1.3 Ensure Installation of Community Packages

Information

Add the PostgreSQL community packages to the host's package repository and install them.
Rationale:
It's an unfortunate reality that Linux distributions do not always have the most up-to-date versions of PostgreSQL. Disadvantages of older releases include: missing bug patches, no access to highly desirable contribution modules, no access to third-party projects that are complementary to PostgreSQL, and no upgrade path migrating from one version of PostgreSQL to the next. The worst set of circumstances is to be limited to a version of the RDBMS that has reached its end-of-life.
From a security perspective, it's imperative that Postgres Community Packages are only obtained from the official website https://yum.postgresql.org/. Being open source, the Postgres packages are widely available over the internet via myriad package aggregators and providers. Obtaining software from these unofficial sites risks installing defective, corrupt, or downright malicious versions of PostgreSQL.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

The following example adds the PGDG repository RPM for PostgreSQL, configures yum to prefer the PGDG packages for version 11, and installs the client, server, and contrib RPMs on the host where you want to install the RDBMS.
Using a web browser, go to http://yum.postgresql.org and navigate to the repo download link for your OS and version. Copy the URL to the repo file, and then tell yum to install it:
[root@centos7 ~]# whoami
root
[root@centos7 ~]# yum install https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Loaded plugins: fastestmirror
pgdg-redhat-repo-latest.noarch.rpm | 5.6 kB 00:00:00
Examining /var/tmp/yum-root-CubWbD/pgdg-redhat-repo-latest.noarch.rpm: pgdg-redhat-repo-42.0-4.noarch
Marking /var/tmp/yum-root-CubWbD/pgdg-redhat-repo-latest.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package pgdg-redhat-repo.noarch 0:42.0-4 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================
Package Arch Version Repository Size
====================================================================================================================
Installing:
pgdg-redhat-repo noarch 42.0-4 /pgdg-redhat-repo-latest.noarch 6.8 k

Transaction Summary
====================================================================================================================
Install 1 Package

Total size: 6.8 k
Installed size: 6.8 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : pgdg-redhat-repo-42.0-4.noarch 1/1
Verifying : pgdg-redhat-repo-42.0-4.noarch 1/1

Installed:
pgdg-redhat-repo.noarch 0:42.0-4

Complete!
Now, configure yum to prefer the PGDG packages for version 11:
[root@centos7 ~]# yum -y install yum-priorities
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.sfo12.us.leaseweb.net
* extras: mirror.umd.edu
* updates: ftp.usf.edu
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-priorities.noarch 0:1.1.31-50.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================
Package Arch Version Repository Size
====================================================================================================================
Installing:
yum-plugin-priorities noarch 1.1.31-50.el7 base 29 k

Transaction Summary
====================================================================================================================
Install 1 Package

Total download size: 29 k
Installed size: 28 k
Downloading packages:
yum-plugin-priorities-1.1.31-50.el7.noarch.rpm | 29 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : yum-plugin-priorities-1.1.31-50.el7.noarch 1/1
Verifying : yum-plugin-priorities-1.1.31-50.el7.noarch 1/1

Installed:
yum-plugin-priorities.noarch 0:1.1.31-50.el7

Complete!
[root@centos7 ~]# whoami
root
[root@centos7 ~]# vi /etc/yum.repos.d/pgdg-redhat-all.repo
<snip>
[pgdg11]
name=PostgreSQL 11 $releasever - $basearch
baseurl=https://download.postgresql.org/pub/repos/yum/11/redhat/rhel-$releasever-$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
priority=1 <-- add this line
<snip>
Finally, install the PostgreSQL packages:
[root@centos7 ~]# whoami
root
[root@centos7 ~]# yum -y groupinstall 'PostgreSQL Database Server 11 PGDG'
Loaded plugins: fastestmirror, priorities
There is no installed groups file.
Maybe run: yum groups mark convert (see man yum)
Loading mirror speeds from cached hostfile
* base: mirror.sfo12.us.leaseweb.net
* extras: mirror.umd.edu
* updates: ftp.usf.edu
pgdg10 | 3.6 kB 00:00:00
pgdg11 | 3.6 kB 00:00:00
pgdg94 | 3.6 kB 00:00:00
pgdg95 | 3.6 kB 00:00:00
pgdg96 | 3.6 kB 00:00:00
1401 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package postgresql11.x86_64 0:11.3-1PGDG.rhel7 will be installed
--> Processing Dependency: libicu for package: postgresql11-11.3-1PGDG.rhel7.x86_64
---> Package postgresql11-contrib.x86_64 0:11.3-1PGDG.rhel7 will be installed
--> Processing Dependency: libxslt.so.1(LIBXML2_1.0.22)(64bit) for package: postgresql11-contrib-11.3-1PGDG.rhel7.x86_64
--> Processing Dependency: libxslt.so.1(LIBXML2_1.0.18)(64bit) for package: postgresql11-contrib-11.3-1PGDG.rhel7.x86_64
--> Processing Dependency: libxslt.so.1(LIBXML2_1.0.11)(64bit) for package: postgresql11-contrib-11.3-1PGDG.rhel7.x86_64
--> Processing Dependency: libxslt.so.1()(64bit) for package: postgresql11-contrib-11.3-1PGDG.rhel7.x86_64
---> Package postgresql11-libs.x86_64 0:11.3-1PGDG.rhel7 will be installed
---> Package postgresql11-server.x86_64 0:11.3-1PGDG.rhel7 will be installed
--> Running transaction check
---> Package libicu.x86_64 0:50.1.2-17.el7 will be installed
---> Package libxslt.x86_64 0:1.1.28-5.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================
Package Arch Version Repository Size
====================================================================================================================
Installing for group install "PostgreSQL Database Server 11 PGDG":
postgresql11 x86_64 11.3-1PGDG.rhel7 pgdg11 1.7 M
postgresql11-contrib x86_64 11.3-1PGDG.rhel7 pgdg11 616 k
postgresql11-libs x86_64 11.3-1PGDG.rhel7 pgdg11 360 k
postgresql11-server x86_64 11.3-1PGDG.rhel7 pgdg11 4.7 M
Installing for dependencies:
libicu x86_64 50.1.2-17.el7 base 6.9 M
libxslt x86_64 1.1.28-5.el7 base 242 k

Transaction Summary
====================================================================================================================
Install 4 Packages (+2 Dependent packages)

Total download size: 14 M
Installed size: 55 M
Downloading packages:
(1/6): libxslt-1.1.28-5.el7.x86_64.rpm | 242 kB 00:00:00
warning: /var/cache/yum/x86_64/7/pgdg11/packages/postgresql11-11.3-1PGDG.rhel7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 442df0f8: NOKEY
Public key for postgresql11-11.3-1PGDG.rhel7.x86_64.rpm is not installed
(2/6): postgresql11-11.3-1PGDG.rhel7.x86_64.rpm | 1.7 MB 00:00:00
(3/6): postgresql11-libs-11.3-1PGDG.rhel7.x86_64.rpm | 360 kB 00:00:00
(4/6): libicu-50.1.2-17.el7.x86_64.rpm | 6.9 MB 00:00:01
(5/6): postgresql11-server-11.3-1PGDG.rhel7.x86_64.rpm | 4.7 MB 00:00:00
(6/6): postgresql11-contrib-11.3-1PGDG.rhel7.x86_64.rpm | 616 kB 00:00:02
--------------------------------------------------------------------------------------------------------------------
Total 4.7 MB/s | 14 MB 00:00:03
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
Importing GPG key 0x442DF0F8:
Userid : "PostgreSQL RPM Building Project <[email protected]>"
Fingerprint: 68c9 e2b9 1a37 d136 fe74 d176 1f16 d2e1 442d f0f8
Package : pgdg-redhat-repo-42.0-4.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : postgresql11-libs-11.3-1PGDG.rhel7.x86_64 1/6
Installing : libicu-50.1.2-17.el7.x86_64 2/6
Installing : postgresql11-11.3-1PGDG.rhel7.x86_64 3/6
Installing : libxslt-1.1.28-5.el7.x86_64 4/6
Installing : postgresql11-contrib-11.3-1PGDG.rhel7.x86_64 5/6
Installing : postgresql11-server-11.3-1PGDG.rhel7.x86_64 6/6
Verifying : postgresql11-libs-11.3-1PGDG.rhel7.x86_64 1/6
Verifying : postgresql11-server-11.3-1PGDG.rhel7.x86_64 2/6
Verifying : libicu-50.1.2-17.el7.x86_64 3/6
Verifying : libxslt-1.1.28-5.el7.x86_64 4/6
Verifying : postgresql11-11.3-1PGDG.rhel7.x86_64 5/6
Verifying : postgresql11-contrib-11.3-1PGDG.rhel7.x86_64 6/6

Installed:
postgresql11.x86_64 0:11.3-1PGDG.rhel7 postgresql11-contrib.x86_64 0:11.3-1PGDG.rhel7
postgresql11-libs.x86_64 0:11.3-1PGDG.rhel7 postgresql11-server.x86_64 0:11.3-1PGDG.rhel7

Dependency Installed:
libicu.x86_64 0:50.1.2-17.el7 libxslt.x86_64 0:1.1.28-5.el7

Complete!
Note: The above-mentioned example is referenced as an illustration only. Package names and versions may differ.
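
To confirm that the repository stanza edited above still points at the official download host with signature checking and priority set, the following check can be run against the .repo file. It is an added example, not part of the benchmark or of the PGDG project; the function name audit_pgdg_repo, the [pgdg11-weak] stanza and the host mirror.example.invalid are constructed for illustration.

```shell
#!/bin/sh
# Audit one [section] of a yum .repo file against the settings used in the
# procedure above. Prints one FAIL line per failed check; returns 0 only if
# every check passes. (audit_pgdg_repo is a hypothetical helper name.)
audit_pgdg_repo() {
    awk -v want="[$2]" '
        # Section header: remember whether we are inside the wanted section.
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == want); if (insec) found = 1; next }
        # key=value lines inside the section (comments and blanks skipped).
        insec && /^[ \t]*[^#; \t]/ {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            conf[key] = val
        }
        END {
            if (!found) { print "FAIL: section " want " not found"; exit 1 }
            bad = 0
            if (index(conf["baseurl"], "https://download.postgresql.org/") != 1) {
                print "FAIL: baseurl is not under https://download.postgresql.org/"; bad = 1 }
            if (conf["gpgcheck"] != "1") { print "FAIL: gpgcheck is not 1"; bad = 1 }
            if (conf["gpgkey"] == "")    { print "FAIL: gpgkey is not set"; bad = 1 }
            if (conf["priority"] != "1") { print "FAIL: priority is not 1"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample: the stanza from the procedure, plus a weak variant.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[pgdg11]
name=PostgreSQL 11 $releasever - $basearch
baseurl=https://download.postgresql.org/pub/repos/yum/11/redhat/rhel-$releasever-$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
priority=1

[pgdg11-weak]
name=constructed weak example
baseurl=http://mirror.example.invalid/pgdg/11
enabled=1
gpgcheck=0
EOF
audit_pgdg_repo "$sample" pgdg11 && echo "pgdg11: PASS"
audit_pgdg_repo "$sample" pgdg11-weak || echo "pgdg11-weak: rejected"
```

On a real host, pass /etc/yum.repos.d/pgdg-redhat-all.repo and the section name in use instead of the sample file.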

See Also

https://workbench.cisecurity.org/files/2407

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2c., CSCv6|18.1, CSCv7|18.3

Plugin: Unix

Control ID: 04e202164120d91c52dea55cf6b91b23486c1150d010d8afb5e9955cf2bb47b4