diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
deleted file mode 100644
index f5b6c01..0000000
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-
----
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Actual behavior**
-
-```paste below
-
-```
-
-**Example code**
-
-```paste below
-
-```
-
-**OS / Environment**
-
-
-
-**Inspec Version**
-
-```paste below
-
-```
-
-**Baseline Version**
-
-```paste below
-
-```
-
-**Additional context**
-Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
deleted file mode 100644
index 066b2d9..0000000
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
new file mode 100644
index 0000000..aa95ac5
--- /dev/null
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,12 @@
+---
+name: Codespell - Spellcheck
+
+on: # yamllint disable-line rule:truthy
+ push:
+ branches: [master]
+ pull_request:
+ branches: [master]
+
+jobs:
+ codespell:
+ uses: "dev-sec/.github/.github/workflows/codespell.yml@main"
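Review bot: The reusable workflow on the last added line of the codespell.yml hunk is referenced by the mutable branch ref `@main`, so whatever lands on that branch of dev-sec/.github runs here with this repository's token and nothing in this repo records which revision was used; the release.yml and test.yml hunks in this commit take the same form. Pinning to a tag or a full commit SHA, e.g. `uses: "dev-sec/.github/.github/workflows/codespell.yml@<commit-sha>"`, makes the dependency auditable and lets the Renovate config added in this commit propose updates, which it cannot do for a branch name. If keeping `@main` is the deliberate choice for org-internal workflows, a one-line comment above the `uses:` line saying so, e.g. `# intentionally tracks main: workflow is maintained by this org`, would stop the next reviewer from re-raising it.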
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 986fa04..6a305c7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,87 +1,12 @@ +--- name: New release -on: +on: # yamllint disable-line rule:truthy + workflow_dispatch: push: branches: - master jobs: generate_changelog: - runs-on: ubuntu-latest - name: create release draft - steps: - - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - - name: 'Get Previous tag' - id: previoustag - uses: "WyriHaximus/github-action-get-previous-tag@master" - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - - - name: calculate next version - id: version - uses: patrickjahns/version-drafter-action@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - future_release: ${{ steps.version.outputs.next-version }} - - - name: Generate changelog for the release - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - since_tag: ${{ steps.previoustag.outputs.tag }} - future_release: ${{ steps.version.outputs.next-version }} - output: CHANGELOGRELEASE.md - - - name: update inspec.yml - uses: mikefarah/yq@3.2.1 - with: - cmd: yq w -I4 -i inspec.yml version ${{ steps.version.outputs.next-version }} && sed -i '1i---' inspec.yml - - - name: push inspec.yml and changelog - uses: github-actions-x/commit@v2.6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - push-branch: 'master' - commit-message: 'update inspec.yml and changelog' - files: inspec.yml CHANGELOG.md - name: dev-sec CI - email: hello@dev-sec.io - rebase: 'true' - - - name: Read CHANGELOG.md - id: package - uses: juliangruber/read-file-action@v1 - with: - path: ./CHANGELOGRELEASE.md - - - uses: actions/checkout@v2 - with: - ref: master - - - name: Get current commitish - id: current_commitish - run: echo "::set-output name=sha::$(git log -1 --format="%H")" - - - name: Check it - run: echo ${{ steps.current_commitish.outputs.sha }} - - - name: Create Release draft - id: create_release - uses: actions/create-release@v1.1.2 - env: - 
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token - with: - release_name: ${{ steps.version.outputs.next-version }} - tag_name: ${{ steps.version.outputs.next-version }} - body: | - ${{ steps.package.outputs.content }} - commitish: ${{ steps.current_commitish.outputs.sha }} - draft: true + uses: dev-sec/.github/.github/workflows/baseline-release.yml@main diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 33f4a5c..e88a234 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,18 +10,4 @@ on: jobs: test: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - ruby-version: ['2.6', '2.7', '3.0'] - - steps: - - uses: actions/checkout@v2 - - name: Set up Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: ${{ matrix.ruby-version }} - bundler-cache: true # runs 'bundle install' and caches installed gems automatically - - name: Run tests - run: bundle exec rake + uses: dev-sec/.github/.github/workflows/baseline-test.yml@main diff --git a/CHANGELOG.md b/CHANGELOG.md index a998637..ee83524 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
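Review bot: The caller has no `permissions:` block, while the job it now delegates to (`uses: dev-sec/.github/.github/workflows/baseline-release.yml@main`) replaces steps that pushed a commit and created a release, which need `contents: write`; a called workflow cannot obtain more than the caller's token carries, so this now depends on the repository's default token permissions. Declaring the need explicitly at the top level, `permissions:` followed by `  contents: write`, keeps the release job working when the default is read-only and documents the scope the job really needs. If baseline-release.yml needs any secret other than GITHUB_TOKEN, which is passed to a called workflow automatically, it also has to be handed over with `secrets: inherit` or an explicit mapping, and none is on the new `uses:` line.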
@@ -1,5 +1,24 @@ # Changelog +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-12-08) + +[Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) + +**Implemented enhancements:** + +- Update Supported Versions [\#52](https://github.com/dev-sec/postgres-baseline/issues/52) +- Switch back to simple InSpec service description [\#17](https://github.com/dev-sec/postgres-baseline/issues/17) +- use centralised issue templates and workflows [\#48](https://github.com/dev-sec/postgres-baseline/pull/48) ([schurzi](https://github.com/schurzi)) + +**Merged pull requests:** + +- Remove control for running Database [\#54](https://github.com/dev-sec/postgres-baseline/pull/54) ([professormahi](https://github.com/professormahi)) +- Fix \#52: Update supported versions [\#53](https://github.com/dev-sec/postgres-baseline/pull/53) ([professormahi](https://github.com/professormahi)) +- ensure compatibility with new inspec version [\#51](https://github.com/dev-sec/postgres-baseline/pull/51) ([schurzi](https://github.com/schurzi)) +- add spellchecking with codespell [\#50](https://github.com/dev-sec/postgres-baseline/pull/50) ([schurzi](https://github.com/schurzi)) +- Configure Renovate [\#49](https://github.com/dev-sec/postgres-baseline/pull/49) ([renovate[bot]](https://github.com/apps/renovate)) +- Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) + ## [3.1.0](https://github.com/dev-sec/postgres-baseline/tree/3.1.0) (2022-02-22) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.1...3.1.0) 
@@ -16,10 +35,6 @@ [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.0...3.0.1) -**Implemented enhancements:** - -- Switch back to simple InSpec service description [\#17](https://github.com/dev-sec/postgres-baseline/issues/17) - **Merged pull requests:** - use input instead of attribute [\#45](https://github.com/dev-sec/postgres-baseline/pull/45) ([micheelengronne](https://github.com/micheelengronne)) @@ -129,7 +144,7 @@ **Merged pull requests:** -- install server and apply hardening in seperate steps [\#5](https://github.com/dev-sec/postgres-baseline/pull/5) ([chris-rock](https://github.com/chris-rock)) +- install server and apply hardening in separate steps [\#5](https://github.com/dev-sec/postgres-baseline/pull/5) ([chris-rock](https://github.com/chris-rock)) - bugfix: lint error [\#4](https://github.com/dev-sec/postgres-baseline/pull/4) ([chris-rock](https://github.com/chris-rock)) - add ssl test back in for 'off' setting [\#3](https://github.com/dev-sec/postgres-baseline/pull/3) ([ehaselwanter](https://github.com/ehaselwanter)) diff --git a/README.md b/README.md index 5453f72..2a0add2 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ $ inspec exec https://github.com/dev-sec/postgres-baseline - Author:: Christoph Hartmann - Author:: Edmund Haselwanter -- Copyright 2014-2019, The DevSec Hardening Framework Team +- Copyright 2014-2022, The DevSec Hardening Framework Team Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index b54b762..c27c2d3 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb 
@@ -22,69 +22,24 @@ title 'PostgreSQL Server Configuration' # inputs -USER = input( - 'user', - description: 'define the postgresql user to access the database', - value: 'postgres' -) - -PASSWORD = input( - 'password', - description: 'define the postgresql password to access the database', - value: 'iloverandompasswordsbutthiswilldo' -) - -POSTGRES_DATA = input( - 'postgres_data', - description: 'define the postgresql data directory', - value: postgres.data_dir -) - -POSTGRES_CONF_DIR = input( - 'postgres_conf_dir', - description: 'define the postgresql configuration directory', - value: postgres.conf_dir -) - -POSTGRES_CONF_PATH = input( - 'postgres_conf_path', - description: 'define path for the postgresql configuration file', - value: File.join(POSTGRES_CONF_DIR.to_s, 'postgresql.conf') -) - -POSTGRES_HBA_CONF_FILE = input( - 'postgres_hba_conf_file', - description: 'define path for the postgresql configuration file', - value: File.join(POSTGRES_CONF_DIR.to_s, 'pg_hba.conf') -) - -POSTGRES_LOG_DIR = input( - 'postgres_log_dir', - description: 'define path for the postgresql log file', - value: '/var/log/postgresql' -) +USER = input('user', value: 'postgres') +PASSWORD = input('password', value: 'iloverandompasswordsbutthiswilldo') +POSTGRES_DATA = input('postgres_data', value: postgres.data_dir) +POSTGRES_CONF_DIR = input('postgres_conf_dir', value: postgres.conf_dir) +POSTGRES_CONF_PATH = input('postgres_conf_path', value: File.join(POSTGRES_CONF_DIR.to_s, 'postgresql.conf')) +POSTGRES_HBA_CONF_FILE = input('postgres_hba_conf_file', value: File.join(POSTGRES_CONF_DIR.to_s, 'pg_hba.conf')) +POSTGRES_LOG_DIR = input('postgres_log_dir', value: '/var/log/postgresql') only_if do command('psql').exist? end -control 'postgres-01' do - impact 1.0 - title 'Postgresql should be running' - desc 'Postgresql should be running.' 
- describe service(postgres.service) do - it { should be_installed } - it { should be_running } - it { should be_enabled } - end -end - control 'postgres-02' do impact 1.0 title 'Use stable postgresql version' - desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL oder BETA versions in a production environment.' + desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL or BETA versions in a production environment.' describe command('psql -V') do - its('stdout') { should match /^psql\s\(PostgreSQL\)\s(9.6|10|11|12|13).*/ } + its('stdout') { should match /^psql\s\(PostgreSQL\)\s(13|14|15|16|17).*/ } end describe command('psql -V') do its('stdout') { should_not match /RC/ } @@ -250,7 +205,7 @@ control 'postgres-14' do impact 1.0 - title 'Require only trusted authentication mathods in pg_hba.conf' + title 'Require only trusted authentication methods in pg_hba.conf' desc 'Require trusted auth method for ALL users, peers in pg_hba.conf and do not allow untrusted authentication methods.' case postgres.version when /^9/ @@ -313,7 +268,7 @@ control 'postgres-18' do impact 1.0 title 'Grants should not be assigned with grant option privilege' - desc 'Grants should not be assigned with grant option exept postgresql admin superuser.' + desc 'Grants should not be assigned with grant option except postgresql admin superuser.' describe postgres_session(USER, PASSWORD).query("SELECT COUNT(is_grantable) FROM information_schema.table_privileges WHERE grantee NOT LIKE 'postgres' AND is_grantable = 'YES';") do its('output') { should eq '0' } end diff --git a/inspec.yml b/inspec.yml index 1962832..7306f8e 100644 --- a/inspec.yml +++ b/inspec.yml 
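Review bot: The rewritten `PASSWORD = input('password', value: 'iloverandompasswordsbutthiswilldo')` keeps a hard-coded default credential in the profile, so a run that forgets `--input password=...` connects with that literal and the failure surfaces as an authentication error rather than as a missing input; the value predates this commit, but the line is rewritten here. Dropping the default, `PASSWORD = input('password')`, with the input declared `required: true` in inspec.yml, makes a missing value surface as an input error instead. If the integration tests depend on the baked-in value, a comment above the line stating that it is a test-only default is the minimum. The hunk ends before the later controls that consume these constants.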
@@ -7,6 +7,21 @@ copyright_email: hello@dev-sec.io license: Apache-2.0 summary: Test-suite for best-practice postgres hardening inspec_version: '>= 4.6.3' -version: 3.1.0 +version: 3.1.1 supports: - os-family: unix +inputs: + - name: user + description: define the postgresql user to access the database + - name: password + description: define the postgresql password to access the database + - name: postgres_data + description: define the postgresql data directory + - name: postgres_conf_dir + description: define the postgresql configuration directory + - name: postgres_conf_path + description: define path for the postgresql configuration file + - name: postgres_hba_conf_file + description: define path for the postgresql configuration file + - name: postgres_log_dir + description: define path for the postgresql log file diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..830b725 --- /dev/null +++ b/renovate.json @@ -0,0 +1,15 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:base", + ":gitSignOff" + ], + "dependencyDashboard": true, + "dependencyDashboardAutoclose": true, + "packageRules": [ + { + "matchUpdateTypes": ["patch", "minor"], + "automerge": true + } + ] +}
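Review bot: The description added for `postgres_hba_conf_file` repeats the one for `postgres_conf_path` (`define path for the postgresql configuration file`), so the new metadata no longer tells the two inputs apart; the line should read `description: define path for the pg_hba.conf client authentication file`. The `password` input would also benefit from `sensitive: true`, so tooling that honours the flag redacts its value, and from `required: true`, so the declaration matches the fact that the controls cannot query the database without it.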
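Review bot: `"automerge": true` on the rule matching `"patch"` and `"minor"` lands every such dependency bump without a reviewer, across every manager Renovate detects in the repo; for a hardening baseline whose CI is the only gate that is a deliberate trade-off and deserves a scoping key such as `"matchManagers": ["<manager>"]` or a narrowing to `"patch"` alone. Note that the reusable workflows added in this commit are referenced by `@main`, which Renovate does not update, so the dependency dashboard will not cover them. `config:base` has been superseded by `config:recommended` in recent Renovate releases, if the deployed version supports it.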