← Back to VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide

V-240278

CAT II (Medium)

The vRA PostgreSQL database must set the log_statement to all.

Rule ID

SV-240278r879561_rule

STIG

VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000172

Discussion

Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.

Check Content

At the command prompt, execute the following command:

# grep '^\s*log_statement\b' /storage/db/pgdata/postgresql.conf

If "log_statement" is not "all", this is a finding.

Fix Text

At the command prompt, execute the following commands:

# /opt/vmware/vpostgres/current/bin/psql -U postgres -c "ALTER SYSTEM SET log_statement TO 'all';"
# /opt/vmware/vpostgres/current/bin/psql -U postgres -c "SELECT pg_reload_conf();"