cookbook 'postgres-hardening', '~> 2.0.0'
postgres-hardening (3) Versions 2.0.0 Follow12
Installs and configures a secure posgres server
cookbook 'postgres-hardening', '~> 2.0.0', :supermarket
knife supermarket install postgres-hardening
knife supermarket download postgres-hardening
postgres-hardening (Postgres cookbook)
Description
Provides security configurations for postgres.
Note: This is currently work in progress and not tested on all supported platforms
Requirements
- Chef >= 12.5.1
Platform
- Debian 7, 8
- Ubuntu 12.04, 14.04, 16.04
- RHEL 6, 7
- CentOS 6, 7
- Oracle Linux 6, 7
Usage
This cookbook is optimized to work with os-hardening and ssh-hardening. It will play well without, but you need to ensure all preconditions like apt-get update
or yum update
are met.
add the following to your runlist and customize security option attributes
"recipe[postgresql::server]", "recipe[postgres-hardening]"
You should also use the official postgres packages, because those offer the latest fixes. Enable the suitable option for the postgres cookbook.
"postgresql": { # debian, ubuntu "enable_pgdg_apt": true # rhel "enable_pgdg_yum": true }
The hardening cookbook is only optimized for Postgresql 9.4. This can be activated for [postgres cookbook](https://github.com/sous-chefs/postgresql.
"postgresql": { version: "9.4" }
Enable SSL
Please read http://www.postgresql.org/docs/9.1/static/ssl-tcp.html first.
This cookbook will delete the links from /var/lib/postgresql/#{node['postgresql']['version']}/main/server.crt
to /etc/ssl/certs/ssl-cert-snakeoil.pem
and /var/lib/postgresql/#{node['postgresql']['version']}/main/server.key
to /etc/ssl/private/ssl-cert-snakeoil.key
on Debian systems. This certificates are self-signed (see http://en.wikipedia.org/wiki/Snake_oil_%28cryptography%29) and therefore not trusted. You have to provide your own trusted certificates for SSL.
Security Options
node['postgresql']['config']['logging_collector'] = true
This parameter enables the logging collector, which is a background process
that captures log messages sent to stderr and redirects them into log files.
See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
Defaults to:true
node['postgresql']['config']['log_directory'] = 'pg_log'
When logging_collector is enabled, this parameter determines the
directory in which log files will be created.
See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
Defaults to:pg_log
node['postgresql']['config']['log_connections'] = true
Causes each attempted connection to the server to be logged, as well as successful
completion of client authentication.
See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
Defaults to:true
node['postgresql']['config']['log_disconnections'] = true
This outputs a line in the server log similar to log_connections but at session
termination, and includes the duration of the session.
See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
Defaults to:true
node['postgresql']['config']['log_duration'] = true
Causes the duration of every completed statement to be logged
See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
Defaults to:true
node['postgresql']['config']['log_hostname'] = true
By default, connection log messages only show the IP address of the connecting host.
See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
Defaults to:true
node['postgresql']['config']['log_line_prefix'] = '%t %u %d %h'
This is a printf-style string that is output at the beginning of each log line.
See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
Defaults to:%t %u %d %h
node['postgresql']['config']['password_encryption'] = true
When a password is specified in CREATE USER or ALTER ROLE without writing either
ENCRYPTED or UNENCRYPTED, this parameter determines whether the password is to be encrypted.
See http://www.postgresql.org/docs/9.1/static/runtime-config-connection.html for details
Defaults to:true
node['postgresql']['config']['ssl'] = false
Enables SSL connections. Please read http://www.postgresql.org/docs/9.1/static/ssl-tcp.html
SSL certificates are out of scope of this module. This is why this setting defaults tooff
.
You have to provide ssl certificates before the startup of postgres, otherwise it will fail to start.
See http://www.postgresql.org/docs/9.1/static/runtime-config-connection.html for details
Defaults to:false
Tests
# Install dependencies gem install bundler bundle install # Do lint checks bundle exec rake lint # fast test on one machine bundle exec kitchen test default-apt-ubuntu-1604 # test on all machines bundle exec kitchen test # for development bundle exec kitchen create default-apt-ubuntu-1604 bundle exec kitchen converge default-apt-ubuntu-1604
Contributors + Kudos
- Edmund Haselwanter ehaselwanter
- Dominik Richter arlimus
- Christoph Hartmann chris-rock
- Patrick Muench atomic111
License and Author
- Author:: Deutsche Telekom AG
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
postgresql >= 6.0.0 |
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
Change Log
v1.1.0 (2017-01-03)
Closed issues:
- Remove default self-generated ssl certificates #3
Merged pull requests:
- 1.1.0, add changelog, update gems #22 (chris-rock)
- upgrade to Berkshelf 4 #21 (chris-rock)
- update common kitchen.yml platforms #20 (chris-rock)
- add copyright header #19 (chris-rock)
- update common Gemfile for chef11+12 #18 (arlimus)
- common files: centos7 + rubocop #17 (arlimus)
- update travis tests for chef 11 and chef 12 #16 (chris-rock)
- update common kitchen.yml platforms #15 (arlimus)
- update common readme badges, kitchen.yml platforms #14 (arlimus)
- Fix Tests #13 (chris-rock)
- updating common files #12 (arlimus)
- add badges to readme #11 (chris-rock)
- add chefspec first pass, 100% coverage #10 (ehaselwanter)
- updating common files #9 (arlimus)
- updating common files #8 (arlimus)
- improvement: switch to site location in berkshelf #7 (chris-rock)
v1.0.0 (2014-09-02)
Merged pull requests:
- Overlay #6 (chris-rock)
- Lint #5 (chris-rock)
- add reame info for ssl and attributes, default ssl to false/off, remove snake-oil cert links #4 (ehaselwanter)
- add all boxes. remove all config for redhat derivates (missing cert) for now. #2 (ehaselwanter)
- add hardening requirements #1 (ehaselwanter)
* This Change Log was automatically generated by github_changelog_generator
Collaborator Number Metric
2.0.0 passed this metric
Contributing File Metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
2.0.0 passed this metric
No Binaries Metric
2.0.0 failed this metric
Failure: Cookbook should not contain binaries. Found:
postgres-hardening/templates/default/hardening.cnf.erb
Testing File Metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
2.0.0 passed this metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
2.0.0 passed this metric
No Binaries Metric
2.0.0 failed this metric
Failure: Cookbook should not contain binaries. Found:
postgres-hardening/templates/default/hardening.cnf.erb
Testing File Metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
2.0.0 passed this metric
2.0.0 failed this metric
Failure: Cookbook should not contain binaries. Found:
postgres-hardening/templates/default/hardening.cnf.erb
Testing File Metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
2.0.0 failed this metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number