1.2 Ensure Installation of Community Packages

Information

Add the PostgreSQL community package repository to the host's package manager and install PostgreSQL from it.
Rationale:
It's an unfortunate reality that Linux distributions do not always carry the most up-to-date versions of PostgreSQL. Disadvantages of older releases include: missing bug patches, no access to highly desirable contribution modules, no access to third-party projects that are complementary to Postgres, and no upgrade path for migrating from one version of Postgres to the next. The worst set of circumstances is to be limited to a version of the DBMS that has reached its end-of-life.
From a security perspective, it's imperative that Postgres Community Packages are only obtained from the official website https://www.postgresql.org/. Being open source, the Postgres packages are widely available over the internet via myriad package aggregators and providers. Obtaining software from these unofficial sites risks installing defective, corrupt, or downright malicious versions of Postgres.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Using a web browser, go to http://yum.postgresql.org and navigate to the repo download link for your OS and version. The following example blocks the outdated distro packages, adds the PGDG repository RPM for PostgreSQL version 9.5, and installs the client, server, and contrib RPMs on the host where you want to install the RDBMS:
$ vi /etc/yum.repos.d/CentOS-Base.repo
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
exclude=postgresql* <-- add this line

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
exclude=postgresql* <-- add this line

$ yum -y install https://yum.postgresql.org/9.5/redhat/rhel-6-x86_64/pgdg-redhat95-9.5-3.noarch.rpm

$ yum -y groupinstall "PostgreSQL Database Server 9.5 PGDG"
Loaded plugins: fastestmirror
Setting up Group Process
Loading mirror speeds from cached hostfile
* base: ftp.osuosl.org
* extras: repo.us.bigstepcloud.com
* updates: repo1.dal.innoscale.net
Resolving Dependencies
--> Running transaction check
---> Package postgresql95.x86_64 0:9.5.6-5PGDG.rhel6 will be installed
---> Package postgresql95-contrib.x86_64 0:9.5.6-5PGDG.rhel6 will be installed
---> Package postgresql95-libs.x86_64 0:9.5.6-5PGDG.rhel6 will be installed
---> Package postgresql95-server.x86_64 0:9.5.6-5PGDG.rhel6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
postgresql95 x86_64 9.5.6-5PGDG.rhel6 pgdg95 1.4 M
postgresql95-contrib x86_64 9.5.6-5PGDG.rhel6 pgdg95 491 k
postgresql95-libs x86_64 9.5.6-5PGDG.rhel6 pgdg95 285 k
postgresql95-server x86_64 9.5.6-5PGDG.rhel6 pgdg95 4.8 M

Transaction Summary
================================================================================
Install 4 Package(s)

Total download size: 6.9 M
Installed size: 27 M
Downloading Packages:
(1/4): postgresql95-9.5.6-5PGDG.rhel6.x86_64.rpm | 1.4 MB 00:00
(2/4): postgresql95-contrib-9.5.6-5PGDG.rhel6.x86_64.rpm | 491 kB 00:00
(3/4): postgresql95-libs-9.5.6-5PGDG.rhel6.x86_64.rpm | 285 kB 00:00
(4/4): postgresql95-server-9.5.6-5PGDG.rhel6.x86_64.rpm | 4.8 MB 00:00
--------------------------------------------------------------------------------
Total 2.1 MB/s | 6.9 MB 00:03
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : postgresql95-libs-9.5.6-5PGDG.rhel6.x86_64 1/4
Installing : postgresql95-9.5.6-5PGDG.rhel6.x86_64 2/4
Installing : postgresql95-server-9.5.6-5PGDG.rhel6.x86_64 3/4
Installing : postgresql95-contrib-9.5.6-5PGDG.rhel6.x86_64 4/4
Verifying : postgresql95-libs-9.5.6-5PGDG.rhel6.x86_64 1/4
Verifying : postgresql95-server-9.5.6-5PGDG.rhel6.x86_64 2/4
Verifying : postgresql95-contrib-9.5.6-5PGDG.rhel6.x86_64 3/4
Verifying : postgresql95-9.5.6-5PGDG.rhel6.x86_64 4/4

Installed:
postgresql95.x86_64 0:9.5.6-5PGDG.rhel6
postgresql95-contrib.x86_64 0:9.5.6-5PGDG.rhel6
postgresql95-libs.x86_64 0:9.5.6-5PGDG.rhel6
postgresql95-server.x86_64 0:9.5.6-5PGDG.rhel6

Complete!
Note: The above example is an illustration only. The distro and version vary according to one's requirements. Visit the Postgres community web portal for more information.
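The following shell helper is an added example and is not part of the CIS benchmark or the Nessus plugin; it checks the two things the procedure above changes, that every enabled section of a yum .repo file carries exclude=postgresql* with gpgcheck=1, and that installed postgresql* packages come from a PGDG repository. It assumes the .repo layout shown above and the three-column layout of `yum list installed` output, and runs against constructed sample data rather than the host.

```shell
#!/bin/sh
# Added audit helper (not from the CIS benchmark or the Nessus plugin).
# check_repo_sections: every enabled [section] of a yum .repo file on stdin
# must carry exclude=postgresql* and gpgcheck=1; prints each finding and
# returns non-zero if any section fails.
check_repo_sections() {
  awk '
    function flush() {
      if (sec != "" && enabled) {
        if (!excl) { printf "%s: missing exclude=postgresql*\n", sec; bad = 1 }
        if (!gpg)  { printf "%s: gpgcheck is not 1\n", sec; bad = 1 }
      }
    }
    /^\[.*\]$/ { flush(); sec = $0; excl = 0; gpg = 0; enabled = 1; next }
    /^exclude=/ && $0 ~ /postgresql\*/ { excl = 1 }
    /^gpgcheck=1/                      { gpg = 1 }
    /^enabled=0/                       { enabled = 0 }
    END { flush(); exit bad }
  '
}

# check_package_origin: "yum list installed" output on stdin; every
# postgresql* package must come from a PGDG repository (repo column @pgdg*).
check_package_origin() {
  awk '$1 ~ /^postgresql/ && $3 !~ /^@pgdg/ { printf "%s came from %s\n", $1, $3; bad = 1 }
       END { exit bad }'
}

# Constructed samples (not taken from a real host).
compliant_repo() {
  printf '%s\n' '[base]' 'name=CentOS-$releasever - Base' 'gpgcheck=1' \
    'exclude=postgresql*' '' '[updates]' 'name=CentOS-$releasever - Updates' \
    'gpgcheck=1' 'exclude=postgresql*'
}
noncompliant_repo() {   # [updates] lacks the exclude line and has gpgcheck=0
  printf '%s\n' '[base]' 'gpgcheck=1' 'exclude=postgresql*' '' '[updates]' 'gpgcheck=0'
}
pgdg_packages() {
  printf '%s\n' 'postgresql95.x86_64 9.5.6-5PGDG.rhel6 @pgdg95' \
    'postgresql95-server.x86_64 9.5.6-5PGDG.rhel6 @pgdg95'
}
distro_packages() {     # one package slipped in from the distro repo (constructed version)
  printf '%s\n' 'postgresql95.x86_64 9.5.6-5PGDG.rhel6 @pgdg95' \
    'postgresql-libs.x86_64 8.4-distro @base'
}

# On a real host: check_repo_sections < /etc/yum.repos.d/CentOS-Base.repo
#                 yum list installed 'postgresql*' | check_package_origin
compliant_repo | check_repo_sections && echo "compliant sample: OK"
noncompliant_repo | check_repo_sections || echo "non-compliant sample: findings above"
```

`yum list installed` may wrap a long package name onto its own line, so pipe it through a reflow (or use `rpm -qa --qf`) before the origin check on a real host.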

See Also

https://workbench.cisecurity.org/files/2063

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2, CSCv6|18.1

Plugin: Unix

Control ID: 114afe16fac74e39881d9a464e4d80b5e0d0b3b86cb3d754241e9a93f2a4c928