7.3 Ensure base backups are configured and functional

Information

A 'base backup' is a copy of the PRIMARY host's data cluster ($PGDATA) and is used to create STANDBY hosts and for Point In Time Recovery (PITR) mechanisms. Base backups should be copied across networks in a secure manner using an encrypted transport mechanism. CLI examples includes scp, sftp and rsync -e ssh. Alternatively, the CLI cp can be used with an SSL-enabled implementation of an NFS mount point, or the PostgreSQL CLI pg_basebackup can be used. However, SSL encryption should be enabled on the server. Beware it is possible to use this utility without SSL encryption enabled.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

There are two methods of creating base backups; manual and simple. The 'manual' method explicitly first signals that a backup is about to start, then copies both the data cluster and WALs, using the appropriate tools/utilities, and finally signaling the PRIMARY host the copy process has finished and the backup has finished.
postgres=# SELECT pg_start_backup('my base backup');
pg_start_backup
-----------------
0/2000028
(1 row)
# copy both the data cluster and
# all WALs generated during the process
# ex:
$ scp -rp $PGDATA user@dest:/path
postgres=# SELECT pg_stop_backup();
pg_start_backup
-----------------
0/2000030
(1 row)
Executing base backups using pg_basebackup requires the following steps on the standby server:
$ whoami
postgres
$ pg_basebackup -h name_or_IP_of_master \
-p 5432 \
-U replication_user \
-D ~postgres/9.6/data \
-P -v -R -XS

See Also

https://workbench.cisecurity.org/files/2234

Item Details

Category: CONTINGENCY PLANNING

References: 800-53|CP-10(1), CSCv6|10.2, CSCv7|10.3

Plugin: PostgreSQLDB

Control ID: 79589f8de3bff769bf736f9514f24524e50a83d41417e21ec5f96b25b8c66675