
EnterpriseDB Postgres Advanced Server (EPAS) STIG Hardening Checklist

Hard 15 items · 3 hours
testuser Published 1 month ago

This checklist summarizes key actions to harden EnterpriseDB Postgres Advanced Server (EPAS) to the DISA STIG baseline. It’s designed for DBAs and sysadmins preparing systems for DoD or high-security environments and for anyone performing EPAS security reviews.

Source: https://ncp.nist.gov/checklist/680

  1. Verify EPAS version and STIG applicability — Confirm product version and applicable STIG release before changes.
  2. Install latest EPAS patches and updates — Apply vendor-supplied security patches and required updates.
  3. Enable FIPS-compliant cryptography on the OS and libraries — Run the host in FIPS mode and make sure EPAS links against a FIPS 140-2-validated OpenSSL module, not merely a build that claims compliance.
  4. Configure PostgreSQL authentication methods to use SCRAM or stronger — Avoid MD5: set password_encryption to scram-sha-256, use scram-sha-256 (or certificate/GSSAPI) methods in pg_hba.conf, and re-set any password still stored as an MD5 hash, because changing the setting does not rehash existing passwords and those roles would otherwise be locked out once pg_hba.conf no longer accepts md5.
  5. Configure password policy — Implement and enforce password complexity and lifecycle policies. In EPAS these are carried by profiles (CREATE PROFILE, then ALTER ROLE ... PROFILE), which set lockout after failed logins, lifetime, grace period, reuse limits and a verification function for complexity; community PostgreSQL only offers a VALID UNTIL date per role.
  6. Set minimum password length to 12 characters — Require at least 12 chars to reduce brute-force risk.
  7. Set password expiration to 90 days — Enforce periodic password changes per STIG guidance.
  8. Restrict superuser access and review roles — Limit superuser accounts and audit role assignments regularly.
  9. Enable and configure logging and audit settings — Capture authentication, DDL, and privilege changes in logs.
  10. Set log level to capture security-relevant events — Turn on log_connections and log_disconnections, set log_statement to at least 'ddl' (which covers CREATE/ALTER/DROP including ROLE, GRANT and REVOKE), and enable edb_audit with connect, disconnect and statement auditing so that failed logins, role changes, and DDL are recorded with user, client address and timestamp.
  11. Harden network access: restrict listen_addresses and update pg_hba.conf — Allow only required hosts, use CIDR restrictions and strong auth methods.
  12. Disable or remove unnecessary extensions and features — Uninstall or disable extensions not required for operations.
  13. Implement regular backups and verify restore process — Schedule backups and test restores to validate recoverability.
  14. Apply OS-level hardening and set permissions for data directories — Harden host OS, restrict filesystem permissions for PG data and config files.
  15. Document configuration and generate STIG compliance report — Record changes, rationale, and produce evidence for audits.
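The following psql session carries items 4 through 11 out on an EPAS cluster. It is an example added here by the editor, not content from the NCP checklist or from EDB's documentation. It assumes EPAS 12 or later with psql connected as a superuser (enterprisedb); the names app_user, stig_profile, sys.verify_password, the listen address 10.20.30.5, the subnet 10.20.30.0/24 and the directory /var/log/edb_audit are placeholders. Items 1-3 and 12-15 are host, patching and process work and have no SQL counterpart.

```sql
-- Added example (editor's, not from the NCP checklist or EDB). One psql
-- session run as a superuser such as enterprisedb, covering items 4-11.
-- Assumed names: role app_user, profile stig_profile, function
-- sys.verify_password, listen address 10.20.30.5, audit dir /var/log/edb_audit.

-- Item 4: hash new passwords with SCRAM (reloadable setting)
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();
-- The setting does not rehash stored passwords. Every role listed here must
-- have its password re-set (ALTER ROLE ... PASSWORD ...) before pg_hba.conf
-- switches from md5 to scram-sha-256, or it will be locked out.
SELECT rolname FROM pg_authid WHERE rolpassword LIKE 'md5%';

-- Items 5-7: EPAS profile. The complexity callback receives
-- (user_name, new_password, old_password), returns boolean, and rejects a
-- password by raising an error. EPAS requires it to be owned by a superuser;
-- it is created in sys here, a schema EPAS searches implicitly like pg_catalog.
CREATE OR REPLACE FUNCTION sys.verify_password(user_name    varchar2,
                                               new_password varchar2,
                                               old_password varchar2)
RETURN boolean IMMUTABLE
IS
BEGIN
  IF length(new_password) < 12 THEN                                -- item 6
    raise_application_error(-20001, 'password must be at least 12 characters');
  END IF;
  IF new_password !~ '[A-Z]' OR new_password !~ '[a-z]'
     OR new_password !~ '[0-9]' OR new_password !~ '[^A-Za-z0-9]' THEN
    raise_application_error(-20002, 'password needs upper, lower, digit and symbol');
  END IF;
  IF position(lower(user_name) IN lower(new_password)) > 0 THEN
    raise_application_error(-20003, 'password must not contain the user name');
  END IF;
  RETURN true;
END;

ALTER FUNCTION sys.verify_password(varchar2, varchar2, varchar2) OWNER TO enterprisedb;

CREATE PROFILE stig_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    3     -- lock the account after 3 consecutive failures
  PASSWORD_LOCK_TIME       1     -- days the lock lasts (fractional days accepted)
  PASSWORD_LIFE_TIME       90    -- item 7: days until the password expires
  PASSWORD_GRACE_TIME      7     -- days of warnings after expiry before logins are refused
  PASSWORD_REUSE_TIME      365   -- a password may not come back for 365 days ...
  PASSWORD_REUSE_MAX       10    -- ... and only after 10 other passwords were used
  PASSWORD_VERIFY_FUNCTION verify_password;

ALTER ROLE app_user PROFILE stig_profile;   -- or CREATE ROLE ... PROFILE stig_profile
-- To cover every role with no explicit profile, tighten the built-in one instead:
-- ALTER PROFILE default LIMIT PASSWORD_LIFE_TIME 90 FAILED_LOGIN_ATTEMPTS 3;

-- Item 8: list elevated roles, then strip the bits that are not justified
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls, rolreplication
FROM   pg_roles
WHERE  rolsuper OR rolcreaterole OR rolbypassrls OR rolreplication
ORDER  BY rolname;
-- e.g. ALTER ROLE reporting_svc NOSUPERUSER NOCREATEROLE NOBYPASSRLS;

-- Items 9-10: core logging plus edb_audit (all reloadable)
ALTER SYSTEM SET log_connections      = on;    -- failed and successful logins
ALTER SYSTEM SET log_disconnections   = on;
ALTER SYSTEM SET log_statement        = 'ddl'; -- CREATE/ALTER/DROP incl. ROLE, GRANT, REVOKE
ALTER SYSTEM SET log_line_prefix      = '%m [%p] %u@%d %r %a ';  -- time, user, db, client, app
ALTER SYSTEM SET edb_audit            = 'csv';                  -- '' turns the auditor off
ALTER SYSTEM SET edb_audit_directory  = '/var/log/edb_audit';   -- assumed; server user only
ALTER SYSTEM SET edb_audit_connect    = 'all';                  -- 'failed' keeps failures only
ALTER SYSTEM SET edb_audit_disconnect = 'all';
ALTER SYSTEM SET edb_audit_statement  = 'ddl, error, rollback';
ALTER SYSTEM SET edb_audit_rotation_day  = 'every';             -- new file every day ...
ALTER SYSTEM SET edb_audit_rotation_size = 100;                 -- ... or at 100 MB

-- Item 11: bind one interface, require TLS, then see what still needs a restart
ALTER SYSTEM SET listen_addresses = '10.20.30.5';               -- assumed; restart required
ALTER SYSTEM SET ssl = on;
ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';          -- PostgreSQL 12+ setting
SELECT pg_reload_conf();
SELECT name, setting FROM pg_settings WHERE pending_restart;

-- pg_hba.conf is edited on disk (target line for the assumed subnet):
--   hostssl  all  all  10.20.30.0/24  scram-sha-256
-- The server's parsed copy is queryable, so findings can be pulled in SQL:
SELECT line_number, type, database, user_name, address, netmask, auth_method, error
FROM   pg_hba_file_rules
WHERE  auth_method IN ('trust', 'password', 'md5')   -- weak or cleartext methods
   OR  address IN ('all', '0.0.0.0', '::')           -- unrestricted source address
   OR  type = 'host'                                 -- plain host admits non-TLS; use hostssl
   OR  error IS NOT NULL;                            -- line the server could not parse
```

Run the md5 query before changing pg_hba.conf and re-set every password it lists, otherwise the cut-over to scram-sha-256 locks those roles out. Everything written by ALTER SYSTEM lands in postgresql.auto.conf and is picked up by pg_reload_conf(), except listen_addresses, which stays in the pending_restart list until the server is restarted. The final query against pg_hba_file_rules reflects the file currently on disk, so it doubles as the evidence for item 15 once the reload has been done.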