STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The EDB Postgres Advanced Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

DISA Rule

SV-224164r508023_rule

Vulnerability Number

V-224164

Group Title

SRG-APP-000142-DB-000094

Rule Version

EP11-00-004100

Severity

CAT II

CCI(s)

• CCI-000382 - The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.

Weight

10

Fix Recommendation

Execute the following SQL as enterprisedb:

ALTER SYSTEM SET port = <port>;
ALTER SYSTEM SET listen_addresses = <comma separated addresses>;

Restart the database service. For EDB Postgres Advanced Server, the default service name is "edb-as-<EDB Version #>" with a default display name of "edb-as-<EDB Version #> - Advanced Server <EDB Version #>":

To restart the database service, using the Windows Services Control Manager:
1. Open the Windows Services Control Manager.
2. Select the database service from the list of services, right-click it, and select "Restart".

Alternatively, the database can be restarted via the Windows command line using either the NET or SC command as follows:

NET STOP <service name>
NET START <service name>

or

SC STOP <service name>
SC START <service name>

Note that if pgAgent is installed and running, the corresponding pgAgent service is dependent on the EDB Postgres database service and will first need to be stopped in order to restart the database service. After restarting the database service, the pgAgent service may be started again.

Check Contents

Review documentation for approved list of ports, protocols, and addresses.

To list the port that is being used, execute the following SQL as enterprisedb:

SHOW port;

If the port returned by the above command is not approved, this is a finding.

To list the interface addresses that are being used, execute the following SQL as enterprisedb:

SHOW listen_addresses;

For the above statement, a return value of "*" indicates that the database cluster (i.e., instance) is configured to listen on all interfaces on the database host.

If the addresses returned are not approved, this is a finding.

Vulnerability Number

V-224164

Documentable

False

Rule Version

EP11-00-004100

Severity Override Guidance

Review documentation for approved list of ports, protocols, and addresses.

To list the port that is being used, execute the following SQL as enterprisedb:

SHOW port;

If the port returned by the above command is not approved, this is a finding.

To list the interface addresses that are being used, execute the following SQL as enterprisedb:

SHOW listen_addresses;

For the above statement, a return value of "*" indicates that the database cluster (i.e., instance) is configured to listen on all interfaces on the database host.

If the addresses returned are not approved, this is a finding.

Check Content Reference

M

Target Key

4107

Comments