postgres-hardened-fips
Data
Fips
Hardened
Stig
docker pull reg.mini.dev/postgres-hardened-fips
Updated 3 days ago
CIS Postgres
CIS Postgres Compliance: 100% Passed
Scan Date
Image Tag
Checks Analyzed: 39
Passed: 39
Failed: 0
Benchmark: CIS PostgreSQL 17 Benchmark v1.0.0
Ensure packages are obtained from authorized repositories
CIS ID: 1.1
Status: Passed
Notes: Minimus packages and images are built using a supply-chain process aligned with SLSA Build L3 controls (hardened builds). The PostgreSQL package is built from the official PostgreSQL repository, and the signatures of the downloaded artifacts are verified.
Install only required packages
CIS ID: 1.2
Status: Passed
Notes: The Minimus hardened image is minimal and distroless, and includes only the necessary packages. View the SBOM for a complete list of packages included in this image.
Ensure systemd service files are enabled
CIS ID: 1.3
Status: Passed
Notes: PostgreSQL starts automatically via the container entrypoint at runtime, making it functionally equivalent to a systemd-enabled service.
Ensure data cluster initialized successfully
CIS ID: 1.4
Status: Passed
Notes: The image initializes the data cluster (`$PGDATA`) on first start when the data directory is empty, and ensures it is securely owned by the postgres user.
Ensure the latest security patches are applied
CIS ID: 1.5
Status: Passed
Notes: Minimus updates the image's PostgreSQL package regularly to incorporate the latest official PostgreSQL security releases. View the Minimus new version SLA for further information.
Verify that 'PGPASSWORD' is not set in users' profiles
CIS ID: 1.6
Status: Passed
Notes: This Minimus hardened image does not set `PGPASSWORD` in any user profile or environment by default.
Verify that the 'PGPASSWORD' environment variable is not in use
CIS ID: 1.7
Status: Passed
Notes: This Minimus hardened image does not set `PGPASSWORD` for any process by default, and PostgreSQL runs without relying on this environment variable.
Ensure the file permissions mask is correct
CIS ID: 2.1
Status: Passed
Hardened configuration
Notes: The postgres user's umask is set to 0077 to restrict default file permissions for newly created files, and `$PGDATA` files and directories are created with restrictive permissions.
Ensure extension directory has appropriate ownership and permissions
CIS ID: 2.2
Status: Passed
Notes: The extension directory is owned by root and has restrictive permissions (755) in accordance with the benchmark.
Disable PostgreSQL command history
CIS ID: 2.3
Status: Passed
Notes: PostgreSQL client command history is disabled by setting `PSQL_HISTORY=/dev/null`, so interactive psql commands are not written to `.psql_history`.
Ensure passwords are not stored in the service file
CIS ID: 2.4
Status: Passed
Notes: This audit confirms the image does not store passwords in service files. The postgres connection service file (`.pg_service.conf`) should not contain password entries, since it would store them in cleartext.
Ensure the log destinations are set correctly
CIS ID: 3.1.2
Status: Passed
Notes: The log destinations are configured to meet the benchmark's intent by ensuring server logs are written to an approved destination (for example `stderr` and/or `csvlog`) in accordance with the organization's logging policy. If multiple destinations are required, `log_destination` is configured as a comma-separated list.
Ensure the logging collector is enabled
CIS ID: 3.1.3
Status: Passed
Hardened configuration
Notes: The logging collector is enabled by default.
Ensure the log file destination directory is set correctly
CIS ID: 3.1.4
Status: Passed
Notes: The `log_directory` is set to `log` (relative to `$PGDATA`) to ensure log files are written to a defined location consistent with the benchmark's intent.
Ensure the filename pattern for log files is set correctly
CIS ID: 3.1.5
Status: Passed
Notes: The `log_filename` pattern includes a timestamp (`postgresql-%Y-%m-%d_%H%M%S.log`) to support predictable, time-stamped log file naming, aligned with the benchmark's intent.
Ensure the log file permissions are set correctly
CIS ID: 3.1.6
Status: Passed
Notes: The `log_file_mode` is set to 0600 to restrict access to the server owner only, in accordance with the benchmark's intent to prevent unauthorized log access.
Ensure 'log_truncate_on_rotation' is enabled
CIS ID: 3.1.7
Status: Passed
Hardened configuration
Notes: `log_truncate_on_rotation` is enabled to ensure that if a log file name is reused during rotation, the existing file is truncated rather than appended to, preventing unintended log growth and aligning with the benchmark's intent.
Ensure the maximum log file lifetime is set correctly
CIS ID: 3.1.8
Status: Passed
Notes: The `log_rotation_age` is configured to enforce time-based log rotation at the required interval (usually daily), ensuring log files are rotated in accordance with the benchmark's intent and organizational policy.
Ensure the maximum log file size is set correctly
CIS ID: 3.1.9
Status: Passed
Notes: `log_rotation_size` is configured to enforce size-based log rotation so individual log files do not grow without bound, aligning with the benchmark's intent to manage log volume and disk usage.
