8.3 Ensure the backup and restore tool, 'pgBackRest', is installed and configured

Information

pgBackRest aims to be a simple, reliable backup and restore system that can seamlessly scale up to the largest databases and workloads. Instead of relying on traditional backup tools like tar and rsync, pgBackRest implements all backup features internally and uses a custom protocol for communicating with remote systems. Removing reliance on tar and rsync allows for better solutions to database-specific backup challenges. The custom remote protocol allows for more flexibility and limits the types of connections that are required to perform a backup which increases security.
Rationale:
The native PostgreSQL backup facility pg_dump provides adequate logical backup operations but does not provide for Point In Time Recovery (PITR). The PostgreSQL facility pg_basebackup performs physical backup of the database files and does provide for PITR, but it is constrained by single threading. Both of these methodologies are standard in the PostgreSQL ecosystem and appropriate for particular backup/recovery needs. pgBackRest offers another option with much more robust features and flexibility.
pgBackRest is open source software developed to perform efficient backups on PostgreSQL databases that measure in tens of terabytes and greater. It supports per file checksums, compression, partial/failed backup resume, high-performance parallel transfer, asynchronous archiving, tablespaces, expiration, full/differential/incremental, local/remote operation via SSH, hard-linking, restore, backup encryption, and more. pgBackRest is written in C and Perl and does not depend on rsync or tar but instead performs its own deltas which gives it maximum flexibility. Finally, pgBackRest provides an easy to use internal repository listing backup details accessible via the pgbackrest info command, as illustrated below.
$ pgbackrest info
stanza: proddb01
status: ok

db (current)
wal archive min/max (10.6-1): 000000010000000000000012 / 000000010000000000000017

full backup: 20181002-153106F
timestamp start/stop: 2018-10-02 15:31:06 / 2018-10-02 15:31:49
wal start/stop: 000000010000000000000012 / 000000010000000000000012
database size: 29.4MB, backup size: 29.4MB
repository size: 3.4MB, repository backup size: 3.4MB

diff backup: 20181002-153106F_20181002-173109D
timestamp start/stop: 2018-10-02 17:31:09 / 2018-10-02 17:31:19
wal start/stop: 000000010000000000000015 / 000000010000000000000015
database size: 29.4MB, backup size: 2.6MB
repository size: 3.4MB, repository backup size: 346.8KB
backup reference list: 20181002-153106F

incr backup: 20181002-153106F_20181002-183114I
timestamp start/stop: 2018-10-02 18:31:14 / 2018-10-02 18:31:22
wal start/stop: 000000010000000000000017 / 000000010000000000000017
database size: 29.4MB, backup size: 8.2KB
repository size: 3.4MB, repository backup size: 519B
backup reference list: 20181002-153106F, 20181002-153106F_20181002-173109D

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

pgBackRest is not installed nor configured for PostgreSQL by default, but instead is maintained as a GitHub project. Fortunately, it is a part of the PGDG repository and can be easily installed:
$ whoami
root
$ Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.cc.columbia.edu
* epel: mirror.us.leaseweb.net
* extras: mirror.es.its.nyu.edu
* updates: mirror.cogentco.com
Resolving Dependencies
[snip]

Dependencies Resolved

=================================================================================================================
Package Arch Version Repository Size
=================================================================================================================
Installing:
pgbackrest x86_64 2.10-1.rhel7 pgdg10 241 k
Installing for dependencies:
mailcap noarch 2.1.41-2.el7 base 31 k
perl-Business-ISBN noarch 2.06-2.el7 base 25 k
perl-Business-ISBN-Data noarch 20120719.001-2.el7 base 24 k
perl-Compress-Raw-Bzip2 x86_64 2.061-3.el7 base 32 k
perl-Compress-Raw-Zlib x86_64 1:2.061-4.el7 base 57 k
perl-DBD-Pg x86_64 2.19.3-4.el7 base 195 k
perl-DBI x86_64 1.627-4.el7 base 802 k
perl-Data-Dumper x86_64 2.145-3.el7 base 47 k
perl-Digest noarch 1.17-245.el7 base 23 k
perl-Digest-MD5 x86_64 2.52-3.el7 base 30 k
perl-Digest-SHA x86_64 1:5.85-4.el7 base 58 k
perl-Encode-Locale noarch 1.03-5.el7 base 16 k
perl-File-Listing noarch 6.04-7.el7 base 13 k
perl-HTML-Parser x86_64 3.71-4.el7 base 115 k
perl-HTML-Tagset noarch 3.20-15.el7 base 18 k
perl-HTTP-Cookies noarch 6.01-5.el7 base 26 k
perl-HTTP-Daemon noarch 6.01-8.el7 base 21 k
perl-HTTP-Date noarch 6.02-8.el7 base 14 k
perl-HTTP-Message noarch 6.06-6.el7 base 82 k
perl-HTTP-Negotiate noarch 6.01-5.el7 base 17 k
perl-IO-Compress noarch 2.061-2.el7 base 260 k
perl-IO-HTML noarch 1.00-2.el7 base 23 k
perl-IO-Socket-IP noarch 0.21-5.el7 base 36 k
perl-IO-Socket-SSL noarch 1.94-7.el7 base 115 k
perl-JSON-PP noarch 2.27202-2.el7 base 55 k
perl-LWP-MediaTypes noarch 6.02-2.el7 base 24 k
perl-Mozilla-CA noarch 20130114-5.el7 base 11 k
perl-Net-Daemon noarch 0.48-5.el7 base 51 k
perl-Net-HTTP noarch 6.06-2.el7 base 29 k
perl-Net-LibIDN x86_64 0.12-15.el7 base 28 k
perl-Net-SSLeay x86_64 1.55-6.el7 base 285 k
perl-PlRPC noarch 0.2020-14.el7 base 36 k
perl-TimeDate noarch 1:2.30-2.el7 base 52 k
perl-URI noarch 1.60-9.el7 base 106 k
perl-WWW-RobotRules noarch 6.02-5.el7 base 18 k
perl-XML-LibXML x86_64 1:2.0018-5.el7 base 373 k
perl-XML-NamespaceSupport noarch 1.11-10.el7 base 18 k
perl-XML-SAX noarch 0.99-9.el7 base 63 k
perl-XML-SAX-Base noarch 1.08-7.el7 base 32 k
perl-libwww-perl noarch 6.05-2.el7 base 205 k
perl-version x86_64 3:0.99.07-3.el7 base 84 k

