Detections
Analytics

8.1 Ensure PostgreSQL configuration files are outside the data cluster

Information

PostgreSQL configuration files within the data cluster's directory tree can be changed by anyone logging into the data cluster as the superuser, i.e. postgres. As a matter of default policy, configuration files such as postgresql.conf, pg_hba.conf, and pg_ident, are placed in the data cluster's directory, $PGDATA. PostgreSQL can be configured to relocate these files to locations outside the data cluster which cannot then be accessed by an ordinary superuser login session.

 Consideration should also be given to 'include directives'; these are cluster subdirectories where one can locate files containing additional configuration parameters. Include directives are meant to add more flexibility for unique installs or large network environments while maintaining order and consistent architectural design.

 Rationale:

 Leaving PostgreSQL configuration files within the data cluster's directory tree increases the changes that they will be inadvertently or intentionally altered.

 NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Follow these steps to remediate the configuration file locations and permissions:

 Determine appropriate locations for relocatable configuration files based on your organization's security policies. If necessary, relocate and/or rename configuration files outside of the data cluster.

 Ensure their file permissions are restricted as much as possible, i.e. only superuser read access.

 Change the settings accordingly in the postgresql.conf configuration file.

 Restart the database cluster for the changes to take effect.

 Default Value:

 The defaults for PostgreSQL configuration files are listed below.

 name | setting

 ----------------------+----------------------------------------

 config_file | /var/lib/pgsql/12/data/postgresql.conf

 external_pid_file |

 hba_file | /var/lib/pgsql/12/data/pg_hba.conf

 ident_file | /var/lib/pgsql/12/data/pg_ident.conf

 promote_trigger_file |

 ssl_ca_file |

 ssl_cert_file | server.crt

 ssl_crl_file |

 ssl_dh_params_file |

 ssl_key_file | server.key

 (10 rows)

 References:

 https://www.postgresql.org/docs/12/static/runtime-config-file-locations.html

 https://www.postgresql.org/docs/12/static/runtime-config-connection.html

 https://www.postgresql.org/docs/12/static/config-setting.html#CONFIG-INCLUDES

See Also

https://workbench.cisecurity.org/files/2536

Item Details

References: CSCv6|18.7, CSCv7|18.11

Plugin: PostgreSQLDB

Control ID: fdf54628fdbfde63ccebd40a9cf0a73a3e3c3ba770938776184341b8a6b79174