7.5 Ensure streaming replication parameters are configured correctly

Information

Streaming replication from a PRIMARY host transmits DDL, DML, passwords, and other potentially sensitive activities and data. These connections should be protected with Secure Sockets Layer (SSL).

Rationale:

Unencrypted transmissions could reveal sensitive information to unauthorized parties. Unauthenticated connections could enable man-in-the-middle attacks.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Review prior sections in this benchmark regarding TLS certificates, replication user, and WAL archiving.

Confirm the file $PGDATA/standby.signal is present on the STANDBY host and $PGDATA/postgresql.auto.conf contains lines similar to the following:

primary_conninfo = 'user=replication_user password=mypassword host=mySrcHost port=5432 sslmode=require sslcompression=1'
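The following Python script is an added example (not part of the benchmark or Nessus plugin) that automates the manual check above: it verifies standby.signal is present, parses primary_conninfo out of postgresql.auto.conf with a small libpq conninfo parser, and reports an sslmode that does not force TLS. It assumes sslmode=require is the baseline shown here and that verify-ca/verify-full also pass; the clear-text password finding is an added informational note, not a benchmark requirement. The sample PGDATA directory it builds is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the benchmark shows sslmode=require; verify-ca/verify-full are stronger and also pass.
SECURE_SSLMODES = {"require", "verify-ca", "verify-full"}
CONF_LINE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*'((?:[^']|'')*)'\s*$")  # key = 'value'
CONNINFO_PAIR = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)")  # libpq key=value

def parse_auto_conf(text: str) -> dict:
    """Map setting name -> value from postgresql.auto.conf; a later line wins."""
    matches = (CONF_LINE.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2).replace("''", "'") for m in matches if m}

def parse_conninfo(conninfo: str) -> dict:
    """Split a libpq 'key=value key=value' string; values may be single-quoted."""
    pairs = {}
    for key, val in CONNINFO_PAIR.findall(conninfo):
        if val.startswith("'"):
            val = val[1:-1].replace("\\'", "'").replace("\\\\", "\\")
        pairs[key.lower()] = val
    return pairs

def check_standby(pgdata: Path) -> list:
    """Return findings for a STANDBY data directory; an empty list means pass."""
    findings = []
    if not (pgdata / "standby.signal").is_file():
        findings.append("standby.signal missing: host is not running as a standby")
    conf = pgdata / "postgresql.auto.conf"
    settings = parse_auto_conf(conf.read_text()) if conf.is_file() else {}
    if "primary_conninfo" not in settings:
        return findings + ["primary_conninfo not set in postgresql.auto.conf"]
    conn = parse_conninfo(settings["primary_conninfo"])
    mode = conn.get("sslmode", "prefer")  # 'prefer' is the libpq default when unset
    if mode not in SECURE_SSLMODES:
        findings.append(f"sslmode={mode} does not force TLS; set sslmode=require")
    if "password" in conn:  # informational: credential sits in a plain file
        findings.append("password stored in clear text in postgresql.auto.conf")
    return findings

def make_demo_pgdata(conninfo: str, with_signal: bool = True) -> Path:
    """Build a constructed sample PGDATA directory so the check runs offline."""
    pgdata = Path(tempfile.mkdtemp())
    if with_signal:
        (pgdata / "standby.signal").touch()
    (pgdata / "postgresql.auto.conf").write_text(
        f"# Do not edit this file manually!\nprimary_conninfo = '{conninfo}'\n")
    return pgdata
```

Point check_standby at the real $PGDATA on the STANDBY host to run it against a live instance; the reviewer must still confirm the TLS certificates and replication user from the earlier sections.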

See Also

https://workbench.cisecurity.org/benchmarks/14977

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: PostgreSQLDB

Control ID: ac2ef8534b7d9f981ee96cc4d437dd97a38faf5181ef4a45bac9b6d914e3ce1f