V-72841
Severity: Medium
Generated: 2019-05-20 15:48:11.984914
PostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
NIST 800-53
STIG # | Description | Result
---|---|---
CM-7 | CM-7: Least Functionality | passed
Guidance
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols/services on information systems.
Applications are capable of providing a wide variety of functions and
services. Some of the functions and services provided by default may
not be necessary to support essential organizational operations.
Additionally, it is sometimes convenient to provide multiple services
from a single component (e.g., email and web services); however, doing
so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the
application must support the organizational requirements providing only
essential capabilities and limiting the use of ports, protocols, and/or
services to only those required, authorized, and approved to conduct
official business or to address authorized quality of life issues.
Database Management Systems using ports, protocols, and services deemed
unsafe are open to attack through those ports, protocols, and services.
This can allow unauthorized access to the database and through the
database to other components of the information system.
Check
As the database administrator, run the following SQL:
$ psql -c "SHOW port"
If the currently defined port configuration is deemed prohibited, this is a finding.
Fix
Note: The following instructions use the PGDATA environment variable. See supplementary content APPENDIX-F for instructions on configuring PGDATA.
To change the listening port of the database, as the database administrator, change the following setting in postgresql.conf:
$ sudo su - postgres
$ vi $PGDATA/postgresql.conf
Change the port parameter to the desired port.
Next, restart the database:
$ sudo su - postgres
# SYSTEMD SERVER ONLY
$ systemctl restart postgresql-9.5
# INITD SERVER ONLY
$ service postgresql-9.5 restart
Note: psql connects to port 5432 by default. This can be changed by specifying the port on the psql command line or by setting the PGPORT environment variable:
$ psql -p 5432 -c "SHOW port"
$ export PGPORT=5432
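As an added example (not part of the STIG text or the InSpec profile), the POSIX shell helper below resolves the effective port from a postgresql.conf the way the server does and compares it with an organization-approved list; the sample config files and the approved list are constructed here, and in practice the list would come from the PPSM CAL.

```shell
#!/bin/sh
# Added example, not part of the STIG or the InSpec profile: resolve the
# effective "port" from a postgresql.conf the way the server does (a '#'
# starts a comment, the last uncommented assignment wins, no assignment
# means the compiled-in default 5432) and check it against an approved list.

# Constructed sample configs, written to temp files so the example runs offline.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# PostgreSQL configuration file (constructed sample)
#port = 5432                    # commented out: does not count
listen_addresses = 'localhost'
port = 5433                     # (change requires restart)
port = 5444
EOF

SAMPLE_CONF_DEFAULT="$(mktemp)"
printf '#port = 5432\nlisten_addresses = %s\n' "'localhost'" > "$SAMPLE_CONF_DEFAULT"

# effective_port CONF -> prints the port PostgreSQL would listen on
effective_port() {
  p=$(sed -e 's/#.*//' "$1" | awk -F'=' '$1 ~ /^[[:space:]]*port[[:space:]]*$/ { gsub(/[^0-9]/, "", $2); v = $2 } END { print v }')
  if [ -n "$p" ]; then echo "$p"; else echo 5432; fi
}

# port_approved PORT "LIST" -> exit status 0 when PORT is in the space-separated
# approved list (the list itself would come from the PPSM CAL / local policy)
port_approved() {
  for a in $2; do
    [ "$1" = "$a" ] && return 0
  done
  return 1
}

# check_conf CONF "LIST" -> one-line verdict for the effective port
check_conf() {
  p=$(effective_port "$1")
  if port_approved "$p" "$2"; then echo "port $p: approved"; else echo "port $p: FINDING"; fi
}

check_conf "$SAMPLE_CONF" "5432 5444"
```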
Test Results
Test | Result
---|---
PostgreSQL query: SHOW port; output should eq "5432" | passed
Port 5432 should be listening | passed
Port 5432 processes should include "postgres" | passed
Code
control "V-72841" do
title "PostgreSQL must be configured to prohibit or restrict the use of
organization-defined functions, ports, protocols, and/or services, as
defined in the PPSM CAL and vulnerability assessments."
desc "In order to prevent unauthorized connection of devices, unauthorized
transfer of information, or unauthorized tunneling (i.e., embedding of
data types within data types), organizations must disable or restrict
unused or unnecessary physical and logical ports/protocols/services on
information systems.
Applications are capable of providing a wide variety of functions and
services. Some of the functions and services provided by default may
not be necessary to support essential organizational operations.
Additionally, it is sometimes convenient to provide multiple services
from a single component (e.g., email and web services); however, doing
so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the
application must support the organizational requirements providing only
essential capabilities and limiting the use of ports, protocols, and/or
services to only those required, authorized, and approved to conduct
official business or to address authorized quality of life issues.
Database Management Systems using ports, protocols, and services deemed
unsafe are open to attack through those ports, protocols, and services.
This can allow unauthorized access to the database and through the
database to other components of the information system."
impact 0.5
tag "severity": "medium"
tag "gtitle": "SRG-APP-000142-DB-000094"
tag "gid": "V-72841"
tag "rid": "SV-87493r1_rule"
tag "stig_id": "PGS9-00-000100"
tag "cci": "CCI-000382"
tag "nist": ["CM-7 b", "Rev_4"]
tag "cci": "CCI-001762"
tag "nist": ["CM-7 (1) (b)", "Rev_4"]
tag "check": "As the database administrator, run the following SQL:
$ psql -c \"SHOW port\"
If the currently defined port configuration is deemed prohibited, this is a
finding."
tag "fix": "Note: The following instructions use the PGDATA environment
variable. See supplementary content APPENDIX-F for instructions on configuring
PGDATA.
To change the listening port of the database, as the database administrator,
change the following setting in postgresql.conf:
$ sudo su - postgres
$ vi $PGDATA/postgresql.conf
Change the port parameter to the desired port.
Next, restart the database:
$ sudo su - postgres
# SYSTEMD SERVER ONLY
$ systemctl restart postgresql-9.5
# INITD SERVER ONLY
$ service postgresql-9.5 restart
Note: psql uses the default port 5432 by default. This can be changed by
specifying the port with psql or by setting the PGPORT environment variable:
$ psql -p 5432 -c \"SHOW port\"
$ export PGPORT=5432"
sql = postgres_session(PG_DBA, PG_DBA_PASSWORD, PG_HOST)
describe sql.query('SHOW port;', [PG_DB]) do
its('output') { should eq PG_PORT }
end
describe port(PG_PORT) do
it { should be_listening }
its('processes') { should include 'postgres' }
end
end