Douglas Hunley | CrunchyData Blog

Secure PostgreSQL 14 with CIS Benchmark

Douglas.Hunley@crunchydata.com (Douglas Hunley) — Thu, 28 Oct 2021 05:00:00 EDT

Crunchy Data is proud to announce an update to the CIS PostgreSQL Benchmark by the Center for Internet Security (CIS). CIS is a nonprofit organization that publishes best practices and standards for securing modern technology and systems. This newly published CIS PostgreSQL 14 Benchmark ads to the existing CIS Benchmarks for PostgreSQL 9.5 - 13 and builds upon Crunchy Data's ongoing efforts with the PostgreSQL Security Technical Implementation Guide (PostgreSQL STIG).

About CIS Benchmarks

A CIS Benchmark is a published list of guidelines and best practices for securely configuring a target system. Authoring a CIS Benchmark is a collaborative process and involves considerable peer reviews and discussion before a major version is published, ensuring there is a general consensus on the best practices for deploying a secure system.

The CIS Benchmark contains a series of compliance recommendations that are designed to test the security of the system. Some of these recommendations can be “scored”. If the system meets the requirements of a check, it receives points towards a final benchmark score. Scores range from 1-100, with 100 being the best possible score. There are additional non-scored compliance recommendations for informational purposes that also guide towards best practices.

CIS benchmark recommendations are often divided into two different configuration profiles. A Level 1 profile is considered to be a “base security configuration” which has recommendations that generally easier to set up and lower the overall potential attack surface of a system. Level 2 profiles are designed for environments where security is paramount.

About the CIS PostgreSQL 14 Benchmark

The CIS PostgreSQL 14 Benchmark recommendations were developed by testing PostgreSQL 14 running on RHEL 8, though these recommendations will also apply to newer versions of PostgreSQL. Similar to the PostgreSQL STIG, the CIS PostgreSQL Benchmark provides recommendations in the following areas:

Installation and Patches
Directory and File Permissions
Logging Monitoring And Auditing
User Access and Authorization
Connection and Login
PostgreSQL Settings
Replication
Special Configuration Considerations

At present, the CIS PostgreSQL Benchmark contains a Level 1 configuration profile, which as described in the Benchmark documentation, is intended to:

Be practical and prudent;
Provide a clear security benefit; and
Not inhibit the utility of the technology beyond acceptable means.

About Benchmark Recommendations

Recommendations are first grouped together by general categories (e.g. “User Access & Authorization”) and then subdivided into their specific parts. Each recommendation is broken up into the following:

Profile Applicability - The configuration profiles that this recommendation is used for, i.e. Level 1, Level 2, or some combination thereof.
Description - A detailed explanation of the recommendation
Rationale - Why the recommendation is in place and what consequences could occur if the recommendation is not followed
Audit - Steps to take to check if the recommendation has been applied to a target system
Remediation - If the audit fails, the steps to take to apply the recommendation
Default Value - The default setup with PostgreSQL if no action is taken on the recommendation
References - If present, additional references to help with understanding and applying the recommendation
CIS Controls - A list of enumerated CIS Controls that represents actions to perform to secure a target system

An example control: Enabling FIPS mode on RHEL/CentOS 8

PostgreSQL makes use of the OpenSSL encryption library to provide end-to-end secure communications between the database and its users. This encryption is further strengthened by running the system in FIPS mode. Accordingly, the CIS PostgreSQL Benchmark details using the fips-mode-setup tool in RHEL/CentOS 8:

$ fips-mode-setup --check #is fips enabled?
FIPS mode is enabled
$ openssl version #is it fips capable?
OpenSSL 1.1.1-fips  1 Sep 2019
$ fips-mode-setup --enable #enable fips
Setting system policy to FIPS
FIPS mode will be enabled.

Please reboot the system for the setting to take effect.

Getting Started

The CIS PostgreSQL Benchmark is freely available as a guide to help you secure your Postgres deployments. If you’re interested in security validation, take a look at our open source PostgreSQL STIG Compliance Validator, which uses the InSpec tool to automate many of the same checks that the CIS PostgreSQL Benchmark handles.

Check back for updates as the Crunchy Data team is continuing to work with CIS to refine and improve upon the Benchmark.

