From a84b9a8c29b357a0e7ca357047728d4ec30d7de9 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Fri, 18 Mar 2022 19:07:03 +0000 Subject: [PATCH 01/22] update inspec.yml and changelog --- CHANGELOG.md | 8 ++++++++ inspec.yml | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a998637..997e484 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-03-18) + +[Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) + +**Merged pull requests:** + +- Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) + ## [3.1.0](https://github.com/dev-sec/postgres-baseline/tree/3.1.0) (2022-02-22) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.1...3.1.0) diff --git a/inspec.yml b/inspec.yml index 1962832..7707da8 100644 --- a/inspec.yml +++ b/inspec.yml @@ -7,6 +7,6 @@ copyright_email: hello@dev-sec.io license: Apache-2.0 summary: Test-suite for best-practice postgres hardening inspec_version: '>= 4.6.3' -version: 3.1.0 +version: 3.1.1 supports: - os-family: unix From b59e929502c91f0c77316c8ed16709796c5d8217 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Thu, 29 Sep 2022 09:24:45 +0200 Subject: [PATCH 02/22] Update release.yml --- .github/workflows/release.yml | 41 +++++++++++++++-------------------- 1 file changed, 17 insertions(+), 24 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 986fa04..542794d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,6 +1,8 @@ +--- name: New release -on: +on: # yamllint disable-line rule:truthy + workflow_dispatch: push: branches: - master 
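Review bot: The workflow still declares no top-level `permissions:` block, so the `GITHUB_TOKEN` this job later uses to push to master and create releases runs with whatever the repository's default token scope is, which on older repositories is write-all. Since the job needs exactly one scope, declaring it next to the new trigger block, `permissions:` followed by `  contents: write`, bounds the token for every step and every third-party action the job calls. Adding `workflow_dispatch:` is reasonable, but it is worth a one-line comment that a manual run also pushes a version bump to master, since that is not obvious from the trigger name.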
@@ -10,9 +12,10 @@ jobs: runs-on: ubuntu-latest name: create release draft steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: fetch-depth: 0 + ref: master - name: 'Get Previous tag' id: previoustag @@ -32,13 +35,6 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} future_release: ${{ steps.version.outputs.next-version }} - - name: Generate changelog for the release - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - since_tag: ${{ steps.previoustag.outputs.tag }} - future_release: ${{ steps.version.outputs.next-version }} - output: CHANGELOGRELEASE.md - name: update inspec.yml uses: mikefarah/yq@3.2.1 @@ -46,7 +42,7 @@ jobs: cmd: yq w -I4 -i inspec.yml version ${{ steps.version.outputs.next-version }} && sed -i '1i---' inspec.yml - name: push inspec.yml and changelog - uses: github-actions-x/commit@v2.6 + uses: github-actions-x/commit@v2.9 with: github-token: ${{ secrets.GITHUB_TOKEN }} push-branch: 'master' @@ -54,7 +50,11 @@ jobs: files: inspec.yml CHANGELOG.md name: dev-sec CI email: hello@dev-sec.io - rebase: 'true' + force-add: 'true' + + - name: Generate changelog for the release + run: | + sed '/## \[${{ steps.previoustag.outputs.tag }}\]/Q' CHANGELOG.md > CHANGELOGRELEASE.md - name: Read CHANGELOG.md id: package 
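Review bot: The step that pushes to master with the repository token references a third-party action by a mutable tag, `uses: github-actions-x/commit@v2.9`, so anyone able to move that tag in the action's repository could run code with push rights on this branch. Pinning to a full commit SHA with the version kept as a comment, `uses: github-actions-x/commit@<40-char sha> # v2.9`, removes that exposure and is the form GitHub's own hardening guidance recommends for non-GitHub actions; `mikefarah/yq@3.2.1` in the preceding step has the same issue. If the project prefers tags, a comment saying that is a deliberate choice would save the next reviewer from raising it again.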
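Review bot: The new changelog step interpolates a workflow expression straight into a shell script, `sed '/## \[${{ steps.previoustag.outputs.tag }}\]/Q' CHANGELOG.md > CHANGELOGRELEASE.md`, so the tag text is substituted before the shell parses the line and a tag name containing a quote or `$(...)` would be executed rather than searched for. Only users who can create tags can reach this, which narrows the exposure, but the safe form costs nothing: add `env:` with `PREV_TAG: ${{ steps.previoustag.outputs.tag }}` to the step and write the command as `sed "/## \\[$PREV_TAG\\]/Q" CHANGELOG.md > CHANGELOGRELEASE.md`. The `Q` command is a GNU sed extension, fine on `ubuntu-latest` but worth a short comment so the step is not ported to a BSD runner unchanged.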
@@ -62,26 +62,19 @@ jobs: with: path: ./CHANGELOGRELEASE.md - - uses: actions/checkout@v2 - with: - ref: master - - - name: Get current commitish - id: current_commitish - run: echo "::set-output name=sha::$(git log -1 --format="%H")" - - - name: Check it - run: echo ${{ steps.current_commitish.outputs.sha }} + - name: Delete old drafts + uses: hugo19941994/delete-draft-releases@v1.0.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Create Release draft id: create_release - uses: actions/create-release@v1.1.2 + uses: actions/create-release@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token with: release_name: ${{ steps.version.outputs.next-version }} tag_name: ${{ steps.version.outputs.next-version }} body: | ${{ steps.package.outputs.content }} - commitish: ${{ steps.current_commitish.outputs.sha }} draft: true From 44ab02a0513fdd738ea67d1a9b4ea98858a8148e Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Thu, 29 Sep 2022 07:26:01 +0000 Subject: [PATCH 03/22] update inspec.yml and changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 997e484..190c827 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-03-18) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-09-29) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) From 3af32d68018969d0ccbe401b4b11fa1127d843dd Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 5 Dec 2022 15:23:19 +0100 Subject: [PATCH 04/22] use centralised issue templates and workflows 
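Review bot: Dropping `commitish:` from the release step means the tag for the draft is, as I read the releases API, created at the default branch's HEAD at the moment the draft is published, not at the commit whose changelog was just generated, so a release published days later can silently include commits the changelog does not mention. Capturing the SHA after the push step, e.g. a step with `run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"`, and passing it back as `commitish:` restores the binding; the removed `Get current commitish` step was doing this, only against a stale checkout. Separately, `hugo19941994/delete-draft-releases@v1.0.0` deletes every draft in the repository rather than the one for this version, and `actions/create-release` is, to my knowledge, archived upstream, so both deserve a comment or a maintained replacement.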
Signed-off-by: Martin Schurz --- .github/ISSUE_TEMPLATE/bug_report.md | 42 -------------- .github/ISSUE_TEMPLATE/feature_request.md | 17 ------ .github/workflows/release.yml | 70 +---------------------- .github/workflows/test.yml | 16 +----- 4 files changed, 2 insertions(+), 143 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature_request.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index f5b6c01..0000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,42 +0,0 @@ ---- -name: Bug report -about: Create a report to help us improve - ---- - -**Describe the bug** -A clear and concise description of what the bug is. - -**Expected behavior** -A clear and concise description of what you expected to happen. - -**Actual behavior** - -```paste below - -``` - -**Example code** - -```paste below - -``` - -**OS / Environment** - - - -**Inspec Version** - -```paste below - -``` - -**Baseline Version** - -```paste below - -``` - -**Additional context** -Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md deleted file mode 100644 index 066b2d9..0000000 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project - ---- - -**Is your feature request related to a problem? Please describe.** -A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] - -**Describe the solution you'd like** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Additional context** -Add any other context or screenshots about the feature request here. 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 542794d..6a305c7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -9,72 +9,4 @@ on: # yamllint disable-line rule:truthy jobs: generate_changelog: - runs-on: ubuntu-latest - name: create release draft - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: master - - - name: 'Get Previous tag' - id: previoustag - uses: "WyriHaximus/github-action-get-previous-tag@master" - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - - - name: calculate next version - id: version - uses: patrickjahns/version-drafter-action@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - future_release: ${{ steps.version.outputs.next-version }} - - - - name: update inspec.yml - uses: mikefarah/yq@3.2.1 - with: - cmd: yq w -I4 -i inspec.yml version ${{ steps.version.outputs.next-version }} && sed -i '1i---' inspec.yml - - - name: push inspec.yml and changelog - uses: github-actions-x/commit@v2.9 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - push-branch: 'master' - commit-message: 'update inspec.yml and changelog' - files: inspec.yml CHANGELOG.md - name: dev-sec CI - email: hello@dev-sec.io - force-add: 'true' - - - name: Generate changelog for the release - run: | - sed '/## \[${{ steps.previoustag.outputs.tag }}\]/Q' CHANGELOG.md > CHANGELOGRELEASE.md - - - name: Read CHANGELOG.md - id: package - uses: juliangruber/read-file-action@v1 - with: - path: ./CHANGELOGRELEASE.md - - - name: Delete old drafts - uses: hugo19941994/delete-draft-releases@v1.0.0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Create Release draft - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token - with: - release_name: ${{ steps.version.outputs.next-version }} - tag_name: ${{ steps.version.outputs.next-version }} - body: | - ${{ steps.package.outputs.content }} - draft: true + uses: 
dev-sec/.github/.github/workflows/baseline-release.yml@main diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 33f4a5c..e88a234 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,18 +10,4 @@ on: jobs: test: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - ruby-version: ['2.6', '2.7', '3.0'] - - steps: - - uses: actions/checkout@v2 - - name: Set up Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: ${{ matrix.ruby-version }} - bundler-cache: true # runs 'bundle install' and caches installed gems automatically - - name: Run tests - run: bundle exec rake + uses: dev-sec/.github/.github/workflows/baseline-test.yml@main From 6858eaa3907ebd9c8f6853ad41b86164cfbdc03c Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 5 Dec 2022 21:54:18 +0100 Subject: [PATCH 05/22] update README.md Signed-off-by: Martin Schurz --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5453f72..2a0add2 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ $ inspec exec https://github.com/dev-sec/postgres-baseline - Author:: Christoph Hartmann - Author:: Edmund Haselwanter -- Copyright 2014-2019, The DevSec Hardening Framework Team +- Copyright 2014-2022, The DevSec Hardening Framework Team Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From 8fb3ff384cce1d20f1738bdeb389f9b936306934 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Mon, 5 Dec 2022 20:56:09 +0000 Subject: [PATCH 06/22] update inspec.yml and changelog --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 190c827..6f20a7f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
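Review bot: The entire release job, including whatever step pushes to master with the repository token, now comes from `uses: dev-sec/.github/.github/workflows/baseline-release.yml@main`, a branch reference, so any commit to that branch in the org's `.github` repository changes this repository's release pipeline on its next run without a diff appearing here. Pinning the call to a tag or, better, a commit SHA (`...baseline-release.yml@<sha> # vX.Y`) keeps that change reviewable; if tracking `main` is intentional for the org, a comment stating so would document the trade-off. Note that a reusable workflow inherits the caller's token permissions and this file declares none, so an explicit top-level `permissions:` with `contents: write` is still the place to bound it; the trigger block is outside this hunk.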
@@ -1,9 +1,13 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-09-29) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-12-05) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) +**Implemented enhancements:** + +- use centralised issue templates and workflows [\#48](https://github.com/dev-sec/postgres-baseline/pull/48) ([schurzi](https://github.com/schurzi)) + **Merged pull requests:** - Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) From 28bc9808a2104a1d67d2eeebb1cb659dd281faf3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 30 Mar 2023 00:02:22 +0000 Subject: [PATCH 07/22] Add renovate.json --- renovate.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 renovate.json diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..39a2b6e --- /dev/null +++ b/renovate.json @@ -0,0 +1,6 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:base" + ] +} From b241cdf4be1152412f65fb17f05319dded54dcb2 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Fri, 31 Mar 2023 10:26:41 +0200 Subject: [PATCH 08/22] configure renovate Signed-off-by: Martin Schurz --- renovate.json | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 39a2b6e..830b725 100644 --- a/renovate.json +++ b/renovate.json @@ -1,6 +1,15 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ - "config:base" + "config:base", + ":gitSignOff" + ], + "dependencyDashboard": true, + "dependencyDashboardAutoclose": true, + "packageRules": [ + { + "matchUpdateTypes": ["patch", "minor"], + "automerge": true + } ] } From 7c2f5c8020949925815605d9332ef1126ded2693 Mon Sep 17 00:00:00 2001 
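Review bot: The `"automerge": true` rule is keyed only on `"matchUpdateTypes": ["patch", "minor"]`, so it applies to every manager Renovate detects in this repository, including `github-actions` and bundler, and a patch release of any action or gem lands on master without a human look. As I understand Renovate's defaults, it only waits for CI when the branch has required status checks configured, so that setting should be verified alongside this change or the merge is unconditional. Scoping the rule, for example adding `"matchManagers": ["github-actions"]`, and pinning action digests via the `helpers:pinGitHubActionDigests` preset if this Renovate version provides it, would turn the automerged updates into SHA diffs that can be audited later.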
From: dev-sec CI Date: Fri, 31 Mar 2023 08:28:22 +0000 Subject: [PATCH 09/22] update inspec.yml and changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f20a7f..de9f2b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2022-12-05) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-03-31) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) @@ -10,6 +10,7 @@ **Merged pull requests:** +- Configure Renovate [\#49](https://github.com/dev-sec/postgres-baseline/pull/49) ([renovate[bot]](https://github.com/apps/renovate)) - Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) ## [3.1.0](https://github.com/dev-sec/postgres-baseline/tree/3.1.0) (2022-02-22) From 0036bd25fb843851e329885a1b3d4882e0dba33d Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Sun, 30 Apr 2023 21:40:49 +0200 Subject: [PATCH 10/22] add codespell action Signed-off-by: Martin Schurz --- .github/workflows/codespell.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/workflows/codespell.yml diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml new file mode 100644 index 0000000..aa95ac5 --- /dev/null +++ b/.github/workflows/codespell.yml @@ -0,0 +1,12 @@ +--- +name: Codespell - Spellcheck + +on: # yamllint disable-line rule:truthy + push: + branches: [master] + pull_request: + branches: [master] + +jobs: + codespell: + uses: "dev-sec/.github/.github/workflows/codespell.yml@main" From 7feaebea399b308501132820cf6af0c7d9a50768 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Sun, 30 Apr 2023 21:41:46 +0200 Subject: [PATCH 11/22] fix spelling errors 
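Review bot: The new spell-check workflow declares no `permissions:` block, so on `push` and `pull_request` it hands the reusable `dev-sec/.github/.github/workflows/codespell.yml@main` the repository's default token scope, which is broader than a linter that only reads the tree needs. A top-level `permissions:` with `contents: read` limits it to the one thing it does. The `@main` reference is the same moving target as the other centralised workflows in this series; a tag or SHA pin applies here as well.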
Signed-off-by: Martin Schurz --- controls/postgres_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index b54b762..b3f1169 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -82,7 +82,7 @@ control 'postgres-02' do impact 1.0 title 'Use stable postgresql version' - desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL oder BETA versions in a production environment.' + desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL or BETA versions in a production environment.' describe command('psql -V') do its('stdout') { should match /^psql\s\(PostgreSQL\)\s(9.6|10|11|12|13).*/ } end @@ -313,7 +313,7 @@ control 'postgres-18' do impact 1.0 title 'Grants should not be assigned with grant option privilege' - desc 'Grants should not be assigned with grant option exept postgresql admin superuser.' + desc 'Grants should not be assigned with grant option except postgresql admin superuser.' describe postgres_session(USER, PASSWORD).query("SELECT COUNT(is_grantable) FROM information_schema.table_privileges WHERE grantee NOT LIKE 'postgres' AND is_grantable = 'YES';") do its('output') { should eq '0' } end From 8ed10646628d42a92287571865f1dd869c54f093 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 2 May 2023 15:13:04 +0200 Subject: [PATCH 12/22] fix spelling errors Signed-off-by: Martin Schurz --- CHANGELOG.md | 2 +- controls/postgres_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index de9f2b5..4d4d148 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -142,7 +142,7 @@ **Merged pull requests:** -- install server and apply hardening in seperate steps [\#5](https://github.com/dev-sec/postgres-baseline/pull/5) ([chris-rock](https://github.com/chris-rock)) +- install server and apply hardening in separate steps [\#5](https://github.com/dev-sec/postgres-baseline/pull/5) ([chris-rock](https://github.com/chris-rock)) - bugfix: lint error [\#4](https://github.com/dev-sec/postgres-baseline/pull/4) ([chris-rock](https://github.com/chris-rock)) - add ssl test back in for 'off' setting [\#3](https://github.com/dev-sec/postgres-baseline/pull/3) ([ehaselwanter](https://github.com/ehaselwanter)) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index b3f1169..3f194e7 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -250,7 +250,7 @@ control 'postgres-14' do impact 1.0 - title 'Require only trusted authentication mathods in pg_hba.conf' + title 'Require only trusted authentication methods in pg_hba.conf' desc 'Require trusted auth method for ALL users, peers in pg_hba.conf and do not allow untrusted authentication methods.' case postgres.version when /^9/ From 79aea7aef858abe6e502d2a7215810d170473ff9 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Tue, 2 May 2023 13:15:32 +0000 Subject: [PATCH 13/22] update inspec.yml and changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d4d148..c2d6e35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-03-31) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-05-02) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) 
@@ -10,6 +10,7 @@ **Merged pull requests:** +- add spellchecking with codespell [\#50](https://github.com/dev-sec/postgres-baseline/pull/50) ([schurzi](https://github.com/schurzi)) - Configure Renovate [\#49](https://github.com/dev-sec/postgres-baseline/pull/49) ([renovate[bot]](https://github.com/apps/renovate)) - Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) From 1516b0aeb5003fc1bf31097363e5be631470a829 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Sun, 19 Nov 2023 15:00:56 +0100 Subject: [PATCH 14/22] ensure compatibility with new inspec version Signed-off-by: Martin Schurz --- controls/postgres_spec.rb | 48 ++++++--------------------------------- inspec.yml | 15 ++++++++++++ 2 files changed, 22 insertions(+), 41 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 3f194e7..f628d50 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb 
@@ -22,47 +22,13 @@ title 'PostgreSQL Server Configuration' # inputs -USER = input( - 'user', - description: 'define the postgresql user to access the database', - value: 'postgres' -) - -PASSWORD = input( - 'password', - description: 'define the postgresql password to access the database', - value: 'iloverandompasswordsbutthiswilldo' -) - -POSTGRES_DATA = input( - 'postgres_data', - description: 'define the postgresql data directory', - value: postgres.data_dir -) - -POSTGRES_CONF_DIR = input( - 'postgres_conf_dir', - description: 'define the postgresql configuration directory', - value: postgres.conf_dir -) - -POSTGRES_CONF_PATH = input( - 'postgres_conf_path', - description: 'define path for the postgresql configuration file', - value: File.join(POSTGRES_CONF_DIR.to_s, 'postgresql.conf') -) - -POSTGRES_HBA_CONF_FILE = input( - 'postgres_hba_conf_file', - description: 'define path for the postgresql configuration file', - value: File.join(POSTGRES_CONF_DIR.to_s, 'pg_hba.conf') -) - -POSTGRES_LOG_DIR = input( - 'postgres_log_dir', - description: 'define path for the postgresql log file', - value: '/var/log/postgresql' -) +USER = input('user', value: 'postgres') +PASSWORD = input('password', value: 'iloverandompasswordsbutthiswilldo') +POSTGRES_DATA = input('postgres_data', value: postgres.data_dir) +POSTGRES_CONF_DIR = input('postgres_conf_dir', value: postgres.conf_dir) +POSTGRES_CONF_PATH = input('postgres_conf_path', value: File.join(POSTGRES_CONF_DIR.to_s, 'postgresql.conf')) +POSTGRES_HBA_CONF_FILE = input('postgres_hba_conf_file', value: File.join(POSTGRES_CONF_DIR.to_s, 'pg_hba.conf')) +POSTGRES_LOG_DIR = input('postgres_log_dir', value: '/var/log/postgresql') only_if do command('psql').exist? diff --git a/inspec.yml b/inspec.yml index 7707da8..7306f8e 100644 --- a/inspec.yml +++ b/inspec.yml 
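Review bot: `PASSWORD = input('password', value: 'iloverandompasswordsbutthiswilldo')` keeps a default database credential in the profile, and now that the descriptions have moved to inspec.yml this line is the only place a reader learns that a real value is expected; a run that silently connects with the placeholder produces failing query controls instead of a clear "input not set" error. Removing the `value:` for `password` (and arguably `user`) so InSpec reports the missing input — its exact behaviour for an unset input varies by version, so pair it with `required: true` in the profile metadata — would make the requirement explicit. At minimum a comment such as `# no safe default: supply via --input-file rather than --input so the value does not appear in the process list` belongs next to it. The `only_if` block that follows begins inside the hunk and ends outside it.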
@@ -10,3 +10,18 @@ inspec_version: '>= 4.6.3' version: 3.1.1 supports: - os-family: unix +inputs: + - name: user + description: define the postgresql user to access the database + - name: password + description: define the postgresql password to access the database + - name: postgres_data + description: define the postgresql data directory + - name: postgres_conf_dir + description: define the postgresql configuration directory + - name: postgres_conf_path + description: define path for the postgresql configuration file + - name: postgres_hba_conf_file + description: define path for the postgresql configuration file + - name: postgres_log_dir + description: define path for the postgresql log file From c2b268cee5dc6e862b8d7cf0577a05d2057832f4 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sun, 19 Nov 2023 15:48:56 +0000 Subject: [PATCH 15/22] update inspec.yml and changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c2d6e35..d244520 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-05-02) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-11-19) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) @@ -10,6 +10,7 @@ **Merged pull requests:** +- ensure compatibility with new inspec version [\#51](https://github.com/dev-sec/postgres-baseline/pull/51) ([schurzi](https://github.com/schurzi)) - add spellchecking with codespell [\#50](https://github.com/dev-sec/postgres-baseline/pull/50) ([schurzi](https://github.com/schurzi)) - Configure Renovate [\#49](https://github.com/dev-sec/postgres-baseline/pull/49) ([renovate[bot]](https://github.com/apps/renovate)) - Change linting to Cookstyle [\#46](https://github.com/dev-sec/postgres-baseline/pull/46) ([schurzi](https://github.com/schurzi)) 
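Review bot: The `password` input is declared like any other, but InSpec input metadata accepts `sensitive: true`, which redacts the value in CLI and reporter output; a credential used to log into the database should carry it, i.e. under `- name: password` add `sensitive: true`. Adding `required: true` to `user` and `password` also turns a forgotten `--input-file` into an explicit error rather than a connection failure deep in the controls. Separately, `postgres_hba_conf_file` reuses the description of `postgres_conf_path`; `define path for the pg_hba.conf file` is what it actually holds.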
From eb7aeadb5015c0f06d661f203d2206669b95f446 Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Thu, 7 Dec 2023 16:24:04 +0330 Subject: [PATCH 16/22] Fix #52: Update supported versions Signed-off-by: Mahdi Fooladgar --- controls/postgres_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index f628d50..dc40f56 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -50,7 +50,7 @@ title 'Use stable postgresql version' desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL or BETA versions in a production environment.' describe command('psql -V') do - its('stdout') { should match /^psql\s\(PostgreSQL\)\s(9.6|10|11|12|13).*/ } + its('stdout') { should match /^psql\s\(PostgreSQL\)\s(12|13|14|15|16).*/ } end describe command('psql -V') do its('stdout') { should_not match /RC/ } From 1bcdb4d0abaa34164d5c9219168c9c7a003503b4 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Thu, 7 Dec 2023 16:06:59 +0000 Subject: [PATCH 17/22] update inspec.yml and changelog --- CHANGELOG.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d244520..02d8eeb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
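Review bot: The control reads the version from `psql -V`, which reports the client binary, while the hardening claim is about the server; on a host where only the client package was upgraded, or where a newer client is pulled in as a dependency, the check passes for an unsupported server. The profile already uses the `postgres` resource for this (`postgres.version` in postgres-14), so, assuming that resource returns the server version as a string the way its use there suggests, `describe postgres.version do` with `it { should match /^(12|13|14|15|16)\./ }` would test the right component. The current `(12|13|14|15|16).*` form is also unanchored on the right, which is harmless today but worth the trailing `\.`. The control body continues below the hunk.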
@@ -1,15 +1,17 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-11-19) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-12-07) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) **Implemented enhancements:** +- Update Supported Versions [\#52](https://github.com/dev-sec/postgres-baseline/issues/52) - use centralised issue templates and workflows [\#48](https://github.com/dev-sec/postgres-baseline/pull/48) ([schurzi](https://github.com/schurzi)) **Merged pull requests:** +- Fix \#52: Update supported versions [\#53](https://github.com/dev-sec/postgres-baseline/pull/53) ([professormahi](https://github.com/professormahi)) - ensure compatibility with new inspec version [\#51](https://github.com/dev-sec/postgres-baseline/pull/51) ([schurzi](https://github.com/schurzi)) - add spellchecking with codespell [\#50](https://github.com/dev-sec/postgres-baseline/pull/50) ([schurzi](https://github.com/schurzi)) - Configure Renovate [\#49](https://github.com/dev-sec/postgres-baseline/pull/49) ([renovate[bot]](https://github.com/apps/renovate)) @@ -31,10 +33,6 @@ [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.0.0...3.0.1) -**Implemented enhancements:** - -- Switch back to simple InSpec service description [\#17](https://github.com/dev-sec/postgres-baseline/issues/17) - **Merged pull requests:** - use input instead of attribute [\#45](https://github.com/dev-sec/postgres-baseline/pull/45) ([micheelengronne](https://github.com/micheelengronne)) From bfd74b9edf45c55715ef9aca326ac2399e267c87 Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Fri, 8 Dec 2023 12:23:55 +0330 Subject: [PATCH 18/22] Fix #17: Checking postgresql status on Ubuntu Signed-off-by: Mahdi Fooladgar --- controls/postgres_spec.rb | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) 
diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index dc40f56..0fb93ee 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -38,10 +38,16 @@ impact 1.0 title 'Postgresql should be running' desc 'Postgresql should be running.' - describe service(postgres.service) do - it { should be_installed } - it { should be_running } - it { should be_enabled } + if os[:name] == "ubuntu" + describe command('/etc/init.d/postgresql status') do + its('stdout') { should include 'active' } + end + else + describe service(postgres.service) do + it { should be_installed } + it { should be_running } + it { should be_enabled } + end end end From b402ef615f30eb4a4fc1d2bbadf1c7e187f20f54 Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Fri, 8 Dec 2023 12:37:30 +0330 Subject: [PATCH 19/22] Fix a typo on using double-quoted strings Signed-off-by: Mahdi Fooladgar --- controls/postgres_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 0fb93ee..7a8ef10 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb @@ -38,7 +38,7 @@ impact 1.0 title 'Postgresql should be running' desc 'Postgresql should be running.' - if os[:name] == "ubuntu" + if os[:name] == 'ubuntu' describe command('/etc/init.d/postgresql status') do its('stdout') { should include 'active' } end From 17eb756e6c0838d84d974cd32fb599d875582543 Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Fri, 8 Dec 2023 19:05:36 +0330 Subject: [PATCH 20/22] Remove postgre-01 Signed-off-by: Mahdi Fooladgar --- controls/postgres_spec.rb | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 7a8ef10..35d354f 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb 
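Review bot: `its('stdout') { should include 'active' }` is a substring match, and the init script on a systemd-based Ubuntu delegates to `systemctl status`, which presumably prints `Active: inactive (dead)` for a stopped server, so the new Ubuntu branch passes when PostgreSQL is down — the opposite of what postgres-01 asserts. A bounded pattern fixes it, `its('stdout') { should match /\bActive:\s+active\b/ }`, which still accepts the `active (exited)` that Ubuntu's meta-unit reports; alternatively `service('postgresql')` with `be_running` if the only problem with `postgres.service` was the unit name. A later patch in this series removes the control entirely, which avoids the bug but also drops the running-state check.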
@@ -34,23 +34,6 @@ command('psql').exist? end -control 'postgres-01' do - impact 1.0 - title 'Postgresql should be running' - desc 'Postgresql should be running.' - if os[:name] == 'ubuntu' - describe command('/etc/init.d/postgresql status') do - its('stdout') { should include 'active' } - end - else - describe service(postgres.service) do - it { should be_installed } - it { should be_running } - it { should be_enabled } - end - end -end - control 'postgres-02' do impact 1.0 title 'Use stable postgresql version' From 0e2fa88eef98974bc245da271294908fba38b8c0 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Fri, 8 Dec 2023 15:52:30 +0000 Subject: [PATCH 21/22] update inspec.yml and changelog --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02d8eeb..ee83524 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,18 @@ # Changelog -## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-12-07) +## [3.1.1](https://github.com/dev-sec/postgres-baseline/tree/3.1.1) (2023-12-08) [Full Changelog](https://github.com/dev-sec/postgres-baseline/compare/3.1.0...3.1.1) **Implemented enhancements:** - Update Supported Versions [\#52](https://github.com/dev-sec/postgres-baseline/issues/52) +- Switch back to simple InSpec service description [\#17](https://github.com/dev-sec/postgres-baseline/issues/17) - use centralised issue templates and workflows [\#48](https://github.com/dev-sec/postgres-baseline/pull/48) ([schurzi](https://github.com/schurzi)) **Merged pull requests:** +- Remove control for running Database [\#54](https://github.com/dev-sec/postgres-baseline/pull/54) ([professormahi](https://github.com/professormahi)) - Fix \#52: Update supported versions [\#53](https://github.com/dev-sec/postgres-baseline/pull/53) ([professormahi](https://github.com/professormahi)) - ensure compatibility with new inspec version [\#51](https://github.com/dev-sec/postgres-baseline/pull/51) ([schurzi](https://github.com/schurzi)) - add spellchecking with codespell [\#50](https://github.com/dev-sec/postgres-baseline/pull/50) ([schurzi](https://github.com/schurzi)) From a9824c65a72f5b8520aae2d8a48fcc22014eb314 Mon Sep 17 00:00:00 2001 From: Jaco Stroebel Date: Mon, 24 Mar 2025 09:20:11 +0200 Subject: [PATCH 22/22] Update supported version check Signed-off-by: Jaco Stroebel --- controls/postgres_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb index 35d354f..c27c2d3 100644 --- a/controls/postgres_spec.rb +++ b/controls/postgres_spec.rb 
@@ -39,7 +39,7 @@ title 'Use stable postgresql version' desc 'Use only community or commercially supported version of the PostgreSQL software (https://www.postgresql.org/support/versioning/). Do not use RC, DEVEL or BETA versions in a production environment.' describe command('psql -V') do - its('stdout') { should match /^psql\s\(PostgreSQL\)\s(12|13|14|15|16).*/ } + its('stdout') { should match /^psql\s\(PostgreSQL\)\s(13|14|15|16|17).*/ } end describe command('psql -V') do its('stdout') { should_not match /RC/ }
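Review bot: The accepted set is again a hand-maintained enumeration, and the lowest entry drifts toward a false pass on one side (PostgreSQL 13 is, if I recall the schedule correctly, scheduled to go out of support in November 2025) while the newest release is a false failure until someone edits the list. Since the separate `should_not match /RC/` check already rejects pre-releases, expressing the rule as a minimum supported major, `its('stdout') { should match /^psql\s\(PostgreSQL\)\s(1[3-9]|[2-9]\d)\./ }`, only needs changing when a major reaches end-of-life, and a comment naming the date being enforced (`# PostgreSQL 13 supported until Nov 2025 per postgresql.org/support/versioning`) documents why. The control body continues outside the hunk.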