VCPG-70-000001 - VMware Postgres must limit the number of connections.

Information

Database management includes the ability to control the number of users and user sessions utilizing a database management system (DBMS). Unlimited concurrent connections to the DBMS could allow a successful denial-of-service (DoS) attack by exhausting connection resources, and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks.

VMware Postgres as deployed on the vCenter Service Appliance (VCSA) comes preconfigured with a 'max_connections' limit that is appropriate for all tested, supported scenarios. The out-of-the-box configuration is dynamic, based on a lower limit plus allowances for the resources assigned to VCSA and the deployment size. However, this number will always be between 100 and 1000 (inclusive).

Solution

At the command prompt, run the following command:

# vmon-cli --restart vmware-vpostgres

Note: Restarting the service runs the 'pg_tuning' script that will configure 'max_connections' to the appropriate value based on the allocated memory for vCenter.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-10, CAT|II, CCI|CCI-000054, Rule-ID|SV-256591r887559_rule, STIG-ID|VCPG-70-000001, Vuln-ID|V-256591

Plugin: Unix

Control ID: 93e30684729e89900d2c528a83957bd120877038c45aa66f48c80d2ab8f58678