Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

postgres-hardening (Postgres cookbook)

Supermarket Build Status Code Coverage Dependencies Gitter Chat


Provides security configurations for postgres.

Note: This is currently work in progress and not tested on all supported platforms


  • Chef >= 12.5.1


  • Debian 7, 8
  • Ubuntu 12.04, 14.04, 16.04
  • RHEL 6, 7
  • CentOS 6, 7
  • Oracle Linux 6, 7


This cookbook is optimized to work with os-hardening and ssh-hardening. It will play well without, but you need to ensure all preconditions like apt-get update or yum update are met.

add the following to your runlist and customize security option attributes


You should also use the official postgres packages, because those offer the latest fixes. Enable the suitable option for the postgres cookbook.

"postgresql": {

   # debian, ubuntu
   "enable_pgdg_apt": true

   # rhel
   "enable_pgdg_yum": true


The hardening cookbook is only optimized for Postgresql 9.4. This can be activated for [postgres cookbook](

"postgresql": {
   version: "9.4"

Enable SSL

Please read first.

This cookbook will delete the links from /var/lib/postgresql/#{node['postgresql']['version']}/main/server.crt to /etc/ssl/certs/ssl-cert-snakeoil.pem and /var/lib/postgresql/#{node['postgresql']['version']}/main/server.key to /etc/ssl/private/ssl-cert-snakeoil.key on Debian systems. This certificates are self-signed (see and therefore not trusted. You have to provide your own trusted certificates for SSL.

Security Options


# Install dependencies
gem install bundler
bundle install

# Do lint checks
bundle exec rake lint

# fast test on one machine
bundle exec kitchen test default-apt-ubuntu-1604

# test on all machines
bundle exec kitchen test

# for development
bundle exec kitchen create default-apt-ubuntu-1604
bundle exec kitchen converge default-apt-ubuntu-1604

Contributors + Kudos

License and Author

  • Author:: Deutsche Telekom AG

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


This chef cookbook provides security configuration for PostgreSQL.





No packages published


You can’t perform that action at this time.