Detections
Analytics

5.1 Ensure login via 'local' UNIX Domain Socket is configured correctly

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

A remote host login, via ssh, is arguably the most secure means of remotely accessing and administrating the Postgres server. Connecting with the psql CLI, via UNIX DOMAIN SOCKETS, using the peer METHOD is the most secure mechanism available for local connections. Provided a database user account of the same name of the UNIX account has already been defined in the database, even ordinary user accounts can access the cluster in a similarly highly secure manner.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Creation of a database account that matches the local account allows PEER authentication:
$ psql -c 'create role user1 with login password 'mypassword';'
CREATE ROLE
Execute the following as the UNIX user account, the default authentication rules should now permit the login:
$ su - user1
$ psql postgres
psql (9.5.10)
Type "help" for help.

postgres=#
As per the host-based authentication rules in $PGDATA/pg_hba.conf, all login attempts via UNIX DOMAIN SOCKETS are processed on the line beginning with local.
This is the minimal rule that must be in place allowing PEER connections:
# TYPE DATABASE USER ADDRESS METHOD
local all postgres peer
More traditionally, a rule like the following would be used to allow any local PEER connection:
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
Once edited, the server process must reload the authentication file before it can take effect. Improperly configured rules cannot update i.e. the old rules remain in place. The Postgres logs will report the outcome of the SIGHUP:
[root@localhost ~]# service postgresql-9.5 reload
The following examples illustrate other possible configurations. The resultant "rule" of success/failure depends upon the first matching line:
# allow postgres user logins
# TYPE DATABASE USER ADDRESS METHOD
local all postgres peer
# allow all local users
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
# allow all local users only if they are connecting to a db named the same as their username
# TYPE DATABASE USER METHOD
local samerole all peer
# allow only local users who are members of the 'rw' role in the db
# TYPE DATABASE USER ADDRESS METHOD
local all +rw peer

See Also

https://workbench.cisecurity.org/files/2063

Item Details

References: CSCv6|3.4

Plugin: Unix

Control ID: 20a62e83d69df3c4b3511c20e6ec945616df4c66ccbb7bc32d264055da332181