Information
The PostgreSQL packages are installed on the Operating System from valid source.
Rationale:
Standard Linux distributions, although they carry the requisite packages in their repositories, often do not have PostgreSQL pre-installed. Installation covers the binaries and the tooling needed to initialize a data cluster. Package installation should include both the server and client packages. Contribution (contrib) modules are optional, depending upon one's architectural requirements, but they are recommended.
From a security perspective, it is imperative to verify that the PostgreSQL binary packages are sourced from a valid Linux yum repository. The most common repositories are CentOS base and PGDG base; however, it is up to the organization to validate which repositories it trusts. For a complete listing of all PostgreSQL binaries available via the configured repositories, inspect the output of: yum provides 'postgres*'
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
If the version of PostgreSQL installed is not 9.6.x, the packages may be uninstalled, as root, using this command:
$ whoami
root
$ yum remove $(rpm -qa | grep postgres)
The next recommendation, '1.3 Ensure Installation of Community Packages', describes how to explicitly choose which version of PostgreSQL to install, regardless of which version the Linux distribution ships.
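The two checks above (packages come from a repository the organization trusts, and the installed version is 9.6.x) can be scripted from the RPM database. The script below is an added example, not part of the benchmark or of Nessus; the key IDs in TRUSTED_KEY_IDS are placeholders to be replaced with the signing keys of the repositories your organization has approved, and the sample lines in the usage are constructed.

```shell
#!/bin/sh
# Added example: verify installed PostgreSQL packages are 9.6.x and signed
# by a key the organization trusts (placeholder IDs below; replace with the
# key IDs of your approved repositories, e.g. CentOS base or PGDG).
TRUSTED_KEY_IDS="0123456789abcdef fedcba9876543210"   # placeholders
REQUIRED_VERSION_PREFIX="9.6"

# One line per installed package: "name version keyid".
# RSAHEADER:pgpsig renders as "RSA/SHA256, <date>, Key ID <16 hex>" for a
# signed package and "(none)" for an unsigned one, so the key ID is the
# last whitespace-separated field either way.
query_pg_packages() {
    rpm -qa --qf '%{NAME} %{VERSION} %{RSAHEADER:pgpsig}\n' 'postgresql*' 2>/dev/null |
        awk '{ print $1, $2, $NF }'
}

# Reads "name version keyid" lines on stdin, prints a verdict per package,
# and returns 0 only if every package passes both the version and key checks.
check_pg_packages() {
    status=0
    while read -r name version keyid; do
        [ -n "$name" ] || continue
        case "$version" in
            "$REQUIRED_VERSION_PREFIX".*) ver_ok=yes ;;
            *) ver_ok=no ;;
        esac
        key_ok=no
        for k in $TRUSTED_KEY_IDS; do
            [ "$k" = "$keyid" ] && key_ok=yes
        done
        if [ "$ver_ok" = yes ] && [ "$key_ok" = yes ]; then
            echo "PASS $name $version (key $keyid)"
        else
            echo "FAIL $name $version (version_ok=$ver_ok key_ok=$key_ok key=$keyid)"
            status=1
        fi
    done
    return $status
}

# Live run: an empty package list is itself a finding, since the
# benchmark requires the server and client packages to be installed.
main() {
    pkgs=$(query_pg_packages)
    if [ -z "$pkgs" ]; then
        echo "FAIL: no PostgreSQL packages installed"
        return 1
    fi
    printf '%s\n' "$pkgs" | check_pg_packages
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke with `sh check_pg_packages.sh --run` on the target host; the exit status is non-zero on any finding, which makes it usable from a compliance job.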
Impact:
If the PostgreSQL version shipped with your Linux distribution's default packages satisfies your requirements, it may be adequate for development and testing purposes. For production instances, however, it is generally recommended to install the latest stable release of PostgreSQL.