行业智能>> postgres-baseline>> 返回
项目作者: EasyAppSecurity

项目描述 :
PostgreSQL Security Baseline Assessment - InSpec Profile - CIS Benchmark controls, secure defaults and HashiCorp Vault integration
高级语言: Ruby
项目地址: git://github.com/EasyAppSecurity/postgres-baseline.git
创建时间: 2020-05-28T11:46:02Z
项目社区:https://github.com/EasyAppSecurity/postgres-baseline
开源协议:Apache License 2.0
下载


Postgre installation Security Assessment InSpec profile

Standalone Usage

  1. Install InSpec for the profile execution

  2. Clone the repository
    ```
    $ git clone https://github.com/rusakovichma/postgres-baseline

  1. 3. Create properties .yml file in postgre-baseline/attributes folder, where specify postgre installation settings. 
  2. For example, centos7-test-attributes.yml:

user : postgres <— postgre superuser name
appuser : appuser <— application user account name
postgres_data : /var/lib/pgsql/data <— pg data directory path
postgres_conf_dir : /var/lib/pgsql/data <— pg configuration directory path
postgres_conf_path : /var/lib/pgsql/data/postgresql.conf <— postgresql.conf file path

  1. 4. Execute the profile:
  2.  - **Specifying the superuser password directly:**
  1. $ inspec exec postgres-baseline --input user_password='superuser_pass' --input-file postgres-baseline/attributes/centos7-test-attributes.yml --reporter html:/tmp/pg-inspec-baseline.html
  3. ```

  • (Recommended) Or obtain the superuser password from HashiCorp Vault:

    • Install InSpec Vault plugin:

      1. $ inspec plugin install inspec-vault

    • Ensure two environment variables are set for the plugin:

      1. VAULT_TOKEN  set to your authentication token. Contact your Vault administrator for instructions.
      2. VAULT_ADDR  set to the URL of your vault server, including the port.

    • Put PG superuser password in Vault profile space:

      1. $ vault kv put secret/inspec/postgres-baseline user_password=pg_superuser_pass

    • Run the profile:

      1. $ inspec exec postgres-baseline --input-file postgres-baseline/attributes/centos7-test-attributes.yml --reporter html:/tmp/pg-inspec-baseline.html
  1. Report of the baseline assessment will be at /tmp/pg-inspec-baseline.html

License and Author

Licensed under the Apache License, Version 2.0 (the “License”);
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

  1. http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an “AS IS” BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.