6.3 Ensure 'Postmaster' Runtime Parameters are Configured

Information

PostgreSQL runtime parameters that are executed by the postmaster process.

Rationale:

The postmaster process is the supervisory process that assigns a backend process to an incoming client connection. The postmaster manages key runtime parameters that are either shared by all backend connections or needed by the postmaster process itself to run.

Impact:

All changes made on this level will affect the overall behavior of the server. These changes can be effected by editing the PostgreSQL configuration files and by either executing a server SIGHUP from the command line or, as superuser postgres, executing the SQL command select pg_reload_conf(). A denial of service is possible by the over-allocating of limited resources, such as RAM. Data can be corrupted by allowing damaged pages to load or by changing parameters to reinterpret values in an unexpected fashion, e.g. changing the time zone. Client messages can be altered in such a way as to interfere with the application logic. Logging can be altered and obfuscated inhibiting root cause analysis.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Once detected, the unauthorized/undesired change can be corrected by editing the altered configuration file and executing a server restart. In the case where the parameter has been specified on the command-line invocation of pg_ctl the restart invocation is insufficient and an explicit stop and start must instead be made.
Detecting a change is possible by one of the following methods:

Query the view pg_settings and compare with previous query outputs for any changes

Review the configuration files postgresql.conf and postgresql.auto.conf and compare with previously archived file copies for any changes

Examine the process output and look for parameters that were used at server startup:

ps -few | grep -E -- '[p]ost.*-[D]'

Examine the contents of $PGDATA/postmaster.opts

See Also

https://workbench.cisecurity.org/benchmarks/17004

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|18.11

Plugin: PostgreSQLDB

Control ID: 6aa56979abca348605549d90df8cdb9ab7ea4da9ee8685bd8a2d0191ac37dc9e