PostgreSQL Password File Entry
Detects PostgreSQL .pgpass file entries containing hostname, port, database, username, and password in colon-separated format. Mirrors Snaffler rule KeepDbMgtConfigByName.
- Type: regex
- Engine: boost_regex
- Confidence: medium
- Confidence justification: Medium confidence: the five-field colon-separated structure is specific but the character classes are broad enough to match non-credential data. Evidence keyword gating at 75/85 tiers substantially reduces false positive risk by requiring pgpass-contextual terms.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF
- Data categories: credentials
- Scope: specific
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported
Pattern
[^\s:]{1,64}:(?:\d{1,5}|\*):[^\s:]{1,64}:[^\s:]{1,64}:[^\s:]{1,128}
Corroborative evidence keywords
pgpass, 5432, localhost, postgres
Proximity: 300 characters
Should match
- db.internal.corp:5432:billing:svc_billing:Pg$ecret2024 — Real pgpass entry with production host
- localhost:5432:appdb:appuser:MyP@ssw0rd123 — Local postgres connection string
- pg.prod.example.com:5432:*:postgres:SuperSecret! — Wildcard database name in pgpass
- db.example.com:*:*:postgres:S3cretPg — Wildcard port and database in pgpass entry (Snaffler parity)
Should not match
- This is a plain text file with no colon-separated credential fields — Plain text, no colon structure
- server host database user password — Space-separated fields, not colon-separated
Known false positives
- Log entries or configuration files using colon-separated fields for non-credential data such as CSV records, IPv6 addresses, or structured logging. Mitigation: Require proximity to pgpass-specific terms (pgpass, postgres, 5432) to limit matches to actual database credential files.
- Time-formatted strings or other five-field colon-separated data that coincidentally matches the pattern structure. Mitigation: Evidence keyword gating at 75/85 tiers ensures only matches near pgpass context are elevated.
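The following Python script is an added worked example, not part of the rule page or of Snaffler: it applies the pattern above with Python's re module (which agrees with boost_regex on the constructs used here) and implements the corroborative keyword gating as a 300-character window on either side of each hit. It runs the rule's own should-match and should-not-match lines plus constructed IPv6 and time-style lines of the shape named under "Known false positives". Case-insensitive keyword matching and the Finding/scan names are assumptions for illustration; the page does not specify how the 75/85 tiers are computed, so the script only reports whether a hit is corroborated.

```python
import re
from dataclasses import dataclass, field

# Pattern copied verbatim from the rule above.
PGPASS_PATTERN = re.compile(
    r"[^\s:]{1,64}:(?:\d{1,5}|\*):[^\s:]{1,64}:[^\s:]{1,64}:[^\s:]{1,128}"
)

# Corroborative evidence keywords and proximity window from the rule.
EVIDENCE_KEYWORDS = ("pgpass", "5432", "localhost", "postgres")
PROXIMITY = 300


@dataclass
class Finding:
    value: str                                  # the matched candidate entry
    start: int
    end: int
    evidence: list[str] = field(default_factory=list)  # keywords within PROXIMITY

    @property
    def corroborated(self) -> bool:
        # A hit is elevated only when at least one evidence keyword is nearby.
        return bool(self.evidence)


def scan(text: str, proximity: int = PROXIMITY) -> list[Finding]:
    """Return every raw regex hit in text, annotated with nearby evidence keywords.

    The window covers `proximity` characters before and after the hit, so keywords
    inside the matched entry itself (e.g. the port 5432) also count. Keyword
    comparison is case-insensitive (an assumption; the rule does not say).
    """
    findings = []
    lowered = text.lower()
    for m in PGPASS_PATTERN.finditer(text):
        lo = max(0, m.start() - proximity)
        hi = min(len(text), m.end() + proximity)
        window = lowered[lo:hi]
        evidence = [k for k in EVIDENCE_KEYWORDS if k in window]
        findings.append(Finding(m.group(0), m.start(), m.end(), evidence))
    return findings


def corroborated_hits(text: str) -> list[str]:
    """Only the hits that pass the evidence gate, i.e. what would be elevated."""
    return [f.value for f in scan(text) if f.corroborated]


# Constructed samples: the rule's own test lines plus two false-positive shapes
# (an IPv6 address and a five-field time-like string) described on the page.
SAMPLES = {
    "prod": "db.internal.corp:5432:billing:svc_billing:Pg$ecret2024",
    "local": "localhost:5432:appdb:appuser:MyP@ssw0rd123",
    "wild_db": "pg.prod.example.com:5432:*:postgres:SuperSecret!",
    "wild_port": "db.example.com:*:*:postgres:S3cretPg",
    "plain": "This is a plain text file with no colon-separated credential fields",
    "spaces": "server host database user password",
    "ipv6": "route add 2001:db8:85a3:0:0:8a2e:370:7334 via eth0",
    "timestamp": "job finished at 12:34:56:78:90 with status ok",
    # Same time-like string, but a keyword nearby: the gate lets it through.
    "gated_fp": "postgres backup job finished at 12:34:56:78:90 with status ok",
}


def summarize() -> dict[str, tuple[int, int]]:
    """Map sample name -> (raw hits, corroborated hits)."""
    return {
        name: (len(scan(text)), len(corroborated_hits(text)))
        for name, text in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (raw, gated) in summarize().items():
        print(f"{name:10s} raw={raw} corroborated={gated}")
```

Two things the run makes visible that the rule text only states in the abstract: the IPv6 and time-like lines produce raw hits (the middle of "2001:db8:85a3:0:0:8a2e:370:7334" satisfies the five-field shape), and only the absence of a nearby keyword keeps them out, so a stray "postgres" in the same log line is enough to elevate a non-credential. Separately, PostgreSQL allows a literal colon in a .pgpass field when escaped as "\:"; because every field class excludes ":", the pattern as written stops at the escaped colon and captures a truncated password, which is worth knowing when triaging a hit whose last field ends in a backslash.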