External PostgreSQL with Tenable Security Center
Note: When reviewing external PostgreSQL documentation, ensure that you use the appropriate documentation version for the PostgreSQL version you deployed.
For information about using the managed PostgreSQL server in Tenable Security Center, see Using the Managed PostgreSQL Server.
Requirements
If your Tenable Security Center installation manages more than 100,000 assets, Tenable strongly recommends that you use an external PostgreSQL server for performance. Depending on deployment complexity or usage, Tenable Support may recommend that you use an external PostgreSQL server for improved performance, even if you manage fewer than 100,000 assets.
Migration Between Internal and External PostgreSQL
You can use the Tenable-provided script and instructions to migrate between an internal and external PostgreSQL implementations with Tenable Security Center.
Responsibility Matrix
You are responsible for the following when you use an external PostgreSQL server with Tenable Security Center:
-
Installing and configuring PostgreSQL
-
Backing up PostgreSQL
-
Securing PostgreSQL
-
Patching and upgrading PostgreSQL
Tenable is responsible for:
-
The Tenable Security Center database and structure within PostgreSQL
-
Data integrity and database-level configuration
You must not access or modify the Tenable Security Center database within PostgreSQL directly.
Installation
You may use any currently supported version of PostgreSQL. These include:
-
PostgreSQL 13.x
-
PostgreSQL 14.x
-
PostgreSQL 15.x
-
PostgreSQL 16.x
-
PostgreSQL 17.x
Tenable follows the PostgreSQL lifecycle and removes support after that major version's final version is released.
Caution: If you use an external PostgreSQL 17, Tenable does not currently support migrating back to an internal PostgreSQL database.
Follow the PostgreSQL documentation for installation instructions.
You may choose a managed (by a cloud vendor or other) instance of PostgreSQL, as long as you meet the requirements listed above.
Note: When you use an external PostgreSQL database and you uninstall Tenable Security Center, the associated PostgreSQL database remains. Contact your Database Administrator to remove the database properly and completely, and ensure you take and maintain any required backups.
Configuration
External PostgreSQL Resource Requirements
For hardware requirements for PostgreSQL with Tenable Security Center, see Hardware Requirements
The table below shows the sizing requirements for Tenable Security Center based on the asset count. Tenable uses this information to determine the appropriate PostgreSQL configuration parameters needed for optimal Tenable Security Center performance.
| # of Hosts Managed by Tenable Security Center | CPU Cores | Memory | Minimum Disk Space Required for PostgreSQL Data |
|---|---|---|---|
| 2,500 active IPs | 4 | 16 GB RAM | 20 GB |
| 10,000 active IPs | 8 | 32 GB RAM | 50 GB |
| 25,000 active IPs | 16 | 64 GB RAM | 100 GB |
| 100,000 active IPs | 32 | 128 GB RAM | 400 GB |
| 250,000 active IPs | 64 | 256 GB RAM | 1 TB |
You can set PostgreSQL configuration items using various methods. Review the PostgreSQL documentation for information on how to apply these configuration changes.
The following are recommended settings for various Tenable Security Center sizes:
4 vCPUs/16 GB RAM, Cloud Equivalent- m6g.xlarge (2,500 active IPs and ~2 million Vulnerabilities)
max_connections=50
max_worker_processes=4
max_parallel_workers_per_gather=2
max_parallel_maintenance_workers=2
max_parallel_workers=4
shared_buffers=4GB
work_mem=128MB
maintenance_work_mem=1024MB
effective_cache_size=12GB
default_statistics_target=100
checkpoint_completion_target=0.9
wal_buffers=128MB
max_wal_size=6GB
min_wal_size=3GB
checkpoint_timeout=15min
wal_writer_flush_after=4MB
wal_writer_delay=10ms
effective_io_concurrency=200
random_page_cost=1.1
8 vCPUs/32 GB RAM, Cloud Equivalent- m6g.2x large (10,000 active IPs and ~8 million Vulnerabilities)
max_connections=50
max_worker_processes=8
max_parallel_workers_per_gather=4
max_parallel_maintenance_workers=4
max_parallel_workers=8
shared_buffers=8GB
work_mem=256MB
maintenance_work_mem=2048MB
effective_cache_size=24GB
default_statistics_target=100
checkpoint_completion_target=0.9
wal_buffers=128MB
max_wal_size=6GB
min_wal_size=3GB
checkpoint_timeout=15min
wal_writer_flush_after=4MB
wal_writer_delay=10ms
effective_io_concurrency=200
random_page_cost=1.1
16 vCPUs/64 GB RAM, Cloud Equivalent- m6g.4x large (25,000 active IPs)
max_connections=50
max_worker_processes=16
max_parallel_workers_per_gather=4
max_parallel_maintenance_workers=4