Enhancing PostgreSQL 13 Security with the CIS Benchmark

Douglas.Hunley@crunchydata.com (Douglas Hunley) — Mon, 15 Mar 2021 05:00:00 EDT

Crunchy Data has recently announced an update to the CIS PostgreSQL Benchmark by the Center for Internet Security, a nonprofit organization that provides publications around standards and best practices for securing technologies systems. This newly published CIS PostgreSQL 13 Benchmark joins the existing CIS Benchmarks for PostgreSQL 9.5, 9.6, 10, 11, and 12 while continuing to build upon the PostgreSQL Security Technical Implementation Guide (PostgreSQL STIG).

What is a CIS Benchmark?

A CIS Benchmark is a set of guidelines and best practices for securely configuring a target system. Authoring a CIS Benchmark is a collaborative process as CIS involves considerable peer reviews and discussion before a major version is published, to ensure there is a general consensus on the best practices for deploying a secure system.

The CIS Benchmark contains a series of compliance recommendations that are designed to test the security of the system. Some of these recommendations are “scored” - if the system meets the requirements of a check, it receives points towards a final benchmark score (scores are from 1-100, with 100 being the best possible score). There are other compliance recommendations available that are not scored but are there for informational purposes and can help guide you towards best practices.

These recommendations can further be divided into pertaining to different configuration profiles. CIS Benchmarks define two different configuration profiles. The first, a Level 1 profile, is considered to be a “base security configuration” which has recommendations that are considered easier to set up and overall lower the potential attack surface of a system. In contrast, Level 2 profiles are designed for environments where security is of the utmost concern.

What’s in the CIS PostgreSQL 13 Benchmark?

The CIS PostgreSQL 13 Benchmark recommendations were developed by testing PostgreSQL 13 running on CentOS 8, though these recommendations will also apply to newer versions of PostgreSQL. Similar to the PostgreSQL STIG, the CIS PostgreSQL Benchmark provides recommendations in the following areas:

Installation and Patches
Directory and File Permissions
Logging Monitoring And Auditing
User Access and Authorization
Connection and Login
PostgreSQL Settings
Replication
Special Configuration Considerations

At present, the CIS PostgreSQL Benchmark contains a Level 1 configuration profile, which as described in the Benchmark documentation, is intended to:

Be practical and prudent;
Provide a clear security benefit; and
Not inhibit the utility of the technology beyond acceptable means.

What's in a Recommendation?

Profile Applicability - The configuration profiles that this recommendation is used for, i.e. Level 1, Level 2, or some combination thereof.
Description - A detailed explanation of the recommendation
Rationale - Why the recommendation is in place and what consequences could occur if the recommendation is not followed
Audit - Steps to take to check if the recommendation has been applied to a target system
Remediation - If the audit fails, the steps to take to apply the recommendation
Default Value - The default setup with PostgreSQL if no action is taken on the recommendation
References - If present, additional references to help with understanding and applying the recommendation
CIS Controls - A list of enumerated CIS Controls that represents actions to perform to secure a target system

An example control

Enabling FIPS mode on RHEL/CentOS 8

$ fips-mode-setup --check #is fips enabled?
FIPS mode is enabled
$ openssl version #is it fips capable?
OpenSSL 1.1.1-fips  1 Sep 2019
$ fips-mode-setup --enable #enable fips
Setting system policy to FIPS
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.

What's Next?

Try it out! The CIS PostgreSQL Benchmark is freely available to help you secure your PostgreSQL deployments. This is only the beginning of our work on the CIS PostgreSQL benchmark: the Crunchy Data team is continuing to collaborate with CIS to further refine and improve upon the Benchmark over time.

If you’re interested how we have worked on applying security validations at scale, take a look at our open source PostgreSQL STIG Compliance Validator, which uses the InSpec tool to automated many of the same checks that the CIS PostgreSQL Benchmark handles, or if you have any questions please feel free to reach out to us.

Announcing the Crunchy Data PostgreSQL Security Technical Implementation Guide

Douglas.Hunley@crunchydata.com (Douglas Hunley) — Thu, 07 Jan 2021 04:00:00 EST

Crunchy Data is pleased to announce the publication of the Crunchy Data PostgreSQL Security Technical Implementation Guide (STIG) by the United States Defense Information Systems Agency (DISA). Crunchy Data collaborated with DISA to make PostgreSQL the first open source database to provide a published STIG in 2017, and this new STIG reflects Crunchy Data's ongoing collaboration with DISA to provide enhanced security guidance as PostgreSQL continues to advance and evolve.

