administrator (shown here\n as \"postgres\"):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Extra parameters can be added to the setting log_line_prefix to log application\n related information:\n\n # %a = application name\n # %u = user name\n # %d = database name\n # %r = remote host and port\n # %p = process ID\n # %m = timestamp with milliseconds\n # %i = command tag\n # %s = session startup\n # %e = SQL state\n\n For example:\n log_line_prefix = '<%m %a %u %d %r %p %i %e %s>’\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73123\" do\n title \"PostgreSQL must produce audit records containing sufficient information\n to establish where the events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\n analysis. 
Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000097-DB-000041\"\n tag \"gid\": \"V-73123\"\n tag \"rid\": \"SV-87775r1_rule\"\n tag \"stig_id\": \"PGS9-00-007100\"\n tag \"cci\": [\"CCI-000132\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n\n tag \"check\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n First, as the database administrator (shown here as \\\"postgres\\\"), check the\n current log_line_prefix setting by running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_line_prefix\\\"\n\n If log_line_prefix does not contain %m %u %d %s, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n To check that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First edit the postgresql.conf file as the database administrator (shown here\n as \\\"postgres\\\"):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Extra parameters can be added to the setting log_line_prefix to log application\n related information:\n\n # %a = application name\n # %u = user name\n # %d = database name\n # %r = 
remote host and port\n # %p = process ID\n # %m = timestamp with milliseconds\n # %i = command tag\n # %s = session startup\n # %e = SQL state\n\n For example:\n log_line_prefix = '<%m %a %u %d %r %p %i %e %s>’\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73123.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.000391031,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.000445598,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000347764,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%s\"","run_time":0.000359703,"start_time":"2019-04-22T14:20:39+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%s\"\nDiff:\n@@ -1,2 +1,5 @@\n-%s\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]}],"status":"loaded"}],"statistics":{"duration":0.498897564},"version":"3.6.6"} \ No newline at end of file diff --git a/tests/hdf_data/raw_data/postgres_overlay.json b/tests/hdf_data/raw_data/postgres_overlay.json deleted file mode 100644 index 76d86927..00000000 --- a/tests/hdf_data/raw_data/postgres_overlay.json +++ /dev/null 
@@ -1 +0,0 @@
-{"platform":{"name":"amazon","release":"2"},"profiles":[{"name":"cms-ars-3.1-crunchy-data-postgresql-9-stig-overlay","version":"0.1.0","sha256":"ad33b45c439e6424d30a23ffb2c97ed6d12163959e731a47d8453e811c0dbb11","title":".","maintainer":"CMS InSpec Dev team","summary":".","license":"Apache-2.0","copyright":".","supports":[],"attributes":[],"depends":[{"name":"pgstigcheck-inspec","url":"https://github.com/mitre/aws-rds-crunchy-data-postgresql-9-stig-baseline","status":"loaded"}],"groups":[{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72841.rb","controls":["V-72841"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72845.rb","controls":["V-72845"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72849.rb","controls":["V-72849"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72851.rb","controls":["V-72851"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72857.rb","controls":["V-72857"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72859.rb","controls":["V-72859"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72861.rb","controls":["V-72861"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72863.rb","controls":["V-72863"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72865.rb","controls":["V-72865"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72867.rb","controls":["V-72867"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72869.rb","controls":["V-72869"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72871.rb","controls":["V-72871"]},{"id":"/home/ec2-user/.inspec
/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72873.rb","controls":["V-72873"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72875.rb","controls":["V-72875"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72877.rb","controls":["V-72877"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72883.rb","controls":["V-72883"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72887.rb","controls":["V-72887"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72891.rb","controls":["V-72891"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72893.rb","controls":["V-72893"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72895.rb","controls":["V-72895"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72897.rb","controls":["V-72897"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72899.rb","controls":["V-72899"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb","controls":["V-72901"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72903.rb","controls":["V-72903"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72905.rb","controls":["V-72905"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72909.rb","controls":["V-72909"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72911.rb","controls":["V-72911"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72917.rb","controls":["V-72917"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/
controls/V-72919.rb","controls":["V-72919"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72931.rb","controls":["V-72931"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72949.rb","controls":["V-72949"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72953.rb","controls":["V-72953"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72955.rb","controls":["V-72955"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72957.rb","controls":["V-72957"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72959.rb","controls":["V-72959"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72961.rb","controls":["V-72961"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72963.rb","controls":["V-72963"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72965.rb","controls":["V-72965"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72971.rb","controls":["V-72971"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72973.rb","controls":["V-72973"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72979.rb","controls":["V-72979"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72981.rb","controls":["V-72981"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72983.rb","controls":["V-72983"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72987.rb","controls":["V-72987"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72989.rb","controls":["V-72989"]},{"i
d":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72991.rb","controls":["V-72991"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72993.rb","controls":["V-72993"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72995.rb","controls":["V-72995"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72999.rb","controls":["V-72999"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73001.rb","controls":["V-73001"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73003.rb","controls":["V-73003"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73005.rb","controls":["V-73005"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73011.rb","controls":["V-73011"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73013.rb","controls":["V-73013"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73015.rb","controls":["V-73015"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73017.rb","controls":["V-73017"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73019.rb","controls":["V-73019"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73021.rb","controls":["V-73021"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73023.rb","controls":["V-73023"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73025.rb","controls":["V-73025"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73027.rb","controls":["V-73027"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240
490c08879e504472ff3102500/controls/V-73029.rb","controls":["V-73029"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73031.rb","controls":["V-73031"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73033.rb","controls":["V-73033"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73035.rb","controls":["V-73035"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73037.rb","controls":["V-73037"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73041.rb","controls":["V-73041"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73045.rb","controls":["V-73045"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73047.rb","controls":["V-73047"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73049.rb","controls":["V-73049"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73051.rb","controls":["V-73051"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73055.rb","controls":["V-73055"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73057.rb","controls":["V-73057"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73061.rb","controls":["V-73061"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73063.rb","controls":["V-73063"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73065.rb","controls":["V-73065"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73067.rb","controls":["V-73067"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73069.rb","
controls":["V-73069"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73071.rb","controls":["V-73071"]},{"id":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73123.rb","controls":["V-73123"]}],"controls":[{"id":"V-72841","title":"PostgreSQL must be configured to prohibit or restrict the use of\n organization-defined functions, ports, protocols, and/or services, as\n defined in the PPSM CAL and vulnerability assessments.","desc":"In order to prevent unauthorized connection of devices, unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, 
unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000142-DB-000094","gid":"V-72841","rid":"SV-87493r1_rule","stig_id":"PGS9-00-000100","cci":["CCI-000382","CCI-001762"],"nist":["CM-7 b","CM-7 (1) (b)","Rev_4"],"check":"As the database administrator, run the following SQL:\n\n $ psql -c \"SHOW port\"\n\n If the currently defined port configuration is deemed prohibited, this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To change the listening port of the database, as the database administrator,\n change the following setting in postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n\n Change the port parameter to the desired port.\n\n Next, restart the database:\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ service postgresql-9.5 restart\n\n Note: psql uses the default port 5432 by default. This can be changed by\n specifying the port with psql or by setting the PGPORT environment variable:\n\n $ psql -p 5432 -c \"SHOW port\"\n $ export PGPORT=5432"},"code":"control \"V-72841\" do\n title \"PostgreSQL must be configured to prohibit or restrict the use of\n organization-defined functions, ports, protocols, and/or services, as\n defined in the PPSM CAL and vulnerability assessments.\"\n desc \"In order to prevent unauthorized connection of devices, unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. 
Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system.\"\n impact 0.5\n \n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000142-DB-000094\"\n tag \"gid\": \"V-72841\"\n tag \"rid\": \"SV-87493r1_rule\"\n tag \"stig_id\": \"PGS9-00-000100\"\n tag \"cci\": [\"CCI-000382\",\"CCI-001762\"]\n tag \"nist\": [\"CM-7 b\", \"CM-7 (1) (b)\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, run the following SQL:\n\n $ psql -c \\\"SHOW port\\\"\n\n If the currently defined port configuration is deemed prohibited, this is a\n finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To change the listening port of the database, as the database administrator,\n change the following setting in postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n\n Change the port parameter to the desired port.\n\n Next, restart the database:\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ service postgresql-9.5 restart\n\n Note: psql uses the default port 5432 by default. This can be changed by\n specifying the port with psql or by setting the PGPORT environment variable:\n\n $ psql -p 5432 -c \\\"SHOW port\\\"\n $ export PGPORT=5432\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW port;', [PG_DB]) do\n its('output') { should eq PG_PORT }\n end\n\n describe port(PG_PORT) do\n it { should be_listening }\n its('processes') { should include 'postgres' }\n end\nend\n","source_location":{"line":48,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72841.rb"},"results":[]},{"id":"V-72845","title":"Security-relevant software updates to PostgreSQL must be installed\n within the time period directed by an authoritative source (e.g., IAVM, CTOs,\n DTMs, and STIGs).","desc":"Security flaws with software applications, including database\n management systems, are discovered daily. Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. 
Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs).","descriptions":[{"label":"default","data":"Security flaws with software applications, including database\n management systems, are discovered daily. Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. 
Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. 
The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs)."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000456-DB-000390","gid":"V-72845","rid":"SV-87497r1_rule","stig_id":"PGS9-00-000300","cci":["CCI-002605"],"nist":["SI-2 c","Rev_4"],"check":"If new packages are available for PostgreSQL, they can be\n reviewed in the package manager appropriate for the server operating system:\n To list the version of installed PostgreSQL using psql:\n $ sudo su - postgres\n $ psql -–version\n To list the current version of software for RPM:\n $ rpm -qa | grep postgres\n To list the current version of software for APT:\n $ apt-cache policy postgres\n All versions of PostgreSQL will be listed on:\n http://www.postgresql.org/support/versioning/\n All security-relevant software updates for PostgreSQL will be listed on:\n http://www.postgresql.org/support/security/\n If PostgreSQL is not at the latest version, this is a finding.\n If PostgreSQL is not at the latest version and the evaluated version has CVEs\n (IAVAs), then this is a CAT I finding.","fix":"Institute and adhere to policies and procedures to ensure that\n patches are consistently applied to PostgreSQL within the time allowed."},"code":" control \"V-72845\" do\n title \"Security-relevant software updates to PostgreSQL must be installed\n within the time period directed by an authoritative source (e.g., IAVM, CTOs,\n DTMs, and STIGs).\"\n desc \"Security flaws with software applications, including database\n management systems, are discovered daily. Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). 
Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. 
The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs).\"\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000456-DB-000390\"\n tag \"gid\": \"V-72845\"\n tag \"rid\": \"SV-87497r1_rule\"\n tag \"stig_id\": \"PGS9-00-000300\"\n tag \"cci\": [\"CCI-002605\"]\n tag \"nist\": [\"SI-2 c\", \"Rev_4\"]\n\n tag \"check\": \"If new packages are available for PostgreSQL, they can be\n reviewed in the package manager appropriate for the server operating system:\n To list the version of installed PostgreSQL using psql:\n $ sudo su - postgres\n $ psql -–version\n To list the current version of software for RPM:\n $ rpm -qa | grep postgres\n To list the current version of software for APT:\n $ apt-cache policy postgres\n All versions of PostgreSQL will be listed on:\n http://www.postgresql.org/support/versioning/\n All security-relevant software updates for PostgreSQL will be listed on:\n http://www.postgresql.org/support/security/\n If PostgreSQL is not at the latest version, this is a finding.\n If PostgreSQL is not at the latest version and the evaluated version has CVEs\n (IAVAs), then this is a CAT I finding.\"\n\n tag \"fix\": \"Institute and adhere to policies and procedures to ensure that\n patches are consistently applied to PostgreSQL within the time allowed.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72845.rb"},"results":[]},{"id":"V-72849","title":"PostgreSQL must integrate with an organization-level\n authentication/access mechanism providing account management and automation\n for all users, groups, roles, and any other principals.","desc":"Enterprise environments make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. 
Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements.","descriptions":[{"label":"default","data":"Enterprise environments make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. 
A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000023-DB-000001","gid":"V-72849","rid":"SV-87501r1_rule","stig_id":"PGS9-00-000500","cci":["CCI-000015"],"nist":["AC-2 (1)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. If all accounts are authenticated by the organization-level\n authentication/access mechanism, such as LDAP or Kerberos and not by\n PostgreSQL, this is not a finding. 
As the database administrator (shown here\n as \"postgres\"), review pg_hba.conf authentication file settings:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n All records must use an auth-method of gss, sspi, or ldap. For details on the\n specifics of these authentication methods see:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n If there are any records with a different auth-method than gss, sspi, or ldap,\n review the system documentation for justification and approval of these records.\n If there are any records with a different auth-method than gss, sspi, or ldap,\n that are not documented and approved, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. Integrate PostgreSQL security with an organization-level\n authentication/access mechanism providing account management for all users,\n groups, roles, and any other principals. As the database administrator (shown\n here as \"postgres\"), edit pg_hba.conf authentication file:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n\n For each PostgreSQL-managed account that is not documented and approved,\n either transfer it to management by the external mechanism, or document the\n need for it and obtain approval, as appropriate."},"code":"control \"V-72849\" do\n title \"PostgreSQL must integrate with an organization-level\n authentication/access mechanism providing account management and automation\n for all users, groups, roles, and any other principals.\"\n desc \"Enterprise environments make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. 
A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000023-DB-000001\"\n tag \"gid\": \"V-72849\"\n tag \"rid\": \"SV-87501r1_rule\"\n tag \"stig_id\": \"PGS9-00-000500\"\n tag \"cci\": [\"CCI-000015\"]\n tag \"nist\": [\"AC-2 (1)\", \"Rev_4\"]\n\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. If all accounts are authenticated by the organization-level\n authentication/access mechanism, such as LDAP or Kerberos and not by\n PostgreSQL, this is not a finding. 
As the database administrator (shown here\n as \\\"postgres\\\"), review pg_hba.conf authentication file settings:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n All records must use an auth-method of gss, sspi, or ldap. For details on the\n specifics of these authentication methods see:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n If there are any records with a different auth-method than gss, sspi, or ldap,\n review the system documentation for justification and approval of these records.\n If there are any records with a different auth-method than gss, sspi, or ldap,\n that are not documented and approved, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. Integrate PostgreSQL security with an organization-level\n authentication/access mechanism providing account management for all users,\n groups, roles, and any other principals. As the database administrator (shown\n here as \\\"postgres\\\"), edit pg_hba.conf authentication file:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n\n For each PostgreSQL-managed account that is not documented and approved,\n either transfer it to management by the external mechanism, or document the\n need for it and obtain approval, as appropriate.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72849.rb"},"results":[]},{"id":"V-72851","title":"PostgreSQL must provide non-privileged users with error messages that\n provide information necessary for corrective actions without revealing\n information that could be exploited by adversaries.","desc":"Any PostgreSQL or associated application providing too much information\n in error messages on the screen or printout risks compromising the data\n and security of the system. 
The structure and content of error messages\n need to be carefully considered by the organization and development team.\n\n Databases can inadvertently provide a wealth of information to an\n attacker through improperly handled error messages. In addition to\n sensitive business or personal information, database errors can provide\n host names, IP addresses, user names, and other system information not\n required for troubleshooting but very useful to someone targeting the\n system.\n\n Carefully consider the structure/content of error messages. The extent\n to which information systems are able to identify and handle error\n conditions is guided by organizational policy and operational\n requirements. Information that could be exploited by adversaries\n includes, for example, logon attempts with passwords entered by mistake\n as the username, mission/business information that can be derived from\n (if not stated explicitly by) information recorded, and personal\n information, such as account numbers, social security numbers, and\n credit card numbers.","descriptions":[{"label":"default","data":"Any PostgreSQL or associated application providing too much information\n in error messages on the screen or printout risks compromising the data\n and security of the system. The structure and content of error messages\n need to be carefully considered by the organization and development team.\n\n Databases can inadvertently provide a wealth of information to an\n attacker through improperly handled error messages. In addition to\n sensitive business or personal information, database errors can provide\n host names, IP addresses, user names, and other system information not\n required for troubleshooting but very useful to someone targeting the\n system.\n\n Carefully consider the structure/content of error messages. 
The extent\n to which information systems are able to identify and handle error\n conditions is guided by organizational policy and operational\n requirements. Information that could be exploited by adversaries\n includes, for example, logon attempts with passwords entered by mistake\n as the username, mission/business information that can be derived from\n (if not stated explicitly by) information recorded, and personal\n information, such as account numbers, social security numbers, and\n credit card numbers."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000266-DB-000162","gid":"V-72851","rid":"SV-87503r1_rule","stig_id":"PGS9-00-000600","cci":["CCI-001312"],"nist":["SI-11 a","Rev_4"],"check":"As the database administrator, run the following SQL:\n\n SELECT current_setting('client_min_messages');\n\n If client_min_messages is *not* set to error, this is a finding.","fix":"As the database administrator, edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n Change the client_min_messages parameter to be error:\n client_min_messages = 'error'\n\n Now reload the server with the new configuration (this just reloads settings\n currently in memory, will not cause an interruption):\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ service postgresql-9.5 reload "},"code":" control \"V-72851\" do\n sql = postgres_session(attribute('pg_dba'), attribute('pg_dba_password'), attribute('pg_host'))\n\n describe sql.query('SHOW client_min_messages;', [attribute('pg_db')]) do\n its('output') { should match /^error$/i }\n end\n end\n","source_location":{"line":57,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72851.rb"},"results":[]},{"id":"V-72857","title":"If passwords are used for authentication, PostgreSQL must transmit only\n encrypted representations of passwords.","desc":"The CMS standard for authentication is 
CMS-approved \n PKI certificates.\n\n Authentication based on User ID and Password may be \n used only when it is not possible to employ a PKI \n certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all \n times, and encryption is the standard method for \n protecting passwords during transmission.\n\n PostgreSQL passwords sent in clear text format across \n the network are vulnerable to discovery by unauthorized \n users. Disclosure of passwords may easily lead to \n unauthorized access to the database.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved \n PKI certificates.\n\n Authentication based on User ID and Password may be \n used only when it is not possible to employ a PKI \n certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all \n times, and encryption is the standard method for \n protecting passwords during transmission.\n\n PostgreSQL passwords sent in clear text format across \n the network are vulnerable to discovery by unauthorized \n users. Disclosure of passwords may easily lead to \n unauthorized access to the database."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000172-DB-000075","gid":"V-72857","rid":"SV-87509r1_rule","stig_id":"PGS9-00-000800","cci":["CCI-000197"],"nist":["IA-5 (1) (c)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. As the database administrator (shown here as \"postgres\"), review\n the authentication entries in pg_hba.conf:\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n If any entries use the auth_method (last column in records) \"password\", this\n is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n As the database administrator (shown here as \"postgres\"), edit\n pg_hba.conf authentication file and change all entries of \"password\" to\n \"md5\":\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n host all all .example.com md5"},"code":" control 'V-72857' do\n desc 'The CMS standard for authentication is CMS-approved \n PKI certificates.\n\n Authentication based on User ID and Password may be \n used only when it is not possible to employ a PKI \n certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all \n times, and encryption is the standard method for \n protecting passwords during transmission.\n\n PostgreSQL passwords sent in clear text format across \n the network are vulnerable to discovery by unauthorized \n users. Disclosure of passwords may easily lead to \n unauthorized access to the database.'\n end\n","source_location":{"line":32,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72857.rb"},"results":[]},{"id":"V-72859","title":"PostgreSQL must enforce approved authorizations for logical access to\n information and system resources in accordance with applicable access\n control policies.","desc":"Authentication with a CMS-approved PKI certificate does \n not necessarily imply authorization to access PostgreSQL. \n To mitigate the risk of unauthorized access to sensitive \n information by entities that have been issued certificates \n by CMS-approved PKIs, all CMS systems, including databases, \n must be properly configured to implement access control \n policies.\n\n Successful authentication must not automatically give an \n entity access to an asset or security boundary. \n Authorization procedures and controls must be implemented \n to ensure each authenticated entity also has a validated \n and current authorization. 
Authorization is the process \n of determining whether an entity, once authenticated, is \n permitted to access a specific asset. Information systems \n use access control policies and enforcement mechanisms to \n implement this requirement.\n\n Access control policies include identity-based policies, \n role-based policies, and attribute-based policies. Access \n enforcement mechanisms include access control lists, \n access control matrices, and cryptography. These policies \n and mechanisms must be employed by the application to \n control access between users (or processes acting on behalf \n of users) and objects (e.g., devices, files, records, \n processes, programs, and domains) in the information system.\n\n This requirement is applicable to access control enforcement \n applications, a category that includes database management \n systems. If PostgreSQL does not follow applicable policy when \n approving access, it may be in conflict with networks or other \n applications in the information system. This may result in \n users either gaining or being denied access inappropriately \n and in conflict with applicable policy.","descriptions":[{"label":"default","data":"Authentication with a CMS-approved PKI certificate does \n not necessarily imply authorization to access PostgreSQL. \n To mitigate the risk of unauthorized access to sensitive \n information by entities that have been issued certificates \n by CMS-approved PKIs, all CMS systems, including databases, \n must be properly configured to implement access control \n policies.\n\n Successful authentication must not automatically give an \n entity access to an asset or security boundary. \n Authorization procedures and controls must be implemented \n to ensure each authenticated entity also has a validated \n and current authorization. Authorization is the process \n of determining whether an entity, once authenticated, is \n permitted to access a specific asset. 
Information systems \n use access control policies and enforcement mechanisms to \n implement this requirement.\n\n Access control policies include identity-based policies, \n role-based policies, and attribute-based policies. Access \n enforcement mechanisms include access control lists, \n access control matrices, and cryptography. These policies \n and mechanisms must be employed by the application to \n control access between users (or processes acting on behalf \n of users) and objects (e.g., devices, files, records, \n processes, programs, and domains) in the information system.\n\n This requirement is applicable to access control enforcement \n applications, a category that includes database management \n systems. If PostgreSQL does not follow applicable policy when \n approving access, it may be in conflict with networks or other \n applications in the information system. This may result in \n users either gaining or being denied access inappropriately \n and in conflict with applicable policy."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000033-DB-000084","gid":"V-72859","rid":"SV-87511r1_rule","stig_id":"PGS9-00-000900","cci":["CCI-000213"],"nist":["AC-3","Rev_4"],"check":"From the system security plan or equivalent documentation,\n determine the appropriate permissions on database objects for each kind\n (group role) of user. If this documentation is missing, this is a finding.\n\n First, as the database administrator (shown here as \"postgres\"),\n check the privileges of all roles in the database by running the\n following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\du'\n\n Review all roles and their associated privileges. 
If any roles'\n privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n check the configured privileges for tables and columns by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\dp'\n\n Review all access privileges and column access privileges list.\n If any roles' privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n check the configured authentication settings in pg_hba.conf:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n Review all entries and their associated authentication methods.\n\n If any entries do not have their documented authentication requirements,\n this is a finding.","fix":"Create and/or maintain documentation of each group role's\n appropriate permissions on database objects.\n\n Implement these permissions in the database, and remove any permissions that\n exceed those documented.\n\n The following are examples of how to use role privileges in PostgreSQL to\n enforce access controls. For a complete list of privileges, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html\n\n #### Roles Example 1\n The following example demonstrates how to create an admin role with CREATEDB\n and CREATEROLE privileges.\n\n As the database administrator (shown here as \"postgres\"), run the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE admin WITH CREATEDB CREATEROLE\"\n\n #### Roles Example 2\n The following example demonstrates how to create a role with a password that\n expires and makes the role a member of the \"admin\" group.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE joe LOGIN ENCRYPTED PASSWORD 'stig2016!' 
VALID UNTIL\n'2016-09-20' IN ROLE admin\"\n\n #### Roles Example 3\n The following demonstrates how to revoke privileges from a role using REVOKE.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \"REVOKE admin FROM joe\"\n\n #### Roles Example 4\n The following demonstrates how to alter privileges in a role using ALTER.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \"ALTER ROLE joe NOLOGIN\"\n\n The following are examples of how to use grant privileges in PostgreSQL to\n enforce access controls on objects. For a complete list of privileges, see the\n official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-grant.html\n\n #### Grant Example 1\n The following example demonstrates how to grant INSERT on a table to a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT SELECT ON stig_test TO joe\"\n\n #### Grant Example 2\n The following example demonstrates how to grant ALL PRIVILEGES on a table to a\n role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT ALL PRIVILEGES ON stig_test TO joe\"\n\n #### Grant Example 3\n The following example demonstrates how to grant a role to a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT admin TO joe\"\n\n #### Revoke Example 1\n The following example demonstrates how to revoke access from a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"REVOKE admin FROM joe\"\n\n To change authentication requirements for the database, as the database\n administrator (shown here as \"postgres\"), edit pg_hba.conf:\n\n $ sudo su - postgres\n $ 
vi ${PGDATA?}/pg_hba.conf\n\n Edit authentication requirements to the organizational requirements. See the\n official documentation for the complete list of options for authentication:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n After changes to pg_hba.conf, reload the server:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":" control 'V-72859' do\n desc 'Authentication with a CMS-approved PKI certificate does \n not necessarily imply authorization to access PostgreSQL. \n To mitigate the risk of unauthorized access to sensitive \n information by entities that have been issued certificates \n by CMS-approved PKIs, all CMS systems, including databases, \n must be properly configured to implement access control \n policies.\n\n Successful authentication must not automatically give an \n entity access to an asset or security boundary. \n Authorization procedures and controls must be implemented \n to ensure each authenticated entity also has a validated \n and current authorization. Authorization is the process \n of determining whether an entity, once authenticated, is \n permitted to access a specific asset. Information systems \n use access control policies and enforcement mechanisms to \n implement this requirement.\n\n Access control policies include identity-based policies, \n role-based policies, and attribute-based policies. Access \n enforcement mechanisms include access control lists, \n access control matrices, and cryptography. These policies \n and mechanisms must be employed by the application to \n control access between users (or processes acting on behalf \n of users) and objects (e.g., devices, files, records, \n processes, programs, and domains) in the information system.\n\n This requirement is applicable to access control enforcement \n applications, a category that includes database management \n systems. 
If PostgreSQL does not follow applicable policy when \n approving access, it may be in conflict with networks or other \n applications in the information system. This may result in \n users either gaining or being denied access inappropriately \n and in conflict with applicable policy.'\n end\n","source_location":{"line":67,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72859.rb"},"results":[]},{"id":"V-72861","title":"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in\ntransmission.","desc":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. 
These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. 
These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000314-DB-000310","gid":"V-72861","rid":"SV-87513r1_rule","stig_id":"PGS9-00-001100","cci":["CCI-002264"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \"postgres\"), run the\n following SQL against each table that requires security labels:\n $ sudo su - postgres\n $ psql -c \"\\d+ .\"\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.","fix":"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n RLS policies can be very different depending on their use case. 
For one\n example of using RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-72861\" do\n title \"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in\ntransmission.\"\n desc \"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. 
These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000314-DB-000310\"\n tag \"gid\": \"V-72861\"\n tag \"rid\": \"SV-87513r1_rule\"\n tag \"stig_id\": \"PGS9-00-001100\"\n tag \"cci\": [\"CCI-002264\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), run the\n following SQL against each table that requires security labels:\n $ sudo su - postgres\n $ psql -c \\\"\\\\d+ .\\\"\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.\"\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n RLS policies can be very different depending on their use case. 
For one\n example of using RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72861.rb"},"results":[]},{"id":"V-72863","title":"PostgreSQL must limit the number of concurrent sessions to an\n organization-defined number per user for all accounts and/or account types.","desc":"Database management includes the ability to control the number of users\n and user sessions utilizing PostgreSQL. Unlimited concurrent connections to\n PostgreSQL could allow a successful Denial of Service (DoS) attack by\n exhausting connection resources; and a system can also fail or be degraded by\n an overload of legitimate users. Limiting the number of concurrent sessions\n per user is helpful in reducing these risks.\n This requirement addresses concurrent session control for a single account.\n It does not address concurrent sessions by a single user via multiple system\n accounts; and it does not deal with the total number of sessions across all\n accounts.\n The capability to limit the number of concurrent sessions per user must be\n configured in or added to PostgreSQL (for example, by use of a logon trigger),\n when this is technically feasible. Note that it is not sufficient to limit\n sessions via a web server or application server alone, because legitimate\n users and adversaries can potentially connect to PostgreSQL by other means.\n The organization will need to define the maximum number of concurrent sessions\n by account type, by account, or a combination thereof. In deciding on the\n appropriate number, it is important to consider the work requirements of the\n various types of users. 
For example, 2 might be an acceptable limit for\n general users accessing the database via an application; but 10 might be too\n few for a database administrator using a database management GUI tool, where\n each query tab and navigation pane may count as a separate session.\n (Sessions may also be referred to as connections or logons, which for the\n purposes of this requirement are synonyms.)","descriptions":[{"label":"default","data":"Database management includes the ability to control the number of users\n and user sessions utilizing PostgreSQL. Unlimited concurrent connections to\n PostgreSQL could allow a successful Denial of Service (DoS) attack by\n exhausting connection resources; and a system can also fail or be degraded by\n an overload of legitimate users. Limiting the number of concurrent sessions\n per user is helpful in reducing these risks.\n This requirement addresses concurrent session control for a single account.\n It does not address concurrent sessions by a single user via multiple system\n accounts; and it does not deal with the total number of sessions across all\n accounts.\n The capability to limit the number of concurrent sessions per user must be\n configured in or added to PostgreSQL (for example, by use of a logon trigger),\n when this is technically feasible. Note that it is not sufficient to limit\n sessions via a web server or application server alone, because legitimate\n users and adversaries can potentially connect to PostgreSQL by other means.\n The organization will need to define the maximum number of concurrent sessions\n by account type, by account, or a combination thereof. In deciding on the\n appropriate number, it is important to consider the work requirements of the\n various types of users. 
For example, 2 might be an acceptable limit for\n general users accessing the database via an application; but 10 might be too\n few for a database administrator using a database management GUI tool, where\n each query tab and navigation pane may count as a separate session.\n (Sessions may also be referred to as connections or logons, which for the\n purposes of this requirement are synonyms.)"},{"label":"caveat","data":"Not applicable for this CMS ARS 3.1 overlay, \n since the related security control is not applied to this \n system categorization in CMS ARS 3.1"}],"impact":0.0,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000001-DB-000031","gid":"V-72863","rid":"SV-87515r1_rule","stig_id":"PGS9-00-001200","cci":["CCI-000054"],"nist":["AC-10","Rev_4"],"check":"To check the total amount of connections allowed by the database,\n as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW max_connections\"\n If the total amount of connections is greater than documented by\n an organization, this is a finding.\n To check the amount of connections allowed for each role, as the\n database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SELECT rolname, rolconnlimit from pg_authid\"\n If any roles have more connections configured than documented,\n this is a finding. 
A value of -1 indicates unlimited connections for that role; this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To configure the maximum amount of connections allowed to the\n database, as the database administrator (shown here as \"postgres\")\n change the following in postgresql.conf\n\n (the value 10 is an example; set the value to suit local conditions):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n max_connections = 10\n\n Next, restart the database:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart\n\n To limit the amount of connections allowed by a specific role,\n as the database administrator, run the following SQL\n (replace <rolename> with the role being limited):\n\n $ psql -c \"ALTER ROLE <rolename> CONNECTION LIMIT 1\";"},"code":" control 'V-72863' do\n impact 'none'\n desc 'caveat', 'Not applicable for this CMS ARS 3.1 overlay, \n since the related security control is not applied to this \n system categorization in CMS ARS 3.1'\n end\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72863.rb"},"results":[]},{"id":"V-72865","title":"The role(s)/group(s) used to modify database structure (including but\n not necessarily limited to tables, indexes, storage, etc.) and logic\n modules (functions, trigger procedures, links to software external to\n PostgreSQL, etc.) 
must be restricted to authorized users.","desc":"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations.","descriptions":[{"label":"default","data":"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000362","gid":"V-72865","rid":"SV-87517r1_rule","stig_id":"PGS9-00-001300","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions\n on configuring PGDATA.\n\n As the database administrator (shown here as \"postgres\"),\n list all users and their permissions by running the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \"\\dp *.*\"\n\n Verify that all objects have the correct privileges. 
If they do\n not, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n verify the permissions of the database directory on the\n filesystem:\n\n $ ls -la ${PGDATA?}\n\n If permissions of the database directory are not limited to an\n authorized user account, this is a finding.","fix":"As the database administrator, revoke any permissions from a role\n that are deemed unnecessary by running the following SQL:\n\n ALTER ROLE bob NOCREATEDB;\n ALTER ROLE bob NOCREATEROLE;\n ALTER ROLE bob NOSUPERUSER;\n ALTER ROLE bob NOINHERIT;\n REVOKE SELECT ON some_function FROM bob;"},"code":"control \"V-72865\" do\n # @todo update the title of this control to something sane\n title \"The role(s)/group(s) used to modify database structure (including but\n not necessarily limited to tables, indexes, storage, etc.) and logic\n modules (functions, trigger procedures, links to software external to\n PostgreSQL, etc.) must be restricted to authorized users.\"\n desc \"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000362\"\n tag \"gid\": \"V-72865\"\n tag \"rid\": \"SV-87517r1_rule\"\n tag \"stig_id\": \"PGS9-00-001300\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions\n on configuring PGDATA.\n\n As the database administrator (shown here as \\\"postgres\\\"),\n list all users and their permissions by running the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"\\\\dp *.*\\\"\n\n Verify that all objects have the correct privileges. If they do\n not, this is a finding.\n\n Next, as the database administrator (shown here as \\\"postgres\\\"),\n verify the permissions of the database directory on the\n filesystem:\n\n $ ls -la ${PGDATA?}\n\n If permissions of the database directory are not limited to an\n authorized user account, this is a finding.\"\n\n tag \"fix\": \"As the database administrator, revoke any permissions from a role\n that are deemed unnecessary by running the following SQL:\n\n ALTER ROLE bob NOCREATEDB;\n ALTER ROLE bob NOCREATEROLE;\n ALTER ROLE bob NOSUPERUSER;\n ALTER ROLE bob NOINHERIT;\n REVOKE SELECT ON some_function FROM bob;\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n owners = authorized_owners.join('|')\n\n object_granted_privileges = 'arwdDxtU'\n object_public_privileges = 'r'\n object_acl = \"^((((#{owners})=[#{object_granted_privileges}]+|\"\\\n \"=[#{object_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n object_acl_regex = Regexp.new(object_acl)\n\n pg_settings_acl = \"^((((#{owners})=[#{object_granted_privileges}]+|\"\\\n \"=rw)\\/\\\\w+,?)+)\\\\|pg_catalog\\\\|pg_settings\\\\|v\"\n pg_settings_acl_regex = Regexp.new(pg_settings_acl)\n\n tested = []\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind \"\\\n \"FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f');\"\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate;'\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n rows 
= sql.query(objects_sql, [database])\n if rows.methods.include?(:output) # Handle connection disabled on database\n objects = rows.lines\n\n objects.each do |obj|\n unless tested.include?(obj)\n schema, object, type = obj.split('|')\n relacl_sql = \"SELECT pg_catalog.array_to_string(c.relacl, E','), \"\\\n \"n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE n.nspname = '#{schema}' AND c.relname = '#{object}' \"\\\n \"AND c.relkind = '#{type}';\"\n\n sql_result=sql.query(relacl_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should match object_acl_regex }\n end\n\n describe sql_result do\n its('output') { should match pg_settings_acl_regex }\n end\n end\n # TODO: Add test for column acl\n tested.push(obj)\n end\n end\n end\n end\n\n describe directory(PG_DATA_DIR) do\n it { should be_directory }\n it { should be_owned_by PG_OWNER }\n its('mode') { should cmp '0700' }\n end\nend\n","source_location":{"line":62,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72865.rb"},"results":[]},{"id":"V-72867","title":"PostgreSQL must uniquely identify and authenticate non-organizational\n users (or processes acting on behalf of non-organizational users).","desc":"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk assessment is used in determining the authentication needs\n of the organization.\n 
Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation.","descriptions":[{"label":"default","data":"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk assessment is used in determining the authentication needs\n of the organization.\n Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000180-DB-000115","gid":"V-72867","rid":"SV-87519r1_rule","stig_id":"PGS9-00-001400","cci":["CCI-000804"],"nist":["IA-8","Rev_4"],"check":"PostgreSQL uniquely identifies and authenticates PostgreSQL\n users through the use of DBMS roles.\n To list all roles in the database, as the database administrator (shown here\n as \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"\\du\"\n If users are not uniquely identified as per organizational documentation, this\n is a finding.","fix":"To drop a role, as the database administrator 
(shown here as\n \"postgres\"), run the following SQL (replace <role> with the role name):\n $ sudo su - postgres\n $ psql -c \"DROP ROLE <role>\"\n To create a role, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE <role> LOGIN\"\n For the complete list of permissions allowed by roles, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html"},"code":"control \"V-72867\" do\n title \"PostgreSQL must uniquely identify and authenticate non-organizational\n users (or processes acting on behalf of non-organizational users).\"\n desc \"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk assessment is used in determining the authentication needs\n of the organization.\n Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000180-DB-000115\"\n tag \"gid\": \"V-72867\"\n tag \"rid\": \"SV-87519r1_rule\"\n tag \"stig_id\": \"PGS9-00-001400\"\n tag \"cci\": [\"CCI-000804\"]\n tag \"nist\": [\"IA-8\", \"Rev_4\"]\n tag \"check\": \"PostgreSQL uniquely identifies and authenticates PostgreSQL\n users through the use of DBMS roles.\n To list all roles in the database, as 
the database administrator (shown here\n as \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"\\\\du\\\"\n If users are not uniquely identified as per organizational documentation, this\n is a finding.\"\n tag \"fix\": \"To drop a role, as the database administrator (shown here as\n \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"DROP ROLE \\\"\n To create a role, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"CREATE ROLE LOGIN\\\"\n For the complete list of permissions allowed by roles, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_roles = PG_SUPERUSERS\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r where r.rolsuper;'\n describe sql.query(roles_sql, [PG_DB]) do\n its('lines.sort') { should cmp authorized_roles.sort }\n end\nend\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72867.rb"},"results":[]},{"id":"V-72869","title":"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in storage.","desc":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example 
includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. 
If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000311-DB-000308","gid":"V-72869","rid":"SV-87521r1_rule","stig_id":"PGS9-00-001700","cci":["CCI-002262"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \"postgres\"), run the\n following SQL against each table that requires security labels\n (replace <schema>.<table> with the table being checked):\n\n $ sudo su - postgres\n $ psql -c \"\\d+ <schema>.<table>\"\n\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.","fix":"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n\n RLS policies can be very different depending on their use case. 
For one example\n of using RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-72869\" do\n title \"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in storage.\"\n desc \"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. 
If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000311-DB-000308\"\n tag \"gid\": \"V-72869\"\n tag \"rid\": \"SV-87521r1_rule\"\n tag \"stig_id\": \"PGS9-00-001700\"\n tag \"cci\": [\"CCI-002262\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), run the\n following SQL against each table that requires security labels:\n\n $ sudo su - postgres\n $ psql -c \\\"\\\\d+ .\\\"\n\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.\"\n\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n\n RLS policies can be very different depending on their use case. 
For one example\n of using RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72869.rb"},"results":[]},{"id":"V-72871","title":"PostgreSQL must check the validity of all data inputs except those\n specifically identified by the organization.","desc":"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000160","gid":"V-72871","rid":"SV-87523r1_rule","stig_id":"PGS9-00-001800","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL code (trigger procedures, functions),\n application code, settings, column and field definitions, and constraints to\n determine whether the database is protected against invalid input.\n If code exists that allows invalid data to be acted upon or input into the\n database, this is a finding.\n\n If column/field definitions do not exist in the database, this is a finding.\n If columns/fields do not contain constraints and validity checking where\n required, this is a finding.\n\n Where a column/field is noted in the system documentation as necessarily\n free-form, even though its name and context suggest that it should be strongly\n typed and constrained, the absence of these protections is not a finding.\n Where a column/field is clearly identified by name, caption or context as\n Notes, Comments, Description, Text, etc., the absence of these protections is\n not a finding.\n\n Check application code that interacts with PostgreSQL for the use of prepared\n statements. 
If prepared statements are not used, this is a finding.","fix":"Modify database code to properly validate data before it is put\n into the database or acted upon by the database.\n\n Modify the database to contain constraints and validity checking on database\n columns and tables that require them for data integrity.\n\n Use prepared statements when taking user input.\n \n Do not allow general users direct console access to PostgreSQL."},"code":"control \"V-72871\" do\n title \"PostgreSQL must check the validity of all data inputs except those\n specifically identified by the organization.\"\n desc \"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000160\"\n tag \"gid\": \"V-72871\"\n tag \"rid\": \"SV-87523r1_rule\"\n tag \"stig_id\": \"PGS9-00-001800\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL code (trigger procedures, functions),\n application code, settings, column and field definitions, and constraints to\n determine whether the database is protected against invalid input.\n If code exists that allows invalid data to be acted upon or input into the\n database, this is a finding.\n\n If column/field definitions do not exist in the database, this is a finding.\n If columns/fields do not contain constraints and validity checking where\n required, this is a finding.\n\n Where a column/field is noted in the system documentation as necessarily\n free-form, even though its name and context suggest that it should be strongly\n typed and constrained, the absence of these protections is not a finding.\n Where a column/field is clearly identified by name, caption or context as\n Notes, Comments, Description, Text, etc., the absence of these protections is\n not a finding.\n\n Check application code that interacts with PostgreSQL for the use of prepared\n statements. 
If prepared statements are not used, this is a finding.\"\n\n tag \"fix\": \"Modify database code to properly validate data before it is put\n into the database or acted upon by the database.\n\n Modify the database to contain constraints and validity checking on database\n columns and tables that require them for data integrity.\n\n Use prepared statements when taking user input.\n \n Do not allow general users direct console access to PostgreSQL.\"\n\n only_if { false }\n \nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72871.rb"},"results":[]},{"id":"V-72873","title":"PostgreSQL and associated applications must reserve the use of dynamic\n code execution for situations that require it.","desc":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. 
Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. 
Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and f\n unctions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000391","gid":"V-72873","rid":"SV-87525r1_rule","stig_id":"PGS9-00-001900","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL source code (trigger procedures, functions)\n and application source code, to identify cases of dynamic code execution. Any\n user input should be handled through prepared statements.\n If dynamic code execution is employed in circumstances where the objective\n could practically be satisfied by static execution with strongly typed\n parameters, this is a finding.","fix":"Where dynamic code execution is employed in circumstances where\n the objective could practically be satisfied by static execution with strongly\n typed parameters, modify the code to do so."},"code":"control \"V-72873\" do\n title \"PostgreSQL and associated applications must reserve the use of dynamic\n code execution for situations that require it.\"\n desc \"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. 
It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and f\n unctions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. 
At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000391\"\n tag \"gid\": \"V-72873\"\n tag \"rid\": \"SV-87525r1_rule\"\n tag \"stig_id\": \"PGS9-00-001900\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL source code (trigger procedures, functions)\n and application source code, to identify cases of dynamic code execution. Any\n user input should be handled through prepared statements.\n If dynamic code execution is employed in circumstances where the objective\n could practically be satisfied by static execution with strongly typed\n parameters, this is a finding.\"\n tag \"fix\": \"Where dynamic code execution is employed in circumstances where\n the objective could practically be satisfied by static execution with strongly\n typed parameters, modify the code to do so.\"\n\n only_if { false }\n \nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72873.rb"},"results":[]},{"id":"V-72875","title":"PostgreSQL and associated applications, when making use of dynamic code\n execution, must scan input data for invalid values that may indicate a code i\n njection attack.","desc":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. 
When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. 
Use case-insensitive comparisons when searching for these. Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker.","descriptions":[{"label":"default","data":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. 
Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. Use case-insensitive comparisons when searching for these. 
Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000392","gid":"V-72875","rid":"SV-87527r1_rule","stig_id":"PGS9-00-002000","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL source code (trigger procedures, functions)\n and application source code to identify cases of dynamic code execution.\n If dynamic code execution is employed without protective measures against code\n injection, this is a finding.","fix":"Where dynamic code execution is used, modify the code to implement\n protections against code injection (IE: prepared statements)."},"code":"control \"V-72875\" do\n title \"PostgreSQL and associated applications, when making use of dynamic code\n execution, must scan input data for invalid values that may indicate a code i\n njection attack.\"\n desc \"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. 
In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. 
In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. Use case-insensitive comparisons when searching for these. Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000392\"\n tag \"gid\": \"V-72875\"\n tag \"rid\": \"SV-87527r1_rule\"\n tag \"stig_id\": \"PGS9-00-002000\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL source code (trigger procedures, functions)\n and application source code to identify cases of dynamic code execution.\n If dynamic code execution is employed without protective measures against code\n injection, this is a finding.\"\n tag \"fix\": \"Where dynamic code execution is used, modify the code to implement\n protections against code injection (IE: prepared statements).\"\n\n only_if { false }\n 
\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72875.rb"},"results":[]},{"id":"V-72877","title":"PostgreSQL must allocate audit record storage capacity in accordance\n with organization-defined audit record storage requirements.","desc":"In order to ensure sufficient storage capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records.","descriptions":[{"label":"default","data":"In order to ensure sufficient storage capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. 
Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000357-DB-000316","gid":"V-72877","rid":"SV-87529r1_rule","stig_id":"PGS9-00-002100","cci":["CCI-001849"],"nist":["AU-4","Rev_4"],"check":"Investigate whether there have been any incidents where\n PostgreSQL ran out of audit log space since the last time the space was\n allocated or other corrective measures were taken.\n If there have been incidents where PostgreSQL ran out of audit log space,\n this is a finding.","fix":"Allocate sufficient audit file/table space to support peak demand."},"code":"control \"V-72877\" do\n title \"PostgreSQL must allocate audit record storage capacity in accordance\n with organization-defined audit record storage requirements.\"\n desc \"In order to ensure sufficient storage 
capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000357-DB-000316\"\n tag \"gid\": \"V-72877\"\n tag \"rid\": \"SV-87529r1_rule\"\n tag \"stig_id\": \"PGS9-00-002100\"\n tag \"cci\": [\"CCI-001849\"]\n tag \"nist\": [\"AU-4\", \"Rev_4\"]\n tag \"check\": \"Investigate whether there have been any incidents where\n PostgreSQL ran out of audit log space since the last time the space was\n allocated or other corrective measures were taken.\n If there have been incidents where PostgreSQL ran out of audit log space,\n this is a finding.\"\n tag \"fix\": \"Allocate sufficient audit file/table space to support peak demand.\"\n\n only_if { false }\n 
\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72877.rb"},"results":[]},{"id":"V-72883","title":"PostgreSQL must enforce discretionary access control policies, as\n defined by the data owner, over defined subjects and objects.","desc":"Discretionary Access Control (DAC) is based on the notion that\n individual users are \"owners\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. 
While the older,\n more traditional definitions of discretionary access control require i\n dentity-based access control, that limitation is not required for this use of\n discretionary access control.","descriptions":[{"label":"default","data":"Discretionary Access Control (DAC) is based on the notion that\n individual users are \"owners\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. 
While the older,\n more traditional definitions of discretionary access control require i\n dentity-based access control, that limitation is not required for this use of\n discretionary access control."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000328-DB-000301","gid":"V-72883","rid":"SV-87535r1_rule","stig_id":"PGS9-00-002200","cci":["CCI-002165"],"nist":["AC-3 (4)","Rev_4"],"check":"Review system documentation to identify the required\n discretionary access control (DAC).\n\n Review the security configuration of the database and PostgreSQL. If\n applicable, review the security configuration of the application(s) using the\n database.\n\n If the discretionary access control defined in the documentation is not\n implemented in the security configuration, this is a finding.\n\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n\n To check the ownership of objects in the database, as the database\n administrator, run the following:\n $ sudo su - postgres\n $ psql -c \"\\dn *.*\"\n $ psql -c \"\\dt *.*\"\n $ psql -c \"\\ds *.*\"\n $ psql -c \"\\dv *.*\"\n $ psql -c \"\\df+ *.*\"\n If any role is given privileges to objects it should not have, this is a\n finding.","fix":"Implement the organization's DAC policy in the security\n configuration of the database and PostgreSQL, and, if applicable, the security\n configuration of the application(s) using the database.\n To GRANT privileges to roles, as the database administrator (shown here as\n \"postgres\"), run statements like the following examples:\n $ sudo su - postgres\n $ psql -c \"CREATE SCHEMA test\"\n $ psql -c \"GRANT CREATE ON SCHEMA test TO bob\"\n $ psql -c \"CREATE TABLE test.test_table(id INT)\"\n $ psql -c \"GRANT SELECT ON TABLE test.test_table TO bob\"\n To REVOKE privileges to roles, as the database administrator (shown here as\n \"postgres\"), run statements like the following examples:\n $ psql -c \"REVOKE 
SELECT ON TABLE test.test_table FROM bob\"\n $ psql -c \"REVOKE CREATE ON SCHEMA test FROM bob\""},"code":"control \"V-72883\" do\n title \"PostgreSQL must enforce discretionary access control policies, as\n defined by the data owner, over defined subjects and objects.\"\n desc \"Discretionary Access Control (DAC) is based on the notion that\n individual users are \\\"owners\\\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. 
While the older,\n more traditional definitions of discretionary access control require i\n dentity-based access control, that limitation is not required for this use of\n discretionary access control.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000328-DB-000301\"\n tag \"gid\": \"V-72883\"\n tag \"rid\": \"SV-87535r1_rule\"\n tag \"stig_id\": \"PGS9-00-002200\"\n tag \"cci\": [\"CCI-002165\"]\n tag \"nist\": [\"AC-3 (4)\", \"Rev_4\"]\n tag \"check\": \"Review system documentation to identify the required\n discretionary access control (DAC).\n\n Review the security configuration of the database and PostgreSQL. If\n applicable, review the security configuration of the application(s) using the\n database.\n\n If the discretionary access control defined in the documentation is not\n implemented in the security configuration, this is a finding.\n\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n\n To check the ownership of objects in the database, as the database\n administrator, run the following:\n $ sudo su - postgres\n $ psql -c \\\"\\\\dn *.*\\\"\n $ psql -c \\\"\\\\dt *.*\\\"\n $ psql -c \\\"\\\\ds *.*\\\"\n $ psql -c \\\"\\\\dv *.*\\\"\n $ psql -c \\\"\\\\df+ *.*\\\"\n If any role is given privileges to objects it should not have, this is a\n finding.\"\n tag \"fix\": \"Implement the organization's DAC policy in the security\n configuration of the database and PostgreSQL, and, if applicable, the security\n configuration of the application(s) using the database.\n To GRANT privileges to roles, as the database administrator (shown here as\n \\\"postgres\\\"), run statements like the following examples:\n $ sudo su - postgres\n $ psql -c \\\"CREATE SCHEMA test\\\"\n $ psql -c \\\"GRANT CREATE ON SCHEMA test TO bob\\\"\n $ psql -c \\\"CREATE TABLE test.test_table(id INT)\\\"\n $ psql -c \\\"GRANT SELECT ON TABLE test.test_table TO bob\\\"\n To REVOKE privileges to 
roles, as the database administrator (shown here as\n \\\"postgres\\\"), run statements like the following examples:\n $ psql -c \\\"REVOKE SELECT ON TABLE test.test_table FROM bob\\\"\n $ psql -c \\\"REVOKE CREATE ON SCHEMA test FROM bob\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n types = %w(t s v) # tables, sequences views\n\n databases.each do |database|\n schemas_sql = ''\n functions_sql = ''\n\n if database == 'postgres'\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n else\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema';\"\n end\n\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n 
connection_error_regex = Regexp.new(connection_error)\n \n sql_result=sql.query(schemas_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n sql_result=sql.query(functions_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n types.each do |type|\n objects_sql = ''\n\n if database == 'postgres'\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}' \"\n \"AND n.nspname !~ '^pg_toast';\"\n else\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'\"\\\n \" AND n.nspname !~ '^pg_toast';\"\n end\n\n sql_result=sql.query(objects_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72883.rb"},"results":[]},{"id":"V-72887","title":"PostgreSQL must record time stamps, in audit records and application\n data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).","desc":"If 
time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000374-DB-000322","gid":"V-72887","rid":"SV-87539r1_rule","stig_id":"PGS9-00-002400","cci":["CCI-001890"],"nist":["AU-8 b","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n When a PostgreSQL cluster is initialized using initdb, the PostgreSQL cluster\n will be configured to use the same time zone as the target server.\n As the database administrator (shown here as \"postgres\"), check the current\n log_timezone setting by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_timezone\"\n log_timezone\n --------------\n UTC\n (1 row)\n If log_timezone is not set to the desired time zone, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To change log_timezone in postgresql.conf to use a different time zone for\n logs, as the database administrator (shown here as \"postgres\"), run the\n following:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_timezone='UTC'\n Next, restart the database:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart"},"code":"control \"V-72887\" do\n title \"PostgreSQL must record time stamps, in audit records and application\n data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).\"\n desc \"If time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000374-DB-000322\"\n tag \"gid\": \"V-72887\"\n tag \"rid\": \"SV-87539r1_rule\"\n tag \"stig_id\": \"PGS9-00-002400\"\n tag \"cci\": [\"CCI-001890\"]\n tag \"nist\": [\"AU-8 b\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n When a PostgreSQL cluster is initialized using initdb, the PostgreSQL cluster\n will be configured to use the same time zone as the target server.\n As the database administrator (shown here as \\\"postgres\\\"), check the current\n log_timezone setting by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_timezone\\\"\n log_timezone\n --------------\n UTC\n (1 row)\n If log_timezone is not set to the desired time zone, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To change log_timezone in postgresql.conf to use a different time zone for\n logs, as the database administrator (shown here as \\\"postgres\\\"), run the\n following:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_timezone='UTC'\n Next, restart the database:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW log_timezone;', [PG_DB]) do\n its('output') { should eq PG_TIMEZONE }\n end\nend\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72887.rb"},"results":[]},{"id":"V-72891","title":"PostgreSQL must allow only the ISSM (or individuals or roles appointed\n by the ISSM) to select which auditable events are to be audited.","desc":"Without the capability to restrict which roles and individuals can\n select which events are audited, unauthorized personnel may be able to prevent\n or interfere with the auditing of critical events.\n\n Suppression of auditing could permit an adversary to evade detection.\n\n Misconfigured audits can degrade the system's performance by overwhelming the\n audit log. 
Misconfigured audits may also make it more difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can\n select which events are audited, unauthorized personnel may be able to prevent\n or interfere with the auditing of critical events.\n\n Suppression of auditing could permit an adversary to evade detection.\n\n Misconfigured audits can degrade the system's performance by overwhelming the\n audit log. Misconfigured audits may also make it more difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000090-DB-000065","gid":"V-72891","rid":"SV-87543r1_rule","stig_id":"PGS9-00-002600","cci":["CCI-000171"],"nist":["AU-12 b","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Check PostgreSQL settings and documentation to determine whether designated\n personnel are able to select which auditable events are being audited.\n As the database administrator (shown here as \"postgres\"), verify the\n permissions for PGDATA:\n $ ls -la ${PGDATA?}\n If anything in PGDATA is not owned by the database administrator, this is a\n finding.\n Next, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"\\du\"\n Review the role permissions, if any role is listed as superuser but should not\n have that access, this is a finding.","fix":"Configure PostgreSQL's settings to allow designated personnel to\n select which auditable events are audited.\n Using pgaudit allows administrators the flexibility to choose what they log.\n For an overview of the capabilities of pgaudit, see\n https://github.com/pgaudit/pgaudit.\n See supplementary content APPENDIX-B for documentation on installing pgaudit.\n See supplementary content APPENDIX-C for instructions on enabling logging.\n Only administrators/superuser can change PostgreSQL configurations. 
Access to\n the database administrator must be limited to designated personnel only.\n To ensure that postgresql.conf is owned by the database owner:\n $ chown postgres:postgres ${PGDATA?}/postgresql.conf\n $ chmod 600 ${PGDATA?}/postgresql.conf"},"code":" control \"V-72891\" do\n sql = postgres_session(attribute('pg_dba'), attribute('pg_dba_password'), attribute('pg_host'))\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [attribute('pg_db')])\n roles = roles_query.lines\n\n roles.each do |role|\n unless attribute('pg_superusers').include?(role)\n superuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [attribute('pg_db')]) do\n its('output') { should_not eq 't' }\n end\n end\n end\n end\n","source_location":{"line":57,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72891.rb"},"results":[]},{"id":"V-72893","title":"PostgreSQL must provide an immediate real-time alert to appropriate\n support staff of all audit failure events requiring real-time alerts.","desc":"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert o\n ccurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. 
The term \"the system\" is used to encompass all of these.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert o\n ccurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. The term \"the system\" is used to encompass all of these."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000360-DB-000320","gid":"V-72893","rid":"SV-87545r1_rule","stig_id":"PGS9-00-002700","cci":["CCI-001858"],"nist":["AU-5 (2)","Rev_4"],"check":"Review the system documentation to determine which audit failure\n events require real-time alerts.\n Review the system settings and code. If the real-time alerting that is\n specified in the documentation is not enabled, this is a finding.","fix":"Configure the system to provide an immediate real-time alert to\n appropriate support staff when a specified audit failure occurs.\n It is possible to create scripts or implement third-party tools to enable\n real-time alerting for audit failures in PostgreSQL."},"code":"control \"V-72893\" do\n title \"PostgreSQL must provide an immediate real-time alert to appropriate\n support staff of all audit failure events requiring real-time alerts.\"\n desc \"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. 
Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert o\n ccurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. The term \\\"the system\\\" is used to encompass all of these.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000360-DB-000320\"\n tag \"gid\": \"V-72893\"\n tag \"rid\": \"SV-87545r1_rule\"\n tag \"stig_id\": \"PGS9-00-002700\"\n tag \"cci\": [\"CCI-001858\"]\n tag \"nist\": [\"AU-5 (2)\", \"Rev_4\"]\n tag \"check\": \"Review the system documentation to determine which audit failure\n events require real-time alerts.\n Review the system settings and code. If the real-time alerting that is\n specified in the documentation is not enabled, this is a finding.\"\n tag \"fix\": \"Configure the system to provide an immediate real-time alert to\n appropriate support staff when a specified audit failure occurs.\n It is possible to create scripts or implement third-party tools to enable\n real-time alerting for audit failures in PostgreSQL.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72893.rb"},"results":[]},{"id":"V-72895","title":"PostgreSQL must maintain the confidentiality and integrity of\n information during reception.","desc":"Information can be either unintentionally or maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. 
These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.","descriptions":[{"label":"default","data":"Information can be either unintentionally or maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. 
Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000442-DB-000379","gid":"V-72895","rid":"SV-87547r1_rule","stig_id":"PGS9-00-003000","cci":["CCI-002422"],"nist":["SC-8 (2)","Rev_4"],"check":"If the data owner does not have a strict requirement for\n ensuring data integrity and confidentiality is maintained at every step of the\n data transfer and handling process, this is not a finding.\n\n Note: The following instructions use the PGDATA environment variable. See\n supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\n As the database administrator (shown here as \"postgres\"), verify SSL is\n enabled in postgresql.conf by:\n\n First, open the postgresql.conf file and ensure the ssl parameter is set to on:\n\n $ vi ${PGDATA?}/postgresql.conf\n ssl = on\n\n is set and not commented out with a '#'.\n\n Second, run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n\n If SSL is off, this is a finding.\n\n If PostgreSQL, associated applications, and infrastructure do not employ\n protective measures against unauthorized disclosure and modification during\n reception, this is a finding.","fix":"Implement protective measures against unauthorized disclosure and\n modification during reception.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G for\n instructions on enabling SSL."},"code":"control \"V-72895\" do\n title \"PostgreSQL must maintain the confidentiality and integrity of\n information during reception.\"\n desc \"Information can be either unintentionally or 
maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000442-DB-000379\"\n tag \"gid\": \"V-72895\"\n tag \"rid\": \"SV-87547r1_rule\"\n tag \"stig_id\": \"PGS9-00-003000\"\n tag \"cci\": [\"CCI-002422\"]\n tag \"nist\": [\"SC-8 (2)\", \"Rev_4\"]\n tag \"check\": \"If the data owner does not have a strict requirement for\n ensuring data integrity and confidentiality is maintained at every step of the\n data transfer and handling process, this is not a finding.\n\n As the database administrator (shown here as \\\"postgres\\\"), verify SSL is\n enabled in postgresql.conf by:\n\n First, open the postgresql.conf file and ensure the ssl paramater is set to on:\n\n $ vi /postgresql.conf\n $ ssl = 'on'\n\n is set and not commented out with a '#'.\n\n Second, run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW ssl\\\"\n\n If SSL is off, this is a finding.\n\n If PostgreSQL, associated applications, and infrastructure do not employ\n protective measures against 
unauthorized disclosure and modification during\n reception, this is a finding.\"\n\n tag \"fix\": \"Implement protective measures against unauthorized disclosure and\n modification during reception.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G for\n instructions on enabling SSL.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72895.rb"},"results":[]},{"id":"V-72897","title":"Database objects (including but not limited to tables, indexes,\n storage, trigger procedures, functions, links to software external to\n PostgreSQL, etc.) must be owned by database/DBMS principals authorized for\n ownership.","desc":"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. Database functions and procedures can be coded using\n definer's rights. This allows anyone who utilizes the object to perform the\n actions if they were the owner. If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed.","descriptions":[{"label":"default","data":"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. Database functions and procedures can be coded using\n definer's rights. This allows anyone who utilizes the object to perform the\n actions if they were the owner. 
If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000200","gid":"V-72897","rid":"SV-87549r1_rule","stig_id":"PGS9-00-003100","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review system documentation to identify accounts authorized to\n own database objects. Review accounts that own objects in the database(s).\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n To check the ownership of objects in the database, as the database\n administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -x -c \"\\dn *.*\"\n $ psql -x -c \"\\dt *.*\"\n $ psql -x -c \"\\ds *.*\"\n $ psql -x -c \"\\dv *.*\"\n $ psql -x -c \"\\df+ *.*\"\n If any object is not owned by an authorized role for ownership, this is a\n finding.","fix":"Assign ownership of authorized objects to authorized object owner\n accounts.\n #### Schema Owner\n To create a schema owned by the user bob, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"CREATE SCHEMA test AUTHORIZATION bob\"\n To alter the ownership of an existing object to be owned by the user bob,\n run the following SQL:\n $ sudo su - postgres\n $ psql -c \"ALTER SCHEMA test OWNER TO bob\""},"code":"control \"V-72897\" do\n title \"Database objects (including but not limited to tables, indexes,\n storage, trigger procedures, functions, links to software external to\n PostgreSQL, etc.) must be owned by database/DBMS principals authorized for\n ownership.\"\n desc \"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. 
Database functions and procedures can be coded using\n definer's rights. This allows anyone who utilizes the object to perform the\n actions if they were the owner. If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000200\"\n tag \"gid\": \"V-72897\"\n tag \"rid\": \"SV-87549r1_rule\"\n tag \"stig_id\": \"PGS9-00-003100\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review system documentation to identify accounts authorized to\n own database objects. Review accounts that own objects in the database(s).\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n To check the ownership of objects in the database, as the database\n administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\dn *.*\\\"\n $ psql -x -c \\\"\\\\dt *.*\\\"\n $ psql -x -c \\\"\\\\ds *.*\\\"\n $ psql -x -c \\\"\\\\dv *.*\\\"\n $ psql -x -c \\\"\\\\df+ *.*\\\"\n If any object is not owned by an authorized role for ownership, this is a\n finding.\"\n tag \"fix\": \"Assign ownership of authorized objects to authorized object owner\n accounts.\n #### Schema Owner\n To create a schema owned by the user bob, run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"CREATE SCHEMA test AUTHORIZATION bob\n To alter the ownership of an existing object to be owned by the user bob,\n run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"ALTER SCHEMA test OWNER TO bob\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = 
sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n types = %w(t s v) # tables, sequences views\n\n databases.each do |database|\n schemas_sql = ''\n functions_sql = ''\n\n if database == 'postgres'\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n else\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema';\"\n end\n\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n connection_error_regex = Regexp.new(connection_error)\n\n sql_result=sql.query(schemas_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n sql_result=sql.query(functions_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match 
connection_error_regex }\n end\n end\n\n types.each do |type|\n objects_sql = ''\n\n if database == 'postgres'\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}' \"\n \"AND n.nspname !~ '^pg_toast';\"\n else\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'\"\\\n \" AND n.nspname !~ '^pg_toast';\"\n end\n\n sql_result=sql.query(objects_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72897.rb"},"results":[]},{"id":"V-72899","title":"The PostgreSQL software installation account must be restricted to\n authorized users.","desc":"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized 
individuals must be allowed access\n to information system components for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a great impact on database\n security and operation. It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them.","descriptions":[{"label":"default","data":"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized individuals must be allowed access\n to information system components for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a great impact on database\n security and operation. 
