From 9cceb7747233e12eb36cd9fb771aae4a69ecbf38 Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Fri, 1 Dec 2023 13:48:41 +0330 Subject: [PATCH 01/24] Feat: Add basis for postgres-hardening Signed-off-by: Mahdi Fooladgar (professormahi) --- .github/labeler.yml | 8 ++ .github/workflows/postgres_hardening.yml | 89 ++++++++++++++++++++ molecule/postgres_hardening/converge.yml | 13 +++ molecule/postgres_hardening/molecule.yml | 60 +++++++++++++ molecule/postgres_hardening/prepare.yml | 17 ++++ molecule/postgres_hardening/verify.yml | 36 ++++++++ roles/postgres_hardening/CHANGELOG.md | 0 roles/postgres_hardening/README.md | 18 ++++ roles/postgres_hardening/defaults/main.yml | 7 ++ roles/postgres_hardening/handlers/main.yml | 6 ++ roles/postgres_hardening/tasks/hardening.yml | 33 ++++++++ roles/postgres_hardening/tasks/main.yml | 7 ++ roles/postgres_hardening/vars/Ubuntu.yml | 2 + roles/postgres_hardening/vars/main.yml | 0 14 files changed, 296 insertions(+) create mode 100644 .github/workflows/postgres_hardening.yml create mode 100644 molecule/postgres_hardening/converge.yml create mode 100644 molecule/postgres_hardening/molecule.yml create mode 100644 molecule/postgres_hardening/prepare.yml create mode 100644 molecule/postgres_hardening/verify.yml create mode 100644 roles/postgres_hardening/CHANGELOG.md create mode 100644 roles/postgres_hardening/README.md create mode 100644 roles/postgres_hardening/defaults/main.yml create mode 100644 roles/postgres_hardening/handlers/main.yml create mode 100644 roles/postgres_hardening/tasks/hardening.yml create mode 100644 roles/postgres_hardening/tasks/main.yml create mode 100644 roles/postgres_hardening/vars/Ubuntu.yml create mode 100644 roles/postgres_hardening/vars/main.yml diff --git a/.github/labeler.yml b/.github/labeler.yml index 05a1f76cd..2ce525108 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -28,3 +28,11 @@ nginx_hardening: - roles/nginx_hardening/** - molecule/nginx_hardening/** - .github/workflows/nginx_hardening.yml + + +postgres_hardening: + - changed-files: + - any-glob-to-any-file: + - "roles/postgres_hardening/**" + - "molecule/postgres_hardening/**" + - ".github/workflows/postgres_hardening.yml" diff --git a/.github/workflows/postgres_hardening.yml b/.github/workflows/postgres_hardening.yml new file mode 100644 index 000000000..db72befef --- /dev/null +++ b/.github/workflows/postgres_hardening.yml 
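Review bot: The new `postgres_hardening` entry uses the labeler v5 object form (`changed-files` / `any-glob-to-any-file`) while the `nginx_hardening` entry in the context lines above is a flat list of globs, so the file now mixes two configuration formats. As far as I know actions/labeler v4 does not understand the object form and v5 does not accept the bare-glob form, so depending on which labeler version the workflow pins, one of the two entries will be ignored or rejected. Use the same form as the existing entries, or migrate all of them in one change.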
@@ -0,0 +1,89 @@ +--- +name: "devsec.postgres_hardening" +on: # yamllint disable-line rule:truthy + workflow_dispatch: + push: + branches: [master] + paths: + - "roles/postgres_hardening/**" + - "molecule/postgres_hardening/**" + - ".github/workflows/postgres_hardening.yml" + - "requirements.txt" + pull_request: + branches: [master] + paths: + - "roles/postgres_hardening/**" + - "molecule/postgres_hardening/**" + - ".github/workflows/postgres_hardening.yml" + - "requirements.txt" + schedule: + - cron: "0 6 * * 1" + +concurrency: + group: >- + ${{ github.workflow }}-${{ + github.event.pull_request.number || github.sha + }} + cancel-in-progress: true + +jobs: + build: + runs-on: ubuntu-latest + env: + PY_COLORS: 1 + ANSIBLE_FORCE_COLOR: 1 + strategy: + fail-fast: false + matrix: + molecule_distro: + # - centos7 + # - centosstream8 + # - centosstream9 + # - rocky8 + # - rocky9 + - ubuntu1804 + - ubuntu2004 + - ubuntu2204 + # - debian10 + # - debian11 + # - debian12 + # - amazon2023 + # - arch # needs to be fixed + # - opensuse_tumbleweed # needs to be fixed + # - fedora # no support from geerlingguy role + steps: + - name: Checkout repo + uses: actions/checkout@v4 + with: + path: ansible_collections/devsec/hardening + submodules: true + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: 3.12 + + - name: Install dependencies + run: | + sudo apt install git + python -m pip install --no-cache-dir --upgrade pip + pip install -r requirements.txt + working-directory: ansible_collections/devsec/hardening + + # Molecule has problems detecting the proper location for installing roles + # https://github.com/ansible/molecule/issues/3806 + # we do not set a custom role path, but the automatically determined install path used is not compatible with the location molecule expects the role + # see CI logs of this action "INFO Set ANSIBLE_ROLES_PATH" should not be present, since we do not set a custom path + # we have to find a proper way to configure 
this + - name: Temporary fix for roles + run: | + mkdir -p /home/runner/.ansible + ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles + + - name: Test with molecule + run: | + molecule --version + molecule test -s postgres_hardening + env: + MOLECULE_DISTRO: ${{ matrix.molecule_distro }} + working-directory: ansible_collections/devsec/hardening diff --git a/molecule/postgres_hardening/converge.yml b/molecule/postgres_hardening/converge.yml new file mode 100644 index 000000000..79ad90828 --- /dev/null +++ b/molecule/postgres_hardening/converge.yml @@ -0,0 +1,13 @@ +--- +- name: wrapper playbook for kitchen testing "ansible-postgres-hardening" with custom settings + become: true + hosts: all + collections: + - devsec.hardening + environment: + http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" + https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" + no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" + tasks: + - include_role: + name: postgres_hardening diff --git a/molecule/postgres_hardening/molecule.yml b/molecule/postgres_hardening/molecule.yml new file mode 100644 index 000000000..591a5a514 --- /dev/null +++ b/molecule/postgres_hardening/molecule.yml 
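Review bot: `python-version: 3.12` in the `Set up Python` step is an unquoted float and should be `python-version: "3.12"`; the value happens to survive here, but a `.10`/`.20` minor would be read as `3.1`/`3.2`. The `actions/checkout@v4` and `actions/setup-python@v4` references are mutable tags; pinning them to a full commit SHA (`uses: actions/checkout@<commit-sha>  # v4`) makes the job reproducible and removes the tag-retarget supply-chain vector. The `Temporary fix for roles` step hardcodes `/home/runner/work/ansible-collection-hardening/ansible-collection-hardening/...`, which breaks on any fork with a different repository name; building the path from `${{ github.workspace }}` keeps it portable.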
@@ -0,0 +1,60 @@ +--- +driver: + name: docker +platforms: + - name: instance + image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + privileged: true + cgroupns_mode: host + pre_build_image: true +provisioner: + name: ansible + options: + diff: true + config_options: + defaults: + interpreter_python: auto_silent + callbacks_enabled: profile_tasks, timer, yaml + inventory: + host_vars: + # https://molecule.readthedocs.io/en/latest/examples.html#docker-with-non-privileged-user + # setting for the platform instance named 'instance' + instance: + ansible_user: ansible +verifier: + name: ansible + +scenario: + create_sequence: + - dependency + - create + - prepare + check_sequence: + - dependency + - destroy + - create + - prepare + - converge + - check + - destroy + converge_sequence: + - dependency + - create + - prepare + - converge + destroy_sequence: + - destroy + test_sequence: + - dependency + - destroy + - syntax + - create + - prepare + - check + - converge + - idempotence + - verify + - destroy diff --git a/molecule/postgres_hardening/prepare.yml b/molecule/postgres_hardening/prepare.yml new file mode 100644 index 000000000..e397a98d0 --- /dev/null +++ b/molecule/postgres_hardening/prepare.yml @@ -0,0 +1,17 @@ +--- +- name: prepare playbook for kitchen testing "ansible-postgres-hardening" with custom settings + become: true + hosts: all + environment: + http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" + https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" + no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" + tasks: + - name: install required packages + package: + name: "python3-apt" + update_cache: true + ignore_errors: true # noqa ignore-errors + + - include_role: + name: geerlingguy.postgres 
diff --git a/molecule/postgres_hardening/verify.yml b/molecule/postgres_hardening/verify.yml new file mode 100644 index 000000000..554f7a24f --- /dev/null +++ b/molecule/postgres_hardening/verify.yml @@ -0,0 +1,36 @@ +--- +- name: Verify + hosts: all + become: true + environment: + http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" + https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" + no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" + +- name: Verify + hosts: localhost + environment: + http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" + https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" + no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" + tasks: + - name: Execute cinc-auditor tests + command: > + docker run + --volume /run/docker.sock:/run/docker.sock + docker.io/cincproject/auditor exec + -t docker://instance + --no-show-progress --no-color + --no-distinct-exit https://github.com/dev-sec/postgres-baseline/archive/refs/heads/master.zip + register: test_results + changed_when: false + ignore_errors: true + + - name: Display details about the cinc-auditor results + debug: + msg: "{{ test_results.stdout_lines }}" + + - name: Fail when tests fail + fail: + msg: "Inspec failed to validate" + when: test_results.rc != 0 diff --git a/roles/postgres_hardening/CHANGELOG.md b/roles/postgres_hardening/CHANGELOG.md new file mode 100644 index 000000000..e69de29bb diff --git a/roles/postgres_hardening/README.md b/roles/postgres_hardening/README.md new file mode 100644 index 000000000..4a0abada4 --- /dev/null +++ b/roles/postgres_hardening/README.md 
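Review bot: The `Execute cinc-auditor tests` task fetches the profile from `refs/heads/master.zip`, so what the verify stage checks is whatever is on that branch at run time rather than a fixed revision, and a change there can silently alter or break this scenario's results. Pinning the archive to a tag or commit (`https://github.com/dev-sec/postgres-baseline/archive/<tag-or-commit>.zip`) keeps the check reproducible; the `docker.io/cincproject/auditor` image is likewise unpinned and would benefit from an explicit tag or digest. The step also bind-mounts `/run/docker.sock`, which is only acceptable because this play runs on the throwaway molecule host.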
@@ -0,0 +1,18 @@ +# devsec.postgres_hardening + +[![devsec.postgres_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/postgres_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/postgres_hardening.yml) + +## Description + +This role provides secure postgres configuration. It is intended to be compliant with the [DevSec Postgres Baseline](https://github.com/dev-sec/postgres-baseline). + + +**NOTE: This role does not work with postgres 1.0.15 or older! Please use the latest version from the official postgres repositories!** + + + +## Supported Operating Systems [For Now] +- Ubuntu + - bionic, focal, jammy + +## Role Variables diff --git a/roles/postgres_hardening/defaults/main.yml b/roles/postgres_hardening/defaults/main.yml new file mode 100644 index 000000000..381756f88 --- /dev/null +++ b/roles/postgres_hardening/defaults/main.yml @@ -0,0 +1,7 @@ +--- +# switcher to enable/disable role +postgres_hardening_enabled: true + +postgres_daemon_enabled: true + +postgres_hardening_restart_postgres: true diff --git a/roles/postgres_hardening/handlers/main.yml b/roles/postgres_hardening/handlers/main.yml new file mode 100644 index 000000000..104d536c9 --- /dev/null +++ b/roles/postgres_hardening/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart postgres + ansible.builtin.service: + name: "{{ postgres_daemon }}" + state: restarted + when: postgres_hardening_restart_postgres | bool diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml new file mode 100644 index 000000000..ab3a5ba6e --- /dev/null +++ b/roles/postgres_hardening/tasks/hardening.yml 
@@ -0,0 +1,33 @@ +--- +- name: Fetch OS dependent variables + ansible.builtin.include_vars: + file: "{{ item }}" + name: os_vars + with_first_found: + - files: + - "{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml" + - "{{ ansible_facts.distribution }}.yml" + - "{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml" + - "{{ ansible_facts.os_family }}.yml" + skip: true + tags: always + +# we only override variables with our default if they have not been specified already. +# by default the lookup functions finds all varnames containing the string, therefore +# we add ^ and $ to denote start and end of string, so this returns only exact matches. +- name: Set OS dependent variables, if not already defined by user # noqa var-naming + ansible.builtin.set_fact: + "{{ item.key }}": "{{ item.value }}" + when: not lookup('varnames', '^' + item.key + '$') + with_dict: "{{ os_vars }}" + tags: always + +- name: Get postgres + ansible.builtin.command: psql -V + register: postgres_version_raw + changed_when: false + check_mode: false + +- name: Parse postgres-version + ansible.builtin.set_fact: + postgres_version: "{{ postgres_version_raw.stderr | regex_replace('^psql\\s\\(PostgreSQL)\\s(9.[3-6]|10.5).*', '\\2') }}" diff --git a/roles/postgres_hardening/tasks/main.yml b/roles/postgres_hardening/tasks/main.yml new file mode 100644 index 000000000..0ca3c41ea --- /dev/null +++ b/roles/postgres_hardening/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: Include hardening tasks + ansible.builtin.include_tasks: hardening.yml + args: + apply: + become: true + when: postgres_hardening_enabled | bool diff --git a/roles/postgres_hardening/vars/Ubuntu.yml b/roles/postgres_hardening/vars/Ubuntu.yml new file mode 100644 index 000000000..d2f1aec46 --- /dev/null +++ b/roles/postgres_hardening/vars/Ubuntu.yml @@ -0,0 +1,2 @@ +--- +postgres_daemon: postgresql 
diff --git a/roles/postgres_hardening/vars/main.yml b/roles/postgres_hardening/vars/main.yml new file mode 100644 index 000000000..e69de29bb From bcdf88d1709d9fe7a9afc87c3d5b0d8474f37e63 Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Fri, 1 Dec 2023 14:03:17 +0330 Subject: [PATCH 02/24] Fix a typo on geerlingguy.postgresql Signed-off-by: Mahdi Fooladgar (professormahi) --- molecule/postgres_hardening/prepare.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/postgres_hardening/prepare.yml b/molecule/postgres_hardening/prepare.yml index e397a98d0..b94b69ea5 100644 --- a/molecule/postgres_hardening/prepare.yml +++ b/molecule/postgres_hardening/prepare.yml @@ -14,4 +14,4 @@ ignore_errors: true # noqa ignore-errors - include_role: - name: geerlingguy.postgres + name: geerlingguy.postgresql From d53986ac3781d5bd74773c7882a2cac5f938e709 Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Fri, 1 Dec 2023 14:58:38 +0330 Subject: [PATCH 03/24] Fix: Add galaxy dependecy Signed-off-by: Mahdi Fooladgar (professormahi) --- molecule/postgres_hardening/molecule.yml | 4 ++++ molecule/postgres_hardening/prepare.yml | 5 +---- molecule/postgres_hardening/requirements.yml | 3 +++ 3 files changed, 8 insertions(+), 4 deletions(-) create mode 100644 molecule/postgres_hardening/requirements.yml diff --git a/molecule/postgres_hardening/molecule.yml b/molecule/postgres_hardening/molecule.yml index 591a5a514..668fa84c7 100644 --- a/molecule/postgres_hardening/molecule.yml +++ b/molecule/postgres_hardening/molecule.yml @@ -1,4 +1,8 @@ --- +dependency: + name: galaxy + options: + role-file: molecule/postgres_hardening/requirements.yml driver: name: docker platforms: diff --git a/molecule/postgres_hardening/prepare.yml b/molecule/postgres_hardening/prepare.yml index b94b69ea5..dd4696949 100644 --- a/molecule/postgres_hardening/prepare.yml +++ b/molecule/postgres_hardening/prepare.yml 
@@ -11,7 +11,4 @@ package: name: "python3-apt" update_cache: true - ignore_errors: true # noqa ignore-errors - - - include_role: - name: geerlingguy.postgresql + ignore_errors: true # noqa ignore-errors \ No newline at end of file diff --git a/molecule/postgres_hardening/requirements.yml b/molecule/postgres_hardening/requirements.yml new file mode 100644 index 000000000..abd4a9b4f --- /dev/null +++ b/molecule/postgres_hardening/requirements.yml @@ -0,0 +1,3 @@ +--- +roles: + - geerlingguy.postgresql From 1b19d6f8f00fcff704c9a253b87be7d8e854a6bc Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Fri, 1 Dec 2023 17:03:37 +0330 Subject: [PATCH 04/24] Fix: change test version to galaxyproject.postgresql Signed-off-by: Mahdi Fooladgar (professormahi) --- molecule/postgres_hardening/prepare.yml | 5 ++++- molecule/postgres_hardening/requirements.yml | 3 ++- roles/postgres_hardening/tasks/hardening.yml | 10 ---------- 3 files changed, 6 insertions(+), 12 deletions(-) diff --git a/molecule/postgres_hardening/prepare.yml b/molecule/postgres_hardening/prepare.yml index dd4696949..489e91991 100644 --- a/molecule/postgres_hardening/prepare.yml +++ b/molecule/postgres_hardening/prepare.yml @@ -11,4 +11,7 @@ package: name: "python3-apt" update_cache: true - ignore_errors: true # noqa ignore-errors \ No newline at end of file + ignore_errors: true # noqa ignore-errors + + - include_role: + name: galaxyproject.postgresql \ No newline at end of file diff --git a/molecule/postgres_hardening/requirements.yml b/molecule/postgres_hardening/requirements.yml index abd4a9b4f..72d91d06b 100644 --- a/molecule/postgres_hardening/requirements.yml +++ b/molecule/postgres_hardening/requirements.yml @@ -1,3 +1,4 @@ --- roles: - - geerlingguy.postgresql + - galaxyproject.postgresql + diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index ab3a5ba6e..91d6b91ec 100644 --- a/roles/postgres_hardening/tasks/hardening.yml 
+++ b/roles/postgres_hardening/tasks/hardening.yml @@ -21,13 +21,3 @@ when: not lookup('varnames', '^' + item.key + '$') with_dict: "{{ os_vars }}" tags: always - -- name: Get postgres - ansible.builtin.command: psql -V - register: postgres_version_raw - changed_when: false - check_mode: false - -- name: Parse postgres-version - ansible.builtin.set_fact: - postgres_version: "{{ postgres_version_raw.stderr | regex_replace('^psql\\s\\(PostgreSQL)\\s(9.[3-6]|10.5).*', '\\2') }}" From 6bce1f9277d05673470bbe11639f034af18dbf94 Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Fri, 1 Dec 2023 18:55:19 +0330 Subject: [PATCH 05/24] Feat: Add postgres-01 and postgres-02 Signed-off-by: Mahdi Fooladgar (professormahi) --- roles/postgres_hardening/tasks/hardening.yml | 46 ++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index 91d6b91ec..147e9b801 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml 
@@ -21,3 +21,49 @@ when: not lookup('varnames', '^' + item.key + '$') with_dict: "{{ os_vars }}" tags: always + +################################# +# Check Compatibility ########### +################################# +- name: Print the OS + debug: + var: ansible_facts.os_family + +- name: Only compatible OS versions + ansible.builtin.fail: + msg: "Only Ubuntu/Debian are supported" + when: ansible_facts.os_family not in ["Ubuntu", "Debian"] + +################################# +# POSTGRES-01 ################### +################################# +- name: Check postgres service status + service: + name: "{{ postgres_daemon }}" + state: started + +################################# +# POSTGRES-02 ################### +################################# +- name: Get postgres version + ansible.builtin.command: psql -V + register: postgres_version_raw + changed_when: false + check_mode: false + +- name: Print the postgres version + debug: + var: postgres_version_raw + +- name: Parse postgres-version + ansible.builtin.set_fact: + postgres_version: "{{ postgres_version_raw.stdout | regex_search('psql\\s\\(PostgreSQL\\)\\s(12|13|14|15|16).*', '\\1') | first }}" + +- name: Print the postgres version + debug: + var: postgres_version + +- name: Only compatible postgres versions allowed + ansible.builtin.fail: + msg: "Postgres Version is not secure or supported!" + when: not postgres_version or 'RC' in postgres_version_raw or 'DEVEL' in postgres_version_raw or 'BETA' in postgres_version_raw From f66e1ea422ebf74ef27ddb4b32b9aa5b7f57979e Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Fri, 1 Dec 2023 19:08:02 +0330 Subject: [PATCH 06/24] Fix: user fqcn of builtin modules Signed-off-by: Mahdi Fooladgar (professormahi) --- roles/postgres_hardening/tasks/hardening.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
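Review bot: In `Only compatible postgres versions allowed`, `'RC' in postgres_version_raw` (and the `DEVEL`/`BETA` variants) tests membership in the registered result dict (keys such as `stdout`, `rc`), not in the command output, so the pre-release check can never fire; it has to look at `postgres_version_raw.stdout`, and case-insensitively, since `psql -V` prints pre-releases in lowercase (`16rc1`, `16beta1`), e.g. `when: not postgres_version or (postgres_version_raw.stdout | lower) is search('rc|devel|beta')`. The preceding `Parse postgres-version` task pipes `regex_search(...)` straight into `first`, so when the pattern does not match the task errors out instead of leaving `postgres_version` empty, which makes the `not postgres_version` branch unreachable; guard the pipeline with a default before `first`. Separately, `psql -V` reports the client package version, which on Debian/Ubuntu can differ from the running server cluster, so `pg_lsclusters` or `SHOW server_version` is the safer source for the version that later path-building tasks rely on.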
diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index 147e9b801..33b6bd12c 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml @@ -26,7 +26,7 @@ # Check Compatibility ########### ################################# - name: Print the OS - debug: + ansible.builtin.debug: var: ansible_facts.os_family - name: Only compatible OS versions @@ -38,7 +38,7 @@ # POSTGRES-01 ################### ################################# - name: Check postgres service status - service: + ansible.builtin.service: name: "{{ postgres_daemon }}" state: started @@ -52,7 +52,7 @@ check_mode: false - name: Print the postgres version - debug: + ansible.builtin.debug: var: postgres_version_raw - name: Parse postgres-version @@ -60,7 +60,7 @@ postgres_version: "{{ postgres_version_raw.stdout | regex_search('psql\\s\\(PostgreSQL\\)\\s(12|13|14|15|16).*', '\\1') | first }}" - name: Print the postgres version - debug: + ansible.builtin.debug: var: postgres_version - name: Only compatible postgres versions allowed From 1a33ca4eaa82e9a1b0ad794543b3ad8b2fb2df92 Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Wed, 6 Dec 2023 17:06:04 +0330 Subject: [PATCH 07/24] Feat: Change molecule postgres collection to geerlingguy Signed-off-by: Mahdi Fooladgar (professormahi) --- .../postgres_hardening/geerlingguy_postgresql_vars.yml | 5 +++++ molecule/postgres_hardening/prepare.yml | 4 +++- molecule/postgres_hardening/requirements.yml | 7 +++++-- 3 files changed, 13 insertions(+), 3 deletions(-) create mode 100644 molecule/postgres_hardening/geerlingguy_postgresql_vars.yml diff --git a/molecule/postgres_hardening/geerlingguy_postgresql_vars.yml b/molecule/postgres_hardening/geerlingguy_postgresql_vars.yml new file mode 100644 index 000000000..9799d28e9 --- /dev/null +++ b/molecule/postgres_hardening/geerlingguy_postgresql_vars.yml 
@@ -0,0 +1,5 @@ +postgresql_databases: + - name: example_db +postgresql_users: + - name: postgres + password: iloverandompasswordsbutthiswilldo \ No newline at end of file diff --git a/molecule/postgres_hardening/prepare.yml b/molecule/postgres_hardening/prepare.yml index 489e91991..6888e3308 100644 --- a/molecule/postgres_hardening/prepare.yml +++ b/molecule/postgres_hardening/prepare.yml @@ -6,6 +6,8 @@ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" + vars_files: + - geerlingguy_postgresql_vars.yml tasks: - name: install required packages package: @@ -14,4 +16,4 @@ ignore_errors: true # noqa ignore-errors - include_role: - name: galaxyproject.postgresql \ No newline at end of file + name: geerlingguy.postgresql \ No newline at end of file diff --git a/molecule/postgres_hardening/requirements.yml b/molecule/postgres_hardening/requirements.yml index 72d91d06b..f3aeeb733 100644 --- a/molecule/postgres_hardening/requirements.yml +++ b/molecule/postgres_hardening/requirements.yml @@ -1,4 +1,7 @@ --- -roles: - - galaxyproject.postgresql +collections: + - community.postgresql + +roles: + - geerlingguy.postgresql From 2e8c6380687b8c90fde3b3292108b90ab1b63b6d Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Wed, 6 Dec 2023 17:39:15 +0330 Subject: [PATCH 08/24] Feat: Add postgres-10 Signed-off-by: Mahdi Fooladgar (professormahi) --- roles/postgres_hardening/tasks/hardening.yml | 28 ++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index 33b6bd12c..1976db181 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml 
@@ -67,3 +67,31 @@ ansible.builtin.fail: msg: "Postgres Version is not secure or supported!" when: not postgres_version or 'RC' in postgres_version_raw or 'DEVEL' in postgres_version_raw or 'BETA' in postgres_version_raw + + +################################# +# POSTGRES-10 ################### +################################# +- name: Manage permissions on /etc/postgresql/14/main + ansible.builtin.file: + path: /etc/postgresql/14/main + state: directory + owner: postgres + group: postgres + mode: u=rwx,g=,o= + +- name: Manage permissions on /etc/postgresql/14/main/postgresql.conf + ansible.builtin.file: + path: /etc/postgresql/14/main/postgresql.conf + state: file + owner: postgres + group: postgres + mode: u=rw,g=r,o= + +- name: Manage permissions on /etc/postgresql/14/main/pg_hba.conf + ansible.builtin.file: + path: /etc/postgresql/14/main/pg_hba.conf + state: file + owner: postgres + group: postgres + mode: u=rw,g=,o= From 6ddf542db75812518f1ad582c002b7fd04f15d1b Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Wed, 6 Dec 2023 17:40:36 +0330 Subject: [PATCH 09/24] Add geerlingguy_postgresql to .gitignore Signed-off-by: Mahdi Fooladgar (professormahi) --- roles/.gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 roles/.gitignore diff --git a/roles/.gitignore b/roles/.gitignore new file mode 100644 index 000000000..74ccee7c9 --- /dev/null +++ b/roles/.gitignore @@ -0,0 +1 @@ +geerlingguy.postgresql/ \ No newline at end of file From 9048b6c14152489dc2201a6f493c5a6ac3d70a25 Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Wed, 6 Dec 2023 19:34:05 +0330 Subject: [PATCH 10/24] Feat: Add configration for postgres user/group 
Signed-off-by: Mahdi Fooladgar (professormahi) --- roles/postgres_hardening/defaults/main.yml | 4 ++++ roles/postgres_hardening/tasks/hardening.yml | 12 ++++++------ roles/postgres_hardening/vars/main.yml | 0 3 files changed, 10 insertions(+), 6 deletions(-) delete mode 100644 roles/postgres_hardening/vars/main.yml diff --git a/roles/postgres_hardening/defaults/main.yml b/roles/postgres_hardening/defaults/main.yml index 381756f88..89cee1d08 100644 --- a/roles/postgres_hardening/defaults/main.yml +++ b/roles/postgres_hardening/defaults/main.yml @@ -5,3 +5,7 @@ postgres_hardening_enabled: true postgres_daemon_enabled: true postgres_hardening_restart_postgres: true + +# Postgres user/group +postgres_user: postgres +postgres_group: postgres diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index 1976db181..e1dceb950 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml @@ -76,22 +76,22 @@ ansible.builtin.file: path: /etc/postgresql/14/main state: directory - owner: postgres - group: postgres + owner: "{{ postgres_user }}" + group: "{{ postgres_group }}" mode: u=rwx,g=,o= - name: Manage permissions on /etc/postgresql/14/main/postgresql.conf ansible.builtin.file: path: /etc/postgresql/14/main/postgresql.conf state: file - owner: postgres - group: postgres + owner: "{{ postgres_user }}" + group: "{{ postgres_group }}" mode: u=rw,g=r,o= - name: Manage permissions on /etc/postgresql/14/main/pg_hba.conf ansible.builtin.file: path: /etc/postgresql/14/main/pg_hba.conf state: file - owner: postgres - group: postgres + owner: "{{ postgres_user }}" + group: "{{ postgres_group }}" mode: u=rw,g=,o= diff --git a/roles/postgres_hardening/vars/main.yml b/roles/postgres_hardening/vars/main.yml deleted file mode 100644 index e69de29bb..000000000 From 27997f3a1734e724833c003bd565c123e4c39386 Mon Sep 17 00:00:00 2001 
From: "Mahdi Fooladgar (professormahi)" Date: Wed, 6 Dec 2023 21:02:06 +0330 Subject: [PATCH 11/24] Feat: Add postgres-11/12 Signed-off-by: Mahdi Fooladgar (professormahi) --- roles/postgres_hardening/defaults/main.yml | 4 +++ roles/postgres_hardening/tasks/hardening.yml | 29 +++++++++++++++----- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/roles/postgres_hardening/defaults/main.yml b/roles/postgres_hardening/defaults/main.yml index 89cee1d08..651f2b91a 100644 --- a/roles/postgres_hardening/defaults/main.yml +++ b/roles/postgres_hardening/defaults/main.yml @@ -9,3 +9,7 @@ postgres_hardening_restart_postgres: true # Postgres user/group postgres_user: postgres postgres_group: postgres + +# SSL +ssl_enabled: "on" +ssl_ciphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH \ No newline at end of file diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index e1dceb950..9544afffc 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml 
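Review bot: The new defaults `ssl_enabled` and `ssl_ciphers` carry no role prefix, unlike `postgres_hardening_enabled` and `postgres_hardening_restart_postgres` above them; role defaults are global in Ansible, so names this generic are easy to clobber from another role or the inventory (ansible-lint's `var-naming[no-role-prefix]` flags this), and `postgres_hardening_ssl_enabled` / `postgres_hardening_ssl_ciphers` would be safer. The cipher string starts from `ALL`, and as I read OpenSSL cipher-list syntax `!ADH:!LOW:!EXP:!MD5` still leaves anonymous ECDH and other legacy suites selectable where the OpenSSL build provides them; if the baseline check permits it, a `HIGH`-based list with `!aNULL` would be the tighter default.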
@@ -68,30 +68,45 @@ msg: "Postgres Version is not secure or supported!" when: not postgres_version or 'RC' in postgres_version_raw or 'DEVEL' in postgres_version_raw or 'BETA' in postgres_version_raw - ################################# # POSTGRES-10 ################### ################################# -- name: Manage permissions on /etc/postgresql/14/main +- name: Manage permissions on /etc/postgresql//main ansible.builtin.file: - path: /etc/postgresql/14/main + path: "/etc/postgresql/{{ postgres_version }}/main" state: directory owner: "{{ postgres_user }}" group: "{{ postgres_group }}" mode: u=rwx,g=,o= -- name: Manage permissions on /etc/postgresql/14/main/postgresql.conf +- name: Manage permissions on /etc/postgresql//main/postgresql.conf ansible.builtin.file: - path: /etc/postgresql/14/main/postgresql.conf + path: "/etc/postgresql/{{ postgres_version }}/main/postgresql.conf" state: file owner: "{{ postgres_user }}" group: "{{ postgres_group }}" mode: u=rw,g=r,o= -- name: Manage permissions on /etc/postgresql/14/main/pg_hba.conf +- name: Manage permissions on /etc/postgresql//main/pg_hba.conf ansible.builtin.file: - path: /etc/postgresql/14/main/pg_hba.conf + path: "/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf" state: file owner: "{{ postgres_user }}" group: "{{ postgres_group }}" mode: u=rw,g=,o= + +################################# +# POSTGRES-11/12 ################ +################################# +- name: Secure postgresql.conf Configuration + ansible.builtin.lineinfile: + path: "/etc/postgresql/{{ postgres_version }}/main/postgresql.conf" + line: "{{ item.line }}" + regexp: "{{ item.regexp }}" + state: present + with_items: + - line: "ssl = {{ ssl_enabled }}" + regexp: "#?ssl\\s?=" + - line: "ssl_ciphers = '{{ ssl_ciphers }}'" + regexp: "#?ssl_ciphers\\s?=" + notify: Restart postgres \ No newline at end of file From 5c3c04f1c59ebbf3498fd1c64fbc8d9583e4baa7 Mon Sep 17 00:00:00 2001 
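Review bot: The `regexp` values in `Secure postgresql.conf Configuration` are unanchored and allow at most one whitespace character (`#?ssl\\s?=`), so `lineinfile`, which edits the last matching line, can pick a match inside an unrelated comment and will miss `ssl  = on` written with two spaces or a tab, appending a second directive at the end of the file instead. `regexp: "^#?\\s*ssl\\s*="` (and the same shape for `ssl_ciphers`) makes the intended match explicit. The task's `path` also depends on `postgres_version` being derived correctly by the version-parsing task, which lies outside this hunk.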
From: "Mahdi Fooladgar (professormahi)" Date: Wed, 6 Dec 2023 21:26:44 +0330 Subject: [PATCH 12/24] Feat: Add Postgres-16 Signed-off-by: Mahdi Fooladgar (professormahi) --- roles/postgres_hardening/defaults/main.yml | 11 ++++++++++- roles/postgres_hardening/tasks/hardening.yml | 18 ++++++++++++++++-- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/roles/postgres_hardening/defaults/main.yml b/roles/postgres_hardening/defaults/main.yml index 651f2b91a..d8f7bc259 100644 --- a/roles/postgres_hardening/defaults/main.yml +++ b/roles/postgres_hardening/defaults/main.yml @@ -12,4 +12,13 @@ postgres_group: postgres # SSL ssl_enabled: "on" -ssl_ciphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH \ No newline at end of file +ssl_ciphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH + +# Logging +logging_collector: "on" +log_connections: "on" +log_disconnections: "on" +log_duration: "on" +log_hostname: "on" +log_directory: pg_log +log_line_prefix: "%t %u %d %h" \ No newline at end of file diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index 9544afffc..901425637 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml @@ -96,7 +96,7 @@ mode: u=rw,g=,o= ################################# -# POSTGRES-11/12 ################ +# POSTGRES-11/12/16 ############# ################################# - name: Secure postgresql.conf Configuration ansible.builtin.lineinfile: 
@@ -106,7 +106,21 @@ state: present with_items: - line: "ssl = {{ ssl_enabled }}" - regexp: "#?ssl\\s?=" + regexp: "#?ssl\\s?=" - line: "ssl_ciphers = '{{ ssl_ciphers }}'" regexp: "#?ssl_ciphers\\s?=" + - line : "logging_collector = {{ logging_collector }}" + regexp: "#?logging_collector\\s?=" + - line: "log_connections = {{ log_connections }}" + regexp: "#?log_connections\\s?=" + - line: "log_disconnections = {{ log_disconnections }}" + regexp: "#?log_disconnections\\s?=" + - line: "log_duration = {{ log_duration }}" + regexp: "#?log_duration\\s?=" + - line: "log_hostname = {{ log_hostname }}" + regexp: "#?log_hostname\\s?=" + - line: "log_directory = '{{ log_directory }}'" + regexp: "#?log_directory\\s?=" + - line: "log_line_prefix = '{{ log_line_prefix }}'" + regexp: "#?log_line_prefix\\s?=" notify: Restart postgres \ No newline at end of file From 05f3c60efbb3f809d9723ddc763d569891c9c3b6 Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Wed, 6 Dec 2023 21:36:28 +0330 Subject: [PATCH 13/24] Feat: Add Postgres-20 Signed-off-by: Mahdi Fooladgar (professormahi) --- roles/postgres_hardening/tasks/hardening.yml | 25 +++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index 901425637..df53dd167 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml @@ -106,10 +106,10 @@ state: present with_items: - line: "ssl = {{ ssl_enabled }}" - regexp: "#?ssl\\s?=" + regexp: "#?ssl\\s?=" - line: "ssl_ciphers = '{{ ssl_ciphers }}'" regexp: "#?ssl_ciphers\\s?=" - - line : "logging_collector = {{ logging_collector }}" + - line: "logging_collector = {{ logging_collector }}" regexp: "#?logging_collector\\s?=" - line: "log_connections = {{ log_connections }}" regexp: "#?log_connections\\s?=" 
@@ -123,4 +123,23 @@ regexp: "#?log_directory\\s?=" - line: "log_line_prefix = '{{ log_line_prefix }}'" regexp: "#?log_line_prefix\\s?=" - notify: Restart postgres \ No newline at end of file + notify: Restart postgres + +################################# +# POSTGRES-20 ################### +################################# +- name: Manage permissions on /var/lib/postgresql//main + ansible.builtin.file: + path: "/var/lib/postgresql/{{ postgres_version }}/main" + state: directory + owner: "{{ postgres_user }}" + group: "{{ postgres_group }}" + mode: u=rwx,g=,o= + +- name: Manage permissions on /var/log/postgresql + ansible.builtin.file: + path: /var/log/postgresql + state: directory + owner: "{{ postgres_user }}" + group: "{{ postgres_group }}" + mode: u=rwx,g=,o= From d87d37e5803f8166be666fd7a762c27bb3e3d55c Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Wed, 6 Dec 2023 22:09:02 +0330 Subject: [PATCH 14/24] Feat: Add Postgres-13/14/15 Signed-off-by: Mahdi Fooladgar (professormahi) --- roles/postgres_hardening/defaults/main.yml | 2 +- roles/postgres_hardening/tasks/hardening.yml | 20 +++++++++++-------- .../postgres_hardening/templates/pg_hba.conf | 5 +++++ 3 files changed, 18 insertions(+), 9 deletions(-) create mode 100644 roles/postgres_hardening/templates/pg_hba.conf diff --git a/roles/postgres_hardening/defaults/main.yml b/roles/postgres_hardening/defaults/main.yml index d8f7bc259..bc4448ce6 100644 --- a/roles/postgres_hardening/defaults/main.yml +++ b/roles/postgres_hardening/defaults/main.yml @@ -21,4 +21,4 @@ log_disconnections: "on" log_duration: "on" log_hostname: "on" log_directory: pg_log -log_line_prefix: "%t %u %d %h" \ No newline at end of file +log_line_prefix: "%t %u %d %h" diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index df53dd167..dfe58bfd3 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml 
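Review bot: Both new task names read `/var/lib/postgresql//main` because the version segment was dropped from the name while `path` still interpolates `{{ postgres_version }}`; naming the task `Manage permissions on /var/lib/postgresql/<version>/main` (or templating the version into the name) avoids a misleading log line. The second task also makes `/var/log/postgresql` owned by `{{ postgres_user }}` with `u=rwx,g=,o=`, which appears to diverge from the ownership the Ubuntu packaging ships for that directory and could affect any non-postgres process that writes there, so it is worth confirming on a stock install before keeping it. With `log_directory: pg_log` from the defaults, the collector writes inside the data directory rather than here, which makes the purpose of this second task worth a comment.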
@@ -87,14 +87,6 @@ group: "{{ postgres_group }}" mode: u=rw,g=r,o= -- name: Manage permissions on /etc/postgresql//main/pg_hba.conf - ansible.builtin.file: - path: "/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf" - state: file - owner: "{{ postgres_user }}" - group: "{{ postgres_group }}" - mode: u=rw,g=,o= - ################################# # POSTGRES-11/12/16 ############# ################################# @@ -125,6 +117,18 @@ regexp: "#?log_line_prefix\\s?=" notify: Restart postgres +################################# +# POSTGRES-13/14/15 ############# +################################# +- name: Secure pg_hba.conf Configuration + ansible.builtin.template: + src: templates/pg_hba.conf + dest: /etc/postgresql/{{ postgres_version }}/main/pg_hba.conf + owner: "{{ postgres_user }}" + group: "{{ postgres_group }}" + mode: u=rw,g=,o= + notify: Restart postgres + ################################# # POSTGRES-20 ################### ################################# diff --git a/roles/postgres_hardening/templates/pg_hba.conf b/roles/postgres_hardening/templates/pg_hba.conf new file mode 100644 index 000000000..61f853bfc --- /dev/null +++ b/roles/postgres_hardening/templates/pg_hba.conf @@ -0,0 +1,5 @@ +local all postgres peer +local all all peer +hostssl all all 127.0.0.1/32 scram-sha-256 +hostssl all all ::1/128 scram-sha-256 +local replication all peer \ No newline at end of file From f171c9df0d62c2a230e4b6becb991d0e315b1cfc Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Thu, 7 Dec 2023 17:24:37 +0330 Subject: [PATCH 15/24] Feat: Add support for Postgres-07 and Ubuntu2004 Signed-off-by: Mahdi Fooladgar (professormahi) --- .github/workflows/postgres_hardening.yml | 2 +- molecule/postgres_hardening/geerlingguy_postgresql_vars.yml | 3 ++- roles/postgres_hardening/defaults/main.yml | 3 +++ roles/postgres_hardening/tasks/hardening.yml | 4 +++- 4 files changed, 9 insertions(+), 3 deletions(-) 
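Review bot: The new template task replaces `pg_hba.conf` with a fixed file that keeps only peer and loopback `hostssl` rules, so any remote `host` rule an operator relied on is removed without a trace and the role exposes no variable to re-add one; at minimum `backup: true` on the `ansible.builtin.template` task preserves the previous file, and the README should state that the role rewrites `pg_hba.conf` wholesale. `dest` is the only templated path in this file left unquoted (`dest: /etc/postgresql/{{ postgres_version }}/main/pg_hba.conf` against the quoted `path:` values in the sibling tasks); quoting it keeps the style consistent. `src: templates/pg_hba.conf` resolves only through the role-directory lookup fallback, whereas the conventional `src: pg_hba.conf` is looked up in the role's `templates/` directory directly. The template file in the following hunk also lacks a trailing newline.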
diff --git a/.github/workflows/postgres_hardening.yml b/.github/workflows/postgres_hardening.yml index db72befef..124889eae 100644 --- a/.github/workflows/postgres_hardening.yml +++ b/.github/workflows/postgres_hardening.yml @@ -41,7 +41,7 @@ jobs: # - centosstream9 # - rocky8 # - rocky9 - - ubuntu1804 + # - ubuntu1804 - ubuntu2004 - ubuntu2204 # - debian10 diff --git a/molecule/postgres_hardening/geerlingguy_postgresql_vars.yml b/molecule/postgres_hardening/geerlingguy_postgresql_vars.yml index 9799d28e9..a88dddc51 100644 --- a/molecule/postgres_hardening/geerlingguy_postgresql_vars.yml +++ b/molecule/postgres_hardening/geerlingguy_postgresql_vars.yml @@ -2,4 +2,5 @@ postgresql_databases: - name: example_db postgresql_users: - name: postgres - password: iloverandompasswordsbutthiswilldo \ No newline at end of file + password: iloverandompasswordsbutthiswilldo +postgresql_auth_method: scram-sha-256 \ No newline at end of file diff --git a/roles/postgres_hardening/defaults/main.yml b/roles/postgres_hardening/defaults/main.yml index bc4448ce6..7a7ae0cb6 100644 --- a/roles/postgres_hardening/defaults/main.yml +++ b/roles/postgres_hardening/defaults/main.yml @@ -10,6 +10,9 @@ postgres_hardening_restart_postgres: true postgres_user: postgres postgres_group: postgres +# Password Authentication +password_encryption: scram-sha-256 + # SSL ssl_enabled: "on" ssl_ciphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index dfe58bfd3..0fd3f485b 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml @@ -88,7 +88,7 @@ mode: u=rw,g=r,o= ################################# -# POSTGRES-11/12/16 ############# +# POSTGRES-07/11/12/16 ########## ################################# - name: Secure postgresql.conf Configuration ansible.builtin.lineinfile: 
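Review bot: `password_encryption: scram-sha-256` in the defaults hunk only governs how passwords set from now on are hashed; roles that already hold md5 hashes keep them, and because the role's `pg_hba.conf` template authenticates loopback clients with `scram-sha-256`, those roles cannot log in until their password is re-set. A comment above the new default should say so, e.g. `# Applies to passwords set after this change; roles with existing md5 hashes must have their password re-set to authenticate under the scram-sha-256 rules in pg_hba.conf`. The same caveat belongs in the README next to the variable.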
@@ -97,6 +97,8 @@ regexp: "{{ item.regexp }}" state: present with_items: + - line: "password_encryption = {{ password_encryption }}" + regexp: "#?password_encryption\\s?=" - line: "ssl = {{ ssl_enabled }}" regexp: "#?ssl\\s?=" - line: "ssl_ciphers = '{{ ssl_ciphers }}'" From 82fb017e59c071be12cdc9274ba5b95349a8fc1f Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Fri, 8 Dec 2023 14:11:53 +0330 Subject: [PATCH 16/24] Fix: geerlingguy_postgresql_vars.yml should be excluded from ansible-lint Signed-off-by: Mahdi Fooladgar (professormahi) --- .config/ansible-lint.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml index d5770786c..8411a546f 100644 --- a/.config/ansible-lint.yml +++ b/.config/ansible-lint.yml @@ -11,6 +11,7 @@ exclude_paths: - molecule/ssh_hardening_bsd/waivers_freebsd13.yaml - molecule/ssh_hardening_bsd/waivers_freebsd14.yaml - molecule/ssh_hardening_bsd/waivers_openbsd7.yaml + - molecule/postgres_hardening/geerlingguy_postgresql_vars.yml mock_roles: - geerlingguy.git From ebb1d9db6f75541241a491441ff1a632bb917447 Mon Sep 17 00:00:00 2001 From: "Mahdi Fooladgar (professormahi)" Date: Fri, 8 Dec 2023 14:57:20 +0330 Subject: [PATCH 17/24] Fix: refactor all linting problems Signed-off-by: Mahdi Fooladgar (professormahi) --- .config/ansible-lint.yml | 1 + .github/labeler.yml | 7 +++---- .github/workflows/postgres_hardening.yml | 3 ++- molecule/postgres_hardening/converge.yml | 9 ++++----- molecule/postgres_hardening/prepare.yml | 11 ++++++----- molecule/postgres_hardening/requirements.yml | 5 ++--- molecule/postgres_hardening/verify.yml | 6 +++--- 7 files changed, 21 insertions(+), 21 deletions(-) diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml index 8411a546f..b14b1fefe 100644 --- a/.config/ansible-lint.yml +++ b/.config/ansible-lint.yml 
@@ -16,6 +16,7 @@ exclude_paths: mock_roles: - geerlingguy.git - nginxinc.nginx + - geerlingguy.postgresql skip_list: - var-naming[no-role-prefix] diff --git a/.github/labeler.yml b/.github/labeler.yml index 2ce525108..7f5773a1f 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -29,10 +29,9 @@ nginx_hardening: - molecule/nginx_hardening/** - .github/workflows/nginx_hardening.yml - postgres_hardening: - changed-files: - any-glob-to-any-file: - - "roles/postgres_hardening/**" - - "molecule/postgres_hardening/**" - - ".github/workflows/postgres_hardening.yml" + - "roles/postgres_hardening/**" + - "molecule/postgres_hardening/**" + - ".github/workflows/postgres_hardening.yml" diff --git a/.github/workflows/postgres_hardening.yml b/.github/workflows/postgres_hardening.yml index 124889eae..30e491b4d 100644 --- a/.github/workflows/postgres_hardening.yml +++ b/.github/workflows/postgres_hardening.yml @@ -78,7 +78,8 @@ jobs: - name: Temporary fix for roles run: | mkdir -p /home/runner/.ansible - ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles + ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \ + /home/runner/.ansible/roles - name: Test with molecule run: | diff --git a/molecule/postgres_hardening/converge.yml b/molecule/postgres_hardening/converge.yml index 79ad90828..7ae261c11 100644 --- a/molecule/postgres_hardening/converge.yml +++ b/molecule/postgres_hardening/converge.yml 
@@ -1,13 +1,12 @@ --- -- name: wrapper playbook for kitchen testing "ansible-postgres-hardening" with custom settings +- name: Wrapper playbook for kitchen testing "ansible-postgres-hardening" with custom settings become: true hosts: all - collections: - - devsec.hardening environment: http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" tasks: - - include_role: - name: postgres_hardening + - name: Start Hardening + ansible.builtin.include_role: + name: devsec.hardening.postgres_hardening diff --git a/molecule/postgres_hardening/prepare.yml b/molecule/postgres_hardening/prepare.yml index 6888e3308..fc9e8e65c 100644 --- a/molecule/postgres_hardening/prepare.yml +++ b/molecule/postgres_hardening/prepare.yml @@ -1,5 +1,5 @@ --- -- name: prepare playbook for kitchen testing "ansible-postgres-hardening" with custom settings +- name: Prepare playbook for kitchen testing "ansible-postgres-hardening" with custom settings become: true hosts: all environment: @@ -9,11 +9,12 @@ vars_files: - geerlingguy_postgresql_vars.yml tasks: - - name: install required packages - package: + - name: Install required packages + ansible.builtin.package: name: "python3-apt" update_cache: true ignore_errors: true # noqa ignore-errors - - include_role: - name: geerlingguy.postgresql \ No newline at end of file + - name: Installing PostgreSQL + ansible.builtin.include_role: + name: geerlingguy.postgresql diff --git a/molecule/postgres_hardening/requirements.yml b/molecule/postgres_hardening/requirements.yml index f3aeeb733..f9f654283 100644 --- a/molecule/postgres_hardening/requirements.yml +++ b/molecule/postgres_hardening/requirements.yml @@ -2,6 +2,5 @@ collections: - community.postgresql -roles: - - geerlingguy.postgresql - +roles: + - name: geerlingguy.postgresql 
diff --git a/molecule/postgres_hardening/verify.yml b/molecule/postgres_hardening/verify.yml index 554f7a24f..1fa1b51e8 100644 --- a/molecule/postgres_hardening/verify.yml +++ b/molecule/postgres_hardening/verify.yml @@ -15,7 +15,7 @@ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" tasks: - name: Execute cinc-auditor tests - command: > + ansible.builtin.command: > docker run --volume /run/docker.sock:/run/docker.sock docker.io/cincproject/auditor exec @@ -27,10 +27,10 @@ ignore_errors: true - name: Display details about the cinc-auditor results - debug: + ansible.builtin.debug: msg: "{{ test_results.stdout_lines }}" - name: Fail when tests fail - fail: + ansible.builtin.fail: msg: "Inspec failed to validate" when: test_results.rc != 0 From c28749d9c739ee2a326eaa3e9b7119e91dc2e0a0 Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Sat, 27 Apr 2024 09:39:47 +0330 Subject: [PATCH 18/24] Fix: Remove debug Tasks Co-authored-by: Sebastian Gumprich --- roles/postgres_hardening/tasks/hardening.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index 0fd3f485b..49d9a638b 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml @@ -25,9 +25,6 @@ ################################# # Check Compatibility ########### ################################# -- name: Print the OS - ansible.builtin.debug: - var: ansible_facts.os_family - name: Only compatible OS versions ansible.builtin.fail: From c3b66011ae3729881519b74fa7d3eb1a1ae881a4 Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Sat, 27 Apr 2024 09:40:20 +0330 Subject: [PATCH 19/24] Fix: remove typo about supporting Debian Co-authored-by: Sebastian Gumprich --- roles/postgres_hardening/tasks/hardening.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index 49d9a638b..1c3006c14 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml @@ -29,7 +29,7 @@ - name: Only compatible OS versions ansible.builtin.fail: msg: "Only Ubuntu/Debian are supported" - when: ansible_facts.os_family not in ["Ubuntu", "Debian"] + when: ansible_facts.os_family not in ["Ubuntu"] ################################# # POSTGRES-01 ################### From c8c6982972f0e39afe15afd052c7036ab2e16e38 Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Sat, 27 Apr 2024 09:40:59 +0330 Subject: [PATCH 20/24] Fix: Remove debug Tasks Co-authored-by: Sebastian Gumprich --- roles/postgres_hardening/tasks/hardening.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index 1c3006c14..6174d7c4c 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml @@ -48,9 +48,6 @@ changed_when: false check_mode: false -- name: Print the postgres version - ansible.builtin.debug: - var: postgres_version_raw - name: Parse postgres-version ansible.builtin.set_fact: From 8da4e0d4ed44ed7886eb3d8a0e4203913ab6471e Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Sat, 27 Apr 2024 09:41:22 +0330 Subject: [PATCH 21/24] Fix: Remove Debug Tasks. Co-authored-by: Sebastian Gumprich --- roles/postgres_hardening/tasks/hardening.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index 6174d7c4c..179990d66 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml 
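Review bot: `ansible_facts.os_family` reports `Debian` on Ubuntu hosts, so `when: ansible_facts.os_family not in ["Ubuntu"]` is true on every host and the fail task now aborts the role on the very platform it targets; the earlier `["Ubuntu", "Debian"]` list only passed because of the `Debian` entry. The check should use the distribution fact, `when: ansible_facts.distribution not in ["Ubuntu"]`, and the message should be brought in line with it, `msg: "Only Ubuntu is supported"`, since it still says Ubuntu/Debian. The `Only compatible OS versions` task starts before this hunk's first changed line but is fully visible.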
@@ -53,9 +53,6 @@ ansible.builtin.set_fact: postgres_version: "{{ postgres_version_raw.stdout | regex_search('psql\\s\\(PostgreSQL\\)\\s(12|13|14|15|16).*', '\\1') | first }}" -- name: Print the postgres version - ansible.builtin.debug: - var: postgres_version - name: Only compatible postgres versions allowed ansible.builtin.fail: From 88bc36460324851a463d54cc169311ae4eaf156a Mon Sep 17 00:00:00 2001 From: Mahdi Fooladgar Date: Sat, 27 Apr 2024 09:42:39 +0330 Subject: [PATCH 22/24] Fix: use octal format for modes Co-authored-by: Sebastian Gumprich --- roles/postgres_hardening/tasks/hardening.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/postgres_hardening/tasks/hardening.yml b/roles/postgres_hardening/tasks/hardening.yml index 179990d66..7b36e0d24 100644 --- a/roles/postgres_hardening/tasks/hardening.yml +++ b/roles/postgres_hardening/tasks/hardening.yml @@ -68,7 +68,7 @@ state: directory owner: "{{ postgres_user }}" group: "{{ postgres_group }}" - mode: u=rwx,g=,o= + mode: "0700" - name: Manage permissions on /etc/postgresql//main/postgresql.conf ansible.builtin.file: @@ -76,7 +76,7 @@ state: file owner: "{{ postgres_user }}" group: "{{ postgres_group }}" - mode: u=rw,g=r,o= + mode: "0640" ################################# # POSTGRES-07/11/12/16 ########## From 533b8c4e8893ed6a992631cef765ec222a3c17bb Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Fri, 2 Aug 2024 09:22:47 +0000 Subject: [PATCH 23/24] update ssh_hardening readme --- roles/ssh_hardening/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md index 420edacb3..05d0ea51a 100644 --- a/roles/ssh_hardening/README.md +++ b/roles/ssh_hardening/README.md @@ -46,7 +46,6 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec ## Supported Operating Systems - - EL - 8, 9 - Ubuntu From 22c9f5943f80aff776a30b673b87bbd4d7d7a1bb Mon Sep 17 00:00:00 2001 
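Review bot: The octal conversion in the two PATCH 22 hunks covers only the `mode:` lines for the config directory and postgresql.conf; the pg_hba.conf template task (`u=rw,g=,o=`) and the two POSTGRES-20 directory tasks (`u=rwx,g=,o=`) in the same file keep the symbolic form, so the file now mixes both notations. Converting those to `mode: "0600"` and `mode: "0700"` (quoted, as done here, so YAML does not read them as integers) completes the change. The `"0640"` and `"0700"` values chosen here are the exact equivalents of the symbolic modes they replace.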
From: dev-sec CI Date: Fri, 2 Aug 2024 09:22:49 +0000 Subject: [PATCH 24/24] update os_hardening readme --- roles/os_hardening/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md index 27835b8d7..51989252d 100644 --- a/roles/os_hardening/README.md +++ b/roles/os_hardening/README.md @@ -145,7 +145,6 @@ This role is mostly based on guides by: ## Supported Operating Systems - - EL - 8, 9 - Ubuntu