DISA Crunchy Data Postgres 16 STIG v1r2 PostgreSQLDB

Audit Details

Name: DISA Crunchy Data Postgres 16 STIG v1r2 PostgreSQLDB

Updated: 6/30/2026

Authority: DISA STIG

Plugin: PostgreSQLDB

Revision: 1.0

Estimated Item Count: 89

File Details

Filename: DISA_STIG_Crunchy_Data_Postgres_16_v1r2_PostgreSQLDB.audit

Size: 283 kB

MD5: 5e39574d4a93bb9b70a012c73d16aa79
SHA256: 4679e9ac37878de75e2e8824a46807417f29f18e5542c282ec4b23b64f350b58

Audit Items

Description / Categories
CD16-00-000100 - PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.

ACCESS CONTROL

CD16-00-000200 - PostgreSQL must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

ACCESS CONTROL

CD16-00-000300 - PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

ACCESS CONTROL

CD16-00-000400 - PostgreSQL must protect against a user falsely repudiating having performed organization-defined actions.

AUDIT AND ACCOUNTABILITY

CD16-00-000500 - PostgreSQL must provide audit record generation capability for DOD-defined auditable events within all DBMS/database components.

AUDIT AND ACCOUNTABILITY

CD16-00-000600 - PostgreSQL must allow only the information system security manager (ISSM), or individuals or roles appointed by the ISSM, to select which events are to be audited.

AUDIT AND ACCOUNTABILITY

CD16-00-000700 - PostgreSQL must be able to generate audit records when privileges/permissions are retrieved.

AUDIT AND ACCOUNTABILITY

CD16-00-000800 - PostgreSQL must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.

AUDIT AND ACCOUNTABILITY

CD16-00-000900 - PostgreSQL must initiate session auditing upon startup.

AUDIT AND ACCOUNTABILITY

CD16-00-001000 - PostgreSQL must produce audit records containing sufficient information to establish what type of events occurred.

AUDIT AND ACCOUNTABILITY

CD16-00-001100 - PostgreSQL must produce audit records containing time stamps to establish when the events occurred.

AUDIT AND ACCOUNTABILITY

CD16-00-001200 - PostgreSQL must produce audit records containing sufficient information to establish where the events occurred.

AUDIT AND ACCOUNTABILITY

CD16-00-001300 - PostgreSQL must produce audit records containing sufficient information to establish the sources (origins) of the events.

AUDIT AND ACCOUNTABILITY

CD16-00-001400 - PostgreSQL must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.

AUDIT AND ACCOUNTABILITY

CD16-00-001500 - PostgreSQL must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.

AUDIT AND ACCOUNTABILITY

CD16-00-001600 - PostgreSQL must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.

AUDIT AND ACCOUNTABILITY

CD16-00-001700 - PostgreSQL must, by default, shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.

AUDIT AND ACCOUNTABILITY

CD16-00-001800 - PostgreSQL must be configurable to overwrite audit log records, oldest first (first-in-first-out [FIFO]), in the event of unavailability of space for more audit log records.

AUDIT AND ACCOUNTABILITY

CD16-00-002000 - The audit information produced by PostgreSQL must be protected from unauthorized read access.

AUDIT AND ACCOUNTABILITY

CD16-00-002300 - PostgreSQL must protect its audit features from unauthorized access.

AUDIT AND ACCOUNTABILITY

CD16-00-002400 - PostgreSQL must protect its audit configuration from unauthorized modification.

AUDIT AND ACCOUNTABILITY

CD16-00-003200 - Unused database components, PostgreSQL software, and database objects must be removed.

CONFIGURATION MANAGEMENT

CD16-00-003400 - Access to external executables must be disabled or restricted.

CONFIGURATION MANAGEMENT

CD16-00-003500 - PostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

CONFIGURATION MANAGEMENT

CD16-00-003800 - If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords.

IDENTIFICATION AND AUTHENTICATION

CD16-00-004000 - PostgreSQL, when using PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.

IDENTIFICATION AND AUTHENTICATION

CD16-00-004100 - PostgreSQL must enforce authorized access to all PKI private keys stored/used by PostgreSQL.

IDENTIFICATION AND AUTHENTICATION

CD16-00-004500 - PostgreSQL must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).

IDENTIFICATION AND AUTHENTICATION

CD16-00-004600 - PostgreSQL must separate user functionality (including user interface services) from database management functionality.

SYSTEM AND COMMUNICATIONS PROTECTION

CD16-00-004700 - PostgreSQL must invalidate session identifiers upon user logout or other session termination.

SYSTEM AND COMMUNICATIONS PROTECTION

CD16-00-004900 - PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.

SYSTEM AND COMMUNICATIONS PROTECTION

CD16-00-005300 - PostgreSQL must isolate security functions from nonsecurity functions.

SYSTEM AND COMMUNICATIONS PROTECTION

CD16-00-005900 - PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

SYSTEM AND INFORMATION INTEGRITY

CD16-00-006000 - PostgreSQL must provide nonprivileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

SYSTEM AND INFORMATION INTEGRITY

CD16-00-006100 - PostgreSQL must reveal detailed error messages only to the information system security officer (ISSO), information system security manager (ISSM), system administrator (SA), and database administrator (DBA).

SYSTEM AND INFORMATION INTEGRITY

CD16-00-006200 - PostgreSQL must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.

ACCESS CONTROL

CD16-00-006400 - PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in storage.

ACCESS CONTROL

CD16-00-006500 - PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in process.

ACCESS CONTROL

CD16-00-006600 - PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in transmission.

ACCESS CONTROL

CD16-00-006700 - PostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.

ACCESS CONTROL

CD16-00-006800 - PostgreSQL must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

ACCESS CONTROL

CD16-00-006900 - Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.

ACCESS CONTROL

CD16-00-007000 - PostgreSQL must use centralized management of the content captured in audit records generated by all components of PostgreSQL.

AUDIT AND ACCOUNTABILITY

CD16-00-007200 - PostgreSQL must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.

AUDIT AND ACCOUNTABILITY

CD16-00-007500 - PostgreSQL must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC), formerly Greenwich Mean Time (GMT).

AUDIT AND ACCOUNTABILITY

CD16-00-007600 - PostgreSQL must generate time stamps for audit records and application data with a minimum granularity of one second.

AUDIT AND ACCOUNTABILITY

CD16-00-007700 - PostgreSQL must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

CONFIGURATION MANAGEMENT

CD16-00-007800 - PostgreSQL must enforce access restrictions associated with changes to the configuration of the DBMS or database(s).

CONFIGURATION MANAGEMENT

CD16-00-007900 - PostgreSQL must produce audit records of its enforcement of access restrictions associated with changes to the configuration of PostgreSQL or database(s).

CONFIGURATION MANAGEMENT

CD16-00-008000 - PostgreSQL must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accordance with the Ports, Protocols, and Services Management (PPSM) guidance.

CONFIGURATION MANAGEMENT