V-233596 Update #21
V-233596 Update #21
Conversation
Signed-off-by: Emily Rodriguez <[email protected]>
| @@ -57,7 +57,7 @@ | |||
| sql = postgres_session(input('pg_dba'), input('pg_dba_password'), input('pg_host'), input('pg_port')) | |||
|
|
|||
| describe sql.query('SHOW password_encryption;', [input('pg_db')]) do | |||
| its('output') { should match /on|true|scram-sha-256/i } | |||
| its('output') { should match /scram-sha-256/i } | |||
| end | |||
|
|
|||
| passwords_sql = 'SELECT usename FROM pg_shadow '\ | |||
There was a problem hiding this comment.
Should the line below be checking for scram-sha-256 instead of md5 hashes? @aaronlippold
There was a problem hiding this comment.
Yeah, the describe block was perhaps adapting legacy postgres 9 ideas https://github.com/mitre/pgstigcheck-inspec/blob/a6faeb2eaff1d351d29629b7e53af6f7351cd9b4/controls/V-73015.rb#L69 without regard to what "on" means today in 10+ versions. https://access.crunchydata.com/documentation/postgresql13/13.3/runtime-config-connection.html#GUC-PASSWORD-ENCRYPTION discusses current setting interpretation:
password_encryption ( enum )
When a password is specified in CREATE ROLE or ALTER ROLE , this parameter determines the algorithm to use to encrypt the password. The default value is md5 , which stores the password as an MD5 hash ( on is also accepted, as alias for md5 ). Setting this parameter to scram-sha-256 will encrypt the password with SCRAM-SHA-256.
Note that older clients might lack support for the SCRAM authentication mechanism, and hence not work with passwords encrypted with SCRAM-SHA-256. See Section 20.5 for more details.
add to only support what is in listed in the guidance