theadamlion
Service Provider
Full Name: Adam Lion

CIS PostgreSQL Hardening

Post by theadamlion »

Hello all, we have a customer running 12.3 and their security team has asked about the possibility of hardening the PostgreSQL instance on their VBR server to the CIS PostgreSQL 14 OS v1.2.0 specs.

I was curious if anyone here has any experience and/or thoughts on performing such a task, specifically these tasks, and whether or not it has any effect on VBR:

Verify That 'PGPASSWORD' is Not Set in Users' Profiles
Verify That the 'PGPASSWORD' Environment Variable is Not in Use
Ensure extension directory has appropriate ownership and permissions
Disable PostgreSQL Command History
Ensure Passwords are Not Stored in the service file
Ensure the PostgreSQL Audit Extension (pgAudit) is enabled
Ensure Interactive Login is Disabled
Ensure excessive administrative privileges are revoked
Lock Out Accounts if Not Currently in Use
Ensure excessive function privileges are revoked
Ensure excessive DML privileges are revoked
Ensure Row Level Security (RLS) is configured correctly
Ensure the set_user extension is installed
Make use of predefined roles
Do Not Specify Passwords in the Command Line
Ensure PostgreSQL is Bound to an IP Address
Ensure per-account connection limits are used
Ensure Password Complexity is configured
Understanding attack vectors and runtime parameters
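As an added example (not from the post above and not Veeam's code), a read-only Python check for four of the listed controls: PGPASSWORD in the environment, binding to a specific IP address, pgAudit in shared_preload_libraries, and a password stored in the service file. The postgresql.conf and pg_service.conf contents are constructed inline; on a real server the reader would load the actual files from paths that are an assumption here.

```python
"""Read-only audit of four CIS PostgreSQL controls named in the thread.

Added example, not from the forum post or from Veeam. Parses a
postgresql.conf and a pg_service.conf (both constructed inline below)
plus the process environment; file locations are the reader's to supply.
"""
import os
import re

# Constructed sample files standing in for a real server's configuration.
SAMPLE_POSTGRESQL_CONF = """
listen_addresses = '*'          # CIS: bind to a specific address instead
shared_preload_libraries = ''   # CIS: pgaudit expected here
password_encryption = scram-sha-256
"""
SAMPLE_PG_SERVICE_CONF = """
[vbr]
host=127.0.0.1
dbname=VeeamBackup
user=postgres
password=hunter2
"""

def parse_conf(text):
    """Parse 'key = value' lines of postgresql.conf, dropping comments and quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if m and m.group(2):
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings

def audit(conf_text, service_text, env):
    """Return {control: passed} for the four controls checked here."""
    conf = parse_conf(conf_text)
    listen = conf.get("listen_addresses", "localhost")
    preload = [lib.strip() for lib in conf.get("shared_preload_libraries", "").split(",")]
    service_has_pw = bool(re.search(r"(?im)^\s*password\s*=", service_text))
    return {
        "PGPASSWORD not in environment": "PGPASSWORD" not in env,
        "bound to a specific IP address": listen not in ("*", "0.0.0.0", "::"),
        "pgaudit in shared_preload_libraries": "pgaudit" in preload,
        "no password in service file": not service_has_pw,
    }

if __name__ == "__main__":
    for control, ok in audit(SAMPLE_POSTGRESQL_CONF, SAMPLE_PG_SERVICE_CONF, os.environ).items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}")
```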
Gostev
Chief Product Officer
Location: Baar, Switzerland

Re: CIS PostgreSQL Hardening

Post by Gostev »

Yes, our QA looked at these quite extensively some time ago. In short, be careful about implementing them all blindly, because some result in a massive hit on database performance.

V13 implements by default all "safe" settings that do not come with a major performance impact.
theadamlion

Re: CIS PostgreSQL Hardening

Post by theadamlion »

Gostev, thanks for the info. I'll pass it along to the customer. Any chance there is a list somewhere that shows which of these options were deemed safe and ultimately implemented?
Gostev

Re: CIS PostgreSQL Hardening

Post by Gostev »

This information would not apply to PostgreSQL 14 in any case, as the testing was in V13 scope and therefore with PostgreSQL 17. There can be significant differences this many major versions away. Further, if I'm not mistaken, we actually never actively used PostgreSQL 14 with our product in principle; I believe V12 was originally shipped with PostgreSQL 15 on board. Which makes PostgreSQL 14 one big unknown.