
Finished PostgreSQL STIG playbook and added appendices

master
Micah Halter, 10 months ago
commit 2762daaa8e
4 changed files with 242 additions and 34 deletions
  1. README.md (+94, -8)
  2. U_PostgreSQL_9-x_V1R6_Supplemental.pdf (BIN)
  3. roles/disa-v1r6/defaults/main.yml (+7, -1)
  4. roles/disa-v1r6/tasks/main.yml (+141, -25)

README.md (+94, -8)

@ -5,11 +5,97 @@ PostgreSQL to the DoD STIG v1r6.
## Rules to Investigate Manually
| Severity | Vulid | STIG-ID | Note |
|----------|---------|----------------|------|
| CAT II | V-72843 | PGS9-00-000200 |
| CAT II | V-72849 | PGS9-00-000500 |
| CAT II | V-72855 | PGS9-00-000710 | limit privleges to specific users/tasks |
| CAT II | V-72859 | PGS9-00-000900 | authentication requirements |
| CAT II | V-72865 | PGS9-00-001300 | permissions of roles |
| CAT II | V-72885 | PGS9-00-002300 | logging |
| Severity | Vulid | STIG-ID | Note |
|----------|---------|----------------|------------------------------------------------------------------|
| CAT II | V-72843 | PGS9-00-000200 | setup pgaudit |
| CAT II | V-72845 | PGS9-00-000300 | security updates |
| CAT II | V-72849 | PGS9-00-000500 | organization level authentication |
| CAT II | V-72855 | PGS9-00-000710 | limit privleges to specific users/tasks |
| CAT II | V-72859 | PGS9-00-000900 | authentication requirements |
| CAT II | V-72861 | PGS9-00-001100 | security labeling in transmission |
| CAT II | V-72865 | PGS9-00-001300 | permissions of roles |
| CAT II | V-72867 | PGS9-00-001400 | users must be uniquely identifiable |
| CAT II | V-72869 | PGS9-00-001700 | security labeling in storage |
| CAT II | V-73055 | PGS9-00-001800 | validity of data inputs |
| CAT II | V-72873 | PGS9-00-001900 | limit dynamic code execution |
| CAT II | V-72875 | PGS9-00-002000 | dynamic code execution must check inputs |
| CAT II | V-72877 | PGS9-00-002100 | make sure there is enough audit space |
| CAT II | V-72883 | PGS9-00-002200 | enforce access control policies |
| CAT II | V-72885 | PGS9-00-002300 | logging permissions (same as PGS9-00-000400) |
| CAT II | V-72891 | PGS9-00-002600 | logging permissions (same as PGS9-00-000400) |
| CAT II | V-72895 | PGS9-00-003000 | configure ssl (Appendix G) |
| CAT II | V-72897 | PGS9-00-003100 | make sure every object has an owner |
| CAT II | V-72899 | PGS9-00-003200 | admin account must restrict access |
| CAT II | V-72901 | PGS9-00-003300 | make sure no software is installed in the postgresql data folder |
| CAT II | V-72903 | PGS9-00-003500 | set up pgaudit (Appendix B) |
| CAT II | V-72905 | PGS9-00-003600 | limit access to privileged functions |
| CAT II | V-72907 | PGS9-00-003700 | set up pgaudit (Appendix B) |
| CAT II | V-72911 | PGS9-00-004000 | isolate security and non-security functions |
| CAT II | V-72913 | PGS9-00-004100 | set up logging (Appendix C) |
| CAT II | V-72915 | PGS9-00-004200 | logging permissions (same as PGS9-00-000400) |
| CAT II | V-72917 | PGS9-00-004300 | make sure old postgres installs are removed |
| CAT II | V-72921 | PGS9-00-004500 | set up logging (Appendix C) |
| CAT II | V-72925 | PGS9-00-004700 | log connections (same as PGS9-00-004600) |
| CAT II | V-72927 | PGS9-00-004800 | set up logging (Appendix C) |
| CAT II | V-72929 | PGS9-00-004900 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-72931 | PGS9-00-005000 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-72933 | PGS9-00-005100 | log connections (same as PGS9-00-004600) |
| CAT II | V-72939 | PGS9-00-005200 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-72941 | PGS9-00-005300 | set up logging (Appendix C) |
| CAT II | V-72949 | PGS9-00-005600 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-72951 | PGS9-00-005700 | set up logging (Appendix C) |
| CAT II | V-72955 | PGS9-00-005900 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-72957 | PGS9-00-006000 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-72959 | PGS9-00-006100 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-72961 | PGS9-00-006200 | log connections (set with PGS9-00-004600) |
| CAT II | V-72963 | PGS9-00-006300 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-72965 | PGS9-00-006400 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-72969 | PGS9-00-006500 | set up logging (Appendix C) |
| CAT II | V-72971 | PGS9-00-006600 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-72973 | PGS9-00-006700 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-72975 | PGS9-00-006800 | set up logging (Appendix C) |
| CAT II | V-72977 | PGS9-00-006900 | set up logging (Appendix C) |
| CAT II | V-72979 | PGS9-00-007000 | set up ssl (Appendix G) |
| CAT II | V-72981 | PGS9-00-007200 | set up ssl (Appendix G) |
| CAT II | V-72983 | PGS9-00-007400 | set up pgaudit (Appendix B) |
| CAT II | V-72985 | PGS9-00-007700 | set up logging (Appendix C) |
| CAT II | V-72987 | PGS9-00-007800 | set up logging (Appendix C) |
| CAT II | V-72989 | PGS9-00-008000 | enable FIPS |
| CAT II | V-72991 | PGS9-00-008100 | set up ssl (Appendix G) |
| CAT II | V-72993 | PGS9-00-008200 | enable FIPS |
| CAT II | V-72995 | PGS9-00-008300 | set up pgcrypto (Appendix E) |
| CAT II | V-72997 | PGS9-00-008400 | maintain appropriate permissions |
| CAT II | V-72999 | PGS9-00-008500 | separate admins and general users |
| CAT II | V-73001 | PGS9-00-008600 | set up logging (Appendix C) |
| CAT II | V-73003 | PGS9-00-008700 | set up pgcrypto (Appendix E) |
| CAT II | V-73005 | PGS9-00-008800 | log connections (set with PGS9-00-004600) |
| CAT II | V-73007 | PGS9-00-008900 | drop unused extensions |
| CAT II | V-73009 | PGS9-00-009100 | maintain access to external functions |
| CAT II | V-73011 | PGS9-00-009200 | remove unused database components |
| CAT II | V-73013 | PGS9-00-009400 | maintain organization level security |
| CAT II | V-73017 | PGS9-00-009600 | separate admins and general users |
| CAT II | V-73019 | PGS9-00-009700 | log connections (set with PGS9-00-004600) |
| CAT II | V-73023 | PGS9-00-009900 | notify sys admin when audit space hits 75% capacity |
| CAT II | V-73025 | PGS9-00-010000 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-73027 | PGS9-00-010100 | postgresql must require reauthentication when necessary |
| CAT II | V-73029 | PGS9-00-010200 | make sure ssl keys are stored in a protected directory |
| CAT II | V-73031 | PGS9-00-010300 | set up ssl (Appendix G) |
| CAT II | V-73033 | PGS9-00-010400 | log connections (set with PGS9-00-004600) |
| CAT II | V-73035 | PGS9-00-010500 | set up pgcrypto (Appendix E) |
| CAT II | V-73039 | PGS9-00-010700 | prevent unauthorized audit access |
| CAT II | V-73041 | PGS9-00-011100 | log connections (set with PGS9-00-004600) |
| CAT II | V-73043 | PGS9-00-011200 | logging permissions (same as PGS9-00-000400) |
| CAT II | V-73045 | PGS9-00-011300 | off-load audit data (same as PGS9-00-003800) |
| CAT II | V-73047 | PGS9-00-011400 | set up ssl (Appendix G) |
| CAT II | V-73049 | PGS9-00-011500 | require unique authentication for all roles |
| CAT II | V-73051 | PGS9-00-011600 | automatically disconnect users after timeout (Appendix A) |
| CAT II | V-73053 | PGS9-00-011700 | maintain appropriate permissions |
| CAT II | V-73055 | PGS9-00-011800 | set up ssl (Appendix G) |
| CAT II | V-73057 | PGS9-00-011900 | protect data during data transfer |
| CAT II | V-73059 | PGS9-00-012000 | maintain appropriate permissions |
| CAT II | V-73061 | PGS9-00-012200 | logging permissions (same as PGS9-00-000400) |
| CAT II | V-73063 | PGS9-00-012300 | set up ssl (Appendix G) |
| CAT II | V-73065 | PGS9-00-012500 | pgaudit log (set with PGS9-00-004400) |
| CAT II | V-73067 | PGS9-00-012600 | log connections (set with PGS9-00-004600) |
| CAT II | V-73069 | PGS9-00-012700 | log connections (set with PGS9-00-004600) |
| CAT II | V-73071 | PGS9-00-012800 | enable FIPS |
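Review bot: V-73055 appears twice in the new table, on the PGS9-00-001800 row and again on the PGS9-00-011800 row; a Vulid maps to exactly one STIG rule, so one of the two is a transcription error and should be checked against the STIG before this table is used as a checklist. Two smaller points in the same rows: "privleges" on the PGS9-00-000710 row was carried over from the old table, and the Note column cites Appendix A, B, C, E and G without saying where they live; a sentence above the table pointing at U_PostgreSQL_9-x_V1R6_Supplemental.pdf, added in this same commit, would make those references resolvable. The heading "Rules to Investigate Manually" also no longer fits every row: entries such as "logging permissions (same as PGS9-00-000400)" and "pgaudit log (set with PGS9-00-004400)" are covered by tasks in roles/disa-v1r6/tasks/main.yml, so splitting the table into rows satisfied by an existing task and rows that still need a human review would tell the reader which ones actually remain open.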

U_PostgreSQL_9-x_V1R6_Supplemental.pdf (BIN)


roles/disa-v1r6/defaults/main.yml (+7, -1)

@ -1 +1,7 @@
---
PGPORT: "5432"
PGDATA: "/var/lib/postgres/data"
log_directory: "log"
log_timezone: "EST"
log_prefix: "< %m %a %u %d %r %p %i %e %s>"
max_connections: 10
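Review bot: PGVER is referenced by the new tasks in this commit (`/usr/pgsql-{{ PGVER }}/lib/*.so`, `/usr/pgsql-{{ PGVER }}/bin/*`) but is not defined here, so a play that does not set it fails on an undefined variable; add a `PGVER` default beside PGPORT and PGDATA. In the same block, `PGDATA: "/var/lib/postgres/data"` and the `/usr/pgsql-<ver>` binary layout the tasks assume belong to different packagings (the PGDG RPMs that install into /usr/pgsql-<ver> keep the data directory under /var/lib/pgsql/<ver>/data), so either derive PGDATA from PGVER or comment which distribution each path targets. `log_directory: "log"` is declared, but nothing in tasks/main.yml writes `log_directory` into postgresql.conf, so the chmod in the PGS9-00-000400 block may point at a directory the server never logs to; either set it with a lineinfile task or drop the variable. Finally, `max_connections: 10` is an instance-wide cap, whereas the PGS9-00-001200 task it feeds is titled "per user"; keep this as a sizing default and add a separate per-role connection limit variable rather than lowering the whole server to ten sessions.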

roles/disa-v1r6/tasks/main.yml (+141, -25)

@ -4,56 +4,172 @@
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?port
line: "port = 5432"
line: "port = {{ PGPORT }}"
notify: restart postgresql
- name: "CAT II | PGS9-00-000400 | The audit information produced by PostgreSQL must be protected from unauthorized modification"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?log_file_mode
line: "log_file_mode = 0600"
block:
- name: "Check log file mode"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?log_file_mode
line: "log_file_mode = 0600"
- name: "Fix log directory ownership"
file:
path: "{{ PGDATA}}/{{ log_directory }}"
owner: "postgres"
group: "postgres"
mode: "0700"
- name: "Fix log file permissions"
shell: "chmod 0600 {{ PGDATA }}/{{ log_directory }}/*.log"
notify: restart postgresql
- name: "CAT II | PGS9-00-000600 | The audit information produced by PostgreSQL must be protected from unauthorized modification"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?client_min_messages
line: "client_min_messages = error "
line: "client_min_messages = error"
notify: restart postgresql
- name: " CAT II | PGS9-00-000700 | Privileges to change PostgreSQL software modules must be limited."
block:
- name: "change the ownership configuration files in PGDATA"
shell: "chown postgres:postgres {{ PGDATA }}/postgresql.conf"
failed_when: "'FAILED' in command_result.stderr"
- name: "change the and permissions of files in PGDATA "
shell: "chmod 0600 {{ PGDATA }}/postgresql.conf"
failed_when: "'FAILED' in command_result.stderr"
- name: "configure permissions of postgresql configuration file"
file:
path: "{{ PGDATA }}/postgresql.conf"
owner: "postgres"
group: "postgres"
mode: "0600"
- name: " change the ownership of shared objects in /usr/pgsql-${PGVER?}/*.so "
shell: "chown root:root /usr/pgsql-{{ PGVER }}/lib/*.so"
failed_when: "'FAILED' in command_result.stderr"
failed_when: "'FAILED' in command_result.stderr"
- name: " change the opermissions of shared objects in /usr/pgsql-${PGVER?}/*.so "
shell: "chmod 0755 /usr/pgsql-{{ PGVER }}/lib/*.so"
failed_when: "'FAILED' in command_result.stderr"
shell: "chmod 0755 /usr/pgsql-${PGVER?}/lib/*.so"
failed_when: "'FAILED' in command_result.stderr"
- name: "change the ownership of executables in /usr/pgsql-${PGVER?}/bin:"
shell: "chown root:root /usr/pgsql-{{ PGVER }}/bin/*"
failed_when: "'FAILED' in command_result.stderr"
shell: "chown root:root /usr/pgsql-${PGVER?}/bin/*"
failed_when: "'FAILED' in command_result.stderr"
- name: "change the permissions of executables in /usr/pgsql-${PGVER?}/bin:"
shell: "chmod 0755 /usr/pgsql-{{ PGVER }}/bin/*"
failed_when: "'FAILED' in command_result.stderr"
shell: "chmod 0755 /usr/pgsql-${PGVER?}/bin/*"
failed_when: "'FAILED' in command_result.stderr"
- name: " CAT II | PGS9-00-000800 | If passwords are used for authentication, PostgreSQL must transmit only encrypted representations of passwords."
replace:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: password
replace: "md5"
replace: "md5"
- name: "CAT II | PGS9-00-001200 | PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: max_connections
line: "max_commnections = {{ max_connections }}"
regexp: ^#?max_connections
line: "max_connections = {{ max_connections }}"
notify: restart postgresql
- name: "CAT II | PGS9-00-002400 | PostgreSQL must record time stamps, in audit records and application data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT)."
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?log_timezone
line: "log_timezone = {{ log_timezone }}"
notify: restart postgresql
- name: "CAT II | PGS9-00-002500 | PostgreSQL must reveal detailed error messages only to the ISSO, ISSM, SA and DBA."
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?client_min_messages
line: "client_min_messages = notice"
notify: restart postgresql
- name: "CAT II | PGS9-00-003800 | PostgreSQL must utilize centralized management of the content captured in audit records generated by all components of PostgreSQL."
block:
- name: "Set log destination"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?log_destination
line: "log_destination = 'syslog'"
- name: "Set syslog facility"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?syslog_facility
line: "syslog_facility = 'LOCAL0'"
- name: "Set syslog identity"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?syslog_ident
line: "syslog_ident = 'postgres'"
notify: restart postgresql
- name: "CAT II | PGS9-00-004400 | PostgreSQL must generate audit records when categorized information (e.g., classification levels/security levels) is accessed."
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?pgaudit.log
line: "pgaudit.log = 'ddl,role,write,read'"
notify: restart postgresql
- name: "CAT II | PGS9-00-004600 | PostgreSQL must generate audit records when unsuccessful logons or connection attempts occur."
block:
- name: "Enable log connections"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?log_connections
line: "log_connections = on"
- name: "Enable log disconnections"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?log_disconnections
line: "log_disconnections = on"
- name: "Enable log hostname"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?log_hostname
line: "log_hostname = on"
- name: "Set log line prefix"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?log_line_prefix
line: "log_line_prefix = '{{ log_prefix }}'"
notify: restart postgresql
- name: "CAT II | PGS9-00-005500 | PostgreSQL must be able to generate audit records when privileges/permissions are retrieved."
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?pgaudit.log_catalog
line: "pgaudit.log_catalog = 'on'"
notify: restart postgresql
- name: "CAT II | PGS9-00-005800 | PostgreSQL must generate audit records for all privileged activities or other system-level access."
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?shared_preload_libraries
line: "shared_preload_libraries = 'pgaudit'"
notify: restart postgresql
- name: "CAT II | PGS9-00-009500 | If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords."
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?password_encryption
line: "password_encryption = on"
notify: restart postgresql
- name: "CAT II | PGS9-00-010600 | PostgreSQL must invalidate session identifiers upon user logout or other session termination."
block:
- name: "set statement timeout"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?statement_timeout
line: "statement_timeout = 10000"
- name: "set tcp idle timeout"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?tcp_keepalives_idle
line: "tcp_keepalives_idle = 10"
- name: "set tcp interval"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?tcp_keepalives_interval
line: "tcp_keepalives_interval = 10"
- name: "set tcp count"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?tcp_keepalives_count
line: "tcp_keepalives_count = 10"
notify: restart postgresql
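Review bot: the PGS9-00-000800 task runs `replace` with an unanchored `regexp: password` against postgresql.conf, which is the wrong file and the wrong pattern. Password authentication methods are selected in pg_hba.conf, not postgresql.conf, and in postgresql.conf the pattern matches `password_encryption`: on the first run that only rewrites the commented default to `#md5_encryption`, but once the PGS9-00-009500 task further down has appended `password_encryption = on`, the next run turns it into `md5_encryption = on`, which the server rejects at startup as an unrecognized parameter, and the `^#?password_encryption` regexp then never matches again. Point the task at `{{ PGDATA }}/pg_hba.conf` with a pattern limited to the method column, for example `regexp: '(\s)password\s*$'` and `replace: '\1md5'`, and notify a reload. Other things in this hunk: every `shell` task in the PGS9-00-000700 block carries `failed_when: "'FAILED' in command_result.stderr"` but nothing registers `command_result`, so the conditional itself errors on an undefined variable; drop it (chown/chmod already return non-zero on failure) or replace the globs with `find` plus `file`, which is also idempotent. PGS9-00-000600 sets `client_min_messages = error` and PGS9-00-002500 later sets it to `notice` through the same regexp, so the second silently wins, and the 000600 task name is a copy of the 000400 title; pick one value (error is the one that limits what clients see, which is what 002500 asks for) and fix the title. The PGS9-00-000400 block chmods `{{ log_directory }}/*.log` via `shell`, which reports changed on every run, and after PGS9-00-003800 switches `log_destination` to syslog those files are not where the audit trail is written anyway, so the protection belongs on the syslog destination. PGS9-00-005800 writes `shared_preload_libraries = 'pgaudit'` with a regexp that overwrites any existing list, and nothing in this hunk installs pgaudit, so the restart handler will fail to load the library on a host without the package; install it first and append rather than replace. Last, `statement_timeout = 10000` in PGS9-00-010600 is ten seconds and aborts every statement on the instance that runs longer, so it should be a default variable like max_connections rather than a literal.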
