You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
We're trying to run the postgres inspec as an inspec user so that we don't need to configure password authentication for our DB owner. However we see two problems when this happens:
The control doesn't specify a database name, so it attempts to log into a database named after the user. Since we don't have an inspec database to match, it fails to create a postgres_session.
Checks like ownership seem to assume that the user we specify will be the DB owner, with failures like "message": "expected File /var/lib/postgresql/12/main.owned_by?("inspec") to be truthy, got false",
Expected behavior
We had hoped to be able to run this as a user other than the DB owner/superuser. Is that possible?
Actual behavior
Apparently it has to run as the DB owner (postgres) and so we'd have to allow md5 auth from 127.0.0.1. That would be a huge security concern to me. Hopefully I'm missing something obvious.
Describe the bug
We're trying to run the postgres inspec as an
inspec
user so that we don't need to configure password authentication for our DB owner. However we see two problems when this happens:inspec
database to match, it fails to create a postgres_session."message": "expected
File /var/lib/postgresql/12/main.owned_by?("inspec")to be truthy, got false",
Expected behavior
We had hoped to be able to run this as a user other than the DB owner/superuser. Is that possible?
Actual behavior
Apparently it has to run as the DB owner (
postgres
) and so we'd have to allow md5 auth from 127.0.0.1. That would be a huge security concern to me. Hopefully I'm missing something obvious.Example code
OS / Environment
Inspec Version
Our inspec script pulls https://github.com/dev-sec/postgres-baseline/archive/master.zip every time.
The text was updated successfully, but these errors were encountered: