Our GIS (Geospatial Info System) vendor replied to me that
"their ArcGIS Data Store is a PostgreSQL database that runs 'under the hood' of ArcGIS Enterprise. It’s managed by the software and does not have a UI to interact with it directly. The ArcGIS Data Stores are behind the scenes databases that allow for full functionality of ArcGIS Enterprise and are not used as databases for authoritative GIS data. Hence, in all our project implementation for all clients, we cannot perform hardening on PostgreSQL.
Hence our commitment for Esri Software Security and Privacy released under the Trust.ArcGIS.com"

However, if I still want to onboard the 'embedded' PostgreSQL to our
SOC (QRadar SIEM), I find quite a number of CIS hardenings (esp. on
logging, log retention/rotation and types of events to be logged)
still highly relevant. Is the vendor's argument above valid, or should I
still select some of the pertinent CIS hardenings to be applied & ask
them to test out the other CIS settings if they affect their ArcGIS

Btw, the CIS hardening benchmark for PostgreSQL is based on
Linux OS but this vendor is running PostgreSQL on Windows:
guess I should just skip all Linux-related hardenings, or is there
a specific PostgreSQL hardening doc for Windows (& in particular
into our SOC? A past SOC2 report produced by a
SaaS vendor revealed still quite a few settings
missing out on CIS compliance.

E.g.: SWIFT's embedded DB could have been
monitored by a DB Activity Monitoring with certain

When requested, the attached above was the assurance
report given: it doesn't say anything much about what's
been configured. Guess I will have to request a report
that indicates specifically what security configs
are being done.