VMware Postgres must limit the number of connections.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239196 | VCPG-67-000001 | SV-239196r717045_rule | Medium |
| Description |
|---|
| Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful denial-of-service (DoS) attack by exhausting connection resources, and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. VMware Postgres as deployed on the VCSA comes preconfigured with a max_connections limit that is appropriate for all tested, supported scenarios. The out-of-the-box configuration is dynamic, based on a lower limit plus allowances for the resources assigned to VCSA and the deployment size. However, this number will always be between 100 and 1000 (inclusive). |
| STIG | Date |
|---|---|
| VMware vSphere 6.7 PostgreSQL Security Technical Implementation Guide | 2021-04-15 |
Details
| Check Text ( C-42429r717044_chk ) |
|---|
| At the command prompt, execute the following command: # /opt/vmware/vpostgres/current/bin/psql -U postgres -c "SHOW max_connections;"|sed -n 3p|sed -e 's/^[ ]*//' If the returned number is not greater than or equal to 100 and less than or equal to 1000, this is a finding. |
| Fix Text (F-42388r678960_fix) |
|---|
| At the command prompt, execute the following commands: # /opt/vmware/vpostgres/current/bin/psql -U postgres -c "ALTER SYSTEM SET max_connections TO '345';" # /opt/vmware/vpostgres/current/bin/psql -U postgres -c "SELECT pg_reload_conf();" |