7.3 Ensure base backups are configured and functional

Information

A 'base backup' is a copy of the PRIMARY host's data cluster ($PGDATA) and is used to create STANDBY hosts and for Point In Time Recovery (PITR) mechanisms. Base backups should be copied across networks in a secure manner using an encrypted transport mechanism. The PostgreSQL CLI pg_basebackup can be used, however, TLS encryption should be enabled on the server as per section 6.8 of this benchmark. The pgBackRest tool detailed in section 8.3 of this benchmark can also be used to create a 'base backup'.

Rationale:

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Executing base backups using pg_basebackup requires the following steps on the standby server:

$ whoami
postgres
$ pg_basebackup --host=name_or_IP_of_master \
--port=5432 \
--username=replication_user \
--pgdata=~postgres/16/data \
--progress --verbose --write-recovery-conf --wal-method=stream

See Also

https://workbench.cisecurity.org/benchmarks/14977

Item Details

Category: CONTINGENCY PLANNING

References: 800-53|CP-4, 800-53|CP-9(1), CSCv7|10.3

Plugin: PostgreSQLDB

Control ID: 753e0b866c13f6877f030e783c6d262e713523a67e40a5e156520e357d84dc46