Crunchy Blog

Announcing the PostgreSQL STIG

March 27, 2017 / In PostgreSQL / by Joe Conway

Crunchy Data recently announced the publication of the PostgreSQL Security Technical Implementation Guide (STIG) by the United States Defense Information Systems Agency (DISA), making PostgreSQL the first open source database to provide a published STIG.

While the STIG was authored for the benefit of the U.S. Government, the DISA PostgreSQL STIG offers security-conscious enterprises a comprehensive guide for the configuration and operation of open source PostgreSQL. Enterprises can refer to the STIG as for guidance on PostgreSQL security best practices they consider open source PostgreSQL as an alternative to proprietary, closed source, database software.

Importantly, compliance with the STIG guidance requires only open source software and documentation. The PostgreSQL STIG is based on open source, unmodified PostgreSQL 9.x used in conjunction with certain open source PostgreSQL extensions – most notably, pgaudit.

In order to help PostgreSQL users benefit from the guidance provided in the DISA STIG, we wanted to provide some background information for getting started.

What is a DISA STIG?

Security Technical Implementation Guide (STIG) are the configuration standards for United States Department of Defense (DoD) Information Assurance (IA) and IA-enabled devices/systems published by the United States Defense Information Systems Agency (DISA). Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the STIGs. The STIGs contain technical guidance to “lock down” information systems/software that might otherwise be vulnerable to a malicious computer attack.

Is the PostgreSQL STIG US Government Specific?

The PostgreSQL STIG is from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4 and related documents.  While the DISA STIG is intended to provide technical guidance to “lock down” information systems/software used within the DoD, generally speaking the guidance provided it is not specific to the DoD and Crunchy Data believes the guidance provided is generally applicable to security conscious enterprises.

What Does the PostgreSQL STIG Cover?

PostgreSQL STIG provides guidance on the configuration of PostgreSQL to address requirements associated with:

  • Auditing
  • Logging
  • Data Encryption at Rest
  • Data Encryption Over the Wire
  • Access Controls
  • Administration
  • Authentication
  • Protecting against SQL Injection

How Does the PostgreSQL STIG Work?

The PostgreSQL STIG provides a series of “Requirements”, “Checks” and “Fixes” where:

  • Requirements” are provided as a series of security requirements for an operating environment.
  • Checks” are provided as a series of instructions or commands for verifying compliance with the stated requirement.
  • Fixes” are provided as remediation steps to the extent the Check determines that the system is not in fact in compliance with the stated Requirement.

Conclusion

Crunchy Data views the PostgreSQL STIG as yet another validation of the comprehensive security functionality of PostgreSQL and significant accomplishment of the PostgreSQL Global Development Community.

The PostgreSQL STIG represents the first open source software database STIG published by DISA, demonstrating that open source PostgreSQL is capable of meeting the exacting security requirements of the DoD.

We are proud to be part of the team that developed the STIG for PostgreSQL and look forward to working with all of the organizations who have been anxiously waiting for a PostgreSQL STIG to be approved for a supported quality open source relational database.

Additional Resources

PostgreSQL 9.x Security Technical Implementation Guide

Supplement to PostgreSQL 9.x Security Technical Implementation Guide 

 

 

 

2 replies