
Ensure packages are obtained from authorized repositories

Details

When obtaining and installing software packages (typically via yum), it’s imperative that packages are sourced only from valid and authorized repositories. For PostgreSQL, a short list of valid repositories would include CentOS (www.centos.org) and the official PostgreSQL website (yum.postgresql.org).

Rationale:

Being open source, PostgreSQL packages are widely available across the internet through RPM aggregators and providers. However, using invalid or unauthorized sources for packages can lead to implementing untested, defective, or malicious software.

Many organizations choose to implement a local yum repository within their organization. Care must be taken to ensure that only valid and authorized packages are downloaded and installed into such local repositories.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Alter the configured repositories so they only include valid and authorized sources of packages.

As an example of adding an authorized repository, we will install the PGDG repository RPM from ‘yum.postgresql.org’:

$ whoami
root
$ rpm -ivh https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm
Retrieving https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm
warning: /var/tmp/rpm-tmp.xU8FK1: Header V4 DSA/SHA1 Signature, key ID 442df0f8: NOKEY
Preparing… ########################################### [100%]
1:pgdg-centos10 ########################################### [100%]

Verify the repository has been added and is enabled:

$ whoami
root
$ yum repolist all | grep enabled:
base CentOS-6 – Base enabled: 6,713
extras CentOS-6 – Extras enabled: 31
pgdg10 PostgreSQL 10.7 – x86_64 enabled: 536
updates CentOS-6 – Updates enabled: 96
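The steps above add a repository and list what is enabled, but they do not by themselves tell you whether every enabled repository points at an authorized source, or whether yum will verify package signatures from it. The following shell script is an added example (not part of the benchmark text and not Nessus's audit logic) that parses yum .repo files, reports each enabled repository, and fails if its baseurl/mirrorlist host is outside an allowlist or if gpgcheck is not 1. The allowlist hosts, the temporary directory, and the three sample .repo files are constructed for the demonstration; on a real host you would point check_repos at /etc/yum.repos.d instead.

```shell
#!/bin/sh
# Assumed allowlist of repository hosts, derived from the two sources the
# control names (centos.org and yum.postgresql.org). Adjust for your site.
ALLOWED_HOSTS="mirrorlist.centos.org mirror.centos.org download.postgresql.org yum.postgresql.org"

# Constructed sample .repo files for the demonstration (not from a real host).
SAMPLE_REPO_DIR="${TMPDIR:-/tmp}/repo-check-demo"
make_samples() {
  mkdir -p "$SAMPLE_REPO_DIR"
  # Stock CentOS base repo: no enabled= line, which yum treats as enabled=1.
  cat > "$SAMPLE_REPO_DIR/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
  # PGDG repo as installed by the pgdg RPM in the solution text.
  cat > "$SAMPLE_REPO_DIR/pgdg-10-centos.repo" <<'EOF'
[pgdg10]
name=PostgreSQL 10 $releasever - $basearch
baseurl=https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-$releasever-$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG-10
EOF
  # An unvetted aggregator with signature checking switched off (constructed).
  cat > "$SAMPLE_REPO_DIR/thirdparty.repo" <<'EOF'
[rpm-aggregator]
name=Unvetted RPM mirror
baseurl=http://rpms.example.invalid/el7/
enabled=1
gpgcheck=0
EOF
}

# check_repos DIR "host1 host2 ..."
# Prints one OK/FAIL line per enabled repository section found in DIR/*.repo
# and exits non-zero if any enabled repository fails either check.
check_repos() {
  dir="$1"; allowed="$2"
  awk -v allowed="$allowed" '
    # Reduce a baseurl/mirrorlist URL to its host name.
    function host(u) {
      sub(/^[a-zA-Z]+:\/\//, "", u)   # drop scheme
      sub(/[\/?].*$/, "", u)          # drop path and query string
      sub(/:[0-9]+$/, "", u)          # drop port
      return u
    }
    # Evaluate the section collected so far; skip sections that are disabled.
    function flush(  h, bad) {
      if (sec == "") return
      if (enabled == "1") {
        h = host(baseurl != "" ? baseurl : mirrorlist)
        bad = ""
        if (index(" " allowed " ", " " h " ") == 0) bad = bad " unauthorized-host(" h ")"
        if (gpgcheck != "1") bad = bad " gpgcheck-not-1"
        if (bad == "") print "OK   " sec " " h
        else { print "FAIL " sec bad; fails++ }
      }
      sec = ""
    }
    # A [section] header starts a new repository; enabled defaults to 1 as in yum,
    # while an absent gpgcheck is reported as not-1 rather than inherited from yum.conf.
    /^\[.*\]/ { flush(); sec = substr($0, 2, index($0, "]") - 2)
                enabled = "1"; gpgcheck = ""; baseurl = ""; mirrorlist = ""; next }
    /^enabled=/    { enabled = substr($0, 9) }
    /^gpgcheck=/   { gpgcheck = substr($0, 10) }
    /^baseurl=/    { baseurl = substr($0, 9) }
    /^mirrorlist=/ { mirrorlist = substr($0, 12) }
    END { flush(); exit (fails > 0) }
  ' "$dir"/*.repo
}

# Demonstration run over the constructed samples. On a real host:
#   check_repos /etc/yum.repos.d "$ALLOWED_HOSTS"
make_samples
check_repos "$SAMPLE_REPO_DIR" "$ALLOWED_HOSTS"
status=$?
echo "exit status: $status (non-zero means at least one enabled repository failed)"
```

Two caveats for using this in practice: a mirrorlist URL only identifies the host that hands out the mirror list, not the mirrors it returns, so an allowlist check on that host vouches for the list provider rather than each mirror; and the NOKEY warning in the rpm transcript above means rpm could not verify that package's signature because the PGDG signing key was not yet in the RPM keyring. With gpgcheck=1 and a gpgkey entry, yum verifies the signature of every package it installs from that repository and imports the key on first use, which is why the script treats anything other than gpgcheck=1 as a failure.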

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.


Updated on July 16, 2022