max_parallel_workers=16
shared_buffers=32GB
work_mem=1024MB
maintenance_work_mem=2048MB
effective_cache_size=96GB
default_statistics_target=100
checkpoint_completion_target=0.9
wal_buffers=128MB
max_wal_size=6GB
min_wal_size=3GB
checkpoint_timeout=15min
wal_writer_flush_after=4MB
wal_writer_delay=10ms
effective_io_concurrency=200
random_page_cost=1.1
32 vCPUs/128 GB RAM, Cloud Equivalent- m6g.8x large (70,000 Hosts and ~40 million Vulnerabilities)
max_connections=50
max_worker_processes=32
max_parallel_workers_per_gather=4
max_parallel_maintenance_workers=4
max_parallel_workers=32
shared_buffers=32GB
work_mem=1024MB
maintenance_work_mem=2048MB
effective_cache_size=96GB
default_statistics_target=100
checkpoint_completion_target=0.9
wal_buffers=128MB
max_wal_size=6GB
min_wal_size=3GB
checkpoint_timeout=15min
wal_writer_flush_after=4MB
wal_writer_delay=10ms
effective_io_concurrency=200
random_page_cost=1.1
64 vCPUs/256 GB RAM, Cloud Equivalent- m6g.16x large
max_connections=50
max_worker_processes=64
max_parallel_workers_per_gather=4
max_parallel_maintenance_workers=4
max_parallel_workers=64
shared_buffers=64GB
work_mem=1024MB
maintenance_work_mem=2048MB
effective_cache_size=192GB
default_statistics_target=100
checkpoint_completion_target=0.9
wal_buffers=128MB
max_wal_size=6GB
min_wal_size=3GB
checkpoint_timeout=15min
wal_writer_flush_after=4MB
wal_writer_delay=10ms
effective_io_concurrency=200
random_page_cost=1.1
Security
Tenable recommends that you implement an applicable PostgreSQL security baseline—such as the Center for Internet Security (CIS) PostgreSQL Benchmark or the Crunchy Data PostgreSQL STIG—if you host your own PostgreSQL instance. Tenable does not provide support for implementing these benchmarks, and some configurations may impact Tenable Security Center performance or functionality.
Implementation of security benchmarks may require adding external extensions, for example, pgaudit and pgcrypto, to PostgreSQL. Tenable does not provide support or documentation on how to install or configure these extensions.
External PostgreSQL Credential Encryption
You can encrypt on-disk usernames and passwords for your external PostgreSQL credentials.
PostgreSQL usernames and passwords are currently stored in plain text within the /opt/sc/.pgvars file. To encrypt these fields, you must log in and use the Tenable Security Center encryption utility before the credentials are stored in the .pgvars file.
Tenable Security Center Encryption Utility Overview (sc-enc)
The encryption utility binary is located at: /opt/sc/bin/sc-enc-linux-amd64.
NAME:
sc-enc - A Command Line Interface (CLI) tool for Advanced Encryption Standard (AES) encryption
USAGE:
sc-enc [global options] command [command options]
VERSION:
1.0.0
COMMANDS:
encrypt Encrypts a string using AES encryption
decrypt Decrypts a string using AES encryption
generate Generates a key
grpc-server Starts a gRPC server for encryption and decryption
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--key-path value, -k value Specifieds the encryption key (default: "/opt/sc/data/enc.key")
--fips-disable, --fd Disables Federal Information Processing Standards (FIPS) 140-2 mode (default: false)
--help, -h Shows help information
--version, -v Prints the version
To use the sc-enc utility to encrypt a password:
-
Invoke the binary with the encrypt command followed by the -i flag and the data you need encrypted. The following is an example, where [my secret password] is the password you want to encrypt.
/opt/sc/bin/sc-enc-linux-amd64 encrypt -i [my secret password]
The output produces the encrypted string:
sc_enc:1:c05eab151b29704f133dd597552d7ca1f11ba34fb25716fb9e62f2c1f6073df7
-
Place the encrypted data into the .pgvars file.
export SC_PG_HOST=127.0.0.1
export SC_PG_PORT=5432
export SC_PG_USER=sc_enc:1:c05eab151b29704f133dd597552d7ca1f11ba34fb25716fb9e62f2c1f6073df7
export SC_PG_PASSWORD=sc_enc:1:2c80aaf0a140443abdf1820f9a8dd78ea0caf4fe234dd0ba43713e09d048cb8c
export SC_PG_DATABASE=SecurityCenter
export SC_PG_CA_PATH=
export SC_PG_REQUIRE_TLS=
Note: Tenable Security Center automatically generates an encryption key during installation or upgrade. The key is stored at /opt/sc/data/enc.key. Tenable recommends that you back up this key and store it in a safe location.
Patching and Upgrades
Note: You must shut down Tenable Security Center before you patch or upgrade PostgreSQL.
Tenable recommends you do the following:
-
Monitor PostgreSQL Security Updates and apply the relevant security patches after testing.
-
Take a backup of the Tenable Security Center database before you patch or upgrade PostgreSQL.