8.4 Ensure miscellaneous configuration settings are correct

Information

This recommendation covers non-regular, special files, and dynamic libraries.
PostgreSQL permits local logins via the UNIX DOMAIN SOCKET and, for the most part, anyone with a legitimate Unix login account can make the attempt. Limiting PostgreSQL login attempts can be made by relocating the UNIX DOMAIN SOCKET to a subdirectory with restricted permissions.
The creation and implementation of user-defined dynamic libraries is an extraordinary powerful capability. In the hands of an experienced DBA/programmer, it can significantly enhance the power and flexibility of the RDBMS. But new and unexpected behavior can also be assigned to the RDBMS, resulting in a very dangerous environment in what should otherwise be trusted.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Follow these steps to remediate the configuration:
Determine permissions based on your organization's security policies.
Relocate all files and ensure their permissions are restricted as much as possible, i.e. only superuser read access.
Ensure all directories where these files are located have restricted permissions such that the superuser can read but not write.
Lastly, change the settings accordingly in the postgresql.conf configuration file and restart the database cluster for changes to take effect.
Default Value:
The dynamic_library_path default is $libdir and unix_socket_directories default is /var/run/postgresql, /tmp. The default for external_pid_file and all library parameters are initially null, or not set, upon cluster creation.

See Also

https://workbench.cisecurity.org/files/2234

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv6|18.7, CSCv7|18.11

Plugin: PostgreSQLDB

Control ID: a67ad6ad37e95e2aef6ff66c4726a341bceb38f77f8b9c2e48b09ae297057df3