CIS Benchmarks - Postgres
Section 1: Installation and Patches
1.2 Ensure systemd Service Files Are Enabled
1.3 Ensure Data Cluster Initialized Successfully
Section 2: Directory and File Permissions
2.1 Ensure the file permissions mask is correct
Sectioin 3: Logging Monitoring and Auditing
3.1.2 Ensure the log destinations are set correctly
3.1.3 Ensure the logging collector is enabled
3.1.4 Ensure the log file destination directory is set correctly
3.1.5 Ensure the filename pattern for log files is set correctly
3.1.6 Ensure the log file permissions are set correctly
3.1.7 Ensure 'log_truncate_on_rotation' is enabled
3.1.8 Ensure the maximum log file lifetime is set correctly
3.1.9 Ensure the maximum log file size is set correctly
3.1.10 Ensure the correct syslog facility is selected
3.1.11 Ensure syslog messages are not suppressed
3.1.12 Ensure syslog messages are not lost due to size
3.1.13 Ensure the program name for PostgreSQL syslog messages is correct
3.1.14 Ensure the correct messages are written to the server log
3.1.15 Ensure the correct SQL statements generating errors are recorded
3.1.16 Ensure 'debug_print_parse' is disabled
3.1.17 Ensure 'debug_print_rewritten' is disabled
3.1.18 Ensure 'debug_print_plan' is disabled
3.1.19 Ensure 'debug_pretty_print' is enabled
3.1.20 Ensure 'log_connections' is enabled
3.1.21 Ensure 'log_disconnections' is enabled
3.1.22 Ensure 'log_error_verbosity' is set correctly
3.1.23 Ensure 'log_hostname' is set correctly
3.1.24 Ensure 'log_line_prefix' is set correctly
3.1.25 Ensure 'log_statement' is set correctly
3.1.26 Ensure 'log_timezone' is set correctly
3.2 Ensure the PostgreSQL Audit Extension (pgAudit) is enabled
Section 4: User Access and Authorization
4.2 Ensure excessive administrative privileges are revoked
4.3 Ensure excessive function privileges are revoked
4.4 Ensure excessive DML privileges are revoked
4.5 Ensure Row Level Security (RLS) is configured correctly
4.6 Ensure the set_user extension is installed
4.7 Make use of predefined roles
Section 5: Connection and Login
5.1 Ensure login via "local" UNIX Domain Socket is configured correctly
5.2 Ensure login via "host" TCP/IP Socket is configured correctly
5.3 Ensure Password Complexity is configured
Section 6: Postgres Settings
6.2 Ensure 'backend' runtime parameters are configured correctly
6.3 Ensure 'Postmaster' Runtime Parameters are Configured
6.4 Ensure 'SIGHUP' Runtime Parameters are Configured
6.5 Ensure 'Superuser' Runtime Parameters are Configured
6.6 Ensure 'User' Runtime Parameters are Configured
6.7 Ensure FIPS 140-2 OpenSSL Cryptography Is Used
6.8 Ensure SSL is enabled and configured correctly
6.9 Ensure the pgcrypto extension is installed and configured correctly
Section 7: Replication
7.1 Ensure a replication-only user is created and used for streaming replication
7.2 Ensure logging of replication commands is configured
7.3 Ensure base backups are configured and functional
7.4 Ensure WAL archiving is configured and functional
7.5 Ensure streaming replication parameters are configured correctly
Section 8: Special Configuration Considerations
8.1 Ensure PostgreSQL subdirectory locations are outside the data cluster
8.2 Ensure the backup and restore tool, 'pgBackRest', is installed and configured
8.3 Ensure miscellaneous configuration settings are correctLast updated