Add Support for PostgreSQL

.config/ansible-lint.yml

@@ -11,10 +11,12 @@ exclude_paths:
  - molecule/ssh_hardening_bsd/waivers_freebsd13.yaml
  - molecule/ssh_hardening_bsd/waivers_freebsd14.yaml
  - molecule/ssh_hardening_bsd/waivers_openbsd7.yaml
+ - molecule/postgres_hardening/geerlingguy_postgresql_vars.yml
 
 mock_roles:
  - geerlingguy.git
  - nginxinc.nginx
+ - geerlingguy.postgresql
 
 skip_list:
  - var-naming[no-role-prefix]

.github/labeler.yml

@@ -28,3 +28,10 @@ nginx_hardening:
  - roles/nginx_hardening/**
  - molecule/nginx_hardening/**
  - .github/workflows/nginx_hardening.yml
+
+postgres_hardening:
+ - changed-files:
+ - any-glob-to-any-file:
+ - "roles/postgres_hardening/**"
+ - "molecule/postgres_hardening/**"
+ - ".github/workflows/postgres_hardening.yml"

.github/workflows/postgres_hardening.yml

@@ -0,0 +1,90 @@
+---
+name: "devsec.postgres_hardening"
+on: # yamllint disable-line rule:truthy
+ workflow_dispatch:
+ push:
+ branches: [master]
+ paths:
+ - "roles/postgres_hardening/**"
+ - "molecule/postgres_hardening/**"
+ - ".github/workflows/postgres_hardening.yml"
+ - "requirements.txt"
+ pull_request:
+ branches: [master]
+ paths:
+ - "roles/postgres_hardening/**"
+ - "molecule/postgres_hardening/**"
+ - ".github/workflows/postgres_hardening.yml"
+ - "requirements.txt"
+ schedule:
+ - cron: "0 6 * * 1"
+
+concurrency:
+ group: >-
+ ${{ github.workflow }}-${{
+ github.event.pull_request.number || github.sha
+ }}
+ cancel-in-progress: true
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ env:
+ PY_COLORS: 1
+ ANSIBLE_FORCE_COLOR: 1
+ strategy:
+ fail-fast: false
+ matrix:
+ molecule_distro:
+ # - centos7
+ # - centosstream8
+ # - centosstream9
+ # - rocky8
+ # - rocky9
+ # - ubuntu1804
+ - ubuntu2004
+ - ubuntu2204
+ # - debian10
+ # - debian11
+ # - debian12
+ # - amazon2023
+ # - arch # needs to be fixed
+ # - opensuse_tumbleweed # needs to be fixed
+ # - fedora # no support from geerlingguy role
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v4
+ with:
+ path: ansible_collections/devsec/hardening
+ submodules: true
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: 3.12
+
+ - name: Install dependencies
+ run: |
+ sudo apt install git
+ python -m pip install --no-cache-dir --upgrade pip
+ pip install -r requirements.txt
+ working-directory: ansible_collections/devsec/hardening
+
+ # Molecule has problems detecting the proper location for installing roles
+ # https://github.com/ansible/molecule/issues/3806
+ # we do not set a custom role path, but the automatically determined install path used is not compatible with the location molecule expects the role
+ # see CI logs of this action "INFO Set ANSIBLE_ROLES_PATH" should not be present, since we do not set a custom path
+ # we have to find a proper way to configure this
+ - name: Temporary fix for roles
+ run: |
+ mkdir -p /home/runner/.ansible
+ ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \
+ /home/runner/.ansible/roles
+
+ - name: Test with molecule
+ run: |
+ molecule --version
+ molecule test -s postgres_hardening
+ env:
+ MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+ working-directory: ansible_collections/devsec/hardening

molecule/postgres_hardening/converge.yml

@@ -0,0 +1,12 @@
+---
+- name: Wrapper playbook for kitchen testing "ansible-postgres-hardening" with custom settings
+ become: true
+ hosts: all
+ environment:
+ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+ tasks:
+ - name: Start Hardening
+ ansible.builtin.include_role:
+ name: devsec.hardening.postgres_hardening

molecule/postgres_hardening/geerlingguy_postgresql_vars.yml

@@ -0,0 +1,6 @@
+postgresql_databases:
+ - name: example_db
+postgresql_users:
+ - name: postgres
+ password: iloverandompasswordsbutthiswilldo
+postgresql_auth_method: scram-sha-256

