Crunchy Data Postgres 16 STIG Compliance Checklist

Medium 21 items · 4 hours
testuser Published 4 weeks ago

This checklist distills the Crunchy Data Postgres 16 STIG into practical, actionable steps to harden Postgres 16 deployments. It’s for DBAs, security engineers, and administrators implementing DISA/STIG controls and tracking compliance.

Source: https://ncp.nist.gov/checklist/1246

  1. Download the official Crunchy Data Postgres 16 STIG — Get the XCCDF/STIG from DISA or Public Cyber.mil.
  2. Apply latest Postgres 16 patches and updates — Install vendor security updates for all Postgres 16 hosts.
  3. Implement host OS STIG controls on the database server — Apply RHEL/OS STIGs and network STIGs relevant to the host.
  4. Configure strong authentication and password policies — Enforce complexity, expiration, and lockout for DB accounts.
  5. Set password complexity and expiration — Require length, complexity, and periodic rotation.
  6. Enforce account lockout and password reuse controls — Configure lockout thresholds and prevent reuse of recent passwords.
  7. Restrict superuser and administrative access — Limit postgres/superuser roles to approved administrators.
  8. Audit and limit superuser login activity — Enable logging for superuser sessions and review privileges.
  9. Enable TLS for client-server connections — Require encrypted connections to protect data in transit.
  10. Install and manage valid server certificates; require SSL — Use CA-signed certs and enforce sslmode=require where applicable.
  11. Configure and enable database auditing and logging — Enable sufficient logging (connections, DDL, privileged actions).
  12. Set log retention, rotation, and secure log storage — Rotate logs and protect them from tampering or unauthorized access.
  13. Review audit logs regularly — Schedule periodic reviews for suspicious or privileged activity.
  14. Secure database data directory and config file permissions — Restrict filesystem ACLs to the DB service account only.
  15. Remove sample/demo databases and unused extensions — Drop example DBs and disable unneeded modules to reduce attack surface.
  16. Restrict network access to authorized hosts and ports — Use firewalls and ACLs to limit DB access to known clients.
  17. Implement role-based access control and least privilege — Define roles for app, admin, and read-only users; avoid shared accounts.
  18. Schedule regular backups and test restore procedures — Automate backups and perform restore drills to validate recoverability.
  19. Schedule regular vulnerability scans and remediate findings — Scan Postgres hosts and extensions; track and fix CVEs promptly.
  20. Integrate monitoring and alerting for suspicious activity — Alert on failed logins, priv escalation, schema changes, and high-risk events.
  21. Document exceptions and submit change requests to DISA — Record deviations and email DISA per STIG instructions when required.
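As an added example (not part of the checklist's source, and not Crunchy Data's or DISA's tooling), a small Python check that reads a postgresql.conf fragment and reports gaps against items 4, 9 and 11; the mapping from checklist items to parameters is an assumption to confirm against the STIG text, and the sample fragment is constructed.

```python
import re

# Assumed mapping of checklist items to parameters: parameter -> (acceptable values, reason)
EXPECTED = {
    "ssl": ({"on"}, "item 9: require TLS for client connections"),
    "password_encryption": ({"scram-sha-256"}, "item 4: strong authentication"),
    "logging_collector": ({"on"}, "item 11: enable auditing and logging"),
    "log_connections": ({"on"}, "item 11: log connections"),
    "log_disconnections": ({"on"}, "item 11: log session ends"),
    "log_statement": ({"ddl", "mod", "all"}, "item 11: log DDL"),
}
_BOOL = {"true": "on", "yes": "on", "1": "on", "false": "off", "no": "off", "0": "off"}
_COMMENT = re.compile(r"(?:'[^']*'|[^'#])*")  # text before a '#' that sits outside single quotes
_LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=?\s*('[^']*'|[^\s#]+)")  # name [=] value

def parse_conf(text):
    """Return {parameter: value} for 'name = value' lines; last assignment wins, as in Postgres."""
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(_COMMENT.match(raw).group(0))
        if m:
            value = m.group(2).strip("'").lower()
            settings[m.group(1).lower()] = _BOOL.get(value, value)  # normalise on/off spellings
    return settings

def check(settings):
    """Findings as (parameter, actual, acceptable, reason); compiled-in defaults are not consulted."""
    findings = []
    for param, (ok_values, why) in EXPECTED.items():
        actual = settings.get(param, "<not set>")
        if actual not in ok_values:
            findings.append((param, actual, "|".join(sorted(ok_values)), why))
    return findings

# Constructed sample fragment with several gaps
SAMPLE_CONF = """\
ssl = off                                # item 9 gap
password_encryption = md5                # item 4 gap
logging_collector = on
log_connections = off
log_line_prefix = '%m [%p] %u@%d # '     # the '#' inside quotes is part of the value
log_statement = 'none'
"""

if __name__ == "__main__":
    for finding in check(parse_conf(SAMPLE_CONF)):
        print("%-20s actual=%-10s expected=%-18s %s" % finding)
```

A parameter left at its compiled-in default is reported as not set, so settings the STIG cares about must be stated explicitly to pass.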