Repository files navigation

Provides security configurations for postgres.

Note: This is currently work in progress and not tested on all supported platforms

• Chef >= 12.5.1

• Debian 7, 8
• Ubuntu 12.04, 14.04, 16.04
• RHEL 6, 7
• CentOS 6, 7
• Oracle Linux 6, 7

This cookbook is optimized to work withos-hardening andssh-hardening. It will play well without, but you need to ensure all preconditions likeapt-get update oryum update are met.

add the following to your runlist and customize security option attributes

"recipe[postgresql::server]","recipe[postgres-hardening]"

You should also use the official postgres packages, because those offer the latest fixes. Enable the suitable option for thepostgres cookbook.

"postgresql": {# debian, ubuntu"enable_pgdg_apt":true# rhel"enable_pgdg_yum":true}

The hardening cookbook is only optimized for Postgresql 9.4. This can be activated for [postgres cookbook](https://github.com/sous-chefs/postgresql.

"postgresql": {   version:"9.4"}

Please readhttp://www.postgresql.org/docs/9.1/static/ssl-tcp.html first.

This cookbook will delete the links from/var/lib/postgresql/#{node['postgresql']['version']}/main/server.crt to/etc/ssl/certs/ssl-cert-snakeoil.pem and/var/lib/postgresql/#{node['postgresql']['version']}/main/server.key to/etc/ssl/private/ssl-cert-snakeoil.key on Debian systems. This certificates are self-signed (seehttp://en.wikipedia.org/wiki/Snake_oil_%28cryptography%29) and therefore not trusted. You have to provide your own trusted certificates for SSL.

• node['postgresql']['config']['logging_collector'] = trueThis parameter enables the logging collector, which is a background processthat captures log messages sent to stderr and redirects them into log files.Seehttp://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for detailsDefaults to:true

• node['postgresql']['config']['log_directory'] = 'pg_log'When logging_collector is enabled, this parameter determines thedirectory in which log files will be created.Seehttp://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for detailsDefaults to:pg_log

• node['postgresql']['config']['log_connections'] = trueCauses each attempted connection to the server to be logged, as well as successfulcompletion of client authentication.Seehttp://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for detailsDefaults to:true

• node['postgresql']['config']['log_disconnections'] = trueThis outputs a line in the server log similar to log_connections but at sessiontermination, and includes the duration of the session.Seehttp://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for detailsDefaults to:true

• node['postgresql']['config']['log_duration'] = trueCauses the duration of every completed statement to be loggedSeehttp://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for detailsDefaults to:true

• node['postgresql']['config']['log_hostname'] = trueBy default, connection log messages only show the IP address of the connecting host.Seehttp://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for detailsDefaults to:true

• node['postgresql']['config']['log_line_prefix'] = '%t %u %d %h'This is a printf-style string that is output at the beginning of each log line.Seehttp://www.postgresql.org/docs/9.1/static/runtime-config-logging.html for detailsDefaults to:%t %u %d %h

• node['postgresql']['config']['password_encryption'] = trueWhen a password is specified in CREATE USER or ALTER ROLE without writing eitherENCRYPTED or UNENCRYPTED, this parameter determines whether the password is to be encrypted.Seehttp://www.postgresql.org/docs/9.1/static/runtime-config-connection.html for detailsDefaults to:true

• node['postgresql']['config']['ssl'] = falseEnables SSL connections. Please readhttp://www.postgresql.org/docs/9.1/static/ssl-tcp.htmlSSL certificates are out of scope of this module. This is why this setting defaults tooff.You have to provide ssl certificatesbefore the startup of postgres, otherwise it will fail to start.
  Seehttp://www.postgresql.org/docs/9.1/static/runtime-config-connection.html for detailsDefaults to:false

# Install dependenciesgem install bundlerbundle install# Do lint checksbundleexec rake lint# fast test on one machinebundleexec kitchentest default-apt-ubuntu-1604# test on all machinesbundleexec kitchentest# for developmentbundleexec kitchen create default-apt-ubuntu-1604bundleexec kitchen converge default-apt-ubuntu-1604

• Edmund Haselwanterehaselwanter
• Dominik Richterarlimus
• Christoph Hartmannchris-rock
• Patrick Muenchatomic111

• Author:: Deutsche Telekom AG

Licensed under the Apache License, Version 2.0 (the "License");you may not use this file except in compliance with the License.You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, softwaredistributed under the License is distributed on an "AS IS" BASIS,WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.See the License for the specific language governing permissions andlimitations under the License.