1.1 Ensure packages are obtained from authorized repositories

Information

When obtaining and installing software packages (typically via yum), it's imperative that packages are sourced only from valid and authorized repositories. For PostgreSQL, a short list of valid repositories would include CentOS (www.centos.org) and the official PostgreSQL website (yum.postgresql.org).
Rationale:
Being open source, PostgreSQL packages are widely available across the internet through RPM aggregators and providers. However, using invalid or unauthorized sources for packages can lead to implementing untested, defective or malicious software.
Many organizations choose to implement a local yum repository within their organization. Care must be taken to ensure that only valid and authorized packages are downloaded and installed into such local repositories.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Alter the configured repositories so they only include valid and authorized sources of packages.
Here is an example of adding an authorized repository:
1. Install the PGDG repository RPM from yum.postgresql.org
$ rpm -ivh https://download.postgresql.org/pub/repos/yum/9.5/redhat/rhel-6-x86_64/pgdg-centos95-9.5-3.noarch.rpm
Retrieving https://download.postgresql.org/pub/repos/yum/9.5/redhat/rhel-6-x86_64/pgdg-centos95-9.5-3.noarch.rpm
warning: /var/tmp/rpm-tmp.DAPqyf: Header V4 DSA/SHA1 Signature, key ID 442df0f8: NOKEY
Preparing... ########################################### [100%]
1:pgdg-centos95 ########################################### [100%]
2. Verify the repository has been added and is enabled.
$ yum repolist all | grep enabled:
base CentOS-6 - Base enabled: 6,696
extras CentOS-6 - Extras enabled: 62
updates CentOS-6 - Updates enabled: 581
pgdg PostgreSQL 9.5 6 - x86_64 enabled: 406
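The `NOKEY` warning in step 1 means rpm could not verify the package signature because the PGDG signing key was not yet in the rpm keyring, so obtaining the repository RPM from an authorized host is only half of the control; the repository must also be configured with signature checking on. The following script is an added example and is not part of the benchmark or of Nessus. It parses yum `.repo` files the way `yum repolist` would see them and reports every enabled repository whose `baseurl` or `mirrorlist` host is outside an allowlist, or that does not set `gpgcheck=1`. The allowlist, the `.repo` sample files and the host `rpm.example.test` are constructed for the demonstration; on a real host point `REPO_DIR` at `/etc/yum.repos.d` and extend `AUTHORIZED_HOSTS` with your organization's local repository.

```shell
#!/usr/bin/env bash
# Added example, not benchmark or Nessus code: audit yum .repo definitions against an
# allowlist of authorized repository hosts. The sample .repo files below are constructed.

# Hosts the benchmark names as authorized (CentOS mirrors, the PostgreSQL yum project).
# Assumption: add your organization's local repository host here.
AUTHORIZED_HOSTS="mirrorlist.centos.org mirror.centos.org download.postgresql.org yum.postgresql.org"

# audit_repo_file FILE
# Parses the INI-style .repo file and prints one finding per enabled repository that is
# hosted outside AUTHORIZED_HOSTS or does not set gpgcheck=1. Returns 1 if anything was found.
audit_repo_file() {
    local findings
    findings=$(awk -v allowed="$AUTHORIZED_HOSTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Host part of a baseurl/mirrorlist value, with scheme, port and path stripped.
        function host(url,   h) {
            h = url
            sub(/^[a-z]+:\/\//, "", h)
            sub(/[\/:].*$/, "", h)
            return h
        }
        # Report the section just finished; yum treats a missing enabled= as enabled.
        function flush(   h) {
            if (section == "" || enabled == "0") return
            if (url != "") {
                h = host(url)
                if (!(h in ok)) printf "%s: repo [%s] uses unauthorized host %s\n", FILENAME, section, h
            }
            if (gpgcheck != "1") printf "%s: repo [%s] has gpgcheck=%s (expected 1)\n", FILENAME, section, (gpgcheck == "" ? "unset" : gpgcheck)
        }
        /^\[.*\]$/ {
            flush()
            section = substr($0, 2, length($0) - 2); enabled = "1"; gpgcheck = ""; url = ""
            next
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1);   gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled")       enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if ((key == "baseurl" || key == "mirrorlist") && url == "") url = val
        }
        END { flush() }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# audit_repo_dir DIR: run the check over every .repo file in DIR; 1 if any finding.
audit_repo_dir() {
    local f rc=0
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        audit_repo_file "$f" || rc=1
    done
    return $rc
}

# write_sample_repos DIR: constructed sample files, two vetted and one not.
write_sample_repos() {
    cat > "$1/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
EOF
    cat > "$1/pgdg-95-centos.repo" <<'EOF'
[pgdg95]
name=PostgreSQL 9.5 $releasever - $basearch
baseurl=https://download.postgresql.org/pub/repos/yum/9.5/redhat/rhel-$releasever-$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG-95
EOF
    cat > "$1/unvetted.repo" <<'EOF'
[thirdparty-pg]
name=PostgreSQL builds from an unvetted aggregator (constructed)
baseurl=http://rpm.example.test/pg/$releasever/$basearch
enabled=1
gpgcheck=0

[thirdparty-disabled]
name=Disabled, so not reported
baseurl=http://rpm.example.test/other
enabled=0
EOF
}

# Stand-alone demo over the constructed files.
REPO_DIR=$(mktemp -d)
write_sample_repos "$REPO_DIR"
if audit_repo_dir "$REPO_DIR"; then echo "no findings"; else echo "review the findings above"; fi
rm -rf "$REPO_DIR"
```

Run it as root against `/etc/yum.repos.d` after the step above and the expected result is two findings for a repository like `thirdparty-pg` and none for `base` or `pgdg95`; a repository with `enabled=0` is skipped because yum will not pull packages from it.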

See Also

https://workbench.cisecurity.org/files/2063

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2

Plugin: Unix

Control ID: 91a8a322de7c0b68c1875e39c158cb641afa8903a6d5fcf0692e02e5d2388fa6