7.5 Ensure streaming replication parameters are configured correctly

Information

Streaming replication from a PRIMARY host transmits DDL, DML, passwords, and other potentially sensitive activities and data. These connections should be protected with Secure Sockets Layer (SSL).
Rationale:
Unencrypted transmissions could reveal sensitive information to unauthorized parties. Unauthenticated connections could enable man-in-the-middle attacks.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Review prior sections in this benchmark regarding SSL certificates, replication user, and WAL archiving.
Confirm the file recovery.conf is present on the STANDBY host and contains lines similar to the following:
standby_mode=on
primary_conninfo = 'user=replication_user password=mypassword host=mySrcHost port=5432 sslmode=require sslcompression=1'

See Also

https://workbench.cisecurity.org/files/2235

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: PostgreSQLDB

Control ID: d1f5e3e1297fe7758027fcf56976bd92a4599fa5637ad1c358f3330869391e15