|
145 | 145 | describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do |
146 | 146 | its('output') { should match /^md5\S*$/i } |
147 | 147 | end |
148 | | - describe postgres_conf(POSTGRES_CONF_PATH) do |
149 | | - its('password_encryption') { should eq 'on' } |
| 148 | + describe postgres_session(USER, PASSWORD).query('SHOW password_encryption;') do |
| 149 | + its('output') { should eq 'on' } |
150 | 150 | end |
151 | 151 | else |
152 | 152 | describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do |
153 | 153 | its('output') { should match /^scram-sha-256\S*$/i } |
154 | 154 | end |
155 | | - describe postgres_conf(POSTGRES_CONF_PATH) do |
156 | | - its('password_encryption') { should eq 'scram-sha-256' } |
| 155 | + describe postgres_session(USER, PASSWORD).query('SHOW password_encryption;') do |
| 156 | + its('output') { should eq 'scram-sha-256' } |
157 | 157 | end |
158 | 158 | end |
159 | 159 | end |
|
197 | 197 | it { should be_file } |
198 | 198 | it { should be_owned_by USER } |
199 | 199 | it { should be_readable.by('owner') } |
200 | | - it { should_not be_readable.by('group') } |
| 200 | + it { should be_readable.by('group') } |
201 | 201 | it { should_not be_readable.by('other') } |
202 | 202 | it { should be_writable.by('owner') } |
203 | 203 | it { should_not be_writable.by('group') } |
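Review bot: The flip on the new line 200 from `should_not be_readable.by('group')` to `should be_readable.by('group')` turns a restriction into a requirement, so a correctly locked-down 0600 file now fails the control while the broader 0640 passes. If the widening is intentional (the file must be readable by a service group such as Debian's `ssl-cert` for the server key), the control should also pin which group that is, otherwise any group grant satisfies it: `it { should be_grouped_into 'ssl-cert' }`, with the group name taken from the deployment rather than hard-coded. The `describe` block and the path it inspects start outside the hunk, so the exact file cannot be confirmed from here.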
|
225 | 225 | impact 1.0 |
226 | 226 | title 'It is recommended to activate ssl communication.' |
227 | 227 | desc 'The hardening-cookbook will delete the links from #var/lib/postgresql/%postgresql-version%/main/server.crt to etc/ssl/certs/ssl-cert-snakeoil.pem and #var/lib/postgresql/%postgresql-version%/main/server.key to etc/ssl/private/ssl-cert-snakeoil.key on Debian systems. This certificates are self-signed (see http://en.wikipedia.org/wiki/Snake_oil_%28cryptography%29) and therefore not trusted. You have to #provide our own trusted certificates for SSL.' |
228 | | - describe postgres_conf(POSTGRES_CONF_PATH) do |
229 | | - its('ssl') { should eq 'on' } |
| 228 | + describe postgres_session(USER, PASSWORD).query('SHOW ssl;') do |
| 229 | + its('output') { should eq 'on' } |
230 | 230 | end |
231 | 231 | end |
232 | 232 |
|
233 | 233 | control 'postgres-12' do |
234 | 234 | impact 1.0 |
235 | 235 | title 'Use strong chiphers for ssl communication' |
236 | 236 | desc 'The following categories of SSL Ciphers must not be used: ADH, LOW, EXP and MD5. A very good description for secure postgres installation / configuration can be found at: https://bettercrypto.org' |
237 | | - describe postgres_conf(POSTGRES_CONF_PATH) do |
238 | | - its('ssl_ciphers') { should eq 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' } |
| 237 | + describe postgres_session(USER, PASSWORD).query('SHOW ssl_ciphers;') do |
| 238 | + its('output') { should eq 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' } |
239 | 239 | end |
240 | 240 | end |
241 | 241 |
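Review bot: The exact-match assertion on the new line 238 still pins `ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH`, which excludes only the four categories the description names and, depending on the OpenSSL build PostgreSQL links against, can still leave RC4, 3DES and non-forward-secret RSA key exchange enabled. Since the check now reads the effective value through `SHOW ssl_ciphers`, this is a natural point to tighten the expected string, e.g. `its('output') { should eq 'ALL:!ADH:!aNULL:!LOW:!EXP:!MD5:!RC4:!3DES:@STRENGTH' }`, updating the `desc` text to match. `should eq` on query output is also brittle against trailing whitespace; InSpec's `should cmp` is the tolerant form commonly used for `SHOW` results.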
|
|
278 | 278 | impact 1.0 |
279 | 279 | title 'Enable logging functions' |
280 | 280 | desc 'Logging functions must be turned on and properly configured according / compliant to local law.' |
281 | | - describe postgres_conf(POSTGRES_CONF_PATH) do |
282 | | - its('logging_collector') { should eq 'on' } |
283 | | - its('log_connections') { should eq 'on' } |
284 | | - its('log_disconnections') { should eq 'on' } |
285 | | - its('log_duration') { should eq 'on' } |
286 | | - its('log_hostname') { should eq 'on' } |
287 | | - its('log_directory') { should eq 'pg_log' } |
288 | | - its('log_line_prefix') { should eq '%t %u %d %h' } |
| 281 | + describe postgres_session(USER, PASSWORD).query('SHOW logging_collector;') do |
| 282 | + its('output') { should eq 'on' } |
| 283 | + end |
| 284 | + describe postgres_session(USER, PASSWORD).query('SHOW log_connections;') do |
| 285 | + its('output') { should eq 'on' } |
| 286 | + end |
| 287 | + describe postgres_session(USER, PASSWORD).query('SHOW log_disconnections;') do |
| 288 | + its('output') { should eq 'on' } |
| 289 | + end |
| 290 | + describe postgres_session(USER, PASSWORD).query('SHOW log_duration;') do |
| 291 | + its('output') { should eq 'on' } |
| 292 | + end |
| 293 | + describe postgres_session(USER, PASSWORD).query('SHOW log_hostname;') do |
| 294 | + its('output') { should eq 'on' } |
| 295 | + end |
| 296 | + describe postgres_session(USER, PASSWORD).query('SHOW log_directory;') do |
| 297 | + its('output') { should_not eq 'log' } |
| 298 | + end |
| 299 | + describe postgres_session(USER, PASSWORD).query('SHOW log_line_prefix;') do |
| 300 | + its('output') { should eq '%t %u %d %h' } |
289 | 301 | end |
290 | 302 | end |
291 | 303 |
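Review bot: The new line 297 replaces the positive check `should eq 'pg_log'` with `should_not eq 'log'`, which is satisfied by any value other than the upstream default, including a relative directory inside the data directory or a path outside the expected log tree, so the control no longer states where logs must go. If the intent is to accept both the older `pg_log` default and a deployment-specific path, assert the allowed set explicitly, e.g. `its('output') { should match(%r{\A(pg_log|/var/log/postgresql(/.*)?)\z}) }`, and consider a companion `file` check on the resolved directory's mode. As a point of style, the seven separate `postgres_session(...).query('SHOW ...')` blocks each open a connection; a single `SELECT name, setting FROM pg_settings WHERE name IN (...)` with one `describe` would make the control shorter and the expected values easier to review side by side.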
|
|