EP11-00-008700 – The EDB Postgres Advanced Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

Details

Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.

A database cluster listens on a single port (usually 5444 for Postgres Plus Advanced Server). The Postgres Enterprise Manager (PEM) agents do not listen on ports, they only act as clients to the PEM server. The PEM server has two components (a repository which is a Postgres database) and an Apache HTTPD application. The Apache HTTPD application listens on a port configured in Apache, generally 8080 or 8443.

The ports to check are:

1) The primary Postgres cluster port,

2) If PEM is in use, the PEM Apache HTTPD port, and

3) The PEM Repository DB port.

Generally 2 and 3 should be installed on an isolated management machine without access from anyone other than administrators.

Solution

Disable each prohibited network function, port, protocol, or service prohibited by the PPSM guidance.

Open the pg_hba.conf file in an editor and change the TYPE of any rows not starting with a ‘#’ to be ‘hostssl’. The METHOD for the hostssl rows should be one of these (in preferred order): cert, sspi, ldap, scram-sha-256

Note that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:

psql -d -U -c ‘SHOW hba_file’

where, is any database in the EDB postgres instance and is a database superuser. By default, a database named ‘edb’ and a superuser named ‘enterprisedb’ are installed with EDB Postgres Advanced Server (EPAS).

Execute the following SQL as enterprisedb:

ALTER SYSTEM SET port = ;

Restart the database service. For EDB Postgres Advanced Server, the default service name for an instance will be ‘edb-as-‘ with a default display name of ‘edb-as- – Advanced Server ‘, where ‘‘ is the major version number of the EDB Postgres Advanced Server that is installed:

To restart the database service, using the Windows Services Control Manager:
1. Open the Windows Services Control Manager.
2. Select the database service from the list of services, right-click it, and select ‘Restart’.

Alternatively, the database can be restarted via the Windows command line using either the NET or SC command as follows:

NET STOP
NET START

SC STOP
SC START

In the above commands, replace with the actual service name corresponding to the EDB Postgres instance.

Note that if pgAgent is installed and running, the corresponding pgAgent service is dependent on the EDB Postgres database service and must first be stopped to restart the database service. After restarting the database service, the pgAgent service may be started again.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_EDB_PGS_Advanced_Server_v11_Windows_V2R1_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Windows.

References

800-53|CM-7(1)(b)
CAT|II
CCI|CCI-001762
Rule-ID|SV-224203r508023_rule
STIG-ID|EP11-00-008700
STIG-Legacy|SV-109531
STIG-Legacy|V-100427
Vuln-ID|V-224203

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles