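- name: "Set 0755 on executables in /usr/pgsql-{{ PGVER }}/bin"
  # Duplicate shell/failed_when keys collapsed to one task (YAML keeps only
  # the last duplicate silently).  The original failed_when referenced a
  # 'command_result' that was never registered; it is registered here and the
  # task fails on any non-zero exit status instead of grepping stderr for a
  # 'FAILED' string that chmod never prints.  A shell is needed for the glob.
  shell: "chmod 0755 /usr/pgsql-{{ PGVER }}/bin/*"
  register: command_result
  failed_when: command_result.rc != 0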
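- name: "CAT II | PGS9-00-000800 | If passwords are used for authentication, PostgreSQL must transmit only encrypted representations of passwords."
  # The cleartext 'password' authentication method is selected in the METHOD
  # column of pg_hba.conf, not in postgresql.conf.  The previous bare
  # 'password' regexp against postgresql.conf would have rewritten the
  # 'password_encryption' parameter into 'md5_encryption' and left pg_hba.conf
  # untouched.  Only the METHOD field of an hba rule is rewritten; other
  # fields and trailing comments are preserved via backreferences.
  # md5 is the strongest built-in option on 9.x; on 10+ scram-sha-256 should
  # be preferred (together with password_encryption = scram-sha-256).
  replace:
    dest: "{{ PGDATA }}/pg_hba.conf"
    regexp: '^(\s*(?:local|host|hostssl|hostnossl)\s+\S.*?\s)password(\s*(?:#.*)?)$'
    replace: '\1md5\2'
  # pg_hba.conf changes take effect on reload; the existing restart handler
  # covers that.
  notify: restart postgresql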
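- name: "CAT II | PGS9-00-001200 | PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types"
  # Duplicate regexp/line keys removed; the misspelled 'max_commnections'
  # line would have been appended as an unknown parameter (and, with the
  # last-duplicate-wins YAML parse, may or may not have been the one used).
  # max_connections is a server-wide ceiling.  The per-user limit the control
  # names is a role attribute (ALTER ROLE ... CONNECTION LIMIT) and is not set
  # by this task.
  lineinfile:
    dest: "{{ PGDATA }}/postgresql.conf"
    regexp: '^#?max_connections'
    line: "max_connections = {{ max_connections }}"
  notify: restart postgresql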
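- name: "CAT II | PGS9-00-002400 | PostgreSQL must record time stamps, in audit records and application data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT)."
  # The value is now single-quoted in the rendered line: postgresql.conf only
  # accepts unquoted values that are plain identifiers, so a zone name such as
  # Etc/UTC would fail to parse (and block startup) if written bare.
  # The control expects a UTC-mappable zone; the log_timezone variable is
  # expected to be 'UTC' or an equivalent - verify the inventory value.
  lineinfile:
    dest: "{{ PGDATA }}/postgresql.conf"
    regexp: '^#?log_timezone'
    line: "log_timezone = '{{ log_timezone }}'"
  notify: restart postgresql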
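- name: "CAT II | PGS9-00-002500 | PostgreSQL must reveal detailed error messages only to the ISSO, ISSM, SA and DBA."
  # 'notice' is the PostgreSQL default, so the previous task changed nothing
  # and still sent NOTICE/WARNING detail to every client.  'error' restricts
  # what ordinary clients receive; full detail remains in the server log for
  # privileged roles.  Confirm the required level against the STIG check text
  # for the version in use.
  lineinfile:
    dest: "{{ PGDATA }}/postgresql.conf"
    regexp: '^#?client_min_messages'
    line: "client_min_messages = error"
  notify: restart postgresql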
- name: "CAT II | PGS9-00-003800 | PostgreSQL must utilize centralized management of the content captured in audit records generated by all components of PostgreSQL."
  # Route the server log (and therefore pgaudit output) to the local syslog
  # daemon so it can be forwarded centrally.  Note that 'syslog' as the only
  # destination stops file logging, and syslog may truncate long lines or
  # drop messages under load - size the forwarder accordingly.
  block:
    - name: "Set log destination"
      lineinfile:
        dest: "{{ PGDATA }}/postgresql.conf"
        regexp: '^#?log_destination'
        line: "log_destination = 'syslog'"
    - name: "Set syslog facility"
      lineinfile:
        dest: "{{ PGDATA }}/postgresql.conf"
        regexp: '^#?syslog_facility'
        line: "syslog_facility = 'LOCAL0'"
    - name: "Set syslog identity"
      lineinfile:
        dest: "{{ PGDATA }}/postgresql.conf"
        regexp: '^#?syslog_ident'
        line: "syslog_ident = 'postgres'"
  notify: restart postgresql
- name: "CAT II | PGS9-00-004400 | PostgreSQL must generate audit records when categorized information (e.g., classification levels/security levels) is accessed."
  # Session-level pgaudit classes: DDL, role changes, writes and reads.
  # This only has effect once pgaudit is loaded via shared_preload_libraries
  # (set by a later task) and - per the pgaudit documentation - the extension
  # has been created in the databases to be audited; verify that step exists.
  lineinfile:
    dest: "{{ PGDATA }}/postgresql.conf"
    regexp: '^#?pgaudit.log'
    line: "pgaudit.log = 'ddl,role,write,read'"
  notify: restart postgresql
- name: "CAT II | PGS9-00-004600 | PostgreSQL must generate audit records when unsuccessful logons or connection attempts occur."
  # Connection/disconnection logging covers failed logons as well as
  # successful ones.  log_hostname triggers a reverse DNS lookup for every
  # connection, which adds latency when the resolver is slow.  The prefix in
  # log_prefix should carry at least timestamp, user, database and remote
  # host (%m %u %d %r) for the records to be attributable.
  block:
    - name: "Enable log connections"
      lineinfile:
        dest: "{{ PGDATA }}/postgresql.conf"
        regexp: '^#?log_connections'
        line: "log_connections = on"
    - name: "Enable log disconnections"
      lineinfile:
        dest: "{{ PGDATA }}/postgresql.conf"
        regexp: '^#?log_disconnections'
        line: "log_disconnections = on"
    - name: "Enable log hostname"
      lineinfile:
        dest: "{{ PGDATA }}/postgresql.conf"
        regexp: '^#?log_hostname'
        line: "log_hostname = on"
    - name: "Set log line prefix"
      lineinfile:
        dest: "{{ PGDATA }}/postgresql.conf"
        regexp: '^#?log_line_prefix'
        line: "log_line_prefix = '{{ log_prefix }}'"
  notify: restart postgresql
- name: "CAT II | PGS9-00-005500 | PostgreSQL must be able to generate audit records when privileges/permissions are retrieved."
  # Include statements that touch the system catalogs (e.g. permission
  # lookups) in pgaudit output; depends on pgaudit being preloaded.
  lineinfile:
    dest: "{{ PGDATA }}/postgresql.conf"
    regexp: '^#?pgaudit.log_catalog'
    line: "pgaudit.log_catalog = 'on'"
  notify: restart postgresql
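- name: "CAT II | PGS9-00-005800 | PostgreSQL must generate audit records for all privileged activities or other system-level access."
  # shared_preload_libraries is a single comma-separated list: writing a
  # literal 'pgaudit' silently drops any library already preloaded (e.g.
  # pg_stat_statements).  The list is taken from a variable that defaults to
  # the previous value, so existing inventories behave as before; callers
  # that need more libraries set shared_preload_libraries: 'pgaudit,...'.
  # Changing this parameter requires a full restart, hence the handler.
  lineinfile:
    dest: "{{ PGDATA }}/postgresql.conf"
    regexp: '^#?shared_preload_libraries'
    line: "shared_preload_libraries = '{{ shared_preload_libraries | default('pgaudit') }}'"
  notify: restart postgresql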
- name: "CAT II | PGS9-00-009500 | If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords."
  # On 9.x 'on' selects md5 hashing.  NOTE(review): md5 salts with the role
  # name only; on PostgreSQL 10+ prefer 'scram-sha-256', and later releases
  # may no longer accept the boolean form - check the target version.
  lineinfile:
    dest: "{{ PGDATA }}/postgresql.conf"
    regexp: '^#?password_encryption'
    line: "password_encryption = on"
  notify: restart postgresql
- name:"CAT II | PGS9-00-010600 | PostgreSQL must invalidate session identifiers upon user logout or other session termination."