8.1 Ensure PostgreSQL subdirectory locations are outside the data cluster

Information

The PostgreSQL cluster is organized to carry out specific tasks in subdirectories. For the purposes of performance, reliability, and security some of these subdirectories should be relocated outside the data cluster.

Rationale:

Some subdirectories contain information, such as logs, which can be of value to others such as developers. Other subdirectories can gain a performance benefit when placed on fast storage devices. Other subdirectories contain temporary files created and used during processing. Finally, relocating a subdirectory to a separate and distinct partition mitigates denial of service and involuntary server shutdown when excessive writes fill the data cluster's partition, e.g. pg_wal, pg_log, and temp_tablespaces.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following steps to remediate the subdirectory locations and permissions:

Determine appropriate data, log, and tablespace directories and locations based on your organization's security policies. If necessary, relocate all listed directories outside the data cluster.

If not relocating temp_tablespaces, the temp_file_limit parameter must be changed from its default value.

Ensure file permissions are restricted as much as possible, i.e. only superuser read access.

When directories are relocated to other partitions, ensure that they are of sufficient size to mitigate against excessive space utilization.

Lastly, change the settings accordingly in the postgresql.conf configuration file and restart the database cluster for changes to take effect.

Relocating temp_tablespaces to an existing mount point outside the data cluster is accomplished by:

postgres=# CREATE TABLESPACE temp_tablespc LOCATION '/path/to/existing/desired/mount/point';
postgres=# ALTER SYSTEM SET temp_tablespaces = 'temp_tablespc';
postgres=# SELECT pg_reload_conf();

Default Value:

The default for data_directory is ConfigDir and the default for log_directory is log (based on absolute path of data_directory). The defaults for tablespace settings are null, or not set, upon cluster creation.
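One way to check these settings against the control, as an added example that is not part of the benchmark or the Nessus plugin. It assumes the values were already read from pg_settings and pg_tablespace_location(); the function names, sample paths and finding messages are hypothetical, and -1 is taken as the temp_file_limit default.

```python
import posixpath

def inside(path, parent):
    """True when path is parent itself or lies beneath it."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")

def audit_locations(settings, tablespace_locations):
    """Return a list of findings for this control (empty list = compliant).

    settings: name -> setting, as read from pg_settings.
    tablespace_locations: spcname -> pg_tablespace_location(oid).
    """
    findings = []
    data_dir = settings["data_directory"]

    # A relative log_directory is resolved against data_directory;
    # an absolute one replaces it (posixpath.join handles both).
    log_dir = posixpath.join(data_dir, settings.get("log_directory", "log"))
    if inside(log_dir, data_dir):
        findings.append("log_directory is inside the data cluster: "
                        + posixpath.normpath(log_dir))

    raw = settings.get("temp_tablespaces", "")
    names = [n.strip().strip('"') for n in raw.split(",") if n.strip()]
    relocated = bool(names)
    for name in names:
        loc = tablespace_locations.get(name, "")
        # An empty (pg_default) or missing location is treated as inside.
        if not loc or inside(loc, data_dir):
            relocated = False
            findings.append("temp tablespace %s is inside the data cluster" % name)

    # If temp files are not relocated, temp_file_limit must not stay at -1.
    if not relocated and settings.get("temp_file_limit", "-1") == "-1":
        findings.append("temp_file_limit is still the default (-1)")
    return findings

# Constructed sample values, not output from a real server.
DEFAULT_CLUSTER = {"data_directory": "/var/lib/pgsql/data", "log_directory": "log",
                   "temp_tablespaces": "", "temp_file_limit": "-1"}
RELOCATED_CLUSTER = {"data_directory": "/var/lib/pgsql/data",
                     "log_directory": "/var/log/postgres",
                     "temp_tablespaces": "temp_tablespc", "temp_file_limit": "-1"}

if __name__ == "__main__":
    for finding in audit_locations(DEFAULT_CLUSTER, {}):
        print(finding)
```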

See Also

https://workbench.cisecurity.org/benchmarks/11861

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|18.11

Plugin: PostgreSQLDB

Control ID: f6edf9a4efdbd2951923b113f94d274b57c2c22d36fccdb633fa551d17b6b22c