As part of the 10.1.1 release, the following PostgreSQL STIG hardening issues have been addressed in NCM.

V-72909: log_destination has been set to 'syslog' and syslog_facility to 'LOCAL0' in postgresql.conf so that log messages are captured in /var/log/messages.

V-72925: log_connections and log_disconnections are set to 'on' in postgresql.conf to log connections and disconnections with date/time, username, and session identifier.

V-72929: pgaudit.log is set to 'role' in postgresql.conf to log changes to the permissions, privileges, and roles granted to users and roles.

V-72939: pgaudit.log is set to 'ddl' in postgresql.conf to audit the removal of security objects from the database.

V-72987: An appropriate log_line_prefix is set in postgresql.conf to capture the identity of any user, subject, or process associated with an event.

V-73005: log_hostname is set to 'on' in postgresql.conf to log the hostname.

V-73015: password_encryption is set to 'on' in postgresql.conf, addressing the check that no passwords are stored without being hashed and salted.

V-73023: The script $VOYENCE_HOME/tools/ is available to monitor disk space on the database server. Edit the script to replace [email protected] with the user's email address to receive the email notification, then schedule the script as a cron job so that it runs around the clock.

V-73033: log_connections and log_disconnections are set to 'on' and log_line_prefix is configured in postgresql.conf so that the audit record does not omit events required by the organization.

V-73037: statement_timeout, tcp_keepalives_idle, and tcp_keepalives_interval are set to 10s in postgresql.conf to invalidate the session upon user logout or other session termination.

V-73045: PostgreSQL uses syslog to transfer audit records to a centralized log management system.

V-73047: ssl is set to 'on' in postgresql.conf to maintain the authenticity of communication sessions by guarding against man-in-the-middle attacks.
Note: To address STIG V-73047 on a remote Database Server, follow the instructions below after the Database and Application servers are completely installed.
  1. Copy $VOYENCE_HOME/conf/server.crt and $VOYENCE_HOME/conf/server.key from the Application Server to the Database Server.
  2. On the Database Server, run the Perl script $VOYENCE_HOME/tools/ , passing the locations of the copied server.crt and server.key as its input.

    For example:

    perl $VOYENCE_HOME/tools/ /server.crt /server.key

  3. On the Application Server, restart the vcmaster service to connect to the SSL-configured database.

    systemctl restart vcmaster

V-73061: log_file_mode is set to 0600 in postgresql.conf, and the permissions of the postgresql.conf file itself are set to 0600.

V-73123: An appropriate log_line_prefix is set in postgresql.conf to produce audit records containing sufficient information to establish where the events occurred.
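As an added verification aid, not part of the NCM release or its tooling, the following POSIX shell script checks that a postgresql.conf carries the on/off-style values listed above (log_line_prefix, the 10s timeouts and file permissions are out of scope) and that pgaudit.log covers both 'role' and 'ddl'. The sample config is constructed for a stand-alone run; the parameter names are the PostgreSQL and pgaudit settings named in the notes.

```shell
# Added example (not NCM code): check a postgresql.conf against the STIG
# values listed above. Assumes the usual "key = value  # comment" layout.
# Constructed sample config so the script runs stand-alone.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
log_destination = 'syslog'      # V-72909
syslog_facility = 'LOCAL0'
log_connections = on            # V-72925
log_disconnections = on
pgaudit.log = 'role, ddl'       # V-72929, V-72939
log_hostname = on               # V-73005
password_encryption = on        # V-73015
ssl = on                        # V-73047
log_file_mode = 0600            # V-73061
EOF
# conf_get FILE KEY: print the effective (last, uncommented) value, quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | tail -n 1 | sed "s/[[:space:]]*\$//; s/^'\(.*\)'\$/\1/"
}
# pgaudit_logs FILE CLASS: succeed if pgaudit.log's comma-separated list includes CLASS.
pgaudit_logs() {
    conf_get "$1" pgaudit.log | tr ',' '\n' | tr -d ' ' | grep -qx "$2"
}
# stig_check FILE: print PASS/FAIL per setting; return the number of failures.
stig_check() {
    fails=0
    while IFS='|' read -r key want; do
        got="$(conf_get "$1" "$key")"
        if [ "$got" = "$want" ]; then
            echo "PASS $key = $want"
        else
            echo "FAIL $key: want '$want', got '$got'"
            fails=$((fails + 1))
        fi
    done <<'EOF'
log_destination|syslog
syslog_facility|LOCAL0
log_connections|on
log_disconnections|on
log_hostname|on
password_encryption|on
ssl|on
log_file_mode|0600
EOF
    for cls in role ddl; do
        pgaudit_logs "$1" "$cls" || { echo "FAIL pgaudit.log lacks $cls"; fails=$((fails + 1)); }
    done
    return "$fails"
}
```

Run `stig_check /path/to/postgresql.conf` against a real server's file; a non-zero exit status is the number of settings that deviate from the values above.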

STIG V-2265: .java and .jpp files have been removed from the web server, except for the sample files below.

Some .java sample files remain in the directories below. These sample files can be moved to a different location or zipped.

There will not be any functional impact.