8.4 Ensure miscellaneous configuration settings are correct

Information

This recommendation covers non-regular, special files, and dynamic libraries.
PostgreSQL permits local logins via the Unix domain socket and, for the most part, anyone with a legitimate Unix login account can make the attempt. Login attempts can be limited by relocating the Unix domain socket to a subdirectory with restricted permissions.
The creation and implementation of user-defined dynamic libraries is an extraordinarily powerful capability. In the hands of an experienced DBA/programmer, it can significantly enhance the power and flexibility of the RDBMS. But new and unexpected behavior can also be assigned to the RDBMS, turning what should otherwise be a trusted environment into a very dangerous one.


NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Follow these steps to remediate the configuration:
* Determine permissions based on your organization's security policies.
* Relocate all files and ensure their permissions are restricted as much as possible, i.e. only superuser read access.
* Ensure all directories where these files are located have restricted permissions such that the superuser can read but not write.
* Lastly, change the settings accordingly in the postgresql.conf configuration file and restart the database cluster for changes to take effect.
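
One way to review the result of these steps, as an added example that is not part of the benchmark or of Nessus: it reads postgresql.conf text, extracts the parameters this recommendation names, and reports socket and PID-file directories that grant any permission to group or other. The three `*_preload_libraries` names are an assumption about what "all library parameters" covers, and the sample configuration and directories are constructed.

```python
import os, re, stat, tempfile

# Parameters named by this recommendation (the three *_preload_libraries
# names are an assumption about what "all library parameters" covers).
WATCHED = {"dynamic_library_path", "unix_socket_directories", "external_pid_file",
           "shared_preload_libraries", "local_preload_libraries",
           "session_preload_libraries"}
LINE = re.compile(r"^\s*(\w+)\s*=?\s*(?:'((?:[^']|'')*)'|([^#\s]+))")

def parse_settings(conf_text):
    """Return the watched parameters from postgresql.conf text (last wins)."""
    found = {}
    for line in conf_text.splitlines():
        m = LINE.match(line)  # commented-out lines start with '#' and never match
        if m and m.group(1).lower() in WATCHED:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            found[m.group(1).lower()] = value.replace("''", "'")
    return found

def socket_dirs(settings):
    raw = settings.get("unix_socket_directories", "")
    return [d.strip() for d in raw.split(",") if d.strip()]

def open_to_others(path):
    """True if group or other have any permission bit on path."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO))

def audit(conf_text):
    """List (parameter, directory) pairs whose directory is not owner-only."""
    settings = parse_settings(conf_text)
    targets = [("unix_socket_directories", d) for d in socket_dirs(settings)]
    if settings.get("external_pid_file"):
        targets.append(("external_pid_file", os.path.dirname(settings["external_pid_file"])))
    return [(name, d) for name, d in targets if os.path.isdir(d) and open_to_others(d)]

def demo():
    """Constructed sample: one world-accessible socket dir, one owner-only."""
    base = tempfile.mkdtemp()
    loose, tight = os.path.join(base, "loose"), os.path.join(base, "tight")
    os.mkdir(loose); os.chmod(loose, 0o777)
    os.mkdir(tight); os.chmod(tight, 0o700)
    conf = ("# constructed sample, not a real cluster's file\n"
            f"unix_socket_directories = '{loose}, {tight}'  # comment\n"
            f"external_pid_file = '{tight}/postmaster.pid'\n"
            "#dynamic_library_path = '$libdir'\n")
    return audit(conf), parse_settings(conf)

if __name__ == "__main__":
    print(demo())
```

Against a real cluster, pass the contents of its postgresql.conf to `audit()` and compare the reported directories with the permissions your policy requires.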

Default Value:

The dynamic_library_path default is $libdir and the unix_socket_directories default is /var/run/postgresql, /tmp. The defaults for external_pid_file and all library parameters are initially null, or not set, upon cluster creation.

See Also

https://workbench.cisecurity.org/files/2407

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv6|18.7, CSCv7|18.11

Plugin: PostgreSQLDB

Control ID: bccc5a263b4009ddf5fe57df498f0c6a67a29ac21651f72b2d447854e276a7d5