1.1 Ensure packages are obtained from authorized repositories

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Standard Linux distributions carry PostgreSQL packages but usually do not install them by default. Installing PostgreSQL means installing the binaries together with the tooling (initdb) used to create a data cluster. The installation should include both the server and the client packages. The contributed modules (the contrib package) are optional, depending on one's architectural requirements, but they are recommended.

When obtaining and installing software packages (typically via dnf or apt), it's imperative that packages are sourced only from valid and authorized repositories. For PostgreSQL, the canonical repositories are the official PostgreSQL YUM repository (yum.postgresql.org) and the official PostgreSQL APT repository (apt.postgresql.org). Your chosen PostgreSQL vendor may offer its own software repositories as well.

Rationale:

Being open-source, PostgreSQL packages are widely available across the internet through package aggregators and providers. However, using invalid or unauthorized sources for packages can lead to implementing untested, defective, or malicious software.

Many organizations choose to implement a local software repository within their organization. Care must be taken to ensure that only valid and authorized packages are downloaded and installed into such local repositories.

From a security perspective, it is imperative to verify that the PostgreSQL binary packages are sourced from a valid software repository. To see which PostgreSQL binaries the configured repositories can supply, inspect the output of dnf provides '*libpq.so' on RHEL-family systems, or apt-file search libpq.so.5 on Debian-family systems (the PGDG RPMs place libpq under /usr/pgsql-14/lib/, whereas the Debian and Ubuntu packages use the multiarch /usr/lib/<triplet>/ layout, so searching apt-file for the RPM path would find nothing).

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Alter the configured repositories so they only include valid and authorized sources of packages.

As an example of adding an authorized repository, we will install the PGDG repository RPM from 'yum.postgresql.org'. Because RHEL 8 ships PostgreSQL as an AppStream module, and an enabled module stream shadows non-modular packages of the same name, we also need to disable the Red Hat built-in postgresql module so that the PGDG packages can be selected:

# whoami
root
# dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Last metadata expiration check: 0:01:35 ago on Fri 04 Oct 2019 01:19:37 PM EDT.
[snip]
Installed:
pgdg-redhat-repo-42.0-19.noarch

Complete!
# dnf -qy module disable postgresql

Verify the repository has been added and is enabled:

# whoami
root
# dnf repolist all | egrep 'enabled$'
pgdg-common PostgreSQL common enabled
pgdg10 PostgreSQL 10 for enabled
pgdg11 PostgreSQL 11 for enabled
pgdg12 PostgreSQL 12 for enabled
pgdg13 PostgreSQL 13 for enabled
pgdg14 PostgreSQL 14 for enabled
pgdg96 PostgreSQL 9.6 fo enabled
rhel-8-for-x86_64-appstream-rpms Red Hat Enterpris enabled
rhel-8-for-x86_64-baseos-rpms Red Hat Enterpris enabled

If the installed PostgreSQL packages are not 14.x, or did not come from a valid repository, they can be uninstalled with this command:

# whoami
root
# dnf remove $(rpm -qa|grep postgres)

To install the PGDG RPMs for PostgreSQL 14.x, run:

# whoami
root
# dnf install -y postgresql14-{server,contrib}
[snip]
Installed:
lz4-1.8.3-3.el8_4.x86_64 postgresql14-14.0-1PGDG.rhel8.x86_64
postgresql14-contrib-14.0-1PGDG.rhel8.x86_64 postgresql14-libs-14.0-1PGDG.rhel8.x86_64
postgresql14-server-14.0-1PGDG.rhel8.x86_64
Complete!
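The steps above leave the operator checking version and origin by eye. As an added example (not part of the CIS benchmark and not Nessus's own audit logic), the POSIX shell script below turns the two checks into something repeatable: every installed postgresql* package must be a postgresql14-* package and must have been installed from a repository on an allow-list, and every enabled dnf repository must have gpgcheck=1 so that a tampered package is rejected at install time rather than discovered afterwards. The allow-list of repository ids, the use of dnf repoquery's %{from_repo} query tag to recover a package's origin, and the constructed package lines and repo sections described in the comments are assumptions, not something the benchmark states.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark or of Nessus): audit the
# installed PostgreSQL packages for repository of origin and major version,
# and check that every enabled dnf repository enforces GPG signature checks.
# Assumes a dnf-based host (RHEL 8) with the PGDG repository added as shown
# in the benchmark. The allow-list below is an assumption; edit it to match
# your own authorized repositories (for example a local mirror you have vetted).

# Repository ids a PostgreSQL package may legitimately come from (assumed).
# dnf shows the origin with a leading "@" in some views, so accept it optionally.
AUTHORIZED_REPOS='^@?(pgdg[0-9a-z-]*|rhel-8-for-x86_64-(baseos|appstream)-rpms)$'
EXPECTED_MAJOR=14

# Read "name-version-release.arch repo" lines on stdin and print one line per
# finding. A package is flagged when its repository is outside the allow-list
# (this catches @commandline, i.e. a locally downloaded RPM, and @System, i.e.
# origin unknown) or when it is not a postgresql<EXPECTED_MAJOR>-* package.
# Returns 1 if anything was flagged, 0 otherwise.
audit_package_sources() {
    found=0
    while read -r pkg repo; do
        [ -n "$pkg" ] || continue
        # PGDG packages are named postgresql<major>-<component>; the RHEL
        # module packages are plain postgresql-<component>, so major is empty.
        major=$(printf '%s\n' "$pkg" | sed -n 's/^postgresql\([0-9][0-9]*\)-.*/\1/p')
        if ! printf '%s\n' "$repo" | grep -Eq "$AUTHORIZED_REPOS"; then
            printf 'UNAUTHORIZED SOURCE: %s (repo: %s)\n' "$pkg" "$repo"
            found=1
        fi
        if [ "$major" != "$EXPECTED_MAJOR" ]; then
            printf 'WRONG VERSION: %s (expected postgresql%s-*)\n' "$pkg" "$EXPECTED_MAJOR"
            found=1
        fi
    done
    return $found
}

# Scan dnf repository definitions (file arguments, or stdin when none are
# given). For every enabled section, gpgcheck=0 is a finding; a section with
# no gpgcheck line inherits [main] from /etc/dnf/dnf.conf and is only warned
# about. Returns 1 if any enabled repository has gpgcheck=0.
audit_gpgcheck() {
    awk '
        function flush() {
            if (id != "" && enabled == 1) {
                if (gpg == 0) { printf "GPGCHECK DISABLED: %s\n", id; bad = 1 }
                else if (gpg == -1) { printf "GPGCHECK NOT SET (inherits [main]): %s\n", id }
            }
            id = ""
        }
        BEGIN { bad = 0; id = "" }
        /^\[.+\]$/         { flush(); id = substr($0, 2, length($0) - 2); enabled = 1; gpg = -1 }
        /^enabled[ \t]*=/  { split($0, kv, "="); enabled = kv[2] + 0 }
        /^gpgcheck[ \t]*=/ { split($0, kv, "="); gpg = kv[2] + 0 }
        END { flush(); exit bad }
    ' "$@"
}

# Live check on the host. %{from_repo} is the dnf 4 repoquery tag that records
# the repository a package was installed from.
audit_host() {
    rc=0
    dnf repoquery --installed \
        --qf '%{name}-%{version}-%{release}.%{arch} %{from_repo}' 'postgresql*' \
        | audit_package_sources || rc=1
    audit_gpgcheck /etc/yum.repos.d/*.repo || rc=1
    return $rc
}

# Only talk to dnf when explicitly asked, so the functions can also be
# sourced and exercised on constructed input.
if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

Run it as root with --live after completing the steps above; a non-zero exit means at least one package or repository needs attention. The package check deliberately treats @commandline as unauthorized: an RPM fetched by hand from an arbitrary URL is exactly the case the benchmark warns about, even when its name and version look right.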

See Also

https://workbench.cisecurity.org/files/3558