While the STIG was authored to enable the U.S. Government to comply with U.S. Government security requirements, the Crunchy Data PostgreSQL STIG offers security-conscious enterprises a comprehensive guide for the configuration and operation of open source PostgreSQL. Organizations of all sizes can refer to the STIG for information on security best practices as they consider PostgreSQL as an alternative to proprietary, closed source, database software.

The security functionality reflected within the Crunchy Data PostgreSQL STIG is provided by 100% open source Postgres, Postgres extensions and documentation. The Crunchy Data PostgreSQL STIG provides security guidance regarding the use of PostgreSQL (versions 10 - 12) used in conjunction with certain open source PostgreSQL extensions – most notably, pgaudit.

In order to help PostgreSQL users benefit from the guidance provided in the Crunchy Data PostgreSQL STIG, let's provide some background information for getting started.

What is a DISA STIG?

The Security Technical Implementation Guide (STIG) is the configuration standards for United States Department of Defense (DoD) Information Assurance (IA) and IA-enabled devices/systems published by the United States Defense Information Systems Agency (DISA). Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the STIGs. The STIGs contain technical guidance to “lock down” information systems/software that might otherwise be vulnerable to a malicious computer attack.

Is the Crunchy Data PostgreSQL STIG US Government Specific?

The PostgreSQL STIG is from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4 and related documents. While the DISA STIG is intended to provide technical guidance to “lock down” information systems and software used within the DoD, the guidance provided in it is not specific to the DoD and is generally helpful to those interested in securing their PostgreSQL deployments.

What does the Crunchy Data PostgreSQL STIG Cover?

PostgreSQL STIG provides guidance on the configuration of PostgreSQL to address requirements associated with:

Auditing
Logging
Data Encryption at Rest
Data Encryption Over the Wire
Access Controls
Administration
Authentication
Protecting against SQL Injection

How does the Crunchy Data PostgreSQL STIG work?

The PostgreSQL STIG provides a series of Requirements, Checks and Fixes where:

Requirements are provided as a series of security requirements for an operating environment.
Checks are provided as a series of instructions or commands for verifying compliance with the stated requirement.
Fixes are provided as remediation steps to the extent the Check determines that the system is not in fact in compliance with the stated Requirement.

Looking Ahead

Crunchy Data views the Crunchy Data PostgreSQL STIG as yet another validation of the comprehensive security functionality of PostgreSQL and the accomplishments of the PostgreSQL Global Development Community. The Crunchy Data PostgreSQL STIG demonstrates that open source PostgreSQL is capable of meeting the exacting security requirements of the DoD.

We are proud to be part of the team that developed this STIG for PostgreSQL and look forward to working with all of the organizations who have been anxiously waiting for the Crunchy Data PostgreSQL STIG to be approved for modern versions of this quality open source relational database.

Additional Resources

Download the Crunchy Data PostgreSQL Security Technical Implementation Guide

Enhancing PostgreSQL 12 Security with the CIS Benchmark

Douglas.Hunley@crunchydata.com (Douglas Hunley) — Wed, 20 Nov 2019 04:00:00 EST

Crunchy Data has recently announced an update to the CIS PostgreSQL Benchmark by the Center for Internet Security, a nonprofit organization that provides publications around standards and best practices for securing technologies systems. This newly published CIS PostgreSQL 12 Benchmark joins the existing CIS Benchmarks for PostgreSQL 9.5, 9.6, 10, and 11 while continuing to build upon Crunchy Data's efforts with the PostgreSQL Security Technical Implementation Guide (PostgreSQL STIG).

What is a CIS Benchmark?

What’s in the CIS PostgreSQL 12 Benchmark?

The CIS PostgreSQL 12 Benchmark recommendations were developed by testing PostgreSQL 12 running on CentOS 8, though these recommendations will also apply to newer versions of PostgreSQL. Similar to the PostgreSQL STIG, the CIS PostgreSQL Benchmark provides recommendations in the following areas:

Installation and Patches
Directory and File Permissions
Logging Monitoring And Auditing
User Access and Authorization
Connection and Login
PostgreSQL Settings
Replication
Special Configuration Considerations

At present, the CIS PostgreSQL Benchmark only contains a Level 1 configuration profile, which as described in the Benchmark documentation, is intended to:

Be practical and prudent;
Provide a clear security benefit; and
Not inhibit the utility of the technology beyond acceptable means.