It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000198","gid":"V-72899","rid":"SV-87551r1_rule","stig_id":"PGS9-00-003200","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review procedures for controlling, granting access to, and\n tracking use of the PostgreSQL software installation account(s).\n If access or use of this account is not restricted to the minimum number of\n personnel required or if unauthorized access to the account has been granted,\n this is a finding.","fix":"Develop, document, and implement procedures to restrict and track\n use of the PostgreSQL software installation account."},"code":"control \"V-72899\" do\n title \"The PostgreSQL software installation account must be restricted to\n authorized users.\"\n desc \"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized individuals must be allowed access\n to information system components for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a great impact on database\n security and operation. 
It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000198\"\n tag \"gid\": \"V-72899\"\n tag \"rid\": \"SV-87551r1_rule\"\n tag \"stig_id\": \"PGS9-00-003200\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review procedures for controlling, granting access to, and\n tracking use of the PostgreSQL software installation account(s).\n If access or use of this account is not restricted to the minimum number of\n personnel required or if unauthorized access to the account has been granted,\n this is a finding.\"\n tag \"fix\": \"Develop, document, and implement procedures to restrict and track\n use of the PostgreSQL software installation account.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72899.rb"},"results":[]},{"id":"V-72901","title":"Database software, including PostgreSQL configuration files, must be\n stored in dedicated directories separate from the host OS and other\n applications.","desc":"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. 
Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. Any\n method that provides any level of separation of security context assists in\n the protection between applications.","descriptions":[{"label":"default","data":"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. Any\n method that provides any level of separation of security context assists in\n the protection between applications."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000199","gid":"V-72901","rid":"SV-87553r1_rule","stig_id":"PGS9-00-003300","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review the PostgreSQL software library directory and any\n subdirectories.\n If any non-PostgreSQL software directories exist on the disk directory,\n examine or investigate their use. 
If any of the directories are used by other\n applications, including third-party applications that use the PostgreSQL, this\n is a finding.\n Only applications that are required for the functioning and administration,\n not use, of the PostgreSQL should be located in the same disk directory as\n the PostgreSQL software libraries.\n If other applications are located in the same directory as PostgreSQL, this\n is a finding.","fix":"Install all applications on directories separate from the\n PostgreSQL software library directory. Relocate any directories or reinstall\n other application software that currently shares the PostgreSQL software\n library directory."},"code":"control \"V-72901\" do\n title \"Database software, including PostgreSQL configuration files, must be\n stored in dedicated directories separate from the host OS and other\n applications.\"\n desc \"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. 
Any\n method that provides any level of separation of security context assists in\n the protection between applications.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000199\"\n tag \"gid\": \"V-72901\"\n tag \"rid\": \"SV-87553r1_rule\"\n tag \"stig_id\": \"PGS9-00-003300\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review the PostgreSQL software library directory and any\n subdirectories.\n If any non-PostgreSQL software directories exist on the disk directory,\n examine or investigate their use. If any of the directories are used by other\n applications, including third-party applications that use the PostgreSQL, this\n is a finding.\n Only applications that are required for the functioning and administration,\n not use, of the PostgreSQL should be located in the same disk directory as\n the PostgreSQL software libraries.\n If other applications are located in the same directory as PostgreSQL, this\n is a finding.\"\n tag \"fix\": \"Install all applications on directories separate from the\n PostgreSQL software library directory. 
Relocate any directories or reinstall\n other application software that currently shares the PostgreSQL software\n library directory.\"\n\n PG_SHARED_DIRS.each do |dir|\n describe directory(dir) do\n it { should be_directory }\n it { should be_owned_by 'root' }\n it { should be_grouped_into 'root' }\n its('mode') { should cmp '0755' }\n end\n\n describe command(\"lsof | awk '$9 ~ \\\"#{dir}\\\" {print $1}'\") do\n its('stdout') { should match /^$|postgres|postmaster/ }\n its('stderr') { should eq '' }\n end\n end\nend\n","source_location":{"line":32,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb"},"results":[]},{"id":"V-72903","title":"PostgreSQL must include additional, more detailed, organization-defined\n information in the audit records for audit events identified by type,\n location, or subject.","desc":"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000101-DB-000044","gid":"V-72903","rid":"SV-87555r1_rule","stig_id":"PGS9-00-003500","cci":["CCI-000135"],"nist":["AU-3 (1)","Rev_4"],"check":"Review the system documentation to identify what additional\n information the organization has determined necessary.\n Check PostgreSQL settings and existing audit records to verify that all\n organization-defined additional, more detailed information is in the audit\n records for audit events identified by type, location, or subject.\n If any additional information is defined and is not contained in the audit\n records, this is a finding.","fix":"Configure PostgreSQL audit settings to include all\n organization-defined detailed information in the audit records for audit\n events identified by type, location, or subject.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging."},"code":"control \"V-72903\" do\n title \"PostgreSQL must include additional, more detailed, organization-defined\n information in the audit records for audit events identified by type,\n location, or subject.\"\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. 
To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000101-DB-000044\"\n tag \"gid\": \"V-72903\"\n tag \"rid\": \"SV-87555r1_rule\"\n tag \"stig_id\": \"PGS9-00-003500\"\n tag \"cci\": [\"CCI-000135\"]\n tag \"nist\": [\"AU-3 (1)\", \"Rev_4\"]\n tag \"check\": \"Review the system documentation to identify what additional\n information the organization has determined necessary.\n Check PostgreSQL settings and existing audit records to verify that all\n organization-defined additional, more detailed information is in the audit\n records for audit events identified by type, location, or subject.\n If any additional information is defined and is not contained in the audit\n records, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL audit settings to include all\n organization-defined detailed information in the audit records for audit\n events identified 
by type, location, or subject.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72903.rb"},"results":[]},{"id":"V-72905","title":"Execution of software modules (to include functions and trigger\n procedures) with elevated privileges must be restricted to necessary cases\n only.","desc":"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. 
At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000342-DB-000302","gid":"V-72905","rid":"SV-87557r1_rule","stig_id":"PGS9-00-003600","cci":["CCI-002233"],"nist":["AC-6 (8)","Rev_4"],"check":"Functions in PostgreSQL can be created with the SECURITY\n DEFINER option. 
When SECURITY DEFINER functions are executed by a user, said\n function is run with the privileges of the user who created it.\n To list all functions that have SECURITY DEFINER, as, the database\n administrator (shown here as \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SELECT nspname, proname, proargtypes, prosecdef, rolname,\n proconfig FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN\n pg_authid a ON a.oid = p.proowner WHERE prosecdef OR NOT proconfig IS NULL;\"\n In the query results, a prosecdef value of \"t\" on a row indicates that that\n function uses privilege elevation.\n If elevation of PostgreSQL privileges is utilized but not documented, this is\n a finding.\n If elevation of PostgreSQL privileges is documented, but not implemented as\n described in the documentation, this is a finding.\n If the privilege-elevation logic can be invoked in ways other than intended,\n or in contexts other than intended, or by subjects/principals other than\n intended, this is a finding.","fix":"Determine where, when, how, and by what principals/subjects\n elevated privilege is needed.\n To change a SECURITY DEFINER function to SECURITY INVOKER, as the database\n administrator (shown here as \"postgres\"), run the following SQL: $ sudo su - postgres\n $ psql -c \"ALTER FUNCTION SECURITY INVOKER;\""},"code":"control \"V-72905\" do\n title \"Execution of software modules (to include functions and trigger\n procedures) with elevated privileges must be restricted to necessary cases\n only.\"\n desc \"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. 
However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000342-DB-000302\"\n tag \"gid\": \"V-72905\"\n tag \"rid\": \"SV-87557r1_rule\"\n tag \"stig_id\": \"PGS9-00-003600\"\n tag \"cci\": [\"CCI-002233\"]\n tag \"nist\": [\"AC-6 (8)\", \"Rev_4\"]\n tag \"check\": \"Functions in PostgreSQL can be created with the SECURITY\n DEFINER option. 
When SECURITY DEFINER functions are executed by a user, said\n function is run with the privileges of the user who created it.\n To list all functions that have SECURITY DEFINER, as, the database\n administrator (shown here as \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SELECT nspname, proname, proargtypes, prosecdef, rolname,\n proconfig FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN\n pg_authid a ON a.oid = p.proowner WHERE prosecdef OR NOT proconfig IS NULL;\\\"\n In the query results, a prosecdef value of \\\"t\\\" on a row indicates that that\n function uses privilege elevation.\n If elevation of PostgreSQL privileges is utilized but not documented, this is\n a finding.\n If elevation of PostgreSQL privileges is documented, but not implemented as\n described in the documentation, this is a finding.\n If the privilege-elevation logic can be invoked in ways other than intended,\n or in contexts other than intended, or by subjects/principals other than\n intended, this is a finding.\"\n tag \"fix\": \"Determine where, when, how, and by what principals/subjects\n elevated privilege is needed.\n To change a SECURITY DEFINER function to SECURITY INVOKER, as the database\n administrator (shown here as \\\"postgres\\\"), run the following SQL:\\\n $ sudo su - postgres\n $ psql -c \\\"ALTER FUNCTION SECURITY INVOKER;\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n security_definer_sql = \"SELECT nspname, proname, prosecdef \"\\\n \"FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid \"\\\n \"JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't';\"\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n 
connection_error_regex = Regexp.new(connection_error)\n\n sql_result=sql.query(security_definer_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72905.rb"},"results":[]},{"id":"V-72909","title":"PostgreSQL must utilize centralized management of the content captured\n in audit records generated by all components of PostgreSQL.","desc":"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. Whatever the method used, it must be compatible with\n off-loading the records to the centralized system.","descriptions":[{"label":"default","data":"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). 
Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. Whatever the method used, it must be compatible with\n off-loading the records to the centralized system."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000356-DB-000314","gid":"V-72909","rid":"SV-87561r1_rule","stig_id":"PGS9-00-003800","cci":["CCI-001844"],"nist":["AU-3 (2)","Rev_4"],"check":"On UNIX systems, PostgreSQL can be configured to use stderr,\n csvlog and syslog. To send logs to a centralized location, syslog should be\n used.\n As the database owner (shown here as \"postgres\"), ensure PostgreSQL uses\n syslog by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_destination\"\n As the database owner (shown here as \"postgres\"), check which log facility\n PostgreSQL is configured by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW syslog_facility\"\n Check with the organization to see how syslog facilities are defined in their\n organization.\n If PostgreSQL audit records are not written directly to or systematically\n transferred to a centralized log management system, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n With logging enabled, as the database owner (shown here as \"postgres\"),\n configure the follow parameters in postgresql.conf:\n Note: Consult the organization on how syslog facilities are defined in the\n syslog daemon configuration.\n $ sudo su - postgres\n $ vi 'log_destination' ${PGDATA?}/postgresql.conf\n log_destination = 'syslog'\n syslog_facility = 'LOCAL0'\n syslog_ident = 'postgres'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72909\" do\n title \"PostgreSQL must utilize centralized management of the content captured\n in audit records generated by all components of PostgreSQL.\"\n desc \"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. 
Whatever the method used, it must be compatible with\n off-loading the records to the centralized system.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000356-DB-000314\"\n tag \"gid\": \"V-72909\"\n tag \"rid\": \"SV-87561r1_rule\"\n tag \"stig_id\": \"PGS9-00-003800\"\n tag \"cci\": [\"CCI-001844\"]\n tag \"nist\": [\"AU-3 (2)\", \"Rev_4\"]\n tag \"check\": \"On UNIX systems, PostgreSQL can be configured to use stderr,\n csvlog and syslog. To send logs to a centralized location, syslog should be\n used.\n As the database owner (shown here as \\\"postgres\\\"), ensure PostgreSQL uses\n syslog by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_destination\\\"\n As the database owner (shown here as \\\"postgres\\\"), check which log facility\n PostgreSQL is configured by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW syslog_facility\\\"\n Check with the organization to see how syslog facilities are defined in their\n organization.\n If PostgreSQL audit records are not written directly to or systematically\n transferred to a centralized log management system, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n With logging enabled, as the database owner (shown here as \\\"postgres\\\"),\n configure the follow parameters in postgresql.conf:\n Note: Consult the organization on how syslog facilities are defined in the\n syslog daemon configuration.\n $ sudo su - postgres\n $ vi 'log_destination' ${PGDATA?}/postgresql.conf\n log_destination = 'syslog'\n syslog_facility = 'LOCAL0'\n syslog_ident = 'postgres'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW log_destination;', [PG_DB]) do\n its('output') { should match /syslog/i }\n end\n\n describe sql.query('SHOW syslog_facility;', [PG_DB]) do\n its('output') { should match /local[0-7]/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72909.rb"},"results":[]},{"id":"V-72911","title":"PostgreSQL must isolate security functions from non-security functions.","desc":"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n 
Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. 
When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000233-DB-000124","gid":"V-72911","rid":"SV-87563r1_rule","stig_id":"PGS9-00-004000","cci":["CCI-001084"],"nist":["SC-3","Rev_4"],"check":"Check PostgreSQL settings to determine whether objects or code\n implementing security functionality are located in a separate security domain,\n such as a separate database or schema created specifically for security\n functionality.\n By default, all objects in pg_catalog and information_schema are owned by the\n database administrator.\n To check the access controls for those schemas, as the database administrator\n (shown here as \"postgres\"), run the following commands to review the access\n privileges granted on the data dictionary and security tables, views,\n sequences, functions and trigger procedures:\n $ sudo su - postgres\n $ psql -x -c \"\\dp pg_catalog.*\"\n $ psql -x -c \"\\dp information_schema.*\"\n Repeat the \\dp statements for any additional schemas that contain locally\n defined security objects.\n\nRepeat using \\df+*.* to review ownership of\n PostgreSQL functions:\n $ sudo su - postgres\n $ psql -x -c \"\\df+ pg_catalog.*\"\n $ psql -x -c \"\\df+ information_schema.*\"\n Refer to the PostgreSQL online documentation for GRANT for help in\n interpreting the Access Privileges column in the output from \\dp (not \\du,\n which lists roles rather than object privileges). Note that\n an entry starting with an equals sign indicates privileges granted to Public\n (all users). 
By default, most of the tables and views in the pg_catalog and\n information_schema schemas can be read by Public.\n If any user besides the database administrator(s) is listed in access\n privileges and not documented, this is a finding.\n If security-related database objects or code are not kept separate, this is a\n finding.","fix":"Do not locate security-related database objects with application\n tables or schema.\n Review any site-specific applications security modules built into the\n database: determine what schema they are located in and take appropriate\n action.\n Do not grant access to pg_catalog or information_schema to anyone but the\n database administrator(s). Access to the database administrator account(s)\n must not be granted to anyone without official approval."},"code":"control \"V-72911\" do\n title \"PostgreSQL must isolate security functions from non-security functions.\"\n desc \"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. 
When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000233-DB-000124\"\n tag \"gid\": \"V-72911\"\n tag \"rid\": \"SV-87563r1_rule\"\n tag \"stig_id\": \"PGS9-00-004000\"\n tag \"cci\": [\"CCI-001084\"]\n tag \"nist\": [\"SC-3\", \"Rev_4\"]\n tag \"check\": \"Check PostgreSQL settings to determine whether objects or code\n implementing security functionality are located in a separate security domain,\n such as a separate database or schema created specifically for security\n functionality.\n By default, all objects in pg_catalog and information_schema are owned by the\n database administrator.\n To check the access controls for those schemas, as the database administrator\n (shown here as \\\"postgres\\\"), run the following commands to review the access\n privileges granted on the data dictionary and security tables, views,\n sequences, functions and trigger procedures:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\dp pg_catalog.*\\\"\n $ psql -x -c \\\"\\\\dp information_schema.*\\\"\n Repeat the \\\\dp statements for any additional schemas that contain locally\n defined security objects.\n\nRepeat using \\\\df+*.* to review ownership of\n PostgreSQL functions:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\df+ pg_catalog.*\\\"\n $ psql -x -c \\\"\\\\df+ information_schema.*\\\"\n Refer to the PostgreSQL online documentation for GRANT for help in\n interpreting the Access Privileges column in the output from \\\\dp (not \\\\du,\n which lists roles rather than object privileges). Note that\n an entry starting with an equals sign indicates privileges granted to Public\n (all users). 
By default, most of the tables and views in the pg_catalog and\n information_schema schemas can be read by Public.\n If any user besides the database administrator(s) is listed in access\n privileges and not documented, this is a finding.\n If security-related database objects or code are not kept separate, this is a\n finding.\"\n tag \"fix\": \"Do not locate security-related database objects with application\n tables or schema.\n Review any site-specific applications security modules built into the\n database: determine what schema they are located in and take appropriate\n action.\n Do not grant access to pg_catalog or information_schema to anyone but the\n database administrator(s). Access to the database administrator account(s)\n must not be granted to anyone without official approval.\"\n\n exceptions = \"#{PG_OBJECT_EXCEPTIONS.map { |e| \"'#{e}'\" }.join(',')}\"\n object_acl = \"^(((#{PG_OWNER}=[#{PG_OBJECT_GRANTED_PRIVILEGES}]+|\"\\\n \"=[#{PG_OBJECT_PUBLIC_PRIVILEGES}]+)\\\\/\\\\w+,?)+|)$\"\n schemas = ['pg_catalog', 'information_schema']\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n schemas.each do |schema|\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.array_to_string(c.relacl, E',') FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f') \"\\\n \"AND n.nspname ~ '^(#{schema})$' \"\\\n \"AND pg_catalog.array_to_string(c.relacl, E',') !~ '#{object_acl}' \"\\\n \"AND c.relname NOT IN (#{exceptions});\"\n\n describe sql.query(objects_sql, [PG_DB]) do\n its('output') { should eq '' }\n end\n\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE n.nspname ~ '^(#{schema})$' \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n\n describe 
sql.query(functions_sql, [PG_DB]) do\n its('output') { should eq '' }\n end\n end\nend\n","source_location":{"line":70,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72911.rb"},"results":[]},{"id":"V-72917","title":"When updates are applied to PostgreSQL software, any software\n components that have been replaced or made unnecessary must be removed.","desc":"Previous versions of PostgreSQL components that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. This should be taken into account in the planning.","descriptions":[{"label":"default","data":"Previous versions of PostgreSQL components that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. 
This should be taken into account in the planning."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000454-DB-000389","gid":"V-72917","rid":"SV-87569r1_rule","stig_id":"PGS9-00-004300","cci":["CCI-002617"],"nist":["SI-2 (6)","Rev_4"],"check":"To check software installed by packages, as the system\n administrator, run the following command:\n # RHEL/CENT Systems\n $ sudo rpm -qa | grep postgres\n # Debian/Ubuntu Systems\n $ dpkg -l | grep postgres\n If multiple versions of postgres are installed but are unused, this is a\n finding.","fix":"Use package managers (RPM or apt-get) for installing PostgreSQL.\n Unused software is removed when updated. Note: this holds for minor updates\n within one major version; PostgreSQL major versions are shipped as separately\n named, co-installable packages and remain installed side by side, so superseded\n major-version packages must be removed explicitly once any transition period\n has ended."},"code":"control \"V-72917\" do\n title \"When updates are applied to PostgreSQL software, any software\n components that have been replaced or made unnecessary must be removed.\"\n desc \"Previous versions of PostgreSQL components that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. 
This should be taken into account in the planning.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000454-DB-000389\"\n tag \"gid\": \"V-72917\"\n tag \"rid\": \"SV-87569r1_rule\"\n tag \"stig_id\": \"PGS9-00-004300\"\n tag \"cci\": [\"CCI-002617\"]\n tag \"nist\": [\"SI-2 (6)\", \"Rev_4\"]\n tag \"check\": \"To check software installed by packages, as the system\n administrator, run the following command:\n # RHEL/CENT Systems\n $ sudo rpm -qa | grep postgres\n # Debian/Ubuntu Systems\n $ dpkg -l | grep postgres\n If multiple versions of postgres are installed but are unused, this is a\n finding.\"\n tag \"fix\": \"Use package managers (RPM or apt-get) for installing PostgreSQL.\n Unused software is removed when updated. Note: this holds for minor updates\n within one major version; PostgreSQL major versions are shipped as separately\n named, co-installable packages and remain installed side by side, so superseded\n major-version packages must be removed explicitly once any transition period\n has ended.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72917.rb"},"results":[]},{"id":"V-72919","title":"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is accessed.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000494-DB-000344","gid":"V-72919","rid":"SV-87571r1_rule","stig_id":"PGS9-00-004400","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), run\n the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW pgaudit.log\"\n If pgaudit.log does not contain, \"ddl, write, role\", this is a finding.\n Note: the ddl, write and role classes do not cover SELECT. Auditing of read\n access to categorized information additionally requires the read class\n (SELECT/COPY), which V-72931, V-72949 and V-72953 in this profile require.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72919\" do\n title \"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is accessed.\"\n desc \"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000494-DB-000344\"\n tag \"gid\": \"V-72919\"\n tag \"rid\": \"SV-87571r1_rule\"\n tag \"stig_id\": \"PGS9-00-004400\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), run\n the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If pgaudit.log does not contain, \\\"ddl, write, role\\\", this is a finding.\n Note: the ddl, write and role classes do not cover SELECT. Auditing of read\n access to categorized information additionally requires the read class\n (SELECT/COPY), which V-72931, V-72949 and V-72953 in this profile require.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. 
See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgaudit_types = %w(ddl role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72919.rb"},"results":[]},{"id":"V-72931","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n delete categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000502-DB-000349","gid":"V-72931","rid":"SV-87583r1_rule","stig_id":"PGS9-00-005000","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain \"pgaudit\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72931\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n delete categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000502-DB-000349\"\n tag \"gid\": \"V-72931\"\n tag \"rid\": \"SV-87583r1_rule\"\n tag \"stig_id\": \"PGS9-00-005000\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The 
following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72931.rb"},"results":[]},{"id":"V-72949","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n modify categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000498-DB-000347","gid":"V-72949","rid":"SV-87601r1_rule","stig_id":"PGS9-00-005600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain \"pgaudit\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to modify categories of information.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging. 
All denials are logged when logging is enabled.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72949\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n modify categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000498-DB-000347\"\n tag \"gid\": \"V-72949\"\n tag \"rid\": \"SV-87601r1_rule\"\n tag \"stig_id\": \"PGS9-00-005600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to produce audit records 
when unsuccessful\n attempts to modify categories of information.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging. All denials are logged when logging is enabled.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72949.rb"},"results":[]},{"id":"V-72953","title":"PostgreSQL must generate audit records for all privileged activities or\n other system-level access.","desc":"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. 
In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity.","descriptions":[{"label":"default","data":"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. 
Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000504-DB-000354","gid":"V-72953","rid":"SV-87605r1_rule","stig_id":"PGS9-00-005800","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n shared_preload_libraries = 'pgaudit'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n Note: use straight single quotes in postgresql.conf. shared_preload_libraries\n is read only at server start, so if it was added or changed a reload is not\n sufficient: restart the server (systemctl restart postgresql-9.5, or\n service postgresql-9.5 restart) and confirm with SHOW shared_preload_libraries\n that pgaudit is loaded."},"code":"control \"V-72953\" do\n title \"PostgreSQL must generate audit records for all privileged activities or\n other system-level access.\"\n desc \"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. 
Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000504-DB-000354\"\n tag \"gid\": \"V-72953\"\n tag \"rid\": \"SV-87605r1_rule\"\n tag \"stig_id\": \"PGS9-00-005800\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n shared_preload_libraries = ‘pgaudit’\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72953.rb"},"results":[]},{"id":"V-72955","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n access categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000494-DB-000345","gid":"V-72955","rid":"SV-87607r1_rule","stig_id":"PGS9-00-005900","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator (shown here as\n \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW pgaudit.log\"\n If pgaudit.log does not contain, \"ddl, write, role\", this is a finding.","fix":"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to access categories of information.\n All denials are logged if logging is enabled. To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-$9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72955\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n access categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000494-DB-000345\"\n tag \"gid\": \"V-72955\"\n tag \"rid\": \"SV-87607r1_rule\"\n tag \"stig_id\": \"PGS9-00-005900\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as\n \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If pgaudit.log does not contain, \\\"ddl, write, role\\\", this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to access categories of information.\n All denials are logged if logging is enabled. 
To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-$9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgaudit_types = %w(ddl role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72955.rb"},"results":[]},{"id":"V-72957","title":"PostgreSQL must be able to generate audit records when security objects\n are accessed.","desc":"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DRO.","descriptions":[{"label":"default","data":"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n 
DRO."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000492-DB-000332","gid":"V-72957","rid":"SV-87609r1_rule","stig_id":"PGS9-00-006000","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72957\" do\n title \"PostgreSQL must be able to generate audit records when security objects\n are accessed.\"\n desc \"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DRO.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": 
\"SRG-APP-000492-DB-000332\"\n tag \"gid\": \"V-72957\"\n tag \"rid\": \"SV-87609r1_rule\"\n tag \"stig_id\": \"PGS9-00-006000\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72957.rb"},"results":[]},{"id":"V-72959","title":"PostgreSQL must generate audit records when privileges/permissions 
are\n deleted.","desc":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command.","descriptions":[{"label":"default","data":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000499-DB-000330","gid":"V-72959","rid":"SV-87611r1_rule","stig_id":"PGS9-00-006100","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72959\" do\n title \"PostgreSQL must generate audit records when privileges/permissions are\n deleted.\"\n desc \"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000499-DB-000330\"\n tag \"gid\": \"V-72959\"\n tag \"rid\": \"SV-87611r1_rule\"\n tag \"stig_id\": \"PGS9-00-006100\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72959.rb"},"results":[]},{"id":"V-72961","title":"PostgreSQL must generate audit records when concurrent\n logons/connections by the same user from different workstations occur.","desc":"For completeness of forensic analysis, it is necessary to \n track who logs on to PostgreSQL.\n\n Concurrent connections by the same user from multiple \n workstations may be valid use of the system; or such \n connections may be due to improper circumvention of the \n requirement to use the CAC/PIV for authentication; or they may \n indicate unauthorized account sharing; or they may be because \n an account has been compromised.\n\n (If the fact of multiple, concurrent logons by a given user \n can be reliably reconstructed from the log entries for other \n events (logons/connections; voluntary and involuntary \n disconnections), then it is not mandatory to create 
additional \n log entries specifically for this.)","descriptions":[{"label":"default","data":"For completeness of forensic analysis, it is necessary to \n track who logs on to PostgreSQL.\n\n Concurrent connections by the same user from multiple \n workstations may be valid use of the system; or such \n connections may be due to improper circumvention of the \n requirement to use the CAC/PIV for authentication; or they may \n indicate unauthorized account sharing; or they may be because \n an account has been compromised.\n\n (If the fact of multiple, concurrent logons by a given user \n can be reliably reconstructed from the log entries for other \n events (logons/connections; voluntary and involuntary \n disconnections), then it is not mandatory to create additional \n log entries specifically for this.)"}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000506-DB-000353","gid":"V-72961","rid":"SV-87613r1_rule","stig_id":"PGS9-00-006200","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify that\n log_connections and log_disconnections are enabled by running the following\n SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_connections\"\n $ psql -c \"SHOW log_disconnections\"\n If either is off, this is a finding.\n Next, verify that log_line_prefix contains sufficient information by running\n the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n If log_line_prefix does not contain at least %m %u %d %c, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First, as the database administrator (shown here as \"postgres\"), edit\n postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Edit the following parameters as such:\n log_connections = on\n log_disconnections = on\n log_line_prefix = '< %m %u %d %c: >'\n Where:\n * %m is the time and date\n * %u is the username\n * %d is the database\n * %c is the session ID for the connection\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":" control 'V-72961' do\n desc 'For completeness of forensic analysis, it is necessary to \n track who logs on to PostgreSQL.\n\n Concurrent connections by the same user from multiple \n workstations may be valid use of the system; or such \n connections may be due to improper circumvention of the \n requirement to use the CAC/PIV for authentication; or they may \n indicate unauthorized account sharing; or they may be because \n an account has been compromised.\n\n (If the fact of multiple, concurrent logons by a given user \n can be reliably reconstructed from the log entries for other \n events (logons/connections; voluntary and involuntary \n disconnections), then it is not mandatory to create additional \n log entries specifically for this.)'\n end\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72961.rb"},"results":[]},{"id":"V-72963","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n delete security objects occur.","desc":"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. 
If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.","descriptions":[{"label":"default","data":"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000501-DB-000337","gid":"V-72963","rid":"SV-87615r1_rule","stig_id":"PGS9-00-006300","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Configure PostgreSQL to produce audit records when unsuccessful attempts to\n delete security objects occur.\n All errors and denials are logged if logging is enabled. 
To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72963\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n delete security objects occur.\"\n desc \"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000501-DB-000337\"\n tag \"gid\": \"V-72963\"\n tag \"rid\": \"SV-87615r1_rule\"\n tag \"stig_id\": \"PGS9-00-006300\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Configure PostgreSQL to produce audit records when unsuccessful attempts to\n delete security objects occur.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72963.rb"},"results":[]},{"id":"V-72965","title":"PostgreSQL must generate audit records when privileges/permissions are\n modified.","desc":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. 
Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands.","descriptions":[{"label":"default","data":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000495-DB-000328","gid":"V-72965","rid":"SV-87617r1_rule","stig_id":"PGS9-00-006400","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role is enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, this is a finding.","fix":"Note: The following instructions use the PGDATA environment v\n ariable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72965\" do\n title \"PostgreSQL must generate audit records when privileges/permissions are\n modified.\"\n desc \"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000495-DB-000328\"\n tag \"gid\": \"V-72965\"\n tag \"rid\": \"SV-87617r1_rule\"\n tag \"stig_id\": \"PGS9-00-006400\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role is enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment v\n ariable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = ['role']\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72965.rb"},"results":[]},{"id":"V-72971","title":"PostgreSQL must generate audit records when security objects are\n modified.","desc":"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. The database could be severely\n compromised or rendered inoperative.","descriptions":[{"label":"default","data":"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. 
The database could be severely\n compromised or rendered inoperative."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000496-DB-000334","gid":"V-72971","rid":"SV-87623r1_rule","stig_id":"PGS9-00-006600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the results does not contain `pgaudit`, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain `role`, `read`, `write`, and `ddl`, this is a\n finding.\n Next, verify that accessing the catalog is audited by running the following\n SQL:\n $ psql -c \"SHOW pgaudit.log_catalog\"\n If log_catalog is not `on`, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. 
See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.With `pgaudit` installed the following configurat\n ions can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log_catalog = 'on'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72971\" do\n title \"PostgreSQL must generate audit records when security objects are\n modified.\"\n desc \"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. The database could be severely\n compromised or rendered inoperative.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000496-DB-000334\"\n tag \"gid\": \"V-72971\"\n tag \"rid\": \"SV-87623r1_rule\"\n tag \"stig_id\": \"PGS9-00-006600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the results does not contain `pgaudit`, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain `role`, `read`, `write`, and `ddl`, this is a\n finding.\n Next, verify that accessing the catalog is audited by running the following\n SQL:\n $ psql -c \\\"SHOW pgaudit.log_catalog\\\"\n If log_catalog is not `on`, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n 
variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.With `pgaudit` installed the following configurat\n ions can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log_catalog = 'on'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\n\n describe sql.query('SHOW pgaudit.log_catalog;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72971.rb"},"results":[]},{"id":"V-72973","title":"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is modified.","desc":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000498-DB-000346","gid":"V-72973","rid":"SV-87625r1_rule","stig_id":"PGS9-00-006700","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"If category tracking is not required in the database, this is\n not applicable.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring P\n GDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":" control \"V-72973\" do\n title \"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is modified.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000498-DB-000346\"\n tag \"gid\": \"V-72973\"\n tag \"rid\": \"SV-87625r1_rule\"\n tag \"stig_id\": \"PGS9-00-006700\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"If category tracking is not required in the database, this is\n not applicable.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring P\n GDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72973.rb"},"results":[]},{"id":"V-72979","title":"PostgreSQL, when utilizing PKI-based authentication, must validate\n certificates by performing RFC 5280-compliant certification path validation.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n\n A certificate certification path is the path from the end \n entity certificate to a trusted root certification authority \n (CA). Certification path validation is necessary for a relying \n party to make an informed decision regarding acceptance of an \n end entity certificate. 
Certification path validation includes \n checks such as certificate issuer trust, time validity and \n revocation status for each certificate in the certification \n path. Revocation status information for CA and subject \n certificates in a certification path is commonly provided via \n certificate revocation lists (CRLs) or online certificate \n status protocol (OCSP) responses.\n\n Database Management Systems that do not validate certificates \n by performing RFC 5280-compliant certification path validation \n are in danger of accepting certificates that are invalid and/or \n counterfeit. This could allow unauthorized access to the database.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n\n A certificate certification path is the path from the end \n entity certificate to a trusted root certification authority \n (CA). Certification path validation is necessary for a relying \n party to make an informed decision regarding acceptance of an \n end entity certificate. Certification path validation includes \n checks such as certificate issuer trust, time validity and \n revocation status for each certificate in the certification \n path. Revocation status information for CA and subject \n certificates in a certification path is commonly provided via \n certificate revocation lists (CRLs) or online certificate \n status protocol (OCSP) responses.\n\n Database Management Systems that do not validate certificates \n by performing RFC 5280-compliant certification path validation \n are in danger of accepting certificates that are invalid and/or \n counterfeit. 
This could allow unauthorized access to the database."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000175-DB-000067","gid":"V-72979","rid":"SV-87631r1_rule","stig_id":"PGS9-00-007000","cci":["CCI-000185"],"nist":["IA-5 (2) (a)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To verify that a CRL file exists, as the database administrator (shown here as\n \"postgres\"), run the following:\n $ sudo su - postgres\n $ psql -c \"SHOW ssl_crl_file\" If this is not set to a CRL file, this is a finding.\n Next verify the existence of the CRL file by checking the directory set in\n postgresql.conf in the ssl_crl_file parameter from above:\n Note: If no directory is specified, then the CRL file should be located in the\n same directory as postgresql.conf (PGDATA).\n If the CRL file does not exist, this is a finding.\n Next, verify that hostssl entries in pg_hba.conf have \"cert\" and\n \"clientcert=1\" enabled:\n $ sudo su - postgres\n $ grep hostssl ${PGDATA?}/postgresql.conf\n If hostssl entries does not contain cert or clientcert=1, this is a finding.\n If certificates are not being validated by performing RFC 5280-compliant\n certification path validation, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G.\n To generate a Certificate Revocation List, see the official Red Hat\n Documentation:\n https://access.redhat.com/documentation/en-US/Red_Hat_Update_Infrastructure/\n 2.1/html/Administration_Guide/chap-Red_Hat_Update_Infrastructure-\n Administration_Guide-Certification_Revocation_List_CRL.html\n As the database administrator (shown here as \"postgres\"), copy the CRL file\n into the data directory:\n First, as the system administrator, copy the CRL file into the PostgreSQL Data\n Directory:\n $ sudo cp root.crl ${PGDATA?}/root.crl\n As the database administrator (shown here as \"postgres\"), set the\n ssl_crl_file parameter to the filename of the CRL:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n ssl_crl_file = 'root.crl'\n Next, in pg_hba.conf, require ssl authentication:\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n hostssl
cert clientcert=1\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":" control 'V-72979' do\n desc 'The CMS standard for authentication is CMS-approved PKI \n certificates.\n\n A certificate certification path is the path from the end \n entity certificate to a trusted root certification authority \n (CA). Certification path validation is necessary for a relying \n party to make an informed decision regarding acceptance of an \n end entity certificate. Certification path validation includes \n checks such as certificate issuer trust, time validity and \n revocation status for each certificate in the certification \n path. Revocation status information for CA and subject \n certificates in a certification path is commonly provided via \n certificate revocation lists (CRLs) or online certificate \n status protocol (OCSP) responses.\n\n Database Management Systems that do not validate certificates \n by performing RFC 5280-compliant certification path validation \n are in danger of accepting certificates that are invalid and/or \n counterfeit. 
This could allow unauthorized access to the database.'\n end\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72979.rb"},"results":[]},{"id":"V-72981","title":"PostgreSQL must maintain the confidentiality and integrity of\n information during preparation for transmission.","desc":"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.","descriptions":[{"label":"default","data":"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must 
leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000441-DB-000378","gid":"V-72981","rid":"SV-87633r1_rule","stig_id":"PGS9-00-007200","cci":["CCI-002420"],"nist":["SC-8 (2)","Rev_4"],"check":"If the data owner does not have a strict requirement for ensuring\n data integrity and confidentiality is maintained at every step of the data\n transfer and handling process, this is not a finding.\n As the database administrator (shown here as \"postgres\"), verify SSL is\n enabled by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n If SSL is not enabled, this is a finding.\n If PostgreSQL does not employ protective measures against unauthorized\n disclosure and modification during preparation for transmission, this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Implement protective measures against unauthorized disclosure and modification\n during preparation for transmission.\n To configure PostgreSQL to use SSL, as a database administrator (shown here as\n \"postgres\"), edit postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameter:\n ssl = on\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G."},"code":"control \"V-72981\" do\n title \"PostgreSQL must maintain the confidentiality and integrity of\n information during preparation for transmission.\"\n desc \"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000441-DB-000378\"\n tag \"gid\": \"V-72981\"\n tag \"rid\": \"SV-87633r1_rule\"\n tag 
\"stig_id\": \"PGS9-00-007200\"\n tag \"cci\": [\"CCI-002420\"]\n tag \"nist\": [\"SC-8 (2)\", \"Rev_4\"]\n tag \"check\": \"If the data owner does not have a strict requirement for ensuring\n data integrity and confidentiality is maintained at every step of the data\n transfer and handling process, this is not a finding.\n As the database administrator (shown here as \\\"postgres\\\"), verify SSL is\n enabled by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW ssl\\\"\n If SSL is not enabled, this is a finding.\n If PostgreSQL does not employ protective measures against unauthorized\n disclosure and modification during preparation for transmission, this is a\n finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Implement protective measures against unauthorized disclosure and modification\n during preparation for transmission.\n To configure PostgreSQL to use SSL, as a database administrator (shown here as\n \\\"postgres\\\"), edit postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameter:\n ssl = on\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72981.rb"},"results":[]},{"id":"V-72983","title":"PostgreSQL must provide audit record generation capability \n for CMS-defined auditable events within all DBMS/database \n 
components.","desc":"Without the capability to generate audit records, it would \n be difficult to establish, correlate, and investigate the events \n relating to an incident or identify those responsible for one. \n\n Audit records can be generated from various components within \n PostgreSQL (e.g., process, module). Certain specific application \n functionalities may be audited as well. The list of audited events \n is the set of events for which audits are to be generated. This \n set of events is typically a subset of the list of all events for \n which the system is capable of generating audit records.\n\n CMS has defined the list of events for which PostgreSQL will \n provide an audit record generation capability as the following: \n\n (i) Successful and unsuccessful attempts to access, modify, or \n delete privileges, security objects, security levels, or categories \n of information (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon \n attempts, privileged activities, or other system-level access, \n starting and ending time for user access to the system, concurrent \n logons from different workstations, successful and unsuccessful \n accesses to objects, all program initiations, and all direct \n access to the information system; and\n (iii) All account creation, modification, disabling, and \n termination actions.\n\n Organizations may define additional events requiring continuous \n or ad hoc auditing.","descriptions":[{"label":"default","data":"Without the capability to generate audit records, it would \n be difficult to establish, correlate, and investigate the events \n relating to an incident or identify those responsible for one. \n\n Audit records can be generated from various components within \n PostgreSQL (e.g., process, module). Certain specific application \n functionalities may be audited as well. The list of audited events \n is the set of events for which audits are to be generated. 
This \n set of events is typically a subset of the list of all events for \n which the system is capable of generating audit records.\n\n CMS has defined the list of events for which PostgreSQL will \n provide an audit record generation capability as the following: \n\n (i) Successful and unsuccessful attempts to access, modify, or \n delete privileges, security objects, security levels, or categories \n of information (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon \n attempts, privileged activities, or other system-level access, \n starting and ending time for user access to the system, concurrent \n logons from different workstations, successful and unsuccessful \n accesses to objects, all program initiations, and all direct \n access to the information system; and\n (iii) All account creation, modification, disabling, and \n termination actions.\n\n Organizations may define additional events requiring continuous \n or ad hoc auditing."},{"label":"fix","data":"Configure PostgreSQL to generate audit records for at \n least the CMS minimum set of events.\n\n Using pgaudit PostgreSQL can be configured to audit these \n requests. See supplementary content APPENDIX-B for documentation \n on installing pgaudit.\n\n To ensure that logging is enabled, review supplementary content \n APPENDIX-C for instructions on enabling logging."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000089-DB-000064","gid":"V-72983","rid":"SV-87635r1_rule","stig_id":"PGS9-00-007400","cci":["CCI-000169"],"nist":["AU-12 a","Rev_4"],"check":"Check PostgreSQL auditing to determine whether\n organization-defined auditable events are being audited by the system.\n If organization-defined auditable events are not being audited, this is a\n finding.","fix":"Configure PostgreSQL to generate audit records for at least the\n DoD minimum set of events.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging."},"code":" control 'V-72983' do\n title 'PostgreSQL must provide audit record generation capability \n for CMS-defined auditable events within all DBMS/database \n components.'\n desc 'Without the capability to generate audit records, it would \n be difficult to establish, correlate, and investigate the events \n relating to an incident or identify those responsible for one. \n\n Audit records can be generated from various components within \n PostgreSQL (e.g., process, module). Certain specific application \n functionalities may be audited as well. The list of audited events \n is the set of events for which audits are to be generated. This \n set of events is typically a subset of the list of all events for \n which the system is capable of generating audit records.\n\n CMS has defined the list of events for which PostgreSQL will \n provide an audit record generation capability as the following: \n\n (i) Successful and unsuccessful attempts to access, modify, or \n delete privileges, security objects, security levels, or categories \n of information (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon \n attempts, privileged activities, or other system-level access, \n starting and ending time for user access to the system, concurrent \n logons from different workstations, successful and unsuccessful \n accesses to objects, all program initiations, and all direct \n access to the information system; and\n (iii) All account creation, modification, disabling, and \n termination actions.\n\n Organizations may define additional events requiring continuous \n or ad hoc auditing.'\n desc 'fix', 'Configure PostgreSQL to generate audit records for at \n least the CMS minimum set of events.\n\n Using pgaudit PostgreSQL can be configured 
to audit these \n requests. See supplementary content APPENDIX-B for documentation \n on installing pgaudit.\n\n To ensure that logging is enabled, review supplementary content \n APPENDIX-C for instructions on enabling logging.'\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72983.rb"},"results":[]},{"id":"V-72987","title":"PostgreSQL must produce audit records containing sufficient information\n to establish the identity of any user/subject or process associated with the\n event.","desc":"Information system auditing capability is critical for accurate\n forensic analysis. Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate\n forensic analysis. 
Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded."}],"impact":0.5,"refs":[],"tags":{"check":"Check PostgreSQL settings and existing audit records to verify a\n user name associated with the event is being captured and stored with the\n audit records. If audit records exist without specific user information, this\n is a finding.\n First, as the database administrator (shown here as \"postgres\"), verify the\n current setting of log_line_prefix by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n If log_line_prefix does not contain %m, %u, %d, %p, %r, %a, this is a finding.","fix":"Logging must be enabled in order to capture the identity of any\n user/subject or process associated with an event. 
To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n To enable username, database name, process ID, remote host/port and\n application name in logging, as the database administrator (shown here as\n \"postgres\"), edit the following in postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_line_prefix = '< %m %u %d %p %r %a >'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72987\" do\n title \"PostgreSQL must produce audit records containing sufficient information\n to establish the identity of any user/subject or process associated with the\n event.\"\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. 
In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded.\"\n tag \"check\": \"Check PostgreSQL settings and existing audit records to verify a\n user name associated with the event is being captured and stored with the\n audit records. If audit records exist without specific user information, this\n is a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), verify the\n current setting of log_line_prefix by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_line_prefix\\\"\n If log_line_prefix does not contain %m, %u, %d, %p, %r, %a, this is a finding.\"\n tag \"fix\": \"Logging must be enabled in order to capture the identity of any\n user/subject or process associated with an event. To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n To enable username, database name, process ID, remote host/port and\n application name in logging, as the database administrator (shown here as\n \\\"postgres\\\"), edit the following in postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_line_prefix = '< %m %u %d %p %r %a >'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %p %r %a)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n 
end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72987.rb"},"results":[]},{"id":"V-72989","title":"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic\n modules to generate and validate cryptographic hashes.","desc":"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000514-DB-000381","gid":"V-72989","rid":"SV-87641r1_rule","stig_id":"PGS9-00-008000","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.","fix":"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-72989\" do\n title \"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic\n modules to generate and validate cryptographic hashes.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant.\"\n\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000514-DB-000381\"\n tag \"gid\": \"V-72989\"\n tag \"rid\": \"SV-87641r1_rule\"\n tag \"stig_id\": \"PGS9-00-008000\"\n tag \"cci\": [\"CCI-002450\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n\n tag \"check\": \"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.\"\n tag \"fix\": \"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n describe kernel_parameter('crypto.fips_enabled') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72989.rb"},"results":[]},{"id":"V-72991","title":"PostgreSQL must use CMS-approved cryptography to protect \n classified sensitive information in accordance with the data owners \n requirements.","desc":"Use of weak or untested encryption algorithms undermines the \n purposes of utilizing encryption to protect data. The application \n must implement cryptographic modules adhering to the higher standards \n approved by the federal government since this provides assurance \n they have been tested and validated.\n\n It is the responsibility of the data owner to assess the cryptography \n requirements in light of applicable federal laws, Executive Orders, \n directives, policies, regulations, and standards.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the \n purposes of utilizing encryption to protect data. 
The application \n must implement cryptographic modules adhering to the higher standards \n approved by the federal government since this provides assurance \n they have been tested and validated.\n\n It is the responsibility of the data owner to assess the cryptography \n requirements in light of applicable federal laws, Executive Orders, \n directives, policies, regulations, and standards."},{"label":"check","data":"If PostgreSQL is not using CMS-approved cryptography \n to protect classified sensitive information in accordance with \n applicable federal laws, Executive Orders, directives, policies, \n regulations, and standards, this is a finding.\n\n To check if PostgreSQL is configured to use SSL, as the database \n administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n\n If SSL is off, this is a finding."},{"label":"fix","data":"Note: The following instructions use the PGDATA \n environment variable. See supplementary content APPENDIX-F for \n instructions on configuring PGDATA.\n\n To configure PostgreSQL to use SSL, as a database administrator \n (shown here as \"postgres\"), edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameter:\n\n ssl = on\n\n Now, as the system administrator, reload the server with the \n new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n\n For more information on configuring PostgreSQL to use SSL, see \n supplementary content APPENDIX-G."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000416-DB-000380","gid":"V-72991","rid":"SV-87643r1_rule","stig_id":"PGS9-00-008100","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"If PostgreSQL is deployed in an unclassified environment, this is\nnot applicable (NA).\n\nIf PostgreSQL is not using NSA-approved cryptography to protect 
classified\ninformation in accordance with applicable federal laws, Executive Orders,\ndirectives, policies, regulations, and standards, this is a finding.\n\nTo check if PostgreSQL is configured to use SSL, as the database administrator\n(shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\"\n\nIf SSL is off, this is a finding.\n\nConsult network administration staff to determine whether the server is protected by\nNSA-approved encrypting devices. If not, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo configure PostgreSQL to use SSL, as a database administrator (shown here as\n\"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nDeploy NSA-approved encrypting devices to protect the server on the network."},"code":" control 'V-72991' do\n title 'PostgreSQL must use CMS-approved cryptography to protect \n classified sensitive information in accordance with the data owners \n requirements.'\n desc 'Use of weak or untested encryption algorithms undermines the \n purposes of utilizing encryption to protect data. 
The application \n must implement cryptographic modules adhering to the higher standards \n approved by the federal government since this provides assurance \n they have been tested and validated.\n\n It is the responsibility of the data owner to assess the cryptography \n requirements in light of applicable federal laws, Executive Orders, \n directives, policies, regulations, and standards.'\n desc 'check', 'If PostgreSQL is not using CMS-approved cryptography \n to protect classified sensitive information in accordance with \n applicable federal laws, Executive Orders, directives, policies, \n regulations, and standards, this is a finding.\n\n To check if PostgreSQL is configured to use SSL, as the database \n administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n\n If SSL is off, this is a finding.'\n desc 'fix', 'Note: The following instructions use the PGDATA \n environment variable. See supplementary content APPENDIX-F for \n instructions on configuring PGDATA.\n\n To configure PostgreSQL to use SSL, as a database administrator \n (shown here as \"postgres\"), edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameter:\n\n ssl = on\n\n Now, as the system administrator, reload the server with the \n new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n\n For more information on configuring PostgreSQL to use SSL, see \n supplementary content APPENDIX-G.'\n end\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72991.rb"},"results":[]},{"id":"V-72993","title":"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules\nto protect unclassified information requiring confidentiality and cryptographic\nprotection, in accordance with the data owners 
requirements.","desc":"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000514-DB-000383","gid":"V-72993","rid":"SV-87645r1_rule","stig_id":"PGS9-00-008200","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.","fix":"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-72993\" do\n\n title \"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules\nto protect unclassified information requiring confidentiality and cryptographic\nprotection, in accordance with the data owners requirements.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant.\"\n\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000514-DB-000383\"\n tag \"gid\": \"V-72993\"\n tag \"rid\": \"SV-87645r1_rule\"\n tag \"stig_id\": \"PGS9-00-008200\"\n tag \"cci\": [\"CCI-002450\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n\n tag \"check\": \"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.\"\n\n tag \"fix\": \"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n describe kernel_parameter('crypto.fips_enabled') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":26,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72993.rb"},"results":[]},{"id":"V-72995","title":"PostgreSQL must protect the confidentiality and integrity of all\ninformation at rest.","desc":"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification.","descriptions":[{"label":"default","data":"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. 
Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000231-DB-000154","gid":"V-72995","rid":"SV-87647r1_rule","stig_id":"PGS9-00-008300","cci":["CCI-001199"],"nist":["SC-28","Rev_4"],"check":"One possible way to encrypt data within PostgreSQL is to use the\npgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of disk-level encryption. If this is required and is not found,\nthis is a finding.\n\nIf controls do not exist or are not enabled, this is a finding.","fix":"Apply appropriate controls to protect the confidentiality and\nintegrity of data at rest in the database.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('xdes')));"},"code":"control \"V-72995\" do\n\n title \"PostgreSQL must protect the confidentiality and integrity of all\ninformation at rest.\"\n desc \"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000231-DB-000154\"\n tag \"gid\": \"V-72995\"\n tag \"rid\": \"SV-87647r1_rule\"\n tag \"stig_id\": \"PGS9-00-008300\"\n tag \"cci\": [\"CCI-001199\"]\n tag \"nist\": [\"SC-28\", \"Rev_4\"]\n\n tag \"check\": \"One possible way to encrypt data within PostgreSQL is to use the\npgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires 
encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of disk-level encryption. If this is required and is not found,\nthis is a finding.\n\nIf controls do not exist or are not enabled, this is a finding.\"\n tag \"fix\": \"Apply appropriate controls to protect the confidentiality and\nintegrity of data at rest in the database.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('xdes')));\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72995.rb"},"results":[]},{"id":"V-72999","title":"PostgreSQL must separate user functionality (including user interface\nservices) from database management functionality.","desc":"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the 
administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for users, information on DBMS settings may be\ninadvertently made available to the user.","descriptions":[{"label":"default","data":"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for users, information on DBMS settings may be\ninadvertently made available to the user."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000211-DB-000122","gid":"V-72999","rid":"SV-87651r1_rule","stig_id":"PGS9-00-008500","cci":["CCI-001082"],"nist":["SC-2","Rev_4"],"check":"Check PostgreSQL settings and vendor documentation to verify that\nadministrative functionality is separate from user functionality.\n\nAs the database administrator (shown here as \"postgres\"), list all roles and\npermissions for the database:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf any non-administrative role has the attribute \"Superuser\", \"Create role\",\n\"Create DB\" or 
\"Bypass RLS\", this is a finding.\n\nIf administrator and general user functionality are not separated either physically\nor logically, this is a finding.","fix":"Configure PostgreSQL to separate database administration and general\nuser functionality.\n\nDo not grant superuser, create role, create db or bypass rls role attributes to\nusers that do not require it.\n\nTo remove privileges, see the following example:\n\nALTER ROLE NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;"},"code":"control \"V-72999\" do\n\n title \"PostgreSQL must separate user functionality (including user interface\nservices) from database management functionality.\"\n desc \"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for users, information on DBMS settings may be\ninadvertently made available to the user.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000211-DB-000122\"\n tag \"gid\": \"V-72999\"\n tag \"rid\": \"SV-87651r1_rule\"\n tag \"stig_id\": \"PGS9-00-008500\"\n tag \"cci\": [\"CCI-001082\"]\n tag \"nist\": [\"SC-2\", \"Rev_4\"]\n\n tag \"check\": 
\"Check PostgreSQL settings and vendor documentation to verify that\nadministrative functionality is separate from user functionality.\n\nAs the database administrator (shown here as \\\"postgres\\\"), list all roles and\npermissions for the database:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\du\\\"\n\nIf any non-administrative role has the attribute \\\"Superuser\\\", \\\"Create role\\\",\n\\\"Create DB\\\" or \\\"Bypass RLS\\\", this is a finding.\n\nIf administrator and general user functionality are not separated either physically\nor logically, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to separate database administration and general\nuser functionality.\n\nDo not grant superuser, create role, create db or bypass rls role attributes to\nusers that do not require it.\n\nTo remove privileges, see the following example:\n\nALTER ROLE NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;\"\n\n privileges = %w(rolcreatedb rolcreaterole rolsuper)\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n privileges.each do |privilege|\n privilege_sql = \"SELECT r.#{privilege} FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(privilege_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72999.rb"},"results":[]},{"id":"V-73001","title":"PostgreSQL must initiate session auditing upon startup.","desc":"Session auditing is for use when a user's activities are under\n investigation. 
To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running.","descriptions":[{"label":"default","data":"Session auditing is for use when a user's activities are under\n investigation. To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000092-DB-000208","gid":"V-73001","rid":"SV-87653r1_rule","stig_id":"PGS9-00-008600","cci":["CCI-001464"],"nist":["AU-14 (1)","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), check\nthe current settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf pgaudit is not in the current setting, this is a finding.\n\nAs the database administrator (shown here as \"postgres\"), check the current\nsettings by running the following SQL:\n\n$ psql -c \"SHOW log_destination\"\n\nIf stderr or syslog are not in the current setting, this is a finding.","fix":"Configure PostgreSQL to enable auditing.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor session logging we suggest using pgaudit. For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B."},"code":"control \"V-73001\" do\n title \"PostgreSQL must initiate session auditing upon startup.\"\n desc \"Session auditing is for use when a user's activities are under\n investigation. 
To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000092-DB-000208\"\n tag \"gid\": \"V-73001\"\n tag \"rid\": \"SV-87653r1_rule\"\n tag \"stig_id\": \"PGS9-00-008600\"\n tag \"cci\": [\"CCI-001464\"]\n tag \"nist\": [\"AU-14 (1)\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), check\nthe current settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf pgaudit is not in the current setting, this is a finding.\n\nAs the database administrator (shown here as \\\"postgres\\\"), check the current\nsettings by running the following SQL:\n\n$ psql -c \\\"SHOW logging_destination\\\"\n\nIf stderr or syslog are not in the current setting, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to enable auditing.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor session logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n describe sql.query('SHOW log_destination;', [PG_DB]) do\n its('output') { should match /stderr|syslog/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73001.rb"},"results":[]},{"id":"V-73003","title":"PostgreSQL must implement cryptographic mechanisms to prevent unauthorized\nmodification of organization-defined information at rest (to include, at a minimum,\nPII and classified information) on organization-defined information system\ncomponents.","desc":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.","descriptions":[{"label":"default","data":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000428-DB-000386","gid":"V-73003","rid":"SV-87655r1_rule","stig_id":"PGS9-00-008700","cci":["CCI-002475"],"nist":["SC-28 (1)","Rev_4"],"check":"Review the system documentation to determine whether the\norganization has defined the information at rest that is to be protected from\nmodification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of PostgreSQL, operating system/file system, and additional\nsoftware as relevant.\n\nIf any of the information defined as requiring cryptographic protection from\nmodification is not encrypted in a manner that provides the required level of\nprotection, this is a finding.\n\nOne possible way to encrypt data within PostgreSQL is to use pgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate filesystem or disk level encryption.\n\nIf this is required and is not found, this is a finding.","fix":"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection.\n\nThe pgcrypto module 
provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it's possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));"},"code":"control \"V-73003\" do\n title \"PostgreSQL must implement cryptographic mechanisms to prevent unauthorized\nmodification of organization-defined information at rest (to include, at a minimum,\nPII and classified information) on organization-defined information system\ncomponents.\"\n desc \"PostgreSQLs handling data requiring \\\"data at rest\\\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000428-DB-000386\"\n tag \"gid\": \"V-73003\"\n tag \"rid\": \"SV-87655r1_rule\"\n tag \"stig_id\": \"PGS9-00-008700\"\n tag \"cci\": [\"CCI-002475\"]\n tag \"nist\": [\"SC-28 (1)\", \"Rev_4\"]\n\n tag \"check\": \"Review the system documentation to determine whether the\norganization has defined the information at rest that is to be protected from\nmodification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of PostgreSQL, operating system/file system, and additional\nsoftware as relevant.\n\nIf any of the information defined as requiring cryptographic protection from\nmodification is not encrypted in a manner that provides the required level of\nprotection, this is a finding.\n\nOne possible way to encrypt data within PostgreSQL is to use pgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate filesystem or disk level encryption.\n\nIf this is required and is not found, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL, operating system/file system, and additional\nsoftware as 
relevant, to provide the required level of cryptographic protection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it's possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\n\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73003.rb"},"results":[]},{"id":"V-73005","title":"PostgreSQL must produce audit records containing sufficient information to\nestablish the sources (origins) of the events.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000098-DB-000042","gid":"V-73005","rid":"SV-87657r1_rule","stig_id":"PGS9-00-008800","cci":["CCI-000133"],"nist":["AU-3","Rev_4"],"check":"Check PostgreSQL settings and existing audit records to verify\ninformation specific to the source (origin) of the event is being captured and\nstored with audit records.\n\nAs the database administrator (usually postgres, check the current log_line_prefix\nand \"log_hostname\" setting by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n$ psql -c \"SHOW log_hostname\"\n\nFor a complete list of extra information that can be added to log_line_prefix, see\nthe official documentation:\nhttps://www.postgresql.org/docs/current/static/runtime-config-logging.html#GUC-LOG-LI\nNE-PREFIX\n\nIf the current settings do not provide enough information regarding the source of\nthe event, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content 
APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations can be made to log the source of\nan event.\n\nFirst, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\n###### Log Line Prefix\n\nExtra parameters can be added to the setting log_line_prefix to log source of event:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %p = process ID\n# %m = timestamp with milliseconds\n\nFor example:\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\n###### Log Hostname\n\nBy default only IP address is logged. To also log the hostname the following\nparameter can also be set in postgresql.conf:\n\nlog_hostname = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73005\" do\n\n title \"PostgreSQL must produce audit records containing sufficient information to\nestablish the sources (origins) of the events.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000098-DB-000042\"\n tag \"gid\": \"V-73005\"\n tag \"rid\": \"SV-87657r1_rule\"\n tag \"stig_id\": \"PGS9-00-008800\"\n tag \"cci\": [\"CCI-000133\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n\n tag \"check\": \"Check PostgreSQL settings and existing audit records to verify\ninformation specific to the source (origin) of the event is being captured and\nstored with audit records.\n\nAs the database administrator (usually postgres, check the current log_line_prefix\nand \\\"log_hostname\\\" setting by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n$ psql -c \\\"SHOW log_hostname\\\"\n\nFor a complete list of extra information that can be added to log_line_prefix, see\nthe official documentation:\nhttps://www.postgresql.org/docs/current/static/runtime-config-logging.html#GUC-LOG-LI\nNE-PREFIX\n\nIf the current settings do not provide enough information regarding the source of\nthe event, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for 
instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations can be made to log the source of\nan event.\n\nFirst, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\n###### Log Line Prefix\n\nExtra parameters can be added to the setting log_line_prefix to log source of event:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %p = process ID\n# %m = timestamp with milliseconds\n\nFor example:\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\n###### Log Hostname\n\nBy default only IP address is logged. To also log the hostname the following\nparameter can also be set in postgresql.conf:\n\nlog_hostname = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW log_hostname;', [PG_DB]) do\n its('output') { should match /(on|true)/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73005.rb"},"results":[]},{"id":"V-73011","title":"Unused database components which are integrated in PostgreSQL and cannot be\nuninstalled must be disabled.","desc":"Information systems are capable of providing a wide variety of functions\nand services. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions.","descriptions":[{"label":"default","data":"Information systems are capable of providing a wide variety of functions\nand services. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. 
The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000141-DB-000092","gid":"V-73011","rid":"SV-87663r1_rule","stig_id":"PGS9-00-009200","cci":["CCI-000381"],"nist":["CM-7 a","Rev_4"],"check":"To list all installed packages, as the system administrator, run the\nfollowing:\n\n# RHEL/CENT Systems\n$ sudo yum list installed | grep postgres\n\n# Debian Systems\n$ dpkg --get-selections | grep postgres\n\nIf any packages are installed that are not required, this is a finding.","fix":"To remove any unneeded executables, as the system administrator, run\nthe following:\n\n# RHEL/CENT Systems\n$ sudo yum erase \n\n# Debian Systems\n$ sudo apt-get remove "},"code":"control \"V-73011\" do\n title \"Unused database components which are integrated in PostgreSQL and cannot be\nuninstalled must be disabled.\"\n desc \"Information systems are capable of providing a wide variety of functions\nand services. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. 
The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000141-DB-000092\"\n tag \"gid\": \"V-73011\"\n tag \"rid\": \"SV-87663r1_rule\"\n tag \"stig_id\": \"PGS9-00-009200\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"check\": \"To list all installed packages, as the system administrator, run the\nfollowing:\n\n# RHEL/CENT Systems\n$ sudo yum list installed | grep postgres\n\n# Debian Systems\n$ dpkg --get-selections | grep postgres\n\nIf any packages are installed that are not required, this is a finding.\"\n tag \"fix\": \"To remove any unneeded executables, as the system administrator, run\nthe following:\n\n# RHEL/CENT Systems\n$ sudo yum erase \n\n# Debian Systems\n$ sudo apt-get remove \"\n\n# @todo how do I identify the packages that are not required for the current OS? 
need datafile of approved?\n# @todo assume need two tests, one for RHEL/CENT, and one for Debian?\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73011.rb"},"results":[]},{"id":"V-73013","title":"PostgreSQL must associate organization-defined types of security labels\nhaving organization-defined security label values with information in process.","desc":"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000313-DB-000309","gid":"V-73013","rid":"SV-87665r1_rule","stig_id":"PGS9-00-009400","cci":["CCI-002263"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n\nFirst, as the database administrator (shown here as \"postgres\"), run the following\nSQL against each table that requires security labels:\n\n$ sudo su - postgres\n$ psql -c \"\\d+ .\"\n\nIf security labeling requirements have been specified, but the security labeling is\nnot implemented or does not reliably maintain labels on information in process, this\nis a finding.","fix":"In addition to the SQL-standard privilege system available through\nGRANT, tables can have row security policies that restrict, on a per-user basis,\nwhich rows can be returned by normal queries or inserted, updated, or deleted by\ndata modification commands. This feature is also known as Row-Level Security (RLS).\n\nRLS policies can be very different depending on their use case. 
For one example of\nusing RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-73013\" do\n title \"PostgreSQL must associate organization-defined types of security labels\nhaving organization-defined security label values with information in process.\"\n desc \"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000313-DB-000309\"\n tag \"gid\": \"V-73013\"\n tag \"rid\": \"SV-87665r1_rule\"\n tag \"stig_id\": \"PGS9-00-009400\"\n tag \"cci\": [\"CCI-002263\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), run the following\nSQL against each table that requires security labels:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\d+ .\\\"\n\nIf security labeling requirements have been specified, but the security labeling is\nnot implemented or does not reliably maintain labels on information in process, this\nis a finding.\"\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\nGRANT, tables can have row security policies that restrict, on a per-user basis,\nwhich rows can be returned by normal queries or inserted, updated, or deleted by\ndata modification commands. This feature is also known as Row-Level Security (RLS).\n\nRLS policies can be very different depending on their use case. 