Transaction Summary
===================================================================================================================
Install 1 Package (+41 Dependent packages)

Total download size: 3.7 M
Installed size: 9.4 M
[snip]
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
[snip]
Installed:
pgbackrest.x86_64 0:2.10-1.rhel7

Dependency Installed:
mailcap.noarch 0:2.1.41-2.el7 perl-Business-ISBN.noarch 0:2.06-2.el7
perl-Business-ISBN-Data.noarch 0:20120719.001-2.el7 perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7
perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 perl-DBD-Pg.x86_64 0:2.19.3-4.el7
perl-DBI.x86_64 0:1.627-4.el7 perl-Data-Dumper.x86_64 0:2.145-3.el7
perl-Digest.noarch 0:1.17-245.el7 perl-Digest-MD5.x86_64 0:2.52-3.el7
perl-Digest-SHA.x86_64 1:5.85-4.el7 perl-Encode-Locale.noarch 0:1.03-5.el7
perl-File-Listing.noarch 0:6.04-7.el7 perl-HTML-Parser.x86_64 0:3.71-4.el7
perl-HTML-Tagset.noarch 0:3.20-15.el7 perl-HTTP-Cookies.noarch 0:6.01-5.el7
perl-HTTP-Daemon.noarch 0:6.01-8.el7 perl-HTTP-Date.noarch 0:6.02-8.el7
perl-HTTP-Message.noarch 0:6.06-6.el7 perl-HTTP-Negotiate.noarch 0:6.01-5.el7
perl-IO-Compress.noarch 0:2.061-2.el7 perl-IO-HTML.noarch 0:1.00-2.el7
perl-IO-Socket-IP.noarch 0:0.21-5.el7 perl-IO-Socket-SSL.noarch 0:1.94-7.el7
perl-JSON-PP.noarch 0:2.27202-2.el7 perl-LWP-MediaTypes.noarch 0:6.02-2.el7
perl-Mozilla-CA.noarch 0:20130114-5.el7 perl-Net-Daemon.noarch 0:0.48-5.el7
perl-Net-HTTP.noarch 0:6.06-2.el7 perl-Net-LibIDN.x86_64 0:0.12-15.el7
perl-Net-SSLeay.x86_64 0:1.55-6.el7 perl-PlRPC.noarch 0:0.2020-14.el7
perl-TimeDate.noarch 1:2.30-2.el7 perl-URI.noarch 0:1.60-9.el7
perl-WWW-RobotRules.noarch 0:6.02-5.el7 perl-XML-LibXML.x86_64 1:2.0018-5.el7
perl-XML-NamespaceSupport.noarch 0:1.11-10.el7 perl-XML-SAX.noarch 0:0.99-9.el7
perl-XML-SAX-Base.noarch 0:1.08-7.el7 perl-libwww-perl.noarch 0:6.05-2.el7
perl-version.x86_64 3:0.99.07-3.el7

Complete!
Once installed, pgBackRest must be configured for things like stanza name, backup location, retention policy, logging, etc. Please consult the configuration guide.
If employing pgBackRest for your backup/recovery solution, ensure the repository, base backups, and WAL archives are stored on a reliable file system separate from the database server. Further, the external storage system where backups resided should have limited access to only those system administrators as necessary. Finally, as with any backup/recovery solution, stringent testing must be conducted. A backup is only good if it can be restored successfully.

See Also

https://workbench.cisecurity.org/files/2306

Item Details

Category: CONTINGENCY PLANNING

References: 800-53|CP-9, CSCv6|10, CSCv7|10.1, CSCv7|10.2

Plugin: Unix

Control ID: 205294d11b3d231b6a0ba868acd69a55e00ec04bd8bba071e25cfae80bb674dd