ansible-lockdown / postgres-9-stig Goto Github PK

A good place to start would be the template ansible role README.

James/Repo Owners,

Can you provide me access to upload the latest version?
Description: | RELEASE REVIEW # 124339 for Angel,Michael
Approved for Public Release, 10/07/2019 09:05 AM

Michael Angel
[email protected]

configure a basic TLS setup using sscg ( https://github.com/sgallagher/sscg ), which is included with RHEL 8, and in EPEL for RHEL 7.

Would allow us to tackle HIGH item PGS9-00-010200 and other TLS related items in a generic way.

MEDIUM | PGS9-00-011200 | AUDIT | PostgreSQL must protect its audit features from unauthorized removal.

The rule as implemented today only works for the SCLs and the pgdg repos, not the RHEL 8 repos.

MEDIUM | PGS9-00-009200 | PATCH | Unused database components which are integrated in PostgreSQL and cannot be uninstalled must be disabled.

rule is broken without yumdb available

In the RHEL7-STIG role, we've marked certain tasks as potentially disruptive for role user convenience. Do we want to do something similar here, or only target fresh installations? (Or anything else in between?)

For starters:

• #17

This will detect PGDATA for the postgresql systemd unit.
(set -euo pipefail ; eval "$(systemctl show -p Environment postgresql | grep -oP '(?<=^Environment=).*' || echo false)" ; echo $PGDATA)

Inspired by how postgresql-setup script detects the correct location.