1.1 Ensure packages are obtained from authorized repositories

Information

When obtaining and installing software packages (typically via yum), it's imperative that packages are sourced only from valid and authorized repositories. For PostgreSQL, a short list of valid repositories would include CentOS (www.centos.org) and the official PostgreSQL website (yum.postgresql.org).
Rationale:
Being open source, PostgreSQL packages are widely available across the internet through RPM aggregators and providers. However, using invalid or unauthorized sources for packages can lead to installing untested, defective, or malicious software.
Many organizations choose to implement a local yum repository within their organization. Care must be taken to ensure that only valid and authorized packages are downloaded and installed into such local repositories.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Alter the configured repositories so they only include valid and authorized sources of packages.
As an example of adding an authorized repository, we will install the PGDG repository RPM from 'yum.postgresql.org':
[root@centos7 ~]# whoami
root
[root@centos7 ~]# yum install https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Loaded plugins: fastestmirror
pgdg-redhat-repo-latest.noarch.rpm | 5.6 kB 00:00:00
Examining /var/tmp/yum-root-CubWbD/pgdg-redhat-repo-latest.noarch.rpm: pgdg-redhat-repo-42.0-4.noarch
Marking /var/tmp/yum-root-CubWbD/pgdg-redhat-repo-latest.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package pgdg-redhat-repo.noarch 0:42.0-4 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================
Package Arch Version Repository Size
====================================================================================================================
Installing:
pgdg-redhat-repo noarch 42.0-4 /pgdg-redhat-repo-latest.noarch 6.8 k

Transaction Summary
====================================================================================================================
Install 1 Package

Total size: 6.8 k
Installed size: 6.8 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : pgdg-redhat-repo-42.0-4.noarch 1/1
Verifying : pgdg-redhat-repo-42.0-4.noarch 1/1

Installed:
pgdg-redhat-repo.noarch 0:42.0-4

Complete!
Verify the repository has been added and is enabled:
[root@centos7 ~]# whoami
root
[root@centos7 ~]# yum repolist all | grep enabled:
base/7/x86_64 CentOS-7 - Base enabled: 10,019
extras/7/x86_64 CentOS-7 - Extras enabled: 409
pgdg10/7/x86_64 PostgreSQL 10 7 - x86_64 enabled: 663
pgdg11/7/x86_64 PostgreSQL 11 7 - x86_64 enabled: 487
pgdg94/7/x86_64 PostgreSQL 9.4 7 - x86_64 enabled: 746
pgdg95/7/x86_64 PostgreSQL 9.5 7 - x86_64 enabled: 732
pgdg96/7/x86_64 PostgreSQL 9.6 7 - x86_64 enabled: 745
updates/7/x86_64 CentOS-7 - Updates enabled: 1,945
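Listing enabled repositories shows what is configured but not whether each source is authorized. The following is an added example, not part of the CIS benchmark or the Nessus audit: a shell script that parses a yum .repo file and flags any enabled repository whose baseurl or mirrorlist host is outside an allowlist, or that has gpgcheck turned off. The allowlisted hosts (centos.org mirrors plus the download.postgresql.org host used in the yum command above) and the sample .repo content are assumptions; adapt the host list to your organization's approved mirrors and run the function against /etc/yum.repos.d/*.repo on a real host.

```shell
#!/bin/sh
# Added example: audit a yum .repo file so that every enabled repository
# points at an authorized host and has GPG signature checking turned on.
# Hosts below are examples (centos.org mirrors and the PGDG host used on
# this page); replace them with the mirrors your organization approves.
AUTHORIZED_HOSTS="mirrorlist.centos.org mirror.centos.org download.postgresql.org yum.postgresql.org"
# Constructed sample .repo file (not taken from a real system): two
# authorized repositories and one unvetted aggregator with gpgcheck off.
SAMPLE_REPO='[base]
name=CentOS-7 - Base
mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os
enabled=1
gpgcheck=1

[pgdg11]
name=PostgreSQL 11 7 - x86_64
baseurl=https://download.postgresql.org/pub/repos/yum/11/redhat/rhel-7-x86_64
enabled=1
gpgcheck=1

[thirdparty]
name=Unvetted RPM aggregator
baseurl=http://rpms.example.invalid/el7
enabled=1
gpgcheck=0
'
# audit_repos FILE: print one line per violation; exit status 1 if any.
# A missing enabled= counts as enabled (yum default); a missing gpgcheck=
# is treated as off so the audit fails closed.
audit_repos() {
  awk -v allowed="$AUTHORIZED_HOSTS" '
    function flush() {
      if (sect == "" || enabled != "1") return
      if (!(host in ok)) { printf "UNAUTHORIZED %s %s\n", sect, url; bad++ }
      if (gpg != "1")    { printf "NO_GPGCHECK  %s\n", sect; bad++ }
    }
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^\[.*\]$/ { flush(); sect = substr($0, 2, length($0) - 2)
                 url = ""; host = ""; enabled = "1"; gpg = "0"; next }
    /^(baseurl|mirrorlist)=/ { url = $0; sub(/^[^=]*=/, "", url)
                               host = url; sub("^[a-z]+://", "", host)
                               sub("[/:?].*", "", host); next }
    /^enabled=/  { enabled = substr($0, 9);  next }
    /^gpgcheck=/ { gpg = substr($0, 10); next }
    END { flush(); exit (bad > 0) }
  ' "$1"
}
tmp=$(mktemp) && printf '%s' "$SAMPLE_REPO" > "$tmp"
audit_repos "$tmp" || echo "repo file fails the authorized-source check"
```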

See Also

https://workbench.cisecurity.org/files/2407

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8, 800-53|CM-11, CSCv6|2, CSCv7|2.1

Plugin: Unix

Control ID: 60c3d9072464327d42b628a7edb4d5e0d1d20be92ef09f3ecbe04bf89d91955b