6.2 Ensure 'backend' runtime parameters are configured correctly

Information

In order to serve multiple clients efficiently, the PostgreSQL server launches a new 'backend' process for each client. The runtime parameters in this benchmark section are controlled by the backend process. The server's performance, in the form of slow queries causing a denial of service, and the RDBM's auditing abilities for determining root cause analysis can be potentially compromised via these parameters.

Rationale:

A denial of service is possible by denying the use of indexes and by slowing down client access to an unreasonable level. Unsanctioned behavior can be introduced by introducing rogue libraries which can then be called in a database session. Logging can be altered and obfuscated inhibiting root cause analysis.

Impact:

All changes made on this level will affect the overall behavior of the server. These changes can only be affected by a server restart after the parameters have been altered in the configuration files.

Solution

Once detected, the unauthorized/undesired change can be corrected by altering the configuration file and executing a server restart. In the case where the parameter has been specified on the command-line invocation of pg_ctl the restart invocation is insufficient and an explicit stop and start must instead be made.

Query the view pg_settings and compare with previous query outputs for any changes.

Review configuration files postgresql.conf and postgresql.auto.conf and compare them with previously archived file copies for any changes.

Examine the process output and look for parameters that were used at server startup:

ps -few | grep -E -- '[p]ost.*-[D]'

Examine the contents of $PGDATA/postmaster.opts

See Also

https://workbench.cisecurity.org/benchmarks/17004

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|18.11

Plugin: PostgreSQLDB

Control ID: 08136f175768030b8ad4b2d6410a6f540b8024b03b4f2f430970f78d3d84bdb4