Ensure the correct syslog facility is selected
CIS ID: 3.1.10
Status: Passed
Notes: When syslog is used as a log destination, `syslog_facility` is configured to the organization-approved facility (for example `local0`) to ensure consistent syslog routing and alignment with logging policy.
Ensure syslog messages are not suppressed
CIS ID: 3.1.11
Status: Passed
Notes: When syslog is used as a log destination, `syslog_sequence_numbers` is enabled so each syslog message includes a sequence number, reducing the risk that repeated messages are suppressed.
Ensure syslog messages are not lost due to size
CIS ID: 3.1.12
Status: Passed
Notes: When syslog is used as a log destination, `syslog_split_messages` is enabled so long PostgreSQL log messages are split before being sent to syslog, reducing the risk of message loss due to syslog size limits.
Ensure the program name for PostgreSQL syslog messages is correct
CIS ID: 3.1.13
Status: Passed
Notes: When syslog is used as a log destination, `syslog_ident` is defined to ensure PostgreSQL messages include a recognizable program identifier for reliable filtering and attribution.
Ensure the correct messages are written to the server log
CIS ID: 3.1.14
Status: Passed
Notes: `log_min_messages` is set to `WARNING` to ensure relevant messages are written to the server log, as per the benchmark's recommendation.
Ensure the correct SQL statements generating errors are recorded
CIS ID: 3.1.15
Status: Passed
Notes: `log_min_error_statement` is set to `ERROR` to ensure that all SQL statements generating errors at or above the ERROR severity level are recorded in the server log.
Ensure 'debug_print_parse' is disabled
CIS ID: 3.1.16
Status: Passed
Notes: `debug_print_parse` is disabled to ensure that parse trees for executed queries are not logged, reducing the risk of exposing sensitive information.
Ensure 'debug_print_rewritten' is disabled
CIS ID: 3.1.17
Status: Passed
Notes: `debug_print_rewritten` is disabled to ensure that query rewriter output is not logged, preventing exposure of potentially sensitive information in debug logs.
Ensure 'debug_print_plan' is disabled
CIS ID: 3.1.18
Status: Passed
Notes: `debug_print_plan` is disabled, preventing exposure of potentially sensitive information in debug logs.
Ensure 'debug_pretty_print' is enabled
CIS ID: 3.1.19
Status: Passed
Notes: `debug_pretty_print` is enabled to enhance readability of debug messages.
Ensure 'log_connections' is enabled
CIS ID: 3.1.20
Status: Passed
Hardened configuration
Notes: `log_connections` is enabled to record all connection attempts and successful authentications.
Ensure 'log_disconnections' is enabled
CIS ID: 3.1.21
Status: Passed
Hardened configuration
Notes: `log_disconnections` is enabled to record session terminations, including session duration.
Ensure 'log_error_verbosity' is set correctly
CIS ID: 3.1.22
Status: Passed
Hardened configuration
Notes: `log_error_verbosity` is set to `VERBOSE` to capture full error details, as recommended.
Ensure 'log_hostname' is set correctly
CIS ID: 3.1.23
Status: Passed
Notes: `log_hostname` is disabled to avoid DNS resolution overhead. Only the IP addresses of connecting clients are logged, as per the recommended best practice.
Ensure 'log_line_prefix' is set correctly
CIS ID: 3.1.24
Status: Passed
Hardened configuration
Notes: `log_line_prefix` defines the prefix added to each PostgreSQL log line. It is configured so that logs include key contextual information (such as timestamp, process ID, user, database, application, and client host) for auditing and security review.
Ensure 'log_statement' is set correctly
CIS ID: 3.1.25
Status: Passed
Hardened configuration
Notes: SQL statement logging (`log_statement`) is set to `ddl` to capture data definition statements or higher.
Ensure 'log_timezone' is set correctly
CIS ID: 3.1.26
Status: Passed
Notes: `log_timezone` is set to UTC as per the recommended setting.
Ensure the PostgreSQL Audit Extension (pgAudit) is enabled
CIS ID: 3.2
Status: Passed
Hardened configuration
Notes: The PostgreSQL Audit Extension (pgAudit) is enabled, and `pgaudit.log` components are configured to audit the desired actions (READ, WRITE, FUNCTION, ROLE, DDL, MISC).
Ensure interactive login is disabled
CIS ID: 4.1
Status: Passed
Hardened configuration
Notes: The password field for the postgres user is locked in the `/etc/shadow` file.
Ensure FIPS 140-2 OpenSSL cryptography is used
CIS ID: 6.7
Status: Passed
Notes: This image uses a NIST CMVP-certified FIPS 140-3 cryptographic provider. See the Compliance tab for further information.
Sections 4.2-8 (Runtime benchmarks)
Additional checks
Notes: Sections 4.2 through 8.2 involve runtime checks that are out of scope at the image level. Compliance must be configured and validated by operators in the deployed environment.
Runtime benchmarks depend on deployment-specific inputs that cannot be controlled by Minimus, including startup parameters, mounted secrets and certificates, the network policy, the live database role and schema state, etc. The Minimus postgres-hardened image is CIS-aligned and provides secure defaults with the required configuration hooks to implement these controls.
Status: Out of scope