Update SV-261861.rb

README.md

@@ -158,6 +158,10 @@ Chef InSpec Resources:
 [top](#table-of-contents)
 ### Testing the Profile Controls
 The Gemfile provided contains all the necessary ruby dependencies for checking the profile controls.
+#### Testing against a Local Postgres Container
+```bash
+inspec exec ./ --input-file ./inputs_postgres16_example.yml --reporter cli json:./results/file.json
+```
 #### Requirements
 All action are conducted using `ruby` (gemstone/programming language). Currently `inspec` 
 commands have been tested with ruby version 3.1.2. A higher version of ruby is not guaranteed to

controls/SV-261861.rb

@@ -1,35 +1,35 @@
 control 'SV-261861' do
-  title "PostgreSQL must provide audit record generation capability for #{input('org_name')[:acronym]}-defined auditable events within all DBMS/database components.'
+  title 'PostgreSQL must provide audit record generation capability for #{input(\'org_name\')[:acronym]}-defined auditable events within all DBMS/database components.'
   desc 'Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
 
 Audit records can be generated from various components within PostgreSQL (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
 
-#{input('org_name')[:acronym]} has defined the list of events for which PostgreSQL will provide an audit record generation capability as the following: 
+#{input(\'org_name\')[:acronym]} has defined the list of events for which PostgreSQL will provide an audit record generation capability as the following: 
 
 (i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
 
 (ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities, or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and
 
 (iii) All account creation, modification, disabling, and termination actions.
 
-Organizations may define additional events requiring continuous or ad hoc auditing."
-  desc 'check', 'Note: The following instructions use the PGLOG environment variables. Refer to supplementary content APPENDIX-I for instructions on configuring PGVER.
+Organizations may define additional events requiring continuous or ad hoc auditing.'
+  desc 'check', %q(Note: The following instructions use the PGLOG environment variables. Refer to supplementary content APPENDIX-I for instructions on configuring PGVER.'
 
-Check PostgreSQL audit logs to determine whether organization-defined auditable events are being audited by the system.
+'Check PostgreSQL audit logs to determine whether organization-defined auditable events are being audited by the system.'
 
-For example, if the organization defines 'CREATE TABLE' as an auditable event, issuing the following command should return a result:
+"For example, if the organization defines 'CREATE TABLE' as an auditable event, issuing the following command should return a result:"
 
-$ sudo su - postgres
+'$ sudo su - postgres
 $ psql -c "CREATE TABLE example (id int)"
 $ grep 'AUDIT:.*,CREATE TABLE.*example' ${PGLOG?}/<latest_log>
 $ psql -c 'DROP TABLE example;'
 
-If organization-defined auditable events are not being audited, this is a finding.)'
-  desc 'fix', "Configure PostgreSQL to generate audit records for at least the DOD minimum set of events.
+If organization-defined auditable events are not being audited, this is a finding.)
+  desc 'fix', 'Configure PostgreSQL to generate audit records for at least the DOD minimum set of events.
 
-Using \"pgaudit\", PostgreSQL can be configured to audit these requests. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.
+Using "pgaudit", PostgreSQL can be configured to audit these requests. Refer to supplementary content APPENDIX-B for documentation on installing pgaudit.
 
-To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C."
+To ensure logging is enabled, see the instructions in the supplementary content APPENDIX-C.'
   impact 0.5
   tag severity: 'medium'
   tag gtitle: 'SRG-APP-000089-DB-000064'

controls/SV-261909.rb

@@ -9,14 +9,14 @@
 Administrative users authorized to review detailed error messages typically are the ISSO, ISSM, SA, and DBA. Other individuals or roles may be specified according to organization-specific needs, with appropriate approval.
 
 This calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the DBA is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.)
-  desc 'check', %q(Note: The following instructions use the PGDATA and PGLOG environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for instructions on configuring PGLOG.
+  desc 'check', "(Note: The following instructions use the PGDATA and PGLOG environment variables. Refer to APPENDIX-F for instructions on configuring PGDATA and APPENDIX-I for instructions on configuring PGLOG.
 
 Check PostgreSQL settings and custom database code to determine if detailed error messages are ever displayed to unauthorized individuals.
 
-To check the level of detail for errors exposed to clients, as the DBA (shown here as "postgres"), run the following:
+To check the level of detail for errors exposed to clients, as the DBA (shown here as \"postgres\"), run the following:
 
 $ sudo su - postgres
-$ psql -c "SHOW client_min_messages;"
+$ psql -c \"SHOW client_min_messages;\"
 
 If client_min_messages is not set to error, this is a finding.
 
@@ -31,7 +31,7 @@
 Note: Consult the organization's documentation on acceptable log privileges.
 
 $ sudo su - postgres
-$ psql -c "SHOW log_file_mode;" 
+$ psql -c \"SHOW log_file_mode;\" 
 
 Verify the log files have the set configurations.
 
@@ -51,11 +51,11 @@
 If PostgreSQL is configured to use syslog for logging, consult organization location and permissions for syslog log files. If the logs are not owned by root or have permissions that are not 0600, this is a finding.)
   desc 'fix', 'Note: The following instructions use the PGDATA environment variable. Refer to APPENDIX-F for instructions on configuring PGDATA.
 
