6.5 Ensure 'Superuser' Runtime Parameters are Configured

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

PostgreSQL runtime parameters that can only be executed by the server's superuser, postgres.

Rationale:

In order to improve and optimize server performance, the server's superuser has the privilege of setting these parameters which are found in the configuration file postgresql.conf. Alternatively, they can be changed in a PostgreSQL login session via the SQL command ALTER SYSTEM which writes its changes in the configuration file postgresql.auto.conf.

Impact:

All changes made on this level will affect the overall behavior of the server. These changes can only be affected by a server restart after the parameters have been altered in the configuration files. A denial of service is possible by the over-allocating of limited resources, such as RAM. Data can be corrupted by allowing damaged pages to load or by changing parameters to reinterpret values in an unexpected fashion, e.g. changing the time zone. Client messages can be altered in such a way as to interfere with the application logic. Logging can be altered and obfuscated inhibiting root cause analysis.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

The exploit is made in the configuration files. These changes are effected upon server restart. Once detected, the unauthorized/undesired change can be made by editing the altered configuration file and executing a server restart. In the case where the parameter has been set on the command-line invocation of pg_ctl the restart invocation is insufficient and an explicit stop and start must instead be made.
Detecting a change is possible by one of the following methods:

Query the view pg_settings and compare with previous query outputs for any changes.

Review the configuration files postgreql.conf and postgreql.auto.conf and compare with previously archived file copies for any changes

Examine the process output and look for parameters that were used at server startup:

ps aux | grep -E -- '[p]ost.*-[D]'

Examine the contents of $PGDATA/postmaster.opts

See Also

https://workbench.cisecurity.org/files/4247