├── .gitignore ├── .yamllint ├── LICENSE ├── README.md ├── defaults └── main.yml ├── handlers └── main.yml ├── local.yml ├── tasks ├── cat1.yml ├── cat2.yml ├── cat3.yml ├── main.yml └── prelim.yml ├── templates └── etc_default_grub.j2 └── vars └── main.yml /.gitignore: -------------------------------------------------------------------------------- 1 | benchparse/ 2 | *xccdf.xml 3 | *.retry 4 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | extends: default 4 | 5 | rules: 6 | indentation: 7 | spaces: 4 8 | truthy: disable 9 | braces: 10 | max-spaces-inside: 1 11 | level: error 12 | brackets: 13 | max-spaces-inside: 1 14 | level: error 15 | line-length: disable 16 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2018 ansible-lockdown 4 | Copyright (c) 2019, Massachusetts Institute of Technology (MIT) Lincoln Laboratory 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. Neither the name of the copyright holder nor the names of its contributors 17 | may be used to endorse or promote products derived from this software 18 | without specific prior written permission. 
19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PGS9-STIG 2 | Ansible Role for the Postgresql 9.x DISA STIG 3 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | pgs9stig_cat1: yes 4 | pgs9stig_cat2: yes 5 | pgs9stig_cat3: yes 6 | 7 | pgs9stig_postgres_module_name: postgresql 8 | pgs9stig_postgres_module_version: 12 9 | 10 | pgs9stig_postgres_packages: >- 11 | {{ pgs9stig_postgres_packages_simple 12 | if ansible_distribution_major_version | default('8') is version_compare('8', '>=') 13 | else pgs9stig_postgres_packages_el7 }} 14 | pgs9stig_postgres_packages_simple: 15 | - postgresql-server 16 | - postgresql 17 | pgs9stig_postgres_packages_el7: 18 | - rh-postgresql12-postgresql-server-syspaths 19 | - rh-postgresql12-postgresql-syspaths 20 | 21 | pgs9stig_configure_pgaudit: yes 22 | pgs9stig_pgaudit_packages: 23 | - >- 24 | {{ 'pgaudit' 25 | if ansible_distribution_major_version | 
default('8') is version_compare('8', '>=')
    else 'rh-postgresql12-pgaudit' }}

# OS account and systemd unit the role manages. Ownership of the data/log
# directories and the restart/reload handlers key off these two values.
pgs9stig_postgres_user: postgres
pgs9stig_postgres_service: postgresql

# Roles allowed to hold SUPERUSER. Presumably consumed by a superuser check in
# the task files not shown here — add any break-glass/DBA roles before running,
# or they are likely to be reported as a finding.
pgs9stig_allowed_superusers:
    - "{{ pgs9stig_postgres_user }}"

# Appendix C: Logging
# possible values: stderr, syslog
# With syslog, PostgreSQL hands audit records to the local syslog daemon and the
# on-disk permission controls (PGS9-00-000400/002300/004200) are enforced on the
# rsyslog side; with stderr, the role secures pgs9stig_log_directory itself.
pgs9stig_log_destination: syslog

# only takes effect for stderr logging
pgs9stig_log_directory: "{{ pgs9stig_pgdata }}/pg_log"

# Configure rsyslog and logrotate
# only takes effect for syslog logging
pgs9stig_configure_rsyslog: yes

# only takes effect for syslog logging with rsyslog
# The rsyslog rule file gets '$umask 0077' prepended so newly created log files
# are 0600; pgs9stig_rsyslog_log_path is stripped of group/other access.
pgs9stig_rsyslog_log_path: /var/log/postgres
pgs9stig_rsyslog_conf: /etc/rsyslog.d/postgres.conf


# Show Changed for values requiring local documentation
pgs9stig_warn_docs: yes

# Show Changed for items requiring manual verification
pgs9stig_warn_manual: yes

# Show Changed for uncorrected open findings
pgs9stig_warn_finding: yes

# tweak role to run in a non-privileged container
# (host-level steps such as regenerating grub.cfg in the handlers are skipped)
pgs9stig_system_is_container: no

# log_line_prefix
# Each STIG ID below states the minimum escapes it checks for; the single value
# chosen in this file (see pgs9stig_log_line_prefix) must satisfy all of them.
# PGS9-00-000200: '< %m %u %d %e: >'
# PGS9-00-004600: '< %m %u %c: >'
# PGS9-00-004700: '< %m %u %c: >'
# PGS9-00-005100: '< %m %u %d %c: >'
# PGS9-00-006200: If log_line_prefix does not contain at least %m %u %d %c, this is a finding.
# PGS9-00-007100: If log_line_prefix does not contain %m %u %d %s, this is a finding. '< %m %a %u %d %r %p %i %e %s>'
# PGS9-00-007700: If log_line_prefix does not contain %m, this is a finding.
# PGS9-00-007800: If log_line_prefix does not contain %m, %u, %d, %p, %r, %a, this is a finding. '< %m %u %d %p %r %a >'
# PGS9-00-008800: '< %m %a %u %d %r %p %m >'
# PGS9-00-009700: If log_line_prefix does not contain at least '< %m %a %u %d %r %p %m >', this is a finding.
73 | # PGS9-00-010400: '< %m %u %d %c: >' 74 | # PGS9-00-011100: If the query result does not contain "%m", this is a finding. 75 | # PGS9-00-012600: '< %m %u %c: >' 76 | # this line includes all of the above except %i %e, not explicitly required 77 | pgs9stig_log_line_prefix: "'< %m %a %u %d %r %p %c %s >'" 78 | 79 | # pgaudit.log 80 | # PGS9-00-000200: 'all, -misc' 81 | # PGS9-00-004400: If pgaudit.log does not contain, "ddl, write, role", this is a finding. 'ddl, write, role' 82 | # PGS9-00-004900: 'role' 83 | # PGS9-00-005000: If the output does not contain role, read, write, and ddl, this is a finding. 'ddl, role, read, write' 84 | # PGS9-00-005200: 'ddl' 85 | # PGS9-00-005500: 'read' 86 | # PGS9-00-005600: If the output does not contain role, read, write, and ddl, this is a finding. 'ddl, role, read, write' 87 | # PGS9-00-005800: If the output does not contain role, read, write, and ddl, this is a finding. 'ddl, role, read, write' 88 | # PGS9-00-005900: If pgaudit.log does not contain, "ddl, write, role", this is a finding. 'ddl, write, role' 89 | # PGS9-00-006000: If the output does not contain role, read, write, and ddl, this is a finding. 'ddl, role, read, write' 90 | # PGS9-00-006100: If the output does not contain role, read, write, and ddl, this is a finding. 'role' 91 | # PGS9-00-006300: If the output does not contain role, read, write, and ddl, this is a finding. 'ddl, role, read, write' 92 | # PGS9-00-006400: If the output does not contain role, this is a finding. 'role' 93 | # PGS9-00-006600: If the output does not contain role, read, write, and ddl, this is a finding. 'ddl, role, read, write' 94 | # PGS9-00-006700: If the output does not contain role, read, write, and ddl, this is a finding. 'ddl, role, read, write' 95 | # PGS9-00-009800: If pgaudit.log does not contain ddl, role, read, write, function this is a finding. 
'write, ddl, role, read, function' 96 | # PGS9-00-010000: 'role' 97 | # PGS9-00-012500: If the output does not contain role, read, write, and ddl, this is a finding. 'ddl, role, read, write' 98 | # PGS9-00-012600: If the output does not contain role, read, write, and ddl, this is a finding. 'read, write' 99 | # PGS9-00-012600: 'ddl, role, read, write' 100 | pgs9stig_pgaudit_log: "'write, ddl, role, read, function'" 101 | 102 | 103 | # STIG items that have been documented locally (squashes "changed" for these) 104 | # set '{pgs9stig_warn_docs: no}' above to squash all 105 | pgs9stig_doc_001200: no 106 | pgs9stig_max_connections: 100 107 | pgs9stig_doc_003700: no 108 | pgs9stig_doc_006500: no 109 | pgs9stig_doc_010400: no 110 | pgs9stig_doc_011300: no 111 | 112 | 113 | # STIG items that require manual verification (squashes "changed" for these) 114 | # set '{pgs9stig_warn_manual: no}' above to squash all 115 | pgs9stig_manual_000400: no 116 | pgs9stig_manual_002300: no 117 | pgs9stig_manual_003800: no 118 | pgs9stig_manual_004200: no 119 | pgs9stig_manual_011300: no 120 | pgs9stig_manual_012200: no 121 | 122 | 123 | # PGS9-00-000100 124 | pgs9stig_port: 5432 125 | 126 | # PGS9-00-002400 127 | pgs9stig_log_timezone: UTC 128 | 129 | # PGS9-00-004300 130 | pgs9stig_multiple_versions_in_use: no 131 | 132 | # PGS9-00-010600 133 | pgs9stig_statement_timeout: 10000 134 | pgs9stig_tcp_keepalives_idle: 10 135 | pgs9stig_tcp_keepalives_interval: 10 136 | pgs9stig_tcp_keepalives_count: 10 137 | 138 | 139 | # HIGH 140 | pgs9_00_000300: yes 141 | pgs9_00_008000: yes 142 | pgs9_00_008200: yes 143 | pgs9_00_010200: yes 144 | pgs9_00_011700: yes 145 | pgs9_00_012300: yes 146 | pgs9_00_012800: yes 147 | 148 | # MEDIUM 149 | pgs9_00_000100: yes 150 | pgs9_00_000200: yes 151 | pgs9_00_000400: yes 152 | pgs9_00_000500: yes 153 | pgs9_00_000600: yes 154 | pgs9_00_000700: yes 155 | pgs9_00_000710: yes 156 | pgs9_00_000800: yes 157 | pgs9_00_000900: yes 158 | pgs9_00_001100: yes 159 | 
# Per-control enable switches (MEDIUM, continued). Every task in tasks/cat*.yml
# is gated on its own switch (e.g. `when: pgs9_00_000300`); set one to `no` to
# skip that control entirely — it is then neither remediated nor reported.
pgs9_00_001200: yes
pgs9_00_001300: yes
pgs9_00_001400: yes
pgs9_00_001700: yes
pgs9_00_001800: yes
pgs9_00_001900: yes
pgs9_00_002000: yes
pgs9_00_002100: yes
pgs9_00_002200: yes
pgs9_00_002300: yes
pgs9_00_002400: yes
pgs9_00_002500: yes
pgs9_00_002600: yes
pgs9_00_002700: yes
pgs9_00_003000: yes
pgs9_00_003100: yes
pgs9_00_003200: yes
pgs9_00_003300: yes
pgs9_00_003500: yes
pgs9_00_003600: yes
pgs9_00_003700: yes
pgs9_00_003800: yes
pgs9_00_004000: yes
pgs9_00_004100: yes
pgs9_00_004200: yes
pgs9_00_004300: yes
pgs9_00_004400: yes
pgs9_00_004500: yes
pgs9_00_004600: yes
pgs9_00_004700: yes
pgs9_00_004800: yes
pgs9_00_004900: yes
pgs9_00_005000: yes
pgs9_00_005100: yes
pgs9_00_005200: yes
pgs9_00_005300: yes
pgs9_00_005400: yes
pgs9_00_005500: yes
pgs9_00_005600: yes
pgs9_00_005700: yes
pgs9_00_005800: yes
pgs9_00_005900: yes
pgs9_00_006000: yes
pgs9_00_006100: yes
pgs9_00_006200: yes
pgs9_00_006300: yes
pgs9_00_006400: yes
pgs9_00_006500: yes
pgs9_00_006600: yes
pgs9_00_006700: yes
pgs9_00_006800: yes
pgs9_00_006900: yes
pgs9_00_007000: yes
# Need to generate certs first.
# Disabled by default because the role does not provision a server
# certificate/key. While this is `no` the control is skipped outright — it is
# NOT surfaced through pgs9stig_warn_finding — so it remains an open finding
# until a certificate is in place and this is flipped to `yes`.
pgs9_00_007200: no
pgs9_00_007400: yes
pgs9_00_007700: yes
pgs9_00_007800: yes
pgs9_00_008100: yes
pgs9_00_008300: yes
pgs9_00_008400: yes
pgs9_00_008500: yes
pgs9_00_008600: yes
pgs9_00_008700: yes
pgs9_00_008800: yes
pgs9_00_008900: yes
pgs9_00_009100: yes
pgs9_00_009200: yes
pgs9_00_009400: yes
pgs9_00_009500: yes
pgs9_00_009600: yes
pgs9_00_009700: yes
pgs9_00_009800: yes
pgs9_00_009900: yes
pgs9_00_010000: yes
pgs9_00_010100: yes
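pgs9_00_010300: yes
pgs9_00_010400: yes
pgs9_00_010500: yes
pgs9_00_010600: yes
pgs9_00_010700: yes
pgs9_00_011100: yes
pgs9_00_011200: yes
pgs9_00_011300: yes
pgs9_00_011400: yes
pgs9_00_011500: yes
pgs9_00_011600: yes
pgs9_00_011800: yes
pgs9_00_011900: yes
pgs9_00_012000: yes
pgs9_00_012200: yes
pgs9_00_012500: yes
pgs9_00_012600: yes
pgs9_00_012700: yes
pgs9_00_007100: yes


# Mount point holding the kernel/initramfs ('/', '/boot' or '/boot/efi').
# pgs9_00_boot_part is a registered result from a task not shown here
# (presumably tasks/prelim.yml); the FIPS tasks add boot=UUID=... to the kernel
# command line whenever this is not '/' or empty.
pgs9stig_boot_part: "{{ pgs9_00_boot_part.stdout }}"

# Shared module_defaults for editing postgresql.conf. The regexp only matches an
# active (uncommented) setting; when none exists the line is inserted right
# after the commented-out stock entry so the file keeps its documented layout.
pgs9stig_lineinfile:
    lineinfile:
        line: "{{ item.key }} = {{ item.value }}"
        regexp: "^{{ item.key | regex_escape }} *="
        insertafter: "#{{ item.key | regex_escape }} *="


# pgs9_00_sys_firmware_efi is a registered stat of /sys/firmware/efi (task not
# shown here). UEFI systems keep grub.cfg under the vendor directory, so the
# lower-cased distribution name ('redhat', 'centos', ...) is used for the path.
pgs9stig_machine_uses_uefi: "{{ pgs9_00_sys_firmware_efi.stat.exists }}"
pgs9stig_grub_cfg_path: "{{ pgs9stig_machine_uses_uefi | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart rsyslog
  service:
      name: rsyslog
      state: restarted

# Full restart: needed for settings that are only read at server start
# (e.g. `port`). Prefer 'reload postgres' for SIGHUP-reloadable settings.
- name: restart postgres
  service:
      name: "{{ pgs9stig_postgres_service }}"
      state: restarted

# SIGHUP reload: picks up postgresql.conf logging settings and pg_hba.conf.
- name: reload postgres
  service:
      name: "{{ pgs9stig_postgres_service }}"
      state: reloaded

# Regenerate grub.cfg after /etc/default/grub has been edited
# (fips=1, boot=UUID=...). There is no bootloader to manage in a container.
- name: make grub2 config
  command: /usr/sbin/grub2-mkconfig --output={{ pgs9stig_grub_cfg_path }}
  when:
      - not pgs9stig_system_is_container

# Rebuild the initramfs so the dracut-fips module is included; fips=1 on the
# kernel command line is not effective on the next boot without it.
# Gated like the grub handler: dracut is meaningless (and fails) in a
# non-privileged container.
- name: rebuild initramfs
  command: dracut -f
  when:
      - not pgs9stig_system_is_container

# Notified by the PGS9-00-008000/008200 "Disable prelinking." task in
# tasks/cat1.yml. The handler was missing from this file, which makes Ansible
# abort the play as soon as that task reports a change (unless the calling
# playbook happens to define it). Prelinked binaries fail FIPS integrity
# checks, so setting PRELINKING=no is only half the fix: undo what is already
# applied on disk.
- name: undo existing prelinking
  command: prelink -ua
--------------------------------------------------------------------------------
/local.yml:
--------------------------------------------------------------------------------
---
- name: Apply DISA Postgresql 9.x STIG remediations to the local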
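host
  hosts: localhost
  connection: local
  become: yes
  roles:
      - "{{ playbook_dir }}"
--------------------------------------------------------------------------------
/tasks/cat1.yml:
--------------------------------------------------------------------------------
---
#DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
#
#This material is based upon work supported by the Department of the Air Force and MISSILE DEFENSE AGENCY under Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of the Air Force and MISSILE DEFENSE AGENCY.
#
#© 2019 Massachusetts Institute of Technology.
#
#The software/firmware is provided to you on an As-Is basis
#
#Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.

# CAT I (HIGH) controls. Every task is gated on its pgs9_00_* switch from
# defaults/main.yml. Controls that this role cannot automate are reported as an
# open finding (a "changed" debug when pgs9stig_warn_finding is set) instead of
# silently passing.

# Apply only security-flagged errata (`security: true`) to the PostgreSQL
# packages. Requires a repository that publishes updateinfo metadata; on
# mirrors without it this is a no-op, so verify patch level independently.
- name: "HIGH | PGS9-00-000300 | Security-relevant software updates to PostgreSQL must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs)."
  yum:
      name: "{{ pgs9stig_postgres_packages }}"
      state: latest
      security: true
  when: pgs9_00_000300
  tags:
      - PGS9-00-000300


# FIPS 140-2 mode for the host: dracut-fips + no prelinking + fips=1 (and
# boot=UUID=... when /boot is a separate filesystem) on the kernel command line.
# pgs9stig_regexp_quoted_params / pgs9stig_replace_quoted_params come from
# vars/main.yml (not shown here) and edit a single param inside the quoted
# GRUB_CMDLINE_LINUX value. The json_query filter needs the `jmespath` Python
# package on the controller.
- name: |
      "HIGH | PGS9-00-008000 | PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules to generate and validate cryptographic hashes."
      "HIGH | PGS9-00-008200 | PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements."
  block:
      # dracut-fips only exists on EL 7. On EL 8+ the package is gone (FIPS is
      # enabled through the distribution's own tooling, fips-mode-setup), and an
      # unconditional install fails this whole block. Gate it the same way
      # defaults/main.yml selects packages; this role then only manages the
      # kernel parameter on EL 8+.
      - name: "HIGH | PGS9-00-008000 PGS9-00-008200 | PostgreSQL must implement NIST FIPS 140-2 validated cryptographic modules to generate and validate cryptographic hashes."
        yum:
            name: dracut-fips
            state: present
        notify: rebuild initramfs
        when: ansible_distribution_major_version | default('8') is version_compare('8', '<')

      - name: "HIGH | PGS9-00-008000 PGS9-00-008200 | AUDIT | Check if prelink package is installed"
        command: rpm -q prelink
        args:
            warn: no
        changed_when: no
        failed_when: no
        check_mode: no
        register: pgs9_00_008000_prelink_installed

      - name: "HIGH | PGS9-00-008000 PGS9-00-008200 | PATCH | Disable prelinking."
        lineinfile:
            dest: /etc/sysconfig/prelink
            regexp: ^#?PRELINKING
            line: PRELINKING=no
        when: pgs9_00_008000_prelink_installed.rc == 0
        register: pgs9_00_008000_prelink_disabled

      # The original notified an 'undo existing prelinking' handler that
      # handlers/main.yml does not define, which aborts the play the first time
      # PRELINKING=no is written. Do the undo inline instead: PRELINKING=no only
      # stops future runs, binaries already prelinked on disk still fail FIPS
      # integrity checks.
      - name: "HIGH | PGS9-00-008000 PGS9-00-008200 | PATCH | Undo existing prelinking."
        command: prelink -ua
        when:
            - pgs9_00_008000_prelink_installed.rc == 0
            - pgs9_00_008000_prelink_disabled is changed

      - name: "HIGH | PGS9-00-008000 PGS9-00-008200 | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub"
        command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub
        check_mode: no
        failed_when: no
        changed_when: pgs9_00_008000_default_grub_missing_audit.rc > 0
        register: pgs9_00_008000_default_grub_missing_audit

      # Recover the running kernel's parameters (between ' ro ' and 'LANG=') to
      # seed a fresh /etc/default/grub. rc 1 (no match, e.g. no LANG= on the
      # command line) is tolerated and yields an empty string — confirm
      # templates/etc_default_grub.j2 copes with that before relying on it.
      - name: "HIGH | PGS9-00-008000 PGS9-00-008200 | AUDIT | parse sane GRUB_CMDLINE_LINUX from /proc/cmdline"
        command: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline
        check_mode: no
        changed_when: no
        failed_when: pgs9_00_008000_grub_cmdline_linux_audit.rc > 1
        when: pgs9_00_008000_default_grub_missing_audit is changed
        register: pgs9_00_008000_grub_cmdline_linux_audit

      - name: "HIGH | PGS9-00-008000 PGS9-00-008200 | PATCH | Copy over a sane /etc/default/grub"
        template:
            src: etc_default_grub.j2
            dest: /etc/default/grub
            owner: root
            group: root
            mode: 0644
        vars:
            grub_cmdline_linux: "{{ pgs9_00_008000_grub_cmdline_linux_audit.stdout }}"
        when: pgs9_00_008000_default_grub_missing_audit is changed

      # In check mode the template above never runs, so skip edits that would
      # operate on a file we know is missing/malformed.
      - name: "HIGH | PGS9-00-008000 PGS9-00-008200 | PATCH | fips=1 must be in /etc/default/grub"
        replace:
            path: /etc/default/grub
            regexp: "{{ pgs9stig_regexp_quoted_params }}"
            replace: "{{ pgs9stig_replace_quoted_params }}"
        vars:
            key: GRUB_CMDLINE_LINUX
            param: fips
            value: 1
            append: yes  # this is the default
        when:
            - not ansible_check_mode or
              pgs9_00_008000_default_grub_missing_audit is not changed
        notify: make grub2 config

      - name: "HIGH | PGS9-00-008000 PGS9-00-008200 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line."
        replace:
            path: /etc/default/grub
            regexp: "{{ pgs9stig_regexp_quoted_params }}"
            replace: "{{ pgs9stig_replace_quoted_params }}"
        with_items:
            - "{{ ansible_mounts | json_query(query) }}"
        vars:
            query: "[?mount=='{{ pgs9stig_boot_part }}'] | [0]"
            key: GRUB_CMDLINE_LINUX
            param: boot
            value: UUID={{ item.uuid }}
            insert: yes
        when:
            - pgs9stig_boot_part not in ['/', '']
            - not ansible_check_mode or
              pgs9_00_008000_default_grub_missing_audit is not changed
        notify: make grub2 config

      # Read-back of both parameters. Outside check mode a missing parameter
      # is a hard failure; in check mode it is reported as a change instead.
      - name: "HIGH | PGS9-00-008000 PGS9-00-008200 | AUDIT | Verify kernel parameters in /etc/default/grub"
        command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub
        check_mode: no
        with_items:
            - fips=1
            - boot=UUID={{ ansible_mounts | json_query(query) }}
        vars:
            query: "[?mount=='{{ pgs9stig_boot_part }}'].uuid | [0]"
        register: pgs9_00_008000_audit
        when:
            - not ansible_check_mode or
              pgs9_00_008000_default_grub_missing_audit is not changed
            - pgs9stig_boot_part not in ['/', ''] or
              'boot=' not in item
        changed_when:
            - ansible_check_mode
            - pgs9_00_008000_audit is failed
        failed_when:
            - pgs9_00_008000_audit is failed
            - not ansible_check_mode or
              pgs9_00_008000_audit.rc > 1
  when:
      - pgs9_00_008000 or
        pgs9_00_008200
  tags:
      - PGS9-00-008000
      - PGS9-00-008200


# Not automated by this role. A HIGH control must not disappear into an "ok"
# no-op, so the PATCH step reports an open finding (same pattern as
# PGS9-00-012300/012800 below) whenever pgs9stig_warn_finding is set.
- name: "HIGH | PGS9-00-010200 | PostgreSQL must enforce authorized access to all PKI private keys stored/utilized by PostgreSQL."
  block:
      - name: "HIGH | PGS9-00-010200 | AUDIT | PostgreSQL must enforce authorized access to all PKI private keys stored/utilized by PostgreSQL."
        command: "true"
        register: pgs9_00_010200_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "HIGH | PGS9-00-010200 | PATCH | PostgreSQL must enforce authorized access to all PKI private keys stored/utilized by PostgreSQL."
        debug:
            msg: "CAT 1 Finding: PGS9-00-010200 is not automated by this role; verify that PostgreSQL's PKI private key files are owned by the service account and not group/world readable."
        changed_when: pgs9stig_warn_finding
  when: pgs9_00_010200
  tags:
      - PGS9-00-010200
      - notimplemented

# Not automated by this role; reported as an open finding, see PGS9-00-010200.
- name: "HIGH | PGS9-00-011700 | PostgreSQL must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
  block:
      - name: "HIGH | PGS9-00-011700 | AUDIT | PostgreSQL must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
        command: "true"
        register: pgs9_00_011700_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "HIGH | PGS9-00-011700 | PATCH | PostgreSQL must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
        debug:
            msg: "CAT 1 Finding: PGS9-00-011700 is not automated by this role; review role privileges and SECURITY DEFINER functions manually."
        changed_when: pgs9stig_warn_finding
  when: pgs9_00_011700
  tags:
      - PGS9-00-011700
      - notimplemented


# Checks the OpenSSL build string for a FIPS marker. EL 7 prints
# '...-fips', EL 8 prints '... FIPS ...' in upper case, so the grep must be
# case-insensitive or every EL 8 host is a false finding. The kernel-side
# truth is /proc/sys/crypto/fips_enabled; the build string alone does not
# prove FIPS mode is active.
- name: "HIGH | PGS9-00-012300 | PostgreSQL must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations."
  block:
      - name: "HIGH | PGS9-00-012300 | PATCH | PostgreSQL must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations."
        yum:
            name: openssl
            state: present

      - name: "HIGH | PGS9-00-012300 | AUDIT | Check for FIPS validated version of openssl"
        shell: openssl version | grep -i 'fips'
        register: pgs9stig_openssl_fips_check
        check_mode: no
        failed_when: no
        changed_when: pgs9stig_openssl_fips_check.rc != 0

      - debug:
            msg: CAT 1 Finding non-FIPS validated version of openssl found
        changed_when: yes
        when: pgs9stig_openssl_fips_check is changed
  when:
      - pgs9_00_012300
  tags:
      - PGS9-00-012300


# Only Red Hat's OpenSSL build carries a FIPS 140-2 certificate; rebuilds
# (CentOS etc.) do not, regardless of the build string above.
- name: "HIGH | PGS9-00-012800 | The DBMS must be configured on a platform that has a NIST certified FIPS 140-2 installation of OpenSSL."
  debug:
      msg: CAT 1 Finding, non RHEL system
  changed_when: yes
  when:
      - pgs9_00_012800
      - ansible_distribution != "RedHat"
  tags:
      - PGS9-00-012800
--------------------------------------------------------------------------------
/tasks/cat2.yml:
--------------------------------------------------------------------------------
---
#DISTRIBUTION STATEMENT A. Approved for public release.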
Distribution is unlimited. 3 | # 4 | #This material is based upon work supported by the Department of the Air Force and MISSILE DEFENSE AGENCY under Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of the Air Force and MISSILE DEFENSE AGENCY. 5 | # 6 | #© 2019 Massachusetts Institute of Technology. 7 | # 8 | #The software/firmware is provided to you on an As-Is basis 9 | # 10 | #Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work. 11 | 12 | - name: "MEDIUM | PGS9-00-000100 | PostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments." 13 | lineinfile: 14 | path: "{{ pgs9stig_pgdata }}/postgresql.conf" 15 | module_defaults: "{{ pgs9stig_lineinfile }}" 16 | notify: restart postgres 17 | with_items: 18 | - key: port 19 | value: "{{ pgs9stig_port }}" 20 | when: 21 | - pgs9_00_000100 22 | tags: 23 | - PGS9-00-000100 24 | 25 | - name: "MEDIUM | PGS9-00-000200 | PostgreSQL must produce audit records containing sufficient information to establish the outcome (success or failure) of the events." 26 | debug: 27 | msg: | 28 | "Using pgaudit PostgreSQL can be configured to audit various facets of PostgreSQL." 29 | "All errors, denials and unsuccessful requests are logged if logging is enabled." 
30 | Logging and pgaudit are configured in PRELIM 31 | {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }} 32 | changed_when: 33 | - not pgs9stig_configure_pgaudit 34 | - pgs9stig_warn_finding 35 | when: 36 | - pgs9_00_000200 37 | tags: 38 | - PGS9-00-000200 39 | 40 | 41 | - name: | 42 | "MEDIUM | PGS9-00-000400 | AUDIT | The audit information produced by PostgreSQL must be protected from unauthorized modification." 43 | "MEDIUM | PGS9-00-002300 | AUDIT | The audit information produced by PostgreSQL must be protected from unauthorized deletion." 44 | debug: 45 | msg: "If the PostgreSQL server is configured to use syslog for logging, consult the organization syslog setting for permissions and ownership of logs." 46 | changed_when: 47 | - pgs9stig_warn_manual 48 | - not pgs9stig_manual_000400 or 49 | not pgs9stig_manual_002300 50 | when: 51 | - pgs9_00_000400 or 52 | pgs9_00_002300 53 | - pgs9stig_log_destination == 'syslog' 54 | - not pgs9stig_with_rsyslog 55 | tags: 56 | - PGS9-00-000400 57 | - PGS9-00-002300 58 | 59 | - name: | 60 | "MEDIUM | PGS9-00-000400 | The audit information produced by PostgreSQL must be protected from unauthorized modification." 61 | "MEDIUM | PGS9-00-002300 | The audit information produced by PostgreSQL must be protected from unauthorized deletion." 62 | "MEDIUM | PGS9-00-004200 | The audit information produced by PostgreSQL must be protected from unauthorized read access." 63 | block: 64 | - name: | 65 | "MEDIUM | PGS9-00-000400 | The audit information produced by PostgreSQL must be protected from unauthorized modification." 66 | "MEDIUM | PGS9-00-002300 | The audit information produced by PostgreSQL must be protected from unauthorized deletion." 67 | "MEDIUM | PGS9-00-004200 | The audit information produced by PostgreSQL must be protected from unauthorized read access." 
68 | lineinfile: 69 | path: "{{ pgs9stig_rsyslog_conf }}" 70 | line: $umask 0077 71 | insertbefore: BOF 72 | notify: restart rsyslog 73 | 74 | - name: "MEDIUM | PGS9-00-000400 PGS9-00-002300 PGS9-00-004200 | Verify log access on disk." 75 | file: 76 | path: "{{ pgs9stig_rsyslog_log_path }}" 77 | mode: go-rwx 78 | when: 79 | - pgs9_00_000400 or 80 | pgs9_00_002300 or 81 | pgs9_00_004200 82 | - pgs9stig_with_rsyslog 83 | tags: 84 | - PGS9-00-000400 85 | - PGS9-00-002300 86 | - PGS9-00-004200 87 | 88 | - name: | 89 | "MEDIUM | PGS9-00-000400 | The audit information produced by PostgreSQL must be protected from unauthorized modification." 90 | "MEDIUM | PGS9-00-002300 | The audit information produced by PostgreSQL must be protected from unauthorized deletion." 91 | "MEDIUM | PGS9-00-004200 | The audit information produced by PostgreSQL must be protected from unauthorized read access." 92 | block: 93 | - name: | 94 | "MEDIUM | PGS9-00-000400 | PATCH | The audit information produced by PostgreSQL must be protected from unauthorized modification." 95 | "MEDIUM | PGS9-00-002300 | PATCH | The audit information produced by PostgreSQL must be protected from unauthorized deletion." 96 | "MEDIUM | PGS9-00-004200 | PATCH | The audit information produced by PostgreSQL must be protected from unauthorized read access." 97 | lineinfile: 98 | path: "{{ pgs9stig_pgdata }}/postgresql.conf" 99 | module_defaults: "{{ pgs9stig_lineinfile }}" 100 | notify: reload postgres 101 | with_dict: 102 | log_file_mode: "0600" 103 | 104 | - name: | 105 | "MEDIUM | PGS9-00-000400 | PATCH | The audit information produced by PostgreSQL must be protected from unauthorized modification." 106 | "MEDIUM | PGS9-00-002300 | PATCH | The audit information produced by PostgreSQL must be protected from unauthorized deletion." 107 | "MEDIUM | PGS9-00-004200 | PATCH | The audit information produced by PostgreSQL must be protected from unauthorized read access." 
108 | file: 109 | path: "{{ pgs9stig_log_directory }}" 110 | mode: go-rwx 111 | owner: "{{ pgs9stig_postgres_user }}" 112 | group: "{{ pgs9stig_postgres_user }}" 113 | recurse: yes 114 | when: 115 | - pgs9_00_000400 or 116 | pgs9_00_002300 or 117 | pgs9_00_004200 or 118 | false 119 | - pgs9stig_log_destination == 'stderr' 120 | tags: 121 | - PGS9-00-000400 122 | - PGS9-00-002300 123 | - PGS9-00-004200 124 | 125 | 126 | - name: "MEDIUM | PGS9-00-000500 | PostgreSQL must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals." 127 | block: 128 | - name: "MEDIUM | PGS9-00-000500 | AUDIT | PostgreSQL must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals." 129 | command: "true" 130 | register: pgs9_00_000500_audit 131 | check_mode: no 132 | changed_when: no 133 | with_items: 134 | - not implemented 135 | - name: "MEDIUM | PGS9-00-000500 | PATCH | PostgreSQL must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals." 136 | command: "true" 137 | changed_when: no 138 | with_items: 139 | - not implemented 140 | when: 141 | - pgs9_00_000500 142 | tags: 143 | - PGS9-00-000500 144 | - notimplemented 145 | 146 | - name: "MEDIUM | PGS9-00-000600 | PostgreSQL must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries." 
147 | lineinfile: 148 | path: "{{ pgs9stig_pgdata }}/postgresql.conf" 149 | module_defaults: "{{ pgs9stig_lineinfile }}" 150 | notify: reload postgres 151 | with_items: 152 | - key: client_min_messages 153 | value: error 154 | when: 155 | - pgs9_00_000600 156 | tags: 157 | - PGS9-00-000600 158 | 159 | 160 | - name: "MEDIUM | PGS9-00-000700 | Privileges to change PostgreSQL software modules must be limited." 161 | block: 162 | - name: "MEDIUM | PGS9-00-000700 | AUDIT | Privileges to change PostgreSQL software modules must be limited." 163 | shell: rpm -Va {{ pgs9stig_postgres_packages | join(" ") }} | grep -v "^.\....\.\... c" 164 | args: 165 | warn: no 166 | register: pgs9_00_000700_audit 167 | check_mode: no 168 | changed_when: pgs9_00_000700_audit.rc == 0 169 | failed_when: pgs9_00_000700_audit.rc > 1 170 | 171 | - name: "MEDIUM | PGS9-00-000700 | PATCH | Privileges to change PostgreSQL software modules must be limited." 172 | shell: rpm --setugids -a {{ pgs9stig_postgres_packages | join(" ") }} ; rpm --setperms -a {{ pgs9stig_postgres_packages | join(" ") }} 173 | args: 174 | warn: no 175 | when: pgs9_00_000700_audit is changed 176 | 177 | - name: "MEDIUM | PGS9-00-000700 | PATCH | Privileges to change PostgreSQL software modules must be limited." 178 | file: 179 | path: "{{ pgs9stig_pgdata }}" 180 | owner: "{{ pgs9stig_postgres_user }}" 181 | group: "{{ pgs9stig_postgres_user }}" 182 | mode: o-w 183 | when: 184 | - pgs9_00_000700 185 | tags: 186 | - PGS9-00-000700 187 | 188 | 189 | - name: "MEDIUM | PGS9-00-000710 | PostgreSQL must limit privileges to change functions and triggers, and links to software external to PostgreSQL." 190 | block: 191 | - name: "MEDIUM | PGS9-00-000710 | AUDIT | PostgreSQL must limit privileges to change functions and triggers, and links to software external to PostgreSQL." 
192 | command: "true" 193 | register: pgs9_00_000710_audit 194 | check_mode: no 195 | changed_when: no 196 | with_items: 197 | - not implemented 198 | - name: "MEDIUM | PGS9-00-000710 | PATCH | PostgreSQL must limit privileges to change functions and triggers, and links to software external to PostgreSQL." 199 | command: "true" 200 | changed_when: no 201 | with_items: 202 | - not implemented 203 | when: 204 | - pgs9_00_000710 205 | tags: 206 | - PGS9-00-000710 207 | - notimplemented 208 | 209 | - name: "MEDIUM | PGS9-00-000800 | If passwords are used for authentication, PostgreSQL must transmit only encrypted representations of passwords." 210 | replace: 211 | path: "{{ pgs9stig_pgdata }}/pg_hba.conf" 212 | regexp: '^([^#\n].*)password' 213 | replace: '\1md5' 214 | when: 215 | - pgs9_00_000800 216 | tags: 217 | - PGS9-00-000800 218 | 219 | - name: "MEDIUM | PGS9-00-000900 | PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." 220 | block: 221 | - name: "MEDIUM | PGS9-00-000900 | AUDIT | PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." 222 | command: "true" 223 | register: pgs9_00_000900_audit 224 | check_mode: no 225 | changed_when: no 226 | with_items: 227 | - not implemented 228 | - name: "MEDIUM | PGS9-00-000900 | PATCH | PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." 
229 | command: "true" 230 | changed_when: no 231 | with_items: 232 | - not implemented 233 | when: 234 | - pgs9_00_000900 235 | tags: 236 | - PGS9-00-000900 237 | - notimplemented 238 | 239 | - name: "MEDIUM | PGS9-00-001100 | PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in transmission." 240 | block: 241 | - name: "MEDIUM | PGS9-00-001100 | AUDIT | PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in transmission." 242 | command: "true" 243 | register: pgs9_00_001100_audit 244 | check_mode: no 245 | changed_when: no 246 | with_items: 247 | - not implemented 248 | - name: "MEDIUM | PGS9-00-001100 | PATCH | PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in transmission." 249 | command: "true" 250 | changed_when: no 251 | with_items: 252 | - not implemented 253 | when: 254 | - pgs9_00_001100 255 | tags: 256 | - PGS9-00-001100 257 | - notimplemented 258 | 259 | 260 | - name: "MEDIUM | PGS9-00-001200 | PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types." 261 | block: 262 | - name: "MEDIUM | PGS9-00-001200 | AUDIT | PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types." 263 | debug: 264 | msg: "If the total amount of connections is greater than documented by an organization, this is a finding." 265 | changed_when: 266 | - pgs9stig_warn_docs 267 | - not pgs9stig_doc_001200 268 | 269 | - name: "MEDIUM | PGS9-00-001200 | PATCH | PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types." 
270 | lineinfile: 271 | path: "{{ pgs9stig_pgdata }}/postgresql.conf" 272 | module_defaults: "{{ pgs9stig_lineinfile }}" 273 | notify: restart postgres 274 | with_items: 275 | - key: max_connections 276 | value: "{{ pgs9stig_max_connections }}" 277 | when: 278 | - pgs9_00_001200 279 | tags: 280 | - PGS9-00-001200 281 | 282 | 283 | - name: "MEDIUM | PGS9-00-001300 | The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (functions, trigger procedures, links to software external to PostgreSQL, etc.) must be restricted to authorized users." 284 | block: 285 | - name: "MEDIUM | PGS9-00-001300 | AUDIT | The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (functions, trigger procedures, links to software external to PostgreSQL, etc.) must be restricted to authorized users." 286 | command: "true" 287 | register: pgs9_00_001300_audit 288 | check_mode: no 289 | changed_when: no 290 | with_items: 291 | - not implemented 292 | - name: "MEDIUM | PGS9-00-001300 | PATCH | The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (functions, trigger procedures, links to software external to PostgreSQL, etc.) must be restricted to authorized users." 293 | command: "true" 294 | changed_when: no 295 | with_items: 296 | - not implemented 297 | when: 298 | - pgs9_00_001300 299 | tags: 300 | - PGS9-00-001300 301 | - notimplemented 302 | 303 | - name: "MEDIUM | PGS9-00-001400 | PostgreSQL must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users)." 304 | block: 305 | - name: "MEDIUM | PGS9-00-001400 | AUDIT | PostgreSQL must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users)." 
306 | command: "true" 307 | register: pgs9_00_001400_audit 308 | check_mode: no 309 | changed_when: no 310 | with_items: 311 | - not implemented 312 | - name: "MEDIUM | PGS9-00-001400 | PATCH | PostgreSQL must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users)." 313 | command: "true" 314 | changed_when: no 315 | with_items: 316 | - not implemented 317 | when: 318 | - pgs9_00_001400 319 | tags: 320 | - PGS9-00-001400 321 | - notimplemented 322 | 323 | - name: "MEDIUM | PGS9-00-001700 | PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in storage." 324 | block: 325 | - name: "MEDIUM | PGS9-00-001700 | AUDIT | PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in storage." 326 | command: "true" 327 | register: pgs9_00_001700_audit 328 | check_mode: no 329 | changed_when: no 330 | with_items: 331 | - not implemented 332 | - name: "MEDIUM | PGS9-00-001700 | PATCH | PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in storage." 333 | command: "true" 334 | changed_when: no 335 | with_items: 336 | - not implemented 337 | when: 338 | - pgs9_00_001700 339 | tags: 340 | - PGS9-00-001700 341 | - notimplemented 342 | 343 | - name: "MEDIUM | PGS9-00-001800 | PostgreSQL must check the validity of all data inputs except those specifically identified by the organization." 344 | block: 345 | - name: "MEDIUM | PGS9-00-001800 | AUDIT | PostgreSQL must check the validity of all data inputs except those specifically identified by the organization." 
346 | command: "true" 347 | register: pgs9_00_001800_audit 348 | check_mode: no 349 | changed_when: no 350 | with_items: 351 | - not implemented 352 | - name: "MEDIUM | PGS9-00-001800 | PATCH | PostgreSQL must check the validity of all data inputs except those specifically identified by the organization." 353 | command: "true" 354 | changed_when: no 355 | with_items: 356 | - not implemented 357 | when: 358 | - pgs9_00_001800 359 | tags: 360 | - PGS9-00-001800 361 | - notimplemented 362 | 363 | - name: "MEDIUM | PGS9-00-001900 | PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it." 364 | block: 365 | - name: "MEDIUM | PGS9-00-001900 | AUDIT | PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it." 366 | command: "true" 367 | register: pgs9_00_001900_audit 368 | check_mode: no 369 | changed_when: no 370 | with_items: 371 | - not implemented 372 | - name: "MEDIUM | PGS9-00-001900 | PATCH | PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it." 373 | command: "true" 374 | changed_when: no 375 | with_items: 376 | - not implemented 377 | when: 378 | - pgs9_00_001900 379 | tags: 380 | - PGS9-00-001900 381 | - notimplemented 382 | 383 | - name: "MEDIUM | PGS9-00-002000 | PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack." 384 | block: 385 | - name: "MEDIUM | PGS9-00-002000 | AUDIT | PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack." 
386 | command: "true" 387 | register: pgs9_00_002000_audit 388 | check_mode: no 389 | changed_when: no 390 | with_items: 391 | - not implemented 392 | - name: "MEDIUM | PGS9-00-002000 | PATCH | PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack." 393 | command: "true" 394 | changed_when: no 395 | with_items: 396 | - not implemented 397 | when: 398 | - pgs9_00_002000 399 | tags: 400 | - PGS9-00-002000 401 | - notimplemented 402 | 403 | - name: "MEDIUM | PGS9-00-002100 | PostgreSQL must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements." 404 | block: 405 | - name: "MEDIUM | PGS9-00-002100 | AUDIT | PostgreSQL must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements." 406 | command: "true" 407 | register: pgs9_00_002100_audit 408 | check_mode: no 409 | changed_when: no 410 | with_items: 411 | - not implemented 412 | - name: "MEDIUM | PGS9-00-002100 | PATCH | PostgreSQL must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements." 413 | command: "true" 414 | changed_when: no 415 | with_items: 416 | - not implemented 417 | when: 418 | - pgs9_00_002100 419 | tags: 420 | - PGS9-00-002100 421 | - notimplemented 422 | 423 | - name: "MEDIUM | PGS9-00-002200 | PostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects." 424 | block: 425 | - name: "MEDIUM | PGS9-00-002200 | AUDIT | PostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects." 
426 | command: "true" 427 | register: pgs9_00_002200_audit 428 | check_mode: no 429 | changed_when: no 430 | with_items: 431 | - not implemented 432 | - name: "MEDIUM | PGS9-00-002200 | PATCH | PostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects." 433 | command: "true" 434 | changed_when: no 435 | with_items: 436 | - not implemented 437 | when: 438 | - pgs9_00_002200 439 | tags: 440 | - PGS9-00-002200 441 | - notimplemented 442 | 443 | - name: "MEDIUM | PGS9-00-002400 | PostgreSQL must record time stamps, in audit records and application data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT)." 444 | lineinfile: 445 | path: "{{ pgs9stig_pgdata }}/postgresql.conf" 446 | module_defaults: "{{ pgs9stig_lineinfile }}" 447 | notify: reload postgres 448 | with_items: 449 | - key: log_timezone 450 | value: "{{ pgs9stig_log_timezone }}" 451 | when: 452 | - pgs9_00_002400 453 | tags: 454 | - PGS9-00-002400 455 | 456 | - name: "MEDIUM | PGS9-00-002500 | PostgreSQL must reveal detailed error messages only to the ISSO, ISSM, SA and DBA." 457 | block: 458 | - name: "MEDIUM | PGS9-00-002500 | AUDIT | PostgreSQL must reveal detailed error messages only to the ISSO, ISSM, SA and DBA." 459 | command: "true" 460 | register: pgs9_00_002500_audit 461 | check_mode: no 462 | changed_when: no 463 | with_items: 464 | - not implemented 465 | - name: "MEDIUM | PGS9-00-002500 | PATCH | PostgreSQL must reveal detailed error messages only to the ISSO, ISSM, SA and DBA." 466 | command: "true" 467 | changed_when: no 468 | with_items: 469 | - not implemented 470 | when: 471 | - pgs9_00_002500 472 | tags: 473 | - PGS9-00-002500 474 | - notimplemented 475 | 476 | 477 | - name: | 478 | "MEDIUM | PGS9-00-002600 | PostgreSQL must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." 
479 | "MEDIUM | PGS9-00-010700 | PostgreSQL must protect its audit features from unauthorized access." 480 | block: 481 | - name: | 482 | "MEDIUM | PGS9-00-002600 | PATCH | PostgreSQL must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." 483 | "MEDIUM | PGS9-00-010700 | PATCH | PostgreSQL must protect its audit features from unauthorized access." 484 | file: 485 | path: "{{ pgs9stig_pgdata }}" 486 | owner: "{{ pgs9stig_postgres_user }}" 487 | group: "{{ pgs9stig_postgres_user }}" 488 | recurse: yes 489 | 490 | - name: | 491 | "MEDIUM | PGS9-00-002600 | AUDIT | PostgreSQL must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." 492 | "MEDIUM | PGS9-00-010700 | AUDIT | PostgreSQL must protect its audit features from unauthorized access." 493 | shell: set -o pipefail ; psql -c '\du' | grep Superuser | awk '{print $1}' 494 | become_user: "{{ pgs9stig_postgres_user }}" 495 | register: pgs9_00_002600_audit 496 | check_mode: no 497 | changed_when: disallowed_superusers | length != 0 498 | 499 | - name: | 500 | "MEDIUM | PGS9-00-002600 | AUDIT | PostgreSQL must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." 501 | "MEDIUM | PGS9-00-010700 | AUDIT | PostgreSQL must protect its audit features from unauthorized access." 502 | debug: 503 | msg: | 504 | Found unauthorized superusers: 505 | {{ disallowed_superusers | join('\n') }} 506 | changed_when: yes 507 | when: pgs9_00_002600_audit is changed 508 | 509 | - name: | 510 | "MEDIUM | PGS9-00-002600 | PATCH | PostgreSQL must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." 511 | "MEDIUM | PGS9-00-010700 | PATCH | PostgreSQL must protect its audit features from unauthorized access." 
512 | command: psql -c 'alter user {{ item }} with nosuperuser ;' 513 | become_user: "{{ pgs9stig_postgres_user }}" 514 | with_items: "{{ disallowed_superusers }}" 515 | vars: 516 | disallowed_superusers: "{{ pgs9_00_002600_audit.stdout_lines | difference(pgs9stig_allowed_superusers) }}" 517 | when: 518 | - pgs9_00_002600 or 519 | pgs9_00_010700 or 520 | false 521 | tags: 522 | - PGS9-00-002600 523 | - PGS9-00-010700 524 | 525 | 526 | - name: "MEDIUM | PGS9-00-002700 | PostgreSQL must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts." 527 | block: 528 | - name: "MEDIUM | PGS9-00-002700 | AUDIT | PostgreSQL must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts." 529 | command: "true" 530 | register: pgs9_00_002700_audit 531 | check_mode: no 532 | changed_when: no 533 | with_items: 534 | - not implemented 535 | - name: "MEDIUM | PGS9-00-002700 | PATCH | PostgreSQL must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts." 536 | command: "true" 537 | changed_when: no 538 | with_items: 539 | - not implemented 540 | when: 541 | - pgs9_00_002700 542 | tags: 543 | - PGS9-00-002700 544 | - notimplemented 545 | 546 | - name: "MEDIUM | PGS9-00-003000 | PostgreSQL must maintain the confidentiality and integrity of information during reception." 547 | block: 548 | - name: "MEDIUM | PGS9-00-003000 | AUDIT | PostgreSQL must maintain the confidentiality and integrity of information during reception." 549 | command: "true" 550 | register: pgs9_00_003000_audit 551 | check_mode: no 552 | changed_when: no 553 | with_items: 554 | - not implemented 555 | - name: "MEDIUM | PGS9-00-003000 | PATCH | PostgreSQL must maintain the confidentiality and integrity of information during reception." 
556 | command: "true" 557 | changed_when: no 558 | with_items: 559 | - not implemented 560 | when: 561 | - pgs9_00_003000 562 | tags: 563 | - PGS9-00-003000 564 | - notimplemented 565 | 566 | - name: "MEDIUM | PGS9-00-003100 | Database objects (including but not limited to tables, indexes, storage, trigger procedures, functions, links to software external to PostgreSQL, etc.) must be owned by database/DBMS principals authorized for ownership." 567 | block: 568 | - name: "MEDIUM | PGS9-00-003100 | AUDIT | Database objects (including but not limited to tables, indexes, storage, trigger procedures, functions, links to software external to PostgreSQL, etc.) must be owned by database/DBMS principals authorized for ownership." 569 | command: "true" 570 | register: pgs9_00_003100_audit 571 | check_mode: no 572 | changed_when: no 573 | with_items: 574 | - not implemented 575 | - name: "MEDIUM | PGS9-00-003100 | PATCH | Database objects (including but not limited to tables, indexes, storage, trigger procedures, functions, links to software external to PostgreSQL, etc.) must be owned by database/DBMS principals authorized for ownership." 576 | command: "true" 577 | changed_when: no 578 | with_items: 579 | - not implemented 580 | when: 581 | - pgs9_00_003100 582 | tags: 583 | - PGS9-00-003100 584 | - notimplemented 585 | 586 | - name: "MEDIUM | PGS9-00-003200 | The PostgreSQL software installation account must be restricted to authorized users." 587 | block: 588 | - name: "MEDIUM | PGS9-00-003200 | AUDIT | The PostgreSQL software installation account must be restricted to authorized users." 589 | command: "true" 590 | register: pgs9_00_003200_audit 591 | check_mode: no 592 | changed_when: no 593 | with_items: 594 | - not implemented 595 | - name: "MEDIUM | PGS9-00-003200 | PATCH | The PostgreSQL software installation account must be restricted to authorized users." 
596 | command: "true" 597 | changed_when: no 598 | with_items: 599 | - not implemented 600 | when: 601 | - pgs9_00_003200 602 | tags: 603 | - PGS9-00-003200 604 | - notimplemented 605 | 606 | 607 | - name: "MEDIUM | PGS9-00-003300 | Database software, including PostgreSQL configuration files, must be stored in dedicated directories separate from the host OS and other applications." 608 | block: 609 | - name: "MEDIUM | PGS9-00-003300 | AUDIT | Database software, including PostgreSQL configuration files, must be stored in dedicated directories separate from the host OS and other applications." 610 | shell: rpm -qla '*postg*' | xargs sh -c 'find $@ -maxdepth 0 -type d' | 611 | grep -P '^/(usr|opt).*/lib' | 612 | xargs sh -c 'find /etc/system-release $@ -exec rpm -qf --quiet {} \; -o -print' arg0 613 | args: 614 | warn: no 615 | register: pgs9_00_003300_audit 616 | check_mode: no 617 | changed_when: pgs9_00_003300_audit.stdout_lines | length > 0 618 | 619 | - name: "MEDIUM | PGS9-00-003300 | PATCH | Database software, including PostgreSQL configuration files, must be stored in dedicated directories separate from the host OS and other applications." 620 | debug: 621 | msg: | 622 | If any non-PostgreSQL software directories exist on the disk directory, examine or investigate their use. If any of the directories are used by other applications, including third-party applications that use the PostgreSQL, this is a finding. 623 | 624 | Only applications that are required for the functioning and administration, not use, of the PostgreSQL software library should be located in the same disk directory as the PostgreSQL software libraries. 625 | 626 | If other applications are located in the same directory as PostgreSQL, this is a finding. 
627 | 628 | ITEMS FOUND: 629 | {{ pgs9_00_003300_audit.stdout }} 630 | changed_when: yes 631 | when: pgs9_00_003300_audit is changed 632 | when: 633 | - pgs9_00_003300 634 | tags: 635 | - PGS9-00-003300 636 | 637 | 638 | - name: "MEDIUM | PGS9-00-003500 | PostgreSQL must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject." 639 | block: 640 | - name: "MEDIUM | PGS9-00-003500 | AUDIT | PostgreSQL must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject." 641 | command: "true" 642 | register: pgs9_00_003500_audit 643 | check_mode: no 644 | changed_when: no 645 | with_items: 646 | - not implemented 647 | - name: "MEDIUM | PGS9-00-003500 | PATCH | PostgreSQL must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject." 648 | command: "true" 649 | changed_when: no 650 | with_items: 651 | - not implemented 652 | when: 653 | - pgs9_00_003500 654 | tags: 655 | - PGS9-00-003500 656 | - notimplemented 657 | 658 | - name: "MEDIUM | PGS9-00-003600 | Execution of software modules (to include functions and trigger procedures) with elevated privileges must be restricted to necessary cases only." 659 | block: 660 | - name: "MEDIUM | PGS9-00-003600 | AUDIT | Execution of software modules (to include functions and trigger procedures) with elevated privileges must be restricted to necessary cases only." 661 | command: "true" 662 | register: pgs9_00_003600_audit 663 | check_mode: no 664 | changed_when: no 665 | with_items: 666 | - not implemented 667 | - name: "MEDIUM | PGS9-00-003600 | PATCH | Execution of software modules (to include functions and trigger procedures) with elevated privileges must be restricted to necessary cases only." 
668 | command: "true" 669 | changed_when: no 670 | with_items: 671 | - not implemented 672 | when: 673 | - pgs9_00_003600 674 | tags: 675 | - PGS9-00-003600 676 | - notimplemented 677 | 678 | - name: "MEDIUM | PGS9-00-003700 | When invalid inputs are received, PostgreSQL must behave in a predictable and documented manner that reflects organizational and system objectives." 679 | debug: 680 | msg: | 681 | Review system documentation to determine how input errors from application to PostgreSQL are to be handled in general and if any special handling is defined for specific circumstances. 682 | 683 | If it does not implement the documented behavior, this is a finding. 684 | changed_when: 685 | - pgs9stig_warn_docs 686 | - not pgs9stig_doc_003700 687 | tags: 688 | - PGS9-00-003700 689 | 690 | - name: "MEDIUM | PGS9-00-003800 | PostgreSQL must utilize centralized management of the content captured in audit records generated by all components of PostgreSQL." 691 | debug: 692 | msg: "If PostgreSQL audit records are not written directly to or systematically transferred to a centralized log management system, this is a finding." 693 | changed_when: 694 | - pgs9stig_warn_manual 695 | - not pgs9stig_manual_003800 696 | when: 697 | - pgs9_00_003800 698 | tags: 699 | - PGS9-00-003800 700 | 701 | - name: "MEDIUM | PGS9-00-004000 | PostgreSQL must isolate security functions from non-security functions." 702 | block: 703 | - name: "MEDIUM | PGS9-00-004000 | AUDIT | PostgreSQL must isolate security functions from non-security functions." 704 | command: "true" 705 | register: pgs9_00_004000_audit 706 | check_mode: no 707 | changed_when: no 708 | with_items: 709 | - not implemented 710 | - name: "MEDIUM | PGS9-00-004000 | PATCH | PostgreSQL must isolate security functions from non-security functions." 
711 | command: "true" 712 | changed_when: no 713 | with_items: 714 | - not implemented 715 | when: 716 | - pgs9_00_004000 717 | tags: 718 | - PGS9-00-004000 719 | - notimplemented 720 | 721 | 722 | - name: "MEDIUM | PGS9-00-004100 | PostgreSQL must produce audit records of its enforcement of access restrictions associated with changes to the configuration of PostgreSQL or database(s)." 723 | block: 724 | - name: "MEDIUM | PGS9-00-004100 | AUDIT | PostgreSQL must produce audit records of its enforcement of access restrictions associated with changes to the configuration of PostgreSQL or database(s)." 725 | debug: 726 | msg: "All denials are logged if logging is enabled. Logging is configured in PRELIM." 727 | 728 | - name: "MEDIUM | PGS9-00-004100 | PATCH | PostgreSQL must produce audit records of its enforcement of access restrictions associated with changes to the configuration of PostgreSQL or database(s)." 729 | file: 730 | path: "{{ pgs9stig_pgdata }}/postgresql.conf" 731 | mode: u+rw 732 | owner: "{{ pgs9stig_postgres_user }}" 733 | group: "{{ pgs9stig_postgres_user }}" 734 | when: 735 | - pgs9_00_004100 736 | tags: 737 | - PGS9-00-004100 738 | 739 | 740 | - name: "MEDIUM | PGS9-00-004200 | The audit information produced by PostgreSQL must be protected from unauthorized read access." 741 | debug: 742 | msg: "If PostgreSQL is configured to use syslog for logging, consult organization location and permissions for syslog log files." 743 | changed_when: 744 | - pgs9stig_warn_manual 745 | - not pgs9stig_manual_004200 746 | when: 747 | - pgs9_00_004200 748 | - pgs9stig_log_destination == 'syslog' 749 | - not pgs9stig_with_rsyslog 750 | tags: 751 | - PGS9-00-004200 752 | 753 | - name: "MEDIUM | PGS9-00-004200 | The audit information produced by PostgreSQL must be protected from unauthorized read access." 754 | block: 755 | - name: "MEDIUM | PGS9-00-004200 | AUDIT | The audit information produced by PostgreSQL must be protected from unauthorized read access." 
756 | find: 757 | path: "{{ pgs9stig_log_directory }}" 758 | register: pgs9_00_004200_audit 759 | changed_when: pgs9_00_004200_audit.files | length == 0 760 | 761 | - name: "MEDIUM | PGS9-00-004200 | PATCH | The audit information produced by PostgreSQL must be protected from unauthorized read access." 762 | debug: 763 | msg: | 764 | "If logs with 600 permissions do not exist in log_destination, this is a finding." 765 | 766 | NO FILES FOUND IN {{ pgs9stig_log_directory }} 767 | changed_when: yes 768 | when: pgs9_00_004200_audit is changed 769 | when: 770 | - pgs9_00_004200 771 | - pgs9stig_log_destination == 'stderr' 772 | tags: 773 | - PGS9-00-004200 774 | 775 | 776 | - name: "MEDIUM | PGS9-00-004300 | When updates are applied to PostgreSQL software, any software components that have been replaced or made unnecessary must be removed." 777 | block: 778 | - name: "MEDIUM | PGS9-00-004300 | AUDIT | When updates are applied to PostgreSQL software, any software components that have been replaced or made unnecessary must be removed." 779 | command: rpm -qa *postgres*-server 780 | args: 781 | warn: no 782 | register: pgs9_00_004300_audit 783 | check_mode: no 784 | changed_when: pgs9_00_004300_audit.stdout_lines | length > 1 785 | 786 | - name: "MEDIUM | PGS9-00-004300 | PATCH | When updates are applied to PostgreSQL software, any software components that have been replaced or made unnecessary must be removed." 787 | debug: 788 | msg: | 789 | If multiple versions of postgres are installed but are unused, this is a finding. 790 | 791 | VERSIONS FOUND INSTALLED: 792 | {{ pgs9_00_004300_audit.stdout }} 793 | changed_when: yes 794 | when: pgs9_00_004300_audit is changed 795 | when: 796 | - pgs9_00_004300 797 | - not pgs9stig_multiple_versions_in_use 798 | tags: 799 | - PGS9-00-004300 800 | 801 | 802 | - name: "MEDIUM | PGS9-00-004400 | PostgreSQL must generate audit records when categorized information (e.g., classification levels/security levels) is accessed." 
803 | debug: 804 | msg: | 805 | pgaudit is configured in PRELIM 806 | {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }} 807 | changed_when: 808 | - not pgs9stig_configure_pgaudit 809 | - pgs9stig_warn_finding 810 | when: 811 | - pgs9_00_004400 812 | tags: 813 | - PGS9-00-004400 814 | 815 | - name: "MEDIUM | PGS9-00-004500 | PostgreSQL must generate audit records when unsuccessful attempts to access security objects occur." 816 | debug: 817 | msg: "All denials are logged if logging is enabled. Logging is configured in PRELIM." 818 | when: 819 | - pgs9_00_004500 820 | tags: 821 | - PGS9-00-004500 822 | 823 | - name: | 824 | "MEDIUM | PGS9-00-004600 PGS9-00-004700 | PostgreSQL must generate audit records when unsuccessful logons or connection attempts occur." 825 | "MEDIUM | PGS9-00-005100 | PostgreSQL must generate audit records when successful logons or connections occur." 826 | "MEDIUM | PGS9-00-006200 | PostgreSQL must generate audit records when concurrent logons/connections by the same user from different workstations occur." 827 | "MEDIUM | PGS9-00-010400 | PostgreSQL must produce audit records containing sufficient information to establish what type of events occurred." 828 | lineinfile: 829 | path: "{{ pgs9stig_pgdata }}/postgresql.conf" 830 | module_defaults: "{{ pgs9stig_lineinfile }}" 831 | notify: reload postgres 832 | with_items: 833 | - key: log_connections 834 | value: "on" 835 | - key: log_line_prefix 836 | value: "{{ pgs9stig_log_line_prefix }}" 837 | when: 838 | - pgs9_00_004600 or 839 | pgs9_00_004700 or 840 | pgs9_00_005100 or 841 | pgs9_00_006200 or 842 | pgs9_00_010400 or 843 | false 844 | tags: 845 | - PGS9-00-004600 846 | - PGS9-00-004700 847 | - PGS9-00-005100 848 | - PGS9-00-006200 849 | - PGS9-00-010400 850 | 851 | - name: | 852 | "MEDIUM | PGS9-00-004700 | PostgreSQL must generate audit records showing starting and ending time for user access to the database(s)." 
      "MEDIUM | PGS9-00-006200 | PostgreSQL must generate audit records when concurrent logons/connections by the same user from different workstations occur."
      "MEDIUM | PGS9-00-010400 | PostgreSQL must produce audit records containing sufficient information to establish what type of events occurred."
  lineinfile:
      path: "{{ pgs9stig_pgdata }}/postgresql.conf"
  # Task-level keyword: pgs9stig_lineinfile (vars/main.yml, not visible here)
  # presumably maps item.key / item.value onto lineinfile's regexp / line --
  # confirm against the vars file.
  module_defaults: "{{ pgs9stig_lineinfile }}"
  # Session-end logging is picked up on a config reload; no restart needed.
  notify: reload postgres
  with_items:
      - key: log_disconnections
        value: "on"
  # One task serves three STIG IDs: run when any of them is enabled.
  when:
      - pgs9_00_004700 or
        pgs9_00_006200 or
        pgs9_00_010400 or
        false
  tags:
      - PGS9-00-004700
      - PGS9-00-006200
      - PGS9-00-010400

# Informational only: the control is satisfied by the logging set up in PRELIM.
- name: "MEDIUM | PGS9-00-004800 | PostgreSQL must generate audit records when unsuccessful attempts to modify security objects occur."
  debug:
      msg: "Unsuccessful attempts to modifying security objects can be logged if logging is enabled. Logging is configured in PRELIM."
  when:
      - pgs9_00_004800
  tags:
      - PGS9-00-004800

# pgaudit-backed controls: nothing is configured here (pgaudit is set up in
# PRELIM). The task reports "changed" -- i.e. surfaces a finding -- only when
# pgaudit configuration was deselected AND finding warnings are enabled
# (changed_when entries are ANDed).
- name: "MEDIUM | PGS9-00-004900 | PostgreSQL must generate audit records when privileges/permissions are added."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_004900
  tags:
      - PGS9-00-004900

- name: "MEDIUM | PGS9-00-005000 | PostgreSQL must generate audit records when unsuccessful attempts to delete categorized information (e.g., classification levels/security levels) occur."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_005000
  tags:
      - PGS9-00-005000

- name: "MEDIUM | PGS9-00-005200 | PostgreSQL must generate audit records when security objects are deleted."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_005200
  tags:
      - PGS9-00-005200

- name: "MEDIUM | PGS9-00-005300 | PostgreSQL must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur."
  debug:
      msg: "All denials are logged if logging is enabled. Logging is configured in PRELIM."
  when:
      - pgs9_00_005300
  tags:
      - PGS9-00-005300

- name: "MEDIUM | PGS9-00-005400 | PostgreSQL must generate audit records when unsuccessful attempts to delete privileges/permissions occur."
  debug:
      msg: "All denials are logged if logging is enabled. Logging is configured in PRELIM."
  when:
      - pgs9_00_005400
  tags:
      - PGS9-00-005400

- name: "MEDIUM | PGS9-00-005500 | PostgreSQL must be able to generate audit records when privileges/permissions are retrieved."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_005500
  tags:
      - PGS9-00-005500

- name: "MEDIUM | PGS9-00-005600 | PostgreSQL must generate audit records when unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_005600
  tags:
      - PGS9-00-005600

- name: "MEDIUM | PGS9-00-005700 | PostgreSQL must generate audit records when unsuccessful accesses to objects occur."
  debug:
      msg: "All errors and denials are logged if logging is enabled. Logging is configured in PRELIM."
  when:
      - pgs9_00_005700
  tags:
      - PGS9-00-005700

# Placeholder for a control that has no automation yet: both phases run "true"
# and never report a change. The "notimplemented" tag lets such items be
# skipped or selected as a group.
- name: "MEDIUM | PGS9-00-005800 | PostgreSQL must generate audit records for all privileged activities or other system-level access."
  block:
      - name: "MEDIUM | PGS9-00-005800 | AUDIT | PostgreSQL must generate audit records for all privileged activities or other system-level access."
        command: "true"
        register: pgs9_00_005800_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-005800 | PATCH | PostgreSQL must generate audit records for all privileged activities or other system-level access."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_005800
  tags:
      - PGS9-00-005800
      - notimplemented

- name: "MEDIUM | PGS9-00-005900 | PostgreSQL must generate audit records when unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_005900
  tags:
      - PGS9-00-005900

- name: "MEDIUM | PGS9-00-006000 | PostgreSQL must be able to generate audit records when security objects are accessed."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_006000
  tags:
      - PGS9-00-006000

- name: "MEDIUM | PGS9-00-006100 | PostgreSQL must generate audit records when privileges/permissions are deleted."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_006100
  tags:
      - PGS9-00-006100

- name: "MEDIUM | PGS9-00-006300 | PostgreSQL must generate audit records when unsuccessful attempts to delete security objects occur."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_006300
  tags:
      - PGS9-00-006300

- name: "MEDIUM | PGS9-00-006400 | PostgreSQL must generate audit records when privileges/permissions are modified."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_006400
  tags:
      - PGS9-00-006400

# Documentation control: flagged as a finding (reported "changed") when doc
# warnings are on and the operator has not attested pgs9stig_doc_006500.
- name: "MEDIUM | PGS9-00-006500 | PostgreSQL must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur."
  debug:
      msg: |
          "System documentation should include a definition of the functionality considered privileged."
          "All denials are logged by default if logging is enabled."
          Logging is configured in PRELIM.
  changed_when:
      - pgs9stig_warn_docs
      - not pgs9stig_doc_006500
  when:
      - pgs9_00_006500
  tags:
      - PGS9-00-006500

- name: "MEDIUM | PGS9-00-006600 | PostgreSQL must generate audit records when security objects are modified."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_006600
  tags:
      - PGS9-00-006600

- name: "MEDIUM | PGS9-00-006700 | PostgreSQL must generate audit records when categorized information (e.g., classification levels/security levels) is modified."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_006700
  tags:
      - PGS9-00-006700

- name: "MEDIUM | PGS9-00-006800 | PostgreSQL must generate audit records when unsuccessful attempts to modify privileges/permissions occur."
  debug:
      msg: "All denials are logged by default if logging is enabled. Logging is configured in PRELIM."
  when:
      - pgs9_00_006800
  tags:
      - PGS9-00-006800

- name: "MEDIUM | PGS9-00-006900 | PostgreSQL must generate audit records when unsuccessful attempts to add privileges/permissions occur."
  debug:
      msg: "All denials are logged by default if logging is enabled. Logging is configured in PRELIM."
  when:
      - pgs9_00_006900
  tags:
      - PGS9-00-006900

# Not implemented: certificate path validation is left to the operator.
- name: "MEDIUM | PGS9-00-007000 | PostgreSQL, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation."
  block:
      - name: "MEDIUM | PGS9-00-007000 | AUDIT | PostgreSQL, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation."
# (continuation of the PGS9-00-007000 placeholder block opened above)
        command: "true"
        register: pgs9_00_007000_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-007000 | PATCH | PostgreSQL, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_007000
  tags:
      - PGS9-00-007000
      - notimplemented

# Enables TLS for client connections. PostgreSQL will not start with ssl=on
# unless the server certificate and key are present, and this task notifies a
# *restart*, so the certificate must already be provisioned -- presumably in
# PRELIM; confirm before enabling pgs9_00_007200 on a host without one.
- name: "MEDIUM | PGS9-00-007200 | PostgreSQL must maintain the confidentiality and integrity of information during preparation for transmission."
  lineinfile:
      path: "{{ pgs9stig_pgdata }}/postgresql.conf"
  module_defaults: "{{ pgs9stig_lineinfile }}"
  notify: restart postgres
  with_items:
      - key: ssl
        value: "on"
  when:
      - pgs9_00_007200
  tags:
      - PGS9-00-007200

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-007400 | PostgreSQL must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components."
  block:
      - name: "MEDIUM | PGS9-00-007400 | AUDIT | PostgreSQL must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components."
        command: "true"
        register: pgs9_00_007400_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-007400 | PATCH | PostgreSQL must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_007400
  tags:
      - PGS9-00-007400
      - notimplemented

# Three STIG IDs share the log_line_prefix setting (where / when / who of an
# event); the prefix itself comes from pgs9stig_log_line_prefix.
- name: |
      "MEDIUM | PGS9-00-007100 | PostgreSQL must produce audit records containing sufficient information to establish where the events occurred."
      "MEDIUM | PGS9-00-007700 | PostgreSQL must generate time stamps, for audit records and application data, with a minimum granularity of one second."
      "MEDIUM | PGS9-00-007800 | PostgreSQL must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event."
  lineinfile:
      path: "{{ pgs9stig_pgdata }}/postgresql.conf"
  module_defaults: "{{ pgs9stig_lineinfile }}"
  notify: reload postgres
  with_items:
      - key: log_line_prefix
        value: "{{ pgs9stig_log_line_prefix }}"
  when:
      - pgs9_00_007100 or
        pgs9_00_007700 or
        pgs9_00_007800 or
        false
  tags:
      - PGS9-00-007100
      - PGS9-00-007700
      - PGS9-00-007800

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-008100 | PostgreSQL must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements."
  block:
      - name: "MEDIUM | PGS9-00-008100 | AUDIT | PostgreSQL must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements."
        command: "true"
        register: pgs9_00_008100_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-008100 | PATCH | PostgreSQL must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_008100
  tags:
      - PGS9-00-008100
      - notimplemented

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-008300 | PostgreSQL must protect the confidentiality and integrity of all information at rest."
  block:
      - name: "MEDIUM | PGS9-00-008300 | AUDIT | PostgreSQL must protect the confidentiality and integrity of all information at rest."
        command: "true"
        register: pgs9_00_008300_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-008300 | PATCH | PostgreSQL must protect the confidentiality and integrity of all information at rest."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_008300
  tags:
      - PGS9-00-008300
      - notimplemented

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-008400 | PostgreSQL must prohibit user installation of logic modules (functions, trigger procedures, views, etc.) without explicit privileged status."
  block:
      - name: "MEDIUM | PGS9-00-008400 | AUDIT | PostgreSQL must prohibit user installation of logic modules (functions, trigger procedures, views, etc.) without explicit privileged status."
        command: "true"
        register: pgs9_00_008400_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-008400 | PATCH | PostgreSQL must prohibit user installation of logic modules (functions, trigger procedures, views, etc.) without explicit privileged status."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_008400
  tags:
      - PGS9-00-008400
      - notimplemented

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-008500 | PostgreSQL must separate user functionality (including user interface services) from database management functionality."
  block:
      - name: "MEDIUM | PGS9-00-008500 | AUDIT | PostgreSQL must separate user functionality (including user interface services) from database management functionality."
        command: "true"
        register: pgs9_00_008500_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-008500 | PATCH | PostgreSQL must separate user functionality (including user interface services) from database management functionality."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_008500
  tags:
      - PGS9-00-008500
      - notimplemented

# Session auditing is provided by pgaudit (PRELIM); reports a finding only when
# pgaudit was deselected and finding warnings are enabled.
- name: "MEDIUM | PGS9-00-008600 | PostgreSQL must initiate session auditing upon startup."
  debug:
      msg: |
          "Using pgaudit PostgreSQL can be configured to audit various facets of PostgreSQL."
          "All errors, denials and unsuccessful requests are logged if logging is enabled."
          Logging and pgaudit are configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_008600
  tags:
      - PGS9-00-008600

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-008700 | PostgreSQL must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components."
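# (continuation of the PGS9-00-008700 placeholder task opened above)
  block:
      - name: "MEDIUM | PGS9-00-008700 | AUDIT | PostgreSQL must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components."
        command: "true"
        register: pgs9_00_008700_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-008700 | PATCH | PostgreSQL must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_008700
  tags:
      - PGS9-00-008700
      - notimplemented

# Records the client origin of every event. log_line_prefix and log_hostname
# are both reload-time (SIGHUP) settings, and log_line_prefix is applied with
# "reload postgres" everywhere else in this file, so notify a reload: the
# previous restart dropped all client sessions for no benefit.
# log_hostname adds a reverse-DNS lookup per connection; check that resolver
# latency is acceptable on busy hosts.
- name: "MEDIUM | PGS9-00-008800 | PostgreSQL must produce audit records containing sufficient information to establish the sources (origins) of the events."
  lineinfile:
      path: "{{ pgs9stig_pgdata }}/postgresql.conf"
  module_defaults: "{{ pgs9stig_lineinfile }}"
  notify: reload postgres
  with_items:
      - key: log_line_prefix
        value: "{{ pgs9stig_log_line_prefix }}"
      - key: log_hostname
        value: "on"
  when:
      - pgs9_00_008800
  tags:
      - PGS9-00-008800

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-008900 | Unused database components, PostgreSQL software, and database objects must be removed."
  block:
      - name: "MEDIUM | PGS9-00-008900 | AUDIT | Unused database components, PostgreSQL software, and database objects must be removed."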
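# (continuation of the PGS9-00-008900 placeholder block opened above)
        command: "true"
        register: pgs9_00_008900_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-008900 | PATCH | Unused database components, PostgreSQL software, and database objects must be removed."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_008900
  tags:
      - PGS9-00-008900
      - notimplemented

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-009100 | Access to external executables must be disabled or restricted."
  block:
      - name: "MEDIUM | PGS9-00-009100 | AUDIT | Access to external executables must be disabled or restricted."
        command: "true"
        register: pgs9_00_009100_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-009100 | PATCH | Access to external executables must be disabled or restricted."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_009100
  tags:
      - PGS9-00-009100
      - notimplemented

# TODO: give this distruption-high treatment
# Removes postgres-related packages that neither the role installs nor another
# package needs: every installed *postgres* package is compared with the ones
# yumdb already records as dependencies and with the role's own package lists;
# the remainder is re-marked as a dependency and "yum autoremove" then drops
# whatever nothing requires. autoremove is system-wide, so it also removes any
# unrelated package that was already autoremovable on the host.
- name: "MEDIUM | PGS9-00-009200 | Unused database components which are integrated in PostgreSQL and cannot be uninstalled must be disabled."
  block:
      - name: "MEDIUM | PGS9-00-009200 | AUDIT | Unused database components which are integrated in PostgreSQL and cannot be uninstalled must be disabled."
        # command (no shell): rpm expands the *postgres* pattern itself.
        command: rpm -qa *postgres* --qf='%{name}\n'
        args:
            warn: no
        register: pgs9_00_009200_audit_installed
        check_mode: no
        changed_when: no

      - name: "MEDIUM | PGS9-00-009200 | AUDIT | Unused database components which are integrated in PostgreSQL and cannot be uninstalled must be disabled."
        # pipefail: without it a failing yumdb (e.g. yum-utils not installed)
        # yielded an empty dependency list, and the PATCH below then treated
        # every *postgres* package outside the role's lists as unneeded.
        # "grep ... || [ $? -eq 1 ]" keeps grep's no-match status from tripping
        # pipefail (an empty list is a valid result); "xargs -r" skips rpm -q,
        # which errors when invoked without package names, for an empty list.
        shell: set -o pipefail; yumdb search reason dep | { grep postgres || [ $? -eq 1 ]; } | xargs -r rpm -q --qf='%{name}\n'
        args:
            executable: /bin/bash
        register: pgs9_00_009200_audit_dep
        check_mode: no
        changed_when: no

      - name: "MEDIUM | PGS9-00-009200 | PATCH | Unused database components which are integrated in PostgreSQL and cannot be uninstalled must be disabled."
        # Mark as "dep" only packages that are installed, not already recorded
        # as dependencies, and not part of the role's own package lists.
        command: yumdb set reason dep {{ item }}
        register: pgs9_00_009200_audit_unneeded
        with_items: "{{ pgs9_00_009200_audit_installed.stdout_lines |
                        difference(pgs9_00_009200_audit_dep.stdout_lines) |
                        difference(pgs9stig_postgres_packages + pgs9stig_pgaudit_packages ) }}"

      - name: "MEDIUM | PGS9-00-009200 | PATCH | Unused database components which are integrated in PostgreSQL and cannot be uninstalled must be disabled."
        # Runs in check mode too (check_mode: no), but without -y, so yum only
        # lists what it would remove; presumably it then exits non-zero for
        # lack of confirmation, which failed_when tolerates in check mode only.
        command: yum autoremove{{ ansible_check_mode | ternary('', ' -y') }}
        check_mode: no
        args:
            warn: no
        register: pgs9_00_009200_patch
        changed_when:
            - >-
              "No Packages marked for removal" not in pgs9_00_009200_patch.stdout or
              pgs9_00_009200_audit_unneeded.results | length > 0
        failed_when:
            - pgs9_00_009200_patch is failed
            - not ansible_check_mode
  when:
      - pgs9_00_009200
      - ansible_pkg_mgr == 'yum'
  tags:
      - PGS9-00-009200


# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-009400 | PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in process."
  block:
      - name: "MEDIUM | PGS9-00-009400 | AUDIT | PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in process."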
# (continuation of the PGS9-00-009400 placeholder block opened above)
        command: "true"
        register: pgs9_00_009400_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-009400 | PATCH | PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in process."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_009400
  tags:
      - PGS9-00-009400
      - notimplemented

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-009500 | If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords."
  block:
      - name: "MEDIUM | PGS9-00-009500 | AUDIT | If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords."
        command: "true"
        register: pgs9_00_009500_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-009500 | PATCH | If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_009500
  tags:
      - PGS9-00-009500
      - notimplemented

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-009600 | PostgreSQL must enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s)."
  block:
      - name: "MEDIUM | PGS9-00-009600 | AUDIT | PostgreSQL must enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s)."
        command: "true"
        register: pgs9_00_009600_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-009600 | PATCH | PostgreSQL must enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s)."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_009600
  tags:
      - PGS9-00-009600
      - notimplemented

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-009700 | PostgreSQL must protect against a user falsely repudiating having performed organization-defined actions."
  block:
      - name: "MEDIUM | PGS9-00-009700 | AUDIT | PostgreSQL must protect against a user falsely repudiating having performed organization-defined actions."
        command: "true"
        register: pgs9_00_009700_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-009700 | PATCH | PostgreSQL must protect against a user falsely repudiating having performed organization-defined actions."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_009700
  tags:
      - PGS9-00-009700
      - notimplemented


# Session capture: logs session start and end (reload-time settings); the
# content of the session itself relies on pgaudit from PRELIM.
- name: "MEDIUM | PGS9-00-009800 | PostgreSQL must provide the capability for authorized users to capture, record, and log all content related to a user session."
  block:
      - name: "MEDIUM | PGS9-00-009800 | PATCH | PostgreSQL must provide the capability for authorized users to capture, record, and log all content related to a user session."
        lineinfile:
            path: "{{ pgs9stig_pgdata }}/postgresql.conf"
        module_defaults: "{{ pgs9stig_lineinfile }}"
        notify: reload postgres
        with_dict:
            log_connections: "on"
            log_disconnections: "on"

      - name: "MEDIUM | PGS9-00-009800 | AUDIT | PostgreSQL must provide the capability for authorized users to capture, record, and log all content related to a user session."
        debug:
            msg: |
                pgaudit is configured in PRELIM
                {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
        changed_when:
            - not pgs9stig_configure_pgaudit
            - pgs9stig_warn_finding
  when:
      - pgs9_00_009800
  tags:
      - PGS9-00-009800


# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-009900 | The system must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity."
  block:
      - name: "MEDIUM | PGS9-00-009900 | AUDIT | The system must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity."
        command: "true"
        register: pgs9_00_009900_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-009900 | PATCH | The system must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_009900
  tags:
      - PGS9-00-009900
      - notimplemented

# pgaudit-backed control (configured in PRELIM); a finding is reported only
# when pgaudit was deselected and finding warnings are enabled.
- name: "MEDIUM | PGS9-00-010000 | PostgreSQL must provide the means for individuals in authorized roles to change the auditing to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds."
  debug:
      msg: |
          pgaudit is configured in PRELIM
          {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
  changed_when:
      - not pgs9stig_configure_pgaudit
      - pgs9stig_warn_finding
  when:
      - pgs9_00_010000
  tags:
      - PGS9-00-010000

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-010100 | PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication."
  block:
      - name: "MEDIUM | PGS9-00-010100 | AUDIT | PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication."
        command: "true"
        register: pgs9_00_010100_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-010100 | PATCH | PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_010100
  tags:
      - PGS9-00-010100
      - notimplemented

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-010300 | PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions."
  block:
      - name: "MEDIUM | PGS9-00-010300 | AUDIT | PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions."
        command: "true"
        register: pgs9_00_010300_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-010300 | PATCH | PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_010300
  tags:
      - PGS9-00-010300
      - notimplemented

# Documentation control: reported as a finding while doc warnings are on and
# pgs9stig_doc_010400 has not been attested.
- name: "MEDIUM | PGS9-00-010400 | PostgreSQL must produce audit records containing sufficient information to establish what type of events occurred."
  debug:
      msg: |
          "Verify that the current settings are appropriate for the organization." for log_line_prefix
          "If the audit record does not log events required by the organization, this is a finding."
  changed_when:
      - pgs9stig_warn_docs
      - not pgs9stig_doc_010400
  when:
      - pgs9_00_010400
  tags:
      - PGS9-00-010400

# Placeholder (no automation yet); see the notimplemented tag.
- name: "MEDIUM | PGS9-00-010500 | PostgreSQL must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components."
  block:
      - name: "MEDIUM | PGS9-00-010500 | AUDIT | PostgreSQL must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components."
        command: "true"
        register: pgs9_00_010500_audit
        check_mode: no
        changed_when: no
        with_items:
            - not implemented
      - name: "MEDIUM | PGS9-00-010500 | PATCH | PostgreSQL must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components."
        command: "true"
        changed_when: no
        with_items:
            - not implemented
  when:
      - pgs9_00_010500
  tags:
      - PGS9-00-010500
      - notimplemented

# Bounds idle/dead sessions: statement_timeout aborts statements that run
# longer than the configured value (check it against legitimate long-running
# jobs), and the TCP keepalive settings let the server notice vanished
# clients. All values come from role variables.
- name: "MEDIUM | PGS9-00-010600 | PostgreSQL must invalidate session identifiers upon user logout or other session termination."
  lineinfile:
      path: "{{ pgs9stig_pgdata }}/postgresql.conf"
  module_defaults: "{{ pgs9stig_lineinfile }}"
  notify: reload postgres
  with_dict:
      statement_timeout: "{{ pgs9stig_statement_timeout }}"
      tcp_keepalives_idle: "{{ pgs9stig_tcp_keepalives_idle }}"
      tcp_keepalives_interval: "{{ pgs9stig_tcp_keepalives_interval }}"
      tcp_keepalives_count: "{{ pgs9stig_tcp_keepalives_count }}"
  when:
      - pgs9_00_010600
  tags:
      - PGS9-00-010600


# Ownership of the log and data directories is forced (recursively) to the
# postgres service account so that other local users cannot read or alter
# audit output.
- name: "MEDIUM | PGS9-00-010700 | PostgreSQL must protect its audit features from unauthorized access."
  block:
      - name: "MEDIUM | PGS9-00-010700 | PATCH | PostgreSQL must protect its audit features from unauthorized access."
        file:
            path: "{{ pgs9stig_log_directory }}"
            owner: "{{ pgs9stig_postgres_user }}"
            group: "{{ pgs9stig_postgres_user }}"
            recurse: yes

      - name: "MEDIUM | PGS9-00-010700 | PATCH | PostgreSQL must protect its audit features from unauthorized access."
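# (continuation of the PGS9-00-010700 block opened above)
        file:
            path: "{{ pgs9stig_pgdata }}"
            owner: "{{ pgs9stig_postgres_user }}"
            group: "{{ pgs9stig_postgres_user }}"
            recurse: yes

      - name: "MEDIUM | PGS9-00-010700 | AUDIT | PostgreSQL must protect its audit features from unauthorized access."
        # rpm -V prints a line for every packaged file whose metadata differs
        # from the package database (owner/mode, but also size/mtime of edited
        # config files), so any such drift triggers the reset below.
        command: rpm -V {{ pgs9stig_pgaudit_packages | join(" ") }}
        args:
            warn: no
        register: pgs9_00_010700_audit
        check_mode: no
        failed_when: no
        changed_when: pgs9_00_010700_audit.stdout != ""

      - name: "MEDIUM | PGS9-00-010700 | PATCH | PostgreSQL must protect its audit features from unauthorized access."
        # Restore packaged ownership and permissions of the pgaudit files.
        shell: rpm --setugids {{ pgs9stig_pgaudit_packages | join(" ") }} ; rpm --setperms {{ pgs9stig_pgaudit_packages | join(" ") }}
        args:
            warn: no
        when: pgs9_00_010700_audit is changed
  when:
      - pgs9_00_010700
  tags:
      - PGS9-00-010700


# Timestamps are part of pgs9stig_log_line_prefix; reload-time setting.
- name: "MEDIUM | PGS9-00-011100 | PostgreSQL must produce audit records containing time stamps to establish when the events occurred."
  lineinfile:
      path: "{{ pgs9stig_pgdata }}/postgresql.conf"
  module_defaults: "{{ pgs9stig_lineinfile }}"
  notify: reload postgres
  with_dict:
      log_line_prefix: "{{ pgs9stig_log_line_prefix }}"
  when:
      - pgs9_00_011100
  tags:
      - PGS9-00-011100


# Makes the package-owned bin/include/lib/share directories of the postgres
# packages root-owned so the service account cannot replace audit binaries.
- name: "MEDIUM | PGS9-00-011200 | PostgreSQL must protect its audit features from unauthorized removal."
  block:
      - name: "MEDIUM | PGS9-00-011200 | AUDIT | PostgreSQL must protect its audit features from unauthorized removal."
        # Quoted pattern: rpm expands '*postgres*' itself; unquoted, the shell
        # expanded it against the working directory first. The final grep exits
        # 1 when no directory matches, which is a valid empty result, so only
        # a real grep error (rc 2) fails the task.
        shell: rpm -qal '*postgres*' | grep /usr/ | grep -E '/(bin|include|lib|share)$'
        args:
            warn: no
        register: pgs9_00_011200_audit
        check_mode: no
        changed_when: no
        failed_when: pgs9_00_011200_audit.rc > 1

      - name: "MEDIUM | PGS9-00-011200 | PATCH | PostgreSQL must protect its audit features from unauthorized removal."
        file:
            path: "{{ item }}"
            owner: root
            group: root
        register: pgs9_00_011200_patch
        # A path listed by rpm but missing on disk is not treated as a failure.
        failed_when:
            - pgs9_00_011200_patch is failed
            # - pgs9_00_011200_patch.state != "absent"
            # workaround for https://github.com/ansible/ansible/issues/66171
            - >-
              " is absent, cannot continue" not in pgs9_00_011200_patch.msg
        with_items: "{{ pgs9_00_011200_audit.stdout_lines }}"
  # ansible_pkg_mgr holds values such as 'yum'/'dnf', never 'RedHat', so the
  # original condition could never be true and this block never ran; the OS
  # family is what the check was after (EL7 only).
  when:
      - pgs9_00_011200
      - ansible_distribution_major_version is version_compare('7', '==')
      - ansible_os_family == 'RedHat'
  tags:
      - PGS9-00-011200


# Off-loading: one automated check (log_destination must be syslog) plus two
# attestation prompts for facility mapping and for hosts without a continuous
# connection to the log collector.
- name: "MEDIUM | PGS9-00-011300 | PostgreSQL must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems."
  block:
      - name: "MEDIUM | PGS9-00-011300 | AUDIT | PostgreSQL must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems."
        debug:
            msg: |
                "If log_destination is not syslog, this is a finding."
                CURRENT LOG DESTINATION: {{ pgs9stig_log_destination }}
        changed_when:
            - pgs9stig_log_destination != 'syslog'
            - pgs9stig_warn_finding

      - name: "MEDIUM | PGS9-00-011300 | AUDIT | PostgreSQL must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems."
        debug:
            msg: |
                Check with the organization to see how syslog facilities are defined in their organization.
                If the wrong facility is configured, this is a finding.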
1722 | changed_when: 1723 | - pgs9stig_warn_docs 1724 | - not pgs9stig_doc_011300 1725 | 1726 | - name: "MEDIUM | PGS9-00-011300 | AUDIT | PostgreSQL must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems." 1727 | debug: 1728 | msg: | 1729 | If PostgreSQL does not have a continuous network connection to the centralized log management system, and PostgreSQL audit records are not transferred to the centralized log management system weekly or more often, this is a finding. 1730 | changed_when: 1731 | - pgs9stig_warn_manual 1732 | - not pgs9stig_manual_011300 1733 | when: 1734 | - pgs9_00_011300 1735 | tags: 1736 | - PGS9-00-011300 1737 | 1738 | - name: "MEDIUM | PGS9-00-011400 | PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values." 1739 | block: 1740 | - name: "MEDIUM | PGS9-00-011400 | AUDIT | PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values." 1741 | command: "true" 1742 | register: pgs9_00_011400_audit 1743 | check_mode: no 1744 | changed_when: no 1745 | with_items: 1746 | - not implemented 1747 | - name: "MEDIUM | PGS9-00-011400 | PATCH | PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values." 1748 | command: "true" 1749 | changed_when: no 1750 | with_items: 1751 | - not implemented 1752 | when: 1753 | - pgs9_00_011400 1754 | tags: 1755 | - PGS9-00-011400 1756 | - notimplemented 1757 | 1758 | - name: "MEDIUM | PGS9-00-011500 | PostgreSQL must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)." 
1759 | block: 1760 | - name: "MEDIUM | PGS9-00-011500 | AUDIT | PostgreSQL must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)." 1761 | command: "true" 1762 | register: pgs9_00_011500_audit 1763 | check_mode: no 1764 | changed_when: no 1765 | with_items: 1766 | - not implemented 1767 | - name: "MEDIUM | PGS9-00-011500 | PATCH | PostgreSQL must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)." 1768 | command: "true" 1769 | changed_when: no 1770 | with_items: 1771 | - not implemented 1772 | when: 1773 | - pgs9_00_011500 1774 | tags: 1775 | - PGS9-00-011500 1776 | - notimplemented 1777 | 1778 | - name: "MEDIUM | PGS9-00-011600 | PostgreSQL must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect." 1779 | block: 1780 | - name: "MEDIUM | PGS9-00-011600 | AUDIT | PostgreSQL must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect." 1781 | command: "true" 1782 | register: pgs9_00_011600_audit 1783 | check_mode: no 1784 | changed_when: no 1785 | with_items: 1786 | - not implemented 1787 | - name: "MEDIUM | PGS9-00-011600 | PATCH | PostgreSQL must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect." 1788 | command: "true" 1789 | changed_when: no 1790 | with_items: 1791 | - not implemented 1792 | when: 1793 | - pgs9_00_011600 1794 | tags: 1795 | - PGS9-00-011600 1796 | - notimplemented 1797 | 1798 | - name: "MEDIUM | PGS9-00-011800 | PostgreSQL must map the PKI-authenticated identity to an associated user account." 1799 | block: 1800 | - name: "MEDIUM | PGS9-00-011800 | AUDIT | PostgreSQL must map the PKI-authenticated identity to an associated user account." 
1801 | command: "true" 1802 | register: pgs9_00_011800_audit 1803 | check_mode: no 1804 | changed_when: no 1805 | with_items: 1806 | - not implemented 1807 | - name: "MEDIUM | PGS9-00-011800 | PATCH | PostgreSQL must map the PKI-authenticated identity to an associated user account." 1808 | command: "true" 1809 | changed_when: no 1810 | with_items: 1811 | - not implemented 1812 | when: 1813 | - pgs9_00_011800 1814 | tags: 1815 | - PGS9-00-011800 1816 | - notimplemented 1817 | 1818 | - name: "MEDIUM | PGS9-00-011900 | Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy." 1819 | block: 1820 | - name: "MEDIUM | PGS9-00-011900 | AUDIT | Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy." 1821 | command: "true" 1822 | register: pgs9_00_011900_audit 1823 | check_mode: no 1824 | changed_when: no 1825 | with_items: 1826 | - not implemented 1827 | - name: "MEDIUM | PGS9-00-011900 | PATCH | Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy." 1828 | command: "true" 1829 | changed_when: no 1830 | with_items: 1831 | - not implemented 1832 | when: 1833 | - pgs9_00_011900 1834 | tags: 1835 | - PGS9-00-011900 1836 | - notimplemented 1837 | 1838 | - name: "MEDIUM | PGS9-00-012000 | Access to database files must be limited to relevant processes and to authorized, administrative users." 1839 | file: 1840 | path: "{{ pgs9stig_pgdata }}" 1841 | mode: go-rwx 1842 | owner: "{{ pgs9stig_postgres_user }}" 1843 | group: "{{ pgs9stig_postgres_user }}" 1844 | recurse: yes 1845 | when: 1846 | - pgs9_00_012000 1847 | tags: 1848 | - PGS9-00-012000 1849 | 1850 | 1851 | - name: "MEDIUM | PGS9-00-012200 | PostgreSQL must protect its audit configuration from unauthorized modification." 
1852 | block: 1853 | - name: "MEDIUM | PGS9-00-012200 | PostgreSQL must protect its audit configuration from unauthorized modification." 1854 | file: 1855 | path: "{{ pgs9stig_pgdata }}" 1856 | mode: go-rwx 1857 | owner: "{{ pgs9stig_postgres_user }}" 1858 | group: "{{ pgs9stig_postgres_user }}" 1859 | recurse: yes 1860 | 1861 | - name: "MEDIUM | PGS9-00-012200 | PostgreSQL must protect its audit configuration from unauthorized modification." 1862 | lineinfile: 1863 | path: "{{ pgs9stig_pgdata }}/postgresql.conf" 1864 | module_defaults: "{{ pgs9stig_lineinfile }}" 1865 | notify: reload postgres 1866 | with_dict: 1867 | log_file_mode: "0600" 1868 | when: pgs9stig_log_destination == 'stderr' 1869 | 1870 | - name: "MEDIUM | PGS9-00-012200 | PostgreSQL must protect its audit configuration from unauthorized modification." 1871 | lineinfile: 1872 | path: "{{ pgs9stig_rsyslog_conf }}" 1873 | line: $umask 0077 1874 | insertbefore: BOF 1875 | notify: restart rsyslog 1876 | when: pgs9stig_with_rsyslog 1877 | 1878 | - name: "MEDIUM | PGS9-00-012200 | Verify log access on disk." 1879 | file: 1880 | path: "{{ pgs9stig_rsyslog_log_path }}" 1881 | mode: go-rwx 1882 | when: pgs9stig_with_rsyslog 1883 | 1884 | - name: "MEDIUM | PGS9-00-012200 | AUDIT | PostgreSQL must protect its audit configuration from unauthorized modification." 1885 | debug: 1886 | msg: "If PostgreSQL is configured to use syslog, verify that the logs are owned by root and have 0600 permissions. If they are not, this is a finding." 1887 | changed_when: 1888 | - pgs9stig_warn_manual 1889 | - not pgs9stig_manual_012200 1890 | when: 1891 | - pgs9stig_log_destination == 'syslog' 1892 | - not pgs9stig_with_rsyslog 1893 | when: 1894 | - pgs9_00_012200 1895 | tags: 1896 | - PGS9-00-012200 1897 | 1898 | 1899 | - name: "MEDIUM | PGS9-00-012500 | Audit records must be generated when categorized information (e.g., classification levels/security levels) is deleted." 
1900 | debug: 1901 | msg: | 1902 | pgaudit is configured in PRELIM 1903 | {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }} 1904 | changed_when: 1905 | - not pgs9stig_configure_pgaudit 1906 | - pgs9stig_warn_finding 1907 | when: 1908 | - pgs9_00_012500 1909 | tags: 1910 | - PGS9-00-012500 1911 | 1912 | - name: "MEDIUM | PGS9-00-012600 | PostgreSQL must generate audit records when successful accesses to objects occur." 1913 | debug: 1914 | msg: | 1915 | pgaudit is configured in PRELIM 1916 | {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }} 1917 | changed_when: 1918 | - not pgs9stig_configure_pgaudit 1919 | - pgs9stig_warn_finding 1920 | when: 1921 | - pgs9_00_012600 1922 | tags: 1923 | - PGS9-00-012600 1924 | 1925 | 1926 | - name: "MEDIUM | PGS9-00-012700 | PostgreSQL must generate audit records for all direct access to the database(s)." 1927 | block: 1928 | - name: "MEDIUM | PGS9-00-012700 | PATCH | PostgreSQL must generate audit records for all direct access to the database(s)." 1929 | lineinfile: 1930 | path: "{{ pgs9stig_pgdata }}/postgresql.conf" 1931 | module_defaults: "{{ pgs9stig_lineinfile }}" 1932 | notify: reload postgres 1933 | with_dict: 1934 | log_connections: "on" 1935 | log_disconnections: "on" 1936 | 1937 | - name: "MEDIUM | PGS9-00-012700 | AUDIT | PostgreSQL must generate audit records for all direct access to the database(s)." 
# Body of the PGS9-00-012700 AUDIT task (its `- name:` line is the last line of the previous
# chunk): reported as changed only when pgaudit configuration was switched off and finding
# warnings are enabled, so the gap shows up in the play recap.
        debug:
            msg: |
                pgaudit is configured in PRELIM
                {{ pgs9stig_configure_pgaudit | ternary('', 'WARNING: pgaudit configuration was not selected') }}
        changed_when:
            - not pgs9stig_configure_pgaudit
            - pgs9stig_warn_finding
  when:
      - pgs9_00_012700
  tags:
      - PGS9-00-012700

--------------------------------------------------------------------------------
/tasks/cat3.yml:
--------------------------------------------------------------------------------
---
#DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
#
#This material is based upon work supported by the Department of the Air Force and MISSILE DEFENSE AGENCY under Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of the Air Force and MISSILE DEFENSE AGENCY.
#
#© 2019 Massachusetts Institute of Technology.
#
#The software/firmware is provided to you on an As-Is basis
#
#Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.

# Placeholder: an empty task file would make Ansible warn, and this role has no CAT 3 items.
- name: prevent ansible warnings of empty file
  debug:
      msg: "There are currently no CAT3 STIG items for PGS9-STIG"
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
#DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
#
#This material is based upon work supported by the Department of the Air Force and MISSILE DEFENSE AGENCY under Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of the Air Force and MISSILE DEFENSE AGENCY.
#
#© 2019 Massachusetts Institute of Technology.
#
#The software/firmware is provided to you on an As-Is basis
#
#Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.

# Role entry point. prelim.yml is imported unconditionally and its install/initdb/PGDATA-discovery
# tasks are tagged `always`, so PostgreSQL gets installed and started even on a tag-limited or
# audit-only run of this role. The three category files are gated by the pgs9stig_cat* switches
# (defaults/main.yml) and tagged so a run can be limited to one severity.
- name: import preliminary tasks
  import_tasks: prelim.yml

- name: Include CAT 1 patches
  import_tasks: cat1.yml
  when: pgs9stig_cat1
  tags:
      - cat1
      - high

- name: Include CAT 2 patches
  import_tasks: cat2.yml
  when: pgs9stig_cat2
  tags:
      - cat2
      - medium

- name: Include CAT 3 patches
  import_tasks: cat3.yml
  when: pgs9stig_cat3
  tags:
      - cat3
      - low
--------------------------------------------------------------------------------
/tasks/prelim.yml:
--------------------------------------------------------------------------------
---
#DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
#
#This material is based upon work supported by the Department of the Air Force and MISSILE DEFENSE AGENCY under Air Force Contract No. FA8702-15-D-0001.
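# Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of the Air Force and MISSILE DEFENSE AGENCY.
#
#© 2019 Massachusetts Institute of Technology.
#
#The software/firmware is provided to you on an As-Is basis
#
#Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.

# Facts for the CAT 1 boot-partition checks (PGS9-00-008000/008200 live in cat1.yml, not in this
# chunk). Only the mounts subset is gathered, and only when the play has not already got it.
- name: "PRELIM | Gather mount information"
  setup:
      gather_subset: hardware,!all,!min
      filter: ansible_mounts
  when:
      - ansible_mounts is not defined
      - pgs9_00_008000 or
        pgs9_00_008200
  tags:
      - cat1
      - high
      - PGS9-00-008000
      - PGS9-00-008200

# NOTE(review): the RHEL-07-* identifiers in this name look inherited from the RHEL 7 STIG role
# this was derived from; the registered stat is presumably consumed by the 008000/008200 tasks.
- name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | RHEL-07-021700 | Check whether machine is UEFI-based"
  stat:
      path: /sys/firmware/efi
  register: pgs9_00_sys_firmware_efi
  when:
      - pgs9_00_008000 or
        pgs9_00_008200
  tags:
      - cat1
      - high
      - PGS9-00-008000
      - PGS9-00-008200

# Mount point that holds /boot (last line of `df --output=target`), for the same checks.
- name: "PRELIM | PGS9-00-008000 | Check if /boot or /boot/efi reside on separate partitions"
  shell: df --output=target /boot | tail -n 1
  changed_when: no
  check_mode: no
  register: pgs9_00_boot_part
  when:
      - pgs9_00_008000 or
        pgs9_00_008200
  tags:
      - cat1
      - high
      - PGS9-00-008000
      - PGS9-00-008200


# Install-if-missing. The block tries to start the service; when that fails (normally because
# the unit does not exist yet) the rescue enables the AppStream module (EL8+), installs the
# packages, initializes the cluster and starts the service. Tagged `always`, so this runs for
# every invocation of the role, including tag-limited audits.
# NOTE(review): any other start failure - a present but broken installation - also takes the
# rescue path; initdb tolerates a non-empty data directory, so the net effect there is a second
# start attempt.
- name: "PRELIM | Install and start Postgres"
  block:
      - name: "PRELIM | Ensure postgres is started"
        service:
            name: "{{ pgs9stig_postgres_service }}"
            state: started
  rescue:
      - name: workaround ansible bug
        meta: noop

      # Select the postgresql:<version> module stream. An empty result (nothing enabled) is
      # reported as changed and the required stream is enabled; an already-enabled LOWER stream
      # fails the play, because switching streams is not something this role does silently; a
      # higher stream is accepted as-is.
      - name: PRELIM | Enable Postgres YUM module
        block:
            - name: PRELIM | check current yum module
              # The module name is shell-quoted and the grep pattern single-quoted so that
              # regex_escape's backslashes reach grep intact. A custom failed_when is set, so a
              # non-matching grep (rc 1) does not fail the task by itself.
              shell: >-
                  yum module list --enabled {{ pgs9stig_postgres_module_name | quote }}
                  | grep -E '^{{ pgs9stig_postgres_module_name | regex_escape }}'
                  | awk '{print $2}'
              check_mode: no
              register: pgs9stig_discovered_yum_module
              changed_when: pgs9stig_discovered_yum_module.stdout == ""
              failed_when: >-
                  pgs9stig_discovered_yum_module.stdout
                  | default(pgs9stig_postgres_module_version, True)
                  is version_compare(pgs9stig_postgres_module_version, '<')

            - name: PRELIM | enable yum module
              command: yum module enable -y {{ pgs9stig_postgres_module_name }}:{{ pgs9stig_postgres_module_version }}
              when: pgs9stig_discovered_yum_module is changed
        when:
            - ansible_distribution_major_version is version_compare('8', '>=')
            - ansible_os_family == 'RedHat'

      - name: "PRELIM | Install Postgres packages"
        package:
            name: "{{ pgs9stig_postgres_packages }}"

      # Locate the packaged postgresql*-setup helper; exactly one match is required. The grep
      # pattern is quoted so the shell does not treat `*` as a glob.
      - name: "PRELIM | find postgresql-setup binary"
        shell: rpm -ql {{ pgs9stig_postgres_packages | join(" ") }} | grep 'bin/postgresql.*-setup$'
        args:
            warn: no
        check_mode: no
        changed_when: no
        register: pgs9stig_setup_bin
        failed_when:
            - pgs9stig_setup_bin is failed or
              pgs9stig_setup_bin.stdout_lines | count != 1

      # "is not empty!" on stderr means the cluster already exists: neither a failure nor a change.
      - name: "PRELIM | Initialize Postgres Database"
        command: "{{ pgs9stig_setup_bin.stdout }} initdb"
        register: pgs9stig_initdb_result
        failed_when:
            - pgs9stig_initdb_result is failed
            - >-
              'is not empty!' not in pgs9stig_initdb_result.stderr
        changed_when:
            - >-
              'is not empty!' not in pgs9stig_initdb_result.stderr

      - name: "PRELIM | Ensure postgres is started"
        service:
            name: "{{ pgs9stig_postgres_service }}"
            state: started
  tags:
      - always


# PGDATA discovery (STIG Appendix F), skipped when the caller already set pgs9stig_pgdata.
# NOTE(review): running a shell task as an unprivileged become_user needs ACL support (setfacl)
# or pipelining on the target for Ansible to hand over the module file; check the connection
# settings if this task errors before psql runs.
- name: "PRELIM | Appendix F: Finding the PostgreSQL Configured Data Directory (PGDATA)"
  block:
      - name: "PRELIM | Appendix F: Finding the PostgreSQL Configured Data Directory (PGDATA)"
        # `set -o pipefail` is a bash feature, so run under bash explicitly instead of relying
        # on /bin/sh being bash. `tail -n+3 | head -n 1 | cut -c2-` picks the value row out of
        # psql's aligned output and strips its leading space.
        shell: set -o pipefail ; psql -c 'show data_directory' | tail -n+3 | head -n 1 | cut -c2-
        args:
            executable: /bin/bash
        check_mode: no
        changed_when: no
        register: pgs9stig_pgdata_cmd
        # Guard: cat2 applies recursive owner/mode changes under pgs9stig_pgdata, so an empty
        # discovery result must stop the play instead of turning into "" and "/postgresql.conf".
        failed_when:
            - pgs9stig_pgdata_cmd.rc != 0 or
              pgs9stig_pgdata_cmd.stdout | trim == ""
        become: yes
        become_user: "{{ pgs9stig_postgres_user }}"

      - name: "PRELIM | make pgdata available as variable"
        set_fact:
            pgs9stig_pgdata: "{{ pgs9stig_pgdata_cmd.stdout }}"
  when: pgs9stig_pgdata is not defined
  tags:
      - always


# pgaudit (STIG Appendix B). Runs only when pgaudit configuration is enabled and at least one of
# the listed audit items is selected.
# NOTE(review): shared_preload_libraries is set to exactly 'pgaudit' - any library already listed
# there (pg_stat_statements, ...) is dropped, which is worth checking on an existing server. A
# change to shared_preload_libraries only takes effect on the restart done by the notified
# handler; the reload below picks up those pgaudit.* settings that can be changed without one.
- name: "PRELIM | Appendix B: pgaudit"
  block:
      - name: "PRELIM | Appendix B: install pgaudit"
        package:
            name: "{{ pgs9stig_pgaudit_packages }}"

      - name: "PRELIM | Appendix B: configure pgaudit"
        lineinfile:
            path: "{{ pgs9stig_pgdata }}/postgresql.conf"
        module_defaults: "{{ pgs9stig_lineinfile }}"
        register: pgs9stig_pgaudit_conf_install
        notify: restart postgres
        with_dict:
            shared_preload_libraries: "'pgaudit'"
            pgaudit.log_catalog: "'on'"
            pgaudit.log_level: "'log'"
            pgaudit.log_parameter: "'on'"
            pgaudit.log_relation: "'off'"
            pgaudit.log_statement_once: "'off'"
            pgaudit.log: "{{ pgs9stig_pgaudit_log }}"

      - name: "PRELIM | Appendix C: Logging | reload postgres"
        service:
            name: "{{ pgs9stig_postgres_service }}"
            state: reloaded
        when:
            - pgs9stig_pgaudit_conf_install is changed
  when:
      - pgs9stig_configure_pgaudit
      - pgs9_00_000200 or
        pgs9_00_004400 or
        pgs9_00_004900 or
        pgs9_00_005000 or
        pgs9_00_005200 or
        pgs9_00_005500 or
        pgs9_00_005600 or
        pgs9_00_005900 or
        pgs9_00_006000 or
        pgs9_00_006100 or
        pgs9_00_006300 or
        pgs9_00_006400 or
        pgs9_00_006600 or
        pgs9_00_006700 or
        pgs9_00_008600 or
        pgs9_00_009800 or
        pgs9_00_010000 or
        pgs9_00_012500 or
        pgs9_00_012600 or
        pgs9_00_012700 or
        false
  tags:
      - cat2
      - medium
      - PGS9-00-000200
      - PGS9-00-004400
      - PGS9-00-004900
      - PGS9-00-005000
      - PGS9-00-005200
      - PGS9-00-005500
      - PGS9-00-005600
      - PGS9-00-005900
      - PGS9-00-006000
      - PGS9-00-006100
      - PGS9-00-006300
      - PGS9-00-006400
      - PGS9-00-006600
      - PGS9-00-006700
      - PGS9-00-008600
      - PGS9-00-009800
      - PGS9-00-010000
      - PGS9-00-012500
      - PGS9-00-012600
      - PGS9-00-012700


# Logging (STIG Appendix C). Exactly one of the stderr/syslog branches applies, chosen by
# pgs9stig_log_destination.
#   stderr: logging collector with owner-only (0600) files, one file per weekday truncated on
#           rotation and daily rotation, i.e. at most a week of logs stays on disk.
#   syslog: facility LOCAL0, ident 'postgres'. When this role also manages rsyslog, LOCAL0 is
#           routed to pgs9stig_rsyslog_log_path and that path is added to the stock syslog
#           logrotate stanza (assumes the stock /etc/logrotate.d/syslog layout: paths listed one
#           per line before the opening brace).
# NOTE(review): a local rsyslog file is not the separate log management facility that
# PGS9-00-011300 asks for; forwarding is left to the site.
- name: "PRELIM | Appendix C: Logging"
  block:
      - name: "PRELIM | Appendix C: Logging | stderr"
        lineinfile:
            path: "{{ pgs9stig_pgdata }}/postgresql.conf"
        module_defaults: "{{ pgs9stig_lineinfile }}"
        register: pgs9stig_log_stderr_result
        with_dict:
            log_destination: "'stderr'"
            logging_collector: "on"
            log_directory: "'pg_log'"
            log_filename: "'postgresql-%a.log'"
            log_file_mode: "0600"
            log_truncate_on_rotation: "on"
            log_rotation_age: "1d"
            log_rotation_size: 0
        when: pgs9stig_log_destination == 'stderr'

      - name: "PRELIM | Appendix C: Logging | syslog"
        lineinfile:
            path: "{{ pgs9stig_pgdata }}/postgresql.conf"
        module_defaults: "{{ pgs9stig_lineinfile }}"
        register: pgs9stig_log_syslog_result
        with_dict:
            log_destination: "'syslog'"
            syslog_facility: "'LOCAL0'"
            syslog_ident: "'postgres'"
        when: pgs9stig_log_destination == 'syslog'

      - name: "PRELIM | Appendix C: Logging | rsyslog"
        block:
            - name: "PRELIM | Appendix C: Logging | install rsyslog"
              yum:
                  name: rsyslog

            - name: "PRELIM | Appendix C: Logging | configure rsyslog"
              # Drop-in that routes the postgres facility (LOCAL0, set above) to its own file.
              # The mode is quoted so YAML does not read it as an octal integ
              blockinfile:
                  path: "{{ pgs9stig_rsyslog_conf }}"
                  create: yes
                  mode: "0644"
                  block: |
                      # Log postgres items to file
                      local0.* {{ pgs9stig_rsyslog_log_path }}
              register: pgs9stig_rsyslog_conf_result

            - name: "PRELIM | Appendix C: Logging | start rsyslog"
              # "restarted" when the drop-in changed, "started" otherwise.
              service:
                  name: rsyslog
                  state: "{{ pgs9stig_rsyslog_conf_result is changed | ternary('re', '') }}started"

            - name: "PRELIM | Appendix C: Logging | configure logrotate"
              lineinfile:
                  path: /etc/logrotate.d/syslog
                  insertbefore: ^{$
                  line: "{{ pgs9stig_rsyslog_log_path }}"
        when: pgs9stig_with_rsyslog

      # Skipped tasks still register a (skipped) result, so all three variables exist here.
      - name: "PRELIM | Appendix C: Logging | reload postgres"
        service:
            name: "{{ pgs9stig_postgres_service }}"
            state: reloaded
        when:
            - pgs9stig_log_stderr_result is changed or
              pgs9stig_log_syslog_result is changed or
              pgs9stig_rsyslog_conf_result is changed
  when:
      - pgs9_00_000200 or
        pgs9_00_000400 or
        pgs9_00_003700 or
        pgs9_00_004100 or
        pgs9_00_004200 or
        pgs9_00_004500 or
        pgs9_00_004600 or
        pgs9_00_004700 or
        pgs9_00_004800 or
        pgs9_00_005100 or
        pgs9_00_005300 or
        pgs9_00_005400 or
        pgs9_00_005700 or
        pgs9_00_006200 or
        pgs9_00_006500 or
        pgs9_00_006800 or
        pgs9_00_006900 or
        pgs9_00_008600 or
        pgs9_00_010400 or
        pgs9_00_011100 or
        pgs9_00_011300 or
        false
  tags:
      - cat2
      - medium
      - PGS9-00-000200
      - PGS9-00-000400
      - PGS9-00-003700
      - PGS9-00-004100
      - PGS9-00-004200
      - PGS9-00-004500
      - PGS9-00-004600
      - PGS9-00-004700
      - PGS9-00-004800
      - PGS9-00-005100
      - PGS9-00-005300
      - PGS9-00-005400
      - PGS9-00-005700
      - PGS9-00-006200
      - PGS9-00-006500
      - PGS9-00-006800
      - PGS9-00-006900
      - PGS9-00-008600
      - PGS9-00-010400
      - PGS9-00-011100
      - PGS9-00-011300
--------------------------------------------------------------------------------
/templates/etc_default_grub.j2:
--------------------------------------------------------------------------------
{# NOTE(review): none of the task files shown in this chunk (cat2 tail, cat3, main, prelim)
   render this template; cat1.yml is not shown. The commented-out loop below uses the Python
   2-only dict.iteritems() and looks carried over from the RHEL 7 STIG role. Only
   grub_cmdline_linux is substituted. #}
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="{{ grub_cmdline_linux }}"
{#{% for param, value in ansible_cmdline.iteritems()
%}{% if param not in blacklist %} {{ param }}{% if value is string %}={{ value }}{%
endif %}{% endif %}{% endfor %}"#}
GRUB_DISABLE_RECOVERY="true"
--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
# these variables are for enabling tasks to run that will be further controlled
# by check_mode to prevent the remediation task from making changes as
# requested
pgs9stig_complex: "{{ pgs9stig_complexity_high or pgs9stig_audit_complex }}"
pgs9stig_disruptive: "{{ pgs9stig_disruption_high or pgs9stig_audit_disruptive }}"

# These vars are made to go in the check_mode property of a task that is
# complex or disruptive, respectively.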
# True (task runs in check mode) when the play itself is in check mode, or when complex /
# disruptive items are being audited but not applied. Jinja precedence: `A or B and not C`
# reads as `A or (B and not C)`.
pgs9stig_complex_check_mode: "{{ ansible_check_mode or pgs9stig_audit_complex and not pgs9stig_complexity_high }}"
pgs9stig_disruptive_check_mode: "{{ ansible_check_mode or pgs9stig_audit_disruptive and not pgs9stig_disruption_high }}"

# True if we have configured rsyslog
# (prelim.yml only manages rsyslog when PostgreSQL logs to syslog AND the site opted in).
pgs9stig_with_rsyslog: "{{ pgs9stig_configure_rsyslog and pgs9stig_log_destination == 'syslog' }}"

# this allows us to insert a name=value into a line of the format:
# key="name1=value1 name2=value2 nameN=valueN"
# `key`, `param`, `value` and the optional `insert`/`append` switches are not defined in this
# file: they are expected to be in scope in the task that references these variables, which is
# presumably a lineinfile/replace regexp + replacement pair (backrefs) outside this chunk.
# Capture groups: \1 the `key="` prefix, \2 parameters before the match, \3 the existing
# param=value if present, \4 parameters after it, \5 the closing quote. The replacement omits \3
# and re-emits param=value; from the regex shape, a new parameter lands at the front (insert) or
# the end (append) of the quoted list, while an existing one is rewritten in place.
pgs9stig_regexp_quoted_params: ^({{ pgs9stig_re_qp_key }})({{ pgs9stig_re_qp_other_params }})({{
    pgs9stig_re_qp_param }}?)({{ pgs9stig_re_qp_other_params }})({{ pgs9stig_re_qp_key_end }})
pgs9stig_replace_quoted_params: \1\2{{ pgs9stig_re_qp_insert | ternary('', ' ') }}{{ param }}={{
    value }}{{ pgs9stig_re_qp_insert | ternary(' ', '') }}\4\5

# none of these regexes create capture groups
# (so the numbered groups above stay stable regardless of how these pieces expand)
pgs9stig_re_qp_key: (?:\s*{{ key }}=")
# one `param=value` token, delimited by a space or the quote on either side; in insert mode the
# optional surrounding space is taken after the token, in append mode before it
pgs9stig_re_qp_param: (?:{{ pgs9stig_re_qp_insert | ternary('', ' ?') }}{{
    pgs9stig_re_qp_param_start }}{{ param }}=.*?{{
    pgs9stig_re_qp_param_end }}{{ pgs9stig_re_qp_insert | ternary(' ?', '') }})
# any run of characters that does not contain the parameter; lazy (`*?`) in insert mode so the
# new value is placed as early as possible, greedy otherwise
pgs9stig_re_qp_other_params: (?:(?!{{ pgs9stig_re_qp_param }}.*).)*{{
    pgs9stig_re_qp_insert | ternary('?', '') }}
pgs9stig_re_qp_param_start: (?<=[" ])
pgs9stig_re_qp_param_end: (?=[" ])
pgs9stig_re_qp_key_end: (?:" *)

# insert the parameter at the beginning or append to the end, default append
# (`insert` wins when given; otherwise the inverse of `append`, which itself defaults to true)
pgs9stig_re_qp_insert: "{{ insert | default(not (append | default(true))) }}"