For one example of\nusing RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73013.rb"},"results":[]},{"id":"V-73015","title":"If passwords are used for authentication, PostgreSQL must store only\nhashed, salted representations of passwords.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n \n Authentication based on User ID and Password may be used only \n when it is not possible to employ a PKI certificate, and \n requires AO approval.\n\n In such cases, database passwords stored in clear text, using \n reversible encryption, or using unsalted hashes would be \n vulnerable to unauthorized disclosure. Database passwords must \n always be in the form of one-way, salted hashes when stored \n internally or externally to PostgreSQL.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n \n Authentication based on User ID and Password may be used only \n when it is not possible to employ a PKI certificate, and \n requires AO approval.\n\n In such cases, database passwords stored in clear text, using \n reversible encryption, or using unsalted hashes would be \n vulnerable to unauthorized disclosure. 
Database passwords must \n always be in the form of one-way, salted hashes when stored \n internally or externally to PostgreSQL."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000171-DB-000074","gid":"V-73015","rid":"SV-87667r1_rule","stig_id":"PGS9-00-009500","cci":["CCI-000196"],"nist":["IA-5 (1) (c)","Rev_4"],"check":"To check if password encryption is enabled, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW password_encryption\"\n\nIf password_encryption is not on, this is a finding.\n\nNext, to identify if any passwords have been stored without being hashed and salted,\nas the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -x -c \"SELECT * FROM pg_shadow\"\n\nIf any password is in plaintext, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo enable password_encryption, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npassword_encryption = on\n\nInstitute a policy of not using the \"WITH UNENCRYPTED PASSWORD\" option with the\nCREATE ROLE/USER and ALTER ROLE/USER commands. 
(This option overrides the setting of\nthe password_encryption configuration parameter.)\n\nAs the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart"},"code":" control 'V-73015' do\n desc 'The CMS standard for authentication is CMS-approved PKI \n certificates.\n \n Authentication based on User ID and Password may be used only \n when it is not possible to employ a PKI certificate, and \n requires AO approval.\n\n In such cases, database passwords stored in clear text, using \n reversible encryption, or using unsalted hashes would be \n vulnerable to unauthorized disclosure. Database passwords must \n always be in the form of one-way, salted hashes when stored \n internally or externally to PostgreSQL.'\n end\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73015.rb"},"results":[]},{"id":"V-73017","title":"PostgreSQL must enforce access restrictions associated with changes to the\nconfiguration of PostgreSQL or database(s).","desc":"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications.","descriptions":[{"label":"default","data":"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen 
dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000380-DB-000360","gid":"V-73017","rid":"SV-87669r1_rule","stig_id":"PGS9-00-009600","cci":["CCI-001813"],"nist":["CM-5 (1)","Rev_4"],"check":"To list all the permissions of individual roles, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf any role has SUPERUSER that should not, this is a finding.\n\nNext, list all the permissions of databases and schemas by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\l\"\n$ psql -c \"\\dn+\"\n\nIf any database or schema has update (\"W\") or create (\"C\") privileges and should\nnot, this is a finding.","fix":"Configure PostgreSQL to enforce access restrictions associated with\nchanges to the configuration of PostgreSQL or database(s).\n\nUse ALTER ROLE to remove accesses from roles (substitute the name of the role to be restricted):\n\n$ psql -c \"ALTER ROLE <role_name> NOSUPERUSER\"\n\nUse REVOKE to remove privileges from databases and schemas (substitute the database or schema name and the role name):\n\n$ psql -c \"REVOKE ALL PRIVILEGES ON DATABASE <database_name> FROM <role_name>;\"\n$ psql -c \"REVOKE ALL PRIVILEGES ON SCHEMA <schema_name>
FROM <role_name>;\""},"code":"control \"V-73017\" do\n title \"PostgreSQL must enforce access restrictions associated with changes to the\nconfiguration of PostgreSQL or database(s).\"\n desc \"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000380-DB-000360\"\n tag \"gid\": \"V-73017\"\n tag \"rid\": \"SV-87669r1_rule\"\n tag \"stig_id\": \"PGS9-00-009600\"\n tag \"cci\": [\"CCI-001813\"]\n tag \"nist\": [\"CM-5 (1)\", \"Rev_4\"]\n tag \"check\": \"To list all the permissions of individual roles, as the database\nadministrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\du\n\nIf any role has SUPERUSER that should not, this is a finding.\n\nNext, list all the permissions of databases and schemas by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\l\\\"\n$ psql -c \\\"\\\\dn+\\\"\n\nIf any database or schema has update (\\\"W\\\") or create (\\\"C\\\") privileges and should\nnot, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to enforce access restrictions associated with\nchanges to the configuration of PostgreSQL or database(s).\n\nUse ALTER ROLE to remove accesses from roles:\n\n$ psql -c \\\"ALTER ROLE NOSUPERUSER\\\"\n\nUse REVOKE to remove privileges from databases and schemas:\n\n$ psql -c \\\"REVOKE ALL PRIVILEGES ON
FROM ;\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n superuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\n\n authorized_owners = PG_SUPERUSERS\n owners = authorized_owners.join('|')\n\n database_granted_privileges = 'CTc'\n database_public_privileges = 'c'\n database_acl = \"^((((#{owners})=[#{database_granted_privileges}]+|\"\\\n \"=[#{database_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n database_acl_regex = Regexp.new(database_acl)\n\n schema_granted_privileges = 'UC'\n schema_public_privileges = 'U'\n schema_acl = \"^((((#{owners})=[#{schema_granted_privileges}]+|\"\\\n \"=[#{schema_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n schema_acl_regex = Regexp.new(schema_acl)\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate;'\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n datacl_sql = \"SELECT pg_catalog.array_to_string(datacl, E','), datname \"\\\n \"FROM pg_catalog.pg_database WHERE datname = '#{database}';\"\n\n describe sql.query(datacl_sql, [PG_DB]) do\n its('output') { should match database_acl_regex }\n end\n\n schemas_sql = \"SELECT n.nspname, FROM pg_catalog.pg_namespace n \"\\\n \"WHERE n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n schemas_query = sql.query(schemas_query, [database])\n # Handle connection disabled on database\n if schemas_query.methods.include?(:output)\n schemas = schemas_query.lines\n\n schemas.each do |schema|\n nspacl_sql = \"SELECT pg_catalog.array_to_string(n.nspacl, E','), \"\\\n \"n.nspname FROM pg_catalog.pg_namespace n \"\\\n 
\"WHERE n.nspname = '#{schema}';\"\n\n describe sql.query(nspacl_sql) do\n its('output') { should match schema_acl_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73017.rb"},"results":[]},{"id":"V-73019","title":"PostgreSQL must protect against a user falsely repudiating having performed\norganization-defined actions.","desc":"Non-repudiation of actions taken is required in order to maintain data\nintegrity. Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account.","descriptions":[{"label":"default","data":"Non-repudiation of actions taken is required in order to maintain data\nintegrity. 
Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000080-DB-000063","gid":"V-73019","rid":"SV-87671r1_rule","stig_id":"PGS9-00-009700","cci":["CCI-000166"],"nist":["AU-10","Rev_4"],"check":"First, as the database administrator, review the current\nlog_line_prefix settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf log_line_prefix does not contain at least '< %m %a %u %d %r %p %m >', this is a\nfinding.\n\nNext, review the current shared_preload_libraries' settings by running the following\nSQL:\n\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf shared_preload_libraries does not contain \"pgaudit\", this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure the database to supply additional auditing information to protect against\na user falsely repudiating having performed organization-defined actions.\n\nUsing pgaudit PostgreSQL can be configured to audit these requests. 
See\nsupplementary content APPENDIX-B for documentation on installing pgaudit.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nModify the configuration of audit logs to include details identifying the individual\nuser:\n\nFirst, as the database administrator (shown here as \"postgres\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nExtra parameters can be added to the setting log_line_prefix to identify the user:\n\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nUse accounts assigned to individual users. Where the application connects to\nPostgreSQL using a standard, shared account, ensure that it also captures the\nindividual user identification and passes it to PostgreSQL."},"code":"control \"V-73019\" do\n title \"PostgreSQL must protect against a user falsely repudiating having performed\norganization-defined actions.\"\n desc \"Non-repudiation of actions taken is required in order to maintain data\nintegrity. Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. 
Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000080-DB-000063\"\n tag \"gid\": \"V-73019\"\n tag \"rid\": \"SV-87671r1_rule\"\n tag \"stig_id\": \"PGS9-00-009700\"\n tag \"cci\": [\"CCI-000166\"]\n tag \"nist\": [\"AU-10\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, review the current\nlog_line_prefix settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nIf log_line_prefix does not contain at least '< %m %a %u %d %r %p %m >', this is a\nfinding.\n\nNext, review the current shared_preload_libraries' settings by running the following\nSQL:\n\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf shared_preload_libraries does not contain \\\"pgaudit\\\", this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure the database to supply additional auditing information to protect against\na user falsely repudiating having performed organization-defined actions.\n\nUsing pgaudit PostgreSQL can be configured to audit these requests. 
See\nsupplementary content APPENDIX-B for documentation on installing pgaudit.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nModify the configuration of audit logs to include details identifying the individual\nuser:\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nExtra parameters can be added to the setting log_line_prefix to identify the user:\n\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nUse accounts assigned to individual users. Where the application connects to\nPostgreSQL using a standard, shared account, ensure that it also captures the\nindividual user identification and passes it to PostgreSQL.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %p %r %a)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73019.rb"},"results":[]},{"id":"V-73021","title":"PostgreSQL must provide the capability for authorized users to capture,\nrecord, and log all content related to a user session.","desc":"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL capability would be used in conjunction with comparable\nmonitoring of a user's online session, 
involving other software components such as\noperating systems, web servers and front-end user applications. The current\nrequirement, however, deals specifically with PostgreSQL.","descriptions":[{"label":"default","data":"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL capability would be used in conjunction with comparable\nmonitoring of a user's online session, involving other software components such as\noperating systems, web servers and front-end user applications. The current\nrequirement, however, deals specifically with PostgreSQL."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000093-DB-000052","gid":"V-73021","rid":"SV-87673r1_rule","stig_id":"PGS9-00-009800","cci":["CCI-001462"],"nist":["AU-14 (2)","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nverify pgaudit is installed by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf shared_preload_libraries does not contain pgaudit, this is a finding.\n\nNext, to verify connections and disconnections are logged, run the following SQL:\n\n$ psql -c \"SHOW log_connections\"\n$ psql -c \"SHOW log_disconnections\"\n\nBoth settings must be on. If either log_connections or log_disconnections is off, this is a finding.\n\nNow, to verify that pgaudit is configured to log, run the following SQL:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf pgaudit.log does not contain each of ddl, role, read, and write, this is a finding.","fix":"Configure the database to capture, record, and log all content related to\na user session.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \"postgres\"),\nenable log_connections and log_disconnections:\n\n$ sudo su - postgres\n$ vi 
${PGDATA?}/postgresql.conf\nlog_connections = on\nlog_disconnections = on\n\nUsing pgaudit PostgreSQL can be configured to audit activity. See supplementary\ncontent APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, as a database administrator (shown here as \"postgres\"),\nenable which objects required for auditing a user's session:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npgaudit.log = 'write, ddl, role, read, function';\npgaudit.log_relation = on;\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73021\" do\n title \"PostgreSQL must provide the capability for authorized users to capture,\nrecord, and log all content related to a user session.\"\n desc \"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL capability would be used in conjunction with comparable\nmonitoring of a user's online session, involving other software components such as\noperating systems, web servers and front-end user applications. 
The current\nrequirement, however, deals specifically with PostgreSQL.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000093-DB-000052\"\n tag \"gid\": \"V-73021\"\n tag \"rid\": \"SV-87673r1_rule\"\n tag \"stig_id\": \"PGS9-00-009800\"\n tag \"cci\": [\"CCI-001462\"]\n tag \"nist\": [\"AU-14 (2)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as \\\"postgres\\\"),\nverify pgaudit is installed by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf shared_preload_libraries does not contain pgaudit, this is a finding.\n\nNext, to verify connections and disconnections are logged, run the following SQL:\n\n$ psql -c \\\"SHOW log_connections\\\"\n$ psql -c \\\"SHOW log_disconnections\\\"\n\nIf log_connections and log_disconnections are off, this is a finding.\n\nNow, to verify that pgaudit is configured to log, run the following SQL:\n\n$ psql -c \\\"SHOW pgaudit.log\\\"\n\nIf pgaudit.log does not contain ddl, role, read, write, this is a finding.\"\n tag \"fix\": \"Configure the database capture, record, and log all content related to\na user session.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \\\"postgres\\\"),\nenable log_connections and log_disconnections:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_connections = on\nlog_disconnections = on\n\nUsing pgaudit PostgreSQL can be configured to audit activity. 
See supplementary\ncontent APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, as a database administrator (shown here as \\\"postgres\\\"),\nenable which objects required for auditing a user's session:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npgaudit.log = 'write, ddl, role, read, function';\npgaudit.log_relation = on;\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73021.rb"},"results":[]},{"id":"V-73023","title":"The system must provide a warning to appropriate support \n staff when allocated audit record storage volume reaches 80% \n of maximum audit record storage capacity.","desc":"Organizations are required to use a central log management system, \n so, under normal conditions, the audit space allocated to \n PostgreSQL on its own server will not be an issue. However, \n space will still be required on PostgreSQL server for audit \n records in transit, and, under abnormal conditions, this could \n fill up. 
Since a requirement exists to halt processing upon \n audit failure, a service outage would result.\n\n If support personnel are not notified immediately upon storage \n volume utilization reaching 80%, they are unable to plan for \n storage capacity expansion. \n\n The appropriate support staff include, at a minimum, the ISSO \n and the DBA/SA.","descriptions":[{"label":"default","data":"Organizations are required to use a central log management system, \n so, under normal conditions, the audit space allocated to \n PostgreSQL on its own server will not be an issue. However, \n space will still be required on PostgreSQL server for audit \n records in transit, and, under abnormal conditions, this could \n fill up. Since a requirement exists to halt processing upon \n audit failure, a service outage would result.\n\n If support personnel are not notified immediately upon storage \n volume utilization reaching 80%, they are unable to plan for \n storage capacity expansion. \n\n The appropriate support staff include, at a minimum, the ISSO \n and the DBA/SA."},{"label":"check","data":"Review system configuration.\n\n If no script/tool is monitoring the partition for the PostgreSQL \n log directories, this is a finding.\n\n If appropriate support staff are not notified immediately upon \n storage volume utilization reaching 80%, this is a finding."},{"label":"fix","data":"Configure the system to notify appropriate support \n staff immediately upon storage volume utilization reaching 80%.\n\n PostgreSQL does not monitor storage, however, it is possible to \n monitor storage with a script.\n\n ##### Example Monitoring Script\n\n #!/bin/bash\n\n PGDATA=/var/lib/psql/9.5/data\n # -P keeps each filesystem on one line; single quotes leave $5 for awk rather than the shell\n CURRENT=$(df -P ${PGDATA?} | grep / | awk '{ print $5}' | sed 's/%//g')\n THRESHOLD=80\n\n # -ge so the alert fires when utilization reaches the threshold, not only after it is exceeded\n if [ \"$CURRENT\" -ge \"$THRESHOLD\" ] ; then\n mail -s \"Disk Space Alert\" mail@support.com << EOF\n The data directory volume is almost full. 
Used: $CURRENT%\n EOF\n fi\n\n Schedule this script in cron to run around the clock."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000359-DB-000319","gid":"V-73023","rid":"SV-87675r1_rule","stig_id":"PGS9-00-009900","cci":["CCI-001855"],"nist":["AU-5 (1)","Rev_4"],"check":"Review system configuration.\n\nIf no script/tool is monitoring the partition for the PostgreSQL log directories,\nthis is a finding.\n\nIf appropriate support staff are not notified immediately upon storage volume\nutilization reaching 75%, this is a finding.","fix":"Configure the system to notify appropriate support staff immediately\nupon storage volume utilization reaching 75%.\n\nPostgreSQL does not monitor storage, however, it is possible to monitor storage with\na script.\n\n##### Example Monitoring Script\n\n#!/bin/bash\n\nPGDATA=/var/lib/psql/9.5/data\nCURRENT=$(df -P ${PGDATA?} | grep / | awk '{ print $5}' | sed 's/%//g')\nTHRESHOLD=75\n\nif [ \"$CURRENT\" -ge \"$THRESHOLD\" ] ; then\nmail -s 'Disk Space Alert' mail@support.com << EOF\nThe data directory volume is almost full. Used: $CURRENT%\nEOF\nfi\n\nSchedule this script in cron to run around the clock."},"code":" control 'V-73023' do\n title 'The system must provide a warning to appropriate support \n staff when allocated audit record storage volume reaches 80% \n of maximum audit record storage capacity.'\n desc 'Organizations are required to use a central log management system, \n so, under normal conditions, the audit space allocated to \n PostgreSQL on its own server will not be an issue. However, \n space will still be required on PostgreSQL server for audit \n records in transit, and, under abnormal conditions, this could \n fill up. Since a requirement exists to halt processing upon \n audit failure, a service outage would result.\n\n If support personnel are not notified immediately upon storage \n volume utilization reaching 80%, they are unable to plan for \n storage capacity expansion. 
\n\n The appropriate support staff include, at a minimum, the ISSO \n and the DBA/SA.'\n desc 'check', 'Review system configuration.\n\n If no script/tool is monitoring the partition for the PostgreSQL \n log directories, this is a finding.\n\n If appropriate support staff are not notified immediately upon \n storage volume utilization reaching 80%, this is a finding.'\n\n desc 'fix', 'Configure the system to notify appropriate support \n staff immediately upon storage volume utilization reaching 80%.\n\n PostgreSQL does not monitor storage, however, it is possible to \n monitor storage with a script.\n\n ##### Example Monitoring Script\n\n #!/bin/bash\n\n PGDATA=/var/lib/psql/9.5/data\n CURRENT=$(df ${PGDATA?} | grep / | awk \"{ print $5}\" \n | sed \"s/%//g\")\n THRESHOLD=80\n\n if [ \"$CURRENT\" -gt \"$THRESHOLD\" ] ; then\n mail -s \"Disk Space Alert\" mail@support.com << EOF\n The data directory volume is almost full. Used: $CURRENT\n %EOF\n fi\n\n Schedule this script in cron to run around the clock.'\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73023.rb"},"results":[]},{"id":"V-73025","title":"PostgreSQL must provide the means for individuals in authorized roles to\nchange the auditing to be performed on all application components, based on all\nselectable event criteria within organization-defined time thresholds.","desc":"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. 
In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours.","descriptions":[{"label":"default","data":"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000353-DB-000324","gid":"V-73025","rid":"SV-87677r1_rule","stig_id":"PGS9-00-010000","cci":["CCI-001914"],"nist":["AU-12 (3)","Rev_4"],"check":"First, as the database administrator, check if pgaudit is present in\nshared_preload_libraries:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf pgaudit is not present in the result from the query, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor audit logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\n\nAs a superuser (postgres), any pgaudit parameter can be changed in postgresql.conf.\nConfigurations can only be changed by a superuser.\n\n### Example: Change Auditing To Log Any ROLE Statements\n\nNote: This will override any setting already configured.\n\nAlter the configuration to do role-based logging:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'role'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\n### Example: Set An Auditing Role And Grant Privileges\n\nAn audit role can be configured and granted privileges to specific tables and\ncolumns that need logging.\n\n##### Create Test Table\n\n$ sudo su - postgres\n$ psql -c \"CREATE TABLE public.stig_audit_example(id INT, name TEXT, password\nTEXT);\"\n\n##### Define Auditing Role\n\nAs PostgreSQL superuser (such as postgres), add the following to postgresql.conf or\nany included configuration files.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.role = 'auditor'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nNext in PostgreSQL create a new role:\n\npostgres=# CREATE ROLE auditor;\npostgres=# GRANT select(password) ON public.stig_audit_example TO auditor;\n\nNote: This role is created with NOLOGIN privileges by default.\n\nNow any SELECT on the column password will be logged:\n\n$ sudo su - postgres\n$ psql -c \"SELECT password FROM public.stig_audit_example;\"\n$ cat ${PGDATA?}/pg_log/\n< 2016-01-28 16:46:09.038 UTC bob postgres: 
>LOG: AUDIT:\nOBJECT,6,1,READ,SELECT,TABLE,public.stig_audit_example,SELECT password FROM\nstig_audit_example;,\n\n## Change Configurations During A Specific Timeframe\n\nDeploy PostgreSQL that allows audit configuration changes to take effect within the\ntimeframe required by the application owner and without involving actions or events\nthat the application owner rules unacceptable.\n\nCrontab can be used to do this.\n\nFor a specific audit role (these entries carry a user field, so they belong in /etc/crontab or a file under /etc/cron.d/, not in a per-user crontab):\n\n# Grant specific audit privileges to an auditing role at 5 AM every day of the week,\nmonth, year at the 0 minute mark.\n0 5 * * * postgres /usr/bin/psql -c \"GRANT select(password) ON\npublic.stig_audit_example TO auditor;\"\n# Revoke specific audit privileges from an auditing role at 5 PM every day of the\nweek, month, year at the 0 minute mark.\n0 17 * * * postgres /usr/bin/psql -c \"REVOKE select(password) ON\npublic.stig_audit_example FROM auditor;\""},"code":"control \"V-73025\" do\n title \"PostgreSQL must provide the means for individuals in authorized roles to\nchange the auditing to be performed on all application components, based on all\nselectable event criteria within organization-defined time thresholds.\"\n desc \"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. 
Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000353-DB-000324\"\n tag \"gid\": \"V-73025\"\n tag \"rid\": \"SV-87677r1_rule\"\n tag \"stig_id\": \"PGS9-00-010000\"\n tag \"cci\": [\"CCI-001914\"]\n tag \"nist\": [\"AU-12 (3)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, check if pgaudit is present in\nshared_preload_libraries:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf pgaudit is not present in the result from the query, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor audit logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\n\nAs a superuser (postgres), any pgaudit parameter can be changed in postgresql.conf.\nConfigurations can only be changed by a superuser.\n\n### Example: Change Auditing To Log Any ROLE Statements\n\nNote: This will override any setting already configured.\n\nAlter the configuration to do role-based logging:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'role'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\n### Example: Set An Auditing Role And Grant Privileges\n\nAn audit role can be configured and granted privileges to specific tables and\ncolumns that need logging.\n\n##### Create Test Table\n\n$ sudo su - postgres\n$ psql -c \\\"CREATE TABLE public.stig_audit_example(id INT, name TEXT, password\nTEXT);\\\"\n\n##### Define Auditing Role\n\nAs PostgreSQL superuser (such as postgres), add the following to postgresql.conf or\nany included configuration files.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.role = 'auditor'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nNext in PostgreSQL create a new role:\n\npostgres=# CREATE ROLE auditor;\npostgres=# GRANT select(password) ON public.stig_audit_example TO auditor;\n\nNote: This role is created with NOLOGIN privileges by default.\n\nNow any SELECT on the column password will be logged:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT password FROM public.stig_audit_example;\\\"\n$ cat ${PGDATA?}/pg_log/\n< 2016-01-28 16:46:09.038 UTC bob 
postgres: >LOG: AUDIT:\nOBJECT,6,1,READ,SELECT,TABLE,public.stig_audit_example,SELECT password FROM\nstig_audit_example;,\n\n## Change Configurations During A Specific Timeframe\n\nDeploy PostgreSQL that allows audit configuration changes to take effect within the\ntimeframe required by the application owner and without involving actions or events\nthat the application owner rules unacceptable.\n\nCrontab can be used to do this.\n\nFor a specific audit role:\n\n# Grant specific audit privileges to an auditing role at 5 PM every day of the week,\nmonth, year at the 0 minute mark.\n0 5 * * * postgres /usr/bin/psql -c \\\"GRANT select(password) ON\npublic.stig_audit_example TO auditor;\\\"\n# Revoke specific audit privileges to an auditing role at 5 PM every day of the\nweek, month, year at the 0 minute mark.\n0 17 * * * postgres /usr/bin/psql -c \\\"REVOKE select(password) ON\npublic.stig_audit_example FROM auditor;\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73025.rb"},"results":[]},{"id":"V-73027","title":"PostgreSQL must require users to reauthenticate when organization-defined\ncircumstances or situations require reauthentication.","desc":"The CMS standard for authentication of an interactive user \n is the presentation of a Personal Identity Verification (PIV) \n Card or other physical token bearing a valid, current, \n CMS-issued Public Key Infrastructure (PKI) certificate, coupled \n with a Personal Identification Number (PIN) to be entered by \n the user at the beginning of each session and whenever \n reauthentication is required.\n\n Without reauthentication, users may access resources or perform \n tasks for which they do not have authorization.\n\n When applications provide the capability to 
change security \n roles or escalate the functional capability of the application, \n it is critical the user re-authenticate.\n\n In addition to the reauthentication requirements associated with \n session locks, organizations may require reauthentication of \n individuals and/or devices in other situations, including (but \n not limited to) the following circumstances:\n\n (i) When authenticators change;\n (ii) When roles change;\n (iii) When security categorized information systems change;\n (iv) When the execution of privileged functions occurs;\n (v) After a fixed period of time; or\n (vi) Periodically.\n\n Within CMS, the minimum circumstances requiring reauthentication \n are privilege escalation and role changes.","descriptions":[{"label":"default","data":"The CMS standard for authentication of an interactive user \n is the presentation of a Personal Identity Verification (PIV) \n Card or other physical token bearing a valid, current, \n CMS-issued Public Key Infrastructure (PKI) certificate, coupled \n with a Personal Identification Number (PIN) to be entered by \n the user at the beginning of each session and whenever \n reauthentication is required.\n\n Without reauthentication, users may access resources or perform \n tasks for which they do not have authorization.\n\n When applications provide the capability to change security \n roles or escalate the functional capability of the application, \n it is critical the user re-authenticate.\n\n In addition to the reauthentication requirements associated with \n session locks, organizations may require reauthentication of \n individuals and/or devices in other situations, including (but \n not limited to) the following circumstances:\n\n (i) When authenticators change;\n (ii) When roles change;\n (iii) When security categorized information systems change;\n (iv) When the execution of privileged functions occurs;\n (v) After a fixed period of time; or\n (vi) Periodically.\n\n Within CMS, the minimum 
circumstances requiring reauthentication \n are privilege escalation and role changes."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000389-DB-000372","gid":"V-73027","rid":"SV-87679r1_rule","stig_id":"PGS9-00-010100","cci":["CCI-002038"],"nist":["IA-11","Rev_4"],"check":"Determine all situations where a user must re-authenticate. Check if\nthe mechanisms that handle such situations use the following SQL:\n\nTo make a single user re-authenticate, the following must be present (the session's\nrole is exposed by pg_stat_activity in the usename column; a bare user in the WHERE\nclause is the SQL keyword for the caller's own role, so WHERE user = '' never matches\nthe intended sessions):\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = '<username>'\n\nTo make all users re-authenticate, run the following (the caller's own backend is\nexcluded so the statement does not terminate its own session):\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE pid <> pg_backend_pid()\n\nTerminating a backend closes its connection; the user is authenticated again when the\nclient reconnects. If the provided SQL does not force re-authentication, this is a\nfinding.","fix":"Modify and/or configure PostgreSQL and related applications and tools\nso that users are always required to reauthenticate when changing role or escalating\nprivileges.\n\nTo make a single user re-authenticate, the following must be present (match on the\nusename column of pg_stat_activity, not on the user keyword):\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = '<username>'\n\nTo make all users re-authenticate, the following must be present (excluding the\ncaller's own backend):\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE pid <> pg_backend_pid()"},"code":" control 'V-73027' do\n desc 'The CMS standard for authentication of an interactive user \n is the presentation of a Personal Identity Verification (PIV) \n Card or other physical token bearing a valid, current, \n CMS-issued Public Key Infrastructure (PKI) certificate, coupled \n with a Personal Identification Number (PIN) to be entered by \n the user at the beginning of each session and whenever \n reauthentication is required.\n\n Without reauthentication, users may access resources or perform \n tasks for which they do not have authorization.\n\n When applications provide the capability to change security \n roles or escalate the functional capability of the application, \n it is critical the user 
re-authenticate.\n\n In addition to the reauthentication requirements associated with \n session locks, organizations may require reauthentication of \n individuals and/or devices in other situations, including (but \n not limited to) the following circumstances:\n\n (i) When authenticators change;\n (ii) When roles change;\n (iii) When security categorized information systems change;\n (iv) When the execution of privileged functions occurs;\n (v) After a fixed period of time; or\n (vi) Periodically.\n\n Within CMS, the minimum circumstances requiring reauthentication \n are privilege escalation and role changes.'\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73027.rb"},"results":[]},{"id":"V-73029","title":"PostgreSQL must enforce authorized access to all PKI private keys\nstored/utilized by PostgreSQL.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates. PKI certificate-based authentication is performed \n by requiring the certificate holder to cryptographically prove \n possession of the corresponding private key.\n\n If the private key is stolen, an attacker can use the private \n key(s) to impersonate the certificate holder. In cases where \n PostgreSQL-stored private keys are used to authenticate PostgreSQL \n to the system, clients, loss of the corresponding private keys \n would allow an attacker to successfully perform undetected \n man-in-the-middle attacks against PostgreSQL system and its \n clients.\n\n Both the holder of a digital certificate and the issuing authority \n must take careful measures to protect the corresponding private \n key. Private keys should always be generated and protected in \n FIPS 140-2 validated cryptographic modules.\n\n All access to the private key(s) of PostgreSQL must be restricted \n to authorized and authenticated users. 
If unauthorized users have \n access to one or more of PostgreSQL's private keys, an attacker \n could gain access to the key(s) and use them to impersonate the \n database on the network or otherwise perform unauthorized actions.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates. PKI certificate-based authentication is performed \n by requiring the certificate holder to cryptographically prove \n possession of the corresponding private key.\n\n If the private key is stolen, an attacker can use the private \n key(s) to impersonate the certificate holder. In cases where \n PostgreSQL-stored private keys are used to authenticate PostgreSQL \n to the system, clients, loss of the corresponding private keys \n would allow an attacker to successfully perform undetected \n man-in-the-middle attacks against PostgreSQL system and its \n clients.\n\n Both the holder of a digital certificate and the issuing authority \n must take careful measures to protect the corresponding private \n key. Private keys should always be generated and protected in \n FIPS 140-2 validated cryptographic modules.\n\n All access to the private key(s) of PostgreSQL must be restricted \n to authorized and authenticated users. 
If unauthorized users have \n access to one or more of PostgreSQL's private keys, an attacker \n could gain access to the key(s) and use them to impersonate the \n database on the network or otherwise perform unauthorized actions."}],"impact":0.7,"refs":[{"ref":[]}],"tags":{"severity":"high","gtitle":"SRG-APP-000176-DB-000068","gid":"V-73029","rid":"SV-87681r1_rule","stig_id":"PGS9-00-010200","cci":["CCI-000186"],"nist":["IA-5 (2) (b)","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nverify the following settings:\n\nNote: If no specific directory given before the name, the files are stored in\nPGDATA.\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl_ca_file\"\n$ psql -c \"SHOW ssl_cert_file\"\n$ psql -c \"SHOW ssl_crl_file\"\n$ psql -c \"SHOW ssl_key_file\"\n\nIf the directory these files are stored in is not protected, this is a finding.","fix":"Store all PostgreSQL PKI private keys in a FIPS 140-2 validated\ncryptographic module. Ensure access to PostgreSQL PKI private keys is restricted to\nonly authenticated and authorized users.\n\nPostgreSQL private key(s) can be stored in $PGDATA directory, which is only\naccessible by the database owner (usually postgres, DBA) user. 
Do not allow access\nto this system account to unauthorized users. The key file itself must also be\nreadable only by the server account (chmod 0600 server.key, owned by the postgres\nuser); PostgreSQL rejects a key file that is group- or world-accessible.\n\nTo put the keys in a different directory, as the database administrator (shown here\nas \"postgres\"), set the following settings to a protected directory (postgresql.conf\nstring values are single-quoted):\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nssl_ca_file = '/some/protected/directory/root.crt'\nssl_crl_file = '/some/protected/directory/root.crl'\nssl_cert_file = '/some/protected/directory/server.crt'\nssl_key_file = '/some/protected/directory/server.key'\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":" control 'V-73029' do\n desc 'The CMS standard for authentication is CMS-approved PKI \n certificates. PKI certificate-based authentication is performed \n by requiring the certificate holder to cryptographically prove \n possession of the corresponding private key.\n\n If the private key is stolen, an attacker can use the private \n key(s) to impersonate the certificate holder. In cases where \n PostgreSQL-stored private keys are used to authenticate PostgreSQL \n to the system, clients, loss of the corresponding private keys \n would allow an attacker to successfully perform undetected \n man-in-the-middle attacks against PostgreSQL system and its \n clients.\n\n Both the holder of a digital certificate and the issuing authority \n must take careful measures to protect the corresponding private \n key. Private keys should always be generated and protected in \n FIPS 140-2 validated cryptographic modules.\n\n All access to the private key(s) of PostgreSQL must be restricted \n to authorized and authenticated users. 
If unauthorized users have \n access to one or more of PostgreSQL\\'s private keys, an attacker \n could gain access to the key(s) and use them to impersonate the \n database on the network or otherwise perform unauthorized actions.'\n end\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb"},"results":[]},{"id":"V-73031","title":"PostgreSQL must only accept end entity certificates issued by \n CMS PKI or CMS-approved PKI Certification Authorities (CAs) for \n the establishment of all encrypted sessions.","desc":"Only CMS-approved external PKIs have been evaluated to ensure \n that they have security controls and identity vetting procedures \n in place which are sufficient for CMS systems to rely on the \n identity asserted in the certificate. PKIs lacking sufficient \n security controls and identity vetting procedures risk being \n compromised and issuing certificates that enable adversaries to \n impersonate legitimate users. \n\n The authoritative list of CMS-approved PKIs is published at \n http://iase.disa.mil/pki-pke/interoperability.\n\n This requirement focuses on communications protection for \n PostgreSQL session rather than for the network packet.","descriptions":[{"label":"default","data":"Only CMS-approved external PKIs have been evaluated to ensure \n that they have security controls and identity vetting procedures \n in place which are sufficient for CMS systems to rely on the \n identity asserted in the certificate. PKIs lacking sufficient \n security controls and identity vetting procedures risk being \n compromised and issuing certificates that enable adversaries to \n impersonate legitimate users. 
\n\n The authoritative list of CMS-approved PKIs is published at \n http://iase.disa.mil/pki-pke/interoperability.\n\n This requirement focuses on communications protection for \n PostgreSQL session rather than for the network packet."},{"label":"fix","data":"Revoke trust in any certificates not issued by a \n CMS-approved certificate authority.\n\n Configure PostgreSQL to accept only CMS and CMS-approved PKI \n end-entity certificates.\n\n To configure PostgreSQL to accept approved CA's, see the \n official PostgreSQL documentation: \n http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\n For more information on configuring PostgreSQL to use SSL, \n see supplementary content APPENDIX-G."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000427-DB-000385","gid":"V-73031","rid":"SV-87683r1_rule","stig_id":"PGS9-00-010300","cci":["CCI-002470"],"nist":["SC-23 (5)","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), verify\nthe following settings in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl_ca_file\"\n$ psql -c \"SHOW ssl_cert_file\"\n\nSHOW only returns the file paths. Inspect the certificates contained in those files and\nconfirm that the server certificate and every CA in ssl_ca_file were issued by a CMS\nor CMS-approved PKI.\n\nIf the database is not configured to use approved certificates, this is a finding.","fix":"Revoke trust in any certificates not issued by a CMS-approved\ncertificate authority.\n\nConfigure PostgreSQL to accept only CMS and CMS-approved PKI end-entity certificates.\n\nTo configure PostgreSQL to accept approved CA's, see the official PostgreSQL\ndocumentation: http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":" control 'V-73031' do\n title 'PostgreSQL must only accept end entity certificates issued by \n CMS PKI or CMS-approved PKI Certification Authorities (CAs) for \n the establishment of all encrypted sessions.'\n \n desc 'Only CMS-approved external PKIs have been evaluated to ensure \n that they have security controls and identity 
vetting procedures \n in place which are sufficient for CMS systems to rely on the \n identity asserted in the certificate. PKIs lacking sufficient \n security controls and identity vetting procedures risk being \n compromised and issuing certificates that enable adversaries to \n impersonate legitimate users. \n\n The authoritative list of CMS-approved PKIs is published at \n http://iase.disa.mil/pki-pke/interoperability.\n\n This requirement focuses on communications protection for \n PostgreSQL session rather than for the network packet.'\n\n desc 'fix', 'Revoke trust in any certificates not issued by a \n CMS-approved certificate authority.\n\n Configure PostgreSQL to accept only CMS and CMS-approved PKI \n end-entity certificates.\n\n To configure PostgreSQL to accept approved CA\\'s, see the \n official PostgreSQL documentation: \n http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\n For more information on configuring PostgreSQL to use SSL, \n see supplementary content APPENDIX-G.'\n end\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73031.rb"},"results":[]},{"id":"V-73033","title":"PostgreSQL must produce audit records containing sufficient information to\nestablish what type of events occurred.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000095-DB-000039","gid":"V-73033","rid":"SV-87685r1_rule","stig_id":"PGS9-00-010400","cci":["CCI-000130"],"nist":["AU-3","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), verify\nthe current log_line_prefix setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nVerify that the current settings are appropriate for the organization.\n\nThe following is what is possible for logged information:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %h = remote host\n# %p = process ID\n# %t = timestamp without milliseconds\n# %m = timestamp with milliseconds\n# %i = command tag\n# %e = SQL state\n# %c = session ID\n# %l = session line number\n# %s = session start timestamp\n# %v = virtual transaction ID\n# %x = 
transaction ID (0 if none)\n# %q = stop here in non-session\n# processes\n\nIf the audit record does not log events required by the organization, this is a\nfinding.\n\nNext, verify the current settings of log_connections and log_disconnections by\nrunning the following SQL:\n\n$ psql -c \"SHOW log_connections\"\n$ psql -c \"SHOW log_disconnections\"\n\nIf either setting is off, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations must be made to log connections,\ndate/time, username and session identifier.\n\nFirst, edit the postgresql.conf file as a privileged user:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters based on the organization's needs (minimum\nrequirements are as follows):\n\nlog_connections = on\nlog_disconnections = on\nlog_line_prefix = '< %m %u %d %c: >'\n\nNote: the automated check for this control also expects %s (session start timestamp)\nin log_line_prefix; include it (for example '< %m %u %d %c %s: >') when that check is\nused to verify compliance.\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73033\" do\n title \"PostgreSQL must produce audit records containing sufficient information to\nestablish what type of events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000095-DB-000039\"\n tag \"gid\": \"V-73033\"\n tag \"rid\": \"SV-87685r1_rule\"\n tag \"stig_id\": \"PGS9-00-010400\"\n tag \"cci\": [\"CCI-000130\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), verify\nthe current log_line_prefix setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nVerify that the current settings are appropriate for the organization.\n\nThe following is what is possible for logged information:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %h = remote host\n# %p = process ID\n# %t = timestamp without milliseconds\n# %m = timestamp with milliseconds\n# %i = command tag\n# %e = SQL state\n# %c = session ID\n# %l = session line 
number\n# %s = session start timestamp\n# %v = virtual transaction ID\n# %x = transaction ID (0 if none)\n# %q = stop here in non-session\n# processes\n\nIf the audit record does not log events required by the organization, this is a\nfinding.\n\nNext, verify the current settings of log_connections and log_disconnections by\nrunning the following SQL:\n\n$ psql -c \\\"SHOW log_connections\\\"\n$ psql -c \\\"SHOW log_disconnections\\\"\n\nIf both settings are off, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations must be made to log connections,\ndate/time, username and session identifier.\n\nFirst, edit the postgresql.conf file as a privileged user:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters based on the organization's needs (minimum\nrequirements are as follows):\n\nlog_connections = on\nlog_disconnections = on\nlog_line_prefix = '< %m %u %d %c: >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n 
end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73033.rb"},"results":[]},{"id":"V-73035","title":"PostgreSQL must implement cryptographic mechanisms preventing the\nunauthorized disclosure of organization-defined information at rest on\norganization-defined information system components.","desc":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.","descriptions":[{"label":"default","data":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000429-DB-000387","gid":"V-73035","rid":"SV-87687r1_rule","stig_id":"PGS9-00-010500","cci":["CCI-002476"],"nist":["SC-28 (1)","Rev_4"],"check":"To check if pgcrypto is installed on PostgreSQL, as a database\nadministrator (shown here as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf a disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of filesystem and/or disk-level encryption. If this is required\nand is not found, this is a finding.","fix":"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection for\ninformation requiring cryptographic protection against disclosure.\n\nSecure the premises, equipment, and media to provide the required level of physical\nprotection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));"},"code":"control \"V-73035\" do\n title \"PostgreSQL must implement cryptographic mechanisms preventing the\nunauthorized disclosure of organization-defined information at rest on\norganization-defined information system components.\"\n desc \"PostgreSQLs handling data requiring \\\"data at rest\\\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000429-DB-000387\"\n tag \"gid\": \"V-73035\"\n tag \"rid\": \"SV-87687r1_rule\"\n tag \"stig_id\": \"PGS9-00-010500\"\n tag \"cci\": [\"CCI-002476\"]\n tag \"nist\": [\"SC-28 (1)\", \"Rev_4\"]\n tag \"check\": \"To check if pgcrypto is installed on PostgreSQL, as a database\nadministrator (shown here as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf a disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of filesystem and/or disk-level encryption. If this is required\nand is not found, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection for\ninformation requiring cryptographic protection against disclosure.\n\nSecure the premises, equipment, and media to provide the required level of physical\nprotection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73035.rb"},"results":[]},{"id":"V-73037","title":"PostgreSQL must invalidate session identifiers upon user logout or other\nsession termination.","desc":"Captured sessions can be reused in \"replay\" attacks. This requirement\nlimits the ability of adversaries to capture and continue to employ previously valid\nsession IDs.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet. The intent of this control is to establish grounds for\nconfidence at each end of a communications session in the ongoing identity of the\nother party and in the validity of the information being transmitted.\n\nSession IDs are tokens generated by PostgreSQLs to uniquely identify a user's (or\nprocess's) session. DBMSs will make access decisions and execute logic based on the\nsession ID.\n\nUnique session IDs help to reduce predictability of said identifiers. Unique session\nIDs address man-in-the-middle attacks, including session hijacking or insertion of.\ninformation into a session. 
If the attacker is unable to identify or guess the\nsession information related to pending application traffic, they will have more\ndifficulty in hijacking the session or otherwise manipulating valid sessions.\n\nWhen a user logs out, or when any other session termination event occurs, PostgreSQL\nmust terminate the user session(s) to minimize the potential for sessions to be\nhijacked.","descriptions":[{"label":"default","data":"Captured sessions can be reused in \"replay\" attacks. This requirement\nlimits the ability of adversaries to capture and continue to employ previously valid\nsession IDs.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet. The intent of this control is to establish grounds for\nconfidence at each end of a communications session in the ongoing identity of the\nother party and in the validity of the information being transmitted.\n\nSession IDs are tokens generated by PostgreSQLs to uniquely identify a user's (or\nprocess's) session. DBMSs will make access decisions and execute logic based on the\nsession ID.\n\nUnique session IDs help to reduce predictability of said identifiers. Unique session\nIDs address man-in-the-middle attacks, including session hijacking or insertion of.\ninformation into a session. 
If the attacker is unable to identify or guess the\nsession information related to pending application traffic, they will have more\ndifficulty in hijacking the session or otherwise manipulating valid sessions.\n\nWhen a user logs out, or when any other session termination event occurs, PostgreSQL\nmust terminate the user session(s) to minimize the potential for sessions to be\nhijacked."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000220-DB-000149","gid":"V-73037","rid":"SV-87689r1_rule","stig_id":"PGS9-00-010600","cci":["CCI-001184"],"nist":["SC-23","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), run the\nfollowing SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW tcp_keepalives_idle\"\n$ psql -c \"SHOW tcp_keepalives_interval\"\n$ psql -c \"SHOW tcp_keepalives_count\"\n$ psql -c \"SHOW statement_timeout\"\n\nIf these settings are not set, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi $PGDATA/postgresql.conf\n\nSet the following parameters to organizational requirements:\n\nstatement_timeout = 10000 #milliseconds\ntcp_keepalives_idle = 10 # seconds\ntcp_keepalives_interval = 10 # seconds\ntcp_keepalives_count = 10\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart"},"code":" control 'V-73037' do\n tag \"cci\": ['CCI-001184']\n tag \"nist\": ['SC-23', 'Rev_4']\n end\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73037.rb"},"results":[]},{"id":"V-73041","title":"PostgreSQL must produce audit records containing time stamps to 
establish\nwhen the events occurred.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. 
This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000096-DB-000040","gid":"V-73041","rid":"SV-87693r1_rule","stig_id":"PGS9-00-011100","cci":["CCI-000131"],"nist":["AU-3","Rev_4"],"check":"As the database administrator (usually postgres, run the following\nSQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf the query result does not contain \"%m\", this is a finding.","fix":"Logging must be enabled in order to capture timestamps. To ensure that\nlogging is enabled, review supplementary content APPENDIX-C for instructions on\nenabling logging.\n\nIf logging is enabled the following configurations must be made to log events with\ntimestamps:\n\nFirst, as the database administrator (shown here as \"postgres\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd %m to log_line_prefix to enable timestamps with milliseconds:\n\nlog_line_prefix = '< %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73041\" do\n title \"PostgreSQL must produce audit records containing time stamps to establish\nwhen the events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000096-DB-000040\"\n tag \"gid\": \"V-73041\"\n tag \"rid\": \"SV-87693r1_rule\"\n tag \"stig_id\": \"PGS9-00-011100\"\n tag \"cci\": [\"CCI-000131\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (usually postgres, run the following\nSQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nIf the query result does not contain \\\"%m\\\", this is a finding.\"\n tag \"fix\": \"Logging must be enabled in order to capture timestamps. 
To ensure that\nlogging is enabled, review supplementary content APPENDIX-C for instructions on\nenabling logging.\n\nIf logging is enabled the following configurations must be made to log events with\ntimestamps:\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd %m to log_line_prefix to enable timestamps with milliseconds:\n\nlog_line_prefix = '< %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = ['%m']\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73041.rb"},"results":[]},{"id":"V-73045","title":"PostgreSQL must off-load audit data to a separate log management facility;\nthis must be continuous and in near real time for systems with a network connection\nto the storage facility and weekly or more often for stand-alone systems.","desc":"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage\ncapacity.\n\nPostgreSQL may write audit records to database tables, to files in the file system,\nto other kinds of local repository, or directly to a centralized log management\nsystem. 
Whatever the method used, it must be compatible with off-loading the records\nto the centralized system.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage\ncapacity.\n\nPostgreSQL may write audit records to database tables, to files in the file system,\nto other kinds of local repository, or directly to a centralized log management\nsystem. Whatever the method used, it must be compatible with off-loading the records\nto the centralized system."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000515-DB-000318","gid":"V-73045","rid":"SV-87697r1_rule","stig_id":"PGS9-00-011300","cci":["CCI-001848"],"nist":["AU-4","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nensure PostgreSQL uses syslog by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_destination\"\n\nIf log_destination is not syslog, this is a finding.\n\nNext, as the database administrator, check which log facility is configured by\nrunning the following SQL:\n\n$ psql -c \"SHOW syslog_facility\"\n\nCheck with the organization to see how syslog facilities are defined in their\norganization.\n\nIf the wrong facility is configured, this is a finding.\n\nIf PostgreSQL does not have a continuous network connection to the centralized log\nmanagement system, and PostgreSQL audit records are not transferred to the\ncentralized log management system weekly or more often, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL or deploy and configure software tools to transfer audit\nrecords to a centralized log management system, continuously and in near-real time\nwhere a continuous network connection to 
the log management system exists, or at\nleast weekly in the absence of such a connection.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \"postgres\"),\nconfigure the follow parameters in postgresql.conf (the example uses the default\nvalues - tailor for environment):\n\nNote: Consult the organization on how syslog facilities are defined in the syslog\ndaemon configuration.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_destination = 'syslog'\nsyslog_facility = 'LOCAL0'\nsyslog_ident = 'postgres'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":" control 'V-73045' do\n tag\t\"cci\": ['CCI-001848']\n tag \"nist\": ['AU-4', 'Rev_4']\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73045.rb"},"results":[]},{"id":"V-73047","title":"PostgreSQL must maintain the authenticity of communications sessions by\nguarding against man-in-the-middle attacks that guess at Session ID values.","desc":"One class of man-in-the-middle, or session hijacking, attack involves the\nadversary guessing at valid session identifiers based on patterns in identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number generator.\n\nHowever, it is recognized that available PostgreSQL products do not all implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective.","descriptions":[{"label":"default","data":"One class of man-in-the-middle, or session hijacking, 
attack involves the\nadversary guessing at valid session identifiers based on patterns in identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number generator.\n\nHowever, it is recognized that available PostgreSQL products do not all implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000224-DB-000384","gid":"V-73047","rid":"SV-87699r1_rule","stig_id":"PGS9-00-011400","cci":["CCI-001188"],"nist":["SC-23 (3)","Rev_4"],"check":"To check if PostgreSQL is configured to use ssl, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\"\n\nIf this is not set to `on`, this is a finding.","fix":"To configure PostgreSQL to use SSL, as a database owner (shown here as\n\"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nFor further SSL configurations, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/ssl-tcp.html"},"code":"control \"V-73047\" do\n title \"PostgreSQL must maintain the authenticity of communications sessions by\nguarding against man-in-the-middle attacks that guess at Session ID values.\"\n desc \"One class of man-in-the-middle, or session hijacking, attack involves the\nadversary guessing at valid session identifiers based on patterns in 
identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number generator.\n\nHowever, it is recognized that available PostgreSQL products do not all implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000224-DB-000384\"\n tag \"gid\": \"V-73047\"\n tag \"rid\": \"SV-87699r1_rule\"\n tag \"stig_id\": \"PGS9-00-011400\"\n tag \"cci\": [\"CCI-001188\"]\n tag \"nist\": [\"SC-23 (3)\", \"Rev_4\"]\n tag \"check\": \"To check if PostgreSQL is configured to use ssl, as the database\nadministrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW ssl\\\"\n\nIf this is not set to `on`, this is a finding.\"\n\n tag \"fix\": \"To configure PostgreSQL to use SSL, as a database owner (shown here as\n\\\"postgres\\\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nFor further SSL configurations, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/ssl-tcp.html\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should match /on|true/i }\n 
end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73047.rb"},"results":[]},{"id":"V-73049","title":"PostgreSQL must uniquely identify and authenticate organizational users (or\nprocesses acting on behalf of organizational users).","desc":"To assure accountability and prevent unauthenticated access, organizational\nusers must be identified and authenticated to prevent potential misuse and\ncompromise of the system.\n\nOrganizational users include organizational employees or individuals the\norganization deems to have cmpuivalent status of employees (e.g., contractors).\nOrganizational users (and any processes acting on behalf of users) must be uniquely\nidentified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations\ndocument specific user actions that can be performed on the information system\nwithout identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without\nindividual authentication. Organizations may rcmpuire unique identification of\nindividuals using shared accounts, for detailed accountability of individual\nactivity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational\nusers must be identified and authenticated to prevent potential misuse and\ncompromise of the system.\n\nOrganizational users include organizational employees or individuals the\norganization deems to have cmpuivalent status of employees (e.g., contractors).\nOrganizational users (and any processes acting on behalf of users) must be uniquely\nidentified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. 
Organizations\ndocument specific user actions that can be performed on the information system\nwithout identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without\nindividual authentication. Organizations may rcmpuire unique identification of\nindividuals using shared accounts, for detailed accountability of individual\nactivity."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000148-DB-000103","gid":"V-73049","rid":"SV-87701r1_rule","stig_id":"PGS9-00-011500","cci":["CCI-000764"],"nist":["IA-2","Rev_4"],"check":"Review PostgreSQL settings to determine whether organizational users\nare uniquely identified and authenticated when logging on/connecting to the system.\n\nTo list all roles in the database, as the database administrator (shown here as\n\"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf organizational users are not uniquely identified and authenticated, this is a\nfinding.\n\nNext, as the database administrator (shown here as \"postgres\"), verify the current\npg_hba.conf authentication settings:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_hba.conf\n\nIf every role does not have unique authentication rcmpuirements, this is a finding.\n\nIf accounts are determined to be shared, determine if individuals are first\nindividually authenticated. 
If individuals are not individually authenticated before\nusing the shared account, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL settings to uniquely identify and authenticate all\norganizational users who log on/connect to the system.\n\nTo create roles, use the following SQL:\n\nCREATE ROLE [OPTIONS]\n\nFor more information on CREATE ROLE, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-createrole.html\n\nFor each role created, the database administrator can specify database\nauthentication by editing pg_hba.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/pg_hba.conf\n\nAn example pg_hba entry looks like this:\n\n# TYPE DATABASE USER ADDRESS METHOD\nhost test_db bob 192.168.0.0/16 md5\n\nFor more information on pg_hba.conf, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html"},"code":" control \"V-73049\" do\n sql = postgres_session(attribute('pg_dba'), attribute('pg_dba_password'), attribute('pg_host'))\n\n authorized_roles = attribute('pg_users')\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n\n describe sql.query(roles_sql, [attribute('pg_db')]) do\n its('lines.sort') { should cmp authorized_roles.sort }\n end\n end\n","source_location":{"line":68,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73049.rb"},"results":[]},{"id":"V-73051","title":"PostgreSQL must automatically terminate a user session after\norganization-defined conditions or trigger events requiring session disconnect.","desc":"This addresses the termination of user-initiated logical sessions in\ncontrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). 
A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on\nbehalf of a user) accesses an organizational information system. Such user sessions\ncan be terminated (and thus terminate user access) without terminating network\nsessions.\n\nSession termination ends all processes associated with a user's logical session\nexcept those batch processes/jobs that are specifically created by the user (i.e.,\nsession owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include,\nfor example, organization-defined periods of user inactivity, targeted responses to\ncertain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner,\ndata owner, or organization requires additional assurance.","descriptions":[{"label":"default","data":"This addresses the termination of user-initiated logical sessions in\ncontrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on\nbehalf of a user) accesses an organizational information system. 
Such user sessions\ncan be terminated (and thus terminate user access) without terminating network\nsessions.\n\nSession termination ends all processes associated with a user's logical session\nexcept those batch processes/jobs that are specifically created by the user (i.e.,\nsession owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include,\nfor example, organization-defined periods of user inactivity, targeted responses to\ncertain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner,\ndata owner, or organization requires additional assurance."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000295-DB-000305","gid":"V-73051","rid":"SV-87703r1_rule","stig_id":"PGS9-00-011600","cci":["CCI-002361"],"nist":["AC-12","Rev_4"],"check":"Review system documentation to obtain the organization's definition\nof circumstances requiring automatic session termination. If the documentation\nexplicitly states that such termination is not required or is prohibited, this is\nnot a finding.\n\nIf the documentation requires automatic session termination, but PostgreSQL is not\nconfigured accordingly, this is a finding.","fix":"Configure PostgreSQL to automatically terminate a user session after\norganization-defined conditions or trigger events requiring session termination.\n\nExamples follow.\n\n### Change a role to nologin and disconnect the user\n\nALTER ROLE '' NOLOGIN;\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE username='';\n\n### Disconnecting users during a specific time range\nSee supplementary content APPENDIX-A for a bash script for this example.\n\nThe script found in APPENDIX-A using the -l command can disable all users with\nrolcanlogin=t from logging in. The script keeps track of who it disables in a\n.restore_login file. 
After the specified time is over, the same script can be run\nwith the -r command to restore all login connections.\n\nThis script would be added to a cron job:\n\n# lock at 5 am every day of the week, month, year at the 0 minute mark.\n0 5 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -l\n# restore at 5 pm every day of the week, month, year at the 0 minute mark.\n0 17 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -r"},"code":" control 'V-73051' do\n describe 'For this CMS ARS 3.1 overlay, this control must be reviewed manually' do \n skip 'For this CMS ARS 3.1 overlay, this control must be reviewed manually'\n end\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73051.rb"},"results":[]},{"id":"V-73055","title":"PostgreSQL must map the PKI-authenticated identity to an associated user\naccount.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates. Once a PKI certificate has been validated, it \n must be mapped to PostgreSQL user account for the authenticated \n identity to be meaningful to PostgreSQL and useful for \n authorization decisions.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates. 
Once a PKI certificate has been validated, it \n must be mapped to PostgreSQL user account for the authenticated \n identity to be meaningful to PostgreSQL and useful for \n authorization decisions."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000177-DB-000069","gid":"V-73055","rid":"SV-87707r1_rule","stig_id":"PGS9-00-011800","cci":["CCI-000187"],"nist":["IA-5 (2) (c)","Rev_4"],"check":"The cn (Common Name) attribute of the certificate will be compared\nto the requested database user name, and if they match the login will be allowed.\n\nTo check the cn of the certificate, using openssl, do the following:\n\n$ openssl x509 -noout -subject -in client_cert\n\nIf the cn does not match the users listed in PostgreSQL and no user mapping is used,\nthis is a finding.\n\nUser name mapping can be used to allow cn to be different from the database user\nname. If User Name Maps are used, run the following as the database administrator\n(shown here as \"postgres\"), to get a list of maps used for authentication:\n\n$ sudo su - postgres\n$ grep \"map\" ${PGDATA?}/pg_hba.conf\n\nWith the names of the maps used, check those maps against the user name mappings in\npg_ident.conf:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_ident.conf\n\nIf user accounts are not being mapped to authenticated identities, this is a finding.\n\nIf the cn and the username mapping do not match, this is a finding.","fix":"Configure PostgreSQL to map authenticated identities directly to\nPostgreSQL user accounts.\n\nFor information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":" control 'V-73055' do\n desc 'The CMS standard for authentication is CMS-approved PKI \n certificates. 
Once a PKI certificate has been validated, it \n must be mapped to PostgreSQL user account for the authenticated \n identity to be meaningful to PostgreSQL and useful for \n authorization decisions.'\n end\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73055.rb"},"results":[]},{"id":"V-73057","title":"Database contents must be protected from unauthorized and unintended\ninformation transfer by enforcement of a data-transfer policy.","desc":"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls.","descriptions":[{"label":"default","data":"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. 
It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000243-DB-000128","gid":"V-73057","rid":"SV-87709r1_rule","stig_id":"PGS9-00-011900","cci":["CCI-001090"],"nist":["SC-4","Rev_4"],"check":"Review the procedures for the refreshing of development/test data\nfrom production.\n\nReview any scripts or code that exists for the movement of production data to\ndevelopment/test systems, or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations.\n\nIf the code that exists for data movement does not comply with the\norganization-defined data transfer policy and/or fails to remove any copies of\nproduction data from unprotected locations, this is a finding.","fix":"Modify any code used for moving data from production to\ndevelopment/test systems to comply with the organization-defined data transfer\npolicy, and to ensure copies of production data are not left in unsecured locations."},"code":"control \"V-73057\" do\n title \"Database contents must be protected from unauthorized and unintended\ninformation transfer by enforcement of a data-transfer policy.\"\n desc \"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. 
It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000243-DB-000128\"\n tag \"gid\": \"V-73057\"\n tag \"rid\": \"SV-87709r1_rule\"\n tag \"stig_id\": \"PGS9-00-011900\"\n tag \"cci\": [\"CCI-001090\"]\n tag \"nist\": [\"SC-4\", \"Rev_4\"]\n tag \"check\": \"Review the procedures for the refreshing of development/test data\nfrom production.\n\nReview any scripts or code that exists for the movement of production data to\ndevelopment/test systems, or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations.\n\nIf the code that exists for data movement does not comply with the\norganization-defined data transfer policy and/or fails to remove any copies of\nproduction data from unprotected locations, this is a finding.\"\n\n tag \"fix\": \"Modify any code used for moving data from production to\ndevelopment/test systems to comply with the organization-defined data transfer\npolicy, and to ensure copies of production data are not left in unsecured locations.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73057.rb"},"results":[]},{"id":"V-73061","title":"PostgreSQL must protect its audit configuration from unauthorized\n modification.","desc":"Protecting audit data also includes identifying and protecting the tools\n used to view and manipulate log data. 
Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators.","descriptions":[{"label":"default","data":"Protecting audit data also includes identifying and protecting the tools\n used to view and manipulate log data. Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000122-DB-000203","gid":"V-73061","rid":"SV-87713r1_rule","stig_id":"PGS9-00-012200","cci":["CCI-001494"],"nist":["AU-9","Rev_4"],"check":"All configurations for auditing and logging can be found in the\n postgresql.conf configuration file. 
By default, this file is owned by the\n database administrator account.\n\n To check that the permissions of the postgresql.conf are owned by the database\n administrator with permissions of 0600, run the following as the database\n administrator (shown here as \"postgres\"):\n\n $ sudo su - postgres\n $ ls -la ${PGDATA?}\n\n If postgresql.conf is not owned by the database administrator or does not\n have 0600 permissions, this is a finding.\n\n #### stderr Logging\n\n To check that logs are created with 0600 permissions, check the\n postgresql.conf file for the following setting:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_file_mode\"\n\n If permissions are not 0600, this is a finding.\n\n #### syslog Logging\n\n If PostgreSQL is configured to use syslog, verify that the logs are owned\n by root and have 0600 permissions. If they are not, this is a finding.","fix":"Apply or modify access controls and permissions (both within PostgreSQL\n and in the file system/operating system) to tools used to view or modify\n audit log data. Tools must be configurable by authorized personnel only.\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_file_mode = 0600\n\n Next, as the database administrator (shown here as \"postgres\"), change\n the ownership and permissions of configuration files in PGDATA:\n\n $ sudo su - postgres\n $ chown postgres:postgres ${PGDATA?}/*.conf\n $ chmod 0600 ${PGDATA?}/*.conf"},"code":"control \"V-73061\" do\n title \"PostgreSQL must protect its audit configuration from unauthorized\n modification.\"\n desc \"Protecting audit data also includes identifying and protecting the tools\n used to view and manipulate log data. 
Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000122-DB-000203\"\n tag \"gid\": \"V-73061\"\n tag \"rid\": \"SV-87713r1_rule\"\n tag \"stig_id\": \"PGS9-00-012200\"\n tag \"cci\": [\"CCI-001494\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n\n tag \"check\": \"All configurations for auditing and logging can be found in the\n postgresql.conf configuration file. By default, this file is owned by the\n database administrator account.\n\n To check that the permissions of the postgresql.conf are owned by the database\n administrator with permissions of 0600, run the following as the database\n administrator (shown here as \\\"postgres\\\"):\n\n $ sudo su - postgres\n $ ls -la ${PGDATA?}\n\n If postgresql.conf is not owned by the database administrator or does not\n have 0600 permissions, this is a finding.\n\n #### stderr Logging\n\n To check that logs are created with 0600 permissions, check the\n postgresql.conf file for the following setting:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_file_mode\\\"\n\n If permissions are not 0600, this is a finding.\n\n #### syslog Logging\n\n If PostgreSQL is configured to use syslog, verify that the logs are owned\n by root and have 0600 permissions. 
If they are not, this is a finding.\"\n\n tag \"fix\": \"Apply or modify access controls and permissions (both within PostgreSQL\n and in the file system/operating system) to tools used to view or modify\n audit log data. Tools must be configurable by authorized personnel only.\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_file_mode = 0600\n\n Next, as the database administrator (shown here as \\\"postgres\\\"), change\n the ownership and permissions of configuration files in PGDATA:\n\n $ sudo su - postgres\n $ chown postgres:postgres ${PGDATA?}/*.conf\n $ chmod 0600 ${PGDATA?}/*.conf\"\n\n describe file(PG_CONF_FILE) do\n it { should be_file }\n its('mode') { should cmp '0600' }\n end\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_destination_query = sql.query('SHOW log_destination;', [PG_DB])\n log_destination = log_destination_query.output\n\n if log_destination =~ /stderr/i\n describe sql.query('SHOW log_file_mode;', [PG_DB]) do\n its('output') { should cmp '0600' }\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73061.rb"},"results":[]},{"id":"V-73063","title":"PostgreSQL must use NIST FIPS 140-2 validated cryptographic modules for\n cryptographic operations.","desc":"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. 
Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules.","descriptions":[{"label":"default","data":"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. 
Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000179-DB-000114","gid":"V-73063","rid":"SV-87715r1_rule","stig_id":"PGS9-00-012300","cci":["CCI-000803"],"nist":["IA-7","Rev_4"],"check":"As the system administrator, run the following:\n\n $ openssl version\n If \"fips\" is not included in the openssl version, this is a finding.","fix":"Configure OpenSSL to meet FIPS Compliance using the following\n documentation in section 9.1:\n\n http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf\n\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G."},"code":"control \"V-73063\" do\n title \"PostgreSQL must use NIST FIPS 140-2 validated cryptographic modules for\n cryptographic operations.\"\n desc \"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. 
Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules.\"\n impact 0.7\n tag \"severity\": \"high\"\n\n tag \"gtitle\": \"SRG-APP-000179-DB-000114\"\n tag \"gid\": \"V-73063\"\n tag \"rid\": \"SV-87715r1_rule\"\n tag \"stig_id\": \"PGS9-00-012300\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n\n tag \"check\": \"As the system administrator, run the following:\n\n $ openssl version\n If \\\"fips\\\" is not included in the openssl version, this is a finding.\"\n\n tag \"fix\": \"Configure OpenSSL to meet FIPS Compliance using the following\n documentation in section 9.1:\n\n http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf\n\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G.\"\n\n only_if do\n command('openssl').exist?\n end\n\n describe command('openssl version') do\n its('stdout') { should include 'fips' }\n end\nend\n","source_location":{"line":87,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73063.rb"},"results":[]},{"id":"V-73065","title":"Audit records must be generated when categorized information (e.g.,\n classification levels/security levels) is deleted.","desc":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000502-DB-000348","gid":"V-73065","rid":"SV-87717r1_rule","stig_id":"PGS9-00-012500","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that role, read, write and ddl auditing are enabled:\n\n $ psql -c \"SHOW pgaudit.log\"\n\n If the output does not contain role, read, write, and ddl,\n this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations can be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73065\" do\n title \"Audit records must be generated when categorized information (e.g.,\n classification levels/security levels) is deleted.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000502-DB-000348\"\n tag \"gid\": \"V-73065\"\n tag \"rid\": \"SV-87717r1_rule\"\n tag \"stig_id\": \"PGS9-00-012500\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that role, read, write and ddl auditing are enabled:\n\n $ psql -c \\\"SHOW pgaudit.log\\\"\n\n If the output does not contain role, read, write, and ddl,\n this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on 
configuring\n PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations can be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73065.rb"},"results":[]},{"id":"V-73067","title":"PostgreSQL must generate audit records when successful accesses to\n objects occur.","desc":"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUT.","descriptions":[{"label":"default","data":"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, 
and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUT."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000507-DB-000356","gid":"V-73067","rid":"SV-87719r1_rule","stig_id":"PGS9-00-012600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that role, read, write, and ddl auditing are enabled:\n\n $ psql -c \"SHOW pgaudit.log\"\n\n If the output does not contain read and write, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n If logging is enabled the following configurations must be made to log\n unsuccessful connections, date/time, username and session identifier.\n\n As the database administrator (shown here as \"postgres\"),\n edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Edit the following parameters:\n\n log_connections = on\n log_line_prefix = '< %m %u %c: >'\n pgaudit.log = 'read, write'\n\n Where:\n * %m is the time and date\n * %u is the username\n * %c is the session ID for the connection\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73067\" do\n title \"PostgreSQL must generate audit records when successful accesses to\n objects occur.\"\n desc 
\"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUT.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000507-DB-000356\"\n tag \"gid\": \"V-73067\"\n tag \"rid\": \"SV-87719r1_rule\"\n tag \"stig_id\": \"PGS9-00-012600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that role, read, write, and ddl auditing are enabled:\n\n $ psql -c \\\"SHOW pgaudit.log\\\"\n\n If the output does not contain read and write, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n If logging is enabled the following configurations must be made to log\n unsuccessful connections, date/time, username and session identifier.\n\n As the database administrator (shown here as \\\"postgres\\\"),\n edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Edit the following parameters:\n\n log_connections = on\n log_line_prefix = '< %m %u %c: >'\n pgaudit.log = 'read, write'\n\n Where:\n * %m is the time and date\n * %u is the username\n * %c is the session ID for the connection\n\n Now, as the system administrator, reload the server with the new\n 
configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = ['read', 'write']\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73067.rb"},"results":[]},{"id":"V-73069","title":"PostgreSQL must generate audit records for all direct access to the\n database(s).","desc":"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. Examples would be the command line or a database management\n utility program. The intent is to capture all activity from administrative\n and non-standard sources.","descriptions":[{"label":"default","data":"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. Examples would be the command line or a database management\n utility program. 
The intent is to capture all activity from administrative\n and non-standard sources."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000508-DB-000358","gid":"V-73069","rid":"SV-87721r1_rule","stig_id":"PGS9-00-012700","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that connections and disconnections are being logged by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_connections\"\n $ psql -c \"SHOW log_disconnections\"\n\n If the output does not contain \"on\",\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations should be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73069\" do\n title \"PostgreSQL must generate audit records for all direct access to the\n database(s).\"\n desc \"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. Examples would be the command line or a database management\n utility program. The intent is to capture all activity from administrative\n and non-standard sources.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000508-DB-000358\"\n tag \"gid\": \"V-73069\"\n tag \"rid\": \"SV-87721r1_rule\"\n tag \"stig_id\": \"PGS9-00-012700\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that connections and disconnections are being logged by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_connections\\\"\n $ psql -c \\\"SHOW log_disconnections\\\"\n\n If the output does not contain \\\"on\\\",\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA 
environment\n variable. See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations should be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73069.rb"},"results":[]},{"id":"V-73071","title":"The DBMS must be configured on a platform that has a NIST certified\n FIPS 140-2 installation of OpenSSL.","desc":"Postgres uses OpenSSL for the underlying encryption layer. Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries.","descriptions":[{"label":"default","data":"Postgres uses OpenSSL for the underlying encryption layer. 
Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000179-DB-000114","gid":"V-73071","rid":"SV-87723r1_rule","stig_id":"PGS9-00-012800","cci":["CCI-000803"],"nist":["IA-7","Rev_4"],"check":"If the deployment incorporates a custom build of the operating\n system and Postgres guaranteeing the use of FIPS 140-2 compliant OpenSSL,\n this is not a finding.\n\n If PostgreSQL is not installed on Red Hat Enterprise Linux (RHEL),\n this is a finding.\n\n If FIPS encryption is not enabled, this is a finding.","fix":"Install Postgres with FIPS-compliant cryptography enabled on RHEL;\n or by other means ensure that FIPS 140-2 certified OpenSSL libraries are\n used by the DBMS."},"code":"control \"V-73071\" do\n title \"The DBMS must be configured on a platform that has a NIST certified\n FIPS 140-2 installation of OpenSSL.\"\n desc \"Postgres uses OpenSSL for the underlying encryption layer. Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. 
For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries.\"\n impact 0.7\n tag \"severity\": \"high\"\n\n tag \"gtitle\": \"SRG-APP-000179-DB-000114\"\n tag \"gid\": \"V-73071\"\n tag \"rid\": \"SV-87723r1_rule\"\n tag \"stig_id\": \"PGS9-00-012800\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n\n tag \"check\": \"If the deployment incorporates a custom build of the operating\n system and Postgres guaranteeing the use of FIPS 140-2 compliant OpenSSL,\n this is not a finding.\n\n If PostgreSQL is not installed on Red Hat Enterprise Linux (RHEL),\n this is a finding.\n\n If FIPS encryption is not enabled, this is a finding.\"\n\n # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Federal_Standards_and_Regulations.html\n\n # fips=1 kernel option to the kernel command line during system\n # installation.\n\n # PRELINKING=no option in the /etc/sysconfig/prelink\n # run\n\n # yum install dracut-fips\n # For the CPUs with the AES New Instructions (AES-NI) support, install the\n # vdracut-fips-aesni package as well:\n\n # in the CM:\n # To disable existing prelinking on all system files, use the\n # prelink -u -a command.\n\n tag \"fix\": \"Install Postgres with FIPS-compliant cryptography enabled on RHEL;\n or by other means ensure that FIPS 140-2 certified OpenSSL libraries are\n used by the DBMS.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73071.rb"},"results":[]},{"id":"V-73123","title":"PostgreSQL must produce audit records containing sufficient information\n to establish where the events occurred.","desc":"Information system auditing capability is critical for accurate forensic\n analysis. 
Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\n analysis. Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000097-DB-000041","gid":"V-73123","rid":"SV-87775r1_rule","stig_id":"PGS9-00-007100","cci":["CCI-000132"],"nist":["AU-3","Rev_4"],"check":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n First, as the database administrator (shown here as \"postgres\"), check the\n current log_line_prefix setting by running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n\n If log_line_prefix 
does not contain %m %u %d %s, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n To check that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First edit the postgresql.conf file as the database administrator (shown here\n as \"postgres\"):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Extra parameters can be added to the setting log_line_prefix to log application\n related information:\n\n # %a = application name\n # %u = user name\n # %d = database name\n # %r = remote host and port\n # %p = process ID\n # %m = timestamp with milliseconds\n # %i = command tag\n # %s = session startup\n # %e = SQL state\n\n For example:\n log_line_prefix = '<%m %a %u %d %r %p %i %e %s>’\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73123\" do\n title \"PostgreSQL must produce audit records containing sufficient information\n to establish where the events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\n analysis. 
Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000097-DB-000041\"\n tag \"gid\": \"V-73123\"\n tag \"rid\": \"SV-87775r1_rule\"\n tag \"stig_id\": \"PGS9-00-007100\"\n tag \"cci\": [\"CCI-000132\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n\n tag \"check\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n First, as the database administrator (shown here as \\\"postgres\\\"), check the\n current log_line_prefix setting by running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_line_prefix\\\"\n\n If log_line_prefix does not contain %m %u %d %s, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n To check that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First edit the postgresql.conf file as the database administrator (shown here\n as \\\"postgres\\\"):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Extra parameters can be added to the setting log_line_prefix to log application\n related information:\n\n # %a = application name\n # %u = user name\n # %d = database name\n # %r = 
remote host and port\n # %p = process ID\n # %m = timestamp with milliseconds\n # %i = command tag\n # %s = session startup\n # %e = SQL state\n\n For example:\n log_line_prefix = '<%m %a %u %d %r %p %i %e %s>’\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73123.rb"},"results":[]}],"status":"loaded"},{"name":"crunchydata-postgres-stig","version":"1.0.0","sha256":"87cbf5c911e50ee9b609e5476a7e22ae111c8a041a4b2e4dbbf138af7cdfe7dd","title":"Crunchy PostgreSQL 9.5 Security Technical Implementation Guide InSpec profile","maintainer":"Yogesh Sharma , Aaron Lippold ","summary":"The Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Release Date: 2017-01-20 Version: 1 Publisher: DISA Source: STIG.DOD.MIL uri: http://iase.disa.mil","license":"Apache 2.0","copyright":"Crunchy Data","copyright_email":"info@crunchydata.com","supports":[],"attributes":[{"name":"pg_dba","options":{"description":"The postgres DBA user to access the test database"}},{"name":"pg_dba_password","options":{"description":"The password for the postgres DBA user"}},{"name":"pg_db","options":{"description":"The database used for tests"}},{"name":"pg_host","options":{"description":"The hostname or IP address used to connect to the database"}},{"name":"pg_port","options":{"description":"The port used to connect to the database"}},{"name":"pg_data_dir","options":{"description":"The postgres data directory"}},{"name":"pg_conf_file","options":{"description":"The postgres configuration file"}},{"name":"pg_user_defined_conf","options":{"description":"An additional postgres configuration file used to override default values"}},{"name":"pg_hba_conf_file","options":{"description":"The postgres hba configuration file"}},{"name":"pg_owner","options":{"description":"The system user of the postgres process"}},{"name":"pg_superusers","options":{"description":"Authorized superuser accounts"}},{"name":"pg_replicas","options":{"description":"List of postgres replicas in CIDR notation"}},{"name":"pg_max_connections","options":{"description":"The maximum number of connections a user can have open at one time"}},{"name":"pg_group","options":{"description":"The system group of the postgres process"}},{"name":"pg_timezone","options":{"description":"PostgreSQL timezone"}},{"name":"pg_version","options":{"description":"The version of postgres"}},{"name":"pg_shared_dirs","options":{"description":"defines the locations of the postgresql shared library directories"}},{"name":"pg_object_granted_privileges","options":{"description":"Privileges that can be granted to a role for a database 
object","value":"arwdDxt"}},{"name":"pg_object_public_privileges","options":{"description":"Privileges that can be granted to public for a database object","value":"r"}},{"name":"pg_object_exceptions","options":{"description":"List of database objects that should be excepted from tests","value":["pg_settings"]}},{"name":"pg_users","options":{"description":"Authorized accounts","value":"postgres"}}],"parent_profile":"pgstigcheck-inspec","groups":[{"id":"controls/V-72841.rb","controls":["V-72841"]},{"id":"controls/V-72845.rb","controls":["V-72845"]},{"id":"controls/V-72849.rb","controls":["V-72849"]},{"id":"controls/V-72851.rb","controls":["V-72851"]},{"id":"controls/V-72857.rb","controls":["V-72857"]},{"id":"controls/V-72859.rb","controls":["V-72859"]},{"id":"controls/V-72861.rb","controls":["V-72861"]},{"id":"controls/V-72863.rb","controls":["V-72863"]},{"id":"controls/V-72865.rb","controls":["V-72865"]},{"id":"controls/V-72867.rb","controls":["V-72867"]},{"id":"controls/V-72869.rb","controls":["V-72869"]},{"id":"controls/V-72871.rb","controls":["V-72871"]},{"id":"controls/V-72873.rb","controls":["V-72873"]},{"id":"controls/V-72875.rb","controls":["V-72875"]},{"id":"controls/V-72877.rb","controls":["V-72877"]},{"id":"controls/V-72883.rb","controls":["V-72883"]},{"id":"controls/V-72887.rb","controls":["V-72887"]},{"id":"controls/V-72891.rb","controls":["V-72891"]},{"id":"controls/V-72893.rb","controls":["V-72893"]},{"id":"controls/V-72895.rb","controls":["V-72895"]},{"id":"controls/V-72897.rb","controls":["V-72897"]},{"id":"controls/V-72899.rb","controls":["V-72899"]},{"id":"controls/V-72901.rb","controls":["V-72901"]},{"id":"controls/V-72903.rb","controls":["V-72903"]},{"id":"controls/V-72905.rb","controls":["V-72905"]},{"id":"controls/V-72909.rb","controls":["V-72909"]},{"id":"controls/V-72911.rb","controls":["V-72911"]},{"id":"controls/V-72917.rb","controls":["V-72917"]},{"id":"controls/V-72919.rb","controls":["V-72919"]},{"id":"controls/V-72931.rb","controls":["V
-72931"]},{"id":"controls/V-72949.rb","controls":["V-72949"]},{"id":"controls/V-72953.rb","controls":["V-72953"]},{"id":"controls/V-72955.rb","controls":["V-72955"]},{"id":"controls/V-72957.rb","controls":["V-72957"]},{"id":"controls/V-72959.rb","controls":["V-72959"]},{"id":"controls/V-72961.rb","controls":["V-72961"]},{"id":"controls/V-72963.rb","controls":["V-72963"]},{"id":"controls/V-72965.rb","controls":["V-72965"]},{"id":"controls/V-72971.rb","controls":["V-72971"]},{"id":"controls/V-72973.rb","controls":["V-72973"]},{"id":"controls/V-72979.rb","controls":["V-72979"]},{"id":"controls/V-72981.rb","controls":["V-72981"]},{"id":"controls/V-72983.rb","controls":["V-72983"]},{"id":"controls/V-72987.rb","controls":["V-72987"]},{"id":"controls/V-72989.rb","controls":["V-72989"]},{"id":"controls/V-72991.rb","controls":["V-72991"]},{"id":"controls/V-72993.rb","controls":["V-72993"]},{"id":"controls/V-72995.rb","controls":["V-72995"]},{"id":"controls/V-72999.rb","controls":["V-72999"]},{"id":"controls/V-73001.rb","controls":["V-73001"]},{"id":"controls/V-73003.rb","controls":["V-73003"]},{"id":"controls/V-73005.rb","controls":["V-73005"]},{"id":"controls/V-73011.rb","controls":["V-73011"]},{"id":"controls/V-73013.rb","controls":["V-73013"]},{"id":"controls/V-73015.rb","controls":["V-73015"]},{"id":"controls/V-73017.rb","controls":["V-73017"]},{"id":"controls/V-73019.rb","controls":["V-73019"]},{"id":"controls/V-73021.rb","controls":["V-73021"]},{"id":"controls/V-73023.rb","controls":["V-73023"]},{"id":"controls/V-73025.rb","controls":["V-73025"]},{"id":"controls/V-73027.rb","controls":["V-73027"]},{"id":"controls/V-73029.rb","controls":["V-73029"]},{"id":"controls/V-73031.rb","controls":["V-73031"]},{"id":"controls/V-73033.rb","controls":["V-73033"]},{"id":"controls/V-73035.rb","controls":["V-73035"]},{"id":"controls/V-73037.rb","controls":["V-73037"]},{"id":"controls/V-73041.rb","controls":["V-73041"]},{"id":"controls/V-73045.rb","controls":["V-73045"]},{"id":"control
s/V-73047.rb","controls":["V-73047"]},{"id":"controls/V-73049.rb","controls":["V-73049"]},{"id":"controls/V-73051.rb","controls":["V-73051"]},{"id":"controls/V-73055.rb","controls":["V-73055"]},{"id":"controls/V-73057.rb","controls":["V-73057"]},{"id":"controls/V-73061.rb","controls":["V-73061"]},{"id":"controls/V-73063.rb","controls":["V-73063"]},{"id":"controls/V-73065.rb","controls":["V-73065"]},{"id":"controls/V-73067.rb","controls":["V-73067"]},{"id":"controls/V-73069.rb","controls":["V-73069"]},{"id":"controls/V-73071.rb","controls":["V-73071"]},{"id":"controls/V-73123.rb","controls":["V-73123"]}],"controls":[{"id":"V-72841","title":"PostgreSQL must be configured to prohibit or restrict the use of\n organization-defined functions, ports, protocols, and/or services, as\n defined in the PPSM CAL and vulnerability assessments.","desc":"In order to prevent unauthorized connection of devices, unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. 
Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system.","descriptions":[{"label":"default","data":"In order to prevent unauthorized connection of devices, unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. 
Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000142-DB-000094","gid":"V-72841","rid":"SV-87493r1_rule","stig_id":"PGS9-00-000100","cci":["CCI-000382","CCI-001762"],"nist":["CM-7 b","CM-7 (1) (b)","Rev_4"],"check":"As the database administrator, run the following SQL:\n\n $ psql -c \"SHOW port\"\n\n If the currently defined port configuration is deemed prohibited, this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To change the listening port of the database, as the database administrator,\n change the following setting in postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n\n Change the port parameter to the desired port.\n\n Next, restart the database:\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ service postgresql-9.5 restart\n\n Note: psql uses the default port 5432 by default. This can be changed by\n specifying the port with psql or by setting the PGPORT environment variable:\n\n $ psql -p 5432 -c \"SHOW port\"\n $ export PGPORT=5432"},"code":"control \"V-72841\" do\n title \"PostgreSQL must be configured to prohibit or restrict the use of\n organization-defined functions, ports, protocols, and/or services, as\n defined in the PPSM CAL and vulnerability assessments.\"\n desc \"In order to prevent unauthorized connection of devices, unauthorized\n transfer of information, or unauthorized tunneling (i.e., embedding of\n data types within data types), organizations must disable or restrict\n unused or unnecessary physical and logical ports/protocols/services on\n information systems.\n\n Applications are capable of providing a wide variety of functions and\n services. 
Some of the functions and services provided by default may\n not be necessary to support essential organizational operations.\n Additionally, it is sometimes convenient to provide multiple services\n from a single component (e.g., email and web services); however, doing\n so increases risk over limiting the services provided by any one component.\n\n To support the requirements and principles of least functionality, the\n application must support the organizational requirements providing only\n essential capabilities and limiting the use of ports, protocols, and/or\n services to only those required, authorized, and approved to conduct\n official business or to address authorized quality of life issues.\n\n Database Management Systems using ports, protocols, and services deemed\n unsafe are open to attack through those ports, protocols, and services.\n This can allow unauthorized access to the database and through the\n database to other components of the information system.\"\n impact 0.5\n \n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000142-DB-000094\"\n tag \"gid\": \"V-72841\"\n tag \"rid\": \"SV-87493r1_rule\"\n tag \"stig_id\": \"PGS9-00-000100\"\n tag \"cci\": [\"CCI-000382\",\"CCI-001762\"]\n tag \"nist\": [\"CM-7 b\", \"CM-7 (1) (b)\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, run the following SQL:\n\n $ psql -c \\\"SHOW port\\\"\n\n If the currently defined port configuration is deemed prohibited, this is a\n finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To change the listening port of the database, as the database administrator,\n change the following setting in postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n\n Change the port parameter to the desired port.\n\n Next, restart the database:\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ service postgresql-9.5 restart\n\n Note: psql uses the default port 5432 by default. This can be changed by\n specifying the port with psql or by setting the PGPORT environment variable:\n\n $ psql -p 5432 -c \\\"SHOW port\\\"\n $ export PGPORT=5432\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW port;', [PG_DB]) do\n its('output') { should eq PG_PORT }\n end\n\n describe port(PG_PORT) do\n it { should be_listening }\n its('processes') { should include 'postgres' }\n end\nend\n","source_location":{"line":48,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72841.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW port; output should eq \"5432\"","run_time":0.000445739,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"5432\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1,2 +1,5 @@\n-5432\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"Port 5432 should be listening","run_time":0.054056706,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Port 5432.listening?` to return true, got false"},{"status":"failed","code_desc":"Port 5432 processes should include 
\"postgres\"","run_time":0.000394734,"start_time":"2019-04-22T19:23:23+00:00","message":"expected [] to include \"postgres\""}]},{"id":"V-72845","title":"Security-relevant software updates to PostgreSQL must be installed\n within the time period directed by an authoritative source (e.g., IAVM, CTOs,\n DTMs, and STIGs).","desc":"Security flaws with software applications, including database\n management systems, are discovered daily. Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. 
The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs).","descriptions":[{"label":"default","data":"Security flaws with software applications, including database\n management systems, are discovered daily. Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. 
The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs)."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000456-DB-000390","gid":"V-72845","rid":"SV-87497r1_rule","stig_id":"PGS9-00-000300","cci":["CCI-002605"],"nist":["SI-2 c","Rev_4"],"check":"If new packages are available for PostgreSQL, they can be\n reviewed in the package manager appropriate for the server operating system:\n To list the version of installed PostgreSQL using psql:\n $ sudo su - postgres\n $ psql -–version\n To list the current version of software for RPM:\n $ rpm -qa | grep postgres\n To list the current version of software for APT:\n $ apt-cache policy postgres\n All versions of PostgreSQL will be listed on:\n http://www.postgresql.org/support/versioning/\n All security-relevant software updates for PostgreSQL will be listed on:\n http://www.postgresql.org/support/security/\n If PostgreSQL is not at the latest version, this is a finding.\n If PostgreSQL is not at the latest version and the evaluated version has CVEs\n (IAVAs), then this is a CAT I finding.","fix":"Institute and adhere to policies and procedures to ensure that\n patches are consistently applied to PostgreSQL within the time allowed."},"code":" control \"V-72845\" do\n title \"Security-relevant software updates to PostgreSQL must be installed\n within the time period directed by an authoritative source (e.g., IAVM, CTOs,\n DTMs, and STIGs).\"\n desc \"Security flaws with software applications, including database\n management systems, are discovered daily. 
Vendors are constantly updating and\n patching their products to address newly discovered security vulnerabilities.\n Organizations (including any contractor to the organization) are required to\n promptly install security-relevant software updates (e.g., patches, service\n packs, and hot fixes). Flaws discovered during security assessments,\n continuous monitoring, incident response activities, or information system\n error handling must also be addressed expeditiously. Organization-defined\n time periods for updating security-relevant software may vary based on a\n variety of factors including, for example, the security category of the\n information system or the criticality of the update (i.e., severity of the\n vulnerability related to the discovered flaw). This requirement will apply\n to software patch management solutions that are used to install patches across\n the enclave and also to applications themselves that are not part of that p\n atch management solution. For example, many browsers today provide the\n capability to install their own patch software. Patch criticality, as well as\n system criticality, will vary. Therefore, the tactical situations regarding\n the patch management process will also vary. This means that the time period\n utilized must be a configurable parameter. Time frames for application of\n security-relevant software updates may be dependent upon the Information\n Assurance Vulnerability Management (IAVM) process. The application will\n be configured to check for and install security-relevant software updates\n within an identified time period from the availability of the update. 
The\n specific time period will be defined by an authoritative source (e.g., IAVM,\n CTOs, DTMs, and STIGs).\"\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000456-DB-000390\"\n tag \"gid\": \"V-72845\"\n tag \"rid\": \"SV-87497r1_rule\"\n tag \"stig_id\": \"PGS9-00-000300\"\n tag \"cci\": [\"CCI-002605\"]\n tag \"nist\": [\"SI-2 c\", \"Rev_4\"]\n\n tag \"check\": \"If new packages are available for PostgreSQL, they can be\n reviewed in the package manager appropriate for the server operating system:\n To list the version of installed PostgreSQL using psql:\n $ sudo su - postgres\n $ psql -–version\n To list the current version of software for RPM:\n $ rpm -qa | grep postgres\n To list the current version of software for APT:\n $ apt-cache policy postgres\n All versions of PostgreSQL will be listed on:\n http://www.postgresql.org/support/versioning/\n All security-relevant software updates for PostgreSQL will be listed on:\n http://www.postgresql.org/support/security/\n If PostgreSQL is not at the latest version, this is a finding.\n If PostgreSQL is not at the latest version and the evaluated version has CVEs\n (IAVAs), then this is a CAT I finding.\"\n\n tag \"fix\": \"Institute and adhere to policies and procedures to ensure that\n patches are consistently applied to PostgreSQL within the time allowed.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72845.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":1.4693e-05,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72849","title":"PostgreSQL must integrate with an organization-level\n authentication/access mechanism providing account management and automation\n for all users, groups, roles, and any other principals.","desc":"Enterprise environments 
make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements.","descriptions":[{"label":"default","data":"Enterprise environments make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. 
Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000023-DB-000001","gid":"V-72849","rid":"SV-87501r1_rule","stig_id":"PGS9-00-000500","cci":["CCI-000015"],"nist":["AC-2 (1)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. 
If all accounts are authenticated by the organization-level\n authentication/access mechanism, such as LDAP or Kerberos and not by\n PostgreSQL, this is not a finding. As the database administrator (shown here\n as \"postgres\"), review pg_hba.conf authentication file settings:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n All records must use an auth-method of gss, sspi, or ldap. For details on the\n specifics of these authentication methods see:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n If there are any records with a different auth-method than gss, sspi, or ldap,\n review the system documentation for justification and approval of these records.\n If there are any records with a different auth-method than gss, sspi, or ldap,\n that are not documented and approved, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. Integrate PostgreSQL security with an organization-level\n authentication/access mechanism providing account management for all users,\n groups, roles, and any other principals. As the database administrator (shown\n here as \"postgres\"), edit pg_hba.conf authentication file:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n\n For each PostgreSQL-managed account that is not documented and approved,\n either transfer it to management by the external mechanism, or document the\n need for it and obtain approval, as appropriate."},"code":"control \"V-72849\" do\n title \"PostgreSQL must integrate with an organization-level\n authentication/access mechanism providing account management and automation\n for all users, groups, roles, and any other principals.\"\n desc \"Enterprise environments make account management for applications and\n databases challenging and complex. A manual process for account management\n functions adds the risk of a potential oversight or other error. 
Managing\n accounts for the same person in multiple places is inefficient and prone to\n problems with consistency and synchronization. A comprehensive application\n account management process that includes automation helps to ensure that\n accounts designated as requiring attention are consistently and promptly\n addressed. Examples include, but are not limited to, using automation to take\n action on multiple accounts designated as inactive, suspended, or terminated,\n or by disabling accounts located in non-centralized account stores, such as\n multiple servers. Account management functions can also include: assignment of\n group or role membership; identifying account type; specifying user access\n authorizations (i.e., privileges); account removal, update, or termination;\n and administrative alerts. The use of automated mechanisms can include, for\n example: using email or text messaging to notify account managers when users\n are terminated or transferred; using the information system to monitor account\n usage; and using automated telephone notification to report atypical system\n account usage. PostgreSQL must be configured to automatically utilize\n organization-level account management functions, and these functions must\n immediately enforce the organization's current account policy. Automation may\n be comprised of differing technologies that when placed together contain an\n overall mechanism supporting an organization's automated account management\n requirements.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000023-DB-000001\"\n tag \"gid\": \"V-72849\"\n tag \"rid\": \"SV-87501r1_rule\"\n tag \"stig_id\": \"PGS9-00-000500\"\n tag \"cci\": [\"CCI-000015\"]\n tag \"nist\": [\"AC-2 (1)\", \"Rev_4\"]\n\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. 
If all accounts are authenticated by the organization-level\n authentication/access mechanism, such as LDAP or Kerberos and not by\n PostgreSQL, this is not a finding. As the database administrator (shown here\n as \\\"postgres\\\"), review pg_hba.conf authentication file settings:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n All records must use an auth-method of gss, sspi, or ldap. For details on the\n specifics of these authentication methods see:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n If there are any records with a different auth-method than gss, sspi, or ldap,\n review the system documentation for justification and approval of these records.\n If there are any records with a different auth-method than gss, sspi, or ldap,\n that are not documented and approved, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. Integrate PostgreSQL security with an organization-level\n authentication/access mechanism providing account management for all users,\n groups, roles, and any other principals. 
As the database administrator (shown\n here as \\\"postgres\\\"), edit pg_hba.conf authentication file:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n\n For each PostgreSQL-managed account that is not documented and approved,\n either transfer it to management by the external mechanism, or document the\n need for it and obtain approval, as appropriate.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72849.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":9.497e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72851","title":"PostgreSQL must provide non-privileged users with error messages that\n provide information necessary for corrective actions without revealing\n information that could be exploited by adversaries.","desc":"Any PostgreSQL or associated application providing too much information\n in error messages on the screen or printout risks compromising the data\n and security of the system. The structure and content of error messages\n need to be carefully considered by the organization and development team.\n\n Databases can inadvertently provide a wealth of information to an\n attacker through improperly handled error messages. In addition to\n sensitive business or personal information, database errors can provide\n host names, IP addresses, user names, and other system information not\n required for troubleshooting but very useful to someone targeting the\n system.\n\n Carefully consider the structure/content of error messages. The extent\n to which information systems are able to identify and handle error\n conditions is guided by organizational policy and operational\n requirements. 
Information that could be exploited by adversaries\n includes, for example, logon attempts with passwords entered by mistake\n as the username, mission/business information that can be derived from\n (if not stated explicitly by) information recorded, and personal\n information, such as account numbers, social security numbers, and\n credit card numbers.","descriptions":[{"label":"default","data":"Any PostgreSQL or associated application providing too much information\n in error messages on the screen or printout risks compromising the data\n and security of the system. The structure and content of error messages\n need to be carefully considered by the organization and development team.\n\n Databases can inadvertently provide a wealth of information to an\n attacker through improperly handled error messages. In addition to\n sensitive business or personal information, database errors can provide\n host names, IP addresses, user names, and other system information not\n required for troubleshooting but very useful to someone targeting the\n system.\n\n Carefully consider the structure/content of error messages. The extent\n to which information systems are able to identify and handle error\n conditions is guided by organizational policy and operational\n requirements. 
Information that could be exploited by adversaries\n includes, for example, logon attempts with passwords entered by mistake\n as the username, mission/business information that can be derived from\n (if not stated explicitly by) information recorded, and personal\n information, such as account numbers, social security numbers, and\n credit card numbers."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000266-DB-000162","gid":"V-72851","rid":"SV-87503r1_rule","stig_id":"PGS9-00-000600","cci":["CCI-001312"],"nist":["SI-11 a","Rev_4"],"check":"As the database administrator, run the following SQL:\n\n SELECT current_setting('client_min_messages');\n\n If client_min_messages is *not* set to error, this is a finding.","fix":"As the database administrator, edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n Change the client_min_messages parameter to be error:\n client_min_messages = 'error'\n\n Now reload the server with the new configuration (this just reloads settings\n currently in memory, will not cause an interruption):\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ service postgresql-9.5 reload "},"code":"control \"V-72851\" do\n title \"PostgreSQL must provide non-privileged users with error messages that\n provide information necessary for corrective actions without revealing\n information that could be exploited by adversaries.\"\n desc \"Any PostgreSQL or associated application providing too much information\n in error messages on the screen or printout risks compromising the data\n and security of the system. The structure and content of error messages\n need to be carefully considered by the organization and development team.\n\n Databases can inadvertently provide a wealth of information to an\n attacker through improperly handled error messages. 
In addition to\n sensitive business or personal information, database errors can provide\n host names, IP addresses, user names, and other system information not\n required for troubleshooting but very useful to someone targeting the\n system.\n\n Carefully consider the structure/content of error messages. The extent\n to which information systems are able to identify and handle error\n conditions is guided by organizational policy and operational\n requirements. Information that could be exploited by adversaries\n includes, for example, logon attempts with passwords entered by mistake\n as the username, mission/business information that can be derived from\n (if not stated explicitly by) information recorded, and personal\n information, such as account numbers, social security numbers, and\n credit card numbers.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000266-DB-000162\"\n tag \"gid\": \"V-72851\"\n tag \"rid\": \"SV-87503r1_rule\"\n tag \"stig_id\": \"PGS9-00-000600\"\n tag \"cci\": [\"CCI-001312\"]\n tag \"nist\": [\"SI-11 a\", \"Rev_4\"]\n tag \"check\": \"As the database administrator, run the following SQL:\n\n SELECT current_setting('client_min_messages');\n\n If client_min_messages is *not* set to error, this is a finding.\"\n\n tag \"fix\": \"As the database administrator, edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi $PGDATA/postgresql.conf\n Change the client_min_messages parameter to be error:\n client_min_messages = 'error'\n\n Now reload the server with the new configuration (this just reloads settings\n currently in memory, will not cause an interruption):\n\n $ sudo su - postgres\n # SYSTEMD SERVER ONLY\n $ systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ service postgresql-9.5 reload \"\n\n default = postgres_conf(PG_CONF_FILE)\n override = postgres_conf(PG_USER_DEFINED_CONF)\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW client_min_messages;', [PG_DB]) 
do\n its('output') { should match /^error$/i }\n end\n\n cmm_conf = override.client_min_messages ? override : default\n describe cmm_conf do\n its('client_min_messages') { should match /^error$/i }\n end\nend\n","source_location":{"line":57,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72851.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW client_min_messages; output should match /^error$/i","run_time":0.000530832,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^error$/i\nDiff:\n@@ -1,2 +1,5 @@\n-/^error$/i\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72857","title":"If passwords are used for authentication, PostgreSQL must transmit only\n encrypted representations of passwords.","desc":"The CMS standard for authentication is CMS-approved \n PKI certificates.\n\n Authentication based on User ID and Password may be \n used only when it is not possible to employ a PKI \n certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all \n times, and encryption is the standard method for \n protecting passwords during transmission.\n\n PostgreSQL passwords sent in clear text format across \n the network are vulnerable to discovery by unauthorized \n users. 
Disclosure of passwords may easily lead to \n unauthorized access to the database.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved \n PKI certificates.\n\n Authentication based on User ID and Password may be \n used only when it is not possible to employ a PKI \n certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all \n times, and encryption is the standard method for \n protecting passwords during transmission.\n\n PostgreSQL passwords sent in clear text format across \n the network are vulnerable to discovery by unauthorized \n users. Disclosure of passwords may easily lead to \n unauthorized access to the database."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000172-DB-000075","gid":"V-72857","rid":"SV-87509r1_rule","stig_id":"PGS9-00-000800","cci":["CCI-000197"],"nist":["IA-5 (1) (c)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. As the database administrator (shown here as \"postgres\"), review\n the authentication entries in pg_hba.conf:\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n If any entries use the auth_method (last column in records) \"password\", this\n is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n As the database administrator (shown here as \"postgres\"), edit\n pg_hba.conf authentication file and change all entries of \"password\" to\n \"md5\":\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n host all all .example.com md5"},"code":"control \"V-72857\" do\n title \"If passwords are used for authentication, PostgreSQL must transmit only\n encrypted representations of passwords.\"\n desc \"The DoD standard for authentication is DoD-approved PKI certificates.\n Authentication based on User ID and Password may be used only when it is\n not possible to employ a PKI certificate, and requires AO approval.\n\n In such cases, passwords need to be protected at all times, and\n encryption is the standard method for protecting passwords during\n transmission.\n\n PostgreSQL passwords sent in clear text format across the network are\n vulnerable to discovery by unauthorized users. Disclosure of passwords\n may easily lead to unauthorized access to the database.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000172-DB-000075\"\n tag \"gid\": \"V-72857\"\n tag \"rid\": \"SV-87509r1_rule\"\n tag \"stig_id\": \"PGS9-00-000800\"\n tag \"cci\": [\"CCI-000197\"]\n tag \"nist\": [\"IA-5 (1) (c)\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA. As the database administrator (shown here as \\\"postgres\\\"), review\n the authentication entries in pg_hba.conf:\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n If any entries use the auth_method (last column in records) \\\"password\\\", this\n is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n As the database administrator (shown here as \\\"postgres\\\"), edit\n pg_hba.conf authentication file and change all entries of \\\"password\\\" to\n \\\"md5\\\":\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n host all all .example.com md5\"\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE) do\n its('auth_method') { should_not include 'password' }\n end\nend\n","source_location":{"line":32,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72857.rb"},"results":[{"status":"skipped","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf","run_time":7.38e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf","skip_message":"Can't find file: /var/lib/pgsql/9.5/data/pg_hba.conf"}]},{"id":"V-72859","title":"PostgreSQL must enforce approved authorizations for logical access to\n information and system resources in accordance with applicable access\n control policies.","desc":"Authentication with a CMS-approved PKI certificate does \n not necessarily imply authorization to access PostgreSQL. \n To mitigate the risk of unauthorized access to sensitive \n information by entities that have been issued certificates \n by CMS-approved PKIs, all CMS systems, including databases, \n must be properly configured to implement access control \n policies.\n\n Successful authentication must not automatically give an \n entity access to an asset or security boundary. \n Authorization procedures and controls must be implemented \n to ensure each authenticated entity also has a validated \n and current authorization. Authorization is the process \n of determining whether an entity, once authenticated, is \n permitted to access a specific asset. 
Information systems \n use access control policies and enforcement mechanisms to \n implement this requirement.\n\n Access control policies include identity-based policies, \n role-based policies, and attribute-based policies. Access \n enforcement mechanisms include access control lists, \n access control matrices, and cryptography. These policies \n and mechanisms must be employed by the application to \n control access between users (or processes acting on behalf \n of users) and objects (e.g., devices, files, records, \n processes, programs, and domains) in the information system.\n\n This requirement is applicable to access control enforcement \n applications, a category that includes database management \n systems. If PostgreSQL does not follow applicable policy when \n approving access, it may be in conflict with networks or other \n applications in the information system. This may result in \n users either gaining or being denied access inappropriately \n and in conflict with applicable policy.","descriptions":[{"label":"default","data":"Authentication with a CMS-approved PKI certificate does \n not necessarily imply authorization to access PostgreSQL. \n To mitigate the risk of unauthorized access to sensitive \n information by entities that have been issued certificates \n by CMS-approved PKIs, all CMS systems, including databases, \n must be properly configured to implement access control \n policies.\n\n Successful authentication must not automatically give an \n entity access to an asset or security boundary. \n Authorization procedures and controls must be implemented \n to ensure each authenticated entity also has a validated \n and current authorization. Authorization is the process \n of determining whether an entity, once authenticated, is \n permitted to access a specific asset. 
Information systems \n use access control policies and enforcement mechanisms to \n implement this requirement.\n\n Access control policies include identity-based policies, \n role-based policies, and attribute-based policies. Access \n enforcement mechanisms include access control lists, \n access control matrices, and cryptography. These policies \n and mechanisms must be employed by the application to \n control access between users (or processes acting on behalf \n of users) and objects (e.g., devices, files, records, \n processes, programs, and domains) in the information system.\n\n This requirement is applicable to access control enforcement \n applications, a category that includes database management \n systems. If PostgreSQL does not follow applicable policy when \n approving access, it may be in conflict with networks or other \n applications in the information system. This may result in \n users either gaining or being denied access inappropriately \n and in conflict with applicable policy."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000033-DB-000084","gid":"V-72859","rid":"SV-87511r1_rule","stig_id":"PGS9-00-000900","cci":["CCI-000213"],"nist":["AC-3","Rev_4"],"check":"From the system security plan or equivalent documentation,\n determine the appropriate permissions on database objects for each kind\n (group role) of user. If this documentation is missing, this is a finding.\n\n First, as the database administrator (shown here as \"postgres\"),\n check the privileges of all roles in the database by running the\n following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\du'\n\n Review all roles and their associated privileges. 
If any roles'\n privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n check the configured privileges for tables and columns by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\dp'\n\n Review all access privileges and column access privileges list.\n If any roles' privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n check the configured authentication settings in pg_hba.conf:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n Review all entries and their associated authentication methods.\n\n If any entries do not have their documented authentication requirements,\n this is a finding.","fix":"Create and/or maintain documentation of each group role's\n appropriate permissions on database objects.\n\n Implement these permissions in the database, and remove any permissions that\n exceed those documented.\n\n The following are examples of how to use role privileges in PostgreSQL to\n enforce access controls. For a complete list of privileges, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html\n\n #### Roles Example 1\n The following example demonstrates how to create an admin role with CREATEDB\n and CREATEROLE privileges.\n\n As the database administrator (shown here as \"postgres\"), run the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE admin WITH CREATEDB CREATEROLE\"\n\n #### Roles Example 2\n The following example demonstrates how to create a role with a password that\n expires and makes the role a member of the \"admin\" group.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE joe LOGIN ENCRYPTED PASSWORD 'stig2016!' 
VALID UNTIL\n'2016-09-20' IN ROLE admin\"\n\n #### Roles Example 3\n The following demonstrates how to revoke privileges from a role using REVOKE.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \"REVOKE admin FROM joe\"\n\n #### Roles Example 4\n The following demonstrates how to alter privileges in a role using ALTER.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \"ALTER ROLE joe NOLOGIN\"\n\n The following are examples of how to use grant privileges in PostgreSQL to\n enforce access controls on objects. For a complete list of privileges, see the\n official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-grant.html\n\n #### Grant Example 1\n The following example demonstrates how to grant INSERT on a table to a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT SELECT ON stig_test TO joe\"\n\n #### Grant Example 2\n The following example demonstrates how to grant ALL PRIVILEGES on a table to a\n role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT ALL PRIVILEGES ON stig_test TO joe\"\n\n #### Grant Example 3\n The following example demonstrates how to grant a role to a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"GRANT admin TO joe\"\n\n #### Revoke Example 1\n The following example demonstrates how to revoke access from a role.\n\n As the database administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"REVOKE admin FROM joe\"\n\n To change authentication requirements for the database, as the database\n administrator (shown here as \"postgres\"), edit pg_hba.conf:\n\n $ sudo su - postgres\n $ 
vi ${PGDATA?}/pg_hba.conf\n\n Edit authentication requirements to the organizational requirements. See the\n official documentation for the complete list of options for authentication:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n After changes to pg_hba.conf, reload the server:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72859\" do\n title \"PostgreSQL must enforce approved authorizations for logical access to\n information and system resources in accordance with applicable access\n control policies.\"\n desc \"Authentication with a DoD-approved PKI certificate does not necessarily\n imply authorization to access PostgreSQL. To mitigate the risk of\n unauthorized access to sensitive information by entities that have been\n issued certificates by DoD-approved PKIs, all DoD systems, including\n databases, must be properly configured to implement access control\n policies.\n\n Successful authentication must not automatically give an entity access\n to an asset or security boundary. Authorization procedures and controls\n must be implemented to ensure each authenticated entity also has a\n validated and current authorization. Authorization is the process of\n determining whether an entity, once authenticated, is permitted to\n access a specific asset. Information systems use access control policies\n and enforcement mechanisms to implement this requirement.\n\n Access control policies include identity-based policies, role-based\n policies, and attribute-based policies. 
Access enforcement mechanisms\n include access control lists, access control matrices, and cryptography.\n\n These policies and mechanisms must be employed by the application to\n control access between users (or processes acting on behalf of users)\n and objects (e.g., devices, files, records, processes, programs, and domains)\n in the information system.\n\n This requirement is applicable to access control enforcement applications,\n a category that includes database management systems. If PostgreSQL does\n not follow applicable policy when approving access, it may be in conflict\n with networks or other applications in the information system. This may\n result in users either gaining or being denied access inappropriately and\n in conflict with applicable policy.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000033-DB-000084\"\n tag \"gid\": \"V-72859\"\n tag \"rid\": \"SV-87511r1_rule\"\n tag \"stig_id\": \"PGS9-00-000900\"\n tag \"cci\": [\"CCI-000213\"]\n tag \"nist\": [\"AC-3\", \"Rev_4\"]\n tag \"check\": \"From the system security plan or equivalent documentation,\n determine the appropriate permissions on database objects for each kind\n (group role) of user. If this documentation is missing, this is a finding.\n\n First, as the database administrator (shown here as \\\"postgres\\\"),\n check the privileges of all roles in the database by running the\n following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\\\du'\n\n Review all roles and their associated privileges. 
If any roles'\n privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \\\"postgres\\\"),\n check the configured privileges for tables and columns by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c '\\\\dp'\n\n Review all access privileges and column access privileges list.\n If any roles' privileges exceed those documented, this is a finding.\n\n Next, as the database administrator (shown here as \\\"postgres\\\"),\n check the configured authentication settings in pg_hba.conf:\n\n $ sudo su - postgres\n $ cat ${PGDATA?}/pg_hba.conf\n\n Review all entries and their associated authentication methods.\n\n If any entries do not have their documented authentication requirements,\n this is a finding.\"\n\n tag \"fix\": \"Create and/or maintain documentation of each group role's\n appropriate permissions on database objects.\n\n Implement these permissions in the database, and remove any permissions that\n exceed those documented.\n\n The following are examples of how to use role privileges in PostgreSQL to\n enforce access controls. For a complete list of privileges, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html\n\n #### Roles Example 1\n The following example demonstrates how to create an admin role with CREATEDB\n and CREATEROLE privileges.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"CREATE ROLE admin WITH CREATEDB CREATEROLE\\\"\n\n #### Roles Example 2\n The following example demonstrates how to create a role with a password that\n expires and makes the role a member of the \\\"admin\\\" group.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"CREATE ROLE joe LOGIN ENCRYPTED PASSWORD 'stig2016!' 
VALID UNTIL\n'2016-09-20' IN ROLE admin\\\"\n\n #### Roles Example 3\n The following demonstrates how to revoke privileges from a role using REVOKE.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \\\"REVOKE admin FROM joe\\\"\n\n #### Roles Example 4\n The following demonstrates how to alter privileges in a role using ALTER.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n$ psql -c \\\"ALTER ROLE joe NOLOGIN\\\"\n\n The following are examples of how to use grant privileges in PostgreSQL to\n enforce access controls on objects. For a complete list of privileges, see the\n official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-grant.html\n\n #### Grant Example 1\n The following example demonstrates how to grant INSERT on a table to a role.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"GRANT SELECT ON stig_test TO joe\\\"\n\n #### Grant Example 2\n The following example demonstrates how to grant ALL PRIVILEGES on a table to a\n role.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"GRANT ALL PRIVILEGES ON stig_test TO joe\\\"\n\n #### Grant Example 3\n The following example demonstrates how to grant a role to a role.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"GRANT admin TO joe\\\"\n\n #### Revoke Example 1\n The following example demonstrates how to revoke access from a role.\n\n As the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"REVOKE admin FROM joe\\\"\n\n To change authentication requirements for the database, as the database\n administrator (shown here as 
\\\"postgres\\\"), edit pg_hba.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n\n Edit authentication requirements to the organizational requirements. See the\n official documentation for the complete list of options for authentication:\n http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\n\n After changes to pg_hba.conf, reload the server:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n superuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\n\n authorized_owners = PG_SUPERUSERS\n owners = authorized_owners.join('|')\n\n object_granted_privileges = 'arwdDxtU'\n object_public_privileges = 'r'\n object_acl = \"^((((#{owners})=[#{object_granted_privileges}]+|\"\\\n \"=[#{object_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n object_acl_regex = Regexp.new(object_acl)\n\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind \"\\\n \"FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f') \"\\\n \"AND n.nspname !~ '^pg_' AND pg_catalog.pg_table_is_visible(c.oid);\"\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate;'\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n rows = sql.query(objects_sql, [database])\n if rows.methods.include?(:output) # Handle connection disabled on database\n objects = rows.lines\n\n objects.each do |obj|\n schema, 
object, type = obj.split('|')\n relacl_sql = \"SELECT pg_catalog.array_to_string(c.relacl, E','), \"\\\n \"n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE n.nspname = '#{schema}' AND c.relname = '#{object}' \"\\\n \"AND c.relkind = '#{type}';\"\n\n describe sql.query(relacl_sql, [database]) do\n its('output') { should match object_acl_regex }\n end\n # TODO: Add test for column acl\n end\n end\n end\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'local' } do\n its('user.uniq') { should cmp PG_OWNER }\n its('auth_method.uniq') { should_not cmp 'trust'}\n end\n\n describe.one do\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { database == 'replication' } do\n its('type.uniq') { should cmp 'host' }\n its('address.uniq.sort') { should cmp PG_REPLICAS.sort }\n its('user.uniq') { should cmp 'replication' }\n its('auth_method.uniq') { should cmp 'md5' }\n end\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { database == 'replication' } do\n its('type.uniq') { should cmp 'hostssl' }\n its('address.uniq.sort') { should cmp PG_REPLICAS.sort }\n its('user.uniq') { should cmp 'replication' }\n its('auth_method.uniq') { should cmp 'md5' }\n end\n end\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'host' } do\n its('auth_method.uniq') { should cmp 'md5'}\n end\nend\n","source_location":{"line":67,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72859.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = ''; output should not eq \"t\"","run_time":0.000196646,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = 'psql: could not connect to server: Connection refused'; output should not eq 
\"t\"","run_time":0.000162142,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should not eq \"t\"","run_time":0.000101768,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = '\tTCP/IP connections on port 5432?'; output should not eq \"t\"","run_time":9.6714e-05,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000510511,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored' AND c.relname = '' AND 
c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00042597,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: No such file or directory' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000420143,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), 
n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running locally and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000384456,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?' 
AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000411879,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000425741,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra 
command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"could\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000551135,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"not\" ignored' AND c.relname = '' AND 
c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000560403,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connect\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000515474,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra 
command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"to\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000434331,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and 
accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server:\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000525645,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"Connection\" ignored' AND c.relname = '' AND c.relkind = ''; output should match 
/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000517446,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"refused\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000421645,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" 
ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: Connection refused' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000499793,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000523775,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tTCP/IP connections on port 5432?' 
AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000580917,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000449786,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" 
ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"the\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000494377,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to 
server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00048682,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"running\" ignored' AND c.relname = '' AND c.relkind = 
''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000442291,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000384549,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 
@@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"host\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000408685,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument 
\"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000445202,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace 
WHERE n.nspname = 'psql: warning: extra command-line argument \"and\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00046165,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"accepting\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000431792,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 
5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: Connection refused' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000497911,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line 
argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000567918,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM 
pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tTCP/IP connections on port 5432?' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000459747,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000416799,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 
5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connections\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000433922,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT 
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000395823,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"port\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000465551,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" 
ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"5432?\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000490046,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: Connection refused' AND c.relname = '' AND c.relkind = ''; output should match 
/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000367029,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000493709,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" 
ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tTCP/IP connections on port 5432?' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000424856,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"skipped","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"local\"","run_time":7.505e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"local\"","skip_message":"Can't find file: /var/lib/pgsql/9.5/data/pg_hba.conf"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" type.uniq should cmp == \"host\"","run_time":0.000308601,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"host\"\n 
got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" address.uniq.sort should cmp == #","run_time":0.000284263,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: #\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" user.uniq should cmp == \"replication\"","run_time":0.000274893,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"replication\"\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" auth_method.uniq should cmp == \"md5\"","run_time":0.000235569,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"md5\"\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" type.uniq should cmp == \"hostssl\"","run_time":0.000240687,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"hostssl\"\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" address.uniq.sort should cmp == #","run_time":0.000250369,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: #\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" user.uniq should cmp == 
\"replication\"","run_time":0.000216713,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"replication\"\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with database == \"replication\" auth_method.uniq should cmp == \"md5\"","run_time":0.000250003,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"md5\"\n got: []\n\n(compared using `cmp` matcher)\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"skipped","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"host\"","run_time":7.361e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"host\"","skip_message":"Can't find file: /var/lib/pgsql/9.5/data/pg_hba.conf"}]},{"id":"V-72861","title":"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in\ntransmission.","desc":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. 
These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. 
These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000314-DB-000310","gid":"V-72861","rid":"SV-87513r1_rule","stig_id":"PGS9-00-001100","cci":["CCI-002264"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \"postgres\"), run the\n following SQL against each table that requires security labels:\n $ sudo su - postgres\n $ psql -c \"\\d+ .\"\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.","fix":"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n RLS policies can be very different depending on their use case. 
For one\n example of using RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-72861\" do\n title \"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in\ntransmission.\"\n desc \"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. 
These security\n labels may be assigned manually or during data processing, but, either way,\n it is imperative these assignments are maintained while the data is in storage.\n If the security labels are lost when the data is stored, there is the risk of\n a data compromise.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000314-DB-000310\"\n tag \"gid\": \"V-72861\"\n tag \"rid\": \"SV-87513r1_rule\"\n tag \"stig_id\": \"PGS9-00-001100\"\n tag \"cci\": [\"CCI-002264\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), run the\n following SQL against each table that requires security labels:\n $ sudo su - postgres\n $ psql -c \\\"\\\\d+ .\\\"\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.\"\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n RLS policies can be very different depending on their use case. 
For one\n example of using RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72861.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":5.887e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72863","title":"PostgreSQL must limit the number of concurrent sessions to an\n organization-defined number per user for all accounts and/or account types.","desc":"Database management includes the ability to control the number of users\n and user sessions utilizing PostgreSQL. Unlimited concurrent connections to\n PostgreSQL could allow a successful Denial of Service (DoS) attack by\n exhausting connection resources; and a system can also fail or be degraded by\n an overload of legitimate users. Limiting the number of concurrent sessions\n per user is helpful in reducing these risks.\n This requirement addresses concurrent session control for a single account.\n It does not address concurrent sessions by a single user via multiple system\n accounts; and it does not deal with the total number of sessions across all\n accounts.\n The capability to limit the number of concurrent sessions per user must be\n configured in or added to PostgreSQL (for example, by use of a logon trigger),\n when this is technically feasible. Note that it is not sufficient to limit\n sessions via a web server or application server alone, because legitimate\n users and adversaries can potentially connect to PostgreSQL by other means.\n The organization will need to define the maximum number of concurrent sessions\n by account type, by account, or a combination thereof. In deciding on the\n appropriate number, it is important to consider the work requirements of the\n various types of users. 
For example, 2 might be an acceptable limit for\n general users accessing the database via an application; but 10 might be too\n few for a database administrator using a database management GUI tool, where\n each query tab and navigation pane may count as a separate session.\n (Sessions may also be referred to as connections or logons, which for the\n purposes of this requirement are synonyms.)","descriptions":[{"label":"default","data":"Database management includes the ability to control the number of users\n and user sessions utilizing PostgreSQL. Unlimited concurrent connections to\n PostgreSQL could allow a successful Denial of Service (DoS) attack by\n exhausting connection resources; and a system can also fail or be degraded by\n an overload of legitimate users. Limiting the number of concurrent sessions\n per user is helpful in reducing these risks.\n This requirement addresses concurrent session control for a single account.\n It does not address concurrent sessions by a single user via multiple system\n accounts; and it does not deal with the total number of sessions across all\n accounts.\n The capability to limit the number of concurrent sessions per user must be\n configured in or added to PostgreSQL (for example, by use of a logon trigger),\n when this is technically feasible. Note that it is not sufficient to limit\n sessions via a web server or application server alone, because legitimate\n users and adversaries can potentially connect to PostgreSQL by other means.\n The organization will need to define the maximum number of concurrent sessions\n by account type, by account, or a combination thereof. In deciding on the\n appropriate number, it is important to consider the work requirements of the\n various types of users. 
For example, 2 might be an acceptable limit for\n general users accessing the database via an application; but 10 might be too\n few for a database administrator using a database management GUI tool, where\n each query tab and navigation pane may count as a separate session.\n (Sessions may also be referred to as connections or logons, which for the\n purposes of this requirement are synonyms.)"},{"label":"caveat","data":"Not applicable for this CMS ARS 3.1 overlay, \n since the related security control is not applied to this \n system categorization in CMS ARS 3.1"}],"impact":0.0,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000001-DB-000031","gid":"V-72863","rid":"SV-87515r1_rule","stig_id":"PGS9-00-001200","cci":["CCI-000054"],"nist":["AC-10","Rev_4"],"check":"To check the total amount of connections allowed by the database,\n as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW max_connections\"\n If the total amount of connections is greater than documented by\n an organization, this is a finding.\n To check the amount of connections allowed for each role, as the\n database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SELECT rolname, rolconnlimit from pg_authid\"\n If any roles have more connections configured than documented,\n this is a finding. 
A value of -1 indicates Unlimited, this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To configure the maximum amount of connections allowed to the\n database, as the database administrator (shown here as \"postgres\")\n change the following in postgresql.conf\n\n (the value 10 is an example; set the value to suit local conditions):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n max_connections = 10\n\n Next, restart the database:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart\n\n To limit the amount of connections allowed by a specific role,\n as the database administrator, run the following SQL:\n\n $ psql -c \"ALTER ROLE CONNECTION LIMIT 1\";"},"code":"control \"V-72863\" do\n title \"PostgreSQL must limit the number of concurrent sessions to an\n organization-defined number per user for all accounts and/or account types.\"\n desc \"Database management includes the ability to control the number of users\n and user sessions utilizing PostgreSQL. Unlimited concurrent connections to\n PostgreSQL could allow a successful Denial of Service (DoS) attack by\n exhausting connection resources; and a system can also fail or be degraded by\n an overload of legitimate users. Limiting the number of concurrent sessions\n per user is helpful in reducing these risks.\n This requirement addresses concurrent session control for a single account.\n It does not address concurrent sessions by a single user via multiple system\n accounts; and it does not deal with the total number of sessions across all\n accounts.\n The capability to limit the number of concurrent sessions per user must be\n configured in or added to PostgreSQL (for example, by use of a logon trigger),\n when this is technically feasible. 
Note that it is not sufficient to limit\n sessions via a web server or application server alone, because legitimate\n users and adversaries can potentially connect to PostgreSQL by other means.\n The organization will need to define the maximum number of concurrent sessions\n by account type, by account, or a combination thereof. In deciding on the\n appropriate number, it is important to consider the work requirements of the\n various types of users. For example, 2 might be an acceptable limit for\n general users accessing the database via an application; but 10 might be too\n few for a database administrator using a database management GUI tool, where\n each query tab and navigation pane may count as a separate session.\n (Sessions may also be referred to as connections or logons, which for the\n purposes of this requirement are synonyms..\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000001-DB-000031\"\n tag \"gid\": \"V-72863\"\n tag \"rid\": \"SV-87515r1_rule\"\n tag \"stig_id\": \"PGS9-00-001200\"\n tag \"cci\": [\"CCI-000054\"]\n tag \"nist\": [\"AC-10\", \"Rev_4\"]\n tag \"check\": 'To check the total amount of connections allowed by the database,\n as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW max_connections\"\n If the total amount of connections is greater than documented by\n an organization, this is a finding.\n To check the amount of connections allowed for each role, as the\n database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SELECT rolname, rolconnlimit from pg_authid\"\n If any roles have more connections configured than documented,\n this is a finding. 
A value of -1 indicates Unlimited, this is a\n finding.'\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To configure the maximum amount of connections allowed to the\n database, as the database administrator (shown here as \\\"postgres\\\")\n change the following in postgresql.conf\n\n (the value 10 is an example; set the value to suit local conditions):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n max_connections = 10\n\n Next, restart the database:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart\n\n To limit the amount of connections allowed by a specific role,\n as the database administrator, run the following SQL:\n\n $ psql -c \\\"ALTER ROLE CONNECTION LIMIT 1\\\";\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW max_connections;', [PG_DB]) do\n its('output') { should be <= PG_MAX_CONNECTIONS }\n end\n\n describe sql.query('SELECT rolname, rolconnlimit from pg_authid;', [PG_DB]) do\n its('output') { should_not include '-1' }\n end\nend\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72863.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW max_connections; output should be <= 100","run_time":0.000159815,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT rolname, rolconnlimit from pg_authid; output should not include \"-1\"","run_time":0.000187387,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-72865","title":"The role(s)/group(s) used to modify database structure (including but\n not necessarily limited to tables, indexes, storage, etc.) 
and logic\n modules (functions, trigger procedures, links to software external to\n PostgreSQL, etc.) must be restricted to authorized users.","desc":"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations.","descriptions":[{"label":"default","data":"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000362","gid":"V-72865","rid":"SV-87517r1_rule","stig_id":"PGS9-00-001300","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions\n on configuring PGDATA.\n\n As the database administrator (shown here as \"postgres\"),\n list all users and their permissions by running the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \"\\dp *.*\"\n\n Verify that all objects have the correct privileges. 
If they do\n not, this is a finding.\n\n Next, as the database administrator (shown here as \"postgres\"),\n verify the permissions of the database directory on the\n filesystem:\n\n $ ls -la ${PGDATA?}\n\n If permissions of the database directory are not limited to an\n authorized user account, this is a finding.","fix":"As the database administrator, revoke any permissions from a role\n that are deemed unnecessary by running the following SQL:\n\n ALTER ROLE bob NOCREATEDB;\n ALTER ROLE bob NOCREATEROLE;\n ALTER ROLE bob NOSUPERUSER;\n ALTER ROLE bob NOINHERIT;\n REVOKE SELECT ON some_function FROM bob;"},"code":"control \"V-72865\" do\n # @todo update the title of this control to something sane\n title \"The role(s)/group(s) used to modify database structure (including but\n not necessarily limited to tables, indexes, storage, etc.) and logic\n modules (functions, trigger procedures, links to software external to\n PostgreSQL, etc.) must be restricted to authorized users.\"\n desc \"If PostgreSQL were to allow any user to make changes to database\n structure or logic, those changes might be implemented without\n undergoing the appropriate testing and approvals that are part of a\n robust change management process.\n\n Accordingly, only qualified and authorized individuals must be allowed\n to obtain access to information system components for purposes of\n initiating changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000362\"\n tag \"gid\": \"V-72865\"\n tag \"rid\": \"SV-87517r1_rule\"\n tag \"stig_id\": \"PGS9-00-001300\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions\n on configuring PGDATA.\n\n As the database administrator (shown here as \\\"postgres\\\"),\n list all users and their permissions by running the following\n SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"\\\\dp *.*\\\"\n\n Verify that all objects have the correct privileges. If they do\n not, this is a finding.\n\n Next, as the database administrator (shown here as \\\"postgres\\\"),\n verify the permissions of the database directory on the\n filesystem:\n\n $ ls -la ${PGDATA?}\n\n If permissions of the database directory are not limited to an\n authorized user account, this is a finding.\"\n\n tag \"fix\": \"As the database administrator, revoke any permissions from a role\n that are deemed unnecessary by running the following SQL:\n\n ALTER ROLE bob NOCREATEDB;\n ALTER ROLE bob NOCREATEROLE;\n ALTER ROLE bob NOSUPERUSER;\n ALTER ROLE bob NOINHERIT;\n REVOKE SELECT ON some_function FROM bob;\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n owners = authorized_owners.join('|')\n\n object_granted_privileges = 'arwdDxtU'\n object_public_privileges = 'r'\n object_acl = \"^((((#{owners})=[#{object_granted_privileges}]+|\"\\\n \"=[#{object_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n object_acl_regex = Regexp.new(object_acl)\n\n pg_settings_acl = \"^((((#{owners})=[#{object_granted_privileges}]+|\"\\\n \"=rw)\\/\\\\w+,?)+)\\\\|pg_catalog\\\\|pg_settings\\\\|v\"\n pg_settings_acl_regex = Regexp.new(pg_settings_acl)\n\n tested = []\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind \"\\\n \"FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f');\"\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate;'\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n rows 
= sql.query(objects_sql, [database])\n if rows.methods.include?(:output) # Handle connection disabled on database\n objects = rows.lines\n\n objects.each do |obj|\n unless tested.include?(obj)\n schema, object, type = obj.split('|')\n relacl_sql = \"SELECT pg_catalog.array_to_string(c.relacl, E','), \"\\\n \"n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE n.nspname = '#{schema}' AND c.relname = '#{object}' \"\\\n \"AND c.relkind = '#{type}';\"\n\n sql_result=sql.query(relacl_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should match object_acl_regex }\n end\n\n describe sql_result do\n its('output') { should match pg_settings_acl_regex }\n end\n end\n # TODO: Add test for column acl\n tested.push(obj)\n end\n end\n end\n end\n\n describe directory(PG_DATA_DIR) do\n it { should be_directory }\n it { should be_owned_by PG_OWNER }\n its('mode') { should cmp '0700' }\n end\nend\n","source_location":{"line":62,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72865.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000331554,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument 
\"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000344967,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000333312,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument 
\\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.00032642,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM 
pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: No such file or directory' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000335652,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: No such file or directory' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000408991,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" 
ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running locally and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000357461,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running locally and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000387473,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not 
connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000340069,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON 
n.oid = c.relnamespace WHERE n.nspname = '\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000384907,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,6 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"could\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000422892,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument 
\"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"could\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000420344,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server 
running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"not\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000482524,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"not\" ignored' AND c.relname = '' AND c.relkind = ''; output 
should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000508549,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connect\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000455193,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match 
/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connect\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000422942,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument 
\"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"to\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00042504,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, 
c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"to\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000421662,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server:\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00052492,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line 
argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server:\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000519699,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line 
argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"Connection\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000431793,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP 
connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"Connection\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000423192,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"refused\" ignored' AND c.relname 
= '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000405946,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"refused\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000504317,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match 
/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: Connection refused' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000522668,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: 
extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: could not connect to server: Connection refused' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.00044096,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT 
pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000490375,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000551485,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra 
command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tTCP/IP connections on port 5432?' 
AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000460381,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = '\tTCP/IP connections on port 5432?' 
AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000499402,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,12 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"the\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00041881,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match 
/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"the\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.00043806,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" 
ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000423374,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"server\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000468692,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument 
\"running\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.00047757,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"running\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000437817,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP 
connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000531443,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line 
argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000407861,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server 
running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"host\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000486914,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument 
\"host\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000466816,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"and\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000452663,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host 
\\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"and\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000406882,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra 
command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"accepting\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000469526,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the 
server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"accepting\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000480162,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,13 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON 
n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connections\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000377544,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"connections\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000519933,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,9 
@@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"port\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000417705,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind 
FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"port\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000329224,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"5432?\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/","run_time":0.000371977,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match 
/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=[r]+)\\/\\w+,?)+|)\\|/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(c.relacl, E','), n.nspname, c.relname, c.relkind FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE n.nspname = 'psql: warning: extra command-line argument \"5432?\" ignored' AND c.relname = '' AND c.relkind = ''; output should match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/","run_time":0.000488232,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\nDiff:\n@@ -1,2 +1,9 @@\n-/^(((()=[arwdDxtU]+|=rw)\\/\\w+,?)+)\\|pg_catalog\\|pg_settings\\|v/\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Directory /var/lib/pgsql/9.5/data should be directory","run_time":0.000341766,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /var/lib/pgsql/9.5/data.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /var/lib/pgsql/9.5/data should be owned by \"postgres\"","run_time":0.000307519,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /var/lib/pgsql/9.5/data.owned_by?(\"postgres\")` to return true, got false"},{"status":"failed","code_desc":"Directory /var/lib/pgsql/9.5/data mode should cmp == \"0700\"","run_time":0.000306464,"start_time":"2019-04-22T19:23:23+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72865.rb:179:in `block (3 levels) in 
load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in 
`map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]}]},{"id":"V-72867","title":"PostgreSQL must uniquely identify and authenticate non-organizational\n users (or processes acting on behalf of non-organizational users).","desc":"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk assessment is used in determining the authentication needs\n of the organization.\n Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation.","descriptions":[{"label":"default","data":"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk assessment is used in determining the authentication needs\n of the organization.\n Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to 
federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000180-DB-000115","gid":"V-72867","rid":"SV-87519r1_rule","stig_id":"PGS9-00-001400","cci":["CCI-000804"],"nist":["IA-8","Rev_4"],"check":"PostgreSQL uniquely identifies and authenticates PostgreSQL\n users through the use of DBMS roles.\n To list all roles in the database, as the database administrator (shown here\n as \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"\\du\"\n If users are not uniquely identified as per organizational documentation, this\n is a finding.","fix":"To drop a role, as the database administrator (shown here as\n \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"DROP ROLE <role_name>\"\n To create a role, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"CREATE ROLE <role_name> LOGIN\"\n For the complete list of permissions allowed by roles, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html"},"code":"control \"V-72867\" do\n title \"PostgreSQL must uniquely identify and authenticate non-organizational\n users (or processes acting on behalf of non-organizational users).\"\n desc \"Non-organizational users include all information system users other\n than organizational users, which includes organizational employees or\n individuals the organization deems to have equivalent status of employees\n (e.g., contractors, guest researchers, individuals from allied nations).\n Non-organizational users must be uniquely identified and authenticated for all\n accesses other than those accesses explicitly identified and documented by the\n organization when related to the use of anonymous access, such as accessing a\n web server.\n Accordingly, a risk 
assessment is used in determining the authentication needs\n of the organization.\n Scalability, practicality, and security are simultaneously considered in\n balancing the need to ensure ease of use for access to federal information and\n information systems with the need to protect and adequately mitigate risk to\n organizational operations, organizational assets, individuals, other\n organizations, and the Nation.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000180-DB-000115\"\n tag \"gid\": \"V-72867\"\n tag \"rid\": \"SV-87519r1_rule\"\n tag \"stig_id\": \"PGS9-00-001400\"\n tag \"cci\": [\"CCI-000804\"]\n tag \"nist\": [\"IA-8\", \"Rev_4\"]\n tag \"check\": \"PostgreSQL uniquely identifies and authenticates PostgreSQL\n users through the use of DBMS roles.\n To list all roles in the database, as the database administrator (shown here\n as \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"\\\\du\\\"\n If users are not uniquely identified as per organizational documentation, this\n is a finding.\"\n tag \"fix\": \"To drop a role, as the database administrator (shown here as\n \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"DROP ROLE \\\"\n To create a role, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"CREATE ROLE LOGIN\\\"\n For the complete list of permissions allowed by roles, see the official\n documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_roles = PG_SUPERUSERS\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r where r.rolsuper;'\n describe sql.query(roles_sql, [PG_DB]) do\n its('lines.sort') { should cmp authorized_roles.sort }\n 
end\nend\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72867.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT r.rolname FROM pg_catalog.pg_roles r where r.rolsuper; lines.sort should cmp == []","run_time":0.000251992,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: []\n got: [\"\", \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\", \"\\tTCP/IP connections on port 5432?\", \"psql: could not connect to server: Connection refused\"]\n\n(compared using `cmp` matcher)\n"}]},{"id":"V-72869","title":"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in storage.","desc":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. 
If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. 
If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000311-DB-000308","gid":"V-72869","rid":"SV-87521r1_rule","stig_id":"PGS9-00-001700","cci":["CCI-002262"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \"postgres\"), run the\n following SQL against each table that requires security labels:\n\n $ sudo su - postgres\n $ psql -c \"\\d+ <schema_name>.<table_name>\"\n\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.","fix":"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n\n RLS policies can be very different depending on their use case. 
For one example\n of using RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-72869\" do\n title \"PostgreSQL must associate organization-defined types of security labels\n having organization-defined security label values with information in storage.\"\n desc \"Without the association of security labels to information, there is no\n basis for PostgreSQL to make security-related access-control decisions.\n Security labels are abstractions representing the basic properties or\n characteristics of an entity (e.g., subjects and objects) with respect to\n safeguarding information.\n These labels are typically associated with internal data structures (e.g.,\n tables, rows) within the database and are used to enable the implementation of\n access control and flow control policies, reflect special dissemination,\n handling or distribution instructions, or support other aspects of the\n information security policy.\n One example includes marking data as classified or FOUO. These security labels\n may be assigned manually or during data processing, but, either way, it is\n imperative these assignments are maintained while the data is in storage. 
If\n the security labels are lost when the data is stored, there is the risk of a\n data compromise.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000311-DB-000308\"\n tag \"gid\": \"V-72869\"\n tag \"rid\": \"SV-87521r1_rule\"\n tag \"stig_id\": \"PGS9-00-001700\"\n tag \"cci\": [\"CCI-002262\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), run the\n following SQL against each table that requires security labels:\n\n $ sudo su - postgres\n $ psql -c \\\"\\\\d+ .\\\"\n\n If security labeling is required and the results of the SQL above do not show\n a policy attached to the table, this is a finding.\n\n If security labeling is required and not implemented according to the system\n documentation, such as SSP, this is a finding.\n\n If security labeling requirements have been specified, but the security\n labeling is not implemented or does not reliably maintain labels on\n information in storage, this is a finding.\"\n\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\n GRANT, tables can have row security policies that restrict, on a per-user\n basis, which rows can be returned by normal queries or inserted, updated, or\n deleted by data modification commands. This feature is also known as Row-Level\n Security (RLS).\n\n RLS policies can be very different depending on their use case. 
For one example\n of using RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72869.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":6.943e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72871","title":"PostgreSQL must check the validity of all data inputs except those\n specifically identified by the organization.","desc":"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. 
Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. 
Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000160","gid":"V-72871","rid":"SV-87523r1_rule","stig_id":"PGS9-00-001800","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL code (trigger procedures, functions),\n application code, settings, column and field definitions, and constraints to\n determine whether the database is protected against invalid input.\n If code exists that allows invalid data to be acted upon or input into the\n database, this is a finding.\n\n If column/field definitions do not exist in the database, this is a finding.\n If columns/fields do not contain constraints and validity checking where\n required, this is a finding.\n\n Where a column/field is noted in the system documentation as necessarily\n free-form, even though its name and context suggest that it should be strongly\n typed and constrained, the absence of these protections is not a finding.\n Where a column/field is clearly identified by name, caption or context as\n Notes, Comments, Description, Text, etc., the absence of these protections is\n not a finding.\n\n Check application code that interacts with PostgreSQL for the use of prepared\n statements. 
If prepared statements are not used, this is a finding.","fix":"Modify database code to properly validate data before it is put\n into the database or acted upon by the database.\n\n Modify the database to contain constraints and validity checking on database\n columns and tables that require them for data integrity.\n\n Use prepared statements when taking user input.\n \n Do not allow general users direct console access to PostgreSQL."},"code":"control \"V-72871\" do\n title \"PostgreSQL must check the validity of all data inputs except those\n specifically identified by the organization.\"\n desc \"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to\n process that data. This results in unanticipated application behavior,\n potentially leading to an application or information system compromise.\n Invalid user input is one of the primary methods employed when attempting to\n compromise an application.\n With respect to database management systems, one class of threat is known as\n SQL Injection, or more generally, code injection. It takes advantage of the\n dynamic execution capabilities of various programming languages, including\n dialects of SQL. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n Even when no such hijacking takes place, invalid input that gets recorded in\n the database, whether accidental or malicious, reduces the reliability and\n usability of the system. Available protections include data types, referential\n constraints, uniqueness constraints, range checking, and application-specific\n logic. Application-specific logic can be implemented within the database in\n stored procedures and triggers, where appropriate.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure\n operation of databases that they must not be ignored. At a minimum, the DBA\n must attempt to obtain assurances from the development organization that this\n issue has been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000160\"\n tag \"gid\": \"V-72871\"\n tag \"rid\": \"SV-87523r1_rule\"\n tag \"stig_id\": \"PGS9-00-001800\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL code (trigger procedures, functions),\n application code, settings, column and field definitions, and constraints to\n determine whether the database is protected against invalid input.\n If code exists that allows invalid data to be acted upon or input into the\n database, this is a finding.\n\n If column/field definitions do not exist in the database, this is a finding.\n If columns/fields do not contain constraints and validity checking where\n required, this is a finding.\n\n Where a column/field is noted in the system documentation as necessarily\n free-form, even though its name and context suggest that it should be strongly\n typed and constrained, the absence of these protections is not a finding.\n Where a column/field is clearly identified by name, caption or context as\n Notes, Comments, Description, Text, etc., the absence of these protections is\n not a finding.\n\n Check application code that interacts with PostgreSQL for the use of prepared\n statements. 
If prepared statements are not used, this is a finding.\"\n\n tag \"fix\": \"Modify database code to properly validate data before it is put\n into the database or acted upon by the database.\n\n Modify the database to contain constraints and validity checking on database\n columns and tables that require them for data integrity.\n\n Use prepared statements when taking user input.\n \n Do not allow general users direct console access to PostgreSQL.\"\n\n only_if { false }\n \nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72871.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":5.339e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72873","title":"PostgreSQL and associated applications must reserve the use of dynamic\n code execution for situations that require it.","desc":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. 
Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. 
Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000391","gid":"V-72873","rid":"SV-87525r1_rule","stig_id":"PGS9-00-001900","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL source code (trigger procedures, functions)\n and application source code, to identify cases of dynamic code execution. 
Any\n user input should be handled through prepared statements.\n If dynamic code execution is employed in circumstances where the objective\n could practically be satisfied by static execution with strongly typed\n parameters, this is a finding.","fix":"Where dynamic code execution is employed in circumstances where\n the objective could practically be satisfied by static execution with strongly\n typed parameters, modify the code to do so."},"code":"control \"V-72873\" do\n title \"PostgreSQL and associated applications must reserve the use of dynamic\n code execution for situations that require it.\"\n desc \"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed\n dynamically, the attacker is then able to craft input strings that subvert the\n intent of the query. Potentially, the attacker can gain unauthorized access to\n data, including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and f\n unctions (and triggers).\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers, and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has\n been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000391\"\n tag \"gid\": \"V-72873\"\n tag \"rid\": \"SV-87525r1_rule\"\n tag \"stig_id\": \"PGS9-00-001900\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL source code (trigger procedures, functions)\n and application source code, to identify cases of dynamic code execution. Any\n user input should be handled through prepared statements.\n If dynamic code execution is employed in circumstances where the objective\n could practically be satisfied by static execution with strongly typed\n parameters, this is a finding.\"\n tag \"fix\": \"Where dynamic code execution is employed in circumstances where\n the objective could practically be satisfied by static execution with strongly\n typed parameters, modify the code to do so.\"\n\n only_if { false }\n \nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72873.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":4.996e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72875","title":"PostgreSQL and associated applications, when making use of dynamic code\n execution, must scan input data for invalid values that may indicate a code\n injection attack.","desc":"With respect to database 
management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. 
In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. Use case-insensitive comparisons when searching for these. Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker.","descriptions":[{"label":"default","data":"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. 
When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. 
Use case-insensitive comparisons when searching for these. Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000251-DB-000392","gid":"V-72875","rid":"SV-87527r1_rule","stig_id":"PGS9-00-002000","cci":["CCI-001310"],"nist":["SI-10","Rev_4"],"check":"Review PostgreSQL source code (trigger procedures, functions)\n and application source code to identify cases of dynamic code execution.\n If dynamic code execution is employed without protective measures against code\n injection, this is a finding.","fix":"Where dynamic code execution is used, modify the code to implement\n protections against code injection (IE: prepared statements)."},"code":"control \"V-72875\" do\n title \"PostgreSQL and associated applications, when making use of dynamic code\n execution, must scan input data for invalid values that may indicate a code i\n njection attack.\"\n desc \"With respect to database management systems, one class of threat is\n known as SQL Injection, or more generally, code injection. It takes advantage\n of the dynamic execution capabilities of various programming languages,\n including dialects of SQL. 
In such cases, the attacker deduces the manner in\n which SQL statements are being processed, either from inside knowledge or by\n observing system behavior in response to invalid inputs. When the attacker\n identifies scenarios where SQL queries are being assembled by application code\n (which may be within the database or separate from it) and executed dynamically,\n the attacker is then able to craft input strings that subvert the intent of the\n query. Potentially, the attacker can gain unauthorized access to data,\n including security settings, and severely corrupt or destroy the database.\n The principal protection against code injection is not to use dynamic execution\n except where it provides necessary functionality that cannot be utilized\n otherwise. Use strongly typed data items rather than general-purpose strings\n as input parameters to task-specific, pre-compiled stored procedures and\n functions (and triggers).When dynamic execution is necessary, ways to mitigate\n the risk include the following, which should be implemented both in the\n on-screen application and at the database level, in the stored procedures:\n -- Allow strings as input only when necessary.\n -- Rely on data typing to validate numbers, dates, etc. Do not accept invalid\n values. If substituting other values for them, think carefully about whether\n this could be subverted.\n -- Limit the size of input strings to what is truly necessary.\n -- If single quotes/apostrophes, double quotes, semicolons, equals signs,\n angle brackets, or square brackets will never be valid as input, reject them.\n -- If comment markers will never be valid as input, reject them. In SQL, these\n are -- or /* */\n -- If HTML and XML tags, entities, comments, etc., will never be valid,\n reject them.\n -- If wildcards are present, reject them unless truly necessary. 
In SQL these\n are the underscore and the percentage sign, and the word ESCAPE is also a clue\n that wildcards are in use.\n -- If SQL key words, such as SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER,\n DROP, ESCAPE, UNION, GRANT, REVOKE, DENY, MODIFY will never be valid, reject\n them. Use case-insensitive comparisons when searching for these. Bear in mind\n that some of these words, particularly Grant (as a person's name), could also\n be valid input.\n -- If there are range limits on the values that may be entered, enforce those\n limits.\n -- Institute procedures for inspection of programs for correct use of dynamic\n coding, by a party other than the developer.\n -- Conduct rigorous testing of program modules that use dynamic coding,\n searching for ways to subvert the intended use.\n -- Record the inspection and testing in the system documentation.\n -- Bear in mind that all this applies not only to screen input, but also to\n the values in an incoming message to a web service or to a stored procedure\n called by a software component that has not itself been hardened in these ways.\n Not only can the caller be subject to such vulnerabilities; it may itself be\n the attacker.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000251-DB-000392\"\n tag \"gid\": \"V-72875\"\n tag \"rid\": \"SV-87527r1_rule\"\n tag \"stig_id\": \"PGS9-00-002000\"\n tag \"cci\": [\"CCI-001310\"]\n tag \"nist\": [\"SI-10\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL source code (trigger procedures, functions)\n and application source code to identify cases of dynamic code execution.\n If dynamic code execution is employed without protective measures against code\n injection, this is a finding.\"\n tag \"fix\": \"Where dynamic code execution is used, modify the code to implement\n protections against code injection (IE: prepared statements).\"\n\n only_if { false }\n 
\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72875.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":1.7904e-05,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72877","title":"PostgreSQL must allocate audit record storage capacity in accordance\n with organization-defined audit record storage requirements.","desc":"In order to ensure sufficient storage capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. 
The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records.","descriptions":[{"label":"default","data":"In order to ensure sufficient storage capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. 
The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000357-DB-000316","gid":"V-72877","rid":"SV-87529r1_rule","stig_id":"PGS9-00-002100","cci":["CCI-001849"],"nist":["AU-4","Rev_4"],"check":"Investigate whether there have been any incidents where\n PostgreSQL ran out of audit log space since the last time the space was\n allocated or other corrective measures were taken.\n If there have been incidents where PostgreSQL ran out of audit log space,\n this is a finding.","fix":"Allocate sufficient audit file/table space to support peak demand."},"code":"control \"V-72877\" do\n title \"PostgreSQL must allocate audit record storage capacity in accordance\n with organization-defined audit record storage requirements.\"\n desc \"In order to ensure sufficient storage capacity for the audit logs,\n PostgreSQL must be able to allocate audit record storage capacity. 
Although\n another requirement (SRG-APP-000515-DB-000318) mandates that audit data be\n off-loaded to a centralized log management system, it remains necessary to\n provide space on the database server to serve as a buffer against outages and\n capacity limits of the off-loading mechanism.\n The task of allocating audit record storage capacity is usually performed\n during initial installation of PostgreSQL and is closely associated with the\n DBA and system administrator roles. The DBA or system administrator will\n usually coordinate the allocation of physical drive space with the application\n owner/installer and the application will prompt the installer to provide the\n capacity information, the physical location of the disk, or both.\n In determining the capacity requirements, consider such factors as: total\n number of users; expected number of concurrent users during busy periods;\n number and type of events being monitored; types and amounts of data being\n captured; the frequency/speed with which audit records are off-loaded to the\n central log management system; and any limitations that exist on PostgreSQL's\n ability to reuse the space formerly occupied by off-loaded records.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000357-DB-000316\"\n tag \"gid\": \"V-72877\"\n tag \"rid\": \"SV-87529r1_rule\"\n tag \"stig_id\": \"PGS9-00-002100\"\n tag \"cci\": [\"CCI-001849\"]\n tag \"nist\": [\"AU-4\", \"Rev_4\"]\n tag \"check\": \"Investigate whether there have been any incidents where\n PostgreSQL ran out of audit log space since the last time the space was\n allocated or other corrective measures were taken.\n If there have been incidents where PostgreSQL ran out of audit log space,\n this is a finding.\"\n tag \"fix\": \"Allocate sufficient audit file/table space to support peak demand.\"\n\n only_if { false }\n 
\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72877.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":4.949e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72883","title":"PostgreSQL must enforce discretionary access control policies, as\n defined by the data owner, over defined subjects and objects.","desc":"Discretionary Access Control (DAC) is based on the notion that\n individual users are \"owners\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. 
Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. While the older,\n more traditional definitions of discretionary access control require i\n dentity-based access control, that limitation is not required for this use of\n discretionary access control.","descriptions":[{"label":"default","data":"Discretionary Access Control (DAC) is based on the notion that\n individual users are \"owners\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. 
While the older,\n more traditional definitions of discretionary access control require i\n dentity-based access control, that limitation is not required for this use of\n discretionary access control."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000328-DB-000301","gid":"V-72883","rid":"SV-87535r1_rule","stig_id":"PGS9-00-002200","cci":["CCI-002165"],"nist":["AC-3 (4)","Rev_4"],"check":"Review system documentation to identify the required\n discretionary access control (DAC).\n\n Review the security configuration of the database and PostgreSQL. If\n applicable, review the security configuration of the application(s) using the\n database.\n\n If the discretionary access control defined in the documentation is not\n implemented in the security configuration, this is a finding.\n\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n\n To check the ownership of objects in the database, as the database\n administrator, run the following:\n $ sudo su - postgres\n $ psql -c \"\\dn *.*\"\n $ psql -c \"\\dt *.*\"\n $ psql -c \"\\ds *.*\"\n $ psql -c \"\\dv *.*\"\n $ psql -c \"\\df+ *.*\"\n If any role is given privileges to objects it should not have, this is a\n finding.","fix":"Implement the organization's DAC policy in the security\n configuration of the database and PostgreSQL, and, if applicable, the security\n configuration of the application(s) using the database.\n To GRANT privileges to roles, as the database administrator (shown here as\n \"postgres\"), run statements like the following examples:\n $ sudo su - postgres\n $ psql -c \"CREATE SCHEMA test\"\n $ psql -c \"GRANT CREATE ON SCHEMA test TO bob\"\n $ psql -c \"CREATE TABLE test.test_table(id INT)\"\n $ psql -c \"GRANT SELECT ON TABLE test.test_table TO bob\"\n To REVOKE privileges to roles, as the database administrator (shown here as\n \"postgres\"), run statements like the following examples:\n $ psql -c \"REVOKE 
SELECT ON TABLE test.test_table FROM bob\"\n $ psql -c \"REVOKE CREATE ON SCHEMA test FROM bob\""},"code":"control \"V-72883\" do\n title \"PostgreSQL must enforce discretionary access control policies, as\n defined by the data owner, over defined subjects and objects.\"\n desc \"Discretionary Access Control (DAC) is based on the notion that\n individual users are \\\"owners\\\" of objects and therefore have discretion over\n who should be authorized to access the object and in which mode (e.g., read or\n write). Ownership is usually acquired as a consequence of creating the object\n or via specified ownership assignment. DAC allows the owner to determine who\n will have access to objects they control. An example of DAC includes\n user-controlled table permissions.\n When discretionary access control policies are implemented, subjects are not\n constrained with regard to what actions they can take with information for\n which they have already been granted access. Thus, subjects that have been\n granted access to information are not prevented from passing (i.e., the\n subjects have the discretion to pass) the information to other subjects or\n objects.\n A subject that is constrained in its operation by Mandatory Access Control\n policies is still able to operate under the less rigorous constraints of this\n requirement. Thus, while Mandatory Access Control imposes constraints\n preventing a subject from passing information to another subject operating at\n a different sensitivity level, this requirement permits the subject to pass\n the information to any subject at the same sensitivity level.\n The policy is bounded by the information system boundary. Once the information\n is passed outside of the control of the information system, additional means\n may be required to ensure the constraints remain in effect. 
While the older,\n more traditional definitions of discretionary access control require i\n dentity-based access control, that limitation is not required for this use of\n discretionary access control.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000328-DB-000301\"\n tag \"gid\": \"V-72883\"\n tag \"rid\": \"SV-87535r1_rule\"\n tag \"stig_id\": \"PGS9-00-002200\"\n tag \"cci\": [\"CCI-002165\"]\n tag \"nist\": [\"AC-3 (4)\", \"Rev_4\"]\n tag \"check\": \"Review system documentation to identify the required\n discretionary access control (DAC).\n\n Review the security configuration of the database and PostgreSQL. If\n applicable, review the security configuration of the application(s) using the\n database.\n\n If the discretionary access control defined in the documentation is not\n implemented in the security configuration, this is a finding.\n\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n\n To check the ownership of objects in the database, as the database\n administrator, run the following:\n $ sudo su - postgres\n $ psql -c \\\"\\\\dn *.*\\\"\n $ psql -c \\\"\\\\dt *.*\\\"\n $ psql -c \\\"\\\\ds *.*\\\"\n $ psql -c \\\"\\\\dv *.*\\\"\n $ psql -c \\\"\\\\df+ *.*\\\"\n If any role is given privileges to objects it should not have, this is a\n finding.\"\n tag \"fix\": \"Implement the organization's DAC policy in the security\n configuration of the database and PostgreSQL, and, if applicable, the security\n configuration of the application(s) using the database.\n To GRANT privileges to roles, as the database administrator (shown here as\n \\\"postgres\\\"), run statements like the following examples:\n $ sudo su - postgres\n $ psql -c \\\"CREATE SCHEMA test\\\"\n $ psql -c \\\"GRANT CREATE ON SCHEMA test TO bob\\\"\n $ psql -c \\\"CREATE TABLE test.test_table(id INT)\\\"\n $ psql -c \\\"GRANT SELECT ON TABLE test.test_table TO bob\\\"\n To REVOKE privileges to 
roles, as the database administrator (shown here as\n \\\"postgres\\\"), run statements like the following examples:\n $ psql -c \\\"REVOKE SELECT ON TABLE test.test_table FROM bob\\\"\n $ psql -c \\\"REVOKE CREATE ON SCHEMA test FROM bob\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n types = %w(t s v) # tables, sequences views\n\n databases.each do |database|\n schemas_sql = ''\n functions_sql = ''\n\n if database == 'postgres'\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n else\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema';\"\n end\n\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n 
connection_error_regex = Regexp.new(connection_error)\n \n sql_result=sql.query(schemas_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n sql_result=sql.query(functions_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n types.each do |type|\n objects_sql = ''\n\n if database == 'postgres'\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}' \"\n \"AND n.nspname !~ '^pg_toast';\"\n else\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'\"\\\n \" AND n.nspname !~ '^pg_toast';\"\n end\n\n sql_result=sql.query(objects_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72883.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE 
pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000322267,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000723242,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM 
pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000336526,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.00067869,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket 
\\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000352746,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000742207,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database 
\"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000364659,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 
'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.00073809,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000312546,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket 
\"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000618711,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000375152,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 
5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000701119,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument 
\\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000469172,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE 
pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.001054598,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq 
\"\"","run_time":0.00061739,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.001067573,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently 
accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000453466,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: 
extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000834228,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line 
argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000421157,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN 
('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000972639,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq 
\"\"","run_time":0.000462214,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.001049916,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument 
\\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000401523,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: 
warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.00090887,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" 
and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000542736,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND 
n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000981339,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 
'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000509546,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000816256,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently 
accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000369401,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line 
argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000711019,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument 
\\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000287163,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND 
n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000577817,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000323683,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" 
ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000625541,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN 
pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000328947,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000687689,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not 
currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000348586,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.00061736,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 
'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.00028767,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000612196,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: 
warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"}]},{"id":"V-72887","title":"PostgreSQL must record time stamps, in audit records and application\n data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).","desc":"If time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC.","descriptions":[{"label":"default","data":"If time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000374-DB-000322","gid":"V-72887","rid":"SV-87539r1_rule","stig_id":"PGS9-00-002400","cci":["CCI-001890"],"nist":["AU-8 b","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n When a PostgreSQL cluster is initialized using initdb, the PostgreSQL cluster\n will be configured to use the same time zone as the target server.\n As the database administrator (shown here as \"postgres\"), check the current\n log_timezone setting by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_timezone\"\n log_timezone\n --------------\n UTC\n (1 row)\n If log_timezone is not set to the desired time zone, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To change log_timezone in postgresql.conf to use a different time zone for\n logs, as the database administrator (shown here as \"postgres\"), run the\n following:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_timezone='UTC'\n Next, restart the database:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart"},"code":"control \"V-72887\" do\n title \"PostgreSQL must record time stamps, in audit records and application\n data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).\"\n desc \"If time stamps are not consistently applied and there is no common time\n reference, it is difficult to perform forensic analysis.\n Time stamps generated by PostgreSQL must include date and time. 
Time is\n commonly expressed in Coordinated Universal Time (UTC), a modern continuation\n of Greenwich Mean Time (GMT), or local time with an offset from UTC.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000374-DB-000322\"\n tag \"gid\": \"V-72887\"\n tag \"rid\": \"SV-87539r1_rule\"\n tag \"stig_id\": \"PGS9-00-002400\"\n tag \"cci\": [\"CCI-001890\"]\n tag \"nist\": [\"AU-8 b\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n When a PostgreSQL cluster is initialized using initdb, the PostgreSQL cluster\n will be configured to use the same time zone as the target server.\n As the database administrator (shown here as \\\"postgres\\\"), check the current\n log_timezone setting by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_timezone\\\"\n log_timezone\n --------------\n UTC\n (1 row)\n If log_timezone is not set to the desired time zone, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To change log_timezone in postgresql.conf to use a different time zone for\n logs, as the database administrator (shown here as \\\"postgres\\\"), run the\n following:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_timezone='UTC'\n Next, restart the database:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl restart postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 restart\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW log_timezone;', [PG_DB]) do\n its('output') { should eq PG_TIMEZONE }\n end\nend\n","source_location":{"line":47,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72887.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_timezone; output should eq \"\"","run_time":0.000297003,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,5 @@\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72891","title":"PostgreSQL must allow only the ISSM (or individuals or roles appointed\n by the ISSM) to select which auditable events are to be audited.","desc":"Without the capability to restrict which roles and individuals can\n select which events are audited, unauthorized personnel may be able to prevent\n or interfere with the auditing of critical events.\n\n Suppression of auditing could permit an adversary to evade detection.\n\n Misconfigured audits can degrade the system's performance by overwhelming the\n audit log. 
Misconfigured audits may also make it more difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one.","descriptions":[{"label":"default","data":"Without the capability to restrict which roles and individuals can\n select which events are audited, unauthorized personnel may be able to prevent\n or interfere with the auditing of critical events.\n\n Suppression of auditing could permit an adversary to evade detection.\n\n Misconfigured audits can degrade the system's performance by overwhelming the\n audit log. Misconfigured audits may also make it more difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000090-DB-000065","gid":"V-72891","rid":"SV-87543r1_rule","stig_id":"PGS9-00-002600","cci":["CCI-000171"],"nist":["AU-12 b","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Check PostgreSQL settings and documentation to determine whether designated\n personnel are able to select which auditable events are being audited.\n As the database administrator (shown here as \"postgres\"), verify the\n permissions for PGDATA:\n $ ls -la ${PGDATA?}\n If anything in PGDATA is not owned by the database administrator, this is a\n finding.\n Next, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"\\du\"\n Review the role permissions, if any role is listed as superuser but should not\n have that access, this is a finding.","fix":"Configure PostgreSQL's settings to allow designated personnel to\n select which auditable events are audited.\n Using pgaudit allows administrators the flexibility to choose what they log.\n For an overview of the capabilities of pgaudit, see\n https://github.com/pgaudit/pgaudit.\n See supplementary content APPENDIX-B for documentation on installing pgaudit.\n See supplementary content APPENDIX-C for instructions on enabling logging.\n Only administrators/superuser can change PostgreSQL configurations. Access to\n the database administrator must be limited to designated personnel only.\n To ensure that postgresql.conf is owned by the database owner:\n $ chown postgres:postgres ${PGDATA?}/postgresql.conf\n $ chmod 600 ${PGDATA?}/postgresql.conf"},"code":"control \"V-72891\" do\n\n title \"PostgreSQL must allow only the ISSM (or individuals or roles appointed\n by the ISSM) to select which auditable events are to be audited.\"\n desc \"Without the capability to restrict which roles and individuals can\n select which events are audited, unauthorized personnel may be able to prevent\n or interfere with the auditing of critical events.\n\n Suppression of auditing could permit an adversary to evade detection.\n\n Misconfigured audits can degrade the system's performance by overwhelming the\n audit log. 
Misconfigured audits may also make it more difficult to establish,\n correlate, and investigate the events relating to an incident or identify those\n responsible for one.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000090-DB-000065\"\n tag \"gid\": \"V-72891\"\n tag \"rid\": \"SV-87543r1_rule\"\n tag \"stig_id\": \"PGS9-00-002600\"\n tag \"cci\": [\"CCI-000171\"]\n tag \"nist\": [\"AU-12 b\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Check PostgreSQL settings and documentation to determine whether designated\n personnel are able to select which auditable events are being audited.\n As the database administrator (shown here as \\\"postgres\\\"), verify the\n permissions for PGDATA:\n $ ls -la ${PGDATA?}\n If anything in PGDATA is not owned by the database administrator, this is a\n finding.\n Next, as the database administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"\\\\du\\\"\n Review the role permissions, if any role is listed as superuser but should not\n have that access, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL's settings to allow designated personnel to\n select which auditable events are audited.\n Using pgaudit allows administrators the flexibility to choose what they log.\n For an overview of the capabilities of pgaudit, see\n https://github.com/pgaudit/pgaudit.\n See supplementary content APPENDIX-B for documentation on installing pgaudit.\n See supplementary content APPENDIX-C for instructions on enabling logging.\n Only administrators/superuser can change PostgreSQL configurations. 
Access to\n the database administrator must be limited to designated personnel only.\n To ensure that postgresql.conf is owned by the database owner:\n $ chown postgres:postgres ${PGDATA?}/postgresql.conf\n $ chmod 600 ${PGDATA?}/postgresql.conf\"\n\n describe directory(PG_DATA_DIR) do\n it { should be_directory }\n it { should be_owned_by PG_OWNER }\n its('mode') { should cmp '0700' }\n end\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n superuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\nend\n","source_location":{"line":57,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72891.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = ''; output should not eq \"t\"","run_time":0.000101209,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = 'psql: could not connect to server: Connection refused'; output should not eq \"t\"","run_time":0.000125904,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should not eq \"t\"","run_time":0.000134212,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = '\tTCP/IP connections on port 5432?'; output should not eq 
\"t\"","run_time":8.7993e-05,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-72893","title":"PostgreSQL must provide an immediate real-time alert to appropriate\n support staff of all audit failure events requiring real-time alerts.","desc":"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert o\n ccurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. The term \"the system\" is used to encompass all of these.","descriptions":[{"label":"default","data":"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert o\n ccurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. 
The term \"the system\" is used to encompass all of these."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000360-DB-000320","gid":"V-72893","rid":"SV-87545r1_rule","stig_id":"PGS9-00-002700","cci":["CCI-001858"],"nist":["AU-5 (2)","Rev_4"],"check":"Review the system documentation to determine which audit failure\n events require real-time alerts.\n Review the system settings and code. If the real-time alerting that is\n specified in the documentation is not enabled, this is a finding.","fix":"Configure the system to provide an immediate real-time alert to\n appropriate support staff when a specified audit failure occurs.\n It is possible to create scripts or implement third-party tools to enable\n real-time alerting for audit failures in PostgreSQL."},"code":"control \"V-72893\" do\n title \"PostgreSQL must provide an immediate real-time alert to appropriate\n support staff of all audit failure events requiring real-time alerts.\"\n desc \"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. Without a real-time\n alert, security personnel may be unaware of an impending failure of the audit\n capability, and system operation may be adversely affected.\n The appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\n Alerts provide organizations with urgent messages. Real-time alerts provide\n these messages immediately (i.e., the time from event detection to alert o\n ccurs in seconds or less).\n The necessary monitoring and alerts may be implemented using features of\n PostgreSQL, the OS, third-party software, custom code, or a combination of\n these. 
The term \\\"the system\\\" is used to encompass all of these.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000360-DB-000320\"\n tag \"gid\": \"V-72893\"\n tag \"rid\": \"SV-87545r1_rule\"\n tag \"stig_id\": \"PGS9-00-002700\"\n tag \"cci\": [\"CCI-001858\"]\n tag \"nist\": [\"AU-5 (2)\", \"Rev_4\"]\n tag \"check\": \"Review the system documentation to determine which audit failure\n events require real-time alerts.\n Review the system settings and code. If the real-time alerting that is\n specified in the documentation is not enabled, this is a finding.\"\n tag \"fix\": \"Configure the system to provide an immediate real-time alert to\n appropriate support staff when a specified audit failure occurs.\n It is possible to create scripts or implement third-party tools to enable\n real-time alerting for audit failures in PostgreSQL.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72893.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":4.988e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72895","title":"PostgreSQL must maintain the confidentiality and integrity of\n information during reception.","desc":"Information can be either unintentionally or maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. 
Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.","descriptions":[{"label":"default","data":"Information can be either unintentionally or maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. 
Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000442-DB-000379","gid":"V-72895","rid":"SV-87547r1_rule","stig_id":"PGS9-00-003000","cci":["CCI-002422"],"nist":["SC-8 (2)","Rev_4"],"check":"If the data owner does not have a strict requirement for\n ensuring data integrity and confidentiality is maintained at every step of the\n data transfer and handling process, this is not a finding.\n\n As the database administrator (shown here as \"postgres\"), verify SSL is\n enabled in postgresql.conf by:\n\n First, open the postgresql.conf file and ensure the ssl paramater is set to on:\n\n $ vi /postgresql.conf\n $ ssl = 'on'\n\n is set and not commented out with a '#'.\n\n Second, run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n\n If SSL is off, this is a finding.\n\n If PostgreSQL, associated applications, and infrastructure do not employ\n protective measures against unauthorized disclosure and modification during\n reception, this is a finding.","fix":"Implement protective measures against unauthorized disclosure and\n modification during reception.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G for\n instructions on enabling SSL."},"code":"control \"V-72895\" do\n title \"PostgreSQL must maintain the confidentiality and integrity of\n information during reception.\"\n desc \"Information can be either unintentionally or 
maliciously disclosed or\n modified during reception, including, for example, during aggregation, at\n protocol transformation points, and during packing/unpacking. These\n unauthorized disclosures or modifications compromise the confidentiality or\n integrity of the information.\n This requirement applies only to those applications that are either\n distributed or can allow access to data nonlocally. Use of this requirement\n will be limited to situations where the data owner has a strict requirement\n for ensuring data integrity and confidentiality is maintained at every step of\n the data transfer and handling process.\n When receiving data, PostgreSQL, associated applications, and infrastructure\n must leverage protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c; while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000442-DB-000379\"\n tag \"gid\": \"V-72895\"\n tag \"rid\": \"SV-87547r1_rule\"\n tag \"stig_id\": \"PGS9-00-003000\"\n tag \"cci\": [\"CCI-002422\"]\n tag \"nist\": [\"SC-8 (2)\", \"Rev_4\"]\n tag \"check\": \"If the data owner does not have a strict requirement for\n ensuring data integrity and confidentiality is maintained at every step of the\n data transfer and handling process, this is not a finding.\n\n As the database administrator (shown here as \\\"postgres\\\"), verify SSL is\n enabled in postgresql.conf by:\n\n First, open the postgresql.conf file and ensure the ssl paramater is set to on:\n\n $ vi /postgresql.conf\n $ ssl = 'on'\n\n is set and not commented out with a '#'.\n\n Second, run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW ssl\\\"\n\n If SSL is off, this is a finding.\n\n If PostgreSQL, associated applications, and infrastructure do not employ\n protective measures against 
unauthorized disclosure and modification during\n reception, this is a finding.\"\n\n tag \"fix\": \"Implement protective measures against unauthorized disclosure and\n modification during reception.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G for\n instructions on enabling SSL.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72895.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl; output should not match /off|false/i","run_time":0.00010661,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-72897","title":"Database objects (including but not limited to tables, indexes,\n storage, trigger procedures, functions, links to software external to\n PostgreSQL, etc.) must be owned by database/DBMS principals authorized for\n ownership.","desc":"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. Database functions and procedures can be coded using\n definer's rights. This allows anyone who utilizes the object to perform the\n actions if they were the owner. If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed.","descriptions":[{"label":"default","data":"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. Database functions and procedures can be coded using\n definer's rights. 
This allows anyone who utilizes the object to perform the\n actions if they were the owner. If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000200","gid":"V-72897","rid":"SV-87549r1_rule","stig_id":"PGS9-00-003100","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review system documentation to identify accounts authorized to\n own database objects. Review accounts that own objects in the database(s).\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n To check the ownership of objects in the database, as the database\n administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -x -c \"\\dn *.*\"\n $ psql -x -c \"\\dt *.*\"\n $ psql -x -c \"\\ds *.*\"\n $ psql -x -c \"\\dv *.*\"\n $ psql -x -c \"\\df+ *.*\"\n If any object is not owned by an authorized role for ownership, this is a\n finding.","fix":"Assign ownership of authorized objects to authorized object owner\n accounts.\n #### Schema Owner\n To create a schema owned by the user bob, run the following SQL:\n $ sudo su - postgres\n $ psql -c \"CREATE SCHEMA test AUTHORIZATION bob\n To alter the ownership of an existing object to be owned by the user bob,\n run the following SQL:\n $ sudo su - postgres\n $ psql -c \"ALTER SCHEMA test OWNER TO bob\""},"code":"control \"V-72897\" do\n title \"Database objects (including but not limited to tables, indexes,\n storage, trigger procedures, functions, links to software external to\n PostgreSQL, etc.) 
must be owned by database/DBMS principals authorized for\n ownership.\"\n desc \"Within the database, object ownership implies full privileges to the\n owned object, including the privilege to assign access to the owned objects\n to other subjects. Database functions and procedures can be coded using\n definer's rights. This allows anyone who utilizes the object to perform the\n actions if they were the owner. If not properly managed, this can lead to\n privileged actions being taken by unauthorized individuals.\n Conversely, if critical tables or other objects rely on unauthorized owner\n accounts, these objects may be lost when an account is removed.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000200\"\n tag \"gid\": \"V-72897\"\n tag \"rid\": \"SV-87549r1_rule\"\n tag \"stig_id\": \"PGS9-00-003100\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review system documentation to identify accounts authorized to\n own database objects. 
Review accounts that own objects in the database(s).\n If any database objects are found to be owned by users not authorized to own\n database objects, this is a finding.\n To check the ownership of objects in the database, as the database\n administrator, run the following SQL:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\dn *.*\\\"\n $ psql -x -c \\\"\\\\dt *.*\\\"\n $ psql -x -c \\\"\\\\ds *.*\\\"\n $ psql -x -c \\\"\\\\dv *.*\\\"\n $ psql -x -c \\\"\\\\df+ *.*\\\"\n If any object is not owned by an authorized role for ownership, this is a\n finding.\"\n tag \"fix\": \"Assign ownership of authorized objects to authorized object owner\n accounts.\n #### Schema Owner\n To create a schema owned by the user bob, run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"CREATE SCHEMA test AUTHORIZATION bob\n To alter the ownership of an existing object to be owned by the user bob,\n run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"ALTER SCHEMA test OWNER TO bob\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_owners = PG_SUPERUSERS\n\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n types = %w(t s v) # tables, sequences views\n\n databases.each do |database|\n schemas_sql = ''\n functions_sql = ''\n\n if database == 'postgres'\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n else\n schemas_sql = \"SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM 
pg_catalog.pg_namespace n \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema';\"\n end\n\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n connection_error_regex = Regexp.new(connection_error)\n\n sql_result=sql.query(schemas_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n sql_result=sql.query(functions_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n types.each do |type|\n objects_sql = ''\n\n if database == 'postgres'\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}' \"\n \"AND n.nspname !~ '^pg_toast';\"\n else\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) 
\"\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'\"\\\n \" AND n.nspname !~ '^pg_toast';\"\n end\n\n sql_result=sql.query(objects_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72897.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.00029358,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000583429,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'information_schema';\"> 
to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000314607,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database 
\"\" is not currently accepting connections/","run_time":0.00058984,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000298515,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, 
c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000555608,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000273646,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ 
-1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000613534,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 
'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000282263,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000599358,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: could not connect to server: No such file or directory\\n\" +\n+ \"\\tIs the server running locally and accepting\\n\" +\n+ \"\\tconnections on Unix domain socket 
\\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000397095,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000692893,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"psql: could not connect to server: 
Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000328166,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra 
command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000689561,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: 
Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.0003372,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 
'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000669558,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq 
\"\"","run_time":0.000340552,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000681832,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently 
accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000303723,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: 
extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000673184,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"could\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"not\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connect\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"to\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server:\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"Connection\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line 
argument \\\"refused\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000332367,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tIs the server running on host 
\"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.00074439,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000362395,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host 
\\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.00071778,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: 
warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000309469,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument 
\"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000643465,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to 
server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000299359,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') 
AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000714632,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND 
pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000430982,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000660312,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match 
/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"the\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"server\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"running\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"host\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"and\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"accepting\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000269107,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: 
extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_namespace n WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000550188,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'information_schema';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND 
n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; output should eq \"\"","run_time":0.000256549,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000638732,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" 
+\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000264014,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('t','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname 
<> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000620782,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.00033567,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP 
connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('s','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.000599717,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running 
on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; output should eq \"\"","run_time":0.000317148,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('v','s','') AND pg_catalog.pg_get_userbyid(n.nspowner) NOT IN () AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting 
connections/","run_time":0.000610322,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\"> to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\n+# 'pg_catalog' AND n.nspname <> 'information_schema' AND n.nspname !~ '^pg_toast';\",\n+ @output=\n+ \"\\n\" +\n+ \"psql: warning: extra command-line argument \\\"connections\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"on\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"port\\\" ignored\\n\" +\n+ \"psql: warning: extra command-line argument \\\"5432?\\\" ignored\\n\" +\n+ \"psql: could not connect to server: Connection refused\\n\" +\n+ \"\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\" +\n+ \"\\tTCP/IP connections on port 5432?\\n\">\n","exception":"RSpec::Core::MultipleExceptionError"}]},{"id":"V-72899","title":"The PostgreSQL software installation account must be restricted to\n authorized users.","desc":"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized individuals must be allowed access\n to information system components for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can 
have a great impact on database\n security and operation. It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them.","descriptions":[{"label":"default","data":"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized individuals must be allowed access\n to information system components for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a great impact on database\n security and operation. 
It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000198","gid":"V-72899","rid":"SV-87551r1_rule","stig_id":"PGS9-00-003200","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review procedures for controlling, granting access to, and\n tracking use of the PostgreSQL software installation account(s).\n If access or use of this account is not restricted to the minimum number of\n personnel required or if unauthorized access to the account has been granted,\n this is a finding.","fix":"Develop, document, and implement procedures to restrict and track\n use of the PostgreSQL software installation account."},"code":"control \"V-72899\" do\n title \"The PostgreSQL software installation account must be restricted to\n authorized users.\"\n desc \"When dealing with change control issues, it should be noted any changes\n to the hardware, software, and/or firmware components of the information\n system and/or application can have significant effects on the overall security\n of the system.\n If the system were to allow any user to make changes to software libraries,\n those changes might be implemented without undergoing the appropriate testing\n and approvals that are part of a robust change management process.\n Accordingly, only qualified and authorized individuals must be allowed access\n to information system components for purposes of initiating changes, including\n upgrades and modifications.\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a great impact on database\n security and operation. 
It is especially important to grant privileged access\n to only those persons who are qualified and authorized to use them.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000198\"\n tag \"gid\": \"V-72899\"\n tag \"rid\": \"SV-87551r1_rule\"\n tag \"stig_id\": \"PGS9-00-003200\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review procedures for controlling, granting access to, and\n tracking use of the PostgreSQL software installation account(s).\n If access or use of this account is not restricted to the minimum number of\n personnel required or if unauthorized access to the account has been granted,\n this is a finding.\"\n tag \"fix\": \"Develop, document, and implement procedures to restrict and track\n use of the PostgreSQL software installation account.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72899.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":5.185e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72901","title":"Database software, including PostgreSQL configuration files, must be\n stored in dedicated directories separate from the host OS and other\n applications.","desc":"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. 
For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. Any\n method that provides any level of separation of security context assists in\n the protection between applications.","descriptions":[{"label":"default","data":"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. 
Any\n method that provides any level of separation of security context assists in\n the protection between applications."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000133-DB-000199","gid":"V-72901","rid":"SV-87553r1_rule","stig_id":"PGS9-00-003300","cci":["CCI-001499"],"nist":["CM-5 (6)","Rev_4"],"check":"Review the PostgreSQL software library directory and any\n subdirectories.\n If any non-PostgreSQL software directories exist on the disk directory,\n examine or investigate their use. If any of the directories are used by other\n applications, including third-party applications that use the PostgreSQL, this\n is a finding.\n Only applications that are required for the functioning and administration,\n not use, of the PostgreSQL should be located in the same disk directory as\n the PostgreSQL software libraries.\n If other applications are located in the same directory as PostgreSQL, this\n is a finding.","fix":"Install all applications on directories separate from the\n PostgreSQL software library directory. Relocate any directories or reinstall\n other application software that currently shares the PostgreSQL software\n library directory."},"code":"control \"V-72901\" do\n title \"Database software, including PostgreSQL configuration files, must be\n stored in dedicated directories separate from the host OS and other\n applications.\"\n desc \"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. 
For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. Any\n method that provides any level of separation of security context assists in\n the protection between applications.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000133-DB-000199\"\n tag \"gid\": \"V-72901\"\n tag \"rid\": \"SV-87553r1_rule\"\n tag \"stig_id\": \"PGS9-00-003300\"\n tag \"cci\": [\"CCI-001499\"]\n tag \"nist\": [\"CM-5 (6)\", \"Rev_4\"]\n tag \"check\": \"Review the PostgreSQL software library directory and any\n subdirectories.\n If any non-PostgreSQL software directories exist on the disk directory,\n examine or investigate their use. If any of the directories are used by other\n applications, including third-party applications that use the PostgreSQL, this\n is a finding.\n Only applications that are required for the functioning and administration,\n not use, of the PostgreSQL should be located in the same disk directory as\n the PostgreSQL software libraries.\n If other applications are located in the same directory as PostgreSQL, this\n is a finding.\"\n tag \"fix\": \"Install all applications on directories separate from the\n PostgreSQL software library directory. 
Relocate any directories or reinstall\n other application software that currently shares the PostgreSQL software\n library directory.\"\n\n PG_SHARED_DIRS.each do |dir|\n describe directory(dir) do\n it { should be_directory }\n it { should be_owned_by 'root' }\n it { should be_grouped_into 'root' }\n its('mode') { should cmp '0755' }\n end\n\n describe command(\"lsof | awk '$9 ~ \\\"#{dir}\\\" {print $1}'\") do\n its('stdout') { should match /^$|postgres|postmaster/ }\n its('stderr') { should eq '' }\n end\n end\nend\n","source_location":{"line":32,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb"},"results":[{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver} should be directory","run_time":0.000220683,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver} should be owned by \"root\"","run_time":0.000236899,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}.owned_by?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver} should be grouped into \"root\"","run_time":0.000208487,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}.grouped_into?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver} mode should cmp == \"0755\"","run_time":0.0002347,"start_time":"2019-04-22T19:23:23+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in 
'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb:80:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in 
`with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in 
`run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}\" {print $1}'` stdout should match /^$|postgres|postmaster/","run_time":0.027054394,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}\" {print $1}'` stderr should eq \"\"","run_time":0.000162712,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/bin should be directory","run_time":0.000340493,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/bin.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/bin should be owned by \"root\"","run_time":0.000317175,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/bin.owned_by?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/bin should be grouped into \"root\"","run_time":0.000296834,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/bin.grouped_into?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/bin mode should cmp == \"0755\"","run_time":0.000303374,"start_time":"2019-04-22T19:23:23+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in 
`handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb:80:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in 
run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in 
`run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/bin\" {print $1}'` stdout should match /^$|postgres|postmaster/","run_time":0.025814732,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/bin\" {print $1}'` stderr should eq \"\"","run_time":0.000212479,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/include should be directory","run_time":0.000300059,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/include.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/include should be owned by \"root\"","run_time":0.000278895,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/include.owned_by?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/include should be grouped into \"root\"","run_time":0.000247546,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/include.grouped_into?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/include mode should cmp == \"0755\"","run_time":0.000332824,"start_time":"2019-04-22T19:23:23+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in 
`handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb:80:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in 
run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in 
`run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/include\" {print $1}'` stdout should match /^$|postgres|postmaster/","run_time":0.026537185,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/include\" {print $1}'` stderr should eq \"\"","run_time":0.000152449,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/lib should be directory","run_time":0.000327588,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/lib.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/lib should be owned by \"root\"","run_time":0.000247851,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/lib.owned_by?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/lib should be grouped into \"root\"","run_time":0.000221444,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/lib.grouped_into?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/lib mode should cmp == \"0755\"","run_time":0.000353193,"start_time":"2019-04-22T19:23:23+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in 
`handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb:80:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in 
run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in 
`run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/lib\" {print $1}'` stdout should match /^$|postgres|postmaster/","run_time":0.027065814,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/lib\" {print $1}'` stderr should eq \"\"","run_time":0.00029592,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/share should be directory","run_time":0.000364812,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/share.directory?` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/share should be owned by \"root\"","run_time":0.000295858,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/share.owned_by?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/share should be grouped into \"root\"","run_time":0.000274462,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `Directory /usr/pgsql-${pg_ver}/share.grouped_into?(\"root\")` to return true, got false"},{"status":"failed","code_desc":"Directory /usr/pgsql-${pg_ver}/share mode should cmp == \"0755\"","run_time":0.00032824,"start_time":"2019-04-22T19:23:23+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in 
`handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72901.rb:80:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in 
run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in 
`run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/share\" {print $1}'` stdout should match /^$|postgres|postmaster/","run_time":0.027309491,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"Command: `lsof | awk '$9 ~ \"/usr/pgsql-${pg_ver}/share\" {print $1}'` stderr should eq \"\"","run_time":0.000198918,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-72903","title":"PostgreSQL must include additional, more detailed, organization-defined\n information in the audit records for audit events identified by type,\n location, or subject.","desc":"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. 
The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000101-DB-000044","gid":"V-72903","rid":"SV-87555r1_rule","stig_id":"PGS9-00-003500","cci":["CCI-000135"],"nist":["AU-3 (1)","Rev_4"],"check":"Review the system documentation to identify what additional\n information the organization has determined necessary.\n Check PostgreSQL settings and existing audit records to verify that all\n organization-defined additional, more detailed information is in the audit\n records for audit events identified by type, location, or subject.\n If any additional information is defined and is not contained in the audit\n records, this is a finding.","fix":"Configure PostgreSQL audit settings to include all\n organization-defined detailed information in the audit records for audit\n events identified by type, location, or subject.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging."},"code":"control \"V-72903\" do\n title \"PostgreSQL must include additional, more detailed, organization-defined\n information in the audit records for audit events identified by type,\n location, or subject.\"\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. Reconstruction of harmful events or forensic analysis is\n not possible if audit records do not contain enough information. 
To support\n analysis, some types of events will need information to be logged that\n exceeds the basic requirements of event type, time stamps, location, source,\n outcome, and user identity. If additional information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n The organization must determine what additional information is required for\n complete analysis of the audited events. The additional information required\n is dependent on the type of information (e.g., sensitivity of the data and\n the environment within which it resides). At a minimum, the organization\n must employ either full-text recording of privileged commands or the\n individual identities of users of shared accounts, or both. The organization\n must maintain audit trails in sufficient detail to reconstruct events to\n determine the cause and impact of compromise.\n Examples of detailed information the organization may require in audit\n records are full-text recording of privileged commands or the individual\n identities of shared account users.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000101-DB-000044\"\n tag \"gid\": \"V-72903\"\n tag \"rid\": \"SV-87555r1_rule\"\n tag \"stig_id\": \"PGS9-00-003500\"\n tag \"cci\": [\"CCI-000135\"]\n tag \"nist\": [\"AU-3 (1)\", \"Rev_4\"]\n tag \"check\": \"Review the system documentation to identify what additional\n information the organization has determined necessary.\n Check PostgreSQL settings and existing audit records to verify that all\n organization-defined additional, more detailed information is in the audit\n records for audit events identified by type, location, or subject.\n If any additional information is defined and is not contained in the audit\n records, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL audit settings to include all\n organization-defined detailed information in the audit records for audit\n events identified 
by type, location, or subject.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72903.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":1.0266e-05,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72905","title":"Execution of software modules (to include functions and trigger\n procedures) with elevated privileges must be restricted to necessary cases\n only.","desc":"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. 
At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered.","descriptions":[{"label":"default","data":"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000342-DB-000302","gid":"V-72905","rid":"SV-87557r1_rule","stig_id":"PGS9-00-003600","cci":["CCI-002233"],"nist":["AC-6 (8)","Rev_4"],"check":"Functions in PostgreSQL can be created with the SECURITY\n DEFINER option. 
When SECURITY DEFINER functions are executed by a user, said\n function is run with the privileges of the role that owns it (proowner), not\n the privileges of the caller; the owner is the creator unless ownership has\n since been reassigned.\n To list all functions that have SECURITY DEFINER, as the database\n administrator (shown here as \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SELECT nspname, proname, proargtypes, prosecdef, rolname,\n proconfig FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN\n pg_authid a ON a.oid = p.proowner WHERE prosecdef OR NOT proconfig IS NULL;\"\n In the query results, a prosecdef value of \"t\" on a row indicates that that\n function uses privilege elevation; rolname is the role whose privileges it\n runs with, and proconfig shows any per-function settings such as a pinned\n search_path.\n If elevation of PostgreSQL privileges is utilized but not documented, this is\n a finding.\n If elevation of PostgreSQL privileges is documented, but not implemented as\n described in the documentation, this is a finding.\n If the privilege-elevation logic can be invoked in ways other than intended,\n or in contexts other than intended, or by subjects/principals other than\n intended, this is a finding.","fix":"Determine where, when, how, and by what principals/subjects\n elevated privilege is needed.\n To change a SECURITY DEFINER function to SECURITY INVOKER, as the database\n administrator (shown here as \"postgres\"), run the following SQL (the function\n must be identified by name and argument types):\n $ sudo su - postgres\n $ psql -c \"ALTER FUNCTION function_name(argument_types) SECURITY INVOKER;\"\n For any SECURITY DEFINER function that must remain, limit who may call it and\n pin its search_path so a caller cannot substitute objects it references:\n $ psql -c \"REVOKE EXECUTE ON FUNCTION function_name(argument_types) FROM PUBLIC;\"\n $ psql -c \"ALTER FUNCTION function_name(argument_types) SET search_path = pg_catalog, pg_temp;\""},"code":"control \"V-72905\" do\n title \"Execution of software modules (to include functions and trigger\n procedures) with elevated privileges must be restricted to necessary cases\n only.\"\n desc \"In certain situations, to provide required functionality, PostgreSQL\n needs to execute internal logic (stored procedures, functions, triggers, etc.)\n and/or external code modules with elevated privileges. 
However, if the\n privileges required for execution are at a higher level than the privileges\n assigned to organizational users invoking the functionality\n applications/programs, those users are indirectly provided with greater\n privileges than assigned by organizations.\n Privilege elevation must be utilized only where necessary and protected\n from misuse.\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in\n many cases, the database administrator (DBA) is organizationally separate\n from the application developers, and may have limited, if any, access to\n source code. Nevertheless, protections of this type are so important to the\n secure operation of databases that they must not be ignored. At a minimum,\n the DBA must attempt to obtain assurances from the development organization\n that this issue has been addressed, and must document what has been discovered.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000342-DB-000302\"\n tag \"gid\": \"V-72905\"\n tag \"rid\": \"SV-87557r1_rule\"\n tag \"stig_id\": \"PGS9-00-003600\"\n tag \"cci\": [\"CCI-002233\"]\n tag \"nist\": [\"AC-6 (8)\", \"Rev_4\"]\n tag \"check\": \"Functions in PostgreSQL can be created with the SECURITY\n DEFINER option. 
When SECURITY DEFINER functions are executed by a user, said\n function is run with the privileges of the user who created it.\n To list all functions that have SECURITY DEFINER, as, the database\n administrator (shown here as \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SELECT nspname, proname, proargtypes, prosecdef, rolname,\n proconfig FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN\n pg_authid a ON a.oid = p.proowner WHERE prosecdef OR NOT proconfig IS NULL;\\\"\n In the query results, a prosecdef value of \\\"t\\\" on a row indicates that that\n function uses privilege elevation.\n If elevation of PostgreSQL privileges is utilized but not documented, this is\n a finding.\n If elevation of PostgreSQL privileges is documented, but not implemented as\n described in the documentation, this is a finding.\n If the privilege-elevation logic can be invoked in ways other than intended,\n or in contexts other than intended, or by subjects/principals other than\n intended, this is a finding.\"\n tag \"fix\": \"Determine where, when, how, and by what principals/subjects\n elevated privilege is needed.\n To change a SECURITY DEFINER function to SECURITY INVOKER, as the database\n administrator (shown here as \\\"postgres\\\"), run the following SQL:\\\n $ sudo su - postgres\n $ psql -c \\\"ALTER FUNCTION SECURITY INVOKER;\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n security_definer_sql = \"SELECT nspname, proname, prosecdef \"\\\n \"FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid \"\\\n \"JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't';\"\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{PG_DB}';\"\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n connection_error = \"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n \"accepting connections\"\n 
connection_error_regex = Regexp.new(connection_error)\n\n sql_result=sql.query(security_definer_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72905.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; output should eq \"\"","run_time":0.000571178,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"127.0.0.1\\\" ignored\\npsql: could not connect to serve...locally and accepting\\n\\tconnections on Unix domain socket \\\"/var/run/postgresql/.s.PGSQL.5432\\\"?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,6 @@\n+\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: could not connect to server: No such file or directory\n+\tIs the server running locally and accepting\n+\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; should match /FATAL:\\s+database \"\" is not currently accepting connections/","run_time":0.000855349,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # to match /FATAL:\\s+database \"\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,10 @@\n-/FATAL:\\s+database \"\" is not currently accepting 
connections/\n+#\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; output should eq \"\"","run_time":0.000563064,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"could\\\" ignored\\npsql: warning: extra command-line ar...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,12 @@\n+\n+psql: warning: extra command-line argument \"could\" ignored\n+psql: warning: extra command-line argument \"not\" ignored\n+psql: warning: extra command-line argument \"connect\" ignored\n+psql: warning: extra command-line argument \"to\" ignored\n+psql: warning: extra command-line argument \"server:\" ignored\n+psql: warning: extra command-line argument \"Connection\" ignored\n+psql: warning: extra command-line argument \"refused\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; should match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/","run_time":0.000939949,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # to match /FATAL:\\s+database \"psql: could not connect to server: Connection refused\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,16 @@\n-/FATAL:\\s+database \"psql: could not connect to server: 
Connection refused\" is not currently accepting connections/\n+#\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; output should eq \"\"","run_time":0.00047062,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"the\\\" ignored\\npsql: warning: extra command-line argu...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,13 @@\n+\n+psql: warning: extra command-line argument \"the\" ignored\n+psql: warning: extra command-line argument \"server\" ignored\n+psql: warning: extra command-line argument \"running\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"host\" ignored\n+psql: warning: extra command-line argument \"127.0.0.1\" ignored\n+psql: warning: extra command-line argument \"and\" ignored\n+psql: warning: extra command-line argument \"accepting\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; should match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/","run_time":0.000875123,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # to match /FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not 
currently accepting connections/\nDiff:\n@@ -1,2 +1,17 @@\n-/FATAL:\\s+database \"\tIs the server running on host \"127.0.0.1\" and accepting\" is not currently accepting connections/\n+#\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; output should eq \"\"","run_time":0.000368958,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: warning: extra command-line argument \\\"connections\\\" ignored\\npsql: warning: extra command-l...\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,9 @@\n+\n+psql: warning: extra command-line argument \"connections\" ignored\n+psql: warning: extra command-line argument \"on\" ignored\n+psql: warning: extra command-line argument \"port\" ignored\n+psql: warning: extra command-line argument \"5432?\" ignored\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT nspname, proname, prosecdef FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef = 't'; should match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/","run_time":0.00082279,"start_time":"2019-04-22T19:23:23+00:00","message":"expected # to match /FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting connections/\nDiff:\n@@ -1,2 +1,13 @@\n-/FATAL:\\s+database \"\tTCP\\/IP connections on port 5432?\" is not currently accepting 
connections/\n+#\n","exception":"RSpec::Core::MultipleExceptionError"}]},{"id":"V-72909","title":"PostgreSQL must utilize centralized management of the content captured\n in audit records generated by all components of PostgreSQL.","desc":"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. Whatever the method used, it must be compatible with\n off-loading the records to the centralized system.","descriptions":[{"label":"default","data":"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. 