molecule/postgres_hardening/molecule.yml

@@ -0,0 +1,64 @@
+---
+dependency:
+ name: galaxy
+ options:
+ role-file: molecule/postgres_hardening/requirements.yml
+driver:
+ name: docker
+platforms:
+ - name: instance
+ image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
+ command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ privileged: true
+ cgroupns_mode: host
+ pre_build_image: true
+provisioner:
+ name: ansible
+ options:
+ diff: true
+ config_options:
+ defaults:
+ interpreter_python: auto_silent
+ callbacks_enabled: profile_tasks, timer, yaml
+ inventory:
+ host_vars:
+ # https://molecule.readthedocs.io/en/latest/examples.html#docker-with-non-privileged-user
+ # setting for the platform instance named 'instance'
+ instance:
+ ansible_user: ansible
+verifier:
+ name: ansible
+
+scenario:
+ create_sequence:
+ - dependency
+ - create
+ - prepare
+ check_sequence:
+ - dependency
+ - destroy
+ - create
+ - prepare
+ - converge
+ - check
+ - destroy
+ converge_sequence:
+ - dependency
+ - create
+ - prepare
+ - converge
+ destroy_sequence:
+ - destroy
+ test_sequence:
+ - dependency
+ - destroy
+ - syntax
+ - create
+ - prepare
+ - check
+ - converge
+ - idempotence
+ - verify
+ - destroy

molecule/postgres_hardening/prepare.yml

@@ -0,0 +1,20 @@
+---
+- name: Prepare playbook for kitchen testing "ansible-postgres-hardening" with custom settings
+ become: true
+ hosts: all
+ environment:
+ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+ vars_files:
+ - geerlingguy_postgresql_vars.yml
+ tasks:
+ - name: Install required packages
+ ansible.builtin.package:
+ name: "python3-apt"
+ update_cache: true
+ ignore_errors: true # noqa ignore-errors
+
+ - name: Installing PostgreSQL
+ ansible.builtin.include_role:
+ name: geerlingguy.postgresql

molecule/postgres_hardening/requirements.yml

@@ -0,0 +1,6 @@
+---
+collections:
+ - community.postgresql
+
+roles:
+ - name: geerlingguy.postgresql

molecule/postgres_hardening/verify.yml

@@ -0,0 +1,36 @@
+---
+- name: Verify
+ hosts: all
+ become: true
+ environment:
+ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+
+- name: Verify
+ hosts: localhost
+ environment:
+ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+ tasks:
+ - name: Execute cinc-auditor tests
+ ansible.builtin.command: >
+ docker run
+ --volume /run/docker.sock:/run/docker.sock
+ docker.io/cincproject/auditor exec
+ -t docker://instance
+ --no-show-progress --no-color
+ --no-distinct-exit https://github.com/dev-sec/postgres-baseline/archive/refs/heads/master.zip
+ register: test_results
+ changed_when: false
+ ignore_errors: true
+
+ - name: Display details about the cinc-auditor results
+ ansible.builtin.debug:
+ msg: "{{ test_results.stdout_lines }}"
+
+ - name: Fail when tests fail
+ ansible.builtin.fail:
+ msg: "Inspec failed to validate"
+ when: test_results.rc != 0

roles/.gitignore

@@ -0,0 +1 @@
+geerlingguy.postgresql/

roles/postgres_hardening/README.md

@@ -0,0 +1,18 @@
+# devsec.postgres_hardening
+
+[![devsec.postgres_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/postgres_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/postgres_hardening.yml)
+
+## Description
+
+This role provides secure postgres configuration. It is intended to be compliant with the [DevSec Postgres Baseline](https://github.com/dev-sec/postgres-baseline).
+
+
+**NOTE: This role does not work with postgres 1.0.15 or older! Please use the latest version from the official postgres repositories!**
+
+<!-- BEGIN_ANSIBLE_DOCS -->
+
+## Supported Operating Systems [For Now]
+- Ubuntu
+ - bionic, focal, jammy
+
+## Role Variables

roles/postgres_hardening/defaults/main.yml

@@ -0,0 +1,27 @@
+---
+# switcher to enable/disable role
+postgres_hardening_enabled: true
+
+postgres_daemon_enabled: true
+
+postgres_hardening_restart_postgres: true
+
+# Postgres user/group
+postgres_user: postgres
+postgres_group: postgres
+
+# Password Authentication
+password_encryption: scram-sha-256
+
+# SSL
+ssl_enabled: "on"
+ssl_ciphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+
+# Logging
+logging_collector: "on"
+log_connections: "on"
+log_disconnections: "on"
+log_duration: "on"
+log_hostname: "on"
+log_directory: pg_log
+log_line_prefix: "%t %u %d %h"

roles/postgres_hardening/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart postgres
+ ansible.builtin.service:
+ name: "{{ postgres_daemon }}"
+ state: restarted
+ when: postgres_hardening_restart_postgres | bool