Detections
Analytics
1.3 Ensure Installation of Community Packages
Information
Adding, and installing, the PostgreSQL community packages to the host's package repository.Rationale:
It's an unfortunate reality that Linux distributions do not always have the most up-to-date versions of PostgreSQL. Disadvantages of older releases include: missing bug patches, no access to highly desirable contribution modules, no access to 3rd party projects that are complimentary to PostgreSQL, and no upgrade path migrating from one version of PostgreSQL to the next. The worst set of circumstances is to be limited to a version of the RDBMS that has reached its end-of-life.
From a security perspective, it's imperative that Postgres Community Packages are only obtained from the official website https://yum.postgresql.org/. Being open source, the Postgres packages are widely available over the internet via myriad package aggregators and providers. Obtaining software from these unofficial sites risks installing defective, corrupt, or downright malicious versions of PostgreSQL.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
The following example blocks the outdated distro packages, adds the PGDG repository RPM for PostgreSQL version 10, and installs the client-server-contributions rpms to the host where you want to install the RDBMS:$ whoami
root
$ vi /etc/yum.repos.d/CentOS-Base.repo
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo
=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
exclude=postgresql* <-- add this line
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo
=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
exclude=postgresql* <-- add this line
Using a web browser, go to http://yum.postgresql.org and navigate to the repo download link for your OS and version:
$ whoami
root
$ yum -y install https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm
Finally, install the PostgreSQL packages:
$ whoami
root
$ yum -y groupinstall 'PostgreSQL Database Server 10 PGDG'
Loaded plugins: fastestmirror
Setting up Group Process
Loading mirror speeds from cached hostfile
* base: mirror.us.oneandone.net
* extras: centos.mirrors.tds.net
* updates: mirror.cisp.com
base | 3.7 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
base/group_gz | 242 kB 00:00
pgdg10/group_gz | 249 B 00:00
Resolving Dependencies
--> Running transaction check
---> Package postgresql10.x86_64 0:10.7-1PGDG.rhel7 will be installed
---> Package postgresql10-contrib.x86_64 0:10.7-1PGDG.rhel7 will be installed
--> Processing Dependency: libxslt.so.1(LIBXML2_1.0.22)(64bit) for package: postgresql10-contrib-10.7-1PGDG.rhel7.x86_64
--> Processing Dependency: libxslt.so.1(LIBXML2_1.0.18)(64bit) for package: postgresql10-contrib-10.7-1PGDG.rhel7.x86_64
--> Processing Dependency: libxslt.so.1(LIBXML2_1.0.11)(64bit) for package: postgresql10-contrib-10.7-1PGDG.rhel7.x86_64
--> Processing Dependency: libxslt.so.1()(64bit) for package: postgresql10-contrib-10.7-1PGDG.rhel7.x86_64
---> Package postgresql10-libs.x86_64 0:10.7-1PGDG.rhel7 will be installed
---> Package postgresql10-server.x86_64 0:10.7-1PGDG.rhel7 will be installed
--> Running transaction check
---> Package libxslt.x86_64 0:1.1.26-2.el7_3.1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
postgresql10 x86_64 10.7-1PGDG.rhel7 pgdg10 1.4 M
postgresql10-contrib x86_64 10.7-1PGDG.rhel7 pgdg10 492 k
postgresql10-libs x86_64 10.7-1PGDG.rhel7 pgdg10 289 k
postgresql10-server x86_64 10.7-1PGDG.rhel7 pgdg10 5.0 M
Installing for dependencies:
libxslt x86_64 1.1.26-2.el7_3.1 base 452 k
Transaction Summary
================================================================================
Install 5 Package(s)
Total download size: 7.7 M
Installed size: 31 M
Downloading Packages:
(1/5): libxslt-1.1.26-2.el7_3.1.x86_64.rpm | 452 kB 00:00
(2/5): postgresql10-10.7-1PGDG.rhel7.x86_64.rpm | 1.4 MB 00:01
(3/5): postgresql10-contrib-10.7-1PGDG.rhel7.x86_64.rpm | 492 kB 00:00
(4/5): postgresql10-libs-10.7-1PGDG.rhel7.x86_64.rpm | 289 kB 00:00
(5/5): postgresql10-server-10.7-1PGDG.rhel7.x86_64.rpm | 5.0 MB 00:00
--------------------------------------------------------------------------------
Total 2.5 MB/s | 7.7 MB 00:03
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : postgresql10-libs-10.7-1PGDG.rhel7.x86_64 1/5
Installing : postgresql10-10.7-1PGDG.rhel7.x86_64 2/5
Installing : libxslt-1.1.26-2.el7_3.1.x86_64 3/5
Installing : postgresql10-contrib-10.7-1PGDG.rhel6.x86_64 4/5
Installing : postgresql10-server-10.7-1PGDG.rhel6.x86_64 5/5
Verifying : libxslt-1.1.26-2.el7_3.1.x86_64 1/5
Verifying : postgresql10-10.7-1PGDG.rhel7.x86_64 2/5
Verifying : postgresql10-libs-10.7-1PGDG.rhel7.x86_64 3/5
Verifying : postgresql10-server-10.7-1PGDG.rhel7.x86_64 4/5
Verifying : postgresql10-contrib-10.7-1PGDG.rhel7.x86_64 5/5
Installed:
postgresql10.x86_64 0:10.7-1PGDG.rhel7
postgresql10-contrib.x86_64 0:10.7-1PGDG.rhel7
postgresql10-libs.x86_64 0:10,7-1PGDG.rhel7
postgresql10-server.x86_64 0:10,7-1PGDG.rhel7
Dependency Installed:
libxslt.x86_64 0:1.1.26-2.el7_3.1
Complete!
Note: The above-mentioned example is referenced as an illustration only. Package names and versions may differ.
See Also
Item Details
Audit Name: CIS PostgreSQL 10 OS v1.0.0
Category: SYSTEM AND INFORMATION INTEGRITY
References: 800-53|SI-2c., CSCv6|18.1, CSCv7|18.3
Plugin: Unix
Control ID: 20c067568b95ed2fd9f6d9f5caa812777b462d9b2daf4cd720b5564aac4a79dd