PostgreSQL must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-233548 | CD12-00-004150 | SV-233548r961470_rule | CCI-001762 | medium |
| Description | ||||
| Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats. | ||||
| STIG | Date | |||
| Crunchy Data PostgreSQL Security Technical Implementation Guide | 2024-08-27 | |||
Details
Check Text (C-233548r961470_chk)
As the database administrator, run the following SQL:
$ psql -c "SHOW port"
If the currently defined port configuration is deemed prohibited, this is a finding.
Fix Text (F-36707r606868_fix)
Note: The following instructions use the PGDATA and PGVER environment variables. See supplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.
To change the listening port of the database, as the database administrator, change the following setting in postgresql.conf:
$ sudo su - postgres
$ vi $PGDATA/postgresql.conf
Change the port parameter to the desired port.
Next, restart the database:
$ sudo systemctl restart postgresql-${PGVER?}
Note: psql uses the port 5432 by default. This can be changed by specifying the port with psql or by setting the PGPORT environment variable:
$ psql -p 5432 -c "SHOW port"
$ export PGPORT=5432