Skip to content

Add Support for PostgreSQL#725

Open
professormahi wants to merge 26 commits intodev-sec:masterfrom
professormahi:master
Open

Add Support for PostgreSQL#725
professormahi wants to merge 26 commits intodev-sec:masterfrom
professormahi:master

Conversation

@professormahi
Copy link

@professormahi professormahi commented Dec 1, 2023

I'm working on adding PostgreSQL hardening role to this collection.

@rndmh3ro
Copy link
Member

rndmh3ro commented Dec 1, 2023

Wow, that's awesome! Thank you!

If you have any problems or questions, feel free to reach out!

@professormahi professormahi force-pushed the master branch 2 times, most recently from 224aeae to fcfe9c6 Compare December 6, 2023 18:09
This was referenced Dec 7, 2023
Closed
Closed
@professormahi
Feat: Add basis for postgres-hardening
9cceb77 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Fix a typo on geerlingguy.postgresql
bcdf88d 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Fix: Add galaxy dependecy
d53986a 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Fix: change test version to galaxyproject.postgresql
1b19d6f 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Feat: Add postgres-01 and postgres-02
6bce1f9 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Fix: user fqcn of builtin modules
f66e1ea 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Feat: Change molecule postgres collection to geerlingguy
1a33ca4 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Feat: Add postgres-10
2e8c638 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Add geerlingguy_postgresql to .gitignore
6ddf542 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Feat: Add configration for postgres user/group
9048b6c 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Feat: Add postgres-11/12
27997f3 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Feat: Add Postgres-16
5c3c04f 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Feat: Add Postgres-20
05f3c60 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Feat: Add Postgres-13/14/15
d87d37e 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Feat: Add support for Postgres-07 and Ubuntu2004
f171c9d 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Fix: geerlingguy_postgresql_vars.yml should be excluded from ansible-…
82fb017 
…lint

Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi
Fix: refactor all linting problems
ebb1d9d 
Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>
@professormahi professormahi marked this pull request as ready for review December 8, 2023 12:18
@professormahi
Copy link
Author

professormahi commented Dec 8, 2023

I think the base version is ready for review after merging dev-sec/postgres-baseline#54.

@professormahi
Copy link
Author

professormahi commented Apr 17, 2024

This PR is ready to review after the workflow approval. @rndmh3ro

@rndmh3ro
Copy link
Member

rndmh3ro commented Apr 19, 2024

Thanks @professormahi, sounds awesome. I'll try to take a look next week!

rndmh3ro
rndmh3ro reviewed Apr 22, 2024
View reviewed changes
Copy link
Member

@rndmh3ro rndmh3ro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took an initial look and have some remarks, but great work nonetheless!

roles/postgres_hardening/tasks/hardening.yml
#################################
# POSTGRES-02 ###################
#################################
- name: Get postgres version
Copy link
Member

@rndmh3ro rndmh3ro Apr 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use the postgresql_info_module here? According to the docs, getting the version is supported by the module.

Or don't you want to do this because then we'd have to connect to the postgres?

Copy link
Member

@rndmh3ro rndmh3ro May 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@professormahi What do you think about this?

roles/postgres_hardening/tasks/hardening.yml
# POSTGRES-07/11/12/16 ##########
#################################
- name: Secure postgresql.conf Configuration
ansible.builtin.lineinfile:
Copy link
Member

@rndmh3ro rndmh3ro Apr 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not a fan of using lineinfile. I'd rather use template.
Now I guess templating the whole postgresql.conf-file would be inconvenient, can we use includes?

Copy link
Member

@rndmh3ro rndmh3ro May 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@professormahi What do you think about this?

@professormahi @rndmh3ro
Fix: Remove debug Tasks
c28749d 
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
professormahi and others added 7 commits April 27, 2024 09:40
@professormahi @rndmh3ro
Fix: remove typo about supporting Debian
c3b6601 
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
@professormahi @rndmh3ro
Fix: Remove debug Tasks
c8c6982 
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
@professormahi @rndmh3ro
Fix: Remove Debug Tasks.
8da4e0d 
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
@professormahi @rndmh3ro
Fix: use octal format for modes
88bc364 
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
@professormahi
Merge branch 'dev-sec:master' into master
82e9f46
update ssh_hardening readme
533b8c4
update os_hardening readme
22c9f59
@jpmc3630
Copy link

jpmc3630 commented Jan 29, 2025

What's the status of this?

@professormahi
Copy link
Author

professormahi commented Mar 20, 2025

What's the status of this?

Sorry for long delay. I will work on this issue in next week and hope to fix your comments soon.

@stroebel
Copy link

stroebel commented Mar 24, 2025

Good day. I've pulled this branch to extend the supported OSes for postgres hardening. I can address the comments that are still outstanding but it looks like there are some unsigned commits from @professormahi and the CI tool. I've specifically pulled @professormahi 's branch to avoid clobbering the work that he has done so far.

Would you prefer that I wait until this PR is merged or can I extend this contribution after the unsigned commits are signed?

@idNoRD
Copy link

idNoRD commented Jun 19, 2025

@stroebel Please feel free to move forward independently of this PR. Be sure to resolve the unsigned commit issues, and if you're planning to add support for AL2023, I’m happy to assist with reviewing and verifying your changes. Since this PR is specific to Ubuntu, support for other operating systems doesn’t need to wait. Let’s keep the momentum going.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rndmh3ro rndmh3ro rndmh3ro left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@professormahi @rndmh3ro @jpmc3630 @stroebel @idNoRD