This chef cookbook provides security configuration for PostgreSQL.
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
attributes
recipes
spec
templates/default
.gitignore
.kitchen.vagrant.yml
.kitchen.yml
.rubocop.yml
.travis.yml
Berksfile
CHANGELOG.md
Gemfile
Guardfile
LICENSE
README.md
Rakefile
metadata.rb

README.md

postgres-hardening (Postgres cookbook)

Supermarket Build Status Code Coverage Dependencies Gitter Chat

Description

Provides security configurations for postgres.

Note: This is currently work in progress and not tested on all supported platforms

Requirements

  • Chef >= 12.5.1

Platform

  • Debian 7, 8
  • Ubuntu 12.04, 14.04, 16.04
  • RHEL 6, 7
  • CentOS 6, 7
  • Oracle Linux 6, 7

Usage

This cookbook is optimized to work with os-hardening and ssh-hardening. It will play well without, but you need to ensure all preconditions like apt-get update or yum update are met.

add the following to your runlist and customize security option attributes

  "recipe[postgresql::server]",
  "recipe[postgres-hardening]"

You should also use the official postgres packages, because those offer the latest fixes. Enable the suitable option for the postgres cookbook.

"postgresql": {

   # debian, ubuntu
   "enable_pgdg_apt": true

   # rhel
   "enable_pgdg_yum": true

}

The hardening cookbook is only optimized for Postgresql 9.4. This can be activated for [postgres cookbook](https://github.com/sous-chefs/postgresql.

"postgresql": {
   version: "9.4"
}

Enable SSL

Please read http://www.postgresql.org/docs/9.1/static/ssl-tcp.html first.

This cookbook will delete the links from /var/lib/postgresql/#{node['postgresql']['version']}/main/server.crt to /etc/ssl/certs/ssl-cert-snakeoil.pem and /var/lib/postgresql/#{node['postgresql']['version']}/main/server.key to /etc/ssl/private/ssl-cert-snakeoil.key on Debian systems. This certificates are self-signed (see http://en.wikipedia.org/wiki/Snake_oil_%28cryptography%29) and therefore not trusted. You have to provide your own trusted certificates for SSL.

Security Options

Tests

# Install dependencies
gem install bundler
bundle install

# Do lint checks
bundle exec rake lint

# fast test on one machine
bundle exec kitchen test default-apt-ubuntu-1604

# test on all machines
bundle exec kitchen test

# for development
bundle exec kitchen create default-apt-ubuntu-1604
bundle exec kitchen converge default-apt-ubuntu-1604

Contributors + Kudos

License and Author

  • Author:: Deutsche Telekom AG

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.