GithubHelp home page GithubHelp logo

dev-sec / postgres-baseline Goto Github PK

View Code? Open in Web Editor NEW
50.0 16.0 23.0 119 KB

DevSec PostgreSQL Baseline - InSpec Profile

Home Page: https://dev-sec.io/baselines/postgres/

License: Apache License 2.0

Ruby 100.00%
inspec audit security baseline devsec postgresql hardening

postgres-baseline's Introduction

DevSec PostgreSQL Baseline

This Compliance Profile ensures, that all hardening projects keep the same quality.

Standalone Usage

This Compliance Profile requires InSpec for execution:

$ git clone https://github.com/dev-sec/postgres-baseline
$ inspec exec postgres-baseline

You can also execute the profile directly from Github:

$ inspec exec https://github.com/dev-sec/postgres-baseline

License and Author

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

postgres-baseline's People

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

ehaselwanter atomic111 guoyu07 pmav99 wheelq neatnerdprime ojongerius rbytheway rusakovichma alexbmw00 apollusehs-devops unitedtraders opstree devopstoday11 opstree-sec-labs renangraciano d1pakda5 bharath6208 isabella232 mekhanique iq-scm professormahi

postgres-baseline's Issues

Support sha256 on Postgresql 10+

Postgresql 10+ supports scram-sha256 hashing for passwords. The inspect check though only allows md5.
More info here: https://paquier.xyz/postgresql-2/postgres-10-scram-authentication/

postgres-baseline/controls/postgres_spec.rb

Lines 259 to 271 in 01175b7

control 'postgres-13' do
impact 1.0
title 'Require MD5 for ALL users, peers in pg_hba.conf'
desc 'Require MD5 for ALL users, peers in pg_hba.conf and do not allow untrusted authentication methods.'
describe file(POSTGRES_HBA_CONF_FILE) do
its('content') { should match(/local\s.*?all\s.*?all\s.*?md5/) }
its('content') { should match(%r{host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5}) }
its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5}) }
its('content') { should_not match(/.*password/) }
its('content') { should_not match(/.*trust/) }
its('content') { should_not match(/.*crypt/) }
end
end

Must run as postgres user?

Describe the bug
We're trying to run the postgres inspec as an inspec user so that we don't need to configure password authentication for our DB owner. However we see two problems when this happens:

  1. The control doesn't specify a database name, so it attempts to log into a database named after the user. Since we don't have an inspec database to match, it fails to create a postgres_session.
  2. Checks like ownership seem to assume that the user we specify will be the DB owner, with failures like "message": "expected File /var/lib/postgresql/12/main.owned_by?("inspec") to be truthy, got false",

Expected behavior
We had hoped to be able to run this as a user other than the DB owner/superuser. Is that possible?

Actual behavior

Apparently it has to run as the DB owner (postgres) and so we'd have to allow md5 auth from 127.0.0.1. That would be a huge security concern to me. Hopefully I'm missing something obvious.

Example code

/opt/chef/embedded/bin/inspec exec https://github.com/dev-sec/postgres-baseline/archive/master.zip --reporter=json --input-file /opt/foo/inspec-cron/postgres-inputs.yaml | jq -c '.profiles[].controls | map(.results=(.results | map(select(.status=="failed"))) | select(.results | length > 0)) | .[] | {inspec: .}' >> /var/log/inspec-reports/postgres-report.json

OS / Environment

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.6 LTS"

Inspec Version
Our inspec script pulls https://github.com/dev-sec/postgres-baseline/archive/master.zip every time.

ansible

Any plans for having postgres-baseline with ansible?

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.