Documentation - V-261859

Title

PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Description

<VulnDiscussion>Authentication with a DOD-approved PKI certificate does not necessarily imply authorization to access PostgreSQL. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems, including databases, must be properly configured to implement access control policies. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedur...

Fix Text (Documentation Requirement)

Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA. Create and/or maintain documentation of each group role's appropriate permissions on database objects. Implement these permissions in the database and remove any permissions that exceed those documented. The following are examples of how to use role privileges in PostgreSQL to enforce access controls. For a complete list of privileges, refer to the official documentation: https://www.postgresql.org/docs/current/static/sql-createrole.html. #### Roles Example 1 The following example demonstrates how to create an admin role with CREATEDB and CREATEROLE privileges. As the database administrator (shown here as "postgres"), run the following SQL: $ sudo su ...