sunhux asked on

Embedded PostgreSQL to be exempted from CIS hardening & how to onboard it to SOC


Our GIS (Geospatial Info System) vendor replied to me that

"their ArcGIS Data Store is a PostgreSQL database that runs 'under the hood' of ArcGIS Enterprise. It’s managed by the software and does not have a UI to interact with it directly. The ArcGIS Data Stores are behind the scenes databases that allow for full functionality of ArcGIS Enterprise and are not used as databases for authoritative GIS data. Hence, in all our project implementation for all clients, we cannot perform hardening on PostgreSQL.


Hence our commitment for Esri Software Security and Privacy released under the Trust.ArcGIS.com"


However, if I still want to onboard the 'embedded' PostgreSQL to our SOC (QRadar SIEM), I find quite a number of CIS hardenings (esp. on logging, log retention/rotation and types of events to be logged) still highly relevant. Is the vendor's argument above valid, or should I still select some of the pertinent CIS hardenings to be applied & ask them to test out the other CIS settings to see if they affect their ArcGIS functioning?


Btw, the CIS hardening benchmark for PostgreSQL is based on Linux OS but this vendor is running PostgreSQL on Windows: guess I should just skip all Linux-related hardenings, or is there a specific PostgreSQL hardening doc for Windows (& in particular for ArcGIS)?

PostgreSQL, Security, Cyber Security

Last Comment
btan

8/22/2022 - Mon
SOLUTION
btan

ASKER
sunhux

So I should still onboard that 'embedded PostgreSQL'
into our SOC? A past SOC2 report produced by a
SaaS vendor revealed still quite a bit of settings
missing out on CIS compliance.

E.g.: SWIFT's embedded DB could have been
monitored by a DB Activity Monitoring with certain
loggings enabled.
SOLUTION
btan

ASKER
sunhux


Esri_SDLC.pdf

When requested, the attachment above was the assurance
report given: it doesn't say anything much about what's
been configured. Guess I will have to request a report
that indicates specifically what security configs
are being done.
ASKER CERTIFIED SOLUTION