What's in a Recommendation?

Profile Applicability - The configuration profiles that this recommendation is used for, i.e. Level 1, Level 2, or some combination thereof.
Description - A detailed explanation of the recommendation
Rationale - Why the recommendation is in place and what consequences could occur if the recommendation is not followed
Audit - Steps to take to check if the recommendation has been applied to a target system
Remediation - If the audit fails, the steps to take to apply the recommendation
Default Value - The default setup with PostgreSQL if no action is taken on the recommendation
References - If present, additional references to help with understanding and applying the recommendation
CIS Controls - A list of enumerated CIS Controls that represents actions to perform to secure a target system

An example control

Enabling FIPS mode on RHEL/CentOS 8

$ fips-mode-setup --check #is fips enabled?
FIPS mode is enabled
$ openssl version #is it fips capable?
OpenSSL 1.1.1-fips  1 Sep 2019
$ fips-mode-setup --enable #enable fips
Setting system policy to FIPS
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.

What's Next?

How the CIS Benchmark for PostgreSQL 11 Works

Douglas.Hunley@crunchydata.com (Douglas Hunley) — Tue, 02 Jul 2019 05:00:00 EDT

Crunchy Data has recently announced an update to the CIS PostgreSQL Benchmark by the Center for Internet Security, a nonprofit organization that provides publications around standards and best practices for securing technologies systems. This newly published CIS PostgreSQL 11 Benchmark joins the existing CIS Benchmarks for PostgreSQL 9.5, 9.6, and 10 while continuing to build upon Crunchy Data's efforts with the PostgreSQL Security Technical Implementation Guide (PostgreSQL STIG).

What is a CIS Benchmark?

As mentioned in earlier blog posts (here, here), a CIS Benchmark is a set of guidelines and best practices for securely configuring a target system. The benchmark contains a series of recommendations that help test the security of the system: some of the recommendations are "scored" (where a top score of 100 is the best), while others are are provided to establish best practices for security.

What’s in the CIS PostgreSQL 11 Benchmark?

The CIS PostgreSQL 11 Benchmark recommendations were developed by testing PostgreSQL 11 running on CentOS 7. While compiling a CIS Benchmark, the team looked at new features and security measures that were added in PostgreSQL 11 while taking account features that have been deprecated or removed that could affect security.

Data security involves many areas of the operating environment that PostgreSQL runs in; it's not just the database software itself. As such, the CIS PostgreSQL Benchmark provides recommendations in the following areas:

Installation and Patches
Directory and File Permissions
Logging Monitoring and Auditing
User Authentication , Access Controls, and Authorization
Connection and Replication
PostgreSQL Settings and special configuration considerations

These are also recommendations that you can find in the DISA PostgreSQL STIG

The CIS PostgreSQL Benchmark is a Level 1 configuration profile, which as described in the Benchmark documentation, is intended to provide a practical, secure operating environment.

Example Update for PostgreSQL 11: Securing SSL keys

PostgreSQL 11 introduces the ability to specify a method of obtaining the password needed to unlock an SSL key at server startup. Prior versions of PostgreSQL required a key that was not password protected.

Two new options are introduced in postgresql.conf: ssl_passphrase_command and ssl_passphrase_command_supports_reload. The former defines how the PostgreSQL server will obtain the SSL key at startup while the latter defines whether the SSL configuration should be reloaded and ssl_passphrase_command called during a server configuration reload.

ssl_passphrase_command = 'vault kv get -field=pem pg/ssl'
ssl_passphrase_command_supports_reload = on

Here, we are making use of the open source vault utility to store the passphrase for the SSL PEM used by PostgreSQL.

Next Steps & Automation

The CIS PostgreSQL 11 Benchmark is available for free download at the CIS website, along with the Benchmarks for PostgreSQL 10, 9.6, and 9.5. The Crunchy Data team is continuing our work with CIS to continue to improve the Benchmark and take into account features that will become available after PostgreSQL 12 is released later this year.

If you’re interested in how to automate the process of performing security checks, we've open sourced the PostgreSQL STIG Compliance Validator, which uses InSpec and performs many of the same checks in the CIS PostgreSQL Benchmark.