1.3 Ensure Installation of Community Packages

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Add the official PostgreSQL community (PGDG) package repository to the host's package configuration and install the PostgreSQL packages from it.

Rationale:

It's an unfortunate reality that Linux distributions do not always ship the most up-to-date versions of PostgreSQL. Disadvantages of older releases include: missing bug fixes, no access to highly desirable contrib modules, no access to third-party projects that are complementary to PostgreSQL, and no upgrade path for migrating from one major version of PostgreSQL to the next. The worst set of circumstances is to be limited to a version of the RDBMS that has reached its end-of-life.

From a security perspective, it's imperative that Postgres Community Packages are only obtained from the official website https://yum.postgresql.org/. Being open source, the Postgres packages are widely available over the internet via myriad package aggregators and providers. Obtaining software from these unofficial sites risks installing defective, corrupt, or downright malicious versions of PostgreSQL.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

The following example adds the PGDG repository RPM for PostgreSQL, configures dnf to prefer the PGDG packages for version 12, and installs the client, server, and contrib RPMs on the host where you want to run the RDBMS.

Using a web browser, go to http://yum.postgresql.org and navigate to the repo download link for your OS and version. Copy the URL to the repo file, and then tell dnf to install it:

# whoami
root
# dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Last metadata expiration check: 0:01:35 ago on Fri 04 Oct 2019 01:19:37 PM EDT.
[snip]
Installed:
pgdg-redhat-repo-42.0-5.noarch

Complete!
# dnf -qy module disable postgresql
#

Now, configure dnf to prefer the PGDG packages for version 12:

# cd /etc/yum.repos.d
# for i in AppStream Base Extras
do
echo 'exclude=postgresql*' >> CentOS-$i.repo
done

Finally, install the PostgreSQL packages:

# whoami
root
# dnf -y groupinstall 'PostgreSQL Database Server 12 PGDG'
Dependencies resolved.
[snip]
Installed:
postgresql12-12.0-1PGDG.rhel8.x86_64
postgresql12-contrib-12.0-1PGDG.rhel8.x86_64
postgresql12-libs-12.0-1PGDG.rhel8.x86_64
postgresql12-server-12.0-1PGDG.rhel8.x86_64
python2-2.7.15-22.module_el8.0.0+32+017b2cba.x86_64
python2-libs-2.7.15-22.module_el8.0.0+32+017b2cba.x86_64
python2-pip-9.0.3-13.module_el8.0.0+32+017b2cba.noarch
python2-setuptools-39.0.1-11.module_el8.0.0+32+017b2cba.noarch
libicu-60.2-7.el8.x86_64
libxslt-1.1.32-3.el8.x86_64

Complete!

Note: The example above is for illustration only. Package names and versions may differ.
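The steps above set up the repository but do not show how to verify the result. The following script is an added example, not part of the CIS benchmark or the Nessus audit text: it checks that a repo file defines only PGDG sections pointing at download.postgresql.org with GPG verification enabled, that a distribution repo file carries the exclude=postgresql* line, and that installed postgresql packages carry the PGDG release tag. The repo file names, section names and contents it writes are constructed samples; on a real host, point the checks at the files in /etc/yum.repos.d and at the output of `rpm -qa 'postgresql*'` instead.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or Nessus audit): post-install
# checks that PostgreSQL packages really come from the official PGDG repo.
# All file names and file contents below are constructed for illustration.

# check_pgdg_repo FILE
# Returns 0 when FILE has at least one [pgdg...] section, at least one baseurl,
# every baseurl on download.postgresql.org, and gpgcheck=1 in every section.
check_pgdg_repo() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -q '^\[pgdg' "$f" || return 1
    grep -q '^baseurl=' "$f" || return 1
    # any baseurl outside the official host fails the check
    grep '^baseurl=' "$f" | grep -vq 'download\.postgresql\.org' && return 1
    sections=$(grep -c '^\[' "$f" || true)
    checks=$(grep -c '^gpgcheck=1' "$f" || true)
    [ "$sections" -eq "$checks" ]
}

# check_distro_excludes FILE
# Returns 0 when the distribution repo file excludes postgresql*, so the stock
# (possibly older) packages cannot shadow the PGDG ones.
check_distro_excludes() {
    grep -q '^exclude=postgresql\*' "$1"
}

# check_installed_list
# Reads package NVRA lines on stdin (an "Installed:" listing, or rpm -qa output)
# and returns 1 if any postgresql package lacks the PGDG release tag.
check_installed_list() {
    bad=$(grep '^postgresql' | grep -vc 'PGDG' || true)
    [ "$bad" -eq 0 ]
}

# write_samples DIR: writes constructed repo files used by the demo.
write_samples() {
    d="$1"
    cat > "$d/pgdg-good.repo" <<'EOF'
[pgdg12]
name=PostgreSQL 12 (constructed sample)
baseurl=https://download.postgresql.org/pub/repos/yum/12/redhat/rhel-8-x86_64
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
EOF
    cat > "$d/pgdg-bad.repo" <<'EOF'
[pgdg12]
name=PostgreSQL 12 from an unofficial mirror (constructed sample)
baseurl=http://mirror.example.invalid/pgdg/12
enabled=1
gpgcheck=0
EOF
    cat > "$d/CentOS-AppStream.repo" <<'EOF'
[AppStream]
name=CentOS-8 - AppStream (constructed sample)
enabled=1
gpgcheck=1
exclude=postgresql*
EOF
}

# demo: run the checks against the constructed samples and print PASS/FAIL.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d/pgdg-good.repo" "$d/pgdg-bad.repo"; do
        if check_pgdg_repo "$f"; then echo "PASS repo $f"; else echo "FAIL repo $f"; fi
    done
    if check_distro_excludes "$d/CentOS-AppStream.repo"; then
        echo "PASS exclude CentOS-AppStream.repo"
    else
        echo "FAIL exclude CentOS-AppStream.repo"
    fi
    # package names taken from the listing above; the python2/libicu lines are not postgresql packages
    printf '%s\n' postgresql12-12.0-1PGDG.rhel8.x86_64 libicu-60.2-7.el8.x86_64 \
        | check_installed_list && echo "PASS installed" || echo "FAIL installed"
    rm -rf "$d"
}

demo
```

The three checks correspond to the three steps of the solution: the repo RPM (official host, GPG check on), the exclude lines that keep the distribution's own postgresql packages out, and the PGDG release tag on what actually got installed. A repo file whose baseurl points anywhere other than download.postgresql.org, or that turns gpgcheck off, fails the first check.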

References:

https://www.postgresql.org/

https://www.postgresql.org/support/versioning/

https://www.postgresql.org/developer/roadmap/

https://yum.postgresql.org/repopackages.php

See Also

https://workbench.cisecurity.org/files/2536