Enhancing PostgreSQL 12 Security with the CIS Benchmark

Douglas Hunley
PostgreSQL Security

Crunchy Data has recently announced an update to the CIS PostgreSQL Benchmark by the Center for Internet Security, a nonprofit organization that publishes standards and best practices for securing technology systems. This newly published CIS PostgreSQL 12 Benchmark joins the existing CIS Benchmarks for PostgreSQL 9.5, 9.6, 10, and 11, and continues to build upon Crunchy Data's work on the PostgreSQL Security Technical Implementation Guide (PostgreSQL STIG).

What is a CIS Benchmark?

A CIS Benchmark is a set of guidelines and best practices for securely configuring a target system. Authoring a CIS Benchmark is a collaborative process: CIS conducts considerable peer review and discussion before a major version is published, to ensure there is general consensus on the best practices for deploying a secure system.

The CIS Benchmark contains a series of compliance recommendations that are designed to test the security of the system. Some of these recommendations are “scored”: if the system meets the requirements of a check, it receives points towards a final benchmark score (scores are from 1-100, with 100 being the best possible score). Other recommendations are not scored; they are informational and help guide you towards best practices.

These recommendations are further divided according to the configuration profile they apply to. CIS Benchmarks define two configuration profiles. The first, Level 1, is considered a “base security configuration”: its recommendations are easier to set up and lower the overall attack surface of a system. In contrast, Level 2 profiles are designed for environments where security is of the utmost concern.

What’s in the CIS PostgreSQL 12 Benchmark?

The CIS PostgreSQL 12 Benchmark recommendations were developed by testing PostgreSQL 12 running on CentOS 8, though these recommendations will also apply to newer versions of PostgreSQL. Similar to the PostgreSQL STIG, the CIS PostgreSQL Benchmark provides recommendations in the following areas:

1 - Installation and Patches
2 - Directory and File Permissions
3 - Logging, Monitoring and Auditing
4 - User Access and Authorization
5 - Connection and Login
6 - PostgreSQL Settings
7 - Replication
8 - Special Configuration Considerations

At present, the CIS PostgreSQL Benchmark only contains a Level 1 configuration profile, which as described in the Benchmark documentation, is intended to:

  • Be practical and prudent;
  • Provide a clear security benefit; and
  • Not inhibit the utility of the technology beyond acceptable means.

What's in a Recommendation?

Recommendations are first grouped together by general categories (e.g. “User Access & Authorization”) and then subdivided into their specific parts. Each recommendation is broken up into the following:

  • Profile Applicability - The configuration profiles that this recommendation is used for, i.e. Level 1, Level 2, or some combination thereof.
  • Description - A detailed explanation of the recommendation
  • Rationale - Why the recommendation is in place and what consequences could occur if the recommendation is not followed
  • Audit - Steps to take to check if the recommendation has been applied to a target system
  • Remediation - If the audit fails, the steps to take to apply the recommendation
  • Default Value - The default setup with PostgreSQL if no action is taken on the recommendation
  • References - If present, additional references to help with understanding and applying the recommendation
  • CIS Controls - A list of enumerated CIS Controls that represents actions to perform to secure a target system

An example control

Enabling FIPS mode on RHEL/CentOS 8

PostgreSQL makes use of the OpenSSL encryption library to provide end-to-end secure communications between the database and its users. This encryption is further strengthened by running the system in FIPS mode. Accordingly, the CIS PostgreSQL Benchmark details using the newly introduced fips-mode-setup tool in RHEL/CentOS 8:

$ fips-mode-setup --check #is fips enabled?
FIPS mode is enabled
$ openssl version #is it fips capable?
OpenSSL 1.1.1-fips 1 Sep 2019
$ fips-mode-setup --enable #enable fips
Setting system policy to FIPS
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.
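
The session above is easy to run by hand; to fold the same control into a scripted audit, here is an added example (not code from the CIS Benchmark or Crunchy Data) that classifies the output of `fips-mode-setup --check` and `openssl version` and also reads the kernel's `/proc/sys/crypto/fips_enabled` flag, a check the post does not show but which catches the "enabled, reboot pending" state. The command outputs and the sysctl path are passed in as arguments so the logic can be exercised on constructed samples without a RHEL/CentOS 8 host.

```shell
#!/bin/sh
# Added example: scripted audit of the FIPS-mode control. Outputs are passed
# in as strings so the classification can be tested on constructed samples;
# the live-audit path at the bottom is opt-in (AUDIT_LIVE=1).

# fips_state "<output of fips-mode-setup --check>" -> enabled|disabled|unknown
fips_state() {
    case "$1" in
        "FIPS mode is enabled"*)  echo enabled ;;
        "FIPS mode is disabled"*) echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# openssl_fips_capable "<output of openssl version>" -> 0 if the version
# string advertises FIPS ("1.1.1-fips" in the post; later RHEL 8 builds print "FIPS")
openssl_fips_capable() {
    case "$1" in
        OpenSSL*[Ff][Ii][Pp][Ss]*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# kernel_fips_enabled FILE -> 0 if the sysctl file holds "1" (kernel enforces FIPS)
kernel_fips_enabled() {
    [ -r "$1" ] && [ "$(head -c 1 "$1")" = 1 ]
}

# audit_fips CHECK_OUT OPENSSL_OUT SYSCTL_FILE -> prints PASS or FAIL: <reason>
audit_fips() {
    state=$(fips_state "$1")
    if [ "$state" != enabled ]; then
        echo "FAIL: FIPS mode is $state (remediate: fips-mode-setup --enable, then reboot)"
        return 1
    fi
    if ! kernel_fips_enabled "$3"; then
        echo "FAIL: system policy says FIPS but the kernel is not enforcing it (reboot pending?)"
        return 1
    fi
    if ! openssl_fips_capable "$2"; then
        echo "FAIL: OpenSSL is not a FIPS-capable build: $2"
        return 1
    fi
    echo PASS
}
# Opt-in live audit on a real RHEL/CentOS 8 host: AUDIT_LIVE=1 sh fips_audit.sh
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    audit_fips "$(fips-mode-setup --check 2>&1)" "$(openssl version 2>&1)" \
               /proc/sys/crypto/fips_enabled
fi
```

The exit status of `audit_fips` is 0 only on PASS, so it can be used directly as a check in a larger audit script.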

What's Next?

Try it out! The CIS PostgreSQL Benchmark is freely available to help you secure your PostgreSQL deployments. This is only the beginning of our work on the CIS PostgreSQL benchmark: the Crunchy Data team is continuing to collaborate with CIS to further refine and improve upon the Benchmark over time.

If you’re interested in how we have worked on applying security validations at scale, take a look at our open source PostgreSQL STIG Compliance Validator, which uses the InSpec tool to automate many of the same checks that the CIS PostgreSQL Benchmark covers.
