1.2 Ensure Installation of Binary Packages

Information

The PostgreSQL packages are installed on the operating system from a valid source.
Rationale:
Standard Linux distributions, although possessing the requisite packages, often do not have PostgreSQL pre-installed. The installation process includes installing the binaries and the tooling needed to initialize a data cluster. Package installation should include both the server and client packages. The contrib modules are optional, depending on one's architectural requirements (they are recommended though).
From a security perspective, it is imperative to verify that the PostgreSQL binary packages are sourced from a valid Linux yum repository. The most common Linux repositories include CentOS base and PGDG base; however, it is up to the organization to validate. For a complete listing of all PostgreSQL binaries available via the configured repositories, inspect the output of the command yum provides libpq.so.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If the version of PostgreSQL installed is not 11.x, the packages may be uninstalled using this command:
$ whoami
root
$ yum remove $(rpm -qa|grep postgres)
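The following script is an added example and is not part of the benchmark or the Nessus plugin. It turns the two checks above (installed PostgreSQL packages are 11.x, and they come from a source the organization accepts) into one audit over the output of rpm; the accepted-vendor list and the package listings are assumed/constructed values.

```shell
#!/bin/sh
# Added audit helper, not part of the CIS benchmark or the Nessus plugin.
# It checks two things from one package listing: that every PostgreSQL
# package is a 11.x release and that it comes from a vendor the
# organization accepts as a valid source.
#
# Real input is produced with (run as root on the target):
#   rpm -qa --qf '%{NAME} %{VERSION} %{VENDOR}\n'
# The listings below are constructed samples in that same format.

# Accepted vendors: assumed policy values, adjust to your organization.
ALLOWED_VENDORS='PostgreSQL Global Development Group|CentOS'
REQUIRED_MAJOR='11'

# check_pg_packages LISTING
# Prints one OK/FAIL line per PostgreSQL package; returns 0 only if none fail.
check_pg_packages() {
    printf '%s\n' "$1" | awk -v major="$REQUIRED_MAJOR" -v allowed="$ALLOWED_VENDORS" '
        tolower($1) ~ /postgres/ {
            name = $1; version = $2
            vendor = $3                      # vendor names may contain spaces
            for (i = 4; i <= NF; i++) vendor = vendor " " $i
            split(version, v, ".")
            bad = 0
            if (v[1] != major) {
                printf("FAIL %s: version %s is not %s.x\n", name, version, major); bad = 1
            }
            if (vendor !~ ("^(" allowed ")$")) {
                printf("FAIL %s: vendor \"%s\" is not an accepted source\n", name, vendor); bad = 1
            }
            if (!bad) printf("OK   %s %s (%s)\n", name, version, vendor)
            fails += bad
        }
        END { exit (fails > 0) }'
}

# Constructed sample: PGDG 11.x packages plus an unrelated CentOS package.
SAMPLE_OK='postgresql11-server 11.10 PostgreSQL Global Development Group
postgresql11 11.10 PostgreSQL Global Development Group
bash 4.2.46 CentOS'

# Constructed sample: distribution 9.2 packages and one from an unknown vendor.
SAMPLE_BAD='postgresql-server 9.2.24 CentOS
postgresql11-contrib 11.10 Example Unknown Vendor'

check_pg_packages "$SAMPLE_OK"
check_pg_packages "$SAMPLE_BAD" || echo "non-compliant PostgreSQL packages found"
```

A non-zero exit from check_pg_packages is the signal to apply the removal command above and then install the intended 11.x packages from the chosen repository.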
The next recommendation "1.3 Ensure Installation of Community Packages" describes how to explicitly choose which version of PostgreSQL to install, regardless of Linux distribution association.
Impact:
If the PostgreSQL version shipped as part of the default binary installation associated with your Linux distribution satisfies your requirements, this may be adequate for development and testing purposes. However, for production instances it's generally recommended to install the latest stable release of PostgreSQL.
CIS Controls:
Version 6
2 Inventory of Authorized and Unauthorized Software
Version 7
2.1 Maintain Inventory of Authorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

See Also

https://workbench.cisecurity.org/files/2407

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8, 800-53|CM-11, CSCv6|2, CSCv7|2.1

Plugin: Unix

Control ID: 002a95c44427a81b8b7620b84a1b72819fcb6c618c449d9720649dba8eee069e