Crunchy Data has recently announced an update to the CIS PostgreSQL Benchmark by the Center for Internet Security, a nonprofit organization that provides publications around standards and best practices for securing technologies systems. This newly published CIS PostgreSQL 10 Benchmark joins the existing CIS Benchmarks for PostgreSQL 9.5 and 9.6 while continuing to build upon Crunchy Data's efforts with the PostgreSQL Security Technical Implementation Guide (PostgreSQL STIG).
What is a CIS Benchmark?
As mentioned in an earlier blog post, a CIS Benchmark is a set of guidelines and best practices for securely configuring a target system. The benchmark contains a series of recommendations that help test the security of the system: some of the recommendations are "scored" (where a top score of 100 is the best), while others are are provided to establish best practices for security.
What’s in the CIS PostgreSQL 10Benchmark?
The CIS PostgreSQL 10 Benchmark recommendations were developed by testing PostgreSQL 10 running on CentOS 7 with an eye on the new features and security measures that were added in this PostgreSQL release.
Similar to the PostgreSQL STIG, the CIS PostgreSQL Benchmark provides recommendations in the following areas:
- Installation and Patches
- Directory and File Permissions
- Logging Monitoring And Auditing
- User Access and Authorization
- Connection and Login
- PostgreSQL Settings
- Special Configuration Considerations
As long as it does not reference a feature that was removed, recommendations for securing PostgreSQL 10 should apply to newer versions of PostgreSQL.
The CIS PostgreSQL Benchmark is a Level 1 configuration profile, which as described in the Benchmark documentation, is intended to provide a practical, secure operating environment.
Example Update for PostgreSQL 10: Using Default Roles
PostgreSQL 10 introduced more default roles, which provide access to certain, commonly needed, privileged capabilities and information. Administrators can GRANT these roles to users and/or other roles in their environment, providing those users with access to the specified capabilities and information.
In keeping with the principle of least privilege, judicious use of the PostgreSQL default roles can greatly limit the access to privileged, or superuser, access.
Without default roles, a monitoring user, e.g. pgmonitor is granted superuser access to properly report on all database metrics:
postgres=# select rolname from pg_roles where rolsuper is true; rolname ---------- postgres pgmonitor (2 rows)
Making use of the default roles, one can REVOKE superuser and GRANT the appropriate default role:
postgres=# ALTER ROLE pgmonitor NOSUPERUSER; ALTER ROLE postgres=# GRANT pg_monitor TO pgmonitor; GRANT ROLE postgres=# select rolname from pg_roles where rolsuper is true; rolname ---------- postgres (1 rows)
This allows the pgmonitor role to continue to report on all database metrics while not having escalated superuser privileges.
Next Steps & Automation
I recommend you try it out: the CIS PostgreSQL Benchmark is available for free. The Crunchy Data team is continuing our work with CIS to continue to improve the Benchmark and take into account features in newer version of PostgreSQL that allow users to further safely lock down their systems.
If you’re interested how to automate the process of performing security checks, we've open sourced the PostgreSQL STIG Compliance Validator, which uses InSpec and performs many of the same checks in the CIS PostgreSQL Benchmark.