Crunchy Data has recently announced an update to the CIS PostgreSQL Benchmark by the Center for Internet Security, a nonprofit organization that provides publications around standards and best practices for securing technologies systems. This newly published CIS PostgreSQL 11 Benchmark joins the existing CIS Benchmarks for PostgreSQL 9.5, 9.6, and 10 while continuing to build upon Crunchy Data's efforts with the PostgreSQL Security Technical Implementation Guide (PostgreSQL STIG).
What is a CIS Benchmark?
As mentioned in earlier blog posts (here, here), a CIS Benchmark is a set of guidelines and best practices for securely configuring a target system. The benchmark contains a series of recommendations that help test the security of the system: some of the recommendations are "scored" (where a top score of 100 is the best), while others are are provided to establish best practices for security.
What’s in the CIS PostgreSQL 11 Benchmark?
The CIS PostgreSQL 11 Benchmark recommendations were developed by testing PostgreSQL 11 running on CentOS 7. While compiling a CIS Benchmark, the team looked at new features and security measures that were added in PostgreSQL 11 while taking account features that have been deprecated or removed that could affect security.
Data security involves many areas of the operating environment that PostgreSQL runs in; it's not just the database software itself. As such, the CIS PostgreSQL Benchmark provides recommendations in the following areas:
- Installation and Patches
- Directory and File Permissions
- Logging Monitoring and Auditing
- User Authentication , Access Controls, and Authorization
- Connection and Replication
- PostgreSQL Settings and special configuration considerations
These are also recommendations that you can find in the DISA PostgreSQL STIG
The CIS PostgreSQL Benchmark is a Level 1 configuration profile, which as described in the Benchmark documentation, is intended to provide a practical, secure operating environment.
Example Update for PostgreSQL 11: Securing SSL keys
PostgreSQL 11 introduces the ability to specify a method of obtaining the password needed to unlock an SSL key at server startup. Prior versions of PostgreSQL required a key that was not password protected.
Two new options are introduced in
postgresql.conf: ssl_passphrase_command and ssl_passphrase_command_supports_reload. The former defines how the PostgreSQL server will obtain the SSL key at startup while the latter defines whether the SSL configuration should be reloaded and ssl_passphrase_command called during a server configuration reload.
ssl_passphrase_command = 'vault kv get -field=pem pg/ssl' ssl_passphrase_command_supports_reload = on
Here, we are making use of the open source vault utility to store the passphrase for the SSL PEM used by PostgreSQL.
Next Steps & Automation
The CIS PostgreSQL 11 Benchmark is available for free download at the CIS website, along with the Benchmarks for PostgreSQL 10, 9.6, and 9.5. The Crunchy Data team is continuing our work with CIS to continue to improve the Benchmark and take into account features that will become available after PostgreSQL 12 is released later this year.
If you’re interested in how to automate the process of performing security checks, we've open sourced the PostgreSQL STIG Compliance Validator, which uses InSpec and performs many of the same checks in the CIS PostgreSQL Benchmark.