| 1 | + |
| 2 | +\t |
| 3 | +select '-------------------' |
| 4 | +union all |
| 5 | +SELECT 'GENERAL INFORMATION' |
| 6 | +union all |
| 7 | +select '-------------------'; |
| 8 | + |
| 9 | +select 'Instance: <Your instance name>'; |
| 10 | +select 'Script run: ' || current_timestamp::text; |
| 11 | +select 'Version: ' || version(); |
| 12 | +\t |
| 13 | +select datname as databases from pg_database order by datname; |
| 14 | +\t |
| 15 | +select 'Extensions:'; |
| 16 | +\t |
| 17 | +select * from pg_extension order by extname; |
| 18 | + |
| 19 | +\t |
| 20 | +select '-----------------' |
| 21 | +union all |
| 22 | +select 'SECURITY AUDITING' |
| 23 | +union all |
| 24 | +select '-----------------'; |
| 25 | +\t |
| 26 | + |
| 27 | +SELECT name, setting , case when setting = 'on' then 'PASS' else 'FAIL' end as verify |
| 28 | +FROM pg_settings |
| 29 | +where name = 'log_connections' |
| 30 | +union all |
| 31 | +SELECT name, setting , case when setting = 'ddl' then 'PASS' else 'FAIL' end as verify |
| 32 | +FROM pg_settings |
| 33 | +where name = 'log_statement' |
| 34 | +union all |
| 35 | +select 'pgaudit installed',(select 'version ' || extversion::text from pg_extension where extname = 'pgaudit'), case when exists (select 1 from pg_extension where extname = 'pgaudit') then 'PASS' else 'FAIL' end; |
| 36 | + |
| 37 | +\t |
| 38 | +select '---------------' |
| 39 | +union all |
| 40 | +select 'PASSWORD EXPIRY' |
| 41 | +union all |
| 42 | +select '---------------'; |
| 43 | +\t |
| 44 | + |
| 45 | +select usename, valuntil, |
| 46 | + case |
| 47 | + when valuntil between now() and now() + interval '90 days' then 'PASS' |
| 48 | + when valuntil < now() then 'EXPIRED' |
| 49 | + when valuntil is null or valuntil = 'infinity' then 'FAILED IF A PERSON' else 'PASS' |
| 50 | + end |
| 51 | +from pg_user |
| 52 | +where usename not in ('rdsadmin','appd_mon', 'system_userx', 'etc.') -- Exclude system users |
| 53 | +order by valuntil; |
| 54 | + |
| 55 | +\t |
| 56 | +select '---------------------' |
| 57 | +union all |
| 58 | +select 'USERS WHO CAN CONNECT' |
| 59 | +union all |
| 60 | +select '---------------------'; |
| 61 | +\t |
| 62 | + |
| 63 | +SELECT pgu.usename as user_name, |
| 64 | + (SELECT string_agg(pgd.datname, ',' ORDER BY pgd.datname) |
| 65 | + FROM pg_database pgd |
| 66 | + WHERE has_database_privilege(pgu.usename, pgd.datname, 'CONNECT')) AS database_name |
| 67 | +FROM pg_user pgu |
| 68 | +ORDER BY pgu.usename; |
| 69 | + |
| 70 | +\t |
| 71 | +select '------' |
| 72 | +union all |
| 73 | +select 'GROUPS' |
| 74 | +union all |
| 75 | +select '------'; |
| 76 | +\t |
| 77 | + |
| 78 | +select groname |
| 79 | +from pg_group |
| 80 | +where groname not like 'pg%' |
| 81 | + and groname not in ('rds_ad','rds_iam', 'rds_password', 'rds_replication') |
| 82 | +order by groname; |
| 83 | + |
| 84 | +\t |
| 85 | +select '---------------' |
| 86 | +union all |
| 87 | +select 'USERS IN GROUPS' |
| 88 | +union all |
| 89 | +select '---------------'; |
| 90 | +\t |
| 91 | + |
| 92 | +select t2.rolname group_name , t3.rolname member_name, t4.rolname as grantor, admin_option |
| 93 | +from pg_auth_members t1 |
| 94 | +join pg_roles t2 on t1.roleid = t2.oid |
| 95 | +join pg_roles t3 on t1.member = t3.oid and t3.rolcanlogin |
| 96 | +join pg_roles t4 on t1.grantor = t4.oid |
| 97 | +order by t2.rolname,t3.rolname; |
| 98 | + |
| 99 | +\t |
| 100 | +select '----------------------------' |
| 101 | +union all |
| 102 | +select 'PERMISSIONS BY OWNERSHIP' |
| 103 | +union all |
| 104 | +select '----------------------------'; |
| 105 | +\t |
| 106 | + |
| 107 | +select schemaname, tableowner, count(*) |
| 108 | +from pg_tables |
| 109 | +group by 1,2 |
| 110 | + |
| 111 | +\t |
| 112 | +select '----------------------------' |
| 113 | +union all |
| 114 | +select 'DIRECTLY GRANTED PERMISSIONS' |
| 115 | +union all |
| 116 | +select '----------------------------'; |
| 117 | +\t |
| 118 | + |
| 119 | +SELECT grantee, privilege_type, is_grantable, count(distinct table_schema||table_name) table_count |
| 120 | +FROM information_schema.role_table_grants t1 |
| 121 | +join pg_tables t2 on t1.table_schema = t2.schemaname and t1.table_name = t2.tablename |
| 122 | +join pg_roles on grantee = rolname and rolcanlogin |
| 123 | +where grantee <> tableowner |
| 124 | +group by grantee, privilege_type, is_grantable |
| 125 | +order by grantee; |
| 126 | + |
| 127 | +\t |
| 128 | +select '---------------------' |
| 129 | +union all |
| 130 | +select 'EXECUTION PERMISSIONS' |
| 131 | +union all |
| 132 | +select '---------------------'; |
| 133 | +\t |
| 134 | + |
| 135 | +SELECT p1.grantee,p1.is_grantable,p1.privilege_type,p1.routine_schema,p1.routine_name |
| 136 | +FROM information_schema.role_routine_grants p1 |
| 137 | +join pg_proc p2 on p1.routine_name = p2.proname |
| 138 | +join pg_roles p3 on p2.proowner = p3.oid |
| 139 | +where p1.grantee <> p3.rolname |
| 140 | +order by p1.grantee,p1.routine_schema,p1.routine_name; |
| 141 | + |
| 142 | +\t |
| 143 | +select '-------------------' |
| 144 | +union all |
| 145 | +select 'DEFAULT PERMISSIONS' |
| 146 | +union all |
| 147 | +select '-------------------'; |
| 148 | +\t |
| 149 | + |
| 150 | +select pg_get_userbyid(d.defaclrole) as user, n.nspname as schema, case d.defaclobjtype when 'r' then 'tables' when 'f' then 'functions' when 'S' then 'sequences' end as object_type,array_to_string(d.defaclacl, ' + ') as default_privileges |
| 151 | +from pg_catalog.pg_default_acl d |
| 152 | +left join pg_catalog.pg_namespace n on n.oid = d.defaclnamespace |
| 153 | +order by 1,2,3; |
| 154 | + |
| 155 | +\t |
| 156 | +select '-------------------------------------' |
| 157 | +union all |
| 158 | +select 'SCRIPT END ' || current_timestamp::text |
| 159 | +union all |
| 160 | +select '-------------------------------------'; |
| 161 | +\t |
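Review bot: The ownership query at gutter lines 107–109 has no terminating `;` after `group by 1,2`, so psql fuses it with the following `select '----…' union all …` banner into a single statement and both the PERMISSIONS BY OWNERSHIP output and the DIRECTLY GRANTED PERMISSIONS header are lost to a syntax error; change it to `group by schemaname, tableowner;`. The `log_statement` check at line 31 passes only `'ddl'`, so the stricter `'mod'` and `'all'` settings, which also log DDL, are reported as FAIL; use `case when setting in ('ddl', 'mod', 'all') then 'PASS' else 'FAIL' end as verify`. The password-expiry CASE at lines 46–50 falls through to `else 'PASS'` for any `valuntil` more than 90 days in the future, which appears to contradict the 90-day window of the first branch and presumably should be a FAIL rather than a PASS. The table and routine grant sections (lines 122 and 137–139) join `pg_roles` with `rolcanlogin` or match routines on `proname` alone, so privileges granted to non-login group roles never appear and same-named functions in different schemas are matched to the wrong owner; the routine join should also constrain the schema, e.g. `join pg_namespace n on n.oid = p2.pronamespace and n.nspname = p1.routine_schema`. A header comment stating that `pg_tables` and the `information_schema` views cover only the database the script is connected to, so it must be run once per database, would also help whoever reads the report.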