1.1 Ensure packages are obtained from authorized repositories

Information

Standard Linux distributions, although possessing the requisite packages, often do not have PostgreSQL pre-installed. The installation process includes installing the binaries and the means to generate a data cluster. Package installation should include both the server and client packages. Contribution modules are optional depending upon one's architectural requirements (they are recommended though).

When obtaining and installing software packages (typically via dnf or apt), it's imperative that packages are sourced only from valid and authorized repositories. For PostgreSQL, the canonical repositories are the official PostgreSQL YUM repository (yum.postgresql.org) and the official PostgreSQL APT repository (apt.postgresql.org). Your chosen PostgreSQL vendor may offer its own software repositories as well.

Rationale:

Being open-source, PostgreSQL packages are widely available across the internet through package aggregators and providers. However, using invalid or unauthorized sources for packages can lead to implementing untested, defective, or malicious software.

Many organizations choose to implement a local software repository within their organization. Care must be taken to ensure that only valid and authorized packages are downloaded and installed into such local repositories.

From a security perspective, it's imperative to verify the PostgreSQL binary packages are sourced from a valid software repository. For a complete listing of all PostgreSQL binaries available via configured repositories inspect the output from dnf provides '*libpq.so' or apt-file search /usr/pgsql-14/lib/libpq.so.5.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Alter the configured repositories so they only include valid and authorized sources of packages.

As an example of adding an authorized repository, we will install the PGDG repository RPM from 'yum.postgresql.org':

# whoami
root
# dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Last metadata expiration check: 0:01:35 ago on Mon 03 Oct 2022 01:19:37 PM EDT.
[snip]
Installed:
pgdg-redhat-repo-42.0-27.noarch

Complete!
# whoami
root
# dnf repolist all | egrep 'enabled$'
pgdg-common PostgreSQL common enabled
pgdg11 PostgreSQL 11 for enabled
pgdg12 PostgreSQL 12 for enabled
pgdg13 PostgreSQL 13 for enabled
pgdg14 PostgreSQL 14 for enabled
pgdg15 PostgreSQL 15 for enabled
rhel-9-for-x86_64-appstream-rpms Red Hat Enterprise enabled
rhel-9-for-x86_64-baseos-rpms Red Hat Enterprise enabled

If the version of PostgreSQL installed is not 14.x or they did not come from a valid repository, the packages may be uninstalled using this command:

# whoami
root
# dnf remove $(rpm -qa|grep postgres)

To install the PGDG RPMs for PostgreSQL 14.x, run:

# whoami
root
# dnf install -y postgresql14-{server,contrib}
<snip>
Installed:
<snip>
postgresql14-14.6-1PGDG.rhel9.x86_64 postgresql14-contrib-14.6-1PGDG.rhel9.x86_64
postgresql14-libs-14.6-1PGDG.rhel9.x86_64 postgresql14-server-14.6-1PGDG.rhel9.x86_64
Complete!

See Also

https://workbench.cisecurity.org/benchmarks/11866