1.1 Ensure packages are obtained from authorized repositories

Information

Standard Linux distributions, although they carry the requisite packages in their repositories, usually do not have PostgreSQL pre-installed. Installation consists of installing the binaries and the tooling needed to initialize a data cluster. Package installation should include both the server and client packages. The contrib modules are optional, depending on one's architectural requirements, but they are recommended.

When obtaining and installing software packages (typically via dnf or apt), it's imperative that packages are sourced only from valid and authorized repositories. For PostgreSQL, the canonical repositories are the official PostgreSQL YUM repository (yum.postgresql.org) and the official PostgreSQL APT repository (apt.postgresql.org). Your chosen PostgreSQL vendor may offer their own software repositories as well.

Rationale:

Being open source, PostgreSQL packages are widely available across the internet through package aggregators and providers. However, using invalid or unauthorized sources for packages can lead to implementing untested, defective, or malicious software.

Many organizations choose to implement a local software repository within their organization. Care must be taken to ensure that only valid and authorized packages are downloaded and installed into such local repositories.

From a security perspective, it is imperative to verify that the PostgreSQL binary packages are sourced from a valid software repository. For a complete listing of the PostgreSQL packages available via the configured repositories, inspect the output of dnf provides '*libpq.so' (RHEL/CentOS) or apt-file search /usr/pgsql-13/lib/libpq.so.5 (Debian/Ubuntu), and confirm that each result comes from an authorized repository.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Alter the configured repositories so they only include valid and authorized sources of packages.
As an example of adding an authorized repository, we will install the PGDG repository RPM from 'yum.postgresql.org'. Note that because RHEL 8 ships PostgreSQL as an AppStream module, we also need to disable the Red Hat built-in postgresql module; otherwise its packages can shadow the PGDG ones:

# whoami
root
# dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Last metadata expiration check: 0:01:35 ago on Fri 04 Oct 2019 01:19:37 PM EDT.
[snip]
Installed:
pgdg-redhat-repo-42.0-11.noarch

Complete!
# dnf -qy module disable postgresql

Verify the repository has been added and is enabled:

# whoami
root
# dnf repolist all | egrep 'enabled$'
AppStream CentOS-8 - AppStream enabled
BaseOS CentOS-8 - Base enabled
extras CentOS-8 - Extras enabled
pgdg-common PostgreSQL common RPMs for RHEL/CentOS enabled
pgdg10 PostgreSQL 10 for RHEL/CentOS 8 - x86_ enabled
pgdg11 PostgreSQL 11 for RHEL/CentOS 8 - x86_ enabled
pgdg12 PostgreSQL 12 for RHEL/CentOS 8 - x86_ enabled
pgdg13 PostgreSQL 13 for RHEL/CentOS 8 - x86_ enabled
pgdg95 PostgreSQL 9.5 for RHEL/CentOS 8 - x86 enabled
pgdg96 PostgreSQL 9.6 for RHEL/CentOS 8 - x86 enabled

If the installed PostgreSQL packages are not version 13.x, or did not come from an authorized repository, they may be uninstalled with the following command (review the package list first, since the rpm query removes every package whose name contains 'postgres'):

# whoami
root
# dnf remove $(rpm -qa|grep postgres)

To install the PGDG RPMs for PostgreSQL 13.x, run:

$ whoami
root
$ dnf -y groupinstall 'PostgreSQL Database Server 13 PGDG'
<snip>
Installing group/module packages:
postgresql13 x86_64 13.0-1PGDG.rhel8 pgdg13 1.6 M
postgresql13-contrib x86_64 13.0-1PGDG.rhel8 pgdg13 663 k
postgresql13-libs x86_64 13.0-1PGDG.rhel8 pgdg13 431 k
postgresql13-server x86_64 13.0-1PGDG.rhel8 pgdg13 6.1 M
Installing dependencies:
libicu x86_64 60.3-2.el8_1 BaseOS 8.8 M
libxslt x86_64 1.1.32-4.el8 BaseOS 249 k
Installing Groups:
PostgreSQL Database Server 13 PGDG
<snip>
Installed:
libicu-60.3-2.el8_1.x86_64 libxslt-1.1.32-4.el8.x86_64
postgresql13-13.0-1PGDG.rhel8.x86_64 postgresql13-contrib-13.0-1PGDG.rhel8.x86_64
postgresql13-libs-13.0-1PGDG.rhel8.x86_64 postgresql13-server-13.0-1PGDG.rhel8.x86_64

Complete!
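The steps above add the repository and install the packages, but the control also requires confirming, on an ongoing basis, that every installed PostgreSQL package actually came from an authorized repository and carries a valid signature. The script below is an added example written for this page, not part of the CIS benchmark or the Tenable audit. It queries dnf for the repository each installed postgresql* package was recorded as coming from, and rpm for the package's GPG signature, and compares both against an allowlist. The allowlist (pgdg13 and pgdg-common) and the sample inventory are assumptions made for the example; adjust the allowlist to the repositories your organization has authorized. It also pays to confirm that gpgcheck=1 is set for each PGDG repository entry under /etc/yum.repos.d, so dnf refuses unsigned packages in the first place.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit installed PostgreSQL
# packages against an allowlist of authorized repositories and check that
# each one is GPG-signed. Allowlist and sample data are assumptions.

AUTHORIZED_REPOS="pgdg13 pgdg-common"

# Read "name repo" lines on stdin. Return 0 if every package came from an
# authorized repo, 1 otherwise; offenders are reported on stderr.
check_package_origins() {
    rc=0
    while read -r name repo; do
        [ -z "$name" ] && continue
        ok=0
        for r in $AUTHORIZED_REPOS; do
            [ "$repo" = "$r" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "UNAUTHORIZED ORIGIN: $name (from '$repo')" >&2
            rc=1
        fi
    done
    return $rc
}

# Read "name signature..." lines on stdin. rpm prints "(none)" for an
# unsigned package; anything else is a key ID and date string.
check_package_signatures() {
    rc=0
    while read -r name sig; do
        [ -z "$name" ] && continue
        if [ "$sig" = "(none)" ]; then
            echo "UNSIGNED: $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Live queries on an RHEL/CentOS 8 host (not run by the offline checks).
# dnf records the repo id it installed from; "@commandline" means a local
# RPM file, which is exactly the case this control is meant to catch.
live_origins() {
    dnf repoquery --installed --qf '%{name} %{from_repo}' 'postgresql*'
}
live_signatures() {
    rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n' 'postgresql*'
}

# Constructed sample data in the same shape as the live output: three PGDG
# packages and one contrib package installed from a local file.
SAMPLE_ORIGINS='postgresql13 pgdg13
postgresql13-server pgdg13
postgresql13-libs pgdg13
postgresql13-contrib @commandline'

SAMPLE_SIGNATURES='postgresql13 RSA/SHA256, Key ID 40bca2b408b40d20
postgresql13-server RSA/SHA256, Key ID 40bca2b408b40d20
postgresql13-contrib (none)'

check_sample_origins() {
    printf '%s\n' "$SAMPLE_ORIGINS" | check_package_origins
}
check_sample_signatures() {
    printf '%s\n' "$SAMPLE_SIGNATURES" | check_package_signatures
}

audit_live_host() {
    live_origins | check_package_origins && \
    live_signatures | check_package_signatures
}
```

On a real host, run audit_live_host as root; a non-zero exit means at least one package either came from a repository outside the allowlist or is unsigned, and should be removed and reinstalled from the PGDG repository as shown above. The key ID in the sample signature lines is constructed for the example; compare the IDs reported on your system against the key published with the repository you authorized.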

See Also

https://workbench.cisecurity.org/files/3170

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8, 800-53|CM-11, CSCv6|2, CSCv7|2.1

Plugin: Unix

Control ID: 69a5c508c655e725b026243905292a2dae9023dcdc90b993d666ea5a60744de2