The EDB Postgres Advanced Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

An XCCDF Rule

Description

<VulnDiscussion>Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats. A database cluster listens on a single port (usually 5444 for Postgres Plus Advanced Server). The Postgres Enterprise Manager (PEM) agents do not listen on ports, they only act as clients to the PEM server. The PEM server has two components (a repository which is a Postgres database) and an Apache HTTPD application. The Apache HTTPD application listens on a port configured in Apache, generally 8080 or 8443. The ports to check are: 1) The primary Postgres cluster port, 2) If PEM is in use, the PEM Apache HTTPD port, and 3) The PEM Repository DB port. Generally 2 and 3 should be installed on an isolated management machine without access from anyone other than administrators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-224203r879756_rule
Severity: Medium
References: CCI-001762
Updated: 9 months ago

Disable each prohibited network function, port, protocol, or service prohibited by the PPSM guidance.

Open the pg_hba.conf file in an editor and change the TYPE of any rows not starting with a "#" to be "hostssl". The METHOD for the hostssl rows should be one of these (in preferred order): cert, sspi, ldap, scram-sha-256

Note that the default location for the pg_hba.conf file is in the postgresql data directory. The location of the pg_hba.conf file for a running postgres instance can be found using the following command run from a Windows command prompt:
 psql -d <database name> -U <database superuser name> -c "SHOW hba_file"

where, <database name> is any database in the EDB postgres instance and <database superuser name> is a database superuser. By default, a database named "edb" and a superuser named "enterprisedb" are installed with EDB Postgres Advanced Server (EPAS).

Execute the following SQL as enterprisedb:

 ALTER SYSTEM SET port = <port>;

Restart the database service. For EDB Postgres Advanced Server, the default service name for an instance will be "edb-as-<version>" with a default display name of "edb-as-<version> - Advanced Server <version>", where "<version>" is the major version number of the EDB Postgres Advanced Server that is installed:

To restart the database service, using the Windows Services Control Manager:
 1. Open the Windows Services Control Manager.
 2. Select the database service from the list of services, right-click it, and select "Restart".

Alternatively, the database can be restarted via the Windows command line using either the NET or SC command as follows:

 NET STOP <service name>
 NET START <service name>

or

 SC STOP <service name>
 SC START <service name>

In the above commands, replace <service name> with the actual service name corresponding to the EDB Postgres instance.

Note that if pgAgent is installed and running, the corresponding pgAgent service is dependent on the EDB Postgres database service and must first be stopped to restart the database service. After restarting the database service, the pgAgent service may be started again.

The EDB Postgres Advanced Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

Description

Remediation - Manual Procedure