
Must run as postgres user? #47

Open
dtseiler opened this issue Jul 20, 2022 · 0 comments


dtseiler commented Jul 20, 2022

Describe the bug
We're trying to run the postgres inspec as an inspec user so that we don't need to configure password authentication for our DB owner. However we see two problems when this happens:

  1. The control doesn't specify a database name, so it attempts to log into a database named after the user. Since we don't have an inspec database to match, it fails to create a postgres_session.
  2. Checks like ownership seem to assume that the user we specify will be the DB owner, with failures like:

     "message": "expected File /var/lib/postgresql/12/main.owned_by?(\"inspec\") to be truthy, got false"

Expected behavior
We had hoped to be able to run this as a user other than the DB owner/superuser. Is that possible?

Actual behavior

Apparently it has to run as the DB owner (postgres) and so we'd have to allow md5 auth from 127.0.0.1. That would be a huge security concern to me. Hopefully I'm missing something obvious.

Example code

/opt/chef/embedded/bin/inspec exec https://github.com/dev-sec/postgres-baseline/archive/master.zip \
  --reporter=json \
  --input-file /opt/foo/inspec-cron/postgres-inputs.yaml \
  | jq -c '.profiles[].controls
           | map(.results = (.results | map(select(.status == "failed")))
                 | select(.results | length > 0))
           | .[] | {inspec: .}' \
  >> /var/log/inspec-reports/postgres-report.json

OS / Environment

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.6 LTS"

Inspec Version
Our inspec script pulls https://github.com/dev-sec/postgres-baseline/archive/master.zip every time.
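The following POSIX sh script is an added example and is not code from the postgres-baseline project or from the reporter. It shows the least-privilege setup the report is asking for: SQL that creates a dedicated non-superuser audit role together with a database of the same name (so a connection that omits a database name still finds one, which is the first failure above), a single scoped pg_hba.conf rule for that role, and a check that flags pg_hba.conf rules granting the postgres superuser (or all users) password authentication over the network, which is the rule the reporter did not want to add. Assumptions: the role and database are both named inspec, the server is PostgreSQL 10 or newer (for the pg_read_all_settings role), and scram-sha-256 is used instead of md5; all pg_hba.conf lines in the script are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the postgres-baseline project or the issue author.
# Assumptions: the audit role and its database are both named "inspec", the
# server is PostgreSQL 10+ (pg_read_all_settings exists), and password auth
# uses scram-sha-256. Every pg_hba.conf line below is a constructed sample.

# Emit SQL that creates a dedicated non-superuser login role and a database
# with the same name, so a connection that omits -d still finds a database.
inspec_role_sql() {
  role_name="$1"
  cat <<EOF
CREATE ROLE "$role_name" LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
  PASSWORD 'REPLACE_WITH_GENERATED_SECRET';
GRANT pg_read_all_settings TO "$role_name";
CREATE DATABASE "$role_name" OWNER "$role_name";
EOF
}

# Emit the one pg_hba.conf rule the audit role needs: one user, one database,
# loopback only, scram-sha-256 rather than md5.
inspec_hba_rule() {
  role_name="$1"
  printf 'host    %s    %s    127.0.0.1/32    scram-sha-256\n' "$role_name" "$role_name"
}

# Print every network rule in a pg_hba.conf that lets the superuser (or "all"
# users, which includes it) authenticate with a password; return 1 if any
# such rule exists, 0 otherwise. Layout: type database user address method.
pg_hba_superuser_password_rules() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    ($1 == "host" || $1 == "hostssl" || $1 == "hostnossl") &&
    ($3 == "postgres" || $3 == "all") {
      # the method follows the address, which may take one or two fields
      for (i = 5; i <= NF; i++)
        if ($i ~ /^(md5|scram-sha-256|password)$/) { print; found = 1; break }
    }
    END { exit found ? 1 : 0 }
  ' "$1"
}

# Stand-alone demo over a constructed pg_hba.conf.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# constructed sample pg_hba.conf
local   all      postgres                   peer
host    all      postgres    127.0.0.1/32   md5
host    inspec   inspec      127.0.0.1/32   scram-sha-256
EOF
inspec_role_sql inspec
inspec_hba_rule inspec
if pg_hba_superuser_password_rules "$sample"; then
  echo "pg_hba.conf: no password rule for the superuser"
else
  echo "pg_hba.conf: the rule(s) above give the superuser password auth; use the scoped rule instead"
fi
rm -f "$sample"
```

This only covers the connection side: the baseline's file-ownership checks still compare the data directory owner against whatever user is supplied, so those controls would need a separate owner input to pass for a role other than postgres.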
