Detections
Analytics

EP11-00-004000 - Access to external executables must be disabled or restricted.

Information

Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives.

Applications must adhere to the principles of least functionality by providing only essential capabilities.

EDB Postgres Advanced Server may spawn additional external processes to execute procedures that are defined in EDB Postgres Advanced Server but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than EDB Postgres Advanced Server and provide unauthorized access to the host system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To uninstall programs that are not approved, open Control Program | Programs | Programs and Features. Select any programs that should not be installed, click the 'uninstall' button, and follow the prompts to uninstall the software.

To remove the SUPERUSER privilege from a role, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:

 ALTER ROLE <role name> WITH NOSUPERUSER;

To remove a role that has been granted to another role, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:

 REVOKE ROLE <name of role to be removed> FROM <role name>;

To remove an extension from a Postgres database, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:

 DROP EXTENSION <name of extension to be removed>;

To remove a function from a Postgres database, execute the following SQL statement in psql or another Postgres SQL client as enterprisedb:

 DROP FUNCTION <name of function to be removed>;

If the unapproved function is contained in an EDB-SPL database package, drop the package specification and body or replace the package specification and package body source with an updated version of the source that does not include the unapproved function.

To drop a package, execute the following SQL statements in psql or another EDB Postgres Advanced Server SQL client as enterprisedb:

 DROP PACKAGE BODY <name of package to be dropped>;
 DROP PACKAGE <name of package to be dropped>;

To update a package, execute the 'CREATE OR REPLACE PACKAGE <package name>' and 'CREATE OR REPLACE PACKAGE BODY <package name>' SQL statements in psql or another EDB Postgres Advanced Server SQL client. See the EnterpriseDB 'Database Compatibility for Oracle Developers Reference Guide' for more information about the commands for creating, replacing, and dropping database packages.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EDB_PGS_Advanced_Server_v11_Windows_V2R4_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-224163r960963_rule, STIG-ID|EP11-00-004000, STIG-Legacy|SV-109457, STIG-Legacy|V-100353, Vuln-ID|V-224163

Plugin: Windows

Control ID: 0b5df82cad148bdca997a157f1ac42e12b671c87a2289e202d5c97b9e5a16817