STIGhub, a free STIG search and compliance tool. © 2026 Beacon Cloud Solutions, Inc.

V-224173

CAT II (Medium)

The EDB Postgres Advanced Server password file must not be used.

Rule ID

SV-224173r961863_rule

STIG

EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-000366

Discussion

The EDB Postgres password file can contain passwords to be used if the connection allows a password (and no password has been specified otherwise). This file contains lines of the following format:

hostname:port:database:username:password

It is critically important to system security that use of a password file be avoided, as it stores passwords in plain text. Any user with access to this file could potentially compromise the security of the database.

Check Content

Check DBMS settings to determine whether a password file is being used.

On Windows, the default file name and location is:
%APPDATA%\postgresql\pgpass.conf (where %APPDATA% refers to the Application Data subdirectory in the user's profile).
Alternatively, a password file can be specified using the connection parameter passfile or the environment variable PGPASSFILE.

If a password file exists, this is a finding.
If a password file is not in use, this is not a finding.
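The check above names three places a password file can be configured: the default pgpass.conf under each user's %APPDATA%, the PGPASSFILE environment variable, and the passfile connection parameter. The following PowerShell script is an added audit example (not part of the STIG text or of STIGhub) that walks all three on a Windows host and reports whether the rule is a finding. It assumes it runs in an elevated session so that every profile under the local profile list and every loaded user registry hive is readable, and that AppData\Roaming is the standard %APPDATA% location for a profile; the function name Get-PgPassFindings is the author's own.

```powershell
# Added example, not from the STIG or STIGhub: audit a Windows host for the
# password files V-224173 prohibits. It checks the three locations the Check
# Content names: the default %APPDATA%\postgresql\pgpass.conf in every user
# profile, the PGPASSFILE environment variable (machine scope plus each loaded
# user hive), and Windows service command lines that pass the libpq passfile
# connection parameter.
# Assumptions: run elevated so all profiles and HKU hives are readable;
# AppData\Roaming is the standard %APPDATA% location for a profile.

function Get-PgPassFindings {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Default file location, checked for every local profile (service
    #    account profiles included, since they also expand %APPDATA%).
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { $_.LocalPath } |
        ForEach-Object {
            $candidate = Join-Path $_.LocalPath 'AppData\Roaming\postgresql\pgpass.conf'
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                $findings.Add([pscustomobject]@{
                    Source  = 'DefaultPath'
                    Context = $_.LocalPath
                    Path    = $candidate
                })
            }
        }

    # 2a. PGPASSFILE at machine scope applies to every logon and every service.
    $machine = [Environment]::GetEnvironmentVariable('PGPASSFILE', 'Machine')
    if ($machine) {
        $findings.Add([pscustomobject]@{ Source = 'PGPASSFILE (Machine)'; Context = 'HKLM'; Path = $machine })
    }

    # 2b. PGPASSFILE in each loaded user hive (HKU\<SID>\Environment). Only
    #     hives that are currently loaded are visible here; profiles of users
    #     who are not logged on would need their NTUSER.DAT loaded separately.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $envKey = "Registry::HKEY_USERS\$($_.PSChildName)\Environment"
            if (Test-Path -LiteralPath $envKey) {
                $value = (Get-ItemProperty -LiteralPath $envKey -ErrorAction SilentlyContinue).PGPASSFILE
                if ($value) {
                    $findings.Add([pscustomobject]@{ Source = 'PGPASSFILE (User)'; Context = $_.PSChildName; Path = $value })
                }
            }
        }

    # 3. Services whose command line carries passfile= (libpq keyword/value
    #    form or the URI query-parameter form both match this pattern).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match '(?i)passfile\s*=' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Source = 'Service passfile'; Context = $_.Name; Path = $_.PathName })
        }

    return $findings
}

# Wrap in @() so a single result or no result still has a usable .Count.
$results = @(Get-PgPassFindings)
if ($results.Count -eq 0) {
    Write-Output 'V-224173: no password file in use - not a finding.'
} else {
    Write-Output "V-224173: FINDING - $($results.Count) password file reference(s):"
    $results | Format-Table -AutoSize
}
```

Each row in the output tells the reviewer which of the three mechanisms produced the hit and where, which is what the fix needs: a DefaultPath row points at a file to remove, a PGPASSFILE row at an environment variable to clear, and a Service passfile row at a service definition to reconfigure for certificate-based authentication. The script only reads; it deletes nothing, so it can be run on a production host during the review before the fix is scheduled.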

Fix Text

Remove any password files present on the server and implement a more secure form of authentication.

The DoD standard for authentication is DoD-approved PKI certificates.