Whatever the method used, it must be compatible with\n off-loading the records to the centralized system."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000356-DB-000314","gid":"V-72909","rid":"SV-87561r1_rule","stig_id":"PGS9-00-003800","cci":["CCI-001844"],"nist":["AU-3 (2)","Rev_4"],"check":"On UNIX systems, PostgreSQL can be configured to use stderr,\n csvlog and syslog. To send logs to a centralized location, syslog should be\n used.\n As the database owner (shown here as \"postgres\"), ensure PostgreSQL uses\n syslog by running the following SQL (log_destination may list several\n comma-separated destinations; syslog must be among them):\n $ sudo su - postgres\n $ psql -c \"SHOW log_destination\"\n As the database owner (shown here as \"postgres\"), check which syslog facility\n PostgreSQL is configured to use by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW syslog_facility\"\n Check with the organization how that facility is handled in the syslog daemon\n configuration and confirm the daemon actually forwards it to the central log\n management system; selecting syslog in PostgreSQL alone does not off-load\n anything.\n If PostgreSQL audit records are not written directly to or systematically\n transferred to a centralized log management system, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n With logging enabled, as the database owner (shown here as \"postgres\"),\n configure the following parameters in postgresql.conf:\n Note: Consult the organization on how syslog facilities are defined in the\n syslog daemon configuration, and use the facility the daemon forwards to the\n central collector in place of LOCAL0 below.\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_destination = 'syslog'\n syslog_facility = 'LOCAL0'\n syslog_ident = 'postgres'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72909\" do\n title \"PostgreSQL must utilize centralized management of the content captured\n in audit records generated by all components of PostgreSQL.\"\n desc \"Without the ability to centrally manage the content captured in the\n audit records, identification, troubleshooting, and correlation of suspicious\n behavior would be difficult and could lead to a delayed or incomplete analysis\n of an ongoing attack.\n The content captured in audit records must be managed from a central location\n (necessitating automation). Centralized management of audit records and logs\n provides for efficiency in maintenance and management of records, as well as\n the backup and archiving of those records.\n PostgreSQL may write audit records to database tables, to files in the file\n system, to other kinds of local repository, or directly to a centralized log\n management system. 
Whatever the method used, it must be compatible with\n off-loading the records to the centralized system.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000356-DB-000314\"\n tag \"gid\": \"V-72909\"\n tag \"rid\": \"SV-87561r1_rule\"\n tag \"stig_id\": \"PGS9-00-003800\"\n tag \"cci\": [\"CCI-001844\"]\n tag \"nist\": [\"AU-3 (2)\", \"Rev_4\"]\n tag \"check\": \"On UNIX systems, PostgreSQL can be configured to use stderr,\n csvlog and syslog. To send logs to a centralized location, syslog should be\n used.\n As the database owner (shown here as \\\"postgres\\\"), ensure PostgreSQL uses\n syslog by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_destination\\\"\n As the database owner (shown here as \\\"postgres\\\"), check which log facility\n PostgreSQL is configured by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW syslog_facility\\\"\n Check with the organization to see how syslog facilities are defined in their\n organization.\n If PostgreSQL audit records are not written directly to or systematically\n transferred to a centralized log management system, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n With logging enabled, as the database owner (shown here as \\\"postgres\\\"),\n configure the follow parameters in postgresql.conf:\n Note: Consult the organization on how syslog facilities are defined in the\n syslog daemon configuration.\n $ sudo su - postgres\n $ vi 'log_destination' ${PGDATA?}/postgresql.conf\n log_destination = 'syslog'\n syslog_facility = 'LOCAL0'\n syslog_ident = 'postgres'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW log_destination;', [PG_DB]) do\n its('output') { should match /syslog/i }\n end\n\n describe sql.query('SHOW syslog_facility;', [PG_DB]) do\n its('output') { should match /local[0-7]/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72909.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_destination; output should match /syslog/i","run_time":0.000397446,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /syslog/i\nDiff:\n@@ -1,2 +1,5 @@\n-/syslog/i\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW syslog_facility; output should match 
/local[0-7]/i","run_time":0.000325214,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /local[0-7]/i\nDiff:\n@@ -1,2 +1,5 @@\n-/local[0-7]/i\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72911","title":"PostgreSQL must isolate security functions from non-security functions.","desc":"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. 
When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality.","descriptions":[{"label":"default","data":"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. 
When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000233-DB-000124","gid":"V-72911","rid":"SV-87563r1_rule","stig_id":"PGS9-00-004000","cci":["CCI-001084"],"nist":["SC-3","Rev_4"],"check":"Check PostgreSQL settings to determine whether objects or code\n implementing security functionality are located in a separate security domain,\n such as a separate database or schema created specifically for security\n functionality.\n By default, all objects in pg_catalog and information_schema are owned by the\n database administrator.\n To check the access controls for those schemas, as the database administrator\n (shown here as \"postgres\"), run the following commands to review the access\n privileges granted on the data dictionary and security tables, views,\n sequences, functions and trigger procedures:\n $ sudo su - postgres\n $ psql -x -c \"\\dp pg_catalog.*\"\n $ psql -x -c \"\\dp information_schema.*\"\n Repeat the \\dp statements for any additional schemas that contain locally\n defined security objects.\n\nRepeat using \\df+*.* to review ownership and access privileges of\n PostgreSQL functions (\\dp covers tables, views and sequences only):\n $ sudo su - postgres\n $ psql -x -c \"\\df+ pg_catalog.*\"\n $ psql -x -c \"\\df+ information_schema.*\"\n Refer to the PostgreSQL online documentation for GRANT for help in\n interpreting the Access privileges column in the output from \\dp and \\df+.\n Note that an entry starting with an equals sign indicates privileges granted\n to Public (all users). 
By default, most of the tables and views in the pg_catalog and\n information_schema schemas can be read by Public.\n If any user besides the database administrator(s) is listed in access\n privileges and not documented, this is a finding.\n If security-related database objects or code are not kept separate, this is a\n finding.","fix":"Do not locate security-related database objects with application\n tables or schema.\n Review any site-specific applications security modules built into the\n database: determine what schema they are located in and take appropriate\n action.\n Do not grant access to pg_catalog or information_schema to anyone but the\n database administrator(s). Access to the database administrator account(s)\n must not be granted to anyone without official approval."},"code":"control \"V-72911\" do\n title \"PostgreSQL must isolate security functions from non-security functions.\"\n desc \"An isolation boundary provides access control and protects the integrity\n of the hardware, software, and firmware that perform security functions.\n Security functions are the hardware, software, and/or firmware of the\n information system responsible for enforcing the system security policy and\n supporting the isolation of code and data on which the protection is based.\n Developers and implementers can increase the assurance in security functions\n by employing well-defined security policy models; structured, disciplined, and\n rigorous hardware and software development techniques; and sound system/security\n engineering principles.\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality should not be commingled with\n objects or code implementing application logic. 
When security and non-security\n functionality are commingled, users who have access to non-security\n functionality may be able to access security functionality.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000233-DB-000124\"\n tag \"gid\": \"V-72911\"\n tag \"rid\": \"SV-87563r1_rule\"\n tag \"stig_id\": \"PGS9-00-004000\"\n tag \"cci\": [\"CCI-001084\"]\n tag \"nist\": [\"SC-3\", \"Rev_4\"]\n tag \"check\": \"Check PostgreSQL settings to determine whether objects or code\n implementing security functionality are located in a separate security domain,\n such as a separate database or schema created specifically for security\n functionality.\n By default, all objects in pg_catalog and information_schema are owned by the\n database administrator.\n To check the access controls for those schemas, as the database administrator\n (shown here as \\\"postgres\\\"), run the following commands to review the access\n privileges granted on the data dictionary and security tables, views,\n sequences, functions and trigger procedures:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\dp pg_catalog.*\\\"\n $ psql -x -c \\\"\\\\dp information_schema.*\\\"\n Repeat the \\\\dp statements for any additional schemas that contain locally\n defined security objects.\n\nRepeat using \\\\df+*.* to review ownership of\n PostgreSQL functions:\n $ sudo su - postgres\n $ psql -x -c \\\"\\\\df+ pg_catalog.*\\\"\n $ psql -x -c \\\"\\\\df+ information_schema.*\\\"\n Refer to the PostgreSQL online documentation for GRANT for help in\n interpreting the Access Privileges column in the output from \\\\du. Note that\n an entry starting with an equals sign indicates privileges granted to Public\n (all users). 
By default, most of the tables and views in the pg_catalog and\n information_schema schemas can be read by Public.\n If any user besides the database administrator(s) is listed in access\n privileges and not documented, this is a finding.\n If security-related database objects or code are not kept separate, this is a\n finding.\"\n tag \"fix\": \"Do not locate security-related database objects with application\n tables or schema.\n Review any site-specific applications security modules built into the\n database: determine what schema they are located in and take appropriate\n action.\n Do not grant access to pg_catalog or information_schema to anyone but the\n database administrator(s). Access to the database administrator account(s)\n must not be granted to anyone without official approval.\"\n\n exceptions = \"#{PG_OBJECT_EXCEPTIONS.map { |e| \"'#{e}'\" }.join(',')}\"\n object_acl = \"^(((#{PG_OWNER}=[#{PG_OBJECT_GRANTED_PRIVILEGES}]+|\"\\\n \"=[#{PG_OBJECT_PUBLIC_PRIVILEGES}]+)\\\\/\\\\w+,?)+|)$\"\n schemas = ['pg_catalog', 'information_schema']\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n schemas.each do |schema|\n objects_sql = \"SELECT n.nspname, c.relname, c.relkind, \"\\\n \"pg_catalog.array_to_string(c.relacl, E',') FROM pg_catalog.pg_class c \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace \"\\\n \"WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f') \"\\\n \"AND n.nspname ~ '^(#{schema})$' \"\\\n \"AND pg_catalog.array_to_string(c.relacl, E',') !~ '#{object_acl}' \"\\\n \"AND c.relname NOT IN (#{exceptions});\"\n\n describe sql.query(objects_sql, [PG_DB]) do\n its('output') { should eq '' }\n end\n\n functions_sql = \"SELECT n.nspname, p.proname, \"\\\n \"pg_catalog.pg_get_userbyid(n.nspowner) \"\\\n \"FROM pg_catalog.pg_proc p \"\\\n \"LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace \"\\\n \"WHERE n.nspname ~ '^(#{schema})$' \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{PG_OWNER}';\"\n\n describe 
sql.query(functions_sql, [PG_DB]) do\n its('output') { should eq '' }\n end\n end\nend\n","source_location":{"line":70,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72911.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.array_to_string(c.relacl, E',') FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f') AND n.nspname ~ '^(pg_catalog)$' AND pg_catalog.array_to_string(c.relacl, E',') !~ '^(((postgres=[arwdDxt]+|=[r]+)\\/\\w+,?)+|)$' AND c.relname NOT IN ('pg_settings'); output should eq \"\"","run_time":0.000385551,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,5 @@\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE n.nspname ~ '^(pg_catalog)$' AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'postgres'; output should eq \"\"","run_time":0.000346306,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,5 @@\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, c.relname, c.relkind, pg_catalog.array_to_string(c.relacl, E',') FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r', 'v', 'm', 'S', 'f') AND n.nspname ~ '^(information_schema)$' AND pg_catalog.array_to_string(c.relacl, E',') !~ '^(((postgres=[arwdDxt]+|=[r]+)\\/\\w+,?)+|)$' AND c.relname NOT IN ('pg_settings'); output should eq \"\"","run_time":0.000306723,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,5 @@\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT n.nspname, p.proname, pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_proc p LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace WHERE n.nspname ~ '^(information_schema)$' AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'postgres'; output should eq \"\"","run_time":0.000251515,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,5 @@\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72917","title":"When updates are applied to PostgreSQL software, any software\n components that have been replaced or made unnecessary must be removed.","desc":"Previous versions of PostgreSQL components 
that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. This should be taken into account in the planning.","descriptions":[{"label":"default","data":"Previous versions of PostgreSQL components that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. 
This should be taken into account in the planning."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000454-DB-000389","gid":"V-72917","rid":"SV-87569r1_rule","stig_id":"PGS9-00-004300","cci":["CCI-002617"],"nist":["SI-2 (6)","Rev_4"],"check":"To check software installed by packages, as the system\n administrator, run the following command:\n # RHEL/CENT Systems\n $ sudo rpm -qa | grep postgres\n If multiple versions of postgres are installed but are unused, this is a\n finding.\n Note: this profile does not automate this check (the control is skipped), so\n the package review must be carried out manually.","fix":"Use package managers (RPM or apt-get) for installing PostgreSQL, so that\n package updates replace the superseded files. Where an update installs the new\n version alongside the old one instead of replacing it, remove the old package\n manually once the transition period has ended."},"code":"control \"V-72917\" do\n title \"When updates are applied to PostgreSQL software, any software\n components that have been replaced or made unnecessary must be removed.\"\n desc \"Previous versions of PostgreSQL components that are not removed from\n the information system after updates have been installed may be exploited\n by adversaries.\n Some PostgreSQL installation tools may remove older versions of software\n automatically from the information system. In other cases, manual review and\n removal will be required. In planning installations and upgrades,\n organizations must include steps (automated, manual, or both) to identify and\n remove the outdated modules.\n A transition period may be necessary when both the old and the new software\n are required. 
This should be taken into account in the planning.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000454-DB-000389\"\n tag \"gid\": \"V-72917\"\n tag \"rid\": \"SV-87569r1_rule\"\n tag \"stig_id\": \"PGS9-00-004300\"\n tag \"cci\": [\"CCI-002617\"]\n tag \"nist\": [\"SI-2 (6)\", \"Rev_4\"]\n tag \"check\": \"To check software installed by packages, as the system\n administrator, run the following command:\n # RHEL/CENT Systems\n $ sudo rpm -qa | grep postgres\n If multiple versions of postgres are installed but are unused, this is a\n finding.\"\n tag \"fix\": \"Use package managers (RPM or apt-get) for installing PostgreSQL.\n Unused software is removed when updated.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72917.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":5.799e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72919","title":"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is accessed.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000494-DB-000344","gid":"V-72919","rid":"SV-87571r1_rule","stig_id":"PGS9-00-004400","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), run\n the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW pgaudit.log\"\n If pgaudit.log does not contain, \"ddl, write, role\", this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72919\" do\n title \"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is accessed.\"\n desc \"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000494-DB-000344\"\n tag \"gid\": \"V-72919\"\n tag \"rid\": \"SV-87571r1_rule\"\n tag \"stig_id\": \"PGS9-00-004400\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), run\n the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If pgaudit.log does not contain, \\\"ddl, write, role\\\", this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. 
See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgaudit_types = %w(ddl role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72919.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000381581,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000359033,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host 
\"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.00040479,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72931","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n delete categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000502-DB-000349","gid":"V-72931","rid":"SV-87583r1_rule","stig_id":"PGS9-00-005000","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain \"pgaudit\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72931\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n delete categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS Publication\n 199, Standards for Security Categorization of Federal Information and\n Information Systems, and FIPS Publication 200, Minimum Security Requirements\n for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000502-DB-000349\"\n tag \"gid\": \"V-72931\"\n tag \"rid\": \"SV-87583r1_rule\"\n tag \"stig_id\": \"PGS9-00-005000\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The 
following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72931.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000396058,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on 
port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000398661,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000449858,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000391119,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.00044703,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection 
refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72949","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n modify categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000498-DB-000347","gid":"V-72949","rid":"SV-87601r1_rule","stig_id":"PGS9-00-005600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain \"pgaudit\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to modify categories of information.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging. 
All denials are logged when logging is enabled.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72949\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n modify categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000498-DB-000347\"\n tag \"gid\": \"V-72949\"\n tag \"rid\": \"SV-87601r1_rule\"\n tag \"stig_id\": \"PGS9-00-005600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to produce audit records 
when unsuccessful\n attempts to modify categories of information.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging. All denials are logged when logging is enabled.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72949.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000414755,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000408304,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not 
connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000383782,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000387615,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000388519,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs 
the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72953","title":"PostgreSQL must generate audit records for all privileged activities or\n other system-level access.","desc":"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. 
Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity.","descriptions":[{"label":"default","data":"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. 
Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000504-DB-000354","gid":"V-72953","rid":"SV-87605r1_rule","stig_id":"PGS9-00-005800","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n shared_preload_libraries = 'pgaudit'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n Note: shared_preload_libraries is only read at server start. If that parameter\n was added or changed, a reload is not sufficient; restart the server so that\n pgaudit is actually loaded and pgaudit.log takes effect."},"code":"control \"V-72953\" do\n title \"PostgreSQL must generate audit records for all privileged activities or\n other system-level access.\"\n desc \"Without tracking privileged activity, it would be difficult to\n establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n System documentation should include a definition of the functionality\n considered privileged.\n A privileged function in this context is any operation that modifies the\n structure of the database, its built-in logic, or its security settings.\n This would include all Data Definition Language (DDL) statements and all\n security-related statements. In an SQL environment, it encompasses, but is not\n necessarily limited to:\n CREATE\n ALTER\n DROP\n GRANT\n REVOKE\n There may also be Data Manipulation Language (DML) statements that, subject to\n context, should be regarded as privileged. 
Possible examples in SQL include:\n TRUNCATE TABLE;DELETE, or DELETE affecting more than n rows, for some n, or\n DELETE without a WHERE clause;\n UPDATE or UPDATE affecting more than n rows, for some n, or UPDATE without a\n WHERE clause;\n any SELECT, INSERT, UPDATE, or DELETE to an application-defined security table\n executed by other than a security principal.\n Depending on the capabilities of PostgreSQL and the design of the database and\n associated applications, audit logging may be achieved by means of DBMS\n auditing features, database triggers, other mechanisms, or a combination of\n these.\n Note: That it is particularly important to audit, and tightly control, any\n action that weakens the implementation of this requirement itself, since the\n objective is to have a complete audit trail of all administrative activity.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000504-DB-000354\"\n tag \"gid\": \"V-72953\"\n tag \"rid\": \"SV-87605r1_rule\"\n tag \"stig_id\": \"PGS9-00-005800\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n shared_preload_libraries = 'pgaudit'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n Note: shared_preload_libraries is only read at server start. If that parameter\n was added or changed, a reload is not sufficient; restart the server so that\n pgaudit is actually loaded and pgaudit.log takes effect.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72953.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000369112,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.00037226,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP 
connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000357531,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000364557,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000305605,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n"}]},{"id":"V-72955","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n access categorized information (e.g., classification levels/security levels)\n occur.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000494-DB-000345","gid":"V-72955","rid":"SV-87607r1_rule","stig_id":"PGS9-00-005900","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator (shown here as\n \"postgres\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW pgaudit.log\"\n If pgaudit.log does not contain, \"ddl, write, role\", this is a finding.","fix":"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to access categories of information.\n All denials are logged if logging is enabled. 
To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72955\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n access categorized information (e.g., classification levels/security levels)\n occur.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000494-DB-000345\"\n tag \"gid\": \"V-72955\"\n tag \"rid\": \"SV-87607r1_rule\"\n tag \"stig_id\": \"PGS9-00-005900\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as\n \\\"postgres\\\"), run the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If pgaudit.log does not contain, \\\"ddl, write, role\\\", this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to produce audit records when unsuccessful\n attempts to access categories of information.\n All denials are logged if logging is enabled. 
To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n With `pgaudit` installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, write, role'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgaudit_types = %w(ddl role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72955.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000371187,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000353868,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000390549,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72957","title":"PostgreSQL must be able to generate audit records when security objects\n are accessed.","desc":"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DROP.","descriptions":[{"label":"default","data":"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DROP."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000492-DB-000332","gid":"V-72957","rid":"SV-87609r1_rule","stig_id":"PGS9-00-006000","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW 
server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000390549,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72957","title":"PostgreSQL must be able to generate audit records when security objects\n are accessed.","desc":"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DRO.","descriptions":[{"label":"default","data":"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DRO."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000492-DB-000332","gid":"V-72957","rid":"SV-87609r1_rule","stig_id":"PGS9-00-006000","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW 
shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72957\" do\n title \"PostgreSQL must be able to generate audit records when security objects\n are accessed.\"\n desc \"Changes to the security configuration must be tracked.\n This requirement applies to situations where security data is retrieved or\n modified via data manipulation operations, as opposed to via specialized\n security functionality.\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n CREATE\n SELECT\n INSERT\n UPDATE\n DELETE\n PREPARE\n EXECUTE\n ALTER\n DROP.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000492-DB-000332\"\n tag \"gid\": \"V-72957\"\n tag \"rid\": \"SV-87609r1_rule\"\n tag \"stig_id\": \"PGS9-00-006000\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW 
shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72957.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000396799,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could 
not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.00038872,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000413898,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000374769,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include 
\"write\"","run_time":0.000395351,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72959","title":"PostgreSQL must generate audit records when privileges/permissions are\n deleted.","desc":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command.","descriptions":[{"label":"default","data":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. 
Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000499-DB-000330","gid":"V-72959","rid":"SV-87611r1_rule","stig_id":"PGS9-00-006100","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, role, read, write'\n (pgaudit.log is a single list; setting it to 'role' alone would drop the ddl,\n read, and write classes that the check above also requires.)\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72959\" do\n title \"PostgreSQL must generate audit records when privileges/permissions are\n deleted.\"\n desc \"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. 
Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, deleting permissions is typically done via the REVOKE\n command.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000499-DB-000330\"\n tag \"gid\": \"V-72959\"\n tag \"rid\": \"SV-87611r1_rule\"\n tag \"stig_id\": \"PGS9-00-006100\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log = 'ddl, role, read, write'\n (pgaudit.log is a single list; setting it to 'role' alone would drop the ddl,\n read, and write classes that the check above also requires.)\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72959.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000424957,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000353249,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include 
\"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000366196,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000405969,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000347135,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72961","title":"PostgreSQL must generate audit 
records when concurrent\n logons/connections by the same user from different workstations occur.","desc":"For completeness of forensic analysis, it is necessary to \n track who logs on to PostgreSQL.\n\n Concurrent connections by the same user from multiple \n workstations may be valid use of the system; or such \n connections may be due to improper circumvention of the \n requirement to use the CAC/PIV for authentication; or they may \n indicate unauthorized account sharing; or they may be because \n an account has been compromised.\n\n (If the fact of multiple, concurrent logons by a given user \n can be reliably reconstructed from the log entries for other \n events (logons/connections; voluntary and involuntary \n disconnections), then it is not mandatory to create additional \n log entries specifically for this.)","descriptions":[{"label":"default","data":"For completeness of forensic analysis, it is necessary to \n track who logs on to PostgreSQL.\n\n Concurrent connections by the same user from multiple \n workstations may be valid use of the system; or such \n connections may be due to improper circumvention of the \n requirement to use the CAC/PIV for authentication; or they may \n indicate unauthorized account sharing; or they may be because \n an account has been compromised.\n\n (If the fact of multiple, concurrent logons by a given user \n can be reliably reconstructed from the log entries for other \n events (logons/connections; voluntary and involuntary \n disconnections), then it is not mandatory to create additional \n log entries specifically for this.)"}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000506-DB-000353","gid":"V-72961","rid":"SV-87613r1_rule","stig_id":"PGS9-00-006200","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify that\n log_connections and log_disconnections are enabled by running the following\n SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW 
log_connections\"\n $ psql -c \"SHOW log_disconnections\"\n If either is off, this is a finding.\n Next, verify that log_line_prefix contains sufficient information by running\n the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n If log_line_prefix does not contain at least %m %u %d %c, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First, as the database administrator (shown here as \"postgres\"), edit\n postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Edit the following parameters as such:\n log_connections = on\n log_disconnections = on\n log_line_prefix = '< %m %u %d %c: >'\n Where:\n * %m is the time and date\n * %u is the username\n * %d is the database\n * %c is the session ID for the connection\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72961\" do\n title \"PostgreSQL must generate audit records when concurrent\n logons/connections by the same user from different workstations occur.\"\n desc \"For completeness of forensic analysis, it is necessary to track who\n logs on to PostgreSQL.\n Concurrent connections by the same user from multiple workstations may be\n valid use of the system; or such connections may be due to improper\n circumvention of the requirement to use the CAC for authentication; or they\n may indicate unauthorized account sharing; or they may be because an account\n has been compromised.\n (If the fact of multiple, concurrent logons by a given user can be reliably\n reconstructed from the log entries for other events (logons/connections;\n voluntary and 
involuntary disconnections), then it is not mandatory to create\n additional log entries specifically for this..\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000506-DB-000353\"\n tag \"gid\": \"V-72961\"\n tag \"rid\": \"SV-87613r1_rule\"\n tag \"stig_id\": \"PGS9-00-006200\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify that\n log_connections and log_disconnections are enabled by running the following\n SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_connections\\\"\n $ psql -c \\\"SHOW log_disconnections\\\"\n If either is off, this is a finding.\n Next, verify that log_line_prefix contains sufficient information by running\n the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_line_prefix\\\"\n If log_line_prefix does not contain at least %m %u %d %c, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First, as the database administrator (shown here as \\\"postgres\\\"), edit\n postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Edit the following parameters as such:\n log_connections = on\n log_disconnections = on\n log_line_prefix = '< %m %u %d %c: >'\n Where:\n * %m is the time and date\n * %u is the username\n * %d is the database\n * %c is the session ID for the connection\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n log_line_prefix_escapes = %w(%m %u %d %c)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72961.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_connections; output should not match /off|false/i","run_time":0.00010285,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_disconnections; output should not match /off|false/i","run_time":0.000105956,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include 
\"%m\"","run_time":0.00041465,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.000360297,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000370582,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%c\"","run_time":0.000389451,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include 
\"%c\"\nDiff:\n@@ -1,2 +1,5 @@\n-%c\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72963","title":"PostgreSQL must generate audit records when unsuccessful attempts to\n delete security objects occur.","desc":"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.","descriptions":[{"label":"default","data":"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000501-DB-000337","gid":"V-72963","rid":"SV-87615r1_rule","stig_id":"PGS9-00-006300","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Configure PostgreSQL to produce audit records when unsuccessful attempts to\n delete security objects occur.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72963\" do\n title \"PostgreSQL must generate audit records when unsuccessful attempts to\n delete security objects occur.\"\n desc \"The removal of security objects from the database/PostgreSQL would\n seriously degrade a system's information assurance posture. If such an action\n is attempted, it must be logged.\n To aid in diagnosis, it is necessary to keep track of failed attempts in\n addition to the successful ones.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000501-DB-000337\"\n tag \"gid\": \"V-72963\"\n tag \"rid\": \"SV-87615r1_rule\"\n tag \"stig_id\": \"PGS9-00-006300\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Configure PostgreSQL to produce audit records when unsuccessful attempts to\n delete security objects occur.\n All errors and denials are logged if logging is enabled. To ensure that\n logging is enabled, review supplementary content APPENDIX-C for instructions\n on enabling logging.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72963.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output 
should include \"pgaudit\"","run_time":0.000363256,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000359129,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000349938,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000350446,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections 
on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000392654,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72965","title":"PostgreSQL must generate audit records when privileges/permissions are\n modified.","desc":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands.","descriptions":[{"label":"default","data":"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. 
Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000495-DB-000328","gid":"V-72965","rid":"SV-87617r1_rule","stig_id":"PGS9-00-006400","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role is enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, this is a finding.","fix":"Note: The following instructions use the PGDATA environment v\n ariable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72965\" do\n title \"PostgreSQL must generate audit records when privileges/permissions are\n modified.\"\n desc \"Changes in the permissions, privileges, and roles granted to users and\n roles must be tracked. Without an audit trail, unauthorized elevation or\n restriction of privileges could go undetected. 
Elevated privileges give users\n access to information and functionality that they should not have; restricted\n privileges wrongly deny access to authorized users.\n In an SQL environment, modifying permissions is typically done via the GRANT\n and REVOKE commands.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000495-DB-000328\"\n tag \"gid\": \"V-72965\"\n tag \"rid\": \"SV-87617r1_rule\"\n tag \"stig_id\": \"PGS9-00-006400\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role is enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment v\n ariable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='role'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = ['role']\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72965.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.0003992,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000328475,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 
@@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72971","title":"PostgreSQL must generate audit records when security objects are\n modified.","desc":"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. The database could be severely\n compromised or rendered inoperative.","descriptions":[{"label":"default","data":"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. The database could be severely\n compromised or rendered inoperative."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000496-DB-000334","gid":"V-72971","rid":"SV-87623r1_rule","stig_id":"PGS9-00-006600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the results does not contain `pgaudit`, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain `role`, `read`, `write`, and `ddl`, this is a\n finding.\n Next, verify that accessing the catalog is audited by running the following\n SQL:\n $ psql -c \"SHOW pgaudit.log_catalog\"\n If log_catalog is not `on`, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.With `pgaudit` installed the following configurat\n ions can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log_catalog = 'on'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72971\" do\n title \"PostgreSQL must generate audit records when security objects are\n modified.\"\n desc \"Changes in the database objects (tables, views, procedures, functions)\n that record and control permissions, privileges, and roles granted to users\n and roles must be tracked. Without an audit trail, unauthorized changes to the\n security subsystem could go undetected. 
The database could be severely\n compromised or rendered inoperative.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000496-DB-000334\"\n tag \"gid\": \"V-72971\"\n tag \"rid\": \"SV-87623r1_rule\"\n tag \"stig_id\": \"PGS9-00-006600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, verify pgaudit is enabled\n by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the results does not contain `pgaudit`, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain `role`, `read`, `write`, and `ddl`, this is a\n finding.\n Next, verify that accessing the catalog is audited by running the following\n SQL:\n $ psql -c \\\"SHOW pgaudit.log_catalog\\\"\n If log_catalog is not `on`, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using `pgaudit` the DBMS (PostgreSQL) can be configured to audit these\n requests. 
See supplementary content `APPENDIX-B` for documentation on\n installing `pgaudit`.With `pgaudit` installed the following configurat\n ions can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log_catalog = 'on'\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new\n configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\n\n describe sql.query('SHOW pgaudit.log_catalog;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72971.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000347271,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000294892,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not 
connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000400759,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000333333,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000318506,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs 
the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log_catalog; output should match /on|true/i","run_time":0.000165472,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-72973","title":"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is modified.","desc":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000498-DB-000346","gid":"V-72973","rid":"SV-87625r1_rule","stig_id":"PGS9-00-006700","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"If category tracking is not required in the database, this is\n not applicable.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \"SHOW pgaudit.log\"\n If the output does not contain role, 
read, write, and ddl, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring P\n GDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":" control \"V-72973\" do\n title \"PostgreSQL must generate audit records when categorized information\n (e.g., classification levels/security levels) is modified.\"\n desc \"Changes in categorized information must be tracked. 
Without an audit\n trail, unauthorized access to protected data could go undetected.\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal Information\n and Information Systems, and FIPS Publication 200, Minimum Security\n Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000498-DB-000346\"\n tag \"gid\": \"V-72973\"\n tag \"rid\": \"SV-87625r1_rule\"\n tag \"stig_id\": \"PGS9-00-006700\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n tag \"check\": \"If category tracking is not required in the database, this is\n not applicable.\n First, as the database administrator, verify pgaudit is enabled by running the\n following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n If the output does not contain pgaudit, this is a finding.\n Next, verify that role, read, write, and ddl auditing are enabled:\n $ psql -c \\\"SHOW pgaudit.log\\\"\n If the output does not contain role, read, write, and ddl, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring P\n GDATA.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n With pgaudit installed the following configurations can be made:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameters (or edit existing parameters):\n pgaudit.log='ddl, role, read, write'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72973.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000411248,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"ddl\"","run_time":0.000306459,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to 
include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000357115,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000388345,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000409366,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72979","title":"PostgreSQL, when utilizing 
PKI-based authentication, must validate\n certificates by performing RFC 5280-compliant certification path validation.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n\n A certificate certification path is the path from the end \n entity certificate to a trusted root certification authority \n (CA). Certification path validation is necessary for a relying \n party to make an informed decision regarding acceptance of an \n end entity certificate. Certification path validation includes \n checks such as certificate issuer trust, time validity and \n revocation status for each certificate in the certification \n path. Revocation status information for CA and subject \n certificates in a certification path is commonly provided via \n certificate revocation lists (CRLs) or online certificate \n status protocol (OCSP) responses.\n\n Database Management Systems that do not validate certificates \n by performing RFC 5280-compliant certification path validation \n are in danger of accepting certificates that are invalid and/or \n counterfeit. This could allow unauthorized access to the database.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n\n A certificate certification path is the path from the end \n entity certificate to a trusted root certification authority \n (CA). Certification path validation is necessary for a relying \n party to make an informed decision regarding acceptance of an \n end entity certificate. Certification path validation includes \n checks such as certificate issuer trust, time validity and \n revocation status for each certificate in the certification \n path. 
Revocation status information for CA and subject \n certificates in a certification path is commonly provided via \n certificate revocation lists (CRLs) or online certificate \n status protocol (OCSP) responses.\n\n Database Management Systems that do not validate certificates \n by performing RFC 5280-compliant certification path validation \n are in danger of accepting certificates that are invalid and/or \n counterfeit. This could allow unauthorized access to the database."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000175-DB-000067","gid":"V-72979","rid":"SV-87631r1_rule","stig_id":"PGS9-00-007000","cci":["CCI-000185"],"nist":["IA-5 (2) (a)","Rev_4"],"check":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To verify that a CRL file exists, as the database administrator (shown here as\n \"postgres\"), run the following:\n $ sudo su - postgres\n $ psql -c \"SHOW ssl_crl_file\" If this is not set to a CRL file, this is a finding.\n Next verify the existence of the CRL file by checking the directory set in\n postgresql.conf in the ssl_crl_file parameter from above:\n Note: If no directory is specified, then the CRL file should be located in the\n same directory as postgresql.conf (PGDATA).\n If the CRL file does not exist, this is a finding.\n Next, verify that hostssl entries in pg_hba.conf have \"cert\" and\n \"clientcert=1\" enabled:\n $ sudo su - postgres\n $ grep hostssl ${PGDATA?}/postgresql.conf\n If hostssl entries does not contain cert or clientcert=1, this is a finding.\n If certificates are not being validated by performing RFC 5280-compliant\n certification path validation, this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G.\n To generate a Certificate Revocation List, see the official Red Hat\n Documentation:\n https://access.redhat.com/documentation/en-US/Red_Hat_Update_Infrastructure/\n 2.1/html/Administration_Guide/chap-Red_Hat_Update_Infrastructure-\n Administration_Guide-Certification_Revocation_List_CRL.html\n As the database administrator (shown here as \"postgres\"), copy the CRL file\n into the data directory:\n First, as the system administrator, copy the CRL file into the PostgreSQL Data\n Directory:\n $ sudo cp root.crl ${PGDATA?}/root.crl\n As the database administrator (shown here as \"postgres\"), set the\n ssl_crl_file parameter to the filename of the CRL:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n ssl_crl_file = 'root.crl'\n Next, in pg_hba.conf, require ssl authentication:\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n hostssl
cert clientcert=1\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72979\" do\n title \"PostgreSQL, when utilizing PKI-based authentication, must validate\n certificates by performing RFC 5280-compliant certification path validation.\"\n desc \"The DoD standard for authentication is DoD-approved PKI certificates.\n A certificate’s certification path is the path from the end entity certificate\n to a trusted root certification authority (CA). Certification path validation\n is necessary for a relying party to make an informed decision regarding\n acceptance of an end entity certificate. Certification path validation\n includes checks such as certificate issuer trust, time validity and revocation\n status for each certificate in the certification path. Revocation status\n information for CA and subject certificates in a certification path is\n commonly provided via certificate revocation lists (CRLs) or online\n certificate status protocol (OCSP) responses.\n Database Management Systems that do not validate certificates by performing\n RFC 5280-compliant certification path validation are in danger of accepting\n certificates that are invalid and/or counterfeit. This could allow unauthorized\n access to the database.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000175-DB-000067\"\n tag \"gid\": \"V-72979\"\n tag \"rid\": \"SV-87631r1_rule\"\n tag \"stig_id\": \"PGS9-00-007000\"\n tag \"cci\": [\"CCI-000185\"]\n tag \"nist\": [\"IA-5 (2) (a)\", \"Rev_4\"]\n tag \"check\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To verify that a CRL file exists, as the database administrator (shown here as\n \\\"postgres\\\"), run the following:\n $ sudo su - postgres\n $ psql -c \\\"SHOW ssl_crl_file\\\" If this is not set to a CRL file, this is a finding.\n Next verify the existence of the CRL file by checking the directory set in\n postgresql.conf in the ssl_crl_file parameter from above:\n Note: If no directory is specified, then the CRL file should be located in the\n same directory as postgresql.conf (PGDATA).\n If the CRL file does not exist, this is a finding.\n Next, verify that hostssl entries in pg_hba.conf have \\\"cert\\\" and\n \\\"clientcert=1\\\" enabled:\n $ sudo su - postgres\n $ grep hostssl ${PGDATA?}/postgresql.conf\n If hostssl entries does not contain cert or clientcert=1, this is a finding.\n If certificates are not being validated by performing RFC 5280-compliant\n certification path validation, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n To configure PostgreSQL to use SSL, see supplementary content APPENDIX-G.\n To generate a Certificate Revocation List, see the official Red Hat\n Documentation:\n https://access.redhat.com/documentation/en-US/Red_Hat_Update_Infrastructure/\n 2.1/html/Administration_Guide/chap-Red_Hat_Update_Infrastructure-\n Administration_Guide-Certification_Revocation_List_CRL.html\n As the database administrator (shown here as \\\"postgres\\\"), copy the CRL file\n into the data directory:\n First, as the system administrator, copy the CRL file into the PostgreSQL Data\n Directory:\n $ sudo cp root.crl ${PGDATA?}/root.crl\n As the database administrator (shown here as \\\"postgres\\\"), set the\n ssl_crl_file parameter to the filename of the CRL:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n ssl_crl_file = 'root.crl'\n Next, in pg_hba.conf, require ssl authentication:\n $ sudo su - postgres\n $ vi ${PGDATA?}/pg_hba.conf\n hostssl
cert clientcert=1\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n ssl_crl_file_query = sql.query('SHOW ssl_crl_file;', [PG_DB])\n\n describe ssl_crl_file_query do\n its('output') { should match /^\\w+\\.crl$/ }\n end\n\n ssl_crl_file = ssl_crl_file_query.output\n\n if ssl_crl_file.empty?\n ssl_crl_file = \"#{PG_DATA_DIR}/root.crl\"\n elsif File.dirname(ssl_crl_file) == '.'\n ssl_crl_file = \"#{PG_DATA_DIR}/#{ssl_crl_file}\"\n end\n\n describe file(ssl_crl_file) do\n it { should be_file }\n end\n\n describe.one do\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'hostssl' } do\n its('auth_method') { should include 'cert' }\n end\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'hostssl' } do\n its('auth_params') { should match [/clientcert=1.*/] }\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72979.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW ssl_crl_file; output should match /^\\w+\\.crl$/","run_time":0.000350833,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^\\w+\\.crl$/\nDiff:\n@@ -1,2 +1,5 @@\n-/^\\w+\\.crl$/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n should be 
file","run_time":0.000271192,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n.file?` to return true, got false"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"hostssl\" auth_method should include \"cert\"","run_time":0.000203039,"start_time":"2019-04-22T19:23:23+00:00","message":"expected [] to include \"cert\"","exception":"RSpec::Core::MultipleExceptionError"},{"status":"failed","code_desc":"Postgres Hba Config /var/lib/pgsql/9.5/data/pg_hba.conf with type == \"hostssl\" auth_params should match [/clientcert=1.*/]","run_time":0.000340161,"start_time":"2019-04-22T19:23:23+00:00","message":"expected [] to match [/clientcert=1.*/]\nDiff:\n@@ -1,2 +1,2 @@\n-[/clientcert=1.*/]\n+[]\n","exception":"RSpec::Core::MultipleExceptionError"}]},{"id":"V-72981","title":"PostgreSQL must maintain the confidentiality and integrity of\n information during preparation for transmission.","desc":"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: 
https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.","descriptions":[{"label":"default","data":"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000441-DB-000378","gid":"V-72981","rid":"SV-87633r1_rule","stig_id":"PGS9-00-007200","cci":["CCI-002420"],"nist":["SC-8 (2)","Rev_4"],"check":"If the data owner does not have a strict requirement for ensuring\n data integrity and confidentiality is maintained at every step of the data\n transfer and handling process, this is not a finding.\n As the database administrator (shown here as \"postgres\"), verify SSL is\n enabled by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n If SSL is not enabled, this is a finding.\n If PostgreSQL does not employ protective measures against unauthorized\n disclosure and modification during preparation for transmission, this is a\n finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. 
See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Implement protective measures against unauthorized disclosure and modification\n during preparation for transmission.\n To configure PostgreSQL to use SSL, as a database administrator (shown here as\n \"postgres\"), edit postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameter:\n ssl = on\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G."},"code":"control \"V-72981\" do\n title \"PostgreSQL must maintain the confidentiality and integrity of\n information during preparation for transmission.\"\n desc \"Information can be either unintentionally or maliciously disclosed or\n modified during preparation for transmission, including, for example, during\n aggregation, at protocol transformation points, and during packing/unpacking.\n These unauthorized disclosures or modifications compromise the confidentiality\n or integrity of the information.\n Use of this requirement will be limited to situations where the data owner has\n a strict requirement for ensuring data integrity and confidentiality is\n maintained at every step of the data transfer and handling process.\n When transmitting data, PostgreSQL, associated applications, and\n infrastructure must leverage transmission protection mechanisms.\n PostgreSQL uses OpenSSL SSLv23_method() in fe-secure-openssl.c, while the name\n is misleading, this function enables only TLS encryption methods, not SSL.\n See OpenSSL: https://mta.openssl.org/pipermail/openssl-dev/2015-May/001449.htm.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000441-DB-000378\"\n tag \"gid\": \"V-72981\"\n tag \"rid\": \"SV-87633r1_rule\"\n tag 
\"stig_id\": \"PGS9-00-007200\"\n tag \"cci\": [\"CCI-002420\"]\n tag \"nist\": [\"SC-8 (2)\", \"Rev_4\"]\n tag \"check\": \"If the data owner does not have a strict requirement for ensuring\n data integrity and confidentiality is maintained at every step of the data\n transfer and handling process, this is not a finding.\n As the database administrator (shown here as \\\"postgres\\\"), verify SSL is\n enabled by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW ssl\\\"\n If SSL is not enabled, this is a finding.\n If PostgreSQL does not employ protective measures against unauthorized\n disclosure and modification during preparation for transmission, this is a\n finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n Implement protective measures against unauthorized disclosure and modification\n during preparation for transmission.\n To configure PostgreSQL to use SSL, as a database administrator (shown here as\n \\\"postgres\\\"), edit postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n Add the following parameter:\n ssl = on\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72981.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl; output should match 
/on|true/i","run_time":0.000111748,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-72983","title":"PostgreSQL must provide audit record generation capability \n for CMS-defined auditable events within all DBMS/database \n components.","desc":"Without the capability to generate audit records, it would \n be difficult to establish, correlate, and investigate the events \n relating to an incident or identify those responsible for one. \n\n Audit records can be generated from various components within \n PostgreSQL (e.g., process, module). Certain specific application \n functionalities may be audited as well. The list of audited events \n is the set of events for which audits are to be generated. This \n set of events is typically a subset of the list of all events for \n which the system is capable of generating audit records.\n\n CMS has defined the list of events for which PostgreSQL will \n provide an audit record generation capability as the following: \n\n (i) Successful and unsuccessful attempts to access, modify, or \n delete privileges, security objects, security levels, or categories \n of information (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon \n attempts, privileged activities, or other system-level access, \n starting and ending time for user access to the system, concurrent \n logons from different workstations, successful and unsuccessful \n accesses to objects, all program initiations, and all direct \n access to the information system; and\n (iii) All account creation, modification, disabling, and \n termination actions.\n\n Organizations may define additional events requiring continuous \n or ad hoc auditing.","descriptions":[{"label":"default","data":"Without the capability to generate audit records, it would \n be difficult to establish, correlate, and investigate the events \n relating to an incident or identify those responsible for one. 
\n\n Audit records can be generated from various components within \n PostgreSQL (e.g., process, module). Certain specific application \n functionalities may be audited as well. The list of audited events \n is the set of events for which audits are to be generated. This \n set of events is typically a subset of the list of all events for \n which the system is capable of generating audit records.\n\n CMS has defined the list of events for which PostgreSQL will \n provide an audit record generation capability as the following: \n\n (i) Successful and unsuccessful attempts to access, modify, or \n delete privileges, security objects, security levels, or categories \n of information (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon \n attempts, privileged activities, or other system-level access, \n starting and ending time for user access to the system, concurrent \n logons from different workstations, successful and unsuccessful \n accesses to objects, all program initiations, and all direct \n access to the information system; and\n (iii) All account creation, modification, disabling, and \n termination actions.\n\n Organizations may define additional events requiring continuous \n or ad hoc auditing."},{"label":"fix","data":"Configure PostgreSQL to generate audit records for at \n least the CMS minimum set of events.\n\n Using pgaudit PostgreSQL can be configured to audit these \n requests. 
See supplementary content APPENDIX-B for documentation \n on installing pgaudit.\n\n To ensure that logging is enabled, review supplementary content \n APPENDIX-C for instructions on enabling logging."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000089-DB-000064","gid":"V-72983","rid":"SV-87635r1_rule","stig_id":"PGS9-00-007400","cci":["CCI-000169"],"nist":["AU-12 a","Rev_4"],"check":"Check PostgreSQL auditing to determine whether\n organization-defined auditable events are being audited by the system.\n If organization-defined auditable events are not being audited, this is a\n finding.","fix":"Configure PostgreSQL to generate audit records for at least the\n DoD minimum set of events.\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging."},"code":"control \"V-72983\" do\n title \"PostgreSQL must provide audit record generation capability for\n DoD-defined auditable events within all DBMS/database components.\"\n desc \"Without the capability to generate audit records, it would be difficult\n to establish, correlate, and investigate the events relating to an incident or\n identify those responsible for one.\n Audit records can be generated from various components within PostgreSQL\n (e.g., process, module). Certain specific application functionalities may be\n audited as well. The list of audited events is the set of events for which\n audits are to be generated. 
This set of events is typically a subset of the\n list of all events for which the system is capable of generating audit records.\n DoD has defined the list of events for which PostgreSQL will provide an audit\n record generation capability as the following:\n (i) Successful and unsuccessful attempts to access, modify, or delete\n privileges, security objects, security levels, or categories of information\n (e.g., classification levels);\n (ii) Access actions, such as successful and unsuccessful logon attempts,\n privileged activities, or other system-level access, starting and ending time\n for user access to the system, concurrent logons from different workstations,\n successful and unsuccessful accesses to objects, all program initiations,\n and all direct access to the information system; and\n (iii) All account creation, modification, disabling, and termination actions.\n Organizations may define additional events requiring continuous or ad hoc\n auditing.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000089-DB-000064\"\n tag \"gid\": \"V-72983\"\n tag \"rid\": \"SV-87635r1_rule\"\n tag \"stig_id\": \"PGS9-00-007400\"\n tag \"cci\": [\"CCI-000169\"]\n tag \"nist\": [\"AU-12 a\", \"Rev_4\"]\n tag \"check\": \"Check PostgreSQL auditing to determine whether\n organization-defined auditable events are being audited by the system.\n If organization-defined auditable events are not being audited, this is a\n finding.\"\n tag \"fix\": \"Configure PostgreSQL to generate audit records for at least the\n DoD minimum set of events.\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n To ensure that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72983.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":7.203e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-72987","title":"PostgreSQL must produce audit records containing sufficient information\n to establish the identity of any user/subject or process associated with the\n event.","desc":"Information system auditing capability is critical for accurate\n forensic analysis. Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. 
In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate\n forensic analysis. Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded."}],"impact":0.5,"refs":[],"tags":{"check":"Check PostgreSQL settings and existing audit records to verify a\n user name associated with the event is being captured and stored with the\n audit records. 
If audit records exist without specific user information, this\n is a finding.\n First, as the database administrator (shown here as \"postgres\"), verify the\n current setting of log_line_prefix by running the following SQL:\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n If log_line_prefix does not contain %m, %u, %d, %p, %r, %a, this is a finding.","fix":"Logging must be enabled in order to capture the identity of any\n user/subject or process associated with an event. To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n To enable username, database name, process ID, remote host/port and\n application name in logging, as the database administrator (shown here as\n \"postgres\"), edit the following in postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_line_prefix = '< %m %u %d %p %r %a >'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-72987\" do\n title \"PostgreSQL must produce audit records containing sufficient information\n to establish the identity of any user/subject or process associated with the\n event.\"\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. 
Without information that establishes the identity of the\n subjects (i.e., users or processes acting on behalf of users) associated with\n the events, security personnel cannot determine responsibility for the\n potentially harmful event.\n Identifiers (if authenticated or otherwise known) include, but are not limited\n to, user database tables, primary key values, user names, or process identifiers.\n 1) Linux's sudo and su feature enables a user (with sufficient OS privileges)\n to emulate another user, and it is the identity of the emulated user that is\n seen by PostgreSQL and logged in the audit trail. Therefore, care must be\n taken (outside of Postgresql) to restrict sudo/su to the minimum set of users\n necessary.\n 2) PostgreSQL's SET ROLE feature enables a user (with sufficient PostgreSQL\n privileges) to emulate another user running statements under the permission\n set of the emulated user. In this case, it is the emulating user's identity,\n and not that of the emulated user, that gets logged in the audit trail.\n While this is definitely better than the other way around, ideally, both\n identities would be recorded.\"\n tag \"check\": \"Check PostgreSQL settings and existing audit records to verify a\n user name associated with the event is being captured and stored with the\n audit records. If audit records exist without specific user information, this\n is a finding.\n First, as the database administrator (shown here as \\\"postgres\\\"), verify the\n current setting of log_line_prefix by running the following SQL:\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_line_prefix\\\"\n If log_line_prefix does not contain %m, %u, %d, %p, %r, %a, this is a finding.\"\n tag \"fix\": \"Logging must be enabled in order to capture the identity of any\n user/subject or process associated with an event. 
To ensure that logging is\n enabled, review supplementary content APPENDIX-C for instructions on enabling\n logging.\n To enable username, database name, process ID, remote host/port and\n application name in logging, as the database administrator (shown here as\n \\\"postgres\\\"), edit the following in postgresql.conf:\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_line_prefix = '< %m %u %d %p %r %a >'\n Now, as the system administrator, reload the server with the new configuration:\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %p %r %a)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72987.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.000391173,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.000345609,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to 
include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000353415,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%p\"","run_time":0.000341362,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%p\"\nDiff:\n@@ -1,2 +1,5 @@\n-%p\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%r\"","run_time":0.000312862,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%r\"\nDiff:\n@@ -1,2 +1,5 @@\n-%r\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: 
SHOW log_line_prefix; output should include \"%a\"","run_time":0.000317394,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%a\"\nDiff:\n@@ -1,2 +1,5 @@\n-%a\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-72989","title":"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic\n modules to generate and validate cryptographic hashes.","desc":"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. 
Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000514-DB-000381","gid":"V-72989","rid":"SV-87641r1_rule","stig_id":"PGS9-00-008000","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.","fix":"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-72989\" do\n title \"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic\n modules to generate and validate cryptographic hashes.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes\n of utilizing encryption to protect data. The application must implement\n cryptographic modules adhering to the higher standards approved by the federal\n government since this provides assurance they have been tested and validated.\n For detailed information, refer to NIST FIPS Publication 140-2, Security\n Requirements For Cryptographic Modules. 
Note that the product's cryptographic\n modules must be validated and certified by NIST as FIPS-compliant.\"\n\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000514-DB-000381\"\n tag \"gid\": \"V-72989\"\n tag \"rid\": \"SV-87641r1_rule\"\n tag \"stig_id\": \"PGS9-00-008000\"\n tag \"cci\": [\"CCI-002450\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n\n tag \"check\": \"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.\"\n tag \"fix\": \"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n describe kernel_parameter('crypto.fips_enabled') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72989.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter crypto.fips_enabled value should cmp == 1","run_time":0.025889752,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: 1\n got: 0\n\n(compared using `cmp` matcher)\n"}]},{"id":"V-72991","title":"PostgreSQL must use CMS-approved cryptography to protect \n classified sensitive information in accordance with the data owners \n requirements.","desc":"Use of weak or untested encryption algorithms undermines the \n purposes of utilizing encryption to protect data. 
The application \n must implement cryptographic modules adhering to the higher standards \n approved by the federal government since this provides assurance \n they have been tested and validated.\n\n It is the responsibility of the data owner to assess the cryptography \n requirements in light of applicable federal laws, Executive Orders, \n directives, policies, regulations, and standards.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the \n purposes of utilizing encryption to protect data. The application \n must implement cryptographic modules adhering to the higher standards \n approved by the federal government since this provides assurance \n they have been tested and validated.\n\n It is the responsibility of the data owner to assess the cryptography \n requirements in light of applicable federal laws, Executive Orders, \n directives, policies, regulations, and standards."},{"label":"check","data":"If PostgreSQL is not using CMS-approved cryptography \n to protect classified sensitive information in accordance with \n applicable federal laws, Executive Orders, directives, policies, \n regulations, and standards, this is a finding.\n\n To check if PostgreSQL is configured to use SSL, as the database \n administrator (shown here as \"postgres\"), run the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW ssl\"\n\n If SSL is off, this is a finding."},{"label":"fix","data":"Note: The following instructions use the PGDATA \n environment variable. 
See supplementary content APPENDIX-F for \n instructions on configuring PGDATA.\n\n To configure PostgreSQL to use SSL, as a database administrator \n (shown here as \"postgres\"), edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameter:\n\n ssl = on\n\n Now, as the system administrator, reload the server with the \n new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\n\n For more information on configuring PostgreSQL to use SSL, see \n supplementary content APPENDIX-G."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000416-DB-000380","gid":"V-72991","rid":"SV-87643r1_rule","stig_id":"PGS9-00-008100","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"If PostgreSQL is deployed in an unclassified environment, this is\nnot applicable (NA).\n\nIf PostgreSQL is not using NSA-approved cryptography to protect classified\ninformation in accordance with applicable federal laws, Executive Orders,\ndirectives, policies, regulations, and standards, this is a finding.\n\nTo check if PostgreSQL is configured to use SSL, as the database administrator\n(shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\"\n\nIf SSL is off, this is a finding.\n\nConsult network administration staff to determine whether the server is protected by\nNSA-approved encrypting devices. 
If not, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo configure PostgreSQL to use SSL, as a database administrator (shown here as\n\"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNote: ssl = on only enables SSL support on the server; to reject unencrypted client connections, restrict the relevant entries in pg_hba.conf to hostssl.\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nDeploy NSA-approved encrypting devices to protect the server on the network."},"code":"control \"V-72991\" do\n\n title \"PostgreSQL must use NSA-approved cryptography to protect classified\ninformation in accordance with the data owners requirements.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nNSA-approved cryptography for classified networks is hardware based. 
This\nrequirement addresses the compatibility of PostgreSQL with the encryption devices.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000416-DB-000380\"\n tag \"gid\": \"V-72991\"\n tag \"rid\": \"SV-87643r1_rule\"\n tag \"stig_id\": \"PGS9-00-008100\"\n tag \"cci\": [\"CCI-002450\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n\n tag \"check\": \"If PostgreSQL is deployed in an unclassified environment, this is\nnot applicable (NA).\n\nIf PostgreSQL is not using NSA-approved cryptography to protect classified\ninformation in accordance with applicable federal laws, Executive Orders,\ndirectives, policies, regulations, and standards, this is a finding.\n\nTo check if PostgreSQL is configured to use SSL, as the database administrator\n(shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW ssl\\\"\n\nIf SSL is off, this is a finding.\n\nConsult network administration staff to determine whether the server is protected by\nNSA-approved encrypting devices. 
If not, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo configure PostgreSQL to use SSL, as a database administrator (shown here as\n\\\"postgres\\\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNote: ssl = on only enables SSL support on the server; to reject unencrypted client connections, restrict the relevant entries in pg_hba.conf to hostssl.\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nDeploy NSA-approved encrypting devices to protect the server on the network.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72991.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl; output should match /on|true/i","run_time":0.00016511,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-72993","title":"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules\nto protect unclassified information requiring confidentiality and cryptographic\nprotection, in accordance with the data owners requirements.","desc":"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. 
The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant.","descriptions":[{"label":"default","data":"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000514-DB-000383","gid":"V-72993","rid":"SV-87645r1_rule","stig_id":"PGS9-00-008200","cci":["CCI-002450"],"nist":["SC-13","Rev_4"],"check":"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.","fix":"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-72993\" do\n\n title \"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules\nto protect unclassified information requiring confidentiality and cryptographic\nprotection, in accordance with the data owners requirements.\"\n desc \"Use of weak or untested encryption algorithms undermines the purposes of\nutilizing encryption to protect data. The application must implement cryptographic\nmodules adhering to the higher standards approved by the federal government since\nthis provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements\nin light of applicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2, Security\nRequirements For Cryptographic Modules. Note that the product's cryptographic\nmodules must be validated and certified by NIST as FIPS-compliant.\"\n\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000514-DB-000383\"\n tag \"gid\": \"V-72993\"\n tag \"rid\": \"SV-87645r1_rule\"\n tag \"stig_id\": \"PGS9-00-008200\"\n tag \"cci\": [\"CCI-002450\"]\n tag \"nist\": [\"SC-13\", \"Rev_4\"]\n\n tag \"check\": \"First, as the system administrator, run the following to see if FIPS\nis enabled:\n\n$ cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.\"\n\n tag \"fix\": \"Configure OpenSSL to be FIPS compliant.\n\nPostgreSQL uses OpenSSL for cryptographic modules. 
To configure OpenSSL to be FIPS\n140-2 compliant, see the official RHEL Documentation:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Securit\ny_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Pro\ncessing_Standard.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n describe kernel_parameter('crypto.fips_enabled') do\n its('value') { should cmp 1 }\n end\nend\n","source_location":{"line":26,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72993.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter crypto.fips_enabled value should cmp == 1","run_time":0.000428231,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: 1\n got: 0\n\n(compared using `cmp` matcher)\n"}]},{"id":"V-72995","title":"PostgreSQL must protect the confidentiality and integrity of all\ninformation at rest.","desc":"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. 
Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification.","descriptions":[{"label":"default","data":"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000231-DB-000154","gid":"V-72995","rid":"SV-87647r1_rule","stig_id":"PGS9-00-008300","cci":["CCI-001199"],"nist":["SC-28","Rev_4"],"check":"One possible way to encrypt data within PostgreSQL is to use the\npgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of disk-level encryption. 
If this is required and is not found,\nthis is a finding.\n\nIf controls do not exist or are not enabled, this is a finding.","fix":"Apply appropriate controls to protect the confidentiality and\nintegrity of data at rest in the database.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('xdes')));\n\nNote: crypt() with gen_salt() produces a one-way password hash rather than reversible encryption, and pgcrypto's 'bf' (bcrypt) algorithm is a stronger choice than 'xdes' for new password hashes."},"code":"control \"V-72995\" do\n\n title \"PostgreSQL must protect the confidentiality and integrity of all\ninformation at rest.\"\n desc \"This control is intended to address the confidentiality and integrity of\ninformation at rest in non-mobile devices and covers user information and system\ninformation. Information at rest refers to the state of information when it is\nlocated on a secondary storage device (e.g., disk drive, tape drive) within an\norganizational information system. Applications and application users generate\ninformation throughout the course of their application use.\n\nUser data generated, as well as application-specific configuration data, needs to be\nprotected. 
Organizations may choose to employ different mechanisms to achieve\nconfidentiality and integrity protections, as appropriate.\n\nIf the confidentiality and integrity of application data is not protected, the data\nwill be open to compromise and unauthorized modification.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000231-DB-000154\"\n tag \"gid\": \"V-72995\"\n tag \"rid\": \"SV-87647r1_rule\"\n tag \"stig_id\": \"PGS9-00-008300\"\n tag \"cci\": [\"CCI-001199\"]\n tag \"nist\": [\"SC-28\", \"Rev_4\"]\n\n tag \"check\": \"One possible way to encrypt data within PostgreSQL is to use the\npgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of disk-level encryption. If this is required and is not found,\nthis is a finding.\n\nIf controls do not exist or are not enabled, this is a finding.\"\n tag \"fix\": \"Apply appropriate controls to protect the confidentiality and\nintegrity of data at rest in the database.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('xdes')));\n\nNote: crypt() with gen_salt() produces a one-way password hash rather than reversible encryption, and pgcrypto's 'bf' (bcrypt) algorithm is a stronger choice than 'xdes' for new password hashes.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72995.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT * FROM pg_available_extensions where name='pgcrypto' output should not eq \"\"","run_time":0.000141754,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-72999","title":"PostgreSQL must separate user functionality (including user interface\nservices) from database management functionality.","desc":"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for 
users, information on DBMS settings may be\ninadvertently made available to the user.","descriptions":[{"label":"default","data":"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for users, information on DBMS settings may be\ninadvertently made available to the user."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000211-DB-000122","gid":"V-72999","rid":"SV-87651r1_rule","stig_id":"PGS9-00-008500","cci":["CCI-001082"],"nist":["SC-2","Rev_4"],"check":"Check PostgreSQL settings and vendor documentation to verify that\nadministrative functionality is separate from user functionality.\n\nAs the database administrator (shown here as \"postgres\"), list all roles and\npermissions for the database:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf any non-administrative role has the attribute \"Superuser\", \"Create role\",\n\"Create DB\" or \"Bypass RLS\", this is a finding.\n\nIf administrator and general user functionality are not separated either physically\nor logically, this is a finding.","fix":"Configure PostgreSQL to separate database 
administration and general\nuser functionality.\n\nDo not grant superuser, create role, create db or bypass rls role attributes to\nusers that do not require it.\n\nTo remove privileges, see the following example:\n\nALTER ROLE NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;"},"code":"control \"V-72999\" do\n\n title \"PostgreSQL must separate user functionality (including user interface\nservices) from database management functionality.\"\n desc \"Information system management functionality includes functions necessary to\nadminister databases, network components, workstations, or servers and typically\nrequires privileged user access.\n\nThe separation of user functionality from information system management\nfunctionality is either physical or logical and is accomplished by using different\ncomputers, different central processing units, different instances of the operating\nsystem, different network addresses, combinations of these methods, or other\nmethods, as appropriate.\n\nAn example of this type of separation is observed in web administrative interfaces\nthat use separate authentication methods for users of any other information system\nresources.\n\nThis may include isolating the administrative interface on a different domain and\nwith additional access controls.\n\nIf administrative functionality or information regarding PostgreSQL management is\npresented on an interface available for users, information on DBMS settings may be\ninadvertently made available to the user.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000211-DB-000122\"\n tag \"gid\": \"V-72999\"\n tag \"rid\": \"SV-87651r1_rule\"\n tag \"stig_id\": \"PGS9-00-008500\"\n tag \"cci\": [\"CCI-001082\"]\n tag \"nist\": [\"SC-2\", \"Rev_4\"]\n\n tag \"check\": \"Check PostgreSQL settings and vendor documentation to verify that\nadministrative functionality is separate from user functionality.\n\nAs the database administrator (shown here as \\\"postgres\\\"), list 
all roles and\npermissions for the database:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\du\\\"\n\nIf any non-administrative role has the attribute \\\"Superuser\\\", \\\"Create role\\\",\n\\\"Create DB\\\" or \\\"Bypass RLS\\\", this is a finding.\n\nIf administrator and general user functionality are not separated either physically\nor logically, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to separate database administration and general\nuser functionality.\n\nDo not grant superuser, create role, create db or bypass rls role attributes to\nusers that do not require it.\n\nTo remove privileges, see the following example:\n\nALTER ROLE NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;\"\n\n privileges = %w(rolcreatedb rolcreaterole rolsuper)\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n privileges.each do |privilege|\n privilege_sql = \"SELECT r.#{privilege} FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(privilege_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-72999.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolcreatedb FROM pg_catalog.pg_roles r WHERE r.rolname = ''; output should not eq \"t\"","run_time":0.000121569,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolcreaterole FROM pg_catalog.pg_roles r WHERE r.rolname = ''; output should not eq \"t\"","run_time":0.000145063,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname 
= ''; output should not eq \"t\"","run_time":0.000158716,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolcreatedb FROM pg_catalog.pg_roles r WHERE r.rolname = 'psql: could not connect to server: Connection refused'; output should not eq \"t\"","run_time":0.000136443,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolcreaterole FROM pg_catalog.pg_roles r WHERE r.rolname = 'psql: could not connect to server: Connection refused'; output should not eq \"t\"","run_time":0.000117038,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = 'psql: could not connect to server: Connection refused'; output should not eq \"t\"","run_time":0.000160058,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolcreatedb FROM pg_catalog.pg_roles r WHERE r.rolname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should not eq \"t\"","run_time":0.000173744,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolcreaterole FROM pg_catalog.pg_roles r WHERE r.rolname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should not eq \"t\"","run_time":0.000124059,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should not eq \"t\"","run_time":0.000131788,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolcreatedb FROM pg_catalog.pg_roles r WHERE r.rolname = '\tTCP/IP connections on port 5432?'; output should not eq 
\"t\"","run_time":0.000143078,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolcreaterole FROM pg_catalog.pg_roles r WHERE r.rolname = '\tTCP/IP connections on port 5432?'; output should not eq \"t\"","run_time":0.000149604,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = '\tTCP/IP connections on port 5432?'; output should not eq \"t\"","run_time":0.00013788,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-73001","title":"PostgreSQL must initiate session auditing upon startup.","desc":"Session auditing is for use when a user's activities are under\n investigation. To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running.","descriptions":[{"label":"default","data":"Session auditing is for use when a user's activities are under\n investigation. 
