Secure PostgreSQL 14 with CIS Benchmark

Douglas Hunley
Security CIS Benchmark

Crunchy Data is proud to announce an update to the CIS PostgreSQL Benchmark by the Center for Internet Security (CIS). CIS is a nonprofit organization that publishes best practices and standards for securing modern technology and systems. This newly published CIS PostgreSQL 14 Benchmark ads to the existing CIS Benchmarks for PostgreSQL 9.5 - 13 and builds upon Crunchy Data's ongoing efforts with the PostgreSQL Security Technical Implementation Guide (PostgreSQL STIG).

 

About CIS Benchmarks

A CIS Benchmark is a published list of guidelines and best practices for securely configuring a target system. Authoring a CIS Benchmark is a collaborative process and involves considerable peer reviews and discussion before a major version is published, ensuring there is a general consensus on the best practices for deploying a secure system.

The CIS Benchmark contains a series of compliance recommendations that are designed to test the security of the system. Some of these recommendations can be “scored”. If the system meets the requirements of a check, it receives points towards a final benchmark score. Scores range from 1-100, with 100 being the best possible score. There are additional non-scored compliance recommendations for informational purposes that also guide towards best practices.

CIS benchmark recommendations are often divided into two different configuration profiles. A Level 1 profile is considered to be a “base security configuration” which has recommendations that generally easier to set up and lower the overall potential attack surface of a system. Level 2 profiles are designed for environments where security is paramount.

 

About the CIS PostgreSQL 14 Benchmark

The CIS PostgreSQL 14 Benchmark recommendations were developed by testing PostgreSQL 14 running on RHEL 8, though these recommendations will also apply to newer versions of PostgreSQL. Similar to the PostgreSQL STIG, the CIS PostgreSQL Benchmark provides recommendations in the following areas:

 

  1. Installation and Patches
  2. Directory and File Permissions
  3. Logging Monitoring And Auditing
  4. User Access and Authorization
  5. Connection and Login
  6. PostgreSQL Settings
  7. Replication
  8. Special Configuration Considerations

At present, the CIS PostgreSQL Benchmark contains a Level 1 configuration profile, which as described in the Benchmark documentation, is intended to:

 

  • Be practical and prudent;
  • Provide a clear security benefit; and
  • Not inhibit the utility of the technology beyond acceptable means.

About Benchmark Recommendations

Recommendations are first grouped together by general categories (e.g. “User Access & Authorization”) and then subdivided into their specific parts. Each recommendation is broken up into the following:

 

  • Profile Applicability - The configuration profiles that this recommendation is used for, i.e. Level 1, Level 2, or some combination thereof.
  • Description - A detailed explanation of the recommendation
  • Rationale - Why the recommendation is in place and what consequences could occur if the recommendation is not followed
  • Audit - Steps to take to check if the recommendation has been applied to a target system
  • Remediation - If the audit fails, the steps to take to apply the recommendation
  • Default Value - The default setup with PostgreSQL if no action is taken on the recommendation
  • References - If present, additional references to help with understanding and applying the recommendation
  • CIS Controls - A list of enumerated CIS Controls that represents actions to perform to secure a target system

An example control: Enabling FIPS mode on RHEL/CentOS 8

PostgreSQL makes use of the OpenSSL encryption library to provide end-to-end secure communications between the database and its users. This encryption is further strengthened by running the system in FIPS mode. Accordingly, the CIS PostgreSQL Benchmark details using the `fips-mode-setup` tool in RHEL/CentOS 8:

 

$ fips-mode-setup --check #is fips enabled?
FIPS mode is enabled
$ openssl version #is it fips capable?
OpenSSL 1.1.1-fips  1 Sep 2019
$ fips-mode-setup --enable #enable fips
Setting system policy to FIPS
FIPS mode will be enabled.

Please reboot the system for the setting to take effect.

 

Getting Started

The CIS PostgreSQL Benchmark is freely available as a guide to help you secure your Postgres deployments. If you’re interested in security validation, take a look at our open source PostgreSQL STIG Compliance Validator, which uses the InSpec tool to automate many of the same checks that the CIS PostgreSQL Benchmark handles. 

Check back for updates as the Crunchy Data team is continuing to work with CIS to refine and improve upon the Benchmark.

Newsletter