6.6 Ensure 'User' Runtime Parameters are Configured

Information

These PostgreSQL runtime parameters are managed at the user account (ROLE) level.
Rationale:
In order to improve performance and optimize features, a ROLE can set numerous runtime parameters for a single transaction, for a session, or persistently as an attribute of an entity such as a ROLE. Any ROLE can alter any of these parameters.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

For user sessions, verify that login sessions are not making undesired parameter changes. Attributes that have been changed on entities (for example, parameters stored as ROLE attributes) must be manually reverted to their default value(s).
Impact:
A denial of service is possible by over-allocating limited resources such as RAM. Changing VACUUM parameters can force a server shutdown, which is the standard safeguard against data corruption from transaction ID wraparound. Data can be corrupted by changing parameters so that values are reinterpreted in an unexpected fashion, e.g. changing the time zone. Logging can be altered and obfuscated to inhibit root cause analysis.
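The following SQL is an added example, not part of the benchmark text or the Nessus plugin output. It shows how a DBA can audit the two places the control cares about: parameters persisted as ROLE (or ROLE-in-database) attributes, and parameters that the current session has overridden. The role name `app_user` and database name `appdb` in the remediation statements are placeholders. The catalogs `pg_roles`, `pg_db_role_setting`, `pg_database` and the `pg_settings` view are standard PostgreSQL system objects.

```sql
-- 1. Persisted ROLE-level parameters.
--    rolconfig is NULL for roles that have never had ALTER ROLE ... SET applied,
--    so the expected compliant result is zero rows (or only rows you have approved).
SELECT rolname, rolconfig
FROM   pg_roles
WHERE  rolconfig IS NOT NULL;

-- 2. The same information with per-database scope included.
--    pg_db_role_setting also holds ALTER ROLE ... IN DATABASE ... SET and
--    ALTER DATABASE ... SET entries; setrole/setdatabase are 0 when unscoped.
SELECT COALESCE(r.rolname, '<all roles>')     AS role_name,
       COALESCE(d.datname, '<all databases>') AS database_name,
       s.setconfig                            AS parameters
FROM   pg_db_role_setting s
LEFT JOIN pg_roles    r ON r.oid = s.setrole
LEFT JOIN pg_database d ON d.oid = s.setdatabase
ORDER BY role_name, database_name;

-- 3. Session-level overrides visible from the current connection.
--    source tells you where the effective value came from; anything other than
--    'default' or 'configuration file' was set by a role, a database attribute,
--    the client at connect time, or a SET in this session.
SELECT name, setting, source
FROM   pg_settings
WHERE  source IN ('user', 'database', 'session', 'client')
ORDER BY source, name;

-- 4. Remediation for a role that should not carry persisted parameters
--    (placeholder names; run as a superuser or the role's owner).
ALTER ROLE app_user RESET ALL;
ALTER ROLE app_user IN DATABASE appdb RESET ALL;

-- 5. Clearing overrides made with SET inside the current session.
RESET ALL;
```

Query 3 only reflects the session it is run in, so it is suited to spot-checking a connection, not to a fleet-wide audit; queries 1 and 2 are the ones to schedule, and a row for a parameter named in the Impact section (memory, VACUUM, time zone or logging settings) is the finding to escalate.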

See Also

https://workbench.cisecurity.org/files/2235

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv6|5.1, CSCv7|4

Plugin: PostgreSQLDB

Control ID: db3753987a50ce916535fa40a5d86d9bf522a37283220d116a4d7b73ff98b8ba