5.1 Ensure login via 'local' UNIX Domain Socket is configured correctly

Information

A remote host login, via ssh, is arguably the most secure means of remotely accessing and administering the PostgreSQL server. Connecting with the psql client, via UNIX DOMAIN SOCKETS, using the peer authentication method is the most secure mechanism available for local connections: the server obtains the connecting process's operating-system user name from the kernel and accepts the login only if it matches the requested database role, so no password ever crosses the socket. Provided a database role with the same name as the UNIX account has already been created in the database, even ordinary user accounts can access the cluster in this same manner.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Creating a database role whose name matches the local UNIX account is what makes PEER authentication possible for that account (the server compares the socket peer's OS user name with the requested role name):
$ psql -c 'CREATE ROLE user1 WITH LOGIN;'
CREATE ROLE
Execute the following as that UNIX user; with the default authentication rules in place, the login should now succeed:
$ su - user1
$ whoami
user1
$ psql -d postgres
psql (9.6.10)
Type "help" for help.

postgres=>
In the host-based authentication file $PGDATA/pg_hba.conf, connections arriving over UNIX DOMAIN SOCKETS are matched only against lines whose TYPE is local; host, hostssl and hostnossl lines never apply to them, and a local line has no ADDRESS field.
This is the minimal rule that must be in place to allow PEER connections for the postgres superuser:
# TYPE DATABASE USER ADDRESS METHOD
local all postgres peer
More commonly, a rule like the following is used to allow any local PEER connection, i.e. any UNIX user whose name matches an existing database role:
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
Once edited, the file takes effect only after the server process re-reads it on a reload (SIGHUP). If the edited file contains a syntax error, the reload leaves the previous rules in place; note that pg_reload_conf() returning t only confirms that the signal was delivered to the postmaster, not that the new file was accepted, so the PostgreSQL log must be checked for the outcome of the SIGHUP:
postgres=# select pg_reload_conf();
pg_reload_conf
----------------
t
(1 row)
The following examples illustrate other possible configurations. pg_hba.conf is evaluated top to bottom, and the first line whose TYPE, DATABASE and USER fields match the incoming connection decides the authentication method; if that method fails, no later line is consulted, and a connection that matches no line at all is rejected:
# allow postgres user logins
# TYPE DATABASE USER ADDRESS METHOD
local all postgres peer
# allow all local users
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
# allow all local users only if they are connecting to a db named the same as their username
# e.g. if user 'bob' is connecting to a db named 'bob'
# TYPE DATABASE USER ADDRESS METHOD
local sameuser all peer
# the related 'samerole' keyword instead matches when the user is a member of a role named the same as the db
# allow only local users who are members of the 'rw' role in the db
# TYPE DATABASE USER ADDRESS METHOD
local all +rw peer

See Also

https://workbench.cisecurity.org/files/2235

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv6|3.4, CSCv7|4.5

Plugin: Unix

Control ID: 40795e843a46552e75655731354d36a6e6a4e46418fa488c3d35900781a0d8a4