← Back to VMW vRealize Operations Manager 6.x PostgreSQL Security Technical Implementation Guide

V-239775

CAT II (Medium)

The vROps PostgreSQL DB must be able to generate audit records when privileges/permissions are retrieved.

Rule ID

SV-239775r879561_rule

STIG

VMW vRealize Operations Manager 6.x PostgreSQL Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000172

Discussion

Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.

Check Content

At the command prompt, execute the following command:

# grep '^\s*log_statement\b' /storage/db/vcops/vpostgres/data/postgresql.conf

If log_statement is not set to "all", this is a finding.

Fix Text

At the command prompt, execute the following commands:

# /opt/vmware/vpostgres/current/bin/psql -U postgres -c "ALTER SYSTEM SET log_statement TO 'all';"
# /opt/vmware/vpostgres/current/bin/psql -U postgres -c "SELECT pg_reload_conf();"