From 613831a5a039c81e4f7e48fdc297e28b7dd999d2 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sat, 24 Apr 2021 14:02:47 +0000 Subject: [PATCH 01/46] update inspec.yml and changelog --- CHANGELOG.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1da68c..9b706ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [3.0.1](https://github.com/dev-sec/postgres-baseline/tree/3.0.1) (2021-03-25) +## [3.0.1](https://github.com/dev-sec/postgres-baseline/tree/3.0.1) (2021-04-24) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.0...3.0.1) @@ -10,6 +10,7 @@ **Merged pull requests:** +- fix rubocop error for Rakefile [\#42](https://github.com/dev-sec/postgres-baseline/pull/42) ([schurzi](https://github.com/schurzi)) - update release action [\#41](https://github.com/dev-sec/postgres-baseline/pull/41) ([schurzi](https://github.com/schurzi)) - add dependency to chef-config for CI [\#40](https://github.com/dev-sec/postgres-baseline/pull/40) ([schurzi](https://github.com/schurzi)) @@ -85,6 +86,10 @@ [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/2.0.1...2.0.2) +**Merged pull requests:** + +- inspec check fix [\#21](https://github.com/dev-sec/postgres-baseline/pull/21) ([chris-rock](https://github.com/chris-rock)) + ## [2.0.1](https://github.com/dev-sec/postgres-baseline/tree/2.0.1) (2017-05-08) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/2.0.0...2.0.1) 
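Review bot: the first hunk only re-dates the existing 3.0.1 heading (2021-03-25 to 2021-04-24) while the compare link still reads `3.0.0...3.0.1`, which means 3.0.1 was never tagged and the generator keeps rewriting an unreleased section (PATCH 04 moves the same date again, to 2022-01-12). Tag the release or let the release job compute the next version before the changelog is regenerated, so published sections stay immutable. The remaining hunks (adding `#42` and `#21`, moving `#14` from 2.0.1 to 2.0.0) are bookkeeping corrections and look right.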
@@ -95,7 +100,6 @@ - restrict ruby testing to version 2.3.3 and update gemfile [\#18](https://github.com/dev-sec/postgres-baseline/pull/18) ([atomic111](https://github.com/atomic111)) - adjust the service for each os type and correct the control 10 [\#16](https://github.com/dev-sec/postgres-baseline/pull/16) ([atomic111](https://github.com/atomic111)) - remove the sudo command and remove duplicate control [\#15](https://github.com/dev-sec/postgres-baseline/pull/15) ([atomic111](https://github.com/atomic111)) -- 2.0.0 [\#14](https://github.com/dev-sec/postgres-baseline/pull/14) ([chris-rock](https://github.com/chris-rock)) ## [2.0.0](https://github.com/dev-sec/postgres-baseline/tree/2.0.0) (2017-01-05) @@ -103,6 +107,7 @@ **Merged pull requests:** +- 2.0.0 [\#14](https://github.com/dev-sec/postgres-baseline/pull/14) ([chris-rock](https://github.com/chris-rock)) - Migrate to InSpec [\#13](https://github.com/dev-sec/postgres-baseline/pull/13) ([atomic111](https://github.com/atomic111)) ## [1.1.0](https://github.com/dev-sec/postgres-baseline/tree/1.1.0) (2015-10-15) From a799e6cd413a9b754d686fc9397a38c9873c6fc6 Mon Sep 17 00:00:00 2001 From: Cookstyle Date: Mon, 21 Jun 2021 13:47:34 -0700 Subject: [PATCH 02/46] Cookstyle Bot Auto Corrections with Cookstyle 7.14.0 This change is automatically generated by the Cookstyle Bot using the latest version of Cookstyle (7.14.0). Adopting changes suggested by Cookstyle improves cookbook readability, avoids common coding mistakes, and eases upgrades to newer versions of the Chef Infra Client. ### Layout/EmptyLinesAroundBlockBody - **/Rakefile:49**: Extra empty line detected at block body end. (https://rubystyle.guide#empty-lines-around-bodies) Signed-off-by: Cookstyle --- Rakefile | 1 - controls/postgres_spec.rb | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/Rakefile b/Rakefile index c0fb9fa..b527561 100755 --- a/Rakefile +++ b/Rakefile 
@@ -46,5 +46,4 @@ task :changelog do Rake::Task[:changelog].execute rescue LoadError puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks' - end diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 5d34275..7dc355c 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true -# Copyright 2016, Patrick Muench -# Copyright 2016-2019 DevSec Hardening Framework Team +# Copyright:: 2016, Patrick Muench +# Copyright:: 2016-2019 DevSec Hardening Framework Team # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. From 068d021bee3541eaf8a857c2469fa8c56968e6d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mich=C3=A9e=20lengronne?= Date: Wed, 12 Jan 2022 12:46:37 +0100 Subject: [PATCH 03/46] use input instead of attribute MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the last versions of Inspec and cinc-auditor, attribute is deprecated and input should be used. https://docs.chef.io/workstation/cookstyle/inspec_deprecations_attributehelper/ Signed-off-by: Michée Lengronne --- inspec.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/inspec.yml b/inspec.yml index ae903c5..0407f11 100644 --- a/inspec.yml +++ b/inspec.yml @@ -6,6 +6,7 @@ copyright: DevSec Hardening Framework Team copyright_email: hello@dev-sec.io license: Apache-2.0 summary: Test-suite for best-practice postgres hardening +inspec_version: '>= 4.6.3' version: 3.0.1 supports: - os-family: unix From 445800aec24fb481556f406f61ada8711adf51b4 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Wed, 12 Jan 2022 16:14:47 +0000 Subject: [PATCH 04/46] update inspec.yml and changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b706ba..915e2f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
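Review bot: PATCH 03's subject and body say `attribute` is replaced by `input`, but the only hunk adds `inspec_version: '>= 4.6.3'` to inspec.yml; no control file changes. Either the controls hunk is missing from this patch or the message should describe what it actually does, which is raising the minimum InSpec version (presumably to one where `input` is available). The PATCH 02 hunks (the `Copyright::` comment form and the dropped blank line in the Rakefile `rescue`) are pure Cookstyle style fixes and need no change.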
@@ -1,6 +1,6 @@ # Changelog -## [3.0.1](https://github.com/dev-sec/postgres-baseline/tree/3.0.1) (2021-04-24) +## [3.0.1](https://github.com/dev-sec/postgres-baseline/tree/3.0.1) (2022-01-12) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.0...3.0.1) @@ -10,6 +10,7 @@ **Merged pull requests:** +- use input instead of attribute [\#45](https://github.com/dev-sec/postgres-baseline/pull/45) ([micheelengronne](https://github.com/micheelengronne)) - fix rubocop error for Rakefile [\#42](https://github.com/dev-sec/postgres-baseline/pull/42) ([schurzi](https://github.com/schurzi)) - update release action [\#41](https://github.com/dev-sec/postgres-baseline/pull/41) ([schurzi](https://github.com/schurzi)) - add dependency to chef-config for CI [\#40](https://github.com/dev-sec/postgres-baseline/pull/40) ([schurzi](https://github.com/schurzi)) From 7270eb0048c68d259e5f036acb13a05f91dc8879 Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Wed, 14 Jul 2021 09:23:29 +0200 Subject: [PATCH 05/46] allow weaker file permission for postgres group Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 5d34275..9032590 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -197,7 +197,7 @@ it { should be_file } it { should be_owned_by USER } it { should be_readable.by('owner') } - it { should_not be_readable.by('group') } + it { should be_readable.by('group') } it { should_not be_readable.by('other') } it { should be_writable.by('owner') } it { should_not be_writable.by('group') } @@ -210,7 +210,7 @@ it { should be_file } it { should be_owned_by USER } it { should be_readable.by('owner') } - it { should_not be_readable.by('group') } + it { should be_readable.by('group') } it { should_not be_readable.by('other') } it { should be_writable.by('owner') } it { should_not be_writable.by('group') } 
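Review bot: the two hunks at postgres_spec.rb:197 and :210 flip `should_not be_readable.by('group')` to `should be_readable.by('group')`, which does not "allow" group read as the subject says; it now requires it, so a host that keeps the stricter 0600 mode on these files fails the control. If the intent is to tolerate either mode, drop the group-read expectation rather than invert it. The :210 block is the hba_conf file (PATCH 11, "restrict hba_conf priviliges", reverts exactly that hunk), so this commit briefly weakens the expectation on the authentication rules file; squash PATCH 11 into this one so the relaxed state never lands in history.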
From ae1d079f0c566fce2ba949f4225eae7fa5bcd3a0 Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Wed, 14 Jul 2021 09:29:43 +0200 Subject: [PATCH 06/46] increase version Signed-off-by: Filip Krahl --- inspec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inspec.yml b/inspec.yml index f49f90e..ae903c5 100644 --- a/inspec.yml +++ b/inspec.yml @@ -6,6 +6,6 @@ copyright: DevSec Hardening Framework Team copyright_email: hello@dev-sec.io license: Apache-2.0 summary: Test-suite for best-practice postgres hardening -version: 3.0.0 +version: 3.0.1 supports: - os-family: unix From 947376f7d53983a49256d20229fd87943a117759 Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Wed, 14 Jul 2021 10:45:29 +0200 Subject: [PATCH 07/46] postgres log_directory should not be empty Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 9032590..357b809 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -284,7 +284,7 @@ its('log_disconnections') { should eq 'on' } its('log_duration') { should eq 'on' } its('log_hostname') { should eq 'on' } - its('log_directory') { should eq 'pg_log' } + its('log_directory') { should_not eq ' ' } its('log_line_prefix') { should eq '%t %u %d %h' } end end From 6d54fa6fd53af20b77b8a69a7f8fb1c37b14d93a Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Fri, 16 Jul 2021 11:44:55 +0200 Subject: [PATCH 08/46] check database parameters instead of config file Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 357b809..c20f970 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb 
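Review bot: in PATCH 07, `its('log_directory') { should_not eq ' ' }` compares against a single space, not an empty string, so an empty or unset value still passes. Use `should_not eq ''` (or `should_not be_empty`), and preferably assert what the control actually cares about: that the resolved log directory exists as a `directory` resource owned by the postgres user and not readable by others. PATCH 06's `version: 3.0.1` bump is fine on its own, but note its index line `f49f90e..ae903c5` predates PATCH 03's base (`ae903c5..0407f11`); the series was reordered on rebase, which is why PATCH 01 and 04 already show 3.0.1 in the changelog.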
@@ -145,14 +145,14 @@ describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do its('output') { should match /^md5\S*$/i } end - describe postgres_conf(POSTGRES_CONF_PATH) do + describe postgres_session(USER, PASSWORD).query('SHOW password_encryption;') do its('password_encryption') { should eq 'on' } end else describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do its('output') { should match /^scram-sha-256\S*$/i } end - describe postgres_conf(POSTGRES_CONF_PATH) do + describe postgres_session(USER, PASSWORD).query('SHOW password_encryption;') do its('password_encryption') { should eq 'scram-sha-256' } end end From 5d1ece211302a6b84ec4ea33e230c813e37a567e Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Fri, 16 Jul 2021 11:48:41 +0200 Subject: [PATCH 09/46] check database parameters instead of config file - use select statement Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index c20f970..79ec0fa 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -145,14 +145,14 @@ describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do its('output') { should match /^md5\S*$/i } end - describe postgres_session(USER, PASSWORD).query('SHOW password_encryption;') do + describe postgres_session(USER, PASSWORD).query("SELECT setting FROM pg_settings WHERE name = 'password_encryption';") do its('password_encryption') { should eq 'on' } end else describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do its('output') { should match /^scram-sha-256\S*$/i } end - describe postgres_session(USER, PASSWORD).query('SHOW password_encryption;') do + describe postgres_session(USER, PASSWORD).query("SELECT setting FROM pg_settings WHERE name = 'password_encryption';") do its('password_encryption') { should eq 'scram-sha-256' } end end 
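Review bot: in both hunks `its('password_encryption')` is applied to the result of `postgres_session(...).query(...)`, whose accessor is `output`; the query result has no `password_encryption` method, so these controls fail with an undefined-method error instead of checking the setting. PATCH 10 corrects this; squash it here so the intermediate commits do not ship a broken control. The direction of the change is right: a value in postgresql.conf can be overridden by `ALTER SYSTEM` (postgresql.auto.conf) or an included file, so the running value from `SHOW` / `pg_settings` is the one worth asserting.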
From 91fa9cc26b7718c59095288511bcc98fd8726a20 Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Fri, 16 Jul 2021 11:52:14 +0200 Subject: [PATCH 10/46] check database parameters instead of config file - fix output param Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 79ec0fa..98bf463 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -145,15 +145,15 @@ describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do its('output') { should match /^md5\S*$/i } end - describe postgres_session(USER, PASSWORD).query("SELECT setting FROM pg_settings WHERE name = 'password_encryption';") do - its('password_encryption') { should eq 'on' } + describe postgres_session(USER, PASSWORD).query('SHOW password_encryption;') do + its('output') { should eq 'on' } end else describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do its('output') { should match /^scram-sha-256\S*$/i } end - describe postgres_session(USER, PASSWORD).query("SELECT setting FROM pg_settings WHERE name = 'password_encryption';") do - its('password_encryption') { should eq 'scram-sha-256' } + describe postgres_session(USER, PASSWORD).query('SHOW password_encryption;') do + its('output') { should eq 'scram-sha-256' } end end end From 170e50d1f0ad0df4d10cf944ad5aebec0159c525 Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Fri, 16 Jul 2021 13:05:03 +0200 Subject: [PATCH 11/46] add comment, restrict hba_conf privileges Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 98bf463..316cc74 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb
@@ -198,6 +198,7 @@ it { should be_owned_by USER } it { should be_readable.by('owner') } it { should be_readable.by('group') } + # https://github.com/geerlingguy/ansible-role-postgresql/pull/187 it { should_not be_readable.by('other') } it { should be_writable.by('owner') } it { should_not be_writable.by('group') } @@ -210,7 +211,7 @@ it { should be_file } it { should be_owned_by USER } it { should be_readable.by('owner') } - it { should be_readable.by('group') } + it { should_not be_readable.by('group') } it { should_not be_readable.by('other') } it { should be_writable.by('owner') } it { should_not be_writable.by('group') } From 71f26c51e982c1ec9d478d87461e7714e3ebf158 Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Fri, 16 Jul 2021 13:16:54 +0200 Subject: [PATCH 12/46] check database parameters instead of config file - ssl param Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 316cc74..b4c3de6 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -226,8 +226,8 @@ impact 1.0 title 'It is recommended to activate ssl communication.' desc 'The hardening-cookbook will delete the links from #var/lib/postgresql/%postgresql-version%/main/server.crt to etc/ssl/certs/ssl-cert-snakeoil.pem and #var/lib/postgresql/%postgresql-version%/main/server.key to etc/ssl/private/ssl-cert-snakeoil.key on Debian systems. This certificates are self-signed (see http://en.wikipedia.org/wiki/Snake_oil_%28cryptography%29) and therefore not trusted. You have to #provide our own trusted certificates for SSL.' - describe postgres_conf(POSTGRES_CONF_PATH) do - its('ssl') { should eq 'on' } + describe postgres_session(USER, PASSWORD).query('SHOW ssl;') do + its('output') { should eq 'on' } end end From 43efb1ef105971c83f7e58bf8b4c44e855c96307 Mon Sep 17 00:00:00 2001 
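Review bot: in PATCH 11's first hunk the comment `# https://github.com/geerlingguy/ansible-role-postgresql/pull/187` is inserted above `should_not be_readable.by('other')`, but it justifies the `be_readable.by('group')` line immediately before it; move it there or, since PATCH 19 deletes it again anyway, leave it out. Restoring `should_not be_readable.by('group')` on the hba_conf block at :211 is correct. In PATCH 12, `SHOW ssl` returning `on` only proves the server will accept TLS; it does not stop cleartext connections. Pair it with a check that the pg_hba.conf entries for non-local addresses use `hostssl` (and that no `hostnossl` rule exists), and consider asserting `ssl_min_protocol_version` as well. The desc string in that control (unchanged context here) also carries stray `#` characters (`#var/lib/postgresql/...`, `#provide our own`) and "This certificates"; this commit touches the control, so fix the wording in the same hunk.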
From: Filip Krahl Date: Fri, 16 Jul 2021 13:20:46 +0200 Subject: [PATCH 13/46] check database parameters instead of config file - ssl_ciphers param Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index b4c3de6..a0ad96e 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -235,8 +235,8 @@ impact 1.0 title 'Use strong chiphers for ssl communication' desc 'The following categories of SSL Ciphers must not be used: ADH, LOW, EXP and MD5. A very good description for secure postgres installation / configuration can be found at: https://bettercrypto.org' - describe postgres_conf(POSTGRES_CONF_PATH) do - its('ssl_ciphers') { should eq 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' } + describe postgres_session(USER, PASSWORD).query('SHOW ssl_ciphers;') do + its('output') { should eq 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' } end end From f551ded659c64d7e9963859e3ae284511301cbb2 Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Fri, 16 Jul 2021 13:55:21 +0200 Subject: [PATCH 14/46] check database parameters instead of config file - logging params Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index a0ad96e..77dd0b0 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb 
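Review bot: `its('output') { should eq 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' }` is an exact-string match, so an operator who configures a stricter list (for example `HIGH:!aNULL:!MD5`) fails the control even though it satisfies the desc ("must not be used: ADH, LOW, EXP and MD5"). Assert the property instead, e.g. `should_not match /ADH|LOW|EXP|MD5|aNULL|RC4|3DES/`, and accept any list that excludes them. The required string itself still admits whatever the OpenSSL build classifies as MEDIUM (3DES, and RC4 on older builds) and non-forward-secret RSA key exchange, so the baseline value should be tightened at the same time. The control title's "chiphers" (unchanged context) should read "ciphers".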
@@ -279,14 +279,26 @@ impact 1.0 title 'Enable logging functions' desc 'Logging functions must be turned on and properly configured according / compliant to local law.' - describe postgres_conf(POSTGRES_CONF_PATH) do - its('logging_collector') { should eq 'on' } - its('log_connections') { should eq 'on' } - its('log_disconnections') { should eq 'on' } - its('log_duration') { should eq 'on' } - its('log_hostname') { should eq 'on' } - its('log_directory') { should_not eq ' ' } - its('log_line_prefix') { should eq '%t %u %d %h' } + describe postgres_session(USER, PASSWORD).query('SHOW logging_collector;') do + its('output') { should eq 'on' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_connections;') do + its('output') { should eq 'on' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_disconnections;') do + its('output') { should eq 'on' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_duration;') do + its('output') { should eq 'on' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_hostname;') do + its('output') { should eq 'on' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_directory;') do + its('output') { should eq 'on' } + end + describe postgres_session(USER, PASSWORD).query('SHOW log_line_prefix;') do + its('output') { should eq 'on' } end end From a6b9ba6760115a763df37bfb2f22a3ee76eaeb31 Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Fri, 16 Jul 2021 14:06:36 +0200 Subject: [PATCH 15/46] define log_directory Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 77dd0b0..ae33487 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb 
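Review bot: the last two describe blocks assert that `SHOW log_directory` and `SHOW log_line_prefix` return `'on'`, a copy-paste of the boolean checks above them; neither setting is boolean, so both controls fail on every host. PATCH 15 through 18 repair them one commit at a time; squash those fixes into this one. For `log_line_prefix`, prefer a `match` on the fields the baseline requires (`%t`, `%u`, `%d`, `%h`) over an exact `eq`, because operators routinely add `%p` or `%a` and should not fail for it. Seven separate `postgres_session` describes also run psql seven times; one `SELECT name, setting FROM pg_settings WHERE name IN (...)` would cover them all.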
@@ -295,7 +295,7 @@ its('output') { should eq 'on' } end describe postgres_session(USER, PASSWORD).query('SHOW log_directory;') do - its('output') { should eq 'on' } + its('output') { should eq '/var/log/postgresql' } end describe postgres_session(USER, PASSWORD).query('SHOW log_line_prefix;') do its('output') { should eq 'on' } From b2df7e44b7fb49a0f5d1f351db6db05493544488 Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Fri, 16 Jul 2021 14:38:05 +0200 Subject: [PATCH 16/46] fix log_line_prefix output Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index ae33487..85d1e9f 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -298,7 +298,7 @@ its('output') { should eq '/var/log/postgresql' } end describe postgres_session(USER, PASSWORD).query('SHOW log_line_prefix;') do - its('output') { should eq 'on' } + its('output') { should eq '%t %u %d %h' } end end From d6bc86139b1989466169ebe248e248df6ad445cb Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Fri, 16 Jul 2021 14:45:32 +0200 Subject: [PATCH 17/46] postgres log_directory should_not be empty Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 85d1e9f..c1bb2fa 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -295,7 +295,7 @@ its('output') { should eq 'on' } end describe postgres_session(USER, PASSWORD).query('SHOW log_directory;') do - its('output') { should eq '/var/log/postgresql' } + its('output') { should_not eq ' ' } end describe postgres_session(USER, PASSWORD).query('SHOW log_line_prefix;') do its('output') { should eq '%t %u %d %h' } From 902c4c8b6374b85df8e4efd70dd82a4d9b0087e0 Mon Sep 17 00:00:00 2001 
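Review bot: PATCH 15 hard-codes `/var/log/postgresql`, which is the Debian packaging layout and fails everywhere else, and PATCH 17 then replaces it with `should_not eq ' '` (a single space, which `SHOW log_directory` can never return, so the check is vacuous). The setting is never empty; what the control is trying to express is that logs do not sit in the default in-cluster directory and that the directory is protected. Resolve the value (relative to `data_directory` when it is not absolute) and describe it as a `directory` resource that exists, is owned by the postgres user and is not readable by others.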
From: Filip Krahl Date: Fri, 16 Jul 2021 14:48:28 +0200 Subject: [PATCH 18/46] postgres log_directory should_not be default Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index c1bb2fa..f647afd 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -295,7 +295,7 @@ its('output') { should eq 'on' } end describe postgres_session(USER, PASSWORD).query('SHOW log_directory;') do - its('output') { should_not eq ' ' } + its('output') { should_not eq 'log' } end describe postgres_session(USER, PASSWORD).query('SHOW log_line_prefix;') do its('output') { should eq '%t %u %d %h' } From 256117eeac98de36aa38a9a90cc0d11082d8a38f Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Thu, 3 Feb 2022 14:51:25 +0100 Subject: [PATCH 19/46] remove obsolete comment Signed-off-by: Filip Krahl --- controls/postgres_spec.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index f647afd..0871e17 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -198,7 +198,6 @@ it { should be_owned_by USER } it { should be_readable.by('owner') } it { should be_readable.by('group') } - # https://github.com/geerlingguy/ansible-role-postgresql/pull/187 it { should_not be_readable.by('other') } it { should be_writable.by('owner') } it { should_not be_writable.by('group') } From 14fe2eb83f76cbf2cfee96a33df94b4e5d8c904b Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Thu, 3 Feb 2022 15:00:41 +0100 Subject: [PATCH 20/46] update inspec version Signed-off-by: Filip Krahl --- inspec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inspec.yml b/inspec.yml index ae903c5..39abd6c 100644 --- a/inspec.yml +++ b/inspec.yml 
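Review bot: PATCH 20 overwrites the profile's own `version: 3.0.1` with `'>= 4.6.3'`; that value is an InSpec version constraint and belongs under `inspec_version:`, which PATCH 21 corrects (squash the two). In PATCH 18, `should_not eq 'log'` catches only the PostgreSQL 10+ default; earlier releases default to `pg_log` (the value this control originally required), and any other relative value such as `log2` still lands inside the data directory, which is what the check is meant to prevent. Compare against both defaults or, better, test the resolved path as a directory resource.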
@@ -6,6 +6,6 @@ copyright: DevSec Hardening Framework Team copyright_email: hello@dev-sec.io license: Apache-2.0 summary: Test-suite for best-practice postgres hardening -version: 3.0.1 +version: '>= 4.6.3' supports: - os-family: unix From 5bee4aca3ad8a71dd69944a0c0e8fad893aae116 Mon Sep 17 00:00:00 2001 From: Filip Krahl Date: Thu, 3 Feb 2022 15:32:25 +0100 Subject: [PATCH 21/46] fix inspec.yml Signed-off-by: Filip Krahl --- inspec.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/inspec.yml b/inspec.yml index 39abd6c..0407f11 100644 --- a/inspec.yml +++ b/inspec.yml @@ -6,6 +6,7 @@ copyright: DevSec Hardening Framework Team copyright_email: hello@dev-sec.io license: Apache-2.0 summary: Test-suite for best-practice postgres hardening -version: '>= 4.6.3' +inspec_version: '>= 4.6.3' +version: 3.0.1 supports: - os-family: unix From 60a13d43b9799a09531db906836a6b192208f6bf Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Tue, 22 Feb 2022 09:09:48 +0000 Subject: [PATCH 22/46] update inspec.yml and changelog --- CHANGELOG.md | 8 ++++++++ inspec.yml | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 915e2f4..a271d29 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## [3.0.2](https://github.com/dev-sec/postgres-baseline/tree/3.0.2) (2022-02-22) + +[Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.1...3.0.2) + +**Implemented enhancements:** + +- Verify controls in running configuration [\#44](https://github.com/dev-sec/postgres-baseline/pull/44) ([FLiPp3r90](https://github.com/FLiPp3r90)) + ## [3.0.1](https://github.com/dev-sec/postgres-baseline/tree/3.0.1) (2022-01-12) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.0...3.0.1) diff --git a/inspec.yml b/inspec.yml index 0407f11..6bc6f09 100644 --- a/inspec.yml +++ b/inspec.yml 
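Review bot: the 3.0.2 changelog section and the matching `version: 3.0.2` bump committed here by the CI bot are superseded eleven minutes later by PATCH 23, which rewrites the same section as 3.1.0; a release job that commits a version to master and then changes its mind leaves a phantom version in history. Collapse the two CI commits, and have the job decide the semver bump (the "Implemented enhancements" label is what promotes it to a minor release) before it writes inspec.yml.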
@@ -7,6 +7,6 @@ copyright_email: hello@dev-sec.io license: Apache-2.0 summary: Test-suite for best-practice postgres hardening inspec_version: '>= 4.6.3' -version: 3.0.1 +version: 3.0.2 supports: - os-family: unix From f9ccafce6e4efe78ad836d975c04258c30e59785 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Tue, 22 Feb 2022 09:20:28 +0000 Subject: [PATCH 23/46] update inspec.yml and changelog --- CHANGELOG.md | 8 ++++++-- inspec.yml | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a271d29..a998637 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,13 +1,17 @@ # Changelog -## [3.0.2](https://github.com/dev-sec/postgres-baseline/tree/3.0.2) (2022-02-22) +## [3.1.0](https://github.com/dev-sec/postgres-baseline/tree/3.1.0) (2022-02-22) -[Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.1...3.0.2) +[Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.1...3.1.0) **Implemented enhancements:** - Verify controls in running configuration [\#44](https://github.com/dev-sec/postgres-baseline/pull/44) ([FLiPp3r90](https://github.com/FLiPp3r90)) +**Merged pull requests:** + +- Cookstyle Bot Auto Corrections with Cookstyle 7.14.0 [\#43](https://github.com/dev-sec/postgres-baseline/pull/43) ([cookstyle[bot]](https://github.com/apps/cookstyle)) + ## [3.0.1](https://github.com/dev-sec/postgres-baseline/tree/3.0.1) (2022-01-12) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.0...3.0.1) diff --git a/inspec.yml b/inspec.yml index 6bc6f09..1962832 100644 --- a/inspec.yml +++ b/inspec.yml @@ -7,6 +7,6 @@ copyright_email: hello@dev-sec.io license: Apache-2.0 summary: Test-suite for best-practice postgres hardening inspec_version: '>= 4.6.3' -version: 3.0.2 +version: 3.1.0 supports: - os-family: unix From 86ee90899aad32898a1e72df9bc525650aa5a595 Mon Sep 17 00:00:00 2001 
From: Martin Schurz Date: Fri, 18 Mar 2022 20:01:11 +0100 Subject: [PATCH 24/46] use cookstyle for linting Signed-off-by: Martin Schurz --- .rubocop.yml | 32 -------------------------------- Gemfile | 1 + Rakefile | 7 +++++-- 3 files changed, 6 insertions(+), 34 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index e836519..5484145 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -2,35 +2,3 @@ AllCops: Exclude: - vendor/**/* -Documentation: - Enabled: false -Layout/ParameterAlignment: - Enabled: true -HashSyntax: - Enabled: true -LineLength: - Enabled: false -EmptyLinesAroundBlockBody: - Enabled: false -Style/Encoding: - Enabled: false -MethodLength: - Max: 40 -NumericLiterals: - MinDigits: 10 -Metrics/BlockLength: - Max: 45 # needed for 6.1.1 -Metrics/CyclomaticComplexity: - Max: 10 -Metrics/PerceivedComplexity: - Max: 10 -Metrics/AbcSize: - Max: 30 -# Lint/AmbiguousBlockAssociation is incompatible with RSpec -# https://github.com/rubocop-hq/rubocop/issues/4222 -Lint/AmbiguousBlockAssociation: - Enabled: false -Lint/AmbiguousRegexpLiteral: - Enabled: false -Style/NumericPredicate: - Enabled: false diff --git a/Gemfile b/Gemfile index a076fc4..3a0b06c 100644 --- a/Gemfile +++ b/Gemfile @@ -2,6 +2,7 @@ source 'https://rubygems.org' +gem 'cookstyle' gem 'highline' gem 'rack' gem 'rake' diff --git a/Rakefile b/Rakefile index b527561..5823b2a 100755 --- a/Rakefile +++ b/Rakefile @@ -1,7 +1,6 @@ # frozen_string_literal: true -# !/usr/bin/env rake - +require 'cookstyle' require 'rake/testtask' require 'rubocop/rake_task' @@ -11,6 +10,10 @@ task :rubocop do RuboCop::RakeTask.new end +RuboCop::RakeTask.new(:cookstyle) do |task| + task.options << '--display-cop-names' +end + # lint the project desc 'Run robocop linter' task lint: [:rubocop] From a84b9a8c29b357a0e7ca357047728d4ec30d7de9 Mon Sep 17 00:00:00 2001 
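Review bot: the Rakefile hunk defines a new `RuboCop::RakeTask.new(:cookstyle)` but leaves `task lint: [:rubocop]` pointing at the old task, so `rake lint` (and CI, if it calls it) never runs Cookstyle; wire `:cookstyle` into `lint` or replace `:rubocop` with it, and fix the `desc 'Run robocop linter'` typo while there. Deleting the cop overrides from `.rubocop.yml` is consistent with relying on Cookstyle's bundled config, but the `Exclude: vendor/**/*` that remains is the only thing keeping vendored gems out of the lint run, so keep that file. Adding `gem 'cookstyle'` to the Gemfile without a version constraint means lint results will drift as new Cookstyle releases add cops; pin a major version.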
From: dev-sec CI Date: Fri, 18 Mar 2022 19:07:03 +0000 Subject: [PATCH 25/46] update inspec.yml and changelog --- CHANGELOG.md | 8 ++++++++ inspec.yml | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a998637..997e484 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-03-18) + +[Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) + +**Merged pull requests:** + +- Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) + ## [3.1.0](https://github.com/dev-sec/postgres-baseline/tree/3.1.0) (2022-02-22) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.1...3.1.0) diff --git a/inspec.yml b/inspec.yml index 1962832..7707da8 100644 --- a/inspec.yml +++ b/inspec.yml @@ -7,6 +7,6 @@ copyright_email: hello@dev-sec.io license: Apache-2.0 summary: Test-suite for best-practice postgres hardening inspec_version: '>= 4.6.3' -version: 3.1.0 +version: 3.1.1 supports: - os-family: unix From b59e929502c91f0c77316c8ed16709796c5d8217 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Thu, 29 Sep 2022 09:24:45 +0200 Subject: [PATCH 26/46] Update release.yml --- .github/workflows/release.yml | 41 +++++++++++++++-------------------- 1 file changed, 17 insertions(+), 24 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 986fa04..542794d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,6 +1,8 @@ +--- name: New release -on: +on: # yamllint disable-line rule:truthy + workflow_dispatch: push: branches: - master @@ -10,9 +12,10 @@ jobs: runs-on: ubuntu-latest name: create release draft steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: fetch-depth: 0 + ref: master - name: 'Get Previous tag' id: previoustag 
@@ -32,13 +35,6 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} future_release: ${{ steps.version.outputs.next-version }} - - name: Generate changelog for the release - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - since_tag: ${{ steps.previoustag.outputs.tag }} - future_release: ${{ steps.version.outputs.next-version }} - output: CHANGELOGRELEASE.md - name: update inspec.yml uses: mikefarah/yq@3.2.1 @@ -46,7 +42,7 @@ jobs: cmd: yq w -I4 -i inspec.yml version ${{ steps.version.outputs.next-version }} && sed -i '1i---' inspec.yml - name: push inspec.yml and changelog - uses: github-actions-x/commit@v2.6 + uses: github-actions-x/commit@v2.9 with: github-token: ${{ secrets.GITHUB_TOKEN }} push-branch: 'master' @@ -54,7 +50,11 @@ jobs: files: inspec.yml CHANGELOG.md name: dev-sec CI email: hello@dev-sec.io - rebase: 'true' + force-add: 'true' + + - name: Generate changelog for the release + run: | + sed '/## \[${{ steps.previoustag.outputs.tag }}\]/Q' CHANGELOG.md > CHANGELOGRELEASE.md - name: Read CHANGELOG.md id: package 
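Review bot: the new `run:` step interpolates `${{ steps.previoustag.outputs.tag }}` directly into a shell/sed command; that is the expression-injection pattern GitHub warns about, and the tag name also lands unescaped inside a sed regex (a `.` in `3.1.1` matches any character). Pass the tag through `env:` and quote it, and escape regex metacharacters before use. Switching from `rebase: 'true'` to `force-add: 'true'` on the commit step is fine, and replacing the `charmixer/auto-changelog-action` step with plain `sed` removes one third-party action from the release path, which is a good direction.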
@@ -62,26 +62,19 @@ jobs: with: path: ./CHANGELOGRELEASE.md - - uses: actions/checkout@v2 - with: - ref: master - - - name: Get current commitish - id: current_commitish - run: echo "::set-output name=sha::$(git log -1 --format="%H")" - - - name: Check it - run: echo ${{ steps.current_commitish.outputs.sha }} + - name: Delete old drafts + uses: hugo19941994/delete-draft-releases@v1.0.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Create Release draft id: create_release - uses: actions/create-release@v1.1.2 + uses: actions/create-release@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token with: release_name: ${{ steps.version.outputs.next-version }} tag_name: ${{ steps.version.outputs.next-version }} body: | ${{ steps.package.outputs.content }} - commitish: ${{ steps.current_commitish.outputs.sha }} draft: true From 44ab02a0513fdd738ea67d1a9b4ea98858a8148e Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Thu, 29 Sep 2022 07:26:01 +0000 Subject: [PATCH 27/46] update inspec.yml and changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 997e484..190c827 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-03-18) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-09-29) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) From 3af32d68018969d0ccbe401b4b11fa1127d843dd Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 5 Dec 2022 15:23:19 +0100 Subject: [PATCH 28/46] use centralised issue templates and workflows 
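Review bot: `hugo19941994/delete-draft-releases@v1.0.0`, together with `github-actions-x/commit@v2.9` and `mikefarah/yq@3.2.1` from the earlier hunks, are third-party actions referenced by mutable tags in a job whose `GITHUB_TOKEN` pushes to master and creates releases; pin each to a full commit SHA and add an explicit `permissions:` block limited to `contents: write` so a retagged action cannot do more than the job needs. `actions/create-release@v1` is archived and unmaintained; consider a maintained alternative. Dropping `commitish` means the draft is created from the default branch HEAD at run time rather than the SHA this job just pushed and tested; normally identical, but a concurrent push to master would be tagged instead, so pass the pushed SHA explicitly.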
Signed-off-by: Martin Schurz --- .github/ISSUE_TEMPLATE/bug_report.md | 42 -------------- .github/ISSUE_TEMPLATE/feature_request.md | 17 ------ .github/workflows/release.yml | 70 +---------------------- .github/workflows/test.yml | 16 +----- 4 files changed, 2 insertions(+), 143 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature_request.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index f5b6c01..0000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,42 +0,0 @@ ---- -name: Bug report -about: Create a report to help us improve - ---- - -**Describe the bug** -A clear and concise description of what the bug is. - -**Expected behavior** -A clear and concise description of what you expected to happen. - -**Actual behavior** - -```paste below - -``` - -**Example code** - -```paste below - -``` - -**OS / Environment** - - - -**Inspec Version** - -```paste below - -``` - -**Baseline Version** - -```paste below - -``` - -**Additional context** -Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md deleted file mode 100644 index 066b2d9..0000000 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project - ---- - -**Is your feature request related to a problem? Please describe.** -A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] - -**Describe the solution you'd like** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Additional context** -Add any other context or screenshots about the feature request here. 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 542794d..6a305c7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -9,72 +9,4 @@ on: # yamllint disable-line rule:truthy jobs: generate_changelog: - runs-on: ubuntu-latest - name: create release draft - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: master - - - name: 'Get Previous tag' - id: previoustag - uses: "WyriHaximus/github-action-get-previous-tag@master" - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - - - name: calculate next version - id: version - uses: patrickjahns/version-drafter-action@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - future_release: ${{ steps.version.outputs.next-version }} - - - - name: update inspec.yml - uses: mikefarah/yq@3.2.1 - with: - cmd: yq w -I4 -i inspec.yml version ${{ steps.version.outputs.next-version }} && sed -i '1i---' inspec.yml - - - name: push inspec.yml and changelog - uses: github-actions-x/commit@v2.9 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - push-branch: 'master' - commit-message: 'update inspec.yml and changelog' - files: inspec.yml CHANGELOG.md - name: dev-sec CI - email: hello@dev-sec.io - force-add: 'true' - - - name: Generate changelog for the release - run: | - sed '/## \[${{ steps.previoustag.outputs.tag }}\]/Q' CHANGELOG.md > CHANGELOGRELEASE.md - - - name: Read CHANGELOG.md - id: package - uses: juliangruber/read-file-action@v1 - with: - path: ./CHANGELOGRELEASE.md - - - name: Delete old drafts - uses: hugo19941994/delete-draft-releases@v1.0.0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Create Release draft - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token - with: - release_name: ${{ steps.version.outputs.next-version }} - tag_name: ${{ steps.version.outputs.next-version }} - body: | - ${{ steps.package.outputs.content }} - draft: true + uses: 
dev-sec/.github/.github/workflows/baseline-release.yml@main diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 33f4a5c..e88a234 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,18 +10,4 @@ on: jobs: test: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - ruby-version: ['2.6', '2.7', '3.0'] - - steps: - - uses: actions/checkout@v2 - - name: Set up Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: ${{ matrix.ruby-version }} - bundler-cache: true # runs 'bundle install' and caches installed gems automatically - - name: Run tests - run: bundle exec rake + uses: dev-sec/.github/.github/workflows/baseline-test.yml@main From 6858eaa3907ebd9c8f6853ad41b86164cfbdc03c Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 5 Dec 2022 21:54:18 +0100 Subject: [PATCH 29/46] update README.md Signed-off-by: Martin Schurz --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5453f72..2a0add2 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ $ inspec exec https://github.com/dev-sec/postgres-baseline - Author:: Christoph Hartmann - Author:: Edmund Haselwanter -- Copyright 2014-2019, The DevSec Hardening Framework Team +- Copyright 2014-2022, The DevSec Hardening Framework Team Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From 8fb3ff384cce1d20f1738bdeb389f9b936306934 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Mon, 5 Dec 2022 20:56:09 +0000 Subject: [PATCH 30/46] update inspec.yml and changelog --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 190c827..6f20a7f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
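Review bot: both `release.yml` and `test.yml` now delegate to reusable workflows referenced as `dev-sec/.github/.github/workflows/baseline-release.yml@main` and `baseline-test.yml@main`; `@main` is a moving branch, so any change to (or compromise of) the central repository is picked up by the next release run with no commit in this repo, and the release caller still supplies a push-capable `GITHUB_TOKEN`. Pin the reusable workflows to a tag or, better, a full commit SHA that Renovate can bump, and record the permissions each caller grants. Also, the deleted `test.yml` matrix covered Ruby 2.6, 2.7 and 3.0; confirm the central `baseline-test.yml` keeps an equivalent matrix, since that coverage is no longer visible in this repository.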
@@ -1,9 +1,13 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-09-29) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-12-05) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) +**Implemented enhancements:** + +- use centralised issue templates and workflows [\#48](https://github.com/dev-sec/postgres-baseline/pull/48) ([schurzi](https://github.com/schurzi)) + **Merged pull requests:** - Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) From 28bc9808a2104a1d67d2eeebb1cb659dd281faf3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 30 Mar 2023 00:02:22 +0000 Subject: [PATCH 31/46] Add renovate.json --- renovate.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 renovate.json diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..39a2b6e --- /dev/null +++ b/renovate.json @@ -0,0 +1,6 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:base" + ] +} From b241cdf4be1152412f65fb17f05319dded54dcb2 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Fri, 31 Mar 2023 10:26:41 +0200 Subject: [PATCH 32/46] configure renovate Signed-off-by: Martin Schurz --- renovate.json | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 39a2b6e..830b725 100644 --- a/renovate.json +++ b/renovate.json @@ -1,6 +1,15 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ - "config:base" + "config:base", + ":gitSignOff" + ], + "dependencyDashboard": true, + "dependencyDashboardAutoclose": true, + "packageRules": [ + { + "matchUpdateTypes": ["patch", "minor"], + "automerge": true + } ] } From 7c2f5c8020949925815605d9332ef1126ded2693 Mon Sep 17 00:00:00 2001 
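Review bot: in the second `renovate.json` hunk, `"automerge": true` for `patch` and `minor` updates applies to every manager, including GitHub Actions `uses:` references, so a minor bump of a third-party action pinned by tag is merged without human review; narrow the rule with `matchManagers`, or have Renovate pin actions by digest (the `helpers:pinGitHubActionDigests` preset) so that automerged bumps are at least immutable. Note also that automerge is gated only by whatever status checks the repository defines, so the `test` workflow is the sole guard for these merges.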
From: dev-sec CI Date: Fri, 31 Mar 2023 08:28:22 +0000 Subject: [PATCH 33/46] update inspec.yml and changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f20a7f..de9f2b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-12-05) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-03-31) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) @@ -10,6 +10,7 @@ **Merged pull requests:** +- Configure Renovate [\#49](https://github.com/dev-sec/postgres-baseline/pull/49) ([renovate[bot]](https://github.com/apps/renovate)) - Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) ## [3.1.0](https://github.com/dev-sec/postgres-baseline/tree/3.1.0) (2022-02-22) From 0036bd25fb843851e329885a1b3d4882e0dba33d Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Sun, 30 Apr 2023 21:40:49 +0200 Subject: [PATCH 34/46] add codespell action Signed-off-by: Martin Schurz --- .github/workflows/codespell.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/workflows/codespell.yml diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml new file mode 100644 index 0000000..aa95ac5 --- /dev/null +++ b/.github/workflows/codespell.yml @@ -0,0 +1,12 @@ +--- +name: Codespell - Spellcheck + +on: # yamllint disable-line rule:truthy + push: + branches: [master] + pull_request: + branches: [master] + +jobs: + codespell: + uses: "dev-sec/.github/.github/workflows/codespell.yml@main" From 7feaebea399b308501132820cf6af0c7d9a50768 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Sun, 30 Apr 2023 21:41:46 +0200 Subject: [PATCH 35/46] fix spelling errors 
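Review bot: the new `codespell.yml` references the shared workflow as `dev-sec/.github/.github/workflows/codespell.yml@main`, the same moving-branch reference as release.yml and test.yml; the risk is lower here since spellchecking only needs read access, but keep the references consistent (one pinned ref that Renovate bumps) so a single policy covers all three callers.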
Signed-off-by: Martin Schurz --- controls/postgres_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index b54b762..b3f1169 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -82,7 +82,7 @@ control 'postgres-02' do impact 1.0 title 'Use stable postgresql version' - desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL oder BETA versions in a production environment.' + desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL or BETA versions in a production environment.' describe command('psql -V') do its('stdout') { should match /^psql\s\(PostgreSQL\)\s(9.6|10|11|12|13).*/ } end @@ -313,7 +313,7 @@ control 'postgres-18' do impact 1.0 title 'Grants should not be assigned with grant option privilege' - desc 'Grants should not be assigned with grant option exept postgresql admin superuser.' + desc 'Grants should not be assigned with grant option except postgresql admin superuser.' describe postgres_session(USER, PASSWORD).query("SELECT COUNT(is_grantable) FROM information_schema.table_privileges WHERE grantee NOT LIKE 'postgres' AND is_grantable = 'YES';") do its('output') { should eq '0' } end From 8ed10646628d42a92287571865f1dd869c54f093 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 2 May 2023 15:13:04 +0200 Subject: [PATCH 36/46] fix spelling errors Signed-off-by: Martin Schurz --- CHANGELOG.md | 2 +- controls/postgres_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index de9f2b5..4d4d148 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
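Review bot: beyond the spelling fix in postgres-18, the query excludes grantees with `grantee NOT LIKE 'postgres'`, i.e. by role name, while the description says the exception is the admin superuser; a superuser under any other name is counted as a violation and a non-superuser role literally named `postgres` is silently exempted. Consider excluding by privilege rather than by name, e.g. `... WHERE is_grantable = 'YES' AND grantee NOT IN (SELECT rolname FROM pg_roles WHERE rolsuper)`. In the postgres-02 hunk, the context regex `(9.6|10|11|12|13).*` leaves the dot in `9.6` unescaped; `9\.6` is what is meant.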
@@ -142,7 +142,7 @@ **Merged pull requests:** -- install server and apply hardening in seperate steps [\#5](https://github.com/dev-sec/postgres-baseline/pull/5) ([chris-rock](https://github.com/chris-rock)) +- install server and apply hardening in separate steps [\#5](https://github.com/dev-sec/postgres-baseline/pull/5) ([chris-rock](https://github.com/chris-rock)) - bugfix: lint error [\#4](https://github.com/dev-sec/postgres-baseline/pull/4) ([chris-rock](https://github.com/chris-rock)) - add ssl test back in for 'off' setting [\#3](https://github.com/dev-sec/postgres-baseline/pull/3) ([ehaselwanter](https://github.com/ehaselwanter)) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index b3f1169..3f194e7 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -250,7 +250,7 @@ control 'postgres-14' do impact 1.0 - title 'Require only trusted authentication mathods in pg_hba.conf' + title 'Require only trusted authentication methods in pg_hba.conf' desc 'Require trusted auth method for ALL users, peers in pg_hba.conf and do not allow untrusted authentication methods.' case postgres.version when /^9/ From 79aea7aef858abe6e502d2a7215810d170473ff9 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Tue, 2 May 2023 13:15:32 +0000 Subject: [PATCH 37/46] update inspec.yml and changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d4d148..c2d6e35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-03-31) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-05-02) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) 
@@ -10,6 +10,7 @@ **Merged pull requests:** +- add spellchecking with codespell [\#50](https://github.com/dev-sec/postgres-baseline/pull/50) ([schurzi](https://github.com/schurzi)) - Configure Renovate [\#49](https://github.com/dev-sec/postgres-baseline/pull/49) ([renovate[bot]](https://github.com/apps/renovate)) - Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) From 1516b0aeb5003fc1bf31097363e5be631470a829 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Sun, 19 Nov 2023 15:00:56 +0100 Subject: [PATCH 38/46] ensure compatibility with new inspec version Signed-off-by: Martin Schurz --- controls/postgres_spec.rb | 48 ++++++--------------------------------- inspec.yml | 15 ++++++++++++ 2 files changed, 22 insertions(+), 41 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 3f194e7..f628d50 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb 
@@ -22,47 +22,13 @@ title 'PostgreSQL Server Configuration' # inputs -USER = input( - 'user', - description: 'define the postgresql user to access the database', - value: 'postgres' -) - -PASSWORD = input( - 'password', - description: 'define the postgresql password to access the database', - value: 'iloverandompasswordsbutthiswilldo' -) - -POSTGRES_DATA = input( - 'postgres_data', - description: 'define the postgresql data directory', - value: postgres.data_dir -) - -POSTGRES_CONF_DIR = input( - 'postgres_conf_dir', - description: 'define the postgresql configuration directory', - value: postgres.conf_dir -) - -POSTGRES_CONF_PATH = input( - 'postgres_conf_path', - description: 'define path for the postgresql configuration file', - value: File.join(POSTGRES_CONF_DIR.to_s, 'postgresql.conf') -) - -POSTGRES_HBA_CONF_FILE = input( - 'postgres_hba_conf_file', - description: 'define path for the postgresql configuration file', - value: File.join(POSTGRES_CONF_DIR.to_s, 'pg_hba.conf') -) - -POSTGRES_LOG_DIR = input( - 'postgres_log_dir', - description: 'define path for the postgresql log file', - value: '/var/log/postgresql' -) +USER = input('user', value: 'postgres') +PASSWORD = input('password', value: 'iloverandompasswordsbutthiswilldo') +POSTGRES_DATA = input('postgres_data', value: postgres.data_dir) +POSTGRES_CONF_DIR = input('postgres_conf_dir', value: postgres.conf_dir) +POSTGRES_CONF_PATH = input('postgres_conf_path', value: File.join(POSTGRES_CONF_DIR.to_s, 'postgresql.conf')) +POSTGRES_HBA_CONF_FILE = input('postgres_hba_conf_file', value: File.join(POSTGRES_CONF_DIR.to_s, 'pg_hba.conf')) +POSTGRES_LOG_DIR = input('postgres_log_dir', value: '/var/log/postgresql') only_if do command('psql').exist? diff --git a/inspec.yml b/inspec.yml index 7707da8..7306f8e 100644 --- a/inspec.yml +++ b/inspec.yml 
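Review bot: the collapsed `PASSWORD = input('password', value: 'iloverandompasswordsbutthiswilldo')` keeps a hardcoded default database password in the profile; since the input metadata is moving to `inspec.yml`, this is the place to mark the input `sensitive: true` so its value is masked in reports, and preferably to drop the in-code default in favour of `required: true` so a run against a real server cannot silently fall back to a well-known string. The remaining `value:` defaults that reference `postgres.data_dir` and `postgres.conf_dir` cannot be expressed in `inspec.yml`, which is why they stay in the control file; a short comment saying so would stop a later cleanup from removing them.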
@@ -10,3 +10,18 @@ inspec_version: '>= 4.6.3' version: 3.1.1 supports: - os-family: unix +inputs: + - name: user + description: define the postgresql user to access the database + - name: password + description: define the postgresql password to access the database + - name: postgres_data + description: define the postgresql data directory + - name: postgres_conf_dir + description: define the postgresql configuration directory + - name: postgres_conf_path + description: define path for the postgresql configuration file + - name: postgres_hba_conf_file + description: define path for the postgresql configuration file + - name: postgres_log_dir + description: define path for the postgresql log file From c2b268cee5dc6e862b8d7cf0577a05d2057832f4 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sun, 19 Nov 2023 15:48:56 +0000 Subject: [PATCH 39/46] update inspec.yml and changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c2d6e35..d244520 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-05-02) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-11-19) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) @@ -10,6 +10,7 @@ **Merged pull requests:** +- ensure compatibility with new inspec version [\#51](https://github.com/dev-sec/postgres-baseline/pull/51) ([schurzi](https://github.com/schurzi)) - add spellchecking with codespell [\#50](https://github.com/dev-sec/postgres-baseline/pull/50) ([schurzi](https://github.com/schurzi)) - Configure Renovate [\#49](https://github.com/dev-sec/postgres-baseline/pull/49) ([renovate[bot]](https://github.com/apps/renovate)) - Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) 
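Review bot: `postgres_conf_path` and `postgres_hba_conf_file` carry the identical description `define path for the postgresql configuration file`; the second should read "define path for the pg_hba.conf file" so that input listings and generated docs distinguish the two, and the `password` entry is the natural place for `sensitive: true`.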
From eb7aeadb5015c0f06d661f203d2206669b95f446 Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Thu, 7 Dec 2023 16:24:04 +0330 Subject: [PATCH 40/46] Fix #52: Update supported versions Signed-off-by: Mahdi Fooladgar --- controls/postgres_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index f628d50..dc40f56 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -50,7 +50,7 @@ title 'Use stable postgresql version' desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL or BETA versions in a production environment.' describe command('psql -V') do - its('stdout') { should match /^psql\s\(PostgreSQL\)\s(9.6|10|11|12|13).*/ } + its('stdout') { should match /^psql\s\(PostgreSQL\)\s(12|13|14|15|16).*/ } end describe command('psql -V') do its('stdout') { should_not match /RC/ } From 1bcdb4d0abaa34164d5c9219168c9c7a003503b4 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Thu, 7 Dec 2023 16:06:59 +0000 Subject: [PATCH 41/46] update inspec.yml and changelog --- CHANGELOG.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d244520..02d8eeb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
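Review bot: the control is titled "Use stable postgresql version" but `psql -V` reports the version of the psql client binary, not of the running server, so a host with a current client package and an old or unsupported server passes; the profile already has `postgres.version` available (postgres-14 branches on it), which is the better source for this check. The updated alternation `(12|13|14|15|16).*` should also be bounded, e.g. `(12|13|14|15|16)\.`, so the unanchored tail cannot match unintended prefixes, and the hardcoded list will need revisiting with each yearly PostgreSQL release and EOL.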
@@ -1,15 +1,17 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-11-19) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-12-07) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) **Implemented enhancements:** +- Update Supported Versions [\#52](https://github.com/dev-sec/postgres-baseline/issues/52) - use centralised issue templates and workflows [\#48](https://github.com/dev-sec/postgres-baseline/pull/48) ([schurzi](https://github.com/schurzi)) **Merged pull requests:** +- Fix \#52: Update supported versions [\#53](https://github.com/dev-sec/postgres-baseline/pull/53) ([professormahi](https://github.com/professormahi)) - ensure compatibility with new inspec version [\#51](https://github.com/dev-sec/postgres-baseline/pull/51) ([schurzi](https://github.com/schurzi)) - add spellchecking with codespell [\#50](https://github.com/dev-sec/postgres-baseline/pull/50) ([schurzi](https://github.com/schurzi)) - Configure Renovate [\#49](https://github.com/dev-sec/postgres-baseline/pull/49) ([renovate[bot]](https://github.com/apps/renovate)) @@ -31,10 +33,6 @@ [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.0...3.0.1) -**Implemented enhancements:** - -- Switch back to simple InSpec service description [\#17](https://github.com/dev-sec/postgres-baseline/issues/17) - **Merged pull requests:** - use input instead of attribute [\#45](https://github.com/dev-sec/postgres-baseline/pull/45) ([micheelengronne](https://github.com/micheelengronne)) From bfd74b9edf45c55715ef9aca326ac2399e267c87 Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Fri, 8 Dec 2023 12:23:55 +0330 Subject: [PATCH 42/46] Fix #17: Checking postgresql status on Ubuntu Signed-off-by: Mahdi Fooladgar --- controls/postgres_spec.rb | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) 
diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index dc40f56..0fb93ee 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -38,10 +38,16 @@ impact 1.0 title 'Postgresql should be running' desc 'Postgresql should be running.' - describe service(postgres.service) do - it { should be_installed } - it { should be_running } - it { should be_enabled } + if os[:name] == "ubuntu" + describe command('/etc/init.d/postgresql status') do + its('stdout') { should include 'active' } + end + else + describe service(postgres.service) do + it { should be_installed } + it { should be_running } + it { should be_enabled } + end end end From b402ef615f30eb4a4fc1d2bbadf1c7e187f20f54 Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Fri, 8 Dec 2023 12:37:30 +0330 Subject: [PATCH 43/46] Fix a typo on using double-quoted strings Signed-off-by: Mahdi Fooladgar --- controls/postgres_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 0fb93ee..7a8ef10 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -38,7 +38,7 @@ impact 1.0 title 'Postgresql should be running' desc 'Postgresql should be running.' - if os[:name] == "ubuntu" + if os[:name] == 'ubuntu' describe command('/etc/init.d/postgresql status') do its('stdout') { should include 'active' } end From 17eb756e6c0838d84d974cd32fb599d875582543 Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Fri, 8 Dec 2023 19:05:36 +0330 Subject: [PATCH 44/46] Remove postgre-01 Signed-off-by: Mahdi Fooladgar --- controls/postgres_spec.rb | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 7a8ef10..35d354f 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb 
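Review bot: in the new Ubuntu branch of postgres-01, `its('stdout') { should include 'active' }` is also satisfied by the substring of `inactive` and `activating`, so a stopped service passes the check; use a bounded match such as `should match(/\bactive\b/)` (a word boundary rejects `inactive`), and expect `postgres_spec.rb` to document what `/etc/init.d/postgresql status` prints on the supported Ubuntu releases. The branch also drops the `be_installed` and `be_enabled` expectations for Ubuntu, so the control no longer verifies that the service starts on boot there.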
@@ -34,23 +34,6 @@ command('psql').exist? end -control 'postgres-01' do - impact 1.0 - title 'Postgresql should be running' - desc 'Postgresql should be running.' - if os[:name] == 'ubuntu' - describe command('/etc/init.d/postgresql status') do - its('stdout') { should include 'active' } - end - else - describe service(postgres.service) do - it { should be_installed } - it { should be_running } - it { should be_enabled } - end - end -end - control 'postgres-02' do impact 1.0 title 'Use stable postgresql version' From 0e2fa88eef98974bc245da271294908fba38b8c0 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Fri, 8 Dec 2023 15:52:30 +0000 Subject: [PATCH 45/46] update inspec.yml and changelog --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02d8eeb..ee83524 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
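Review bot: deleting postgres-01 outright removes the only check that the server is installed, running and enabled; with the `only_if` on `command('psql').exist?` still in place, the remaining `postgres_session` controls will fail at query time against a stopped server instead of producing a clear finding. If the Ubuntu `service(postgres.service)` problem behind #17 cannot be fixed, keep at least a `be_running` check with the Ubuntu case handled, or state in the README that the profile assumes a running server.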
@@ -1,16 +1,18 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-12-07) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-12-08) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) **Implemented enhancements:** - Update Supported Versions [\#52](https://github.com/dev-sec/postgres-baseline/issues/52) +- Switch back to simple InSpec service description [\#17](https://github.com/dev-sec/postgres-baseline/issues/17) - use centralised issue templates and workflows [\#48](https://github.com/dev-sec/postgres-baseline/pull/48) ([schurzi](https://github.com/schurzi)) **Merged pull requests:** +- Remove control for running Database [\#54](https://github.com/dev-sec/postgres-baseline/pull/54) ([professormahi](https://github.com/professormahi)) - Fix \#52: Update supported versions [\#53](https://github.com/dev-sec/postgres-baseline/pull/53) ([professormahi](https://github.com/professormahi)) - ensure compatibility with new inspec version [\#51](https://github.com/dev-sec/postgres-baseline/pull/51) ([schurzi](https://github.com/schurzi)) - add spellchecking with codespell [\#50](https://github.com/dev-sec/postgres-baseline/pull/50) ([schurzi](https://github.com/schurzi)) From a9824c65a72f5b8520aae2d8a48fcc22014eb314 Mon Sep 17 00:00:00 2001 From: Jaco Stroebel Date: Mon, 24 Mar 2025 09:20:11 +0200 Subject: [PATCH 46/46] Update supported version check Signed-off-by: Jaco Stroebel --- controls/postgres_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 35d354f..c27c2d3 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb 
@@ -39,7 +39,7 @@ title 'Use stable postgresql version' desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL or BETA versions in a production environment.' describe command('psql -V') do - its('stdout') { should match /^psql\s\(PostgreSQL\)\s(12|13|14|15|16).*/ } + its('stdout') { should match /^psql\s\(PostgreSQL\)\s(13|14|15|16|17).*/ } end describe command('psql -V') do its('stdout') { should_not match /RC/ }