1.1 Ensure packages are obtained from authorized repositories

Information

When obtaining and installing software packages (typically via dnf), it's imperative that packages are sourced only from valid and authorized repositories. For PostgreSQL, the canonical repositories are the official PostgreSQL YUM repository (yum.postgresql.org) and the official PostgreSQL APT repository (apt.postgresql.org).

Rationale:

Being open source, PostgreSQL packages are widely available across the internet through RPM aggregators and providers. However, using invalid or unauthorized sources for packages can lead to implementing untested, defective, or malicious software.

Many organizations choose to implement a local software repository within their organization. Care must be taken to ensure that only valid and authorized packages are downloaded and installed into such local repositories.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Alter the configured repositories so they only include valid and authorized sources of packages.

As an example of adding an authorized repository, we will install the PGDG repository RPM from 'yum.postgresql.org'. Note that because of a change in the way packaging is handled in RHEL 8 (PostgreSQL is shipped as an AppStream module), we also need to disable the PostgreSQL module so that dnf resolves PostgreSQL packages from the PGDG repository rather than from the module stream:

# whoami
root
# dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Last metadata expiration check: 0:01:35 ago on Fri 04 Oct 2019 01:19:37 PM EDT.
[snip]
Installed:
pgdg-redhat-repo-42.0-5.noarch

Complete!
# dnf -qy module disable postgresql
#

Verify the repository has been added and is enabled:

# whoami
root
# dnf repolist all | grep enabled:
AppStream CentOS-8 - AppStream enabled: 4,928
BaseOS CentOS-8 - Base enabled: 2,713
extras CentOS-8 - Extras enabled: 3
pgdg10 PostgreSQL 10 for RHEL/CentOS 8 - x enabled: 504
pgdg11 PostgreSQL 11 for RHEL/CentOS 8 - x enabled: 526
pgdg12 PostgreSQL 12 for RHEL/CentOS 8 - x enabled: 377
pgdg94 PostgreSQL 9.4 for RHEL/CentOS 8 - enabled: 184
pgdg95 PostgreSQL 9.5 for RHEL/CentOS 8 - enabled: 322
pgdg96 PostgreSQL 9.6 for RHEL/CentOS 8 - enabled: 482
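The repolist check above is easy to automate as an allowlist audit. The following POSIX shell script is an added example, not part of the benchmark or Nessus plugin: it parses `dnf repolist all` output (a constructed sample modelled on the listing above, with one hypothetical unauthorized repository added) and reports any enabled repository that is not on an organization-defined allowlist (the `AUTHORIZED_REPOS` list is an assumption).

```shell
#!/bin/sh
# Added audit helper: flag enabled dnf repositories not on an allowlist.

# Constructed sample of `dnf repolist all` output (not captured from a real
# host); 'untrusted-mirror' is a hypothetical unauthorized repository.
SAMPLE_REPOLIST='repo id            repo name                                status
AppStream          CentOS-8 - AppStream                     enabled: 4,928
BaseOS             CentOS-8 - Base                          enabled: 2,713
extras             CentOS-8 - Extras                        enabled: 3
pgdg12             PostgreSQL 12 for RHEL/CentOS 8 - x86_64 enabled: 377
pgdg11             PostgreSQL 11 for RHEL/CentOS 8 - x86_64 disabled
untrusted-mirror   Third-party PostgreSQL RPMs              enabled: 900'

# Hypothetical allowlist of repositories the organization has approved.
AUTHORIZED_REPOS="AppStream BaseOS extras pgdg12 pgdg11"

# enabled_repos <repolist-output>: print the id (first column) of every
# repository whose status column reads "enabled: <count>".
enabled_repos() {
    printf '%s\n' "$1" | awk '/enabled:/ { print $1 }'
}

# unauthorized_repos <repolist-output> <allowlist>: print the ids of enabled
# repositories that do not appear in the space-separated allowlist.
unauthorized_repos() {
    for repo in $(enabled_repos "$1"); do
        case " $2 " in
            *" $repo "*) ;;                 # authorized, nothing to report
            *) printf '%s\n' "$repo" ;;     # enabled but not approved
        esac
    done
}

# audit_repos <repolist-output> <allowlist>: exit status 0 when every enabled
# repository is authorized, 1 otherwise (offenders are printed).
audit_repos() {
    bad=$(unauthorized_repos "$1" "$2")
    if [ -n "$bad" ]; then
        printf 'Unauthorized enabled repositories:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# On a live host, run against real output instead of the sample:
#   audit_repos "$(dnf repolist all)" "$AUTHORIZED_REPOS"
```

A non-zero exit status from `audit_repos` can feed a configuration-management or monitoring job so that an unexpected repository being enabled is caught before any package is installed from it.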

References:

https://wiki.centos.org/PackageManagement/Yum/

https://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-yum-yumconf-repository.html

https://en.wikipedia.org/wiki/Yum_(software)

https://www.howtoforge.com/creating_a_local_yum_repository_centos

https://yum.postgresql.org

https://apt.postgresql.org

See Also

https://workbench.cisecurity.org/files/2536

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8, 800-53|CM-11, CSCv6|2, CSCv7|2.1

Plugin: Unix

Control ID: 92b3a1c859d2bc3fcbbb646f539aa1bf1d54207ffb4b08a30c75cd4e80dd7bd6