"title":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events. (V-72891)",
"script":"#!/bin/bash\nPGDATA_FILES=$(ls -la ${PGDATA?}, | grep -v -e postgres)\nQUERY=$(su - postgres bash -c 'psql -c \"\\\\du\"')\n\necho \"V-72891\"\necho \"Check Type - Visual Validation.\"\necho\nif [[ -z $PGDATA_FILES ]]\nthen\n echo \"All files within \\$PGDATA are owned by user postgres. This part PASSES.\"\nelse\n echo \"All files within \\$PGDATA are NOT owned by user postgres. This part FAILS.\"\nfi\necho\necho \"Review the following role permissions: \"\necho \"$QUERY\"\necho\necho \"If any role is listed as superuser but should not have that access, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72919",
"previousName":"",
"_id":9009,
"title":"PostgreSQL must generate audit records when categorized information (e.g., classification levels/security levels) is accessed. (V-72919)",
"script":"#!/bin/bash\nQUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"')\nVALUES=$(echo $QUERY | grep -E 'ddl|write|role')\nERROR=$(echo $QUERY | grep ERROR)\n\necho \"V-72919\"\nif [[ -n $ERROR ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $VALUES ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain ddl, write, or role.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72931",
"previousName":"",
"_id":9010,
"title":"PostgreSQL must generate audit records when unsuccessful attempts to delete categorized information (e.g., classification levels/security levels) occur. (V-72931)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"')\nLIB_VALUES=$(echo $LIB_QUERY | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"')\nAUDIT_VALUES=$(echo $AUDIT_QUERY | grep -E 'ddl|write|role|read')\n\necho \"V-72931\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $AUDIT_VALUES ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain ddl, write, read, or role.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72949",
"previousName":"",
"_id":9011,
"title":"PostgreSQL must generate audit records when unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur. (V-72949)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"')\nLIB_VALUES=$(echo $LIB_QUERY | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"')\nAUDIT_VALUES=$(echo $AUDIT_QUERY | grep -E 'ddl|write|role|read')\n\necho \"V-72949\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $AUDIT_VALUES ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain ddl, write, read, or role.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72953",
"previousName":"",
"_id":9012,
"title":"PostgreSQL must generate audit records for all privileged activities or other system-level access. (V-72953)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"')\nLIB_VALUES=$(echo $LIB_QUERY | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"')\nAUDIT_VALUES=$(echo $AUDIT_QUERY | grep -E 'ddl|write|role|read')\n\necho \"V-72953\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $AUDIT_VALUES ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain ddl, write, read, or role.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72955",
"previousName":"",
"_id":9013,
"title":"PostgreSQL must generate audit records when unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur. (V-72955)",
"script":"#!/bin/bash\nQUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"')\nVALUES=$(echo $QUERY | grep -E 'ddl|write|role')\nERROR=$(echo $QUERY | grep ERROR)\n\necho \"V-72955\"\nif [[ -n $ERROR ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $VALUES ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain ddl, write, or role.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72957",
"previousName":"",
"_id":9014,
"title":"PostgreSQL must be able to generate audit records when security objects are accessed. (V-72957)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"')\nLIB_VALUES=$(echo $LIB_QUERY | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"')\nAUDIT_VALUES=$(echo $AUDIT_QUERY | grep -E 'ddl|write|role|read')\n\necho \"V-72957\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $AUDIT_VALUES ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain ddl, write, read, or role.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72959",
"previousName":"",
"_id":9015,
"title":"PostgreSQL must generate audit records when privileges/permissions are deleted. (V-72959)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"')\nLIB_VALUES=$(echo $LIB_QUERY | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"')\nAUDIT_VALUES=$(echo $AUDIT_QUERY | grep -E 'ddl|write|role|read')\n\necho \"V-72959\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $AUDIT_VALUES ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain ddl, write, read, or role.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72961",
"previousName":"",
"_id":9016,
"title":"PostgreSQL must generate audit records when concurrent logons/connections by the same user from different workstations occur. (V-72961)",
"script":"#!/bin/bash\nCON_QUERY=$(su - postgres bash -c 'psql -c \"SHOW log_connections\"')\nDISCON_QUERY=$(su - postgres bash -c 'psql -c \"SHOW log_disconnections\"')\nCON_OFF=$(echo $CON_QUERY | grep off)\nDISCON_OFF=$(echo $DISCON_QUERY | grep off)\n\necho \"V-72961\"\nif [[ -n $CON_OFF || -n $DISCON_OFF ]]\nthen\n echo \"Check FAILED.\"\n echo \"log_connections and/or log_disconnections is set to 'off'\"\n exit 1\nelse\n echo \"Check PASSED.\"\n echo \"log_connections and log_disconections are set properly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72963",
"previousName":"",
"_id":9017,
"title":"PostgreSQL must generate audit records when unsuccessful attempts to delete security objects occur. (V-72963)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"')\nLIB_VALUES=$(echo $LIB_QUERY | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"')\nAUDIT_VALUES=$(echo $AUDIT_QUERY | grep -E 'ddl|write|role|read')\n\necho \"V-72963\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $AUDIT_VALUES ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain ddl, write, read, or role.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72965",
"previousName":"",
"_id":9018,
"title":"PostgreSQL must generate audit records when privileges/permissions are modified. (V-72965)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"')\nLIB_VALUES=$(echo $LIB_QUERY | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"')\nAUDIT_VALUES=$(echo $AUDIT_QUERY | grep role)\n\necho \"V-72965\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $AUDIT_VALUES ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain role.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72897",
"previousName":"",
"_id":9001,
"title":"Database objects (including but not limited to tables, indexes, storage, trigger procedures, functions, links to software external to PostgreSQL, etc.) must be owned by database/DBMS principals authorized for ownership. (V-72897)",
"title":"PostgreSQL must generate audit records when security objects are modified. (V-72971)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"')\nLIB_VALUES=$(echo $LIB_QUERY | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"')\nAUDIT_VALUES=$(echo $AUDIT_QUERY | grep -E 'ddl|write|role|read')\nLOGCAT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log_catalog\"')\nLOGCAT_VALUE=$(echo $LOGCAT_QUERY | grep -E 'on|On|ON')\n\necho \"V-72971\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $AUDIT_VALUES ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain ddl, write, read, or role.\"\n exit 1\nelif [[ -z $LOGCAT_VALUE ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT LOG CATALOG is not set to 'on'\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72973",
"previousName":"",
"_id":9020,
"title":"PostgreSQL must generate audit records when categorized information (e.g., classification levels/security levels) is modified. (V-72973)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"')\nLIB_VALUES=$(echo $LIB_QUERY | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"')\nAUDIT_VALUES=$(echo $AUDIT_QUERY | grep -E 'ddl|write|role|read')\n\necho \"V-72973\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $AUDIT_VALUES ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain ddl, write, read, or role.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72979",
"previousName":"",
"_id":9021,
"title":"PostgreSQL, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. (V-72979)",
"script":"#!/bin/bash\nCRL_QUERY=$(su - postgres bash -c 'psql -c \"SHOW ssl_crl_file\"')\nCRL_FILE=$(ls -la ${PGDATA?}, | grep -e .crl)\nHOSTSSL_VALUES=$(grep hostssl ${PGDATA?}/postgresql.conf | grep -E 'cert|clientcert=1')\n\necho \"V-72979\"\necho \"Check Type - Visual Validation\"\necho\necho \"Value of ssl_crl_file query: \"\necho\necho \"$CRL_QUERY\"\necho\necho \"If this is not set to a CRL file, this is a finding.\"\necho\nif [[ -z $CRL_FILE && -z $HOSTSSL_VALUES ]]\nthen\n echo \"CRL_FILE and HOSTSSL_VALUES have FAILED.\"\n echo \"Either the crl file is not present in PGDATA or HOSTSSL values are not properly set in postgresql.conf.\"\n exit 1\nelse\n echo \"CRLFILE and HOSTSSL have PASSED.\"\n echo \"crl file is present on target and HOSTSSL values are set properly.\"\n exit 1\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72981",
"previousName":"",
"_id":9022,
"title":"PostgreSQL must maintain the confidentiality and integrity of information during preparation for transmission. (V-72981)",
"title":"PostgreSQL must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components. (V-72983)",
"script":"#!/bin/bash\necho \"V-72983\"\necho \"Check Type - Manual Check\"\necho \"Check: Check PostgreSQL auditing to determine whether\norganization-defined auditable events are being audited by the system.\nIf organization-defined auditable events are not being audited, this is a\nfinding.\"\necho \"Fix: Configure PostgreSQL to generate audit records for at least the\nDoD minimum set of events.\nUsing pgaudit PostgreSQL can be configured to audit these requests. See\nsupplementary content APPENDIX-B for documentation on installing pgaudit.\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72987",
"previousName":"",
"_id":9024,
"title":"PostgreSQL must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event. (V-72987)",
"title":"PostgreSQL must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements. (V-72991)",
"script":"#!/bin/bash\nSSL_QUERY=$(su - postgres bash -c 'psql -c \"SHOW ssl\"' | grep -E 'on|ON|On')\n\necho \"V-72991\"\nif [[ -z $SSL_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"SSL is not enabled on target.\"\n exit 1\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72995",
"previousName":"",
"_id":9026,
"title":"PostgreSQL must protect the confidentiality and integrity of all information at rest. (V-72995)",
"script":"#!/bin/bash\nCRYP_QUERY=$(su - postgres bash -c \"psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\")\n\necho \"V-72995\"\necho \"Check Type - Visual Validation\"\necho\necho \"Check if pgcrypto is installed on PostgreSQL: \"\necho\necho \"$CRYP_QUERY\"\necho\necho \"If data in the database requires encryption and pgcrypto is not available, this is a\nfinding. If disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of disk-level encryption. If this is required and is not found,\nthis is a finding. If controls do not exist or are not enabled, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72999",
"previousName":"",
"_id":9027,
"title":"PostgreSQL must separate user functionality (including user interface services) from database management functionality. (V-72999)",
"script":"#!/bin/bash\nQUERY=$(su - postgres bash -c 'psql -c \"\\\\du\"')\n\necho \"V-72999\"\necho \"Check Type - Visual Validation\"\necho\necho \"List all roles and permissions for the database:\"\necho\necho \"$QUERY\"\necho\necho \"If any non-administrative role has the attribute \\\"Superuser\\\", \\\"Create role\\\",\n\\\"Create DB\\\" or \\\"Bypass RLS\\\", this is a finding.\nIf administrator and general user functionality are not separated either physically\nor logically, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73001",
"previousName":"",
"_id":9028,
"title":"PostgreSQL must initiate session auditing upon startup. (V-73001)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"' | grep pgaudit)\nLOG_QUERY=$(su - postgres bash -c 'psql -c \"SHOW logging_destination\"' | grep -E 'stderr|syslog')\n\necho \"V-73001\"\nif [[ -z $LIB_QUERY || -z $LOG_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"shared_preload_libraries and/or logging_destination are not set properly.\"\n exit 1\nelse\n echo \"Check PASSED.\"\n echo \"shared_preload_libraries and logging_destination are set properly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72899",
"previousName":"",
"_id":9002,
"title":"The PostgreSQL software installation account must be restricted to authorized users. (V-72899)",
"script":"#!/bin/bash\necho \"V-72899\"\necho \"Check Type - Manual Check\"\necho \"Check: Review procedures for controlling, granting access to, and\ntracking use of the PostgreSQL software installation account(s).\nIf access or use of this account is not restricted to the minimum number of\npersonnel required or if unauthorized access to the account has been granted,\nthis is a finding.\"\necho \"Fix: Develop, document, and implement procedures to restrict and track\nuse of the PostgreSQL software installation account.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73003",
"previousName":"",
"_id":9029,
"title":"PostgreSQL must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. (V-73003)",
"script":"#!/bin/bash\nCRYP_QUERY=$(su - postgres bash -c \"psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\")\n\necho \"V-73003\"\necho \"Check Type - Visual Validation\"\necho\necho \"Check if pgcrypto is installed on PostgreSQL: \"\necho\necho \"$CRYP_QUERY\"\necho\necho \"If data in the database requires encryption and pgcrypto is not available, this is a\nfinding. If disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of disk-level encryption. If this is required and is not found,\nthis is a finding. If controls do not exist or are not enabled, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73005",
"previousName":"",
"_id":9030,
"title":"PostgreSQL must produce audit records containing sufficient information to establish the sources (origins) of the events. (V-73005)",
"script":"#!/bin/bash\nLOG_QUERY=$(su - postgres bash -c 'psql -c \"SHOW log_line_prefix\"' | grep -E '%m|%u|%d|%p|%r|%a')\nHOST_QUERY=$(su - postgres bash -c 'psql -c \"SHOW log_hostname\"' | grep -E 'on|On|ON')\n\necho \"V-73005\"\nif [[ -z $LOG_QUERY || -z $HOST_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"log_line_prefix does not contain adequate logging parameters.\"\n echo \"log_hostname is set to 'off'\"\n exit 1\nelse\n echo \"Check PASSED.\"\n echo \"log_line_prefix contains proper parameters and log_hostname is set to 'on'\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73011",
"previousName":"",
"_id":9031,
"title":"Unused database components which are integrated in PostgreSQL and cannot be uninstalled must be disabled. (V-73011)",
"script":"#!/bin/bash\necho \"V-73011\"\necho \"Check Type - Manual Check\"\necho \"Check: To list all installed packages, as the system administrator, run the following:\"\necho \"RHEL/CENT Systems - sudo yum list installed | grep postgres\"\necho \"Debian Systems - dpkg --get-selections | grep postgres\"\necho \"If any packages are installed that are not required, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73013",
"previousName":"",
"_id":9032,
"title":"PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in process. (V-73013)",
"script":"#!/bin/bash\necho \"V-73013\"\necho \"Check Type - Manual Check\"\necho \"Run the following SQL against each table that requires security labels:\"\necho \"su - postgres bash -c 'psql -c \\\"\\\\d+ <schema_name>.<table_name>\\\"'\"\necho \"If security labeling requirements have been specified, but the security labeling is\nnot implemented or does not reliably maintain labels on information in process, this\nis a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73015",
"previousName":"",
"_id":9033,
"title":"If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords. (V-73015)",
"script":"#!/bin/bash\nENCRYP_QUERY=$(su - postgres bash -c 'psql -c \"SHOW password_encryption\"' | grep -E 'on|ON|On')\nSHADOW_QUERY=$(su - postgres bash -c 'psql -x -c \"SELECT * FROM pg_shadow\"' | grep passwd)\n\necho \"V-73015\"\necho \"Check Type - Visual Validation\"\necho\nif [[ -n $ENCRYP_QUERY ]]\nthen\n echo \"PASSWORD ENCRYPTION is enabled on target.\"\n echo \"This part of the check PASSES.\"\nelse\n echo \"PASSWORD ENCRYPTION is NOT enabled on target.\"\n echo \"This part of the check FAILS.\"\nfi \necho\necho \"Identify if any passwords have been stored without being hashed and salted. Passwords on target: \"\necho\necho \"$SHADOW_QUERY\"\necho\necho \"If any password is in plaintext, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73017",
"previousName":"",
"_id":9034,
"title":"PostgreSQL must enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s). (V-73017)",
"script":"#!/bin/bash\nUSER_QUERY=$(su - postgres bash -c 'psql -c \"\\\\du\"')\nLIST_QUERY=$(su - postgres bash -c 'psql -c \"\\\\l\"')\nNAME_QUERY=$(su - postgres bash -c 'psql -c \"\\\\dn+\"')\n\necho \"V-73017\"\necho \"Check Type - Visual Validation\"\necho\necho \"List all the permissions of individual roles: \"\necho\necho \"$USER_QUERY\"\necho\necho \"If any role has SUPERUSER that should not, this is a finding.\"\necho\necho \"List all the permissions of databases and schemas: \"\necho\necho \"$LIST_QUERY\"\necho\necho \"$NAME_QUERY\"\necho\necho \"If any database or schema has update (\\\"W\\\") or create (\\\"C\\\") privileges and should\nnot, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73019",
"previousName":"",
"_id":9035,
"title":"PostgreSQL must protect against a user falsely repudiating having performed organization-defined actions. (V-73019)",
"title":"The system must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity. (V-73023)",
"script":"#!/bin/bash\necho \"V-73023\"\necho \"Check Type - Manual Check\"\necho \"Check: If no script/tool is monitoring the partition for the PostgreSQL log directories,\nthis is a finding. If appropriate support staff are not notified immediately upon storage volume\nutilization reaching 75%, this is a finding.\"\necho \"Fix: Configure the system to notify appropriate support staff immediately\nupon storage volume utilization reaching 75%. PostgreSQL does not monitor storage, however, it is possible to monitor storage with\na script. Schedule this script in cron to run around the clock.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73025",
"previousName":"",
"_id":9038,
"title":"PostgreSQL must provide the means for individuals in authorized roles to change the auditing to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds. (V-73025)",
"title":"Database software, including PostgreSQL configuration files, must be stored in dedicated directories separate from the host OS and other applications. (V-72901)",
"script":"#!/bin/bash\necho \"V-72901\"\necho \"Check Type - Manual Check\"\necho \"Check: Review the PostgreSQL software library directory and any subdirectories.\nIf any non-PostgreSQL software directories exist on the disk directory,\nexamine or investigate their use. If any of the directories are used by other\napplications, including third-party applications that use the PostgreSQL, this is a finding.\nOnly applications that are required for the functioning and administration,\nnot use, of the PostgreSQL should be located in the same disk directory as\nthe PostgreSQL software libraries.\nIf other applications are located in the same directory as PostgreSQL, this is a finding.\"\necho \"Fix: Install all applications on directories separate from the\nPostgreSQL software library directory. Relocate any directories or reinstall\nother application software that currently shares the PostgreSQL software\nlibrary directory.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73027",
"previousName":"",
"_id":9039,
"title":"PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. (V-73027)",
"script":"#!/bin/bash\necho \"V-73027\"\necho \"Check Type - Manual Check\"\necho \"Determine all situations where a user must re-authenticate. Check if\nthe mechanisms that handle such situations use the following SQL:\nTo make a single user re-authenticate, the following must be present:\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user='<username>'\nTo make all users re-authenticate, run the following:\nSELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE user LIKE '%'\nIf the provided SQL does not force re-authentication, this is a finding.\"\necho \"Fix: Modify and/or configure PostgreSQL and related applications and tools\nso that users are always required to reauthenticate when changing role or escalating\nprivileges.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73031",
"previousName":"",
"_id":9040,
"title":"PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. (V-73031)",
"script":"#!/bin/bash\nSSL_CA_QUERY=$(su - postgres bash -c 'psql -c \"SHOW ssl_ca_file\"')\nSSL_CERT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW ssl_cert_file\"')\n\necho \"V-73031\"\necho \"Check Type - Visual Validation\"\necho\necho \"Target SSL CA FILE: \"\necho \"$SSL_CA_QUERY\"\necho\necho \"Target SSL CERT FILE: \"\necho \"$SSL_CERT_QUERY\"\necho\necho \"If the database is not configured to used approved certificates, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73033",
"previousName":"",
"_id":9041,
"title":"PostgreSQL must produce audit records containing sufficient information to establish what type of events occurred. (V-73033)",
"title":"PostgreSQL must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components. (V-73035)",
"script":"#!/bin/bash\nCRYP_QUERY=$(su - postgres bash -c \"psql -c \\\"SELECT * FROM pg_available_extensions where name='pgcrypto'\\\"\")\n\necho \"V-73035\"\necho \"Check Type - Visual Validation\"\necho\necho \"Check if pgcrypto is installed on PostgreSQL: \"\necho\necho \"$CRYP_QUERY\"\necho\necho \"If data in the database requires encryption and pgcrypto is not available, this is a\nfinding. If a disk or filesystem requires encryption, ask the system owner, DBA, and SA to\ndemonstrate the use of filesystem and/or disk-level encryption. If this is required\nand is not found, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73037",
"previousName":"",
"_id":9043,
"title":"PostgreSQL must invalidate session identifiers upon user logout or other session termination. (V-73037)",
"script":"#!/bin/bash\nTCP_IDLE_QUERY=$(su - postgres bash -c 'psql -c \"SHOW tcp_keepalives_idle\"')\nTCP_INTERVAL_QUERY=$(su - postgres bash -c 'psql -c \"SHOW tcp_keepalives_interval\"')\nTCP_COUNT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW tcp_keepalives_count\"')\nTIMEOUT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW statement_timeout\"')\n\necho \"V-73037\"\necho \"Check Type - Visual Validation\"\necho\necho \"TCP KEEPALIVE IDLE: \"\necho \"$TCP_IDLE_QUERY\"\necho\necho \"TCP KEEPALIVE INTERVAL: \"\necho \"$TCP_INTERVAL_QUERY\"\necho\necho \"TCP KEEPALIVE COUNT: \"\necho \"$TCP_COUNT_QUERY\"\necho\necho \"STATEMENT TIMEOUT: \"\necho \"$TIMEOUT_QUERY\"\necho\necho \"If these settings are not set, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73041",
"previousName":"",
"_id":9044,
"title":"PostgreSQL must produce audit records containing time stamps to establish when the events occurred. (V-73041)",
"title":"PostgreSQL must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. (V-73045)",
"script":"#!/bin/bash\nLOG_DEST_QUERY=$(su - postgres bash -c 'psql -c \"SHOW log_destination\"')\nSYSLOG_QUERY=$(su - postgres bash -c 'psql -c \"SHOW syslog_facility\"')\n\necho \"V-73045\"\necho \"Check Type - Visual Validation\"\necho\necho \"Target LOG DESTINATION: \"\necho\necho \"$LOG_DEST_QUERY\"\necho\necho \"If log_destination is not syslog, this is a finding.\"\necho\necho \"Target SYSLOG_FACILITY: \"\necho\necho \"$SYSLOG_QUERY\"\necho\necho \"Check with the organization to see how syslog facilities are defined in their\norganization. If the wrong facility is configured, this is a finding.\nIf PostgreSQL does not have a continuous network connection to the centralized log\nmanagement system, and PostgreSQL audit records are not transferred to the\ncentralized log management system weekly or more often, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73047",
"previousName":"",
"_id":9046,
"title":"PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. (V-73047)",
"script":"#!/bin/bash\nSSL_QUERY=$(su - postgres bash -c 'psql -c \"SHOW ssl\"' | grep -E 'on|ON|On')\n\necho \"V-73047\"\nif [[ -z $SSL_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"Target SSL is set to 'off'.\"\n exit 1\nelse\n echo \"Check PASSED.\"\n echo \"Target SSl is set to 'on'.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73049",
"previousName":"",
"_id":9047,
"title":"PostgreSQL must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). (V-73049)",
"script":"#!/bin/bash\nUSER_QUERY=$(su - postgres bash -c 'psql -c \"\\\\du\"')\nPG_HBA=$(cat ${PGDATA?},/pg_hba.conf)\n\necho \"V-73049\"\necho \"Check Type - Visual Validation\"\necho\necho \"List of all roles in the database: \"\necho \"$USER_QUERY\"\necho\necho \"If organizational users are not uniquely identified and authenticated, this is a finding.\"\necho\necho \"Verify the current pg_hba.conf authentication settings: \"\necho \"$PG_HBA\"\necho\necho \"If every role does not have unique authentication rcmpuirements, this is a finding.\nIf accounts are determined to be shared, determine if individuals are first\nindividually authenticated. If individuals are not individually authenticated before\nusing the shared account, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73051",
"previousName":"",
"_id":9048,
"title":"PostgreSQL must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect. (V-73051)",
"script":"#!/bin/bash\necho \"V-73051\"\necho \"Check Type - Manual Check\"\necho \"Review system documentation to obtain the organization's definition\nof circumstances requiring automatic session termination. If the documentation\nexplicitly states that such termination is not required or is prohibited, this is\nnot a finding. If the documentation requires automatic session termination, but PostgreSQL is not\nconfigured accordingly, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72903",
"previousName":"",
"_id":9004,
"title":"PostgreSQL must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject. (V-72903)",
"script":"#!/bin/bash\necho \"V-72903\"\necho \"Check Type - Manual Check\"\necho \"Check: Review the system documentation to identify what additional\ninformation the organization has determined necessary.\nCheck PostgreSQL settings and existing audit records to verify that all\norganization-defined additional, more detailed information is in the audit\nrecords for audit events identified by type, location, or subject.\nIf any additional information is defined and is not contained in the audit\nrecords, this is a finding.\"\necho \"Fix: Configure PostgreSQL audit settings to include all\norganization-defined detailed information in the audit records for audit\nevents identified by type, location, or subject.\nUsing pgaudit PostgreSQL can be configured to audit these requests. See\nsupplementary content APPENDIX-B for documentation on installing pgaudit.\nTo ensure that logging is enabled, review supplementary content APPENDIX-C for\ninstructions on enabling logging.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73055",
"previousName":"",
"_id":9049,
"title":"PostgreSQL must map the PKI-authenticated identity to an associated user account. (V-73055)",
"script":"#!/bin/bash\nSSL_CHECK=$(openssl x509 -noout -subject -in client_cert)\nPG_HBA_MAP=$(grep \"map\" ${PGDATA?},/pg_hba.conf)\nPG_IDENT=$(cat ${PGDATA?}/pg_ident.conf)\n\necho \"V-73055\"\necho \"Check Type - Visual Validation\"\necho\necho \"CN of the target Certificate: \"\necho \"$SSL_CHECK\"\necho \"If the cn does not match the users listed in PostgreSQL and no user mapping is used, this is a finding.\"\necho\necho \"List of maps used for authentication: \"\necho \"$PG_HBA_MAP\"\necho\necho \"With the names of the maps used, check those maps against the user name mappings in pg_ident.conf:\"\necho \"$PG_IDENT\"\necho \"If user accounts are not being mapped to authenticated identities, this is a finding.\nIf the cn and the username mapping do not match, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73057",
"previousName":"",
"_id":9050,
"title":"Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. (V-73057)",
"script":"#!/bin/bash\necho \"V-73057\"\necho \"Check Type - Manual Check\"\necho \"Review the procedures for the refreshing of development/test data\nfrom production. Review any scripts or code that exists for the movement of production data to\ndevelopment/test systems, or to any other location or for any other purpose.\nVerify that copies of production data are not left in unprotected locations.\nIf the code that exists for data movement does not comply with the\norganization-defined data transfer policy and/or fails to remove any copies of\nproduction data from unprotected locations, this is a finding.\"\necho \"Fix: Modify any code used for moving data from production to\ndevelopment/test systems to comply with the organization-defined data transfer\npolicy, and to ensure copies of production data are not left in unsecured locations.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73061",
"previousName":"",
"_id":9051,
"title":"PostgreSQL must protect its audit configuration from unauthorized modification. (V-73061)",
"script":"#!/bin/bash\nPGDATA_FILES=$(ls -la ${PGDATA?}, | grep postgresql.conf | grep -v -e 'postgres')\nLOG_FILE_MODE=$(su - postgres bach -c 'psql -c \"SHOW log_file_mode\"' | grep '0600')\nERROR=0\necho \"V-73061\"\nif [[ -n $PGDATA_FILES ]]\nthen\n echo \"postgresql.conf are not owned by database administrator.\"\n ERROR=1\nfi \nif [[ -z $LOG_FILE_MODE ]]\nthen\n echo \"log_file_mode is not set to 0600.\"\n ERROR=1\nfi \nif [[ $ERROR -eq 1 ]]\nthen\n echo \"Check FAILED.\"\n echo \"Check above output for failure causation.\"\n exit 1\nelif [[ $ERROR -eq 0 ]]\nthen\n echo \"Check PASSED.\"\n echo \"postgresql.conf is owned by database admin and log_file_mode is set to 0600.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73065",
"previousName":"",
"_id":9052,
"title":"Audit records must be generated when categorized information (e.g., classification levels/security levels) is deleted. (V-73065)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"' | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"' | grep -E 'ddl|write|role|read')\n\necho \"V-73065\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $AUDIT_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain ddl, write, read, or role.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73067",
"previousName":"",
"_id":9053,
"title":"PostgreSQL must generate audit records when successful accesses to objects occur. (V-73067)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"' | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"' | grep -E 'write|read')\n\necho \"V-73067\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log is not established in postgresql.conf\"\n exit 1\nelif [[ -z $AUDIT_QUERY ]]\nthen\n echo \"Check FAILED.\"\n echo \"PGAUDIT.log does not contain write or read.\"\n exit 1\nelse \n echo \"Check PASSED.\"\n echo \"PGAUDIT.log is setup correctly.\"\n exit 0\nfi",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73069",
"previousName":"",
"_id":9054,
"title":"PostgreSQL must generate audit records for all direct access to the database(s). (V-73069)",
"script":"#!/bin/bash\nLIB_QUERY=$(su - postgres bash -c 'psql -c \"SHOW shared_preload_libraries\"' | grep pgaudit)\nAUDIT_QUERY=$(su - postgres bash -c 'psql -c \"SHOW pgaudit.log\"' | grep -E 'write|role|ddl|read')\nCON_QUERY=$(su - postgres bash -c 'psql -c \"SHOW log_connections\"' | grep -E 'off|OFF|Off')\nDISCON_QUERY=$(su - postgres bash -c 'psql -c \"SHOW log_disconnections\"' | grep -E 'off|OFF|Off')\nERROR=0\n\necho \"V-73069\"\nif [[ -z $LIB_QUERY ]]\nthen\n echo \"shared_preload_libraries does not contain 'pgaudit'.\"\n ERROR=1\nfi\nif [[ -z $AUDIT_QUERY ]]\nthen\n echo \"PGAUDIT.log does not contain ddl, read, role, or write.\"\n ERROR=1\nfi\nif [[ -n $CON_QUERY || -n $DISCON_QUERY ]]\nthen\n echo \"log_connections and/or log_disconnections is set to 'off'.\"\n ERROR=1\nfi\nif [[ $ERROR -eq 1 ]]\nthen\n echo \"Check FAILED.\"\n echo \"Check above output for failure causation.\"\n exit 1\nelif [[ $ERROR -eq 0 ]]\nthen\n echo \"Check PASSED.\"\n echo \"shared_preload_libraries contains 'pgaudit'. PGAUDIT.log contains ddl, read, role or write. log_connections/log_disconnections are set to 'on'.\"\n exit 0\nfi",
"severity":"medium"
},
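The pgaudit checks on this page (V-73065, V-73067 and V-73069 above, and V-72919/V-72931 earlier) grep the output of SHOW pgaudit.log for class names. pgaudit itself reads the setting as a comma-separated, case-insensitive list of classes (READ, WRITE, FUNCTION, ROLE, DDL, MISC, MISC_SET, ALL, or NONE) in which ALL expands to every class and a leading minus removes one, so a grep passes "all, -ddl" for DDL although DDL is excluded, and fails a plain "all" although everything is logged. The shell functions below are an added example, not one of the check scripts above; the names pgaudit_logs_class and pgaudit_covers and the sample values are mine.

```shell
#!/bin/bash
# Added example (not one of the STIG check scripts above): evaluate a pgaudit.log
# value the way pgaudit reads it instead of grepping for class names.
# pgaudit.log is a comma-separated, case-insensitive list of classes; ALL expands
# to every class, a leading '-' removes a class, NONE logs nothing, and later
# entries override earlier ones. Quotes around the value are ignored.
PGAUDIT_CLASSES="read write function role ddl misc misc_set"

# pgaudit_logs_class VALUE CLASS -> returns 0 if CLASS is audited under VALUE, 1 otherwise.
pgaudit_logs_class() {
  local value="$1" want="$2" enabled=" " token sign cls c
  want=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
  # lower-case the value, turn commas into spaces, drop quotes, then walk the tokens in order
  for token in $(printf '%s' "$value" | tr 'A-Z,' 'a-z ' | tr -d "'\""); do
    sign="+"
    case "$token" in
      -*) sign="-"; token="${token#-}" ;;
      none) continue ;;
    esac
    if [ "$token" = "all" ]; then cls="$PGAUDIT_CLASSES"; else cls="$token"; fi
    for c in $cls; do
      # remove any earlier mention of the class, then re-add it if this entry enables it
      enabled=$(printf '%s' "$enabled" | sed "s/ $c / /g")
      if [ "$sign" = "+" ]; then enabled="$enabled$c "; fi
    done
  done
  case "$enabled" in
    *" $want "*) return 0 ;;
    *) return 1 ;;
  esac
}

# pgaudit_covers VALUE "class1 class2 ..." -> 0 if every listed class is audited,
# otherwise prints the missing classes to stderr and returns 1.
pgaudit_covers() {
  local value="$1" required="$2" missing="" c
  for c in $required; do
    pgaudit_logs_class "$value" "$c" || missing="$missing $c"
  done
  if [ -n "$missing" ]; then
    echo "pgaudit.log='$value' does not audit:$missing" >&2
    return 1
  fi
  return 0
}

# Constructed sample values; on a live server the value comes from:
#   su - postgres bash -c 'psql -tAc "SHOW pgaudit.log"'
pgaudit_covers "all, -misc" "ddl write role read" && echo "all, -misc: covers ddl/write/role/read"
pgaudit_covers "ddl, write, role" "ddl write role read" || echo "-> finding: read is not audited"
```

Inside a check script the value is taken from the SHOW pgaudit.log query the scripts already run; pgaudit_covers then returns 1 and names the missing classes, which is what the pass/fail branches above want.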
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73071",
"previousName":"",
"_id":9055,
"title":"The DBMS must be configured on a platform that has a NIST certified FIPS 140-2 installation of OpenSSL. (V-73071)",
"script":"#!/bin/bash\necho \"V-73071\"\necho \"Check Type - Manual Check\"\necho \"Check: If the deployment incorporates a custom build of the operating\nsystem and Postgres guaranteeing the use of FIPS 140-2 compliant OpenSSL,\nthis is not a finding. If PostgreSQL is not installed on Red Hat Enterprise Linux (RHEL), this is a finding.\nIf FIPS encryption is not enabled, this is a finding.\"\necho \"Fix: Install Postgres with FIPS-compliant cryptography enabled on RHEL;\nor by other means ensure that FIPS 140-2 certified OpenSSL libraries are used by the DBMS.\"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73123",
"previousName":"",
"_id":9056,
"title":"PostgreSQL must produce audit records containing sufficient information to establish where the events occurred. (V-73123)",
"title":"PostgreSQL must check the validity of all data inputs except those specifically identified by the organization. (V-72871)",
"script":"#!/bin/bash\necho \"Review PostgreSQL code (trigger procedures, functions), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.\"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72859",
"previousName":"",
"_id":9066,
"title":"PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. (V-72859)",
"script":"#!/bin/bash\necho \"Create and maintain documentation of each group role's appropriate permissions on database objects.\"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72905",
"previousName":"",
"_id":9005,
"title":"Execution of software modules (to include functions and trigger procedures) with elevated privileges must be restricted to necessary cases only. (V-72905)",
"script":"#!/bin/bash\nQUERY=$(su - postgres bash -c 'psql -c \"SELECT nspname, proname, proargtypes, prosecdef, rolname, proconfig FROM pg_proc p JOIN pg_namespace n ON p.pronamespace = n.oid JOIN pg_authid a ON a.oid = p.proowner WHERE prosecdef OR NOT proconfig IS NULL;\"')\n\necho \"V-72905\"\necho \"Check Type - Visual Validation\"\necho\necho \"Check: In the query results, a prosecdef value of \\\"t\\\" on a row indicates that that\nfunction uses privilege elevation.\"\necho\necho \"$QUERY\"\necho\necho \"If elevation of PostgreSQL privileges is utilized but not documented, this is a finding.\nIf elevation of PostgreSQL privileges is documented, but not implemented as\ndescribed in the documentation, this is a finding.\nIf the privilege-elevation logic can be invoked in ways other than intended,\nor in contexts other than intended, or by subjects/principals other than\nintended, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72885",
"previousName":"",
"_id":9067,
"title":"The audit information produced by PostgreSQL must be protected from unauthorized deletion. (V-72885)",
"script":"#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name postgresql.conf 2>/dev/null)\n pgdata=$(echo \"$filename\" | tr -d \"\\postgresql.conf\")\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n file_mode=$(grep -i log_file_mode \"$filename\" | grep 0600)\n if [ -z \"$file_mode\" ] || [ \"$file_mode\" != \"0600\" ]\n then\n echo \"log_file_mode is not set to 0600 in $filename.\"\n exit 1 \n fi \n\n log_dir=$(grep -i log_directory \"$filename\" | cut -d \"=\" -f 2 | tr -d ' ' | tr -d \"'\" | tr '\"')\n full_log_dir=\"$pgdata\\\\$log_dir\"\n if [ -f \"$full_log_dir\" ]\n then\n whoami=$(whoami)\n owner=$(ls -l \"$full_log_dir\" | cut -d \"\" -f 3)\n if [ \"$whoami\" != \"$owner\" ] \n then\n echo \"Owner of $full_log_dir not set to $whoami.\"\n exit 1\n fi\n else\n echo \"Log directory, $full_log_dir, does not exist.\"\n exit 1\n fi\nelse\n echo \"postgresql.conf not found.\"\n exit 1\nfi\nexit 0",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72989",
"previousName":"",
"_id":9068,
"title":"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules to generate and validate cryptographic hashes. (V-72989)",
"script":"#!/bin/bash\nfips_enabled=`cat /proc/sys/crypto/fips_enabled`\n\nif [ $fips_enabled != \"1\" ]\nthen\n echo \"FIPS is not enabled.\"\n exit 1\nfi\nexit 0",
"severity":"critical"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72861",
"previousName":"",
"_id":9069,
"title":"PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in transmission. (V-72861)",
"script":"#!/bin/bash\necho \"If security labeling is required, validate that it is enabled.\"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72887",
"previousName":"",
"_id":9070,
"title":"PostgreSQL must record time stamps, in audit records and application data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT). (V-72887)",
"script":"#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name postgresql.conf 2>/dev/null)\n pgdata=$(echo \"$filename\" | tr -d \"\\postgresql.conf\")\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n log_timezone=$(grep -i log_timezone \"$filename\" | grep -i utc)\n if [ -z \"$log_timezone\" ]\n then\n echo \"log_timezone is not set to UTC.\"\n exit 1 \n fi \nelse\n echo \"postgresql.conf not found.\"\n exit 1\nfi\nexit 0",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72863",
"previousName":"",
"_id":9071,
"title":"PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types. (V-72863)",
"script":"#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name postgresql.conf 2>/dev/null)\n pgdata=$(echo \"$filename\" | tr -d \"\\postgresql.conf\")\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n max_connections=$(grep -i max_connections \"$filename\" | cut -d \"=\" -f 2 | tr -d ' ')\n if [ -z \"$max_connections\" ] || [ \"$max_connections\" -gt 10 ]\n then\n echo \"max_connections is either not defined or is set greater than 10.\"\n exit 1 \n fi \nelse\n echo \"postgresql.conf not found.\"\n exit 1\nfi\nexit 0",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72889",
"previousName":"",
"_id":9072,
"title":"PostgreSQL must reveal detailed error messages only to the ISSO, ISSM, SA and DBA. (V-72889)",
"script":"#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name postgresql.conf 2>/dev/null)\n pgdata=$(echo \"$filename\" | tr -d \"\\postgresql.conf\")\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n client_min_messages=$(grep -i client_min_messages \"$filename\" | grep -i notice)\n if [ -z \"$client_min_messages\" ]\n then\n echo \"client_min_messages is not set to notice.\"\n exit 1 \n fi \nelse\n echo \"postgresql.conf not found.\"\n exit 1\nfi\nexit 0",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72845",
"previousName":"",
"_id":9073,
"title":"Security-relevant software updates to PostgreSQL must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). (V-72845)",
"script":"#!/bin/bash\npsqlVersion=$(psql --version)\necho \"Institue policies and procedures to ensure patches are consistently applied. PostgreSQL version is $psqlVersion.\"\nexit 1",
"severity":"critical"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72865",
"previousName":"",
"_id":9074,
"title":"The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (functions, trigger procedures, links to software external to PostgreSQL, etc.) must be restricted to authorized users. (V-72865)",
"script":"#!/bin/bash\npgdata=`echo $PGDATA`\n\nif [ -z \"$pgdata\" ]\nthen\n echo \"PGDATA is not set.\"\n exit 1\nfi\n\nexit 0",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72893",
"previousName":"",
"_id":9075,
"title":"PostgreSQL must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts. (V-72893)",
"script":"#!/bin/bash\necho \"Review the system documentation to determine which audit failure events require real-time alerts.\"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72855",
"previousName":"",
"_id":9058,
"title":"PostgreSQL must limit privileges to change functions and triggers, and links to software external to PostgreSQL. (V-72855)",
"script":"#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name postgresql.conf 2>/dev/null)\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n whoami=$(whoami)\n owner=$(ls -l \"$filename\" | cut -d \"\" -f 3)\n if [ \"$owner\" != \"$whoami\" ] || [ \"$owner\" == \"root\" ]\n then\n echo \"Owner is not set correctly on postgresql.con.\"\n exit 1\n fi\n\n groups=$(id | cut -d \"\" -f 2 | cut -d \"(\" -f 2 | cut -d \")\" -f 1)\n group=$(ls -l \"$filename\" | cut -d \"\" -f 4)\n if [ \"$groups\" != \"$group\" ] || [ \"$group\" == \"root\" ]\n then\n echo \"Group is not set correctly on postgresql.conf.\"\n exit 1\n fi\n\n mode=$(ls -l $filename | cut -d \"\" -f 1)\n if [ \"$mode\" != \"-rw-------.\" ]\n then\n echo \"File permissions on postgresql.conf are not set to 0600.\"\n exit 1\n fi\nelse\n echo \"postgresql.conf file not found.\"\n exit 1\nfi\nexit 0",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72909",
"previousName":"",
"_id":9006,
"title":"PostgreSQL must utilize centralized management of the content captured in audit records generated by all components of PostgreSQL. (V-72909)",
"script":"#!/bin/bash\nLOG_DEST_QUERY=$(su - postgres bash -c 'psql -c \"SHOW log_destination\"')\nLOG_FAC_QUERY=$(su - postgres bash -c 'psql -c \"SHOW syslog_facility\"')\n\necho \"V-72909\"\necho \"Check Type - Visual Validation\"\necho\necho \"PostgreSQL Log Destination: \"\necho\necho \"$LOG_DEST_QUERY\"\necho\necho \"PostgreSQL Syslog Facility: \"\necho\necho \"$LOG_FAC_QUERY\"\necho\necho \"Check: Check with the organization to see how syslog facilities are defined in their organization.\nIf PostgreSQL audit records are not written directly to or systematically\ntransferred to a centralized log management system, this is a finding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72841",
"previousName":"",
"_id":9079,
"title":"PostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. (V-72841)((UPDATED))",
"script":"#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -iname postgresql.conf 2>/dev/null)\nelse\n filename=\"/var/lib/postgresql/data/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n port=$(grep -i port \"$filename\")\n if [ -z \"$port\" ]\n then\n echo \"Port not set in postgresql.conf.\"\n exit 1\n else\n echo \"Port is set to $port. Please verify this is the proper configuration.\"\n exit 1\n fi\nelse\n echo \"postgresql.conf file not found.\"\n exit 1\nfi\nexit 0",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72867",
"previousName":"",
"_id":9080,
"title":"PostgreSQL must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). (V-72867)",
"script":"#!/bin/bash\npsqlDBroles=$(su postgres -c 'psql -c \"\\du\"')\necho \"Validate users are uniquely identified as per organizational documentation. Current DB Roles are $psqlDBroles.\"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72895",
"previousName":"",
"_id":9083,
"title":"PostgreSQL must maintain the confidentiality and integrity of information during reception. (V-72895)",
"title":"PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in storage. (V-72869)",
"script":"#!/bin/bash\necho \"Validate security labeling is in use if required.\"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72993",
"previousName":"",
"_id":9085,
"title":"PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements. (V-72993)",
"script":"#!/bin/bash\nfips_enabled=`cat /proc/sys/crypto/fips_enabled`\n\nif [ $fips_enabled != \"1\" ] \nthen\n echo \"FIPS is not enabled.\"\n exit 1\nfi\nexit 0",
"severity":"critical"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72853",
"previousName":"",
"_id":9059,
"title":"Privileges to change PostgreSQL software modules must be limited. (V-72853)",
"script":"#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name postgresql.conf 2>/dev/null)\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n whoami=$(whoami)\n owner=$(ls -l $filename | cut -d \"\" -f 3)\n if [ \"$owner\" != \"$whoami\" ] || [ \"$owner\" == \"root\" ]\n then\n echo \"Owner is not set correctly on postgresql.conf.\"\n exit 1\n fi\n\n groups=$(id | cut -d \"\" -f 2 | cut -d \"(\" -f 2 | cut -d \")\" -f 1)\n group=$(ls -l $filename | cut -d \"\" -f 4)\n if [ \"$groups\" != \"$group\" ] || [ \"$group\" == \"root\" ]\n then\n echo \"Group is not set correctly on postgresql.conf\"\n exit 1\n fi\n\n mode=$(ls -l $filename | cut -d \"\" -f 1)\n if [ \"$mode\" != \"-rw-------.\" ]\n then\n echo \"File permissions on postgresql.conf are not set to 0600.\"\n exit 1\n fi\nelse\n echo \"postgresql.conf file not found.\"\n exit 1\nfi\nexit 0",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73053",
"previousName":"",
"_id":9086,
"title":"PostgreSQL must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. (V-73053)",
"script":"#!/bin/bash\necho \"Configure PostgreSQL security to protect all privileged functionality. \"\nexit 1",
"severity":"critical"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73063",
"previousName":"",
"_id":9087,
"title":"PostgreSQL must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations. (V-73063)",
"script":"#!/bin/bash\nwhich_openssl=`which openssl | grep -i \"no openssl\"`\nif [ -z \"$which_openssl\" ]\nthen\n echo \"OpenSSL is not installed.\"\n exit 1\nelse\n fips=`openssl version | grep -i fips`\n if [ -z \"$fips\" ]\n then\n echo \"FIPS not included in ssl version.\"\n exit 1\n fi\nfi \nexit 0",
"severity":"critical"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72883",
"previousName":"",
"_id":9088,
"title":"PostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects. (V-72883)",
"script":"#!/bin/bash\necho \"Review system documentation to identify the required discretionary access control (DAC). \"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-73029",
"previousName":"",
"_id":9089,
"title":"PostgreSQL must enforce authorized access to all PKI private keys stored/utilized by PostgreSQL. (V-73029)",
"title":"PostgreSQL must isolate security functions from non-security functions. (V-72911)",
"script":"#!/bin/bash\necho \"V-72911\"\necho \"Check Type - Manual Check\"\necho \"Check PostgreSQL settings to determine whether objects or code\nimplementing security functionality are located in a separate security domain,\nsuch as a separate database or schema created specifically for security\nfunctionality.\nBy default, all objects in pg_catalog and information_schema are owned by the\ndatabase administrator.\nTo check the access controls for those schemas, as the database administrator\n(shown here as \\\"postgres\\\"), run the following commands to review the access\nprivileges granted on the data dictionary and security tables, views,\nsequences, functions and trigger procedures:\n$ sudo su - postgres\n$ psql -x -c \\\"\\\\dp pg_catalog.*\\\"\n$ psql -x -c \\\"\\\\dp information_schema.*\\\"\nRepeat the \\\\dp statements for any additional schemas that contain locally\ndefined security objects.\"\necho \"Repeat using \\\\df+*.* to review ownership of\nPostgreSQL functions:\n$ sudo su - postgres\n$ psql -x -c \\\"\\\\df+ pg_catalog.*\\\"\n$ psql -x -c \\\"\\\\df+ information_schema.*\\\"\nRefer to the PostgreSQL online documentation for GRANT for help in\ninterpreting the Access Privileges column in the output from \\\\du. Note that\nan entry starting with an equals sign indicates privileges granted to Public\n(all users). By default, most of the tables and views in the pg_catalog and\ninformation_schema schemas can be read by Public.\nIf any user besides the database administrator(s) is listed in access\nprivileges and not documented, this is a finding.\nIf security-related database objects or code are not kept separate, this is a\nfinding.\"\nexit 1",
"severity":"medium"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72857",
"previousName":"",
"_id":9090,
"title":"If passwords are used for authentication, PostgreSQL must transmit only encrypted representations of passwords. (V-72857)",
"title":"PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it. (V-72873)",
"script":"#!/bin/bash\necho \"Review PostgreSQL source code (trigger procedures, functions) and application source code, to identify cases of dynamic code execution. Any user input should be handled through prepared statements.\"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72851",
"previousName":"",
"_id":9061,
"title":"PostgreSQL must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. (V-72851)",
"script":"#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name postgresql.conf 2>/dev/null)\n pgdata=$(echo \"$filename\" | tr -d \"\\postgresql.conf\")\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n min_messages=$(grep -i client_min_messages \"$filename\" | grep -i error)\n if [ -z \"$min_messages\" ] || [ \"$min_messages\" != \"error\" ]\n then\n echo \"client_min_messages is not set or is set incorrectly in postgresql.conf.\"\n exit 1 \n fi \nelse\n echo \"postgresql.conf not found.\"\n exit 1\nfi\nexit 0",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72847",
"previousName":"",
"_id":9062,
"title":"The audit information produced by PostgreSQL must be protected from unauthorized modification. (V-72847)",
"script":"#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -iname postgresql.conf 2>/dev/null)\n pgdata=$(echo \"$filename\" | tr -d \"\\postgresql.conf\")\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n file_mode=$(grep -i log_file_mode \"$filename\" | grep 0600)\n if [ -z \"$file_mode\" ] || [ \"$file_mode\" != \"0600\" ]\n then\n echo \"log_file_mode is not set to 0600 in postgresql.conf.\"\n exit 1 \n fi \nelse\n echo \"postgresql.conf not found.\"\n exit 1\nfi\nexit 0",
"severity":"high"
},
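Several checks above read postgresql.conf directly (V-72885, V-72887, V-72863, V-72889, V-72841, V-72851, V-72847). A grep for the parameter name also matches the commented defaults the stock file ships with, and comparing the whole matched line against "0600" or "error" can never be true. The reader below is an added example, not one of the check scripts; pg_conf_get, pg_conf_check, make_sample_conf and the sample configuration are mine. It follows the rules the server applies to the file: '#' starts a comment, a parameter may be followed by '=' or only by whitespace, values may be single-quoted, and the last active assignment wins.

```shell
#!/bin/bash
# Added example (not one of the STIG check scripts): read a parameter from
# postgresql.conf by the rules the server applies to that file. '#' starts a
# comment, a parameter may be followed by '=' or just whitespace, values may
# be single-quoted, and the last active assignment of a parameter wins.

# pg_conf_get FILE PARAM -> prints the active value, or nothing if PARAM is unset.
pg_conf_get() {
  local file="$1" param="$2"
  # 1. drop comments  2. keep lines that assign PARAM  3. strip "PARAM =" prefix
  # 4. strip surrounding quotes and trailing space  5. the last assignment wins
  sed -e 's/#.*//' "$file" \
    | grep -E "^[[:space:]]*${param}([[:space:]]*=|[[:space:]]+)[[:space:]]*[^[:space:]]" \
    | sed -E "s/^[[:space:]]*${param}[[:space:]]*=?[[:space:]]*//" \
    | sed -E "s/^'(.*)'[[:space:]]*\$/\1/; s/[[:space:]]+\$//" \
    | tail -n 1
}

# pg_conf_check FILE PARAM EXPECTED -> 0 if the active value equals EXPECTED, 1 otherwise.
pg_conf_check() {
  local actual
  actual=$(pg_conf_get "$1" "$2")
  if [ "$actual" = "$3" ]; then
    echo "$2 = $actual (ok)"
    return 0
  fi
  echo "$2 = '${actual:-<not set>}', expected '$3' (finding)" >&2
  return 1
}

# make_sample_conf -> path of a constructed postgresql.conf used only for this demo;
# the contents are made up here and not taken from any real host.
make_sample_conf() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
#log_file_mode = 0600            # commented default: must not count
log_file_mode = 0640             # first active assignment
log_file_mode = 0600             # last active assignment wins
log_directory = 'pg_log'         # quoted value
max_connections = 100            # (change requires restart)
port 5432                        # whitespace form without '='
#client_min_messages = notice
EOF
  echo "$f"
}

# Demo on the constructed file: the first check passes, the second reports a finding.
conf=$(make_sample_conf)
pg_conf_check "$conf" log_file_mode 0600
pg_conf_check "$conf" client_min_messages error || true
rm -f "$conf"
```

ALTER SYSTEM writes postgresql.auto.conf, which overrides postgresql.conf, and include directives are not followed here, so while the server is up the SHOW query (as the V-73061 check above uses) reports the effective value; read the file only when the server is down or when the file itself is the artifact under review.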
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72875",
"previousName":"",
"_id":9063,
"title":"PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack. (V-72875)",
"script":"#!/bin/bash\necho \"Review PostgreSQL source code (trigger procedures, functions) and application source code to identify cases of dynamic code execution. \"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72849",
"previousName":"",
"_id":9064,
"title":"PostgreSQL must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. (V-72849)",
"script":"#!/bin/bash\necho \"Integrate PostgreSQL security with an organization-level authentication/access mechanism providing account management for all users, groups, roles, and any other principals.\"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72877",
"previousName":"",
"_id":9065,
"title":"PostgreSQL must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. (V-72877)",
"script":"#!/bin/bash\necho \"Investigate if there have been any incidents where audit log space has been depleted.\"\nexit 1",
"severity":"high"
},
{
"modified":"2020-10-08T11:45:00Z",
"owner":"admin",
"name":"PostgreSQL v9 V-72917",
"previousName":"",
"_id":9008,
"title":"When updates are applied to PostgreSQL software, any software components that have been replaced or made unnecessary must be removed. (V-72917)",
"script":"#!/bin/bash\necho \"V-72917\"\necho \"Check Type - Manual Check\"\necho \"To check software installed by packages, as the system administrator, run the following command:\nRHEL/CENT Systems: sudo rpm -qa | grep postgres\"\necho \"If multiple versions of postgres are installed but are unused, this is a finding.\"\nexit 1",