add reame info for ssl and attributes, default ssl to false/off, remove snake-oil cert links

README.md

@@ -14,10 +14,68 @@ Note: This is currently work in progress and not tested on all supported platfor
 
 This cookbook is optimized to work with [os-hardening](https://github.com/TelekomLabs/postgres-os-hardening) and [ssh-hardening](https://github.com/TelekomLabs/chef-ssh-hardening). It will play well without, but you need to ensure all preconditions like `apt-get update` or `yum update` are met.
 
-tbd.
+add `recipe[postgres-hardening::server]` to your runlist and customize security option attributes
+
+### Enable SSL
+
+Please read http://www.postgresql.org/docs/9.1/static/ssl-tcp.html first. 
+
+This cookbook will delete the links from `/var/lib/postgresql/#{node['postgresql']['version']}/main/server.crt` to `/etc/ssl/certs/ssl-cert-snakeoil.pem` and `/var/lib/postgresql/#{node['postgresql']['version']}/main/server.key` to `/etc/ssl/private/ssl-cert-snakeoil.key` on Debian systems. This certificates are self-signed (see http://en.wikipedia.org/wiki/Snake_oil_%28cryptography%29) and therefore not trusted. You have to provide your own trusted certificates for SSL.
 
 ## Security Options
 
+* `node['postgresql']['config']['logging_collector'] = true`
+   This parameter enables the logging collector, which is a background process 
+   that captures log messages sent to stderr and redirects them into log files. 
+   See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
+   Defaults to: `true`
+
+* `node['postgresql']['config']['log_directory'] = 'pg_log'`
+   When logging_collector is enabled, this parameter determines the 
+   directory in which log files will be created. 
+   See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
+   Defaults to: `pg_log`
+
+* `node['postgresql']['config']['log_connections'] = true`
+   Causes each attempted connection to the server to be logged, as well as successful 
+   completion of client authentication. 
+   See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
+   Defaults to: `true`
+
+* `node['postgresql']['config']['log_disconnections'] = true`
+   This outputs a line in the server log similar to log_connections but at session 
+   termination, and includes the duration of the session. 
+   See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
+   Defaults to: `true`
+
+* `node['postgresql']['config']['log_duration'] = true`
+   Causes the duration of every completed statement to be logged 
+   See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
+   Defaults to: `true`
+
+* `node['postgresql']['config']['log_hostname'] = true`
+   By default, connection log messages only show the IP address of the connecting host. 
+   See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
+   Defaults to: `true`
+
+* `node['postgresql']['config']['log_line_prefix'] = '%t %u %d %h'`
+   This is a printf-style string that is output at the beginning of each log line. 
+   See http://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for details
+   Defaults to: `%t %u %d %h`
+
+* `node['postgresql']['config']['password_encryption'] = true`
+   When a password is specified in CREATE USER or ALTER ROLE without writing either 
+   ENCRYPTED or UNENCRYPTED, this parameter determines whether the password is to be encrypted. 
+   See http://www.postgresql.org/docs/9.1/static/runtime-config-connection.html for details
+   Defaults to: `true`
+
+* `node['postgresql']['config']['ssl'] = false`
+   Enables SSL connections. Please read http://www.postgresql.org/docs/9.1/static/ssl-tcp.html 
+   SSL certificates are out of scope of this module. This is why this setting defaults to `off`.
+   You have to provide ssl certificates *before* the startup of postgres, otherwise it will fail to start.  
+   See http://www.postgresql.org/docs/9.1/static/runtime-config-connection.html for details
+   Defaults to: `false`
+
 ## Tests
 
     # fast test on one machine

attributes/hardening.rb

@@ -37,12 +37,7 @@
 
 default['postgresql']['config']['password_encryption'] = true
 
-case node['platform_family']
-when 'debian'
-  default['postgresql']['config']['ssl'] = true
-else
-  default['postgresql']['config']['ssl'] = false
-end
+default['postgresql']['config']['ssl'] = false
 
 default['postgresql']['config']['ssl_ciphers'] = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
 

recipes/server.rb

@@ -30,4 +30,19 @@
       mode 0700
     end
   end
+
+  change_notify = node['postgresql']['server']['config_change_notify']
+
+  link "/var/lib/postgresql/#{node['postgresql']['version']}/main/server.crt" do
+    action :delete
+    only_if "ls -l /var/lib/postgresql/#{node['postgresql']['version']}/main/server.crt |grep /etc/ssl/certs/ssl-cert-snakeoil.pem"
+    notifies change_notify, 'service[postgresql]'
+  end
+
+  link "/var/lib/postgresql/#{node['postgresql']['version']}/main/server.key" do
+    action :delete
+    only_if "ls -l /var/lib/postgresql/#{node['postgresql']['version']}/main/server.key |grep /etc/ssl/private/ssl-cert-snakeoil.key"
+    notifies change_notify, 'service[postgresql]'
+  end
+
 end