
Add details on how to STIG PostgreSQL 12

Micah Halter 1 year ago
parent
commit
63e2b6c3ff
  1. 126
      PROCESS.md
  2. 5
      roles/disa-v1r6/defaults/main.yml
  3. 25
      roles/disa-v1r6/tasks/main.yml

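--- /dev/null
+++ b/PROCESS.md
@@ -0,0 +1,126 @@
+---
+title: STIG Postgresql 12
+date: March 23, 2020
+author: Micah Halter
+---
+# Set Up Environment Variables
+Find the `postgresql` data folder and version
+```
+$~ sudo su - postgres
+$~ psql -c "SHOW data_directory"
+$~ psql -c "SHOW server_version"
+```
+As a DB administrator, add the following lines to `~/.bashrc` (Updated for your `postgresql` installation
+```
+export PATH="/usr/pgsql-12/bin:$PATH"
+export PGDATA='/var/lib/pgsql/12/data'
+export PGVER=12
+```
+# Set up pgaudit
+Install `pgaudit` extension with
+```
+$~ sudo yum install pgaudit14_12
+```
+Change `shared_preload_libraries` line in `${PGDATA}/postgresql.conf` to
+```
+shared_preload_libraries = 'pgaudit'
+```
+Add `pgaudit` configuration options to the bottom of `${PGDATA}/postgresql.conf`
+```
+#------------------------------------------------------------------------------
+# PGAUDIT OPTIONS
+#------------------------------------------------------------------------------
+# Enable catalog logging - default is 'on'
+pgaudit.log_catalog='on'
+# Specify the verbosity of log information (INFO, NOTICE, LOG, WARNING, DEBUG)
+pgaudit.log_level='log'
+# Log the parameters being passed
+pgaudit.log_parameter='on'
+# Log each relation (TABLE, VIEW, etc.) mentioned in a SELECT or DML statement
+pgaudit.log_relation='off'
+# For every statement and substatement, log the statement and parameters
+pgaudit.log_statement_once='off'
+# Define the master role to use for object logging
+# pgaudit.role=''
+# Choose the statements to log:
+# READ - SELECT, COPY
+# WRITE - INSERT, UPDATE, DELETE, TRUNCATE, COPY
+# FUNCTION - Function Calls and DO Blocks
+# ROLE - GRANT, REVOKE, CREATE/ALTER/DROP ROLE
+# DDL - All DDL not included in ROLE
+# MISC - DISCARD, FETCH, CHECKPOINT, VACUUM
+pgaudit.log='ddl,role,write,read'
+```
+# Set up Logging
+Verify the following logging settings in `${PGDATA}/postgresql.conf`
+```
+log_destination = 'syslog'
+logging_collector = on
+log_directory = 'log'
+log_filename = 'postgresql-%a.log'
+log_file_mode = 0600
+log_truncate_on_rotation = on
+log_rotation_age = 1d
+log_rotation_size = 0
+syslog_facility = 'LOCAL0'
+syslog_ident = 'postgres'
+log_checkpoints = on
+log_connections = on
+log_disconnections = on
+log_duration = off
+log_error_verbosity = default
+log_hostname = on
+log_line_prefix = '%m %u %d: '
+log_lock_waits = on
+log_statement = 'none'
+log_timezone = 'America/New_York'
+client_min_messages = notice
+log_min_messages = warning
+log_min_error_statement = error
+log_min_duration_statement = -1
+```
+# Install pgcrypto
+Run
+```
+$~ sudo su - postgres
+$~ psql -c "CREATE EXTENSION pgcrypto"
+```
+# Setup SSL
+COMING SOON...
+# Run the ansible
+Set the defaults in `roles/disa-v1r6/defaults/main.yml`
+```
+$~ sudo ansible-playbook playbook.yml
+```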

5
roles/disa-v1r6/defaults/main.yml

@ -1,7 +1,8 @@
PGPORT: "5432"
PGDATA: "/var/lib/postgres/data"
PGVER: "12"
log_directory: "log"
log_timezone: "EST"
log_prefix: "< %m %a %u %d %r %p %i %e %s>"
log_timezone: "America/New_York"
log_prefix: "%m %u %d %r: "
max_connections: 10
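Review bot: The new `log_prefix: "%m %u %d %r: "` drops the process id (%p), application name (%a), SQLSTATE (%e) and session start time (%s) that the previous value carried, and those are the fields that let a log line be tied to a backend session and an error class when reconstructing an incident; as I recall, the DISA PostgreSQL STIG fix text for the audit-record content checks uses the fuller form, so I would keep `log_prefix: "< %m %a %u %d %r %p %i %e %s>"` and change only the timezone in this commit. Separately, the unchanged `PGDATA: "/var/lib/postgres/data"` does not match the PGDG RPM layout implied by the `/usr/pgsql-{{ PGVER }}` paths in tasks/main.yml, where the data directory is `/var/lib/pgsql/{{ PGVER }}/data`; if these defaults are meant for that host, every `lineinfile`/`replace` in the role would be editing a postgresql.conf that does not exist, so it is worth a `stat` assertion or a corrected default. The hunk header reports 8 new-side lines but only 7 are shown here, so one line may be missing from this view.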

25
roles/disa-v1r6/tasks/main.yml

@ -24,13 +24,6 @@
shell: "chmod 0600 {{ PGDATA }}/{{ log_directory }}/*.log"
notify: restart postgresql
- name: "CAT II | PGS9-00-000600 | The audit information produced by PostgreSQL must be protected from unauthorized modification"
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?client_min_messages
line: "client_min_messages = error"
notify: restart postgresql
- name: " CAT II | PGS9-00-000700 | Privileges to change PostgreSQL software modules must be limited."
block:
- name: "configure permissions of postgresql configuration file"
@ -39,22 +32,22 @@
owner: "postgres"
group: "postgres"
mode: "0600"
- name: " change the ownership of shared objects in /usr/pgsql-${PGVER?}/*.so "
- name: " change the ownership of shared objects in /usr/pgsql-{{ PGVER }}/*.so "
shell: "chown root:root /usr/pgsql-{{ PGVER }}/lib/*.so"
failed_when: "'FAILED' in command_result.stderr"
- name: " change the opermissions of shared objects in /usr/pgsql-${PGVER?}/*.so "
shell: "chmod 0755 /usr/pgsql-${PGVER?}/lib/*.so"
- name: " change the opermissions of shared objects in /usr/pgsql-{{ PGVER }}/*.so "
shell: "chmod 0755 /usr/pgsql-{{ PGVER }}/lib/*.so"
failed_when: "'FAILED' in command_result.stderr"
- name: "change the ownership of executables in /usr/pgsql-${PGVER?}/bin:"
shell: "chown root:root /usr/pgsql-${PGVER?}/bin/*"
- name: "change the ownership of executables in /usr/pgsql-{{ PGVER }}/bin:"
shell: "chown root:root /usr/pgsql-{{ PGVER }}/bin/*"
failed_when: "'FAILED' in command_result.stderr"
- name: "change the permissions of executables in /usr/pgsql-${PGVER?}/bin:"
shell: "chmod 0755 /usr/pgsql-${PGVER?}/bin/*"
- name: "change the permissions of executables in /usr/pgsql-{{ PGVER }}/bin:"
shell: "chmod 0755 /usr/pgsql-{{ PGVER }}/bin/*"
failed_when: "'FAILED' in command_result.stderr"
- name: " CAT II | PGS9-00-000800 | If passwords are used for authentication, PostgreSQL must transmit only encrypted representations of passwords."
replace:
dest: "{{ PGDATA }}/postgresql.conf"
dest: "{{ PGDATA }}/pg_hba.conf"
regexp: password
replace: "md5"
@ -147,7 +140,7 @@
lineinfile:
dest: "{{ PGDATA }}/postgresql.conf"
regexp: ^#?password_encryption
line: "password_encryption = on"
line: "password_encryption = md5"
notify: restart postgresql
- name: "CAT II | PGS9-00-010600 | PostgreSQL must invalidate session identifiers upon user logout or other session termination."
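Review bot: `password_encryption = md5` together with rewriting pg_hba.conf to `md5` follows the 9.x STIG text literally, but the role's defaults target PostgreSQL 12, where `scram-sha-256` is available and md5 is the weaker choice: the stored value is md5(password || username), and the md5 challenge-response lets anyone holding that stored hash authenticate without the password. I would set `line: "password_encryption = scram-sha-256"` and `replace: "scram-sha-256"`, with a note that existing md5-hashed passwords must be reset afterwards and that clients need libpq 10 or newer. The `regexp: password` on the pg_hba.conf task is also unanchored, so it rewrites the word wherever it appears, including inside comments; anchoring it to the auth-method column, e.g. `regexp: '(\s)password(\s*(#.*)?)$'` with `replace: '\1md5\2'`, limits the edit to that field. Finally, the four `failed_when: "'FAILED' in command_result.stderr"` lines reference `command_result` without any `register: command_result` on the lines shown, which makes Ansible abort the conditional with an undefined-variable error unless it is registered on a line outside this hunk; the `file` module with `owner`/`group`/`mode` over a `with_fileglob` loop would replace both the shell calls and the need for that check.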