To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000092-DB-000208","gid":"V-73001","rid":"SV-87653r1_rule","stig_id":"PGS9-00-008600","cci":["CCI-001464"],"nist":["AU-14 (1)","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), check\nthe current settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf pgaudit is not in the current setting, this is a finding.\n\nAs the database administrator (shown here as \"postgres\"), check the current\nsettings by running the following SQL:\n\n$ psql -c \"SHOW logging_destination\"\n\nIf stderr or syslog are not in the current setting, this is a finding.","fix":"Configure PostgreSQL to enable auditing.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor session logging we suggest using pgaudit. For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B."},"code":"control \"V-73001\" do\n title \"PostgreSQL must initiate session auditing upon startup.\"\n desc \"Session auditing is for use when a user's activities are under\n investigation. 
To be sure of capturing all activity during those periods when\n session auditing is in use, it needs to be in operation for the whole time\n PostgreSQL is running.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000092-DB-000208\"\n tag \"gid\": \"V-73001\"\n tag \"rid\": \"SV-87653r1_rule\"\n tag \"stig_id\": \"PGS9-00-008600\"\n tag \"cci\": [\"CCI-001464\"]\n tag \"nist\": [\"AU-14 (1)\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), check\nthe current settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf pgaudit is not in the current setting, this is a finding.\n\nAs the database administrator (shown here as \\\"postgres\\\"), check the current\nsettings by running the following SQL:\n\n$ psql -c \\\"SHOW logging_destination\\\"\n\nIf stderr or syslog are not in the current setting, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to enable auditing.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor session logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n describe sql.query('SHOW log_destination;', [PG_DB]) do\n its('output') { should match /stderr|syslog/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73001.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000565433,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_destination; output should match /stderr|syslog/i","run_time":0.000477756,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /stderr|syslog/i\nDiff:\n@@ -1,2 +1,5 @@\n-/stderr|syslog/i\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73003","title":"PostgreSQL must implement cryptographic mechanisms to prevent unauthorized\nmodification of organization-defined information at rest (to include, at a minimum,\nPII and classified information) on organization-defined information 
system\ncomponents.","desc":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.","descriptions":[{"label":"default","data":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000428-DB-000386","gid":"V-73003","rid":"SV-87655r1_rule","stig_id":"PGS9-00-008700","cci":["CCI-002475"],"nist":["SC-28 (1)","Rev_4"],"check":"Review the system documentation to determine whether the\norganization has defined the information at rest that is to be protected from\nmodification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of PostgreSQL, operating system/file system, and additional\nsoftware as relevant.\n\nIf any of the information defined as requiring cryptographic protection from\nmodification is not encrypted in a manner that provides the required level of\nprotection, this is a finding.\n\nOne possible way to encrypt data within PostgreSQL is to use pgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate filesystem or disk level encryption.\n\nIf this is required and is not found, this is a finding.","fix":"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection.\n\nThe pgcrypto module 
provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it's possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));"},"code":"control \"V-73003\" do\n title \"PostgreSQL must implement cryptographic mechanisms to prevent unauthorized\nmodification of organization-defined information at rest (to include, at a minimum,\nPII and classified information) on organization-defined information system\ncomponents.\"\n desc \"PostgreSQLs handling data requiring \\\"data at rest\\\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000428-DB-000386\"\n tag \"gid\": \"V-73003\"\n tag \"rid\": \"SV-87655r1_rule\"\n tag \"stig_id\": \"PGS9-00-008700\"\n tag \"cci\": [\"CCI-002475\"]\n tag \"nist\": [\"SC-28 (1)\", \"Rev_4\"]\n\n tag \"check\": \"Review the system documentation to determine whether the\norganization has defined the information at rest that is to be protected from\nmodification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nReview the configuration of PostgreSQL, operating system/file system, and additional\nsoftware as relevant.\n\nIf any of the information defined as requiring cryptographic protection from\nmodification is not encrypted in a manner that provides the required level of\nprotection, this is a finding.\n\nOne possible way to encrypt data within PostgreSQL is to use pgcrypto extension.\n\nTo check if pgcrypto is installed on PostgreSQL, as a database administrator (shown\nhere as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate filesystem or disk level encryption.\n\nIf this is required and is not found, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL, operating system/file system, and additional\nsoftware as 
relevant, to provide the required level of cryptographic protection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it's possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\n\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73003.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT * FROM pg_available_extensions where name='pgcrypto' output should not eq \"\"","run_time":0.000163524,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-73005","title":"PostgreSQL must produce audit records containing sufficient information to\nestablish the sources (origins) of the events.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000098-DB-000042","gid":"V-73005","rid":"SV-87657r1_rule","stig_id":"PGS9-00-008800","cci":["CCI-000133"],"nist":["AU-3","Rev_4"],"check":"Check PostgreSQL 
settings and existing audit records to verify\ninformation specific to the source (origin) of the event is being captured and\nstored with audit records.\n\nAs the database administrator (usually postgres, check the current log_line_prefix\nand \"log_hostname\" setting by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n$ psql -c \"SHOW log_hostname\"\n\nFor a complete list of extra information that can be added to log_line_prefix, see\nthe official documentation:\nhttps://www.postgresql.org/docs/current/static/runtime-config-logging.html#GUC-LOG-LI\nNE-PREFIX\n\nIf the current settings do not provide enough information regarding the source of\nthe event, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations can be made to log the source of\nan event.\n\nFirst, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\n###### Log Line Prefix\n\nExtra parameters can be added to the setting log_line_prefix to log source of event:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %p = process ID\n# %m = timestamp with milliseconds\n\nFor example:\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\n###### Log Hostname\n\nBy default only IP address is logged. 
To also log the hostname the following\nparameter can also be set in postgresql.conf:\n\nlog_hostname = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73005\" do\n\n title \"PostgreSQL must produce audit records containing sufficient information to\nestablish the sources (origins) of the events.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing the source of the event, it is impossible to\nestablish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know where events occurred, such as application\ncomponents, modules, session identifiers, filenames, host names, and functionality.\n\nIn addition to logging where events occur within the application, the application\nmust also produce audit records that identify the application itself as the source\nof the event.\n\nAssociating information about the source of the event within the application\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000098-DB-000042\"\n tag \"gid\": \"V-73005\"\n tag \"rid\": \"SV-87657r1_rule\"\n tag \"stig_id\": \"PGS9-00-008800\"\n tag \"cci\": [\"CCI-000133\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n\n tag \"check\": \"Check PostgreSQL settings and existing audit records to verify\ninformation specific to the source (origin) of the event is being captured and\nstored with audit records.\n\nAs the database administrator (usually postgres, check the current log_line_prefix\nand \\\"log_hostname\\\" setting by running the 
following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n$ psql -c \\\"SHOW log_hostname\\\"\n\nFor a complete list of extra information that can be added to log_line_prefix, see\nthe official documentation:\nhttps://www.postgresql.org/docs/current/static/runtime-config-logging.html#GUC-LOG-LI\nNE-PREFIX\n\nIf the current settings do not provide enough information regarding the source of\nthe event, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations can be made to log the source of\nan event.\n\nFirst, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\n###### Log Line Prefix\n\nExtra parameters can be added to the setting log_line_prefix to log source of event:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %p = process ID\n# %m = timestamp with milliseconds\n\nFor example:\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\n###### Log Hostname\n\nBy default only IP address is logged. 
To also log the hostname the following\nparameter can also be set in postgresql.conf:\n\nlog_hostname = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW log_hostname;', [PG_DB]) do\n its('output') { should match /(on|true)/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73005.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.000409791,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.000427984,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000426714,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%s\"","run_time":0.00045054,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%s\"\nDiff:\n@@ -1,2 +1,5 @@\n-%s\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_hostname; output should match /(on|true)/i","run_time":0.000167653,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-73011","title":"Unused database components which are integrated in PostgreSQL and cannot be\nuninstalled must be disabled.","desc":"Information systems are capable of providing a wide variety of functions\nand services. 
Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions.","descriptions":[{"label":"default","data":"Information systems are capable of providing a wide variety of functions\nand services. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. 
The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000141-DB-000092","gid":"V-73011","rid":"SV-87663r1_rule","stig_id":"PGS9-00-009200","cci":["CCI-000381"],"nist":["CM-7 a","Rev_4"],"check":"To list all installed packages, as the system administrator, run the\nfollowing:\n\n# RHEL/CENT Systems\n$ sudo yum list installed | grep postgres\n\n# Debian Systems\n$ dpkg --get-selections | grep postgres\n\nIf any packages are installed that are not required, this is a finding.","fix":"To remove any unneeded executables, as the system administrator, run\nthe following:\n\n# RHEL/CENT Systems\n$ sudo yum erase \n\n# Debian Systems\n$ sudo apt-get remove "},"code":"control \"V-73011\" do\n title \"Unused database components which are integrated in PostgreSQL and cannot be\nuninstalled must be disabled.\"\n desc \"Information systems are capable of providing a wide variety of functions\nand services. Some of the functions and services, provided by default, may not be\nnecessary to support essential organizational operations (e.g., key missions,\nfunctions).\n\nIt is detrimental for software products to provide, or install by default,\nfunctionality exceeding requirements or mission objectives.\n\nPostgreSQLs must adhere to the principles of least functionality by providing only\nessential capabilities.\n\nUnused, unnecessary PostgreSQL components increase the attack vector for PostgreSQL\nby introducing additional targets for attack. By minimizing the services and\napplications installed on the system, the number of potential vulnerabilities is\nreduced. Components of the system that are unused and cannot be uninstalled must be\ndisabled. 
The techniques available for disabling components will vary by DBMS\nproduct, OS and the nature of the component and may include DBMS configuration\nsettings, OS service settings, OS file access security, and DBMS user/role\npermissions.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000141-DB-000092\"\n tag \"gid\": \"V-73011\"\n tag \"rid\": \"SV-87663r1_rule\"\n tag \"stig_id\": \"PGS9-00-009200\"\n tag \"cci\": [\"CCI-000381\"]\n tag \"nist\": [\"CM-7 a\", \"Rev_4\"]\n tag \"check\": \"To list all installed packages, as the system administrator, run the\nfollowing:\n\n# RHEL/CENT Systems\n$ sudo yum list installed | grep postgres\n\n# Debian Systems\n$ dpkg --get-selections | grep postgres\n\nIf any packages are installed that are not required, this is a finding.\"\n tag \"fix\": \"To remove any unneeded executables, as the system administrator, run\nthe following:\n\n# RHEL/CENT Systems\n$ sudo yum erase \n\n# Debian Systems\n$ sudo apt-get remove \"\n\n# @todo how do I identify the packages that are not required for the current OS? 
need datafile of approved?\n# @todo assume need two tests, one for RHEL/CENT, and one for Debian?\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73011.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":8.001e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73013","title":"PostgreSQL must associate organization-defined types of security labels\nhaving organization-defined security label values with information in process.","desc":"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code.","descriptions":[{"label":"default","data":"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000313-DB-000309","gid":"V-73013","rid":"SV-87665r1_rule","stig_id":"PGS9-00-009400","cci":["CCI-002263"],"nist":["AC-16 a","Rev_4"],"check":"If security labeling is not required, this is not a finding.\n\nFirst, as the database administrator (shown here as \"postgres\"), run the following\nSQL against each table that requires security labels:\n\n$ sudo su - postgres\n$ psql -c \"\\d+ .\"\n\nIf security labeling requirements have been specified, but the security labeling is\nnot implemented or does not reliably maintain labels on information in process, this\nis a finding.","fix":"In addition to the SQL-standard privilege system available through\nGRANT, tables can have row security policies that restrict, on a per-user basis,\nwhich rows can be returned by normal queries or inserted, updated, or deleted by\ndata modification commands. This feature is also known as Row-Level Security (RLS).\n\nRLS policies can be very different depending on their use case. 
For one example of\nusing RLS for Security Labels, see supplementary content APPENDIX-D."},"code":"control \"V-73013\" do\n title \"PostgreSQL must associate organization-defined types of security labels\nhaving organization-defined security label values with information in process.\"\n desc \"Without the association of security labels to information, there is no\nbasis for PostgreSQL to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or\ncharacteristics of an entity (e.g., subjects and objects) with respect to\nsafeguarding information.\n\nThese labels are typically associated with internal data structures (e.g., tables,\nrows) within the database and are used to enable the implementation of access\ncontrol and flow control policies, reflect special dissemination, handling or\ndistribution instructions, or support other aspects of the information security\npolicy.\n\nOne example includes marking data as classified or FOUO. These security labels may\nbe assigned manually or during data processing, but, either way, it is imperative\nthese assignments are maintained while the data is in storage. 
If the security\nlabels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be the sepgsql feature of\nPostgreSQL, a third-party product, or custom application code.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000313-DB-000309\"\n tag \"gid\": \"V-73013\"\n tag \"rid\": \"SV-87665r1_rule\"\n tag \"stig_id\": \"PGS9-00-009400\"\n tag \"cci\": [\"CCI-002263\"]\n tag \"nist\": [\"AC-16 a\", \"Rev_4\"]\n tag \"check\": \"If security labeling is not required, this is not a finding.\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), run the following\nSQL against each table that requires security labels:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\d+ .\\\"\n\nIf security labeling requirements have been specified, but the security labeling is\nnot implemented or does not reliably maintain labels on information in process, this\nis a finding.\"\n tag \"fix\": \"In addition to the SQL-standard privilege system available through\nGRANT, tables can have row security policies that restrict, on a per-user basis,\nwhich rows can be returned by normal queries or inserted, updated, or deleted by\ndata modification commands. This feature is also known as Row-Level Security (RLS).\n\nRLS policies can be very different depending on their use case. 
For one example of\nusing RLS for Security Labels, see supplementary content APPENDIX-D.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73013.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":6.125e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73015","title":"If passwords are used for authentication, PostgreSQL must store only\nhashed, salted representations of passwords.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n \n Authentication based on User ID and Password may be used only \n when it is not possible to employ a PKI certificate, and \n requires AO approval.\n\n In such cases, database passwords stored in clear text, using \n reversible encryption, or using unsalted hashes would be \n vulnerable to unauthorized disclosure. Database passwords must \n always be in the form of one-way, salted hashes when stored \n internally or externally to PostgreSQL.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates.\n \n Authentication based on User ID and Password may be used only \n when it is not possible to employ a PKI certificate, and \n requires AO approval.\n\n In such cases, database passwords stored in clear text, using \n reversible encryption, or using unsalted hashes would be \n vulnerable to unauthorized disclosure. 
Database passwords must \n always be in the form of one-way, salted hashes when stored \n internally or externally to PostgreSQL."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000171-DB-000074","gid":"V-73015","rid":"SV-87667r1_rule","stig_id":"PGS9-00-009500","cci":["CCI-000196"],"nist":["IA-5 (1) (c)","Rev_4"],"check":"To check if password encryption is enabled, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW password_encryption\"\n\nIf password_encryption is not on, this is a finding.\n\nNext, to identify if any passwords have been stored without being hashed and salted,\nas the database administrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -x -c \"SELECT * FROM pg_shadow\"\n\nIf any password is in plaintext, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo enable password_encryption, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npassword_encryption = on\n\nInstitute a policy of not using the \"WITH UNENCRYPTED PASSWORD\" option with the\nCREATE ROLE/USER and ALTER ROLE/USER commands. 
(This option overrides the setting of\nthe password_encryption configuration parameter.)\n\nAs the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart"},"code":"control \"V-73015\" do\n title \"If passwords are used for authentication, PostgreSQL must store only\nhashed, salted representations of passwords.\"\n desc \"The DoD standard for authentication is DoD-approved PKI certificates.\n\nAuthentication based on User ID and Password may be used only when it is not\npossible to employ a PKI certificate, and requires AO approval.\n\nIn such cases, database passwords stored in clear text, using reversible encryption,\nor using unsalted hashes would be vulnerable to unauthorized disclosure. Database\npasswords must always be in the form of one-way, salted hashes when stored\ninternally or externally to PostgreSQL.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000171-DB-000074\"\n tag \"gid\": \"V-73015\"\n tag \"rid\": \"SV-87667r1_rule\"\n tag \"stig_id\": \"PGS9-00-009500\"\n tag \"cci\": [\"CCI-000196\"]\n tag \"nist\": [\"IA-5 (1) (c)\", \"Rev_4\"]\n tag \"check\": \"To check if password encryption is enabled, as the database\nadministrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW password_encryption\\\"\n\nIf password_encryption is not on, this is a finding.\n\nNext, to identify if any passwords have been stored without being hashed and salted,\nas the database administrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -x -c \\\"SELECT * FROM pg_shadow\\\"\n\nIf any password is in plaintext, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo enable 
password_encryption, as the database administrator, edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npassword_encryption = on\n\nInstitute a policy of not using the \\\"WITH UNENCRYPTED PASSWORD\\\" option with the\nCREATE ROLE/USER and ALTER ROLE/USER commands. (This option overrides the setting of\nthe password_encryption configuration parameter.)\n\nAs the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW password_encryption;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\n\n passwords_sql = \"SELECT usename FROM pg_shadow \"\\\n \"WHERE passwd !~ '^md5[0-9a-f]+$';\"\n\n describe sql.query(passwords_sql, [PG_DB]) do\n its('output') { should eq '' }\n end\n \nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73015.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW password_encryption; output should match /on|true/i","run_time":0.000120907,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT usename FROM pg_shadow WHERE passwd !~ '^md5[0-9a-f]+$'; output should eq \"\"","run_time":0.000364308,"start_time":"2019-04-22T19:23:23+00:00","message":"\nexpected: \"\"\n got: \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\"\n\n(compared using ==)\n\nDiff:\n@@ -1 +1,5 @@\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73017","title":"PostgreSQL must enforce access restrictions associated 
with changes to the\nconfiguration of PostgreSQL or database(s).","desc":"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications.","descriptions":[{"label":"default","data":"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000380-DB-000360","gid":"V-73017","rid":"SV-87669r1_rule","stig_id":"PGS9-00-009600","cci":["CCI-001813"],"nist":["CM-5 (1)","Rev_4"],"check":"To list all the permissions of individual roles, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\n\nIf any role has SUPERUSER that should not, this is a finding.\n\nNext, list all the permissions of databases and schemas by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\l\"\n$ psql -c \"\\dn+\"\n\nIf any database or schema 
has update (\"W\") or create (\"C\") privileges and should\nnot, this is a finding.","fix":"Configure PostgreSQL to enforce access restrictions associated with\nchanges to the configuration of PostgreSQL or database(s).\n\nUse ALTER ROLE to remove accesses from roles:\n\n$ psql -c \"ALTER ROLE NOSUPERUSER\"\n\nUse REVOKE to remove privileges from databases and schemas:\n\n$ psql -c \"REVOKE ALL PRIVILEGES ON
FROM ;"},"code":"control \"V-73017\" do\n title \"PostgreSQL must enforce access restrictions associated with changes to the\nconfiguration of PostgreSQL or database(s).\"\n desc \"Failure to provide logical access restrictions associated with changes to\nconfiguration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be\nnoted that any changes to the hardware, software, and/or firmware components of the\ninformation system can potentially have significant effects on the overall security\nof the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain\naccess to system components for the purposes of initiating changes, including\nupgrades and modifications.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000380-DB-000360\"\n tag \"gid\": \"V-73017\"\n tag \"rid\": \"SV-87669r1_rule\"\n tag \"stig_id\": \"PGS9-00-009600\"\n tag \"cci\": [\"CCI-001813\"]\n tag \"nist\": [\"CM-5 (1)\", \"Rev_4\"]\n tag \"check\": \"To list all the permissions of individual roles, as the database\nadministrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\du\n\nIf any role has SUPERUSER that should not, this is a finding.\n\nNext, list all the permissions of databases and schemas by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\l\\\"\n$ psql -c \\\"\\\\dn+\\\"\n\nIf any database or schema has update (\\\"W\\\") or create (\\\"C\\\") privileges and should\nnot, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to enforce access restrictions associated with\nchanges to the configuration of PostgreSQL or database(s).\n\nUse ALTER ROLE to remove accesses from roles:\n\n$ psql -c \\\"ALTER ROLE NOSUPERUSER\\\"\n\nUse REVOKE to remove privileges from databases and schemas:\n\n$ psql -c \\\"REVOKE ALL PRIVILEGES ON
FROM ;\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [PG_DB])\n roles = roles_query.lines\n\n roles.each do |role|\n unless PG_SUPERUSERS.include?(role)\n superuser_sql = \"SELECT r.rolsuper FROM pg_catalog.pg_roles r \"\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [PG_DB]) do\n its('output') { should_not eq 't' }\n end\n end\n end\n\n authorized_owners = PG_SUPERUSERS\n owners = authorized_owners.join('|')\n\n database_granted_privileges = 'CTc'\n database_public_privileges = 'c'\n database_acl = \"^((((#{owners})=[#{database_granted_privileges}]+|\"\\\n \"=[#{database_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n database_acl_regex = Regexp.new(database_acl)\n\n schema_granted_privileges = 'UC'\n schema_public_privileges = 'U'\n schema_acl = \"^((((#{owners})=[#{schema_granted_privileges}]+|\"\\\n \"=[#{schema_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n schema_acl_regex = Regexp.new(schema_acl)\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate;'\n databases_query = sql.query(databases_sql, [PG_DB])\n databases = databases_query.lines\n\n databases.each do |database|\n datacl_sql = \"SELECT pg_catalog.array_to_string(datacl, E','), datname \"\\\n \"FROM pg_catalog.pg_database WHERE datname = '#{database}';\"\n\n describe sql.query(datacl_sql, [PG_DB]) do\n its('output') { should match database_acl_regex }\n end\n\n schemas_sql = \"SELECT n.nspname, FROM pg_catalog.pg_namespace n \"\\\n \"WHERE n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n schemas_query = sql.query(schemas_query, [database])\n # Handle connection disabled on database\n if schemas_query.methods.include?(:output)\n schemas = schemas_query.lines\n\n schemas.each do |schema|\n nspacl_sql = \"SELECT pg_catalog.array_to_string(n.nspacl, E','), \"\\\n \"n.nspname FROM pg_catalog.pg_namespace n \"\\\n 
\"WHERE n.nspname = '#{schema}';\"\n\n describe sql.query(nspacl_sql) do\n its('output') { should match schema_acl_regex }\n end\n end\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73017.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = ''; output should not eq \"t\"","run_time":0.000190841,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = 'psql: could not connect to server: Connection refused'; output should not eq \"t\"","run_time":0.00012479,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should not eq \"t\"","run_time":0.000129124,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT r.rolsuper FROM pg_catalog.pg_roles r WHERE r.rolname = '\tTCP/IP connections on port 5432?'; output should not eq \"t\"","run_time":0.000132021,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(datacl, E','), datname FROM pg_catalog.pg_database WHERE datname = ''; output should match /^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/","run_time":0.000473819,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server 
running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = ''; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000442343,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.00038072,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: could not connect to server: No such file or directory'; output should match 
/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000335323,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tIs the server running locally and accepting'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000331548,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tconnections on Unix domain socket \"/var/run/postgresql/.s.PGSQL.5432\"?'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000405551,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 
+1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(datacl, E','), datname FROM pg_catalog.pg_database WHERE datname = 'psql: could not connect to server: Connection refused'; output should match /^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/","run_time":0.000362607,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = ''; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000376003,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument 
\"could\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000352704,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"not\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000443862,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"connect\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000449077,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match 
/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"to\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000522575,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"server:\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000475262,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT 
pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"Connection\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000522108,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"refused\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000400575,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: could not connect to server: Connection refused'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000363013,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: 
Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000431195,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tTCP/IP connections on port 5432?'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000379917,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections 
on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(datacl, E','), datname FROM pg_catalog.pg_database WHERE datname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should match /^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/","run_time":0.000375565,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = ''; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000387101,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"the\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000389377,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect 
to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"server\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000505936,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"running\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000446154,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host 
\"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000490581,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"host\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000380844,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"127.0.0.1\" ignored'; output should match 
/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000361296,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"and\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000353839,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"accepting\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000410962,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 
+1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: could not connect to server: Connection refused'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000384498,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000414704,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n 
WHERE n.nspname = '\tTCP/IP connections on port 5432?'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000423385,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(datacl, E','), datname FROM pg_catalog.pg_database WHERE datname = '\tTCP/IP connections on port 5432?'; output should match /^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/","run_time":0.006405805,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[CTc]+|=[c]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = ''; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000329491,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 
@@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"connections\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000334815,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"on\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000323334,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM 
pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"port\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000316874,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: warning: extra command-line argument \"5432?\" ignored'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000381865,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = 'psql: could not connect to server: Connection refused'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000277479,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" 
and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tIs the server running on host \"127.0.0.1\" and accepting'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000290418,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT pg_catalog.array_to_string(n.nspacl, E','), n.nspname FROM pg_catalog.pg_namespace n WHERE n.nspname = '\tTCP/IP connections on port 5432?'; output should match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/","run_time":0.000297957,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to match /^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\nDiff:\n@@ -1,2 +1,5 @@\n-/^(((()=[UC]+|=[U]+)\\/\\w+,?)+|)\\|/\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73019","title":"PostgreSQL must protect 
against a user falsely repudiating having performed\norganization-defined actions.","desc":"Non-repudiation of actions taken is required in order to maintain data\nintegrity. Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account.","descriptions":[{"label":"default","data":"Non-repudiation of actions taken is required in order to maintain data\nintegrity. Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. 
Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000080-DB-000063","gid":"V-73019","rid":"SV-87671r1_rule","stig_id":"PGS9-00-009700","cci":["CCI-000166"],"nist":["AU-10","Rev_4"],"check":"First, as the database administrator, review the current\nlog_line_prefix settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf log_line_prefix does not contain at least '< %m %a %u %d %r %p %m >', this is a\nfinding.\n\nNext, review the current shared_preload_libraries' settings by running the following\nSQL:\n\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf shared_preload_libraries does not contain \"pgaudit\", this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure the database to supply additional auditing information to protect against\na user falsely repudiating having performed organization-defined actions.\n\nUsing pgaudit PostgreSQL can be configured to audit these requests. 
See\nsupplementary content APPENDIX-B for documentation on installing pgaudit.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nModify the configuration of audit logs to include details identifying the individual\nuser:\n\nFirst, as the database administrator (shown here as \"postgres\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nExtra parameters can be added to the setting log_line_prefix to identify the user:\n\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nUse accounts assigned to individual users. Where the application connects to\nPostgreSQL using a standard, shared account, ensure that it also captures the\nindividual user identification and passes it to PostgreSQL."},"code":"control \"V-73019\" do\n title \"PostgreSQL must protect against a user falsely repudiating having performed\norganization-defined actions.\"\n desc \"Non-repudiation of actions taken is required in order to maintain data\nintegrity. Examples of particular actions taken by individuals include creating\ninformation, sending a message, approving information (e.g., indicating concurrence\nor signing a contract), and receiving a message.\n\nNon-repudiation protects against later claims by a user of not having created,\nmodified, or deleted a particular data item or collection of data in the database.\n\nIn designing a database, the organization must define the types of data and the user\nactions that must be protected from repudiation. The implementation must then\ninclude building audit features into the application data tables, and configuring\nPostgreSQL' audit tools to capture the necessary audit trail. 
Design and\nimplementation also must ensure that applications pass individual user\nidentification to PostgreSQL, even where the application connects to PostgreSQL with\na standard, shared account.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000080-DB-000063\"\n tag \"gid\": \"V-73019\"\n tag \"rid\": \"SV-87671r1_rule\"\n tag \"stig_id\": \"PGS9-00-009700\"\n tag \"cci\": [\"CCI-000166\"]\n tag \"nist\": [\"AU-10\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, review the current\nlog_line_prefix settings by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nIf log_line_prefix does not contain at least '< %m %a %u %d %r %p %m >', this is a\nfinding.\n\nNext, review the current shared_preload_libraries' settings by running the following\nSQL:\n\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf shared_preload_libraries does not contain \\\"pgaudit\\\", this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure the database to supply additional auditing information to protect against\na user falsely repudiating having performed organization-defined actions.\n\nUsing pgaudit PostgreSQL can be configured to audit these requests. 
See\nsupplementary content APPENDIX-B for documentation on installing pgaudit.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nModify the configuration of audit logs to include details identifying the individual\nuser:\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nExtra parameters can be added to the setting log_line_prefix to identify the user:\n\nlog_line_prefix = '< %m %a %u %d %r %p %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nUse accounts assigned to individual users. Where the application connects to\nPostgreSQL using a standard, shared account, ensure that it also captures the\nindividual user identification and passes it to PostgreSQL.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %p %r %a)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73019.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.00044862,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: 
Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.000394454,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000328309,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%p\"","run_time":0.000376358,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%p\"\nDiff:\n@@ -1,2 +1,5 @@\n-%p\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include 
\"%r\"","run_time":0.00038145,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%r\"\nDiff:\n@@ -1,2 +1,5 @@\n-%r\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%a\"","run_time":0.000375555,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%a\"\nDiff:\n@@ -1,2 +1,5 @@\n-%a\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000333042,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73021","title":"PostgreSQL must provide the capability for authorized users to capture,\nrecord, and log all content related to a user session.","desc":"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL 
capability would be used in conjunction with comparable\nmonitoring of a user's online session, involving other software components such as\noperating systems, web servers and front-end user applications. The current\nrequirement, however, deals specifically with PostgreSQL.","descriptions":[{"label":"default","data":"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL capability would be used in conjunction with comparable\nmonitoring of a user's online session, involving other software components such as\noperating systems, web servers and front-end user applications. The current\nrequirement, however, deals specifically with PostgreSQL."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000093-DB-000052","gid":"V-73021","rid":"SV-87673r1_rule","stig_id":"PGS9-00-009800","cci":["CCI-001462"],"nist":["AU-14 (2)","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nverify pgaudit is installed by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf shared_preload_libraries does not contain pgaudit, this is a finding.\n\nNext, to verify connections and disconnections are logged, run the following SQL:\n\n$ psql -c \"SHOW log_connections\"\n$ psql -c \"SHOW log_disconnections\"\n\nIf log_connections and log_disconnections are off, this is a finding.\n\nNow, to verify that pgaudit is configured to log, run the following SQL:\n\n$ psql -c \"SHOW pgaudit.log\"\n\nIf pgaudit.log does not contain ddl, role, read, write, this is a finding.","fix":"Configure the database capture, record, and log all content related to\na user session.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \"postgres\"),\nenable 
log_connections and log_disconnections:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_connections = on\nlog_disconnections = on\n\nUsing pgaudit PostgreSQL can be configured to audit activity. See supplementary\ncontent APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, as a database administrator (shown here as \"postgres\"),\nenable which objects required for auditing a user's session:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npgaudit.log = 'write, ddl, role, read, function';\npgaudit.log_relation = on;\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73021\" do\n title \"PostgreSQL must provide the capability for authorized users to capture,\nrecord, and log all content related to a user session.\"\n desc \"Without the capability to capture, record, and log all content related to a\nuser session, investigations into suspicious user activity would be hampered.\n\nTypically, this PostgreSQL capability would be used in conjunction with comparable\nmonitoring of a user's online session, involving other software components such as\noperating systems, web servers and front-end user applications. 
The current\nrequirement, however, deals specifically with PostgreSQL.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000093-DB-000052\"\n tag \"gid\": \"V-73021\"\n tag \"rid\": \"SV-87673r1_rule\"\n tag \"stig_id\": \"PGS9-00-009800\"\n tag \"cci\": [\"CCI-001462\"]\n tag \"nist\": [\"AU-14 (2)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as \\\"postgres\\\"),\nverify pgaudit is installed by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf shared_preload_libraries does not contain pgaudit, this is a finding.\n\nNext, to verify connections and disconnections are logged, run the following SQL:\n\n$ psql -c \\\"SHOW log_connections\\\"\n$ psql -c \\\"SHOW log_disconnections\\\"\n\nIf log_connections and log_disconnections are off, this is a finding.\n\nNow, to verify that pgaudit is configured to log, run the following SQL:\n\n$ psql -c \\\"SHOW pgaudit.log\\\"\n\nIf pgaudit.log does not contain ddl, role, read, write, this is a finding.\"\n tag \"fix\": \"Configure the database capture, record, and log all content related to\na user session.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \\\"postgres\\\"),\nenable log_connections and log_disconnections:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_connections = on\nlog_disconnections = on\n\nUsing pgaudit PostgreSQL can be configured to audit activity. 
See supplementary\ncontent APPENDIX-B for documentation on installing pgaudit.\n\nWith pgaudit installed, as a database administrator (shown here as \\\"postgres\\\"),\nenable which objects required for auditing a user's session:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npgaudit.log = 'write, ddl, role, read, function';\npgaudit.log_relation = on;\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73021.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000303307,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW 
pgaudit.log; output should include \"ddl\"","run_time":0.000299069,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000347143,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000370382,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000325551,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP 
connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_connections; output should not match /off|false/i","run_time":0.000123517,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_disconnections; output should not match /off|false/i","run_time":9.4196e-05,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-73023","title":"The system must provide a warning to appropriate support \n staff when allocated audit record storage volume reaches 80% \n of maximum audit record storage capacity.","desc":"Organizations are required to use a central log management system, \n so, under normal conditions, the audit space allocated to \n PostgreSQL on its own server will not be an issue. However, \n space will still be required on PostgreSQL server for audit \n records in transit, and, under abnormal conditions, this could \n fill up. Since a requirement exists to halt processing upon \n audit failure, a service outage would result.\n\n If support personnel are not notified immediately upon storage \n volume utilization reaching 80%, they are unable to plan for \n storage capacity expansion. \n\n The appropriate support staff include, at a minimum, the ISSO \n and the DBA/SA.","descriptions":[{"label":"default","data":"Organizations are required to use a central log management system, \n so, under normal conditions, the audit space allocated to \n PostgreSQL on its own server will not be an issue. However, \n space will still be required on PostgreSQL server for audit \n records in transit, and, under abnormal conditions, this could \n fill up. 
Since a requirement exists to halt processing upon \n audit failure, a service outage would result.\n\n If support personnel are not notified immediately upon storage \n volume utilization reaching 80%, they are unable to plan for \n storage capacity expansion. \n\n The appropriate support staff include, at a minimum, the ISSO \n and the DBA/SA."},{"label":"check","data":"Review system configuration.\n\n If no script/tool is monitoring the partition for the PostgreSQL \n log directories, this is a finding.\n\n If appropriate support staff are not notified immediately upon \n storage volume utilization reaching 80%, this is a finding."},{"label":"fix","data":"Configure the system to notify appropriate support \n staff immediately upon storage volume utilization reaching 80%.\n\n PostgreSQL does not monitor storage, however, it is possible to \n monitor storage with a script.\n\n ##### Example Monitoring Script\n\n #!/bin/bash\n\n PGDATA=/var/lib/psql/9.5/data\n CURRENT=$(df ${PGDATA?} | grep / | awk \"{ print $5}\" \n | sed \"s/%//g\")\n THRESHOLD=80\n\n if [ \"$CURRENT\" -gt \"$THRESHOLD\" ] ; then\n mail -s \"Disk Space Alert\" mail@support.com << EOF\n The data directory volume is almost full. 
Used: $CURRENT\n %EOF\n fi\n\n Schedule this script in cron to run around the clock."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000359-DB-000319","gid":"V-73023","rid":"SV-87675r1_rule","stig_id":"PGS9-00-009900","cci":["CCI-001855"],"nist":["AU-5 (1)","Rev_4"],"check":"Review system configuration.\n\nIf no script/tool is monitoring the partition for the PostgreSQL log directories,\nthis is a finding.\n\nIf appropriate support staff are not notified immediately upon storage volume\nutilization reaching 75%, this is a finding.","fix":"Configure the system to notify appropriate support staff immediately\nupon storage volume utilization reaching 75%.\n\nPostgreSQL does not monitor storage, however, it is possible to monitor storage with\na script.\n\n##### Example Monitoring Script\n\n#!/bin/bash\n\nPGDATA=/var/lib/psql/9.5/data\nCURRENT=$(df ${PGDATA?} | grep / | awk '{ print $5}' | sed 's/%//g')\nTHRESHOLD=75\n\nif [ \"$CURRENT\" -gt \"$THRESHOLD\" ] ; then\nmail -s 'Disk Space Alert' mail@support.com << EOF\nThe data directory volume is almost full. Used: $CURRENT\n%EOF\nfi\n\nSchedule this script in cron to run around the clock."},"code":"control \"V-73023\" do\n title \"The system must provide a warning to appropriate support staff when\nallocated audit record storage volume reaches 75% of maximum audit record storage\ncapacity.\"\n desc \"Organizations are required to use a central log management system, so,\nunder normal conditions, the audit space allocated to PostgreSQL on its own server\nwill not be an issue. However, space will still be required on PostgreSQL server for\naudit records in transit, and, under abnormal conditions, this could fill up. 
Since\na requirement exists to halt processing upon audit failure, a service outage would\nresult.\n\nIf support personnel are not notified immediately upon storage volume utilization\nreaching 75%, they are unable to plan for storage capacity expansion.\n\nThe appropriate support staff include, at a minimum, the ISSO and the DBA/SA.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000359-DB-000319\"\n tag \"gid\": \"V-73023\"\n tag \"rid\": \"SV-87675r1_rule\"\n tag \"stig_id\": \"PGS9-00-009900\"\n tag \"cci\": [\"CCI-001855\"]\n tag \"nist\": [\"AU-5 (1)\", \"Rev_4\"]\n tag \"check\": \"Review system configuration.\n\nIf no script/tool is monitoring the partition for the PostgreSQL log directories,\nthis is a finding.\n\nIf appropriate support staff are not notified immediately upon storage volume\nutilization reaching 75%, this is a finding.\"\n tag \"fix\": \"Configure the system to notify appropriate support staff immediately\nupon storage volume utilization reaching 75%.\n\nPostgreSQL does not monitor storage, however, it is possible to monitor storage with\na script.\n\n##### Example Monitoring Script\n\n#!/bin/bash\n\nPGDATA=/var/lib/psql/9.5/data\nCURRENT=$(df ${PGDATA?} | grep / | awk '{ print $5}' | sed 's/%//g')\nTHRESHOLD=75\n\nif [ \\\"$CURRENT\\\" -gt \\\"$THRESHOLD\\\" ] ; then\nmail -s 'Disk Space Alert' mail@support.com << EOF\nThe data directory volume is almost full. 
Used: $CURRENT\n%EOF\nfi\n\nSchedule this script in cron to run around the clock.\"\n\n only_if { false }\n \nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73023.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":7.258e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73025","title":"PostgreSQL must provide the means for individuals in authorized roles to\nchange the auditing to be performed on all application components, based on all\nselectable event criteria within organization-defined time thresholds.","desc":"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours.","descriptions":[{"label":"default","data":"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. 
Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000353-DB-000324","gid":"V-73025","rid":"SV-87677r1_rule","stig_id":"PGS9-00-010000","cci":["CCI-001914"],"nist":["AU-12 (3)","Rev_4"],"check":"First, as the database administrator, check if pgaudit is present in\nshared_preload_libraries:\n\n$ sudo su - postgres\n$ psql -c \"SHOW shared_preload_libraries\"\n\nIf pgaudit is not present in the result from the query, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor audit logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\n\nAs a superuser (postgres), any pgaudit parameter can be changed in postgresql.conf.\nConfigurations can only be changed by a superuser.\n\n### Example: Change Auditing To Log Any ROLE Statements\n\nNote: This will override any setting already configured.\n\nAlter the configuration to do role-based logging:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'role'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\n### Example: Set An Auditing Role And Grant Privileges\n\nAn audit role can be configured and granted privileges to specific tables and\ncolumns that need logging.\n\n##### Create Test Table\n\n$ sudo su - postgres\n$ psql -c \"CREATE TABLE public.stig_audit_example(id INT, name TEXT, password\nTEXT);\"\n\n##### Define Auditing Role\n\nAs PostgreSQL superuser (such as postgres), add the following to postgresql.conf or\nany included configuration files.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.role = 'auditor'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nNext in PostgreSQL create a new role:\n\npostgres=# CREATE ROLE auditor;\npostgres=# GRANT select(password) ON public.stig_audit_example TO auditor;\n\nNote: This role is created with NOLOGIN privileges by default.\n\nNow any SELECT on the column password will be logged:\n\n$ sudo su - postgres\n$ psql -c \"SELECT password FROM public.stig_audit_example;\"\n$ cat ${PGDATA?}/pg_log/\n< 2016-01-28 16:46:09.038 UTC bob postgres: 
>LOG: AUDIT:\nOBJECT,6,1,READ,SELECT,TABLE,public.stig_audit_example,SELECT password FROM\nstig_audit_example;,\n\n## Change Configurations During A Specific Timeframe\n\nDeploy PostgreSQL that allows audit configuration changes to take effect within the\ntimeframe required by the application owner and without involving actions or events\nthat the application owner rules unacceptable.\n\nCrontab can be used to do this.\n\nFor a specific audit role:\n\n# Grant specific audit privileges to an auditing role at 5 PM every day of the week,\nmonth, year at the 0 minute mark.\n0 5 * * * postgres /usr/bin/psql -c \"GRANT select(password) ON\npublic.stig_audit_example TO auditor;\"\n# Revoke specific audit privileges to an auditing role at 5 PM every day of the\nweek, month, year at the 0 minute mark.\n0 17 * * * postgres /usr/bin/psql -c \"REVOKE select(password) ON\npublic.stig_audit_example FROM auditor;\""},"code":"control \"V-73025\" do\n title \"PostgreSQL must provide the means for individuals in authorized roles to\nchange the auditing to be performed on all application components, based on all\nselectable event criteria within organization-defined time thresholds.\"\n desc \"If authorized individuals do not have the ability to modify auditing\nparameters in response to a changing threat environment, the organization may not be\nable to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to\nmeet organizational requirements. Auditing that is limited to conserve information\nsystem resources may be extended to address certain threat situations. In addition,\nauditing may be limited to a specific set of events to facilitate audit reduction,\nanalysis, and reporting. 
Organizations can establish time thresholds in which audit\nactions are changed, for example, near real time, within minutes, or within hours.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000353-DB-000324\"\n tag \"gid\": \"V-73025\"\n tag \"rid\": \"SV-87677r1_rule\"\n tag \"stig_id\": \"PGS9-00-010000\"\n tag \"cci\": [\"CCI-001914\"]\n tag \"nist\": [\"AU-12 (3)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator, check if pgaudit is present in\nshared_preload_libraries:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW shared_preload_libraries\\\"\n\nIf pgaudit is not present in the result from the query, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nFor audit logging we suggest using pgaudit. 
For instructions on how to setup\npgaudit, see supplementary content APPENDIX-B.\n\nAs a superuser (postgres), any pgaudit parameter can be changed in postgresql.conf.\nConfigurations can only be changed by a superuser.\n\n### Example: Change Auditing To Log Any ROLE Statements\n\nNote: This will override any setting already configured.\n\nAlter the configuration to do role-based logging:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.log = 'role'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\n### Example: Set An Auditing Role And Grant Privileges\n\nAn audit role can be configured and granted privileges to specific tables and\ncolumns that need logging.\n\n##### Create Test Table\n\n$ sudo su - postgres\n$ psql -c \\\"CREATE TABLE public.stig_audit_example(id INT, name TEXT, password\nTEXT);\\\"\n\n##### Define Auditing Role\n\nAs PostgreSQL superuser (such as postgres), add the following to postgresql.conf or\nany included configuration files.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameters (or edit existing parameters):\n\npgaudit.role = 'auditor'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nNext in PostgreSQL create a new role:\n\npostgres=# CREATE ROLE auditor;\npostgres=# GRANT select(password) ON public.stig_audit_example TO auditor;\n\nNote: This role is created with NOLOGIN privileges by default.\n\nNow any SELECT on the column password will be logged:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT password FROM public.stig_audit_example;\\\"\n$ cat ${PGDATA?}/pg_log/\n< 2016-01-28 16:46:09.038 UTC bob 
postgres: >LOG: AUDIT:\nOBJECT,6,1,READ,SELECT,TABLE,public.stig_audit_example,SELECT password FROM\nstig_audit_example;,\n\n## Change Configurations During A Specific Timeframe\n\nDeploy PostgreSQL that allows audit configuration changes to take effect within the\ntimeframe required by the application owner and without involving actions or events\nthat the application owner rules unacceptable.\n\nCrontab can be used to do this.\n\nFor a specific audit role:\n\n# Grant specific audit privileges to an auditing role at 5 PM every day of the week,\nmonth, year at the 0 minute mark.\n0 5 * * * postgres /usr/bin/psql -c \\\"GRANT select(password) ON\npublic.stig_audit_example TO auditor;\\\"\n# Revoke specific audit privileges to an auditing role at 5 PM every day of the\nweek, month, year at the 0 minute mark.\n0 17 * * * postgres /usr/bin/psql -c \\\"REVOKE select(password) ON\npublic.stig_audit_example FROM auditor;\\\"\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73025.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.00033626,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73027","title":"PostgreSQL must require users to reauthenticate when organization-defined\ncircumstances or situations require 
reauthentication.","desc":"The CMS standard for authentication of an interactive user \n is the presentation of a Personal Identity Verification (PIV) \n Card or other physical token bearing a valid, current, \n CMS-issued Public Key Infrastructure (PKI) certificate, coupled \n with a Personal Identification Number (PIN) to be entered by \n the user at the beginning of each session and whenever \n reauthentication is required.\n\n Without reauthentication, users may access resources or perform \n tasks for which they do not have authorization.\n\n When applications provide the capability to change security \n roles or escalate the functional capability of the application, \n it is critical the user re-authenticate.\n\n In addition to the reauthentication requirements associated with \n session locks, organizations may require reauthentication of \n individuals and/or devices in other situations, including (but \n not limited to) the following circumstances:\n\n (i) When authenticators change;\n (ii) When roles change;\n (iii) When security categorized information systems change;\n (iv) When the execution of privileged functions occurs;\n (v) After a fixed period of time; or\n (vi) Periodically.\n\n Within CMS, the minimum circumstances requiring reauthentication \n are privilege escalation and role changes.","descriptions":[{"label":"default","data":"The CMS standard for authentication of an interactive user \n is the presentation of a Personal Identity Verification (PIV) \n Card or other physical token bearing a valid, current, \n CMS-issued Public Key Infrastructure (PKI) certificate, coupled \n with a Personal Identification Number (PIN) to be entered by \n the user at the beginning of each session and whenever \n reauthentication is required.\n\n Without reauthentication, users may access resources or perform \n tasks for which they do not have authorization.\n\n When applications provide the capability to change security \n roles or escalate the functional 
capability of the application, \n it is critical the user re-authenticate.\n\n In addition to the reauthentication requirements associated with \n session locks, organizations may require reauthentication of \n individuals and/or devices in other situations, including (but \n not limited to) the following circumstances:\n\n (i) When authenticators change;\n (ii) When roles change;\n (iii) When security categorized information systems change;\n (iv) When the execution of privileged functions occurs;\n (v) After a fixed period of time; or\n (vi) Periodically.\n\n Within CMS, the minimum circumstances requiring reauthentication \n are privilege escalation and role changes."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000389-DB-000372","gid":"V-73027","rid":"SV-87679r1_rule","stig_id":"PGS9-00-010100","cci":["CCI-002038"],"nist":["IA-11","Rev_4"],"check":"Determine all situations where a user must re-authenticate. Check if\nthe mechanisms that handle such situations use the following SQL:\n\nTo make a single user re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user=''\n\nTo make all users re-authenticate, run the following:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'\n\nIf the provided SQL does not force re-authentication, this is a finding.","fix":"Modify and/or configure PostgreSQL and related applications and tools\nso that users are always required to reauthenticate when changing role or escalating\nprivileges.\n\nTo make a single user re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user=''\n\nTo make all users re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'"},"code":"control \"V-73027\" do\n title \"PostgreSQL must require users to reauthenticate when organization-defined\ncircumstances or 
situations require reauthentication.\"\n desc \"The DoD standard for authentication of an interactive user is the\npresentation of a Common Access Card (CAC) or other physical token bearing a valid,\ncurrent, DoD-issued Public Key Infrastructure (PKI) certificate, coupled with a\nPersonal Identification Number (PIN) to be entered by the user at the beginning of\neach session and whenever reauthentication is required.\n\nWithout reauthentication, users may access resources or perform tasks for which they\ndo not have authorization.\n\nWhen applications provide the capability to change security roles or escalate the\nfunctional capability of the application, it is critical the user re-authenticate.\n\nIn addition to the reauthentication requirements associated with session locks,\norganizations may require reauthentication of individuals and/or devices in other\nsituations, including (but not limited to) the following circumstances:\n\n(i) When authenticators change;\n(ii) When roles change;\n(iii) When security categorized information systems change;\n(iv) When the execution of privileged functions occurs;\n(v) After a fixed period of time; or\n(vi) Periodically.\n\nWithin the DoD, the minimum circumstances requiring reauthentication are privilege\nescalation and role changes.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000389-DB-000372\"\n tag \"gid\": \"V-73027\"\n tag \"rid\": \"SV-87679r1_rule\"\n tag \"stig_id\": \"PGS9-00-010100\"\n tag \"cci\": [\"CCI-002038\"]\n tag \"nist\": [\"IA-11\", \"Rev_4\"]\n tag \"check\": \"Determine all situations where a user must re-authenticate. 
Check if\nthe mechanisms that handle such situations use the following SQL:\n\nTo make a single user re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user=''\n\nTo make all users re-authenticate, run the following:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'\n\nIf the provided SQL does not force re-authentication, this is a finding.\"\n tag \"fix\": \"Modify and/or configure PostgreSQL and related applications and tools\nso that users are always required to reauthenticate when changing role or escalating\nprivileges.\n\nTo make a single user re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user=''\n\nTo make all users re-authenticate, the following must be present:\n\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73027.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":4.333e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73029","title":"PostgreSQL must enforce authorized access to all PKI private keys\nstored/utilized by PostgreSQL.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates. PKI certificate-based authentication is performed \n by requiring the certificate holder to cryptographically prove \n possession of the corresponding private key.\n\n If the private key is stolen, an attacker can use the private \n key(s) to impersonate the certificate holder. 
In cases where \n PostgreSQL-stored private keys are used to authenticate PostgreSQL \n to the system, clients, loss of the corresponding private keys \n would allow an attacker to successfully perform undetected \n man-in-the-middle attacks against PostgreSQL system and its \n clients.\n\n Both the holder of a digital certificate and the issuing authority \n must take careful measures to protect the corresponding private \n key. Private keys should always be generated and protected in \n FIPS 140-2 validated cryptographic modules.\n\n All access to the private key(s) of PostgreSQL must be restricted \n to authorized and authenticated users. If unauthorized users have \n access to one or more of PostgreSQL's private keys, an attacker \n could gain access to the key(s) and use them to impersonate the \n database on the network or otherwise perform unauthorized actions.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates. PKI certificate-based authentication is performed \n by requiring the certificate holder to cryptographically prove \n possession of the corresponding private key.\n\n If the private key is stolen, an attacker can use the private \n key(s) to impersonate the certificate holder. In cases where \n PostgreSQL-stored private keys are used to authenticate PostgreSQL \n to the system, clients, loss of the corresponding private keys \n would allow an attacker to successfully perform undetected \n man-in-the-middle attacks against PostgreSQL system and its \n clients.\n\n Both the holder of a digital certificate and the issuing authority \n must take careful measures to protect the corresponding private \n key. Private keys should always be generated and protected in \n FIPS 140-2 validated cryptographic modules.\n\n All access to the private key(s) of PostgreSQL must be restricted \n to authorized and authenticated users. 
If unauthorized users have \n access to one or more of PostgreSQL's private keys, an attacker \n could gain access to the key(s) and use them to impersonate the \n database on the network or otherwise perform unauthorized actions."}],"impact":0.7,"refs":[{"ref":[]}],"tags":{"severity":"high","gtitle":"SRG-APP-000176-DB-000068","gid":"V-73029","rid":"SV-87681r1_rule","stig_id":"PGS9-00-010200","cci":["CCI-000186"],"nist":["IA-5 (2) (b)","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nverify the following settings:\n\nNote: If no specific directory given before the name, the files are stored in\nPGDATA.\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl_ca_file\"\n$ psql -c \"SHOW ssl_cert_file\"\n$ psql -c \"SHOW ssl_crl_file\"\n$ psql -c \"SHOW ssl_key_file\"\n\nIf the directory these files are stored in is not protected, this is a finding.","fix":"Store all PostgreSQL PKI private keys in a FIPS 140-2 validated\ncryptographic module. Ensure access to PostgreSQL PKI private keys is restricted to\nonly authenticated and authorized users.\n\nPostgreSQL private key(s) can be stored in $PGDATA directory, which is only\naccessible by the database owner (usually postgres, DBA) user. 
Do not allow access\nto this system account to unauthorized users.\n\nTo put the keys in a different directory, as the database administrator (shown here\nas \"postgres\"), set the following settings to a protected directory:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nssl_ca_file = \"/some/protected/directory/root.crt\"\nssl_crl_file = \"/some/protected/directory/root.crl\"\nssl_cert_file = \"/some/protected/directory/server.crt\"\nssl_key_file = \"/some/protected/directory/server.key\"\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restartpostgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-73029\" do\n title \"PostgreSQL must enforce authorized access to all PKI private keys\nstored/utilized by PostgreSQL.\"\n desc \"The DoD standard for authentication is DoD-approved PKI certificates. PKI\ncertificate-based authentication is performed by requiring the certificate holder to\ncryptographically prove possession of the corresponding private key.\n\nIf the private key is stolen, an attacker can use the private key(s) to impersonate\nthe certificate holder. In cases where PostgreSQL-stored private keys are used to\nauthenticate PostgreSQL to the system’s clients, loss of the corresponding private\nkeys would allow an attacker to successfully perform undetected man-in-the-middle\nattacks against PostgreSQL system and its clients.\n\nBoth the holder of a digital certificate and the issuing authority must take careful\nmeasures to protect the corresponding private key. Private keys should always be\ngenerated and protected in FIPS 140-2 validated cryptographic modules.\n\nAll access to the private key(s) of PostgreSQL must be restricted to authorized and\nauthenticated users. 
If unauthorized users have access to one or more of\nPostgreSQL's private keys, an attacker could gain access to the key(s) and use them\nto impersonate the database on the network or otherwise perform unauthorized\nactions.\"\n impact 0.7\n tag \"severity\": \"high\"\n tag \"gtitle\": \"SRG-APP-000176-DB-000068\"\n tag \"gid\": \"V-73029\"\n tag \"rid\": \"SV-87681r1_rule\"\n tag \"stig_id\": \"PGS9-00-010200\"\n tag \"cci\": [\"CCI-000186\"]\n tag \"nist\": [\"IA-5 (2) (b)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as \\\"postgres\\\"),\nverify the following settings:\n\nNote: If no specific directory given before the name, the files are stored in\nPGDATA.\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW ssl_ca_file\\\"\n$ psql -c \\\"SHOW ssl_cert_file\\\"\n$ psql -c \\\"SHOW ssl_crl_file\\\"\n$ psql -c \\\"SHOW ssl_key_file\\\"\n\nIf the directory these files are stored in is not protected, this is a finding.\"\n tag \"fix\": \"Store all PostgreSQL PKI private keys in a FIPS 140-2 validated\ncryptographic module. Ensure access to PostgreSQL PKI private keys is restricted to\nonly authenticated and authorized users.\n\nPostgreSQL private key(s) can be stored in $PGDATA directory, which is only\naccessible by the database owner (usually postgres, DBA) user. 
Do not allow access\nto this system account to unauthorized users.\n\nTo put the keys in a different directory, as the database administrator (shown here\nas \\\"postgres\\\"), set the following settings to a protected directory:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nssl_ca_file = \\\"/some/protected/directory/root.crt\\\"\nssl_crl_file = \\\"/some/protected/directory/root.crl\\\"\nssl_cert_file = \\\"/some/protected/directory/server.crt\\\"\nssl_key_file = \\\"/some/protected/directory/server.key\\\"\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restartpostgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n settings = %w(ssl_cert_file ssl_key_file ssl_ca_file ssl_crl_file)\n\n settings.each do |setting|\n file_query = sql.query(\"SHOW #{setting};\", [PG_DB])\n file = file_query.output\n\n if file.empty?\n name = ''\n ext = ''\n\n case setting\n when /cert/\n name = 'server'\n ext = 'crt'\n when /key/\n name = 'server'\n ext = 'key'\n when /ca/\n name = 'root'\n ext = 'crt'\n when /crl/\n name = 'root'\n ext = 'crl'\n end\n\n file = \"#{PG_DATA_DIR}/#{name}.#{ext}\"\n elsif File.dirname(file) == '.'\n file = \"#{PG_DATA_DIR}/#{file}\"\n end\n\n describe file(file) do\n it { should be_file }\n end\n\n directory = File.dirname(file)\n\n describe directory(directory) do\n its('owner') { should match /root|#{PG_OWNER}/ }\n its('mode') { should cmp '0700' }\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb"},"results":[{"status":"failed","code_desc":"File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections 
on port 5432?\n should be file","run_time":0.000230738,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n.file?` to return true, got false"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP owner should match /root|postgres/","run_time":0.000239477,"start_time":"2019-04-22T19:23:23+00:00","message":"expected nil to match /root|postgres/"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP mode should cmp == \"0700\"","run_time":0.000257529,"start_time":"2019-04-22T19:23:23+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in 
`should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb:164:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in 
run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"failed","code_desc":"File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n should be file","run_time":0.000211306,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n.file?` to return true, got false"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP owner should match /root|postgres/","run_time":0.000168922,"start_time":"2019-04-22T19:23:23+00:00","message":"expected nil to match /root|postgres/"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP mode should cmp == \"0700\"","run_time":0.000212791,"start_time":"2019-04-22T19:23:23+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in 
`with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb:164:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in 
`run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in 
`dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"failed","code_desc":"File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n should be file","run_time":0.000216837,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n.file?` to return true, got false"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP owner should match /root|postgres/","run_time":0.000185047,"start_time":"2019-04-22T19:23:23+00:00","message":"expected nil to match /root|postgres/"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP mode should cmp == \"0700\"","run_time":0.000255345,"start_time":"2019-04-22T19:23:23+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in 
`with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb:164:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in 
`run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in 
`dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]},{"status":"failed","code_desc":"File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n should be file","run_time":0.000204321,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `File \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n.file?` to return true, got false"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP owner should match /root|postgres/","run_time":0.000186866,"start_time":"2019-04-22T19:23:23+00:00","message":"expected nil to match /root|postgres/"},{"status":"failed","code_desc":"Directory \npsql: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP mode should cmp == \"0700\"","run_time":0.000229075,"start_time":"2019-04-22T19:23:23+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in '","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in 
`with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73029.rb:164:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in 
`run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in 
`dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]}]},{"id":"V-73031","title":"PostgreSQL must only accept end entity certificates issued by \n CMS PKI or CMS-approved PKI Certification Authorities (CAs) for \n the establishment of all encrypted sessions.","desc":"Only CMS-approved external PKIs have been evaluated to ensure \n that they have security controls and identity vetting procedures \n in place which are sufficient for CMS systems to rely on the \n identity asserted in the certificate. PKIs lacking sufficient \n security controls and identity vetting procedures risk being \n compromised and issuing certificates that enable adversaries to \n impersonate legitimate users. \n\n The authoritative list of CMS-approved PKIs is published at \n http://iase.disa.mil/pki-pke/interoperability.\n\n This requirement focuses on communications protection for \n PostgreSQL session rather than for the network packet.","descriptions":[{"label":"default","data":"Only CMS-approved external PKIs have been evaluated to ensure \n that they have security controls and identity vetting procedures \n in place which are sufficient for CMS systems to rely on the \n identity asserted in the certificate. PKIs lacking sufficient \n security controls and identity vetting procedures risk being \n compromised and issuing certificates that enable adversaries to \n impersonate legitimate users. 
