Open
Description
Describe the bug
We're trying to run the postgres inspec as an inspec user so that we don't need to configure password authentication for our DB owner. However, we see two problems when this happens:
- The control doesn't specify a database name, so it attempts to log into a database named after the user. Since we don't have an inspec database to match, it fails to create a postgres_session.
- Checks like ownership seem to assume that the user we specify will be the DB owner, with failures like
  "message": "expected File /var/lib/postgresql/12/main.owned_by?("inspec") to be truthy, got false",
Expected behavior
We had hoped to be able to run this as a user other than the DB owner/superuser. Is that possible?
Actual behavior
Apparently it has to run as the DB owner (postgres) and so we'd have to allow md5 auth from 127.0.0.1. That would be a huge security concern to me. Hopefully I'm missing something obvious.
Example code
/opt/chef/embedded/bin/inspec exec https://github.com/dev-sec/postgres-baseline/archive/master.zip --reporter=json --input-file /opt/foo/inspec-cron/postgres-inputs.yaml | jq -c '.profiles[].controls | map(.results=(.results | map(select(.status=="failed"))) | select(.results | length > 0)) | .[] | {inspec: .}' >> /var/log/inspec-reports/postgres-report.json
OS / Environment
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.6 LTS"
Inspec Version
Our inspec script pulls https://github.com/dev-sec/postgres-baseline/archive/master.zip every time.
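The trade-off described under "Actual behavior" (enabling md5 auth for the superuser from 127.0.0.1 versus running the profile as a separate OS user over the Unix socket with peer auth) can be checked directly in pg_hba.conf. The following is an added example, not code from postgres-baseline or InSpec: it parses a constructed pg_hba.conf, flags entries that let the superuser (assumed to be "postgres") authenticate with a password over TCP, and confirms whether a local peer entry exists for a given role.

```ruby
# Constructed sample pg_hba.conf (not taken from any real host).
SAMPLE_PG_HBA = <<~HBA
  # TYPE  DATABASE     USER      ADDRESS        METHOD
  local   all          postgres                 peer
  local   all          inspec                   peer
  host    all          postgres  127.0.0.1/32   md5
  host    all          all       ::1/128        scram-sha-256
  host    replication  replicator 10.0.0.0/8    scram-sha-256
HBA

# Methods that require a password to be configured for the role.
PASSWORD_METHODS = %w[md5 password scram-sha-256].freeze

# Parse pg_hba.conf into hashes. "local" lines have no ADDRESS column;
# host/hostssl/hostnossl lines do. Comments and blank lines are skipped.
# The USER column may be a comma-separated list, so it is kept as an array.
def parse_pg_hba(text)
  entries = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    fields = line.split
    type, database, user = fields[0..2]
    address, method = type == 'local' ? [nil, fields[3]] : [fields[3], fields[4]]
    entries << { type: type, database: database, users: user.split(','),
                 address: address, method: method }
  end
  entries
end

# Entries that allow the superuser (directly or via the "all" keyword) to
# authenticate with a password over a network socket. Any non-"local" type
# (host, hostssl, hostnossl) is treated as TCP.
def superuser_password_over_tcp(entries, superuser: 'postgres')
  entries.select do |e|
    e[:type] != 'local' &&
      PASSWORD_METHODS.include?(e[:method]) &&
      (e[:users] & [superuser, 'all']).any?
  end
end

# True when a Unix-socket peer entry exists for the role, meaning an OS user
# of the same name could connect without any password being configured.
def peer_entry_for?(entries, role)
  entries.any? do |e|
    e[:type] == 'local' && e[:method] == 'peer' && (e[:users] & [role, 'all']).any?
  end
end
```

Note that a `host ... all ...` line with a password method matches the superuser too, so it is reported alongside the explicit postgres line.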