-To set the level of detail for error messages exposed to clients, as the DBA (shown here as "postgres"), run the following commands:
+To set the level of detail for error messages exposed to clients, as the DBA (shown here as \"postgres\"), run the following commands:
 
 $ sudo su - postgres
 $ vi ${PGDATA?}/postgresql.conf
-client_min_messages = error'
+client_min_messages = error'"
   impact 0.5
   tag check_id: 'C-65763r1000972_chk'
   tag severity: 'medium'
@@ -67,4 +67,13 @@
   tag 'documentable'
   tag cci: ['CCI-001314']
   tag nist: ['SI-11 b']
+
+  sql = postgres_session(input('pg_dba'), input('pg_dba_password'), input('pg_host'), input('pg_port'))
+
+  describe sql.query('SHOW client_min_messages;',  [input('pg_db')]) do
+    its('output') { should match (/^error$/i) }
+    end
+  describe sql.query('SHOW log_file_mode;',  [input('pg_db')]) do  
+    its('output') { should cmp '0600' }
+  end
 end

controls/SV-261917.rb

@@ -24,7 +24,7 @@
 
 To ensure logging is enabled, review supplementary content APPENDIX-C for instructions on enabling logging.
 
-With logging enabled, as the database owner (shown here as "postgres"), configure the following parameters in postgresql.conf:
+With logging enabled, as the database owner {shown here as "postgres"} configure the following parameters in postgresql.conf:
 
 Note: Consult the organization on how syslog facilities are defined in the syslog daemon configuration.
 
@@ -49,4 +49,13 @@
   tag cci: ['CCI-001844']
   tag nist: ['AU-3 (2)']
 
+  sql = postgres_session(input('pg_dba'), input('pg_dba_password'), input('pg_host'), input('pg_port'))
+
+  describe sql.query('SHOW log_destination;', [input('pg_db')]) do
+    its('output') { should include 'syslog' }
+  end
+
+  describe sql.query('SHOW syslog_facility;', [input('pg_db')]) do
+    its('output') { should cmp 'LOCAL0' }    
+  end
 end

docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+  db:
+    image: postgres:16
+    container_name: test_postgres
+    environment:
+      POSTGRES_USER: testuser
+      POSTGRES_PASSWORD: testpassword
+      POSTGRES_DB: testdb
+    volumes:
+      - ./init.sql:/docker-entrypoint-initdb.d/init.sql
+    ports:
+      - "5432:5432"

init.sql

@@ -0,0 +1,10 @@
+-- init.sql
+CREATE TABLE users (
+    id SERIAL PRIMARY KEY,
+    username VARCHAR(50) NOT NULL,
+    password VARCHAR(50) NOT NULL
+);
+
+INSERT INTO users (username, password) VALUES
+('testuser1', 'password1'),
+('testuser2', 'password2');

inputs_postgres16_example.yml

@@ -0,0 +1,55 @@
+---
+windows_runner: false
+pg_owner: 'testuser'
+pg_group: ''
+pg_dba: 'testuser'
+pg_dba_password: 'testpassword'
+pg_host: 'localhost'
+pg_port: '5432'
+pg_db: 'testdb'
+pg_version: '16.8'
+pg_data_dir: "/var/lib/postgresql/data/"
+pg_log_dir: "/var/log/postgresql"
+pg_audit_log_dir: "/var/log/postgresql/pg_log/"
+pg_conf_file: "/var/lib/postgresql/data/postgresql.conf"
+pg_user_defined_conf: ""
+pg_hba_conf_file: "/var/lib/postgresql/data/pg_hba.conf"
+pg_ident_conf_file: "/var/lib/postgresql/data/pg_ident.conf"
+pg_shared_dirs:
+  - "/usr/lib/postgresql/16"
+  - "/usr/lib/postgresql/16/bin"
+  - "/usr/lib/postgresql/16/lib"
+  - "/usr/share/postgresql/16"
+pg_superusers:
+  - 'postgres'
+pg_users:
+  - 'pg_execute_server_program'
+  - 'pg_monitor'
+  - 'pg_read_all_settings'
+  - 'pg_read_all_stats'
+  - 'pg_read_server_files'
+  - 'pg_signal_backend'
+  - 'pg_stat_scan_tables'
+  - 'pg_write_server_files'
+  - 'postgres'
+pg_replicas:
+  - ''
+approved_auth_methods:
+  - 'gss'
+  - 'sspi'
+  - 'ldap'
+  - 'cert clientcert=verify-full'
+pgaudit_installation: '/usr/lib/postgresql/14/lib/bitcode/pgaudit'
+pg_max_connections: 100
+pg_timezone: 'UTC'
+pg_object_granted_privileges: 'arwdDxt'
+pg_object_public_privileges: 'rw'
+approved_packages:
+  - 'postgresql16-server.x86_64'
+  - 'postgresql16-libs.x86_64'
+  - 'postgresql16-contrib.x86_64'
+  - 'postgresql16.x86_64'
+approved_ext: 
+  - ''
+pg_object_exceptions:
+  - 'pg_setting'

inspec.yml

@@ -1,4 +1,4 @@
-name: crunchy-data-postgres-16-stig-baseline
+name: crunchy-data-postgresql-16-stig-baseline
 title: "Crunchy Data Postgres 16 Security Technical Implementation Guide ::
   Version 1, Release 1 :: Benchmark Date:  13 Jun 2024"
 maintainer: MITRE SAF Team
@@ -91,13 +91,16 @@ inputs:
       - ""
     required: true
     sensitive: true
-
+
+  #V261909, V-261917
   - name: pg_db
     description: "The database used for stig configuration tests"
     type: string
     value: "stig"
     required: true
-
+  #V-261917
+  - name: pg_db_owner
+    description: ""
   # V-261902
   - name: pg_object_granted_privileges
     description: "Privileges that should be granted to a role for a database object"