Information
PostgreSQL configuration files within the data cluster's directory tree can be changed by anyone logging into the data cluster as the superuser, i.e. postgres. As a matter of default policy, configuration files such as postgresql.conf, pg_hba.conf, and pg_ident, are placed in the data cluster's directory, $PGDATA. PostgreSQL can be configured to relocate these files to locations outside the data cluster which cannot then be accessed by an ordinary superuser login session.
Consideration should also be given to 'include directives'; these are cluster subdirectories where one can locate files containing additional configuration parameters. Include directives are meant to add more flexibility for unique installs or large network environments while maintaining order and consistent architectural design.
Rationale:
Leaving PostgreSQL configuration files within the data cluster's directory tree increases the changes that they will be inadvertently or intentionally altered.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Follow these steps to remediate the configuration file locations and permissions:
* Determine appropriate locations for relocatable configuration files based on your organization's security policies. If necessary, relocate and/or rename configuration files outside of the data cluster.
* Ensure their file permissions are restricted as much as possible, i.e. only superuser read access.
* Change the settings accordingly in the postgresql.conf configuration file.
* Restart the database cluster for the changes to take effect.
Default Value:
The defaults for PostgreSQL configuration files are listed below.
name | setting -------------------+-----------------------------------------
config_file | /var/lib/pgsql/10/data/postgresql.conf
external_pid_file |
hba_file | /var/lib/pgsql/10/data/pg_hba.conf
ident_file | /var/lib/pgsql/10/data/pg_ident.conf
ssl_ca_file |
ssl_cert_file | server.crt
ssl_crl_file |
ssl_key_file | server.key