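---
# InSpec profile metadata for the Crunchy Data Postgres 16 STIG baseline.
# This file declares the profile identity and the inputs (variables) that the
# controls read; the controls themselves live under controls/.
name: crunchy-data-postgres-16-stig-baseline
title: "Crunchy Data Postgres 16 Security Technical Implementation Guide ::
  Version 1, Release 1 :: Benchmark Date: 13 Jun 2024"
maintainer: MITRE SAF Team
copyright: MITRE
# NOTE(review): the address below looks redacted by the page render (a bare
# "[email protected]" would parse as a YAML flow sequence if left unquoted);
# confirm the real maintainer contact before publishing.
copyright_email: "[email protected]"
license: Apache-2.0
summary: >-
  InSpec profile aligned to STIG Guidance for Crunchy Data Postgres 16
  Security Technical Implementation Guide
description: null
version: "1.1.0"
supports: []
depends: []
inspec_version: ">= 4.0"

### INPUTS ###
# Inputs are variables that can be referenced by any control in the profile,
# and are defined and given a default value in this file.
# By default, each parameter is set to exactly comply with the profile baseline
# wherever possible. Some profile controls will require a unique value reflecting
# the necessary context for the supporting system.
# Values provided here can be overridden using an input file or a CLI flag at
# execution time. See InSpec's Inputs docs at https://docs.chef.io/inspec/profiles/inputs/
# for details.
# NOTE: DO NOT directly change the default values by editing this file. Use
# overrides instead.
#
# `sensitive: true` masks an input's value in reports and CLI output; keep it
# on anything that identifies accounts, hosts or credentials.
# `required: true` only rejects a nil value - an empty string or empty list
# still passes, so inputs defaulted to "" or [] below MUST be overridden for
# the affected controls to produce meaningful results.
###
inputs:
  # Connection and identity inputs shared by most controls.
  - name: pg_owner
    description: "The system user that owns the postgres process"
    type: string
    value: "postgres"
    required: true
    sensitive: false

  - name: pg_group
    description: "The system group of the postgres process"
    type: string
    value: "postgres"
    required: true
    sensitive: true

  # Empty default: the DBA account and password are never shipped in the
  # profile and must be supplied via an input file or CLI override.
  - name: pg_dba
    description: "The postgres DBA user used to connect to the test database"
    type: string
    value: ""
    required: true
    sensitive: true

  - name: pg_dba_password
    description: "The password for the postgres DBA user"
    type: string
    value: ""
    required: true
    sensitive: true

  - name: pg_host
    description: "The hostname or IP address used to connect to the database"
    type: string
    value: "localhost"
    required: true
    sensitive: true

  - name: pg_port
    description: "The TCP port used to connect to the database"
    type: numeric
    value: 5432
    required: true
    sensitive: true

  # V-261859, V-261885, V-261897, V-261914, V-261862, V-261884, V-261898,
  # V-261888, V-261924, V-261878
  - name: pg_superusers
    description: "Authorized superuser accounts; any other role with SUPERUSER is reported"
    type: array
    value:
      - "postgres"
    required: true
    sensitive: true

  # V-261890
  # The empty-string default matches no real account; override with the full
  # list of authorized postgres user accounts.
  - name: pg_users
    description: "Authorized postgres user accounts"
    type: array
    value:
      - ""
    required: true
    sensitive: true

  - name: pg_db
    description: "The database used for STIG configuration tests"
    type: string
    value: "stig"
    required: true

  # V-261902
  # PostgreSQL ACL letter notation: a=INSERT r=SELECT w=UPDATE d=DELETE
  # D=TRUNCATE x=REFERENCES t=TRIGGER.
  - name: pg_object_granted_privileges
    description: "Privileges (PostgreSQL ACL letters) that may be granted to a role on a database object"
    type: string
    value: "arwdDxt"
    required: true

  # V-261902
  # NOTE(review): the default lets PUBLIC hold SELECT (r) and UPDATE (w) on
  # objects; confirm this matches organizational policy before relying on it,
  # as it is the most permissive setting a practitioner would normally accept.
  - name: pg_object_public_privileges
    description: "Privileges (PostgreSQL ACL letters) that PUBLIC is allowed to hold on a database object"
    type: string
    value: "rw"
    required: true

  # V-261902
  - name: pg_object_exceptions
    description: "Database objects treated as exceptions by the V-261902 object-privilege checks (e.g., pg_settings)"
    type: array
    value:
      - "pg_settings"
    required: true

  # V-261859, V-261890
  # The empty-string default matches no address; override with the replica
  # networks that are permitted replication entries in pg_hba.conf.
  - name: pg_replicas
    description: "List of postgres replicas in CIDR notation"
    type: array
    value:
      - ""

  # V-261857
  - name: pg_max_connections
    description: "The maximum allowed number of connections to the postgres instance at any one time"
    type: numeric
    value: 100

  # V-261921
  - name: pg_timezone
    description: "The timezone the postgres server must log in"
    type: string
    value: "UTC"

  # V-261858, V-261859, V-261890
  - name: approved_auth_methods
    description: "Authentication methods permitted in pg_hba.conf; used by V-261858, V-261859 and V-261890 (per the STIG these are only gss, sspi or ldap)"
    type: array
    value:
      - "gss"
      - "sspi"
      - "ldap"
    required: true

  # V-261887
  # Empty default still satisfies `required`; override with the approved
  # package list or the control cannot distinguish approved from unapproved.
  - name: approved_packages
    description: "Approved postgres-related packages checked by V-261887 (e.g., postgresql-server.x86_64, postgresql-odbc.x86_64)"
    type: array
    value: []
    required: true

  # V-261886, V-261888
  - name: approved_ext
    description: "Approved database extensions checked by V-261886 and V-261888"
    type: array
    value: []
    required: true

  # V-261859, V-261885
  - name: windows_runner
    description: "Set to true when the target host is Windows, false for Linux"
    type: boolean
    value: false

  # NOTE(review): the filesystem defaults below and the pg_version default
  # follow the PGDG layout of a PostgreSQL 12 installation, while this profile
  # targets the Postgres 16 STIG. They are kept as shipped per the override
  # policy above, but must be overridden for a 16.x target (e.g.
  # /var/lib/pgsql/16/data, /usr/pgsql-16) or the path- and version-based
  # controls will report against the wrong files.

  # SV-261934, SV-261925, SV-261875, SV-261939, SV-261957, SV-261960,
  # SV-261947, SV-261942, SV-261956, SV-261952, SV-261864, SV-261951,
  # SV-261863, SV-261963, SV-261959, SV-261945, SV-261943
  - name: pg_audit_log_dir
    description: "The location of the postgres audit log files on the system, e.g. '/var/lib/pgsql/<major>/data/log'"
    type: string
    value: "/var/lib/pgsql/12/data/log"
    required: true

  # V-261878
  - name: pgaudit_installation
    description: "Location of the pgaudit installation on the system, used by V-261878 (e.g., /usr/pgsql-<major>/share/contrib/pgaudit)"
    type: string
    value: "/usr/pgsql-12/share/contrib/pgaudit"
    required: true

  # V-261883, V-261880
  - name: pg_shared_dirs
    description: "The locations of the Postgres system libraries and binaries"
    type: array
    value:
      - "/usr/pgsql-12"
      - "/usr/pgsql-12/bin"
      - "/usr/pgsql-12/lib"
      - "/usr/pgsql-12/share"
    required: true

  # V-261936, V-261883, V-261935
  - name: pg_version
    description: "The version of the Postgres software installed on the target (e.g. '16.1'). The default reflects a 12.x install and must be overridden."
    type: string
    value: "12.9"
    required: true

  # V-261893, V-261894, V-261880
  - name: pg_data_dir
    description: "The postgres data directory, e.g. '/var/lib/pgsql/<major>/data'"
    type: string
    value: "/var/lib/pgsql/12/data"
    required: true

  - name: pg_conf_file
    description: "The main postgres configuration file, e.g. '/var/lib/pgsql/<major>/data/postgresql.conf'"
    type: string
    value: "/var/lib/pgsql/12/data/postgresql.conf"
    required: true

  # V-261908, V-261880
  - name: pg_user_defined_conf
    description: "An additional postgres configuration file used to override default values, e.g. '/var/lib/pgsql/<major>/data/stig-postgresql.conf'"
    type: string
    value: "/var/lib/pgsql/12/data/stig-postgresql.conf"
    required: true

  # V-261858, V-233518, V-233519, V-261859, V-261893, V-261880, V-261890
  - name: pg_hba_conf_file
    description: "The postgres host-based authentication file, e.g. '/var/lib/pgsql/<major>/data/pg_hba.conf'"
    type: string
    value: "/var/lib/pgsql/12/data/pg_hba.conf"
    required: true

  # V-233518, V-261880, V-261895
  - name: pg_ident_conf_file
    description: "The location of the pg_ident.conf user-name map file, e.g. '/var/lib/pgsql/<major>/data/pg_ident.conf'"
    type: string
    value: "/var/lib/pgsql/12/data/pg_ident.conf"
    required: true

  # V-261876, V-261877, V-261878
  # Defaults to the same directory as pg_audit_log_dir; override separately if
  # server logs and audit logs are written to different locations.
  - name: pg_log_dir
    description: "The location of the postgres server log files on the system, e.g. '/var/lib/pgsql/<major>/data/log'"
    type: string
    value: "/var/lib/pgsql/12/data/log"
    required: true

  # `desc` is not the InSpec input key; `description` is what every other input
  # in this file uses, so the text is otherwise dropped.
  - name: org_name
    description: "Name of the organization running this profile"
    type: hash
    value:
      acronym: "DoD"
      full_form: "Department of Defense"

  # V-261937
  # Empty default matches no version; override with the organization's floor
  # (as a string, so values such as "16.0" are not coerced to floats).
  - name: min_org_allowed_postgres_version
    description: "The minimum Postgres version allowed by the organization"
    type: string
    value: ""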