Detections
Analytics

3.2 Ensure the PostgreSQL Audit Extension (pgAudit) is enabled - audit.log

Information

The PostgreSQL Audit Extension (pgAudit) provides detailed session and/or object audit logging via the standard PostgreSQL logging facility. The goal of pgAudit is to provide PostgreSQL users with the capability to produce audit logs often required to comply with government, financial, or ISO certifications.
Rationale:
Basic statement logging can be provided by the standard logging facility with log_statement = all. This is acceptable for monitoring and other uses but does not provide the level of detail generally required for an audit. It is not enough to have a list of all the operations performed against the database, it must also be possible to find particular statements that are of interest to an auditor. The standard logging facility shows what the user requested, while pgAudit focuses on the details of what happened while the database was satisfying the request.
When logging SELECT and DML statements, pgAudit can be configured to log a separate entry for each relation referenced in a statement. No parsing is required to find all statements that touch a particular table. In fact, the goal is that the statement text is provided primarily for deep forensics and should not be required for an audit.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To install and enable pgAudit, simply install the appropriate rpm from the PGDG repo:
$ yum -y install pgaudit_95
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirror.vtti.vt.edu
 * extras: mirror.cogentco.com
 * updates: bay.uchicago.edu
Resolving Dependencies
--> Running transaction check
---> Package pgaudit_95.x86_64 0:1.0.4-1.rhel6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 pgaudit_95 x86_64 1.0.4-1.rhel6 pgdg95 18 k
Transaction Summary
================================================================================
Install 1 Package(s)
Total download size: 18 k
Installed size: 41 k
Downloading Packages:
pgaudit_95-1.0.4-1.rhel6.x86_64.rpm | 18 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
 Installing : pgaudit_95-1.0.4-1.rhel6.x86_64 1/1
 Verifying : pgaudit_95-1.0.4-1.rhel6.x86_64 1/1
Installed:
 pgaudit_95.x86_64 0:1.0.4-1.rhel6
Complete!
pgAudit is now installed and ready to be configured. Next, we need to alter the postgresql.conf configuration file to:
 enable pgAudit as an extension in the shared_preload_libraries parameter
 indicate which classes of statements we want to log via the pgaudit.log parameter
and, finally, restart the PostgreSQL service:
$ vi ${PGDATA}/postgresql.conf
Find the shared_preload_libraries entry, and add 'pgaudit' to it (preserving any existing entries):
shared_preload_libraries = 'pgaudit'
OR
shared_preload_libraries = 'pgaudit,somethingelse'
Now, add a new pgaudit-specific entry:
pgaudit.log='ddl,write'
Restart the PostgreSQL server for changes to take affect:
$ whoami
root
$ service postgresql-9.5 restart
Stopping postgresql-9.5 service: [ OK ]
Starting postgresql-9.5 service: [ OK ]
Impact:
Depending on settings, it is possible for pgAudit to generate an enormous volume of logging. Be careful to determine exactly what needs to be audit logged in your environment to avoid logging too much.

See Also

https://workbench.cisecurity.org/files/2234

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12, CSCv6|6, CSCv7|6.2

Plugin: PostgreSQLDB

Control ID: 2d823a3dcbb6cd31b51ecda234adcf973f7a1b6d4a894bd408ec4f8821d85284