1.1 Ensure packages are obtained from authorized repositories

Information

When obtaining and installing software packages (typically via yum), it's imperative that packages are sourced only from valid and authorized repositories. For PostgreSQL, a short list of valid repositories would include CentOS (www.centos.org) and the official PostgreSQL website (yum.postgresql.org).
Rationale:
Being open source, PostgreSQL packages are widely available across the internet through RPM aggregators and providers. However, using invalid or unauthorized sources for packages can lead to implementing untested, defective, or malicious software.
Many organizations choose to implement a local yum repository within their organization. Care must be taken to ensure that only valid and authorized packages are downloaded and installed into such local repositories.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Alter the configured repositories so they only include valid and authorized sources of packages.
As an example of adding an authorized repository, we will install the PGDG repository RPM from 'yum.postgresql.org':
[[email protected] ~]# whoami
root
[[email protected] ~]# yum install https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Loaded plugins: fastestmirror
pgdg-redhat-repo-latest.noarch.rpm | 5.6 kB 00:00:00
Examining /var/tmp/yum-root-CubWbD/pgdg-redhat-repo-latest.noarch.rpm: pgdg-redhat-repo-42.0-4.noarch
Marking /var/tmp/yum-root-CubWbD/pgdg-redhat-repo-latest.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package pgdg-redhat-repo.noarch 0:42.0-4 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================
Package Arch Version Repository Size
====================================================================================================================
Installing:
pgdg-redhat-repo noarch 42.0-4 /pgdg-redhat-repo-latest.noarch 6.8 k

Transaction Summary
====================================================================================================================
Install 1 Package

Total size: 6.8 k
Installed size: 6.8 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : pgdg-redhat-repo-42.0-4.noarch 1/1
Verifying : pgdg-redhat-repo-42.0-4.noarch 1/1

Installed:
pgdg-redhat-repo.noarch 0:42.0-4

Complete!
Verify the repository has been added and is enabled:
[[email protected] ~]# whoami
root
[[email protected] ~]# yum repolist all | grep enabled:
base/7/x86_64 CentOS-7 - Base enabled: 10,019
extras/7/x86_64 CentOS-7 - Extras enabled: 409
pgdg10/7/x86_64 PostgreSQL 10 7 - x86_64 enabled: 663
pgdg11/7/x86_64 PostgreSQL 11 7 - x86_64 enabled: 487
pgdg94/7/x86_64 PostgreSQL 9.4 7 - x86_64 enabled: 746
pgdg95/7/x86_64 PostgreSQL 9.5 7 - x86_64 enabled: 732
pgdg96/7/x86_64 PostgreSQL 9.6 7 - x86_64 enabled: 745
updates/7/x86_64 CentOS-7 - Updates enabled: 1,945

See Also

https://workbench.cisecurity.org/files/2407

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8, 800-53|CM-11, CSCv6|2, CSCv7|2.1

Plugin: Unix

Control ID: 60c3d9072464327d42b628a7edb4d5e0d1d20be92ef09f3ecbe04bf89d91955b