| 3.1.2 Ensure the log destinations are set correctly | AUDIT AND ACCOUNTABILITY |
| 3.1.3 Ensure the logging collector is enabled | AUDIT AND ACCOUNTABILITY |
| 3.1.4 Ensure the log file destination directory is set correctly | AUDIT AND ACCOUNTABILITY |
| 3.1.5 Ensure the filename pattern for log files is set correctly | AUDIT AND ACCOUNTABILITY |
| 3.1.6 Ensure the log file permissions are set correctly | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.7 Ensure 'log_truncate_on_rotation' is enabled | AUDIT AND ACCOUNTABILITY |
| 3.1.8 Ensure the maximum log file lifetime is set correctly | AUDIT AND ACCOUNTABILITY |
| 3.1.9 Ensure the maximum log file size is set correctly | AUDIT AND ACCOUNTABILITY |
| 3.1.10 Ensure the correct syslog facility is selected | AUDIT AND ACCOUNTABILITY |
| 3.1.11 Ensure syslog messages are not suppressed | AUDIT AND ACCOUNTABILITY |
| 3.1.12 Ensure syslog messages are not lost due to size | AUDIT AND ACCOUNTABILITY |
| 3.1.13 Ensure the program name for PostgreSQL syslog messages is correct | AUDIT AND ACCOUNTABILITY |
| 3.1.14 Ensure the correct messages are written to the server log | AUDIT AND ACCOUNTABILITY |
| 3.1.15 Ensure the correct SQL statements generating errors are recorded | AUDIT AND ACCOUNTABILITY |
| 3.1.16 Ensure 'debug_print_parse' is disabled - debug_print_parse is disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.1.17 Ensure 'debug_print_rewritten' is disabled - debug_print_rewritten is disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.1.18 Ensure 'debug_print_plan' is disabled - debug_print_plan is disabled | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.1.19 Ensure 'debug_pretty_print' is enabled - debug_pretty_print is enabled | AUDIT AND ACCOUNTABILITY |
| 3.1.20 Ensure 'log_connections' is enabled - log_connections is enabled | AUDIT AND ACCOUNTABILITY |
| 3.1.21 Ensure 'log_disconnections' is enabled - log_disconnections is enabled | AUDIT AND ACCOUNTABILITY |
| 3.1.22 Ensure 'log_error_verbosity' is set correctly - log_error_verbosity is set correctly | AUDIT AND ACCOUNTABILITY |
| 3.1.23 Ensure 'log_hostname' is set correctly - log_hostname is set correctly | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.1.24 Ensure 'log_line_prefix' is set correctly - log_line_prefix is set correctly | AUDIT AND ACCOUNTABILITY |
| 3.1.25 Ensure 'log_statement' is set correctly - log_statement is set correctly | AUDIT AND ACCOUNTABILITY |
| 3.1.26 Ensure 'log_timezone' is set correctly - log_timezone is set correctly | AUDIT AND ACCOUNTABILITY |
| 3.2 Ensure the PostgreSQL Audit Extension (pgAudit) is enabled - pgaudit installed | AUDIT AND ACCOUNTABILITY |
| 3.2 Ensure the PostgreSQL Audit Extension (pgAudit) is enabled - show pgaudit.log | AUDIT AND ACCOUNTABILITY |
| 4.2 Ensure excessive administrative privileges are revoked | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.3 Ensure excessive function privileges are revoked | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.4 Ensure excessive DML privileges are revoked | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.5 Ensure Row Level Security (RLS) is configured correctly - RLS is configured correctly | ACCESS CONTROL, MEDIA PROTECTION |
| 4.6 Ensure the set_user extension is installed | ACCESS CONTROL |
| 4.7 Make use of predefined roles | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 6.1 Understanding attack vectors and runtime parameters | CONFIGURATION MANAGEMENT |
| 6.2 Ensure 'backend' runtime parameters are configured correctly - ignore_system_indexes | CONFIGURATION MANAGEMENT |
| 6.2 Ensure 'backend' runtime parameters are configured correctly - jit_debugging_support | CONFIGURATION MANAGEMENT |
| 6.2 Ensure 'backend' runtime parameters are configured correctly - jit_profiling_support | CONFIGURATION MANAGEMENT |
| 6.2 Ensure 'backend' runtime parameters are configured correctly - log_connections | CONFIGURATION MANAGEMENT |
| 6.2 Ensure 'backend' runtime parameters are configured correctly - log_disconnections | CONFIGURATION MANAGEMENT |
| 6.2 Ensure 'backend' runtime parameters are configured correctly - post_auth_delay | CONFIGURATION MANAGEMENT |
| 6.3 Ensure 'Postmaster' Runtime Parameters are Configured | CONFIGURATION MANAGEMENT |
| 6.4 Ensure 'SIGHUP' Runtime Parameters are Configured | CONFIGURATION MANAGEMENT |
| 6.5 Ensure 'Superuser' Runtime Parameters are Configured | CONFIGURATION MANAGEMENT |
| 6.6 Ensure 'User' Runtime Parameters are Configured | CONFIGURATION MANAGEMENT |
| 6.8 Ensure TLS is enabled and configured correctly | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.9 Ensure the pgcrypto extension is installed and configured correctly | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.1 Ensure a replication-only user is created and used for streaming replication | ACCESS CONTROL |
| 7.2 Ensure logging of replication commands is configured | ACCESS CONTROL |
| 7.3 Ensure base backups are configured and functional | CONTINGENCY PLANNING |
| 7.4 Ensure WAL archiving is configured and functional - archive_command | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