\n\n The authoritative list of CMS-approved PKIs is published at \n http://iase.disa.mil/pki-pke/interoperability.\n\n This requirement focuses on communications protection for \n PostgreSQL session rather than for the network packet."},{"label":"fix","data":"Revoke trust in any certificates not issued by a \n CMS-approved certificate authority.\n\n Configure PostgreSQL to accept only CMS and CMS-approved PKI \n end-entity certificates.\n\n To configure PostgreSQL to accept approved CA's, see the \n official PostgreSQL documentation: \n http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\n For more information on configuring PostgreSQL to use SSL, \n see supplementary content APPENDIX-G."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000427-DB-000385","gid":"V-73031","rid":"SV-87683r1_rule","stig_id":"PGS9-00-010300","cci":["CCI-002470"],"nist":["SC-23 (5)","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), verify\nthe following setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl_ca_file\"\n$ psql -c \"SHOW ssl_cert_file\"\n\nIf the database is not configured to used approved certificates, this is a finding.","fix":"Revoke trust in any certificates not issued by a DoD-approved\ncertificate authority.\n\nConfigure PostgreSQL to accept only DoD and DoD-approved PKI end-entity certificates.\n\nTo configure PostgreSQL to accept approved CA's, see the official PostgreSQL\ndocumentation: http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-73031\" do\n title \"PostgreSQL must only accept end entity certificates issued by DoD PKI or\nDoD-approved PKI Certification Authorities (CAs) for the establishment of all\nencrypted sessions.\"\n desc \"Only DoD-approved external PKIs have been evaluated to ensure that they\nhave security controls and identity 
vetting procedures in place which are sufficient\nfor DoD systems to rely on the identity asserted in the certificate. PKIs lacking\nsufficient security controls and identity vetting procedures risk being compromised\nand issuing certificates that enable adversaries to impersonate legitimate users.\n\nThe authoritative list of DoD-approved PKIs is published at\nhttp://iase.disa.mil/pki-pke/interoperability.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000427-DB-000385\"\n tag \"gid\": \"V-73031\"\n tag \"rid\": \"SV-87683r1_rule\"\n tag \"stig_id\": \"PGS9-00-010300\"\n tag \"cci\": [\"CCI-002470\"]\n tag \"nist\": [\"SC-23 (5)\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), verify\nthe following setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW ssl_ca_file\\\"\n$ psql -c \\\"SHOW ssl_cert_file\\\"\n\nIf the database is not configured to used approved certificates, this is a finding.\"\n tag \"fix\": \"Revoke trust in any certificates not issued by a DoD-approved\ncertificate authority.\n\nConfigure PostgreSQL to accept only DoD and DoD-approved PKI end-entity certificates.\n\nTo configure PostgreSQL to accept approved CA's, see the official PostgreSQL\ndocumentation: http://www.postgresql.org/docs/current/static/ssl-tcp.html\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl_ca_file;', [PG_DB]) do\n its('output') { should_not eq '' }\n end\n\n describe sql.query('SHOW ssl_cert_file;', [PG_DB]) do\n its('output') { should_not eq '' }\n 
end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73031.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl_ca_file; output should not eq \"\"","run_time":0.000128237,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl_cert_file; output should not eq \"\"","run_time":9.1e-05,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-73033","title":"PostgreSQL must produce audit records containing sufficient information to\nestablish what type of events occurred.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000095-DB-000039","gid":"V-73033","rid":"SV-87685r1_rule","stig_id":"PGS9-00-010400","cci":["CCI-000130"],"nist":["AU-3","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), verify\nthe current log_line_prefix setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nVerify that the current settings are appropriate for the organization.\n\nThe following is what is possible for logged information:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %h = remote host\n# %p = process ID\n# %t = timestamp without milliseconds\n# %m = timestamp with milliseconds\n# %i = command tag\n# %e = SQL state\n# %c = session ID\n# %l = session line number\n# %s = session start timestamp\n# %v = virtual transaction ID\n# %x = 
transaction ID (0 if none)\n# %q = stop here in non-session\n# processes\n\nIf the audit record does not log events required by the organization, this is a\nfinding.\n\nNext, verify the current settings of log_connections and log_disconnections by\nrunning the following SQL:\n\n$ psql -c \"SHOW log_connections\"\n$ psql -c \"SHOW log_disconnections\"\n\nIf both settings are off, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations must be made to log connections,\ndate/time, username and session identifier.\n\nFirst, edit the postgresql.conf file as a privileged user:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters based on the organization's needs (minimum\nrequirements are as follows):\n\nlog_connections = on\nlog_disconnections = on\nlog_line_prefix = '< %m %u %d %c: >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73033\" do\n title \"PostgreSQL must produce audit records containing sufficient information to\nestablish what type of events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing what type of event occurred, it would be difficult to\nestablish, correlate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit record content that may be necessary to satisfy the requirement of this policy\nincludes, for example, time stamps, user/process identifiers, event descriptions,\nsuccess/fail indications, filenames involved, and access control or flow control\nrules invoked.\n\nAssociating event types with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly what\nactions were performed. This requires specific information regarding the event type\nan audit record is referring to. If event type information is not recorded and\nstored with the audit record, the record itself is of very limited use.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000095-DB-000039\"\n tag \"gid\": \"V-73033\"\n tag \"rid\": \"SV-87685r1_rule\"\n tag \"stig_id\": \"PGS9-00-010400\"\n tag \"cci\": [\"CCI-000130\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), verify\nthe current log_line_prefix setting in postgresql.conf:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nVerify that the current settings are appropriate for the organization.\n\nThe following is what is possible for logged information:\n\n# %a = application name\n# %u = user name\n# %d = database name\n# %r = remote host and port\n# %h = remote host\n# %p = process ID\n# %t = timestamp without milliseconds\n# %m = timestamp with milliseconds\n# %i = command tag\n# %e = SQL state\n# %c = session ID\n# %l = session line 
number\n# %s = session start timestamp\n# %v = virtual transaction ID\n# %x = transaction ID (0 if none)\n# %q = stop here in non-session\n# processes\n\nIf the audit record does not log events required by the organization, this is a\nfinding.\n\nNext, verify the current settings of log_connections and log_disconnections by\nrunning the following SQL:\n\n$ psql -c \\\"SHOW log_connections\\\"\n$ psql -c \\\"SHOW log_disconnections\\\"\n\nIf both settings are off, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nIf logging is enabled the following configurations must be made to log connections,\ndate/time, username and session identifier.\n\nFirst, edit the postgresql.conf file as a privileged user:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nEdit the following parameters based on the organization's needs (minimum\nrequirements are as follows):\n\nlog_connections = on\nlog_disconnections = on\nlog_line_prefix = '< %m %u %d %c: >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should_not match /off|false/i }\n 
end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73033.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.000313779,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.000318479,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000303376,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include 
\"%s\"","run_time":0.000313319,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%s\"\nDiff:\n@@ -1,2 +1,5 @@\n-%s\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_connections; output should not match /off|false/i","run_time":0.000123677,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_disconnections; output should not match /off|false/i","run_time":0.000113185,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-73035","title":"PostgreSQL must implement cryptographic mechanisms preventing the\nunauthorized disclosure of organization-defined information at rest on\norganization-defined information system components.","desc":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.","descriptions":[{"label":"default","data":"PostgreSQLs handling data requiring \"data at rest\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000429-DB-000387","gid":"V-73035","rid":"SV-87687r1_rule","stig_id":"PGS9-00-010500","cci":["CCI-002476"],"nist":["SC-28 (1)","Rev_4"],"check":"To check if pgcrypto is installed on PostgreSQL, as a database\nadministrator (shown here as \"postgres\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf a disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of filesystem and/or disk-level encryption. If this is required\nand is not found, this is a finding.","fix":"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection for\ninformation requiring cryptographic protection against disclosure.\n\nSecure the premises, equipment, and media to provide the required level of physical\nprotection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));"},"code":"control \"V-73035\" do\n title \"PostgreSQL must implement cryptographic mechanisms preventing the\nunauthorized disclosure of organization-defined information at rest on\norganization-defined information system components.\"\n desc \"PostgreSQLs handling data requiring \\\"data at rest\\\" protections must\nemploy cryptographic mechanisms to prevent unauthorized disclosure and modification\nof the information at rest. These cryptographic mechanisms may be native to\nPostgreSQL or implemented via additional software or operating system/file system\nsettings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity\nof organizational information. The strength of the mechanism is commensurate with\nthe security category and/or classification of the information. 
Organizations have\nthe flexibility to either encrypt all information on storage devices (i.e., full\ndisk encryption) or encrypt specific data structures (e.g., files, records, or\nfields).\n\nThe decision whether and what to encrypt rests with the data owner and is also\ninfluenced by the physical measures taken to secure the equipment and media on which\nthe information resides.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000429-DB-000387\"\n tag \"gid\": \"V-73035\"\n tag \"rid\": \"SV-87687r1_rule\"\n tag \"stig_id\": \"PGS9-00-010500\"\n tag \"cci\": [\"CCI-002476\"]\n tag \"nist\": [\"SC-28 (1)\", \"Rev_4\"]\n tag \"check\": \"To check if pgcrypto is installed on PostgreSQL, as a database\nadministrator (shown here as \\\"postgres\\\"), run the following command:\n\n$ sudo su - postgres\n$ psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\n\nIf data in the database requires encryption and pgcrypto is not available, this is a\nfinding.\n\nIf a disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of filesystem and/or disk-level encryption. If this is required\nand is not found, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL, operating system/file system, and additional\nsoftware as relevant, to provide the required level of cryptographic protection for\ninformation requiring cryptographic protection against disclosure.\n\nSecure the premises, equipment, and media to provide the required level of physical\nprotection.\n\nThe pgcrypto module provides cryptographic functions for PostgreSQL. 
See\nsupplementary content APPENDIX-E for documentation on installing pgcrypto.\n\nWith pgcrypto installed, it is possible to insert encrypted data into the database:\n\nINSERT INTO accounts(username, password) VALUES ('bob', crypt('a_secure_password',\ngen_salt('md5')));\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n pgcrypto_sql = \"SELECT * FROM pg_available_extensions where name='pgcrypto'\"\n\n describe sql.query(pgcrypto_sql, [PG_DB]) do\n its('output') { should_not eq '' }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73035.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SELECT * FROM pg_available_extensions where name='pgcrypto' output should not eq \"\"","run_time":0.00011022,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-73037","title":"PostgreSQL must invalidate session identifiers upon user logout or other\nsession termination.","desc":"Captured sessions can be reused in \"replay\" attacks. This requirement\nlimits the ability of adversaries to capture and continue to employ previously valid\nsession IDs.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet. The intent of this control is to establish grounds for\nconfidence at each end of a communications session in the ongoing identity of the\nother party and in the validity of the information being transmitted.\n\nSession IDs are tokens generated by PostgreSQLs to uniquely identify a user's (or\nprocess's) session. DBMSs will make access decisions and execute logic based on the\nsession ID.\n\nUnique session IDs help to reduce predictability of said identifiers. Unique session\nIDs address man-in-the-middle attacks, including session hijacking or insertion of.\ninformation into a session. 
If the attacker is unable to identify or guess the\nsession information related to pending application traffic, they will have more\ndifficulty in hijacking the session or otherwise manipulating valid sessions.\n\nWhen a user logs out, or when any other session termination event occurs, PostgreSQL\nmust terminate the user session(s) to minimize the potential for sessions to be\nhijacked.","descriptions":[{"label":"default","data":"Captured sessions can be reused in \"replay\" attacks. This requirement\nlimits the ability of adversaries to capture and continue to employ previously valid\nsession IDs.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet. The intent of this control is to establish grounds for\nconfidence at each end of a communications session in the ongoing identity of the\nother party and in the validity of the information being transmitted.\n\nSession IDs are tokens generated by PostgreSQLs to uniquely identify a user's (or\nprocess's) session. DBMSs will make access decisions and execute logic based on the\nsession ID.\n\nUnique session IDs help to reduce predictability of said identifiers. Unique session\nIDs address man-in-the-middle attacks, including session hijacking or insertion of.\ninformation into a session. 
If the attacker is unable to identify or guess the\nsession information related to pending application traffic, they will have more\ndifficulty in hijacking the session or otherwise manipulating valid sessions.\n\nWhen a user logs out, or when any other session termination event occurs, PostgreSQL\nmust terminate the user session(s) to minimize the potential for sessions to be\nhijacked."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000220-DB-000149","gid":"V-73037","rid":"SV-87689r1_rule","stig_id":"PGS9-00-010600","cci":["CCI-001184"],"nist":["SC-23","Rev_4"],"check":"As the database administrator (shown here as \"postgres\"), run the\nfollowing SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW tcp_keepalives_idle\"\n$ psql -c \"SHOW tcp_keepalives_interval\"\n$ psql -c \"SHOW tcp_keepalives_count\"\n$ psql -c \"SHOW statement_timeout\"\n\nIf these settings are not set, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nAs the database administrator (shown here as \"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi $PGDATA/postgresql.conf\n\nSet the following parameters to organizational requirements:\n\nstatement_timeout = 10000 #milliseconds\ntcp_keepalives_idle = 10 # seconds\ntcp_keepalives_interval = 10 # seconds\ntcp_keepalives_count = 10\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart"},"code":"control \"V-73037\" do\n title \"PostgreSQL must invalidate session identifiers upon user logout or other\nsession termination.\"\n desc \"Captured sessions can be reused in \\\"replay\\\" attacks. 
This requirement\nlimits the ability of adversaries to capture and continue to employ previously valid\nsession IDs.\n\nThis requirement focuses on communications protection for PostgreSQL session rather\nthan for the network packet. The intent of this control is to establish grounds for\nconfidence at each end of a communications session in the ongoing identity of the\nother party and in the validity of the information being transmitted.\n\nSession IDs are tokens generated by PostgreSQLs to uniquely identify a user's (or\nprocess's) session. DBMSs will make access decisions and execute logic based on the\nsession ID.\n\nUnique session IDs help to reduce predictability of said identifiers. Unique session\nIDs address man-in-the-middle attacks, including session hijacking or insertion of.\ninformation into a session. If the attacker is unable to identify or guess the\nsession information related to pending application traffic, they will have more\ndifficulty in hijacking the session or otherwise manipulating valid sessions.\n\nWhen a user logs out, or when any other session termination event occurs, PostgreSQL\nmust terminate the user session(s) to minimize the potential for sessions to be\nhijacked.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000220-DB-000149\"\n tag \"gid\": \"V-73037\"\n tag \"rid\": \"SV-87689r1_rule\"\n tag \"stig_id\": \"PGS9-00-010600\"\n tag \"cci\": [\"CCI-001185\"]\n tag \"nist\": [\"SC-23 (1)\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (shown here as \\\"postgres\\\"), run the\nfollowing SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW tcp_keepalives_idle\\\"\n$ psql -c \\\"SHOW tcp_keepalives_interval\\\"\n$ psql -c \\\"SHOW tcp_keepalives_count\\\"\n$ psql -c \\\"SHOW statement_timeout\\\"\n\nIf these settings are not set, this is a finding.\"\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on 
configuring PGDATA.\n\nAs the database administrator (shown here as \\\"postgres\\\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi $PGDATA/postgresql.conf\n\nSet the following parameters to organizational requirements:\n\nstatement_timeout = 10000 #milliseconds\ntcp_keepalives_idle = 10 # seconds\ntcp_keepalives_interval = 10 # seconds\ntcp_keepalives_count = 10\n\nNow, as the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 restart\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW tcp_keepalives_idle;', [PG_DB]) do\n its('output') { should_not cmp 0 }\n end\n\n describe sql.query('SHOW tcp_keepalives_interval;', [PG_DB]) do\n its('output') { should_not cmp 0 }\n end\n\n describe sql.query('SHOW tcp_keepalives_count;', [PG_DB]) do\n its('output') { should_not cmp 0 }\n end\n\n describe sql.query('SHOW statement_timeout;', [PG_DB]) do\n its('output') { should_not cmp 0 }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73037.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW tcp_keepalives_idle; output should not cmp == 0","run_time":0.000167568,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW tcp_keepalives_interval; output should not cmp == 0","run_time":0.000151241,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW tcp_keepalives_count; output should not cmp == 0","run_time":0.000160803,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW statement_timeout; output should not cmp == 0","run_time":0.000177751,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-73041","title":"PostgreSQL must 
produce audit records containing time stamps to establish\nwhen the events occurred.","desc":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\nanalysis. Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. 
This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000096-DB-000040","gid":"V-73041","rid":"SV-87693r1_rule","stig_id":"PGS9-00-011100","cci":["CCI-000131"],"nist":["AU-3","Rev_4"],"check":"As the database administrator (usually postgres, run the following\nSQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_line_prefix\"\n\nIf the query result does not contain \"%m\", this is a finding.","fix":"Logging must be enabled in order to capture timestamps. To ensure that\nlogging is enabled, review supplementary content APPENDIX-C for instructions on\nenabling logging.\n\nIf logging is enabled the following configurations must be made to log events with\ntimestamps:\n\nFirst, as the database administrator (shown here as \"postgres\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd %m to log_line_prefix to enable timestamps with milliseconds:\n\nlog_line_prefix = '< %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73041\" do\n title \"PostgreSQL must produce audit records containing time stamps to establish\nwhen the events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\nanalysis. 
Without establishing when events occurred, it is impossible to establish,\ncorrelate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is\nessential for security personnel to know the date and time when events occurred.\n\nAssociating the date and time with detected events in the application and audit logs\nprovides a means of investigating an attack; recognizing resource utilization or\ncapacity thresholds; or identifying an improperly configured application.\n\nDatabase software is capable of a range of actions on data stored within the\ndatabase. It is important, for accurate forensic analysis, to know exactly when\nspecific actions were performed. This requires the date and time an audit record is\nreferring to. If date and time information is not recorded and stored with the audit\nrecord, the record itself is of very limited use.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000096-DB-000040\"\n tag \"gid\": \"V-73041\"\n tag \"rid\": \"SV-87693r1_rule\"\n tag \"stig_id\": \"PGS9-00-011100\"\n tag \"cci\": [\"CCI-000131\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n tag \"check\": \"As the database administrator (usually postgres, run the following\nSQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_line_prefix\\\"\n\nIf the query result does not contain \\\"%m\\\", this is a finding.\"\n tag \"fix\": \"Logging must be enabled in order to capture timestamps. 
To ensure that\nlogging is enabled, review supplementary content APPENDIX-C for instructions on\nenabling logging.\n\nIf logging is enabled the following configurations must be made to log events with\ntimestamps:\n\nFirst, as the database administrator (shown here as \\\"postgres\\\"), edit\npostgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd %m to log_line_prefix to enable timestamps with milliseconds:\n\nlog_line_prefix = '< %m >'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = ['%m']\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73041.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.000358467,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73045","title":"PostgreSQL must off-load audit data to a separate log management facility;\nthis must be continuous and in near real time for systems with a network connection\nto the storage facility and weekly or more often for stand-alone systems.","desc":"Information stored in one location is vulnerable to accidental 
or\nincidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage\ncapacity.\n\nPostgreSQL may write audit records to database tables, to files in the file system,\nto other kinds of local repository, or directly to a centralized log management\nsystem. Whatever the method used, it must be compatible with off-loading the records\nto the centralized system.","descriptions":[{"label":"default","data":"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage\ncapacity.\n\nPostgreSQL may write audit records to database tables, to files in the file system,\nto other kinds of local repository, or directly to a centralized log management\nsystem. Whatever the method used, it must be compatible with off-loading the records\nto the centralized system."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000515-DB-000318","gid":"V-73045","rid":"SV-87697r1_rule","stig_id":"PGS9-00-011300","cci":["CCI-001848"],"nist":["AU-4","Rev_4"],"check":"First, as the database administrator (shown here as \"postgres\"),\nensure PostgreSQL uses syslog by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW log_destination\"\n\nIf log_destination is not syslog, this is a finding.\n\nNext, as the database administrator, check which log facility is configured by\nrunning the following SQL:\n\n$ psql -c \"SHOW syslog_facility\"\n\nCheck with the organization to see how syslog facilities are defined in their\norganization.\n\nIf the wrong facility is configured, this is a finding.\n\nIf PostgreSQL does not have a continuous network connection to the centralized log\nmanagement system, and PostgreSQL audit records are not transferred to the\ncentralized log management system weekly or more often, this is a finding.","fix":"Note: The following instructions use the 
PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL or deploy and configure software tools to transfer audit\nrecords to a centralized log management system, continuously and in near-real time\nwhere a continuous network connection to the log management system exists, or at\nleast weekly in the absence of such a connection.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \"postgres\"),\nconfigure the follow parameters in postgresql.conf (the example uses the default\nvalues - tailor for environment):\n\nNote: Consult the organization on how syslog facilities are defined in the syslog\ndaemon configuration.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_destination = 'syslog'\nsyslog_facility = 'LOCAL0'\nsyslog_ident = 'postgres'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload"},"code":"control \"V-73045\" do\n title \"PostgreSQL must off-load audit data to a separate log management facility;\nthis must be continuous and in near real time for systems with a network connection\nto the storage facility and weekly or more often for stand-alone systems.\"\n desc \"Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage\ncapacity.\n\nPostgreSQL may write audit records to database tables, to files in the file system,\nto other kinds of local repository, or directly to a centralized log management\nsystem. 
Whatever the method used, it must be compatible with off-loading the records\nto the centralized system.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000515-DB-000318\"\n tag \"gid\": \"V-73045\"\n tag \"rid\": \"SV-87697r1_rule\"\n tag \"stig_id\": \"PGS9-00-011300\"\n tag \"cci\": [\"CCI-001851\"]\n tag \"nist\": [\"AU-4 (1)\", \"Rev_4\"]\n tag \"check\": \"First, as the database administrator (shown here as \\\"postgres\\\"),\nensure PostgreSQL uses syslog by running the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW log_destination\\\"\n\nIf log_destination is not syslog, this is a finding.\n\nNext, as the database administrator, check which log facility is configured by\nrunning the following SQL:\n\n$ psql -c \\\"SHOW syslog_facility\\\"\n\nCheck with the organization to see how syslog facilities are defined in their\norganization.\n\nIf the wrong facility is configured, this is a finding.\n\nIf PostgreSQL does not have a continuous network connection to the centralized log\nmanagement system, and PostgreSQL audit records are not transferred to the\ncentralized log management system weekly or more often, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL or deploy and configure software tools to transfer audit\nrecords to a centralized log management system, continuously and in near-real time\nwhere a continuous network connection to the log management system exists, or at\nleast weekly in the absence of such a connection.\n\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\n\nWith logging enabled, as the database administrator (shown here as \\\"postgres\\\"),\nconfigure the follow parameters in postgresql.conf (the example uses the default\nvalues - tailor for environment):\n\nNote: Consult the 
organization on how syslog facilities are defined in the syslog\ndaemon configuration.\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\nlog_destination = 'syslog'\nsyslog_facility = 'LOCAL0'\nsyslog_ident = 'postgres'\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73045.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":6.139e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73047","title":"PostgreSQL must maintain the authenticity of communications sessions by\nguarding against man-in-the-middle attacks that guess at Session ID values.","desc":"One class of man-in-the-middle, or session hijacking, attack involves the\nadversary guessing at valid session identifiers based on patterns in identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number generator.\n\nHowever, it is recognized that available PostgreSQL products do not all implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective.","descriptions":[{"label":"default","data":"One class of man-in-the-middle, or session hijacking, attack involves the\nadversary guessing at valid session identifiers based on patterns in identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number 
generator.\n\nHowever, it is recognized that available PostgreSQL products do not all implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000224-DB-000384","gid":"V-73047","rid":"SV-87699r1_rule","stig_id":"PGS9-00-011400","cci":["CCI-001188"],"nist":["SC-23 (3)","Rev_4"],"check":"To check if PostgreSQL is configured to use ssl, as the database\nadministrator (shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW ssl\"\n\nIf this is not set to `on`, this is a finding.","fix":"To configure PostgreSQL to use SSL, as a database owner (shown here as\n\"postgres\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nFor further SSL configurations, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/ssl-tcp.html"},"code":"control \"V-73047\" do\n title \"PostgreSQL must maintain the authenticity of communications sessions by\nguarding against man-in-the-middle attacks that guess at Session ID values.\"\n desc \"One class of man-in-the-middle, or session hijacking, attack involves the\nadversary guessing at valid session identifiers based on patterns in identifiers\nalready known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of\nunique session identifiers using a FIPS 140-2 approved random number generator.\n\nHowever, it is recognized that available PostgreSQL products do not all 
implement\nthe preferred technique yet may have other protections against session hijacking.\nTherefore, other techniques are acceptable, provided they are demonstrated to be\neffective.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000224-DB-000384\"\n tag \"gid\": \"V-73047\"\n tag \"rid\": \"SV-87699r1_rule\"\n tag \"stig_id\": \"PGS9-00-011400\"\n tag \"cci\": [\"CCI-001188\"]\n tag \"nist\": [\"SC-23 (3)\", \"Rev_4\"]\n tag \"check\": \"To check if PostgreSQL is configured to use ssl, as the database\nadministrator (shown here as \\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"SHOW ssl\\\"\n\nIf this is not set to `on`, this is a finding.\"\n\n tag \"fix\": \"To configure PostgreSQL to use SSL, as a database owner (shown here as\n\\\"postgres\\\"), edit postgresql.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\n\nAdd the following parameter:\n\nssl = on\n\nNow, as the system administrator, reload the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl reload postgresql-9.5\n\n# INITD SERVER ONLY\n$ sudo service postgresql-9.5 reload\n\nFor more information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\n\nFor further SSL configurations, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/ssl-tcp.html\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW ssl;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73047.rb"},"results":[{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW ssl; output should match /on|true/i","run_time":0.000102318,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-73049","title":"PostgreSQL must uniquely identify and authenticate organizational users (or\nprocesses acting on behalf of 
organizational users).","desc":"To assure accountability and prevent unauthenticated access, organizational\nusers must be identified and authenticated to prevent potential misuse and\ncompromise of the system.\n\nOrganizational users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nOrganizational users (and any processes acting on behalf of users) must be uniquely\nidentified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations\ndocument specific user actions that can be performed on the information system\nwithout identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without\nindividual authentication. Organizations may require unique identification of\nindividuals using shared accounts, for detailed accountability of individual\nactivity.","descriptions":[{"label":"default","data":"To assure accountability and prevent unauthenticated access, organizational\nusers must be identified and authenticated to prevent potential misuse and\ncompromise of the system.\n\nOrganizational users include organizational employees or individuals the\norganization deems to have equivalent status of employees (e.g., contractors).\nOrganizational users (and any processes acting on behalf of users) must be uniquely\nidentified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations\ndocument specific user actions that can be performed on the information system\nwithout identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without\nindividual authentication. 
Organizations may require unique identification of\nindividuals using shared accounts, for detailed accountability of individual\nactivity."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000148-DB-000103","gid":"V-73049","rid":"SV-87701r1_rule","stig_id":"PGS9-00-011500","cci":["CCI-000764"],"nist":["IA-2","Rev_4"],"check":"Review PostgreSQL settings to determine whether organizational users\nare uniquely identified and authenticated when logging on/connecting to the system.\n\nTo list all roles in the database, as the database administrator (shown here as\n\"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \"\\du\"\n\nIf organizational users are not uniquely identified and authenticated, this is a\nfinding.\n\nNext, as the database administrator (shown here as \"postgres\"), verify the current\npg_hba.conf authentication settings:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_hba.conf\n\nIf every role does not have unique authentication requirements, this is a finding.\n\nIf accounts are determined to be shared, determine if individuals are first\nindividually authenticated. 
If individuals are not individually authenticated before\nusing the shared account, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL settings to uniquely identify and authenticate all\norganizational users who log on/connect to the system.\n\nTo create roles, use the following SQL:\n\nCREATE ROLE [OPTIONS]\n\nFor more information on CREATE ROLE, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-createrole.html\n\nFor each role created, the database administrator can specify database\nauthentication by editing pg_hba.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/pg_hba.conf\n\nAn example pg_hba entry looks like this:\n\n# TYPE DATABASE USER ADDRESS METHOD\nhost test_db bob 192.168.0.0/16 md5\n\nFor more information on pg_hba.conf, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html"},"code":"control \"V-73049\" do\n title \"PostgreSQL must uniquely identify and authenticate organizational users (or\nprocesses acting on behalf of organizational users).\"\n desc \"To assure accountability and prevent unauthenticated access, organizational\nusers must be identified and authenticated to prevent potential misuse and\ncompromise of the system.\n\nOrganizational users include organizational employees or individuals the\norganization deems to have cmpuivalent status of employees (e.g., contractors).\nOrganizational users (and any processes acting on behalf of users) must be uniquely\nidentified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. 
Organizations\ndocument specific user actions that can be performed on the information system\nwithout identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without\nindividual authentication. Organizations may rcmpuire unique identification of\nindividuals using shared accounts, for detailed accountability of individual\nactivity.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000148-DB-000103\"\n tag \"gid\": \"V-73049\"\n tag \"rid\": \"SV-87701r1_rule\"\n tag \"stig_id\": \"PGS9-00-011500\"\n tag \"cci\": [\"CCI-000764\"]\n tag \"nist\": [\"IA-2\", \"Rev_4\"]\n tag \"check\": \"Review PostgreSQL settings to determine whether organizational users\nare uniquely identified and authenticated when logging on/connecting to the system.\n\nTo list all roles in the database, as the database administrator (shown here as\n\\\"postgres\\\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -c \\\"\\\\du\\\"\n\nIf organizational users are not uniquely identified and authenticated, this is a\nfinding.\n\nNext, as the database administrator (shown here as \\\"postgres\\\"), verify the current\npg_hba.conf authentication settings:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_hba.conf\n\nIf every role does not have unique authentication rcmpuirements, this is a finding.\n\nIf accounts are determined to be shared, determine if individuals are first\nindividually authenticated. 
If individuals are not individually authenticated before\nusing the shared account, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\nSee supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\nConfigure PostgreSQL settings to uniquely identify and authenticate all\norganizational users who log on/connect to the system.\n\nTo create roles, use the following SQL:\n\nCREATE ROLE [OPTIONS]\n\nFor more information on CREATE ROLE, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/sql-createrole.html\n\nFor each role created, the database administrator can specify database\nauthentication by editing pg_hba.conf:\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/pg_hba.conf\n\nAn example pg_hba entry looks like this:\n\n# TYPE DATABASE USER ADDRESS METHOD\nhost test_db bob 192.168.0.0/16 md5\n\nFor more information on pg_hba.conf, see the official documentation:\nhttps://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n authorized_roles = PG_USERS\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n\n describe sql.query(roles_sql, [PG_DB]) do\n its('lines.sort') { should cmp authorized_roles.sort }\n end\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'local' } do\n its('user.uniq') { should cmp PG_OWNER }\n its('auth_method.uniq') { should_not include 'trust'}\n end\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { database == 'replication' } do\n its('type.uniq') { should cmp 'host' }\n its('address.uniq.sort') { should cmp PG_REPLICAS.sort }\n its('user.uniq') { should cmp 'replication' }\n its('auth_method.uniq') { should cmp 'md5' }\n end\n\n describe postgres_hba_conf(PG_HBA_CONF_FILE).where { type == 'host' } do\n its('auth_method.uniq') { should cmp 'md5'}\n 
end\nend\n","source_location":{"line":68,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73049.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SELECT r.rolname FROM pg_catalog.pg_roles r; lines.sort ","run_time":7.8646e-05,"start_time":"2019-04-22T19:23:23+00:00","message":"undefined method `sort' for \"postgres\":String","exception":"NoMethodError","backtrace":["cms-ars-3.1-moderate-crunchy-data-postgresql-9-stig-overlay-master/controls/overlay.rb:403:in `block (4 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in 
run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in `run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in 
`run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]}]},{"id":"V-73051","title":"PostgreSQL must automatically terminate a user session after\norganization-defined conditions or trigger events requiring session disconnect.","desc":"This addresses the termination of user-initiated logical sessions in\ncontrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on\nbehalf of a user) accesses an organizational information system. Such user sessions\ncan be terminated (and thus terminate user access) without terminating network\nsessions.\n\nSession termination ends all processes associated with a user's logical session\nexcept those batch processes/jobs that are specifically created by the user (i.e.,\nsession owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include,\nfor example, organization-defined periods of user inactivity, targeted responses to\ncertain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner,\ndata owner, or organization requires additional assurance.","descriptions":[{"label":"default","data":"This addresses the termination of user-initiated logical sessions in\ncontrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on\nbehalf of a user) accesses an organizational information system. 
Such user sessions\ncan be terminated (and thus terminate user access) without terminating network\nsessions.\n\nSession termination ends all processes associated with a user's logical session\nexcept those batch processes/jobs that are specifically created by the user (i.e.,\nsession owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include,\nfor example, organization-defined periods of user inactivity, targeted responses to\ncertain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner,\ndata owner, or organization requires additional assurance."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000295-DB-000305","gid":"V-73051","rid":"SV-87703r1_rule","stig_id":"PGS9-00-011600","cci":["CCI-002361"],"nist":["AC-12","Rev_4"],"check":"Review system documentation to obtain the organization's definition\nof circumstances requiring automatic session termination. If the documentation\nexplicitly states that such termination is not required or is prohibited, this is\nnot a finding.\n\nIf the documentation requires automatic session termination, but PostgreSQL is not\nconfigured accordingly, this is a finding.","fix":"Configure PostgreSQL to automatically terminate a user session after\norganization-defined conditions or trigger events requiring session termination.\n\nExamples follow.\n\n### Change a role to nologin and disconnect the user\n\nALTER ROLE '' NOLOGIN;\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE username='';\n\n### Disconnecting users during a specific time range\nSee supplementary content APPENDIX-A for a bash script for this example.\n\nThe script found in APPENDIX-A using the -l command can disable all users with\nrolcanlogin=t from logging in. The script keeps track of who it disables in a\n.restore_login file. 
After the specified time is over, the same script can be run\nwith the -r command to restore all login connections.\n\nThis script would be added to a cron job:\n\n# lock at 5 am every day of the week, month, year at the 0 minute mark.\n0 5 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -l\n# restore at 5 pm every day of the week, month, year at the 0 minute mark.\n0 17 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -r"},"code":"control \"V-73051\" do\n title \"PostgreSQL must automatically terminate a user session after\norganization-defined conditions or trigger events requiring session disconnect.\"\n desc \"This addresses the termination of user-initiated logical sessions in\ncontrast to the termination of network connections that are associated with\ncommunications sessions (i.e., network disconnect). A logical session (for local,\nnetwork, and remote access) is initiated whenever a user (or process acting on\nbehalf of a user) accesses an organizational information system. 
Such user sessions\ncan be terminated (and thus terminate user access) without terminating network\nsessions.\n\nSession termination ends all processes associated with a user's logical session\nexcept those batch processes/jobs that are specifically created by the user (i.e.,\nsession owner) to continue after the session is terminated.\n\nConditions or trigger events requiring automatic session termination can include,\nfor example, organization-defined periods of user inactivity, targeted responses to\ncertain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner,\ndata owner, or organization requires additional assurance.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000295-DB-000305\"\n tag \"gid\": \"V-73051\"\n tag \"rid\": \"SV-87703r1_rule\"\n tag \"stig_id\": \"PGS9-00-011600\"\n tag \"cci\": [\"CCI-002361\"]\n tag \"nist\": [\"AC-12\", \"Rev_4\"]\n tag \"check\": \"Review system documentation to obtain the organization's definition\nof circumstances requiring automatic session termination. If the documentation\nexplicitly states that such termination is not required or is prohibited, this is\nnot a finding.\n\nIf the documentation requires automatic session termination, but PostgreSQL is not\nconfigured accordingly, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to automatically terminate a user session after\norganization-defined conditions or trigger events requiring session termination.\n\nExamples follow.\n\n### Change a role to nologin and disconnect the user\n\nALTER ROLE '' NOLOGIN;\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE username='';\n\n### Disconnecting users during a specific time range\nSee supplementary content APPENDIX-A for a bash script for this example.\n\nThe script found in APPENDIX-A using the -l command can disable all users with\nrolcanlogin=t from logging in. 
The script keeps track of who it disables in a\n.restore_login file. After the specified time is over, the same script can be run\nwith the -r command to restore all login connections.\n\nThis script would be added to a cron job:\n\n# lock at 5 am every day of the week, month, year at the 0 minute mark.\n0 5 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -l\n# restore at 5 pm every day of the week, month, year at the 0 minute mark.\n0 17 * * * postgres /var/lib/pgsql/no_login.sh -d postgres -r\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73051.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":6.567e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73055","title":"PostgreSQL must map the PKI-authenticated identity to an associated user\naccount.","desc":"The CMS standard for authentication is CMS-approved PKI \n certificates. Once a PKI certificate has been validated, it \n must be mapped to PostgreSQL user account for the authenticated \n identity to be meaningful to PostgreSQL and useful for \n authorization decisions.","descriptions":[{"label":"default","data":"The CMS standard for authentication is CMS-approved PKI \n certificates. 
Once a PKI certificate has been validated, it \n must be mapped to PostgreSQL user account for the authenticated \n identity to be meaningful to PostgreSQL and useful for \n authorization decisions."}],"impact":0.5,"refs":[{"ref":[]}],"tags":{"severity":"medium","gtitle":"SRG-APP-000177-DB-000069","gid":"V-73055","rid":"SV-87707r1_rule","stig_id":"PGS9-00-011800","cci":["CCI-000187"],"nist":["IA-5 (2) (c)","Rev_4"],"check":"The cn (Common Name) attribute of the certificate will be compared\nto the requested database user name, and if they match the login will be allowed.\n\nTo check the cn of the certificate, using openssl, do the following:\n\n$ openssl x509 -noout -subject -in client_cert\n\nIf the cn does not match the users listed in PostgreSQL and no user mapping is used,\nthis is a finding.\n\nUser name mapping can be used to allow cn to be different from the database user\nname. If User Name Maps are used, run the following as the database administrator\n(shown here as \"postgres\"), to get a list of maps used for authentication:\n\n$ sudo su - postgres\n$ grep \"map\" ${PGDATA?}/pg_hba.conf\n\nWith the names of the maps used, check those maps against the user name mappings in\npg_ident.conf:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_ident.conf\n\nIf user accounts are not being mapped to authenticated identities, this is a finding.\n\nIf the cn and the username mapping do not match, this is a finding.","fix":"Configure PostgreSQL to map authenticated identities directly to\nPostgreSQL user accounts.\n\nFor information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G."},"code":"control \"V-73055\" do\n title \"PostgreSQL must map the PKI-authenticated identity to an associated user\naccount.\"\n desc \"The DoD standard for authentication is DoD-approved PKI certificates. 
Once\na PKI certificate has been validated, it must be mapped to PostgreSQL user account\nfor the authenticated identity to be meaningful to PostgreSQL and useful for\nauthorization decisions.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000177-DB-000069\"\n tag \"gid\": \"V-73055\"\n tag \"rid\": \"SV-87707r1_rule\"\n tag \"stig_id\": \"PGS9-00-011800\"\n tag \"cci\": [\"CCI-000187\"]\n tag \"nist\": [\"IA-5 (2) (c)\", \"Rev_4\"]\n tag \"check\": \"The cn (Common Name) attribute of the certificate will be compared\nto the requested database user name, and if they match the login will be allowed.\n\nTo check the cn of the certificate, using openssl, do the following:\n\n$ openssl x509 -noout -subject -in client_cert\n\nIf the cn does not match the users listed in PostgreSQL and no user mapping is used,\nthis is a finding.\n\nUser name mapping can be used to allow cn to be different from the database user\nname. If User Name Maps are used, run the following as the database administrator\n(shown here as \\\"postgres\\\"), to get a list of maps used for authentication:\n\n$ sudo su - postgres\n$ grep \\\"map\\\" ${PGDATA?}/pg_hba.conf\n\nWith the names of the maps used, check those maps against the user name mappings in\npg_ident.conf:\n\n$ sudo su - postgres\n$ cat ${PGDATA?}/pg_ident.conf\n\nIf user accounts are not being mapped to authenticated identities, this is a finding.\n\nIf the cn and the username mapping do not match, this is a finding.\"\n tag \"fix\": \"Configure PostgreSQL to map authenticated identities directly to\nPostgreSQL user accounts.\n\nFor information on configuring PostgreSQL to use SSL, see supplementary content\nAPPENDIX-G.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73055.rb"},"results":[{"status":"skipped","code_desc":"Operating System 
Detection","run_time":1.7185e-05,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73057","title":"Database contents must be protected from unauthorized and unintended\ninformation transfer by enforcement of a data-transfer policy.","desc":"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls.","descriptions":[{"label":"default","data":"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. 
It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000243-DB-000128","gid":"V-73057","rid":"SV-87709r1_rule","stig_id":"PGS9-00-011900","cci":["CCI-001090"],"nist":["SC-4","Rev_4"],"check":"Review the procedures for the refreshing of development/test data\nfrom production.\n\nReview any scripts or code that exists for the movement of production data to\ndevelopment/test systems, or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations.\n\nIf the code that exists for data movement does not comply with the\norganization-defined data transfer policy and/or fails to remove any copies of\nproduction data from unprotected locations, this is a finding.","fix":"Modify any code used for moving data from production to\ndevelopment/test systems to comply with the organization-defined data transfer\npolicy, and to ensure copies of production data are not left in unsecured locations."},"code":"control \"V-73057\" do\n title \"Database contents must be protected from unauthorized and unintended\ninformation transfer by enforcement of a data-transfer policy.\"\n desc \"Applications, including PostgreSQLs, must prevent unauthorized and\nunintended information transfer via shared system resources.\n\nData used for the development and testing of applications often involves copying\ndata from production. 
It is important that specific procedures exist for this\nprocess, to include the conditions under which such transfer may take place, where\nthe copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location\nwithout the proper controls.\"\n impact 0.5\n tag \"severity\": \"medium\"\n tag \"gtitle\": \"SRG-APP-000243-DB-000128\"\n tag \"gid\": \"V-73057\"\n tag \"rid\": \"SV-87709r1_rule\"\n tag \"stig_id\": \"PGS9-00-011900\"\n tag \"cci\": [\"CCI-001090\"]\n tag \"nist\": [\"SC-4\", \"Rev_4\"]\n tag \"check\": \"Review the procedures for the refreshing of development/test data\nfrom production.\n\nReview any scripts or code that exists for the movement of production data to\ndevelopment/test systems, or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations.\n\nIf the code that exists for data movement does not comply with the\norganization-defined data transfer policy and/or fails to remove any copies of\nproduction data from unprotected locations, this is a finding.\"\n\n tag \"fix\": \"Modify any code used for moving data from production to\ndevelopment/test systems to comply with the organization-defined data transfer\npolicy, and to ensure copies of production data are not left in unsecured locations.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73057.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":5.255e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73061","title":"PostgreSQL must protect its audit configuration from unauthorized\n modification.","desc":"Protecting audit data also includes identifying and protecting the tools\n used to view 
and manipulate log data. Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order to make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators.","descriptions":[{"label":"default","data":"Protecting audit data also includes identifying and protecting the tools\n used to view and manipulate log data. Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order to make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000122-DB-000203","gid":"V-73061","rid":"SV-87713r1_rule","stig_id":"PGS9-00-012200","cci":["CCI-001494"],"nist":["AU-9","Rev_4"],"check":"All configurations for auditing and logging can be found in the\n postgresql.conf configuration file. 
By default, this file is owned by the\n database administrator account.\n\n To check that the permissions of the postgresql.conf are owned by the database\n administrator with permissions of 0600, run the following as the database\n administrator (shown here as \"postgres\"):\n\n $ sudo su - postgres\n $ ls -la ${PGDATA?}\n\n If postgresql.conf is not owned by the database administrator or does not\n have 0600 permissions, this is a finding.\n\n #### stderr Logging\n\n To check that logs are created with 0600 permissions, check the\n postgresql.conf file for the following setting:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_file_mode\"\n\n If permissions are not 0600, this is a finding.\n\n #### syslog Logging\n\n If PostgreSQL is configured to use syslog, verify that the logs are owned\n by root and have 0600 permissions. If they are not, this is a finding.","fix":"Apply or modify access controls and permissions (both within PostgreSQL\n and in the file system/operating system) to tools used to view or modify\n audit log data. Tools must be configurable by authorized personnel only.\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_file_mode = 0600\n\n Next, as the database administrator (shown here as \"postgres\"), change\n the ownership and permissions of configuration files in PGDATA:\n\n $ sudo su - postgres\n $ chown postgres:postgres ${PGDATA?}/*.conf\n $ chmod 0600 ${PGDATA?}/*.conf"},"code":"control \"V-73061\" do\n title \"PostgreSQL must protect its audit configuration from unauthorized\n modification.\"\n desc \"Protecting audit data also includes identifying and protecting the tools\n used to view and manipulate log data. 
Therefore, protecting audit tools\n is necessary to prevent unauthorized operation on audit data.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and\n the corresponding rights the user enjoys in order to make access decisions\n regarding the modification of audit tools.\n\n Audit tools include, but are not limited to, vendor-provided and open source\n audit tools needed to successfully view and manipulate audit information\n system activity and records. Audit tools include custom queries and\n report generators.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000122-DB-000203\"\n tag \"gid\": \"V-73061\"\n tag \"rid\": \"SV-87713r1_rule\"\n tag \"stig_id\": \"PGS9-00-012200\"\n tag \"cci\": [\"CCI-001494\"]\n tag \"nist\": [\"AU-9\", \"Rev_4\"]\n\n tag \"check\": \"All configurations for auditing and logging can be found in the\n postgresql.conf configuration file. By default, this file is owned by the\n database administrator account.\n\n To check that the permissions of the postgresql.conf are owned by the database\n administrator with permissions of 0600, run the following as the database\n administrator (shown here as \\\"postgres\\\"):\n\n $ sudo su - postgres\n $ ls -la ${PGDATA?}\n\n If postgresql.conf is not owned by the database administrator or does not\n have 0600 permissions, this is a finding.\n\n #### stderr Logging\n\n To check that logs are created with 0600 permissions, check the\n postgresql.conf file for the following setting:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_file_mode\\\"\n\n If permissions are not 0600, this is a finding.\n\n #### syslog Logging\n\n If PostgreSQL is configured to use syslog, verify that the logs are owned\n by root and have 0600 permissions. 
If they are not, this is a finding.\"\n\n tag \"fix\": \"Apply or modify access controls and permissions (both within PostgreSQL\n and in the file system/operating system) to tools used to view or modify\n audit log data. Tools must be configurable by authorized personnel only.\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n log_file_mode = 0600\n\n Next, as the database administrator (shown here as \\\"postgres\\\"), change\n the ownership and permissions of configuration files in PGDATA:\n\n $ sudo su - postgres\n $ chown postgres:postgres ${PGDATA?}/*.conf\n $ chmod 0600 ${PGDATA?}/*.conf\"\n\n describe file(PG_CONF_FILE) do\n it { should be_file }\n its('mode') { should cmp '0600' }\n end\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_destination_query = sql.query('SHOW log_destination;', [PG_DB])\n log_destination = log_destination_query.output\n\n if log_destination =~ /stderr/i\n describe sql.query('SHOW log_file_mode;', [PG_DB]) do\n its('output') { should cmp '0600' }\n end\n end\nend\n","source_location":{"line":52,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73061.rb"},"results":[{"status":"failed","code_desc":"File /var/lib/pgsql/9.5/data/postgresql.conf should be file","run_time":0.000237994,"start_time":"2019-04-22T19:23:23+00:00","message":"expected `File /var/lib/pgsql/9.5/data/postgresql.conf.file?` to return true, got false"},{"status":"failed","code_desc":"File /var/lib/pgsql/9.5/data/postgresql.conf mode should cmp == \"0600\"","run_time":0.000241626,"start_time":"2019-04-22T19:23:23+00:00","message":"wrong number of arguments (given 1, expected 0)","exception":"ArgumentError","backtrace":["/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `to_s'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/matchers/matchers.rb:297:in `block (2 levels) in 
'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/matchers/dsl.rb:338:in `block in define_user_override'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:35:in `handle_failure'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:50:in `block in handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:27:in `with_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-expectations-3.8.2/lib/rspec/expectations/handler.rb:48:in `handle_matcher'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-its-1.2.0/lib/rspec/its.rb:126:in `should'","/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73061.rb:124:in `block (3 levels) in load_with_context'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `instance_exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:254:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in `block in with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `block in with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:602:in `run_around_example_hooks_for'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/hooks.rb:464:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:457:in `with_around_example_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:500:in 
`with_around_and_singleton_context_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example.rb:251:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:629:in `block in run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:625:in `run_examples'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:591:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `block in run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:592:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (3 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `map'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:116:in `block (2 levels) in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/configuration.rb:1989:in `with_suite_hooks'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:111:in `block in run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/reporter.rb:74:in `report'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/rspec-core-3.8.0/lib/rspec/core/runner.rb:110:in `run_specs'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner_rspec.rb:77:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:140:in 
`run_tests'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/runner.rb:111:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/lib/inspec/cli.rb:265:in `exec'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'","/opt/chefdk/embedded/lib/ruby/gems/2.5.0/gems/inspec-3.6.6/bin/inspec:12:in `'","/usr/bin/inspec:306:in `load'","/usr/bin/inspec:306:in `
'"]}]},{"id":"V-73063","title":"PostgreSQL must use NIST FIPS 140-2 validated cryptographic modules for\n cryptographic operations.","desc":"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules.","descriptions":[{"label":"default","data":"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. 
Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000179-DB-000114","gid":"V-73063","rid":"SV-87715r1_rule","stig_id":"PGS9-00-012300","cci":["CCI-000803"],"nist":["IA-7","Rev_4"],"check":"As the system administrator, run the following:\n\n $ openssl version\n If \"fips\" is not included in the openssl version, this is a finding.","fix":"Configure OpenSSL to meet FIPS Compliance using the following\n documentation in section 9.1:\n\n http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf\n\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G."},"code":"control \"V-73063\" do\n title \"PostgreSQL must use NIST FIPS 140-2 validated cryptographic modules for\n cryptographic operations.\"\n desc \"Use of weak or not validated cryptographic algorithms undermines the\n purposes of utilizing encryption and digital signatures to protect data.\n Weak algorithms can be easily broken and not validated cryptographic\n modules may not implement algorithms correctly. Unapproved cryptographic\n modules or algorithms should not be relied on for authentication,\n confidentiality or integrity. 
Weak cryptography could allow an attacker\n to gain access to and modify data stored in the database as well as the\n administration settings of the DBMS.\n\n Applications, including DBMSs, utilizing cryptography are required to use\n approved NIST FIPS 140-2 validated cryptographic modules that meet the\n requirements of applicable federal laws, Executive Orders, directives,\n policies, regulations, standards, and guidance.\n\n The security functions validated as part of FIPS 140-2 for cryptographic\n modules are described in FIPS 140-2 Annex A.\n\n NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based\n encryption modules.\"\n impact 0.7\n tag \"severity\": \"high\"\n\n tag \"gtitle\": \"SRG-APP-000179-DB-000114\"\n tag \"gid\": \"V-73063\"\n tag \"rid\": \"SV-87715r1_rule\"\n tag \"stig_id\": \"PGS9-00-012300\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n\n tag \"check\": \"As the system administrator, run the following:\n\n $ openssl version\n If \\\"fips\\\" is not included in the openssl version, this is a finding.\"\n\n tag \"fix\": \"Configure OpenSSL to meet FIPS Compliance using the following\n documentation in section 9.1:\n\n http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf\n\n For more information on configuring PostgreSQL to use SSL, see supplementary\n content APPENDIX-G.\"\n\n only_if do\n command('openssl').exist?\n end\n\n describe command('openssl version') do\n its('stdout') { should include 'fips' }\n end\nend\n","source_location":{"line":87,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73063.rb"},"results":[{"status":"passed","code_desc":"Command: `openssl version` stdout should include \"fips\"","run_time":0.027339604,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-73065","title":"Audit records must be generated when categorized information (e.g.,\n classification levels/security levels) is deleted.","desc":"Changes in 
categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems.","descriptions":[{"label":"default","data":"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000502-DB-000348","gid":"V-73065","rid":"SV-87717r1_rule","stig_id":"PGS9-00-012500","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that role, read, write and ddl auditing are enabled:\n\n $ psql -c \"SHOW pgaudit.log\"\n\n If the output does not contain role, read, write, and ddl,\n this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring\n PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations can be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73065\" do\n title \"Audit records must be generated when categorized information (e.g.,\n classification levels/security levels) is deleted.\"\n desc \"Changes in categorized information must be tracked. Without an audit\n trail, unauthorized access to protected data could go undetected.\n\n For detailed information on categorizing information, refer to FIPS\n Publication 199, Standards for Security Categorization of Federal\n Information and Information Systems, and FIPS Publication 200, Minimum\n Security Requirements for Federal Information and Information Systems.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000502-DB-000348\"\n tag \"gid\": \"V-73065\"\n tag \"rid\": \"SV-87717r1_rule\"\n tag \"stig_id\": \"PGS9-00-012500\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that role, read, write and ddl auditing are enabled:\n\n $ psql -c \\\"SHOW pgaudit.log\\\"\n\n If the output does not contain role, read, write, and ddl,\n this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on 
configuring\n PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations can be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = %w(ddl read role write)\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73065.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000465654,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include 
\"ddl\"","run_time":0.000462544,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"ddl\"\nDiff:\n@@ -1,2 +1,5 @@\n-ddl\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000385091,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"role\"","run_time":0.000459023,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"role\"\nDiff:\n@@ -1,2 +1,5 @@\n-role\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.000376015,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to 
include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73067","title":"PostgreSQL must generate audit records when successful accesses to\n objects occur.","desc":"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUT.","descriptions":[{"label":"default","data":"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUT."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000507-DB-000356","gid":"V-73067","rid":"SV-87719r1_rule","stig_id":"PGS9-00-012600","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that role, read, write, and ddl auditing are enabled:\n\n $ psql -c \"SHOW pgaudit.log\"\n\n If the output does not contain read and write, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\n To ensure that logging is enabled, review 
supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n If logging is enabled the following configurations must be made to log\n unsuccessful connections, date/time, username and session identifier.\n\n As the database administrator (shown here as \"postgres\"),\n edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Edit the following parameters:\n\n log_connections = on\n log_line_prefix = '< %m %u %c: >'\n pgaudit.log = 'read, write'\n\n Where:\n * %m is the time and date\n * %u is the username\n * %c is the session ID for the connection\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73067\" do\n title \"PostgreSQL must generate audit records when successful accesses to\n objects occur.\"\n desc \"Without tracking all or selected types of access to all or selected\n objects (tables, views, procedures, functions, etc.), it would be\n difficult to establish, correlate, and investigate the events relating\n to an incident, or identify those responsible for one.\n\n In an SQL environment, types of access include, but are not necessarily\n limited to:\n\n SELECT\n INSERT\n UPDATE\n DELETE\n EXECUT.\"\n\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000507-DB-000356\"\n tag \"gid\": \"V-73067\"\n tag \"rid\": \"SV-87719r1_rule\"\n tag \"stig_id\": \"PGS9-00-012600\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that role, read, write, and ddl auditing are enabled:\n\n $ psql -c \\\"SHOW pgaudit.log\\\"\n\n If the 
output does not contain read and write, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n If logging is enabled the following configurations must be made to log\n unsuccessful connections, date/time, username and session identifier.\n\n As the database administrator (shown here as \\\"postgres\\\"),\n edit postgresql.conf:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Edit the following parameters:\n\n log_connections = on\n log_line_prefix = '< %m %u %c: >'\n pgaudit.log = 'read, write'\n\n Where:\n * %m is the time and date\n * %u is the username\n * %c is the session ID for the connection\n\n Now, as the system administrator, reload the server with the new\n configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n pgaudit_types = ['read', 'write']\n\n pgaudit_types.each do |type|\n describe sql.query('SHOW pgaudit.log;', [PG_DB]) do\n its('output') { should include type }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73067.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000376293,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include 
\"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"read\"","run_time":0.000371361,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"read\"\nDiff:\n@@ -1,2 +1,5 @@\n-read\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW pgaudit.log; output should include \"write\"","run_time":0.00035008,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"write\"\nDiff:\n@@ -1,2 +1,5 @@\n-write\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]},{"id":"V-73069","title":"PostgreSQL must generate audit records for all direct access to the\n database(s).","desc":"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. Examples would be the command line or a database management\n utility program. The intent is to capture all activity from administrative\n and non-standard sources.","descriptions":[{"label":"default","data":"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. 
Examples would be the command line or a database management\n utility program. The intent is to capture all activity from administrative\n and non-standard sources."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000508-DB-000358","gid":"V-73069","rid":"SV-87721r1_rule","stig_id":"PGS9-00-012700","cci":["CCI-000172"],"nist":["AU-12 c","Rev_4"],"check":"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW shared_preload_libraries\"\n\n If the output does not contain \"pgaudit\", this is a finding.\n\n Verify that connections and disconnections are being logged by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_connections\"\n $ psql -c \"SHOW log_disconnections\"\n\n If the output does not contain \"on\",\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n this is a finding.","fix":"Note: The following instructions use the PGDATA environment\n variable. See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. 
See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations should be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73069\" do\n title \"PostgreSQL must generate audit records for all direct access to the\n database(s).\"\n desc \"In this context, direct access is any query, command, or call to the\n DBMS that comes from any source other than the application(s) that it\n supports. Examples would be the command line or a database management\n utility program. The intent is to capture all activity from administrative\n and non-standard sources.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000508-DB-000358\"\n tag \"gid\": \"V-73069\"\n tag \"rid\": \"SV-87721r1_rule\"\n tag \"stig_id\": \"PGS9-00-012700\"\n tag \"cci\": [\"CCI-000172\"]\n tag \"nist\": [\"AU-12 c\", \"Rev_4\"]\n\n tag \"check\": \"As the database administrator, verify pgaudit is enabled by running\n the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW shared_preload_libraries\\\"\n\n If the output does not contain \\\"pgaudit\\\", this is a finding.\n\n Verify that connections and disconnections are being logged by\n running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_connections\\\"\n $ psql -c \\\"SHOW log_disconnections\\\"\n\n If the output does not contain \\\"on\\\",\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA 
environment\n variable. See supplementary content APPENDIX-F for instructions on\n configuring PGDATA.\n\n To ensure that logging is enabled, review supplementary content APPENDIX-C\n for instructions on enabling logging.\n\n Using pgaudit PostgreSQL can be configured to audit these requests. See\n supplementary content APPENDIX-B for documentation on installing pgaudit.\n\n With pgaudit installed the following configurations should be made:\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Add the following parameters (or edit existing parameters):\n\n pgaudit.log='ddl, role, read, write'\n log_connections='on'\n log_disconnections='on'\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n describe sql.query('SHOW shared_preload_libraries;', [PG_DB]) do\n its('output') { should include 'pgaudit' }\n end\n\n describe sql.query('SHOW log_connections;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\n\n describe sql.query('SHOW log_disconnections;', [PG_DB]) do\n its('output') { should match /on|true/i }\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73069.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW shared_preload_libraries; output should include \"pgaudit\"","run_time":0.000347176,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"pgaudit\"\nDiff:\n@@ -1,2 +1,5 @@\n-pgaudit\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP 
connections on port 5432?\n"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_connections; output should match /on|true/i","run_time":0.000112513,"start_time":"2019-04-22T19:23:23+00:00"},{"status":"passed","code_desc":"PostgreSQL query with errors: SHOW log_disconnections; output should match /on|true/i","run_time":0.000148856,"start_time":"2019-04-22T19:23:23+00:00"}]},{"id":"V-73071","title":"The DBMS must be configured on a platform that has a NIST certified\n FIPS 140-2 installation of OpenSSL.","desc":"Postgres uses OpenSSL for the underlying encryption layer. Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries.","descriptions":[{"label":"default","data":"Postgres uses OpenSSL for the underlying encryption layer. Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries."}],"impact":0.7,"refs":[],"tags":{"severity":"high","gtitle":"SRG-APP-000179-DB-000114","gid":"V-73071","rid":"SV-87723r1_rule","stig_id":"PGS9-00-012800","cci":["CCI-000803"],"nist":["IA-7","Rev_4"],"check":"If the deployment incorporates a custom build of the operating\n system and Postgres guaranteeing the use of FIPS 140-2 compliant OpenSSL,\n this is not a finding.\n\n If PostgreSQL is not installed on Red Hat Enterprise Linux (RHEL),\n this is a finding.\n\n If FIPS encryption is not enabled, this is a finding.","fix":"Install Postgres with FIPS-compliant cryptography enabled on RHEL;\n or by other means ensure that FIPS 140-2 certified OpenSSL libraries are\n used by the DBMS."},"code":"control \"V-73071\" do\n title \"The DBMS must be configured on a platform that has a NIST certified\n FIPS 140-2 installation of OpenSSL.\"\n desc \"Postgres uses OpenSSL for the underlying encryption 
layer. Currently only\n Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of\n OpenSSL. For other operating systems, users must obtain or build their\n own FIPS 140-2 OpenSSL libraries.\"\n impact 0.7\n tag \"severity\": \"high\"\n\n tag \"gtitle\": \"SRG-APP-000179-DB-000114\"\n tag \"gid\": \"V-73071\"\n tag \"rid\": \"SV-87723r1_rule\"\n tag \"stig_id\": \"PGS9-00-012800\"\n tag \"cci\": [\"CCI-000803\"]\n tag \"nist\": [\"IA-7\", \"Rev_4\"]\n\n tag \"check\": \"If the deployment incorporates a custom build of the operating\n system and Postgres guaranteeing the use of FIPS 140-2 compliant OpenSSL,\n this is not a finding.\n\n If PostgreSQL is not installed on Red Hat Enterprise Linux (RHEL),\n this is a finding.\n\n If FIPS encryption is not enabled, this is a finding.\"\n\n # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Federal_Standards_and_Regulations.html\n\n # fips=1 kernel option to the kernel command line during system\n # installation.\n\n # PRELINKING=no option in the /etc/sysconfig/prelink\n # run\n\n # yum install dracut-fips\n # For the CPUs with the AES New Instructions (AES-NI) support, install the\n # vdracut-fips-aesni package as well:\n\n # in the CM:\n # To disable existing prelinking on all system files, use the\n # prelink -u -a command.\n\n tag \"fix\": \"Install Postgres with FIPS-compliant cryptography enabled on RHEL;\n or by other means ensure that FIPS 140-2 certified OpenSSL libraries are\n used by the DBMS.\"\n\n only_if { false }\n\nend\n","source_location":{"line":23,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73071.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":7.82e-06,"start_time":"2019-04-22T19:23:23+00:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"V-73123","title":"PostgreSQL must produce audit records 
containing sufficient information\n to establish where the events occurred.","desc":"Information system auditing capability is critical for accurate forensic\n analysis. Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application.","descriptions":[{"label":"default","data":"Information system auditing capability is critical for accurate forensic\n analysis. Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application."}],"impact":0.5,"refs":[],"tags":{"severity":"medium","gtitle":"SRG-APP-000097-DB-000041","gid":"V-73123","rid":"SV-87775r1_rule","stig_id":"PGS9-00-007100","cci":["CCI-000132"],"nist":["AU-3","Rev_4"],"check":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n First, as the database administrator (shown here as 
\"postgres\"), check the\n current log_line_prefix setting by running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \"SHOW log_line_prefix\"\n\n If log_line_prefix does not contain %m %u %d %s, this is a finding.","fix":"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n To check that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First edit the postgresql.conf file as the database administrator (shown here\n as \"postgres\"):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Extra parameters can be added to the setting log_line_prefix to log application\n related information:\n\n # %a = application name\n # %u = user name\n # %d = database name\n # %r = remote host and port\n # %p = process ID\n # %m = timestamp with milliseconds\n # %i = command tag\n # %s = session startup\n # %e = SQL state\n\n For example:\n log_line_prefix = '<%m %a %u %d %r %p %i %e %s>’\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload"},"code":"control \"V-73123\" do\n title \"PostgreSQL must produce audit records containing sufficient information\n to establish where the events occurred.\"\n desc \"Information system auditing capability is critical for accurate forensic\n analysis. 
Without establishing where events occurred, it is impossible to\n establish, correlate, and investigate the events relating to an incident.\n In order to compile an accurate risk assessment and provide forensic analysis,\n it is essential for security personnel to know where events occurred, such as\n application components, modules, session identifiers, filenames, host names,\n and functionality.\n Associating information about where the event occurred within the application\n provides a means of investigating an attack; recognizing resource utilization\n or capacity thresholds; or identifying an improperly configured application.\"\n impact 0.5\n tag \"severity\": \"medium\"\n\n tag \"gtitle\": \"SRG-APP-000097-DB-000041\"\n tag \"gid\": \"V-73123\"\n tag \"rid\": \"SV-87775r1_rule\"\n tag \"stig_id\": \"PGS9-00-007100\"\n tag \"cci\": [\"CCI-000132\"]\n tag \"nist\": [\"AU-3\", \"Rev_4\"]\n\n tag \"check\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n First, as the database administrator (shown here as \\\"postgres\\\"), check the\n current log_line_prefix setting by running the following SQL:\n\n $ sudo su - postgres\n $ psql -c \\\"SHOW log_line_prefix\\\"\n\n If log_line_prefix does not contain %m %u %d %s, this is a finding.\"\n\n tag \"fix\": \"Note: The following instructions use the PGDATA environment variable.\n See supplementary content APPENDIX-F for instructions on configuring PGDATA.\n To check that logging is enabled, review supplementary content APPENDIX-C for\n instructions on enabling logging.\n First edit the postgresql.conf file as the database administrator (shown here\n as \\\"postgres\\\"):\n\n $ sudo su - postgres\n $ vi ${PGDATA?}/postgresql.conf\n\n Extra parameters can be added to the setting log_line_prefix to log application\n related information:\n\n # %a = application name\n # %u = user name\n # %d = database name\n # %r = 
remote host and port\n # %p = process ID\n # %m = timestamp with milliseconds\n # %i = command tag\n # %s = session startup\n # %e = SQL state\n\n For example:\n log_line_prefix = '<%m %a %u %d %r %p %i %e %s>’\n\n Now, as the system administrator, reload the server with the new configuration:\n\n # SYSTEMD SERVER ONLY\n $ sudo systemctl reload postgresql-9.5\n # INITD SERVER ONLY\n $ sudo service postgresql-9.5 reload\"\n\n sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)\n\n log_line_prefix_escapes = %w(%m %u %d %s)\n\n log_line_prefix_escapes.each do |escape|\n describe sql.query('SHOW log_line_prefix;', [PG_DB]) do\n its('output') { should include escape }\n end\n end\nend\n","source_location":{"line":42,"ref":"/home/ec2-user/.inspec/cache/96e6b8877a3a240490c08879e504472ff3102500/controls/V-73123.rb"},"results":[{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%m\"","run_time":0.000341145,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%m\"\nDiff:\n@@ -1,2 +1,5 @@\n-%m\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%u\"","run_time":0.000350368,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%u\"\nDiff:\n@@ -1,2 +1,5 @@\n-%u\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 
5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%d\"","run_time":0.000433247,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%d\"\nDiff:\n@@ -1,2 +1,5 @@\n-%d\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"},{"status":"failed","code_desc":"PostgreSQL query with errors: SHOW log_line_prefix; output should include \"%s\"","run_time":0.000393182,"start_time":"2019-04-22T19:23:23+00:00","message":"expected \"\\npsql: could not connect to server: Connection refused\\n\\tIs the server running on host \\\"127.0.0.1\\\" and accepting\\n\\tTCP/IP connections on port 5432?\\n\" to include \"%s\"\nDiff:\n@@ -1,2 +1,5 @@\n-%s\n+\n+psql: could not connect to server: Connection refused\n+\tIs the server running on host \"127.0.0.1\" and accepting\n+\tTCP/IP connections on port 5432?\n"}]}],"status":"loaded"}],"statistics":{"duration":0.504726758},"version":"3.6.6"} \ No newline at end of file