V-261863

SV-261863r1000954_rule

CAT II

PostgreSQL must be able to generate audit records when privileges/permissions are retrieved.

From: Crunchy Data Postgres 16 Security Technical Implementation Guide (V1R2)

Description

<VulnDiscussion>Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. PostgreSQLs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that PostgreSQL continually performs to determine if any and every action on the database is permitted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Check Procedure

Note: The following instructions use the PGLOG environment variable. Refer to supplementary content APPENDIX-I for instructions on configuring PGLOG. As the database administrator (shown here as "postgres"), check if pgaudit is enabled by running the following SQL: $ sudo su - postgres $ psql -c "SHOW shared_preload_libraries" If pgaudit is not found in the results, this is a finding. As the database administrator (shown here as "postgres"), list all role memberships for the database: $ sudo su - postgres $ psql -c "\du" Verify the query was logged: $ sudo su - postgres $ cat ${PGLOG?}/<latest_log> This should, as an example, return (among other rows): < 2024-02-01 19:13:38.276 UTC psql postgres postgres [local] 15639 >LOG: duration: 29.932 ms statement: SELECT r.rolname, r.rolsuper, r.rolinherit, r.rolcreaterole, r.rolcreatedb, r.rolcanlogin, r.rolconnlimit, r.rolvaliduntil , r.rolreplication , r.rolbypassrls FROM pg_catalog.pg_roles r WHERE r.rolname !~ '^pg_' ORDER BY 1; If audit records are not produced, this is a finding.

Fix Text

Note: The following instructions use the PGDATA and PGVER environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER. PostgreSQL can be configured to audit these requests using pgaudit. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit. With pgaudit installed the following configurations can be made: $ sudo su - postgres $ vi ${PGDATA?}/postgresql.conf Add the following parameters (or edit existing parameters): pgaudit.log_catalog = 'on' pgaudit.log = 'read' Note: For this requirement the pgaudit.log must contain 'read' however APPENDIX-C suggests setting pgaudit.log='ddl, role, read, write' to fulfill all requirements. As the system administrator, reload the server with the new configuration: $ sudo systemctl reload postgresql-${PGVER?}

CCI Reference

CCI-000172

Created: 2026-04-07 20:08:12
Last Updated: 2026-04-07 20:08:12