Detections
Analytics
EPAS-00-001200 - The EDB Postgres Advanced Server must generate audit records when privileges/permissions are retrieved.
Information
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions.This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.
Solution
Execute the following SQL as the 'enterprisedb' operating system user:> psql edb -c 'ALTER SYSTEM SET edb_audit_statement = 'all''
> psql edb -c 'SELECT pg_reload_conf()'
or
Update the system documentation to note the organizationally approved setting and corresponding justification of the setting for this requirement.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EPAS_V2R1_STIG.zip
Item Details
Audit Name: EnterpriseDB PostgreSQL Advanced Server DB v2r1
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-12c., CAT|II, CCI|CCI-000172, Rule-ID|SV-259216r960885_rule, STIG-ID|EPAS-00-001200, Vuln-ID|V-259216
Plugin: PostgreSQLDB
Control ID: 891dd1ebd66d989e7f486b8a5f78a85af1b4eebaa216cf244ceb4c8c1b5bea3e