diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
deleted file mode 100644
index f5b6c01..0000000
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-
----
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Actual behavior**
-
-```paste below
-
-```
-
-**Example code**
-
-```paste below
-
-```
-
-**OS / Environment**
-
-
-
-**Inspec Version**
-
-```paste below
-
-```
-
-**Baseline Version**
-
-```paste below
-
-```
-
-**Additional context**
-Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
deleted file mode 100644
index 066b2d9..0000000
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
new file mode 100644
index 0000000..aa95ac5
--- /dev/null
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,12 @@
+---
+name: Codespell - Spellcheck
+
+on: # yamllint disable-line rule:truthy
+ push:
+ branches: [master]
+ pull_request:
+ branches: [master]
+
+jobs:
+ codespell:
+ uses: "dev-sec/.github/.github/workflows/codespell.yml@main"
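Review bot: The reusable workflow on the `uses:` line of codespell.yml is referenced by the mutable `@main` ref of dev-sec/.github, so whatever lands on that branch runs here with this repository's token on every push and pull request; release.yml and test.yml in this commit reference their baseline workflows the same way, so this applies to all three. Pinning to a release tag or a full commit SHA, e.g. `uses: "dev-sec/.github/.github/workflows/codespell.yml@<tag-or-sha>"`, keeps the callee under review and lets Renovate propose the bumps. If tracking main is a deliberate org policy for centrally maintained workflows, a comment above the line saying so would record that decision for the next reviewer.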
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 986fa04..6a305c7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,87 +1,12 @@ +--- name: New release -on: +on: # yamllint disable-line rule:truthy + workflow_dispatch: push: branches: - master jobs: generate_changelog: - runs-on: ubuntu-latest - name: create release draft - steps: - - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - - name: 'Get Previous tag' - id: previoustag - uses: "WyriHaximus/github-action-get-previous-tag@master" - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - - - name: calculate next version - id: version - uses: patrickjahns/version-drafter-action@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - future_release: ${{ steps.version.outputs.next-version }} - - - name: Generate changelog for the release - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - since_tag: ${{ steps.previoustag.outputs.tag }} - future_release: ${{ steps.version.outputs.next-version }} - output: CHANGELOGRELEASE.md - - - name: update inspec.yml - uses: mikefarah/yq@3.2.1 - with: - cmd: yq w -I4 -i inspec.yml version ${{ steps.version.outputs.next-version }} && sed -i '1i---' inspec.yml - - - name: push inspec.yml and changelog - uses: github-actions-x/commit@v2.6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - push-branch: 'master' - commit-message: 'update inspec.yml and changelog' - files: inspec.yml CHANGELOG.md - name: dev-sec CI - email: hello@dev-sec.io - rebase: 'true' - - - name: Read CHANGELOG.md - id: package - uses: juliangruber/read-file-action@v1 - with: - path: ./CHANGELOGRELEASE.md - - - uses: actions/checkout@v2 - with: - ref: master - - - name: Get current commitish - id: current_commitish - run: echo "::set-output name=sha::$(git log -1 --format="%H")" - - - name: Check it - run: echo ${{ steps.current_commitish.outputs.sha }} - - - name: Create Release draft - id: create_release - uses: actions/create-release@v1.1.2 - env: - 
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token - with: - release_name: ${{ steps.version.outputs.next-version }} - tag_name: ${{ steps.version.outputs.next-version }} - body: | - ${{ steps.package.outputs.content }} - commitish: ${{ steps.current_commitish.outputs.sha }} - draft: true + uses: dev-sec/.github/.github/workflows/baseline-release.yml@main diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 33f4a5c..e88a234 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,18 +10,4 @@ on: jobs: test: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - ruby-version: ['2.6', '2.7', '3.0'] - - steps: - - uses: actions/checkout@v2 - - name: Set up Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: ${{ matrix.ruby-version }} - bundler-cache: true # runs 'bundle install' and caches installed gems automatically - - name: Run tests - run: bundle exec rake + uses: dev-sec/.github/.github/workflows/baseline-test.yml@main diff --git a/.rubocop.yml b/.rubocop.yml index e836519..5484145 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -2,35 +2,3 @@ AllCops: Exclude: - vendor/**/* -Documentation: - Enabled: false -Layout/ParameterAlignment: - Enabled: true -HashSyntax: - Enabled: true -LineLength: - Enabled: false -EmptyLinesAroundBlockBody: - Enabled: false -Style/Encoding: - Enabled: false -MethodLength: - Max: 40 -NumericLiterals: - MinDigits: 10 -Metrics/BlockLength: - Max: 45 # needed for 6.1.1 -Metrics/CyclomaticComplexity: - Max: 10 -Metrics/PerceivedComplexity: - Max: 10 -Metrics/AbcSize: - Max: 30 -# Lint/AmbiguousBlockAssociation is incompatible with RSpec -# https://github.com/rubocop-hq/rubocop/issues/4222 -Lint/AmbiguousBlockAssociation: - Enabled: false -Lint/AmbiguousRegexpLiteral: - Enabled: false -Style/NumericPredicate: - Enabled: false diff --git a/CHANGELOG.md b/CHANGELOG.md index e1da68c..ee83524 100644 
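Review bot: The new one-line `generate_changelog` job calls the reusable workflow without a `permissions:` block, whereas the job it replaces pushed inspec.yml and CHANGELOG.md to master and created a release draft with `secrets.GITHUB_TOKEN`. A called workflow's token cannot exceed the caller's permissions, so if the repository's default token permission is read-only, a callee that still performs those writes (not visible here) will fail at the push; declaring `permissions:` with `contents: write` on the job makes the requirement explicit while leaving every other scope read-only. Minor style point: the `uses:` value is unquoted here but quoted in the new codespell.yml; both are valid plain scalars, so pick one convention across the workflows.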
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,15 +1,44 @@ # Changelog -## [3.0.1](https://github.com/dev-sec/postgres-baseline/tree/3.0.1) (2021-03-25) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-12-08) -[Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.0...3.0.1) +[Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) **Implemented enhancements:** +- Update Supported Versions [\#52](https://github.com/dev-sec/postgres-baseline/issues/52) - Switch back to simple InSpec service description [\#17](https://github.com/dev-sec/postgres-baseline/issues/17) +- use centralised issue templates and workflows [\#48](https://github.com/dev-sec/postgres-baseline/pull/48) ([schurzi](https://github.com/schurzi)) + +**Merged pull requests:** + +- Remove control for running Database [\#54](https://github.com/dev-sec/postgres-baseline/pull/54) ([professormahi](https://github.com/professormahi)) +- Fix \#52: Update supported versions [\#53](https://github.com/dev-sec/postgres-baseline/pull/53) ([professormahi](https://github.com/professormahi)) +- ensure compatibility with new inspec version [\#51](https://github.com/dev-sec/postgres-baseline/pull/51) ([schurzi](https://github.com/schurzi)) +- add spellchecking with codespell [\#50](https://github.com/dev-sec/postgres-baseline/pull/50) ([schurzi](https://github.com/schurzi)) +- Configure Renovate [\#49](https://github.com/dev-sec/postgres-baseline/pull/49) ([renovate[bot]](https://github.com/apps/renovate)) +- Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) + +## [3.1.0](https://github.com/dev-sec/postgres-baseline/tree/3.1.0) (2022-02-22) + +[Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.1...3.1.0) + +**Implemented enhancements:** + +- Verify controls in running configuration [\#44](https://github.com/dev-sec/postgres-baseline/pull/44) ([FLiPp3r90](https://github.com/FLiPp3r90)) + 
+**Merged pull requests:** + +- Cookstyle Bot Auto Corrections with Cookstyle 7.14.0 [\#43](https://github.com/dev-sec/postgres-baseline/pull/43) ([cookstyle[bot]](https://github.com/apps/cookstyle)) + +## [3.0.1](https://github.com/dev-sec/postgres-baseline/tree/3.0.1) (2022-01-12) + +[Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.0...3.0.1) **Merged pull requests:** +- use input instead of attribute [\#45](https://github.com/dev-sec/postgres-baseline/pull/45) ([micheelengronne](https://github.com/micheelengronne)) +- fix rubocop error for Rakefile [\#42](https://github.com/dev-sec/postgres-baseline/pull/42) ([schurzi](https://github.com/schurzi)) - update release action [\#41](https://github.com/dev-sec/postgres-baseline/pull/41) ([schurzi](https://github.com/schurzi)) - add dependency to chef-config for CI [\#40](https://github.com/dev-sec/postgres-baseline/pull/40) ([schurzi](https://github.com/schurzi)) @@ -85,6 +114,10 @@ [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/2.0.1...2.0.2) +**Merged pull requests:** + +- inspec check fix [\#21](https://github.com/dev-sec/postgres-baseline/pull/21) ([chris-rock](https://github.com/chris-rock)) + ## [2.0.1](https://github.com/dev-sec/postgres-baseline/tree/2.0.1) (2017-05-08) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/2.0.0...2.0.1) 
@@ -95,7 +128,6 @@ - restrict ruby testing to version 2.3.3 and update gemfile [\#18](https://github.com/dev-sec/postgres-baseline/pull/18) ([atomic111](https://github.com/atomic111)) - adjust the service for each os type and correct the control 10 [\#16](https://github.com/dev-sec/postgres-baseline/pull/16) ([atomic111](https://github.com/atomic111)) - remove the sudo command and remove duplicate control [\#15](https://github.com/dev-sec/postgres-baseline/pull/15) ([atomic111](https://github.com/atomic111)) -- 2.0.0 [\#14](https://github.com/dev-sec/postgres-baseline/pull/14) ([chris-rock](https://github.com/chris-rock)) ## [2.0.0](https://github.com/dev-sec/postgres-baseline/tree/2.0.0) (2017-01-05) @@ -103,6 +135,7 @@ **Merged pull requests:** +- 2.0.0 [\#14](https://github.com/dev-sec/postgres-baseline/pull/14) ([chris-rock](https://github.com/chris-rock)) - Migrate to InSpec [\#13](https://github.com/dev-sec/postgres-baseline/pull/13) ([atomic111](https://github.com/atomic111)) ## [1.1.0](https://github.com/dev-sec/postgres-baseline/tree/1.1.0) (2015-10-15) @@ -111,7 +144,7 @@ **Merged pull requests:** -- install server and apply hardening in seperate steps [\#5](https://github.com/dev-sec/postgres-baseline/pull/5) ([chris-rock](https://github.com/chris-rock)) +- install server and apply hardening in separate steps [\#5](https://github.com/dev-sec/postgres-baseline/pull/5) ([chris-rock](https://github.com/chris-rock)) - bugfix: lint error [\#4](https://github.com/dev-sec/postgres-baseline/pull/4) ([chris-rock](https://github.com/chris-rock)) - add ssl test back in for 'off' setting [\#3](https://github.com/dev-sec/postgres-baseline/pull/3) ([ehaselwanter](https://github.com/ehaselwanter)) diff --git a/Gemfile b/Gemfile index a076fc4..3a0b06c 100644 --- a/Gemfile +++ b/Gemfile @@ -2,6 +2,7 @@ source 'https://rubygems.org' +gem 'cookstyle' gem 'highline' gem 'rack' gem 'rake' diff --git a/README.md b/README.md index 5453f72..2a0add2 100644 --- a/README.md 
+++ b/README.md @@ -27,7 +27,7 @@ $ inspec exec https://github.com/dev-sec/postgres-baseline - Author:: Christoph Hartmann - Author:: Edmund Haselwanter -- Copyright 2014-2019, The DevSec Hardening Framework Team +- Copyright 2014-2022, The DevSec Hardening Framework Team Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/Rakefile b/Rakefile index c0fb9fa..5823b2a 100755 --- a/Rakefile +++ b/Rakefile @@ -1,7 +1,6 @@ # frozen_string_literal: true -# !/usr/bin/env rake - +require 'cookstyle' require 'rake/testtask' require 'rubocop/rake_task' @@ -11,6 +10,10 @@ task :rubocop do RuboCop::RakeTask.new end +RuboCop::RakeTask.new(:cookstyle) do |task| + task.options << '--display-cop-names' +end + # lint the project desc 'Run robocop linter' task lint: [:rubocop] @@ -46,5 +49,4 @@ task :changelog do Rake::Task[:changelog].execute rescue LoadError puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks' - end diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 5d34275..c27c2d3 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true -# Copyright 2016, Patrick Muench -# Copyright 2016-2019 DevSec Hardening Framework Team +# Copyright:: 2016, Patrick Muench +# Copyright:: 2016-2019 DevSec Hardening Framework Team # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
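Review bot: The new `cookstyle` Rake task in the second Rakefile hunk is defined but nothing invokes it: the context line `task lint: [:rubocop]` still wires `lint` to the plain rubocop task, although the changelog entry in this same commit says linting moves to Cookstyle. Either `task lint: [:cookstyle]` or `task lint: %i[rubocop cookstyle]` would make `rake lint` exercise the new task, and the `desc 'Run robocop linter'` typo on the line above could go in the same edit. The `require 'cookstyle'` added in the first hunk does not, as far as this diff shows, change which task `lint` depends on.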
@@ -22,69 +22,24 @@ title 'PostgreSQL Server Configuration' # inputs -USER = input( - 'user', - description: 'define the postgresql user to access the database', - value: 'postgres' -) - -PASSWORD = input( - 'password', - description: 'define the postgresql password to access the database', - value: 'iloverandompasswordsbutthiswilldo' -) - -POSTGRES_DATA = input( - 'postgres_data', - description: 'define the postgresql data directory', - value: postgres.data_dir -) - -POSTGRES_CONF_DIR = input( - 'postgres_conf_dir', - description: 'define the postgresql configuration directory', - value: postgres.conf_dir -) - -POSTGRES_CONF_PATH = input( - 'postgres_conf_path', - description: 'define path for the postgresql configuration file', - value: File.join(POSTGRES_CONF_DIR.to_s, 'postgresql.conf') -) - -POSTGRES_HBA_CONF_FILE = input( - 'postgres_hba_conf_file', - description: 'define path for the postgresql configuration file', - value: File.join(POSTGRES_CONF_DIR.to_s, 'pg_hba.conf') -) - -POSTGRES_LOG_DIR = input( - 'postgres_log_dir', - description: 'define path for the postgresql log file', - value: '/var/log/postgresql' -) +USER = input('user', value: 'postgres') +PASSWORD = input('password', value: 'iloverandompasswordsbutthiswilldo') +POSTGRES_DATA = input('postgres_data', value: postgres.data_dir) +POSTGRES_CONF_DIR = input('postgres_conf_dir', value: postgres.conf_dir) +POSTGRES_CONF_PATH = input('postgres_conf_path', value: File.join(POSTGRES_CONF_DIR.to_s, 'postgresql.conf')) +POSTGRES_HBA_CONF_FILE = input('postgres_hba_conf_file', value: File.join(POSTGRES_CONF_DIR.to_s, 'pg_hba.conf')) +POSTGRES_LOG_DIR = input('postgres_log_dir', value: '/var/log/postgresql') only_if do command('psql').exist? end -control 'postgres-01' do - impact 1.0 - title 'Postgresql should be running' - desc 'Postgresql should be running.' 
- describe service(postgres.service) do - it { should be_installed } - it { should be_running } - it { should be_enabled } - end -end - control 'postgres-02' do impact 1.0 title 'Use stable postgresql version' - desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL oder BETA versions in a production environment.' + desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL or BETA versions in a production environment.' describe command('psql -V') do - its('stdout') { should match /^psql\s\(PostgreSQL\)\s(9.6|10|11|12|13).*/ } + its('stdout') { should match /^psql\s\(PostgreSQL\)\s(13|14|15|16|17).*/ } end describe command('psql -V') do its('stdout') { should_not match /RC/ } @@ -145,15 +100,15 @@ describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do its('output') { should match /^md5\S*$/i } end - describe postgres_conf(POSTGRES_CONF_PATH) do - its('password_encryption') { should eq 'on' } + describe postgres_session(USER, PASSWORD).query('SHOW password_encryption;') do + its('output') { should eq 'on' } end else describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do its('output') { should match /^scram-sha-256\S*$/i } end - describe postgres_conf(POSTGRES_CONF_PATH) do - its('password_encryption') { should eq 'scram-sha-256' } + describe postgres_session(USER, PASSWORD).query('SHOW password_encryption;') do + its('output') { should eq 'scram-sha-256' } end end end @@ -197,7 +152,7 @@ it { should be_file } it { should be_owned_by USER } it { should be_readable.by('owner') } - it { should_not be_readable.by('group') } + it { should be_readable.by('group') } it { should_not be_readable.by('other') } it { should be_writable.by('owner') } it { should_not be_writable.by('group') } 
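Review bot: The `its('output') { should eq 'on' }` expectation for `SHOW password_encryption;` in the md5 branch only matches what servers before PostgreSQL 10 print; from 10 onwards the setting is an enum and `SHOW` reports `md5` or `scram-sha-256`, so this branch cannot pass against the 13–17 servers that postgres-02 now requires. The branch condition is outside the hunk, so I cannot see which versions reach it; if it is meant for md5-configured servers, `its('output') { should eq 'md5' }` is the value a supported server returns, otherwise the branch can go with the 9.x support. The scram branch below is consistent with current servers.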
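Review bot: Flipping `it { should_not be_readable.by('group') }` to `it { should be_readable.by('group') }` turns a hardening check into a requirement that the file be group-readable, so a stricter mode such as 0600 now fails the control while the neighbouring `other` and `writable` expectations still forbid wider access. If the intent is to tolerate distributions that ship the file group-readable, the line should be removed (no assertion on group read) rather than inverted; if group read is genuinely required, the control's desc should state why. The control header and the file path under test are outside the hunk, so I cannot tell which file this is.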
@@ -225,8 +180,8 @@ impact 1.0 title 'It is recommended to activate ssl communication.' desc 'The hardening-cookbook will delete the links from #var/lib/postgresql/%postgresql-version%/main/server.crt to etc/ssl/certs/ssl-cert-snakeoil.pem and #var/lib/postgresql/%postgresql-version%/main/server.key to etc/ssl/private/ssl-cert-snakeoil.key on Debian systems. This certificates are self-signed (see http://en.wikipedia.org/wiki/Snake_oil_%28cryptography%29) and therefore not trusted. You have to #provide our own trusted certificates for SSL.' - describe postgres_conf(POSTGRES_CONF_PATH) do - its('ssl') { should eq 'on' } + describe postgres_session(USER, PASSWORD).query('SHOW ssl;') do + its('output') { should eq 'on' } end end @@ -234,8 +189,8 @@ impact 1.0 title 'Use strong chiphers for ssl communication' desc 'The following categories of SSL Ciphers must not be used: ADH, LOW, EXP and MD5. A very good description for secure postgres installation / configuration can be found at: https://bettercrypto.org' - describe postgres_conf(POSTGRES_CONF_PATH) do - its('ssl_ciphers') { should eq 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' } + describe postgres_session(USER, PASSWORD).query('SHOW ssl_ciphers;') do + its('output') { should eq 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' } end end @@ -250,7 +205,7 @@ control 'postgres-14' do impact 1.0 - title 'Require only trusted authentication mathods in pg_hba.conf' + title 'Require only trusted authentication methods in pg_hba.conf' desc 'Require trusted auth method for ALL users, peers in pg_hba.conf and do not allow untrusted authentication methods.' case postgres.version when /^9/ 
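Review bot: The cipher check in the `ssl_ciphers` hunk still pins the running value to the exact string `ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH`, so an operator who configures a stricter list than this legacy default fails the control even though the desc only demands that ADH, LOW, EXP and MD5 be excluded. With the move to `SHOW ssl_ciphers;` this is a good moment to test the stated requirement instead, for example `its('output') { should match(/!ADH/) }` with matching lines for `!LOW`, `!EXP` and `!MD5`, or one regex covering all four. If exact equality is intentional as a baseline value, a comment saying so would stop the next reviewer raising it again.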
@@ -278,14 +233,26 @@ impact 1.0 title 'Enable logging functions' desc 'Logging functions must be turned on and properly configured according / compliant to local law.' - describe postgres_conf(POSTGRES_CONF_PATH) do - its('logging_collector') { should eq 'on' } - its('log_connections') { should eq 'on' } - its('log_disconnections') { should eq 'on' } - its('log_duration') { should eq 'on' } - its('log_hostname') { should eq 'on' } - its('log_directory') { should eq 'pg_log' } - its('log_line_prefix') { should eq '%t %u %d %h' } + describe postgres_session(USER, PASSWORD).query('SHOW logging_collector;') do + its('output') { should eq 'on' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_connections;') do + its('output') { should eq 'on' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_disconnections;') do + its('output') { should eq 'on' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_duration;') do + its('output') { should eq 'on' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_hostname;') do + its('output') { should eq 'on' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_directory;') do + its('output') { should_not eq 'log' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_line_prefix;') do + its('output') { should eq '%t %u %d %h' } end end @@ -301,7 +268,7 @@ control 'postgres-18' do impact 1.0 title 'Grants should not be assigned with grant option privilege' - desc 'Grants should not be assigned with grant option exept postgresql admin superuser.' + desc 'Grants should not be assigned with grant option except postgresql admin superuser.' describe postgres_session(USER, PASSWORD).query("SELECT COUNT(is_grantable) FROM information_schema.table_privileges WHERE grantee NOT LIKE 'postgres' AND is_grantable = 'YES';") do its('output') { should eq '0' } end diff --git a/inspec.yml b/inspec.yml index ae903c5..7306f8e 100644 --- a/inspec.yml 
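Review bot: The `log_directory` expectation is relaxed from `should eq 'pg_log'` to `should_not eq 'log'` without recording why; `log` is the server default since PostgreSQL 10, which explains the new value, but a negative assertion is also satisfied by an empty or unexpected string, so if a query ever yields empty output the control passes silently. A comment such as `# 'log' is the server default; any dedicated directory is acceptable` above the describe states the intent, and `its('output') { should_not be_empty }` alongside it closes the gap. Style-wise, seven separate `postgres_session(...).query('SHOW ...')` blocks each open their own psql session; a single query over `pg_settings` for the seven names with one describe would be cheaper and easier to scan, though that is optional.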
+++ b/inspec.yml @@ -6,6 +6,22 @@ copyright: DevSec Hardening Framework Team copyright_email: hello@dev-sec.io license: Apache-2.0 summary: Test-suite for best-practice postgres hardening -version: 3.0.1 +inspec_version: '>= 4.6.3' +version: 3.1.1 supports: - os-family: unix +inputs: + - name: user + description: define the postgresql user to access the database + - name: password + description: define the postgresql password to access the database + - name: postgres_data + description: define the postgresql data directory + - name: postgres_conf_dir + description: define the postgresql configuration directory + - name: postgres_conf_path + description: define path for the postgresql configuration file + - name: postgres_hba_conf_file + description: define path for the postgresql configuration file + - name: postgres_log_dir + description: define path for the postgresql log file diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..830b725 --- /dev/null +++ b/renovate.json @@ -0,0 +1,15 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:base", + ":gitSignOff" + ], + "dependencyDashboard": true, + "dependencyDashboardAutoclose": true, + "packageRules": [ + { + "matchUpdateTypes": ["patch", "minor"], + "automerge": true + } + ] +}
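Review bot: The description for the new `postgres_hba_conf_file` input is copied from `postgres_conf_path` (`define path for the postgresql configuration file`), so the two inputs read as duplicates in generated documentation; `description: define path for the pg_hba.conf file` matches what the control file joins onto the conf dir. The input names agree with the `input(...)` calls in controls/postgres_spec.rb, the `inspec_version` constraint is correctly quoted, and `version: 3.1.1` is safe unquoted because a value with two dots cannot parse as a float.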
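Review bot: The `packageRules` entry automerges every patch and minor update Renovate finds, and with no `matchManagers` restriction that covers every enabled manager, GitHub Actions references included, not just the Bundler gems. Renovate merges only after the configured checks pass, but the test workflow in this commit is itself a reusable workflow tracked at `@main`, so the gate is only as strong as that callee; if automerge is meant for low-risk updates only, scoping the rule with `"matchManagers": ["bundler"]` keeps workflow and action bumps under human review. `:gitSignOff` and the dashboard settings look fine.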