
Commit e58180fc authored by ManTech Automation's avatar ManTech Automation

Pushing latest release - 1.0.1

parent b6b186f2
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72841",
"previousName": "",
"_id": 9079,
"title": "PostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. (V-72841)((UPDATED)) (CCI: 000382, 001762) (Rule ID: SV-87493r2_rule)",
"script": "#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -iname postgresql.conf 2>/dev/null)\nelse\n filename=\"/var/lib/postgresql/data/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n port=$(grep -i port \"$filename\")\n if [ -z \"$port\" ]\n then\n echo \"Port not set in postgresql.conf.\"\n exit 1\n else\n echo \"Port is set to $port. Please verify this is the proper configuration.\"\n exit 1\n fi\nelse\n echo \"postgresql.conf file not found.\"\n exit 1\nfi\nexit 0",
"severity": "high"
}
]
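Review bot: The else branch in the V-72841 `script` string tests `$pgdata` and then ignores it, hard-coding `/var/lib/postgresql/data/postgresql.conf`, so a cluster whose PGDATA points elsewhere is checked against the wrong file or reported as missing; every other section in this commit builds the path as `filename="$pgdata/postgresql.conf"` and this one should match. `grep -i port` also matches the commented-out default and any comment text containing the substring, so the echoed "Port is set to" line may quote something other than the live setting; `port=$(grep -iE '^[[:space:]]*port[[:space:]]*=' "$filename")` restricts it to an active assignment. The fallback `find / -iname postgresql.conf` can return several paths, and a multi-line value makes `[ -f "$filename" ]` fail; appending `| head -n 1` avoids that here and in the V-72847, V-72851, V-72853, V-72855, V-72857 and V-72863 scripts that share the prologue. Both branches exit 1, so the closing `exit 0` is unreachable; if a manual-verification result is intended, the echoed text should say so.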
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72845",
"previousName": "",
"_id": 9073,
"title": "Security-relevant software updates to PostgreSQL must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). (V-72845) (CCI: 002605) (Rule ID: SV-87497r1_rule)",
"script": "#!/bin/bash\npsqlVersion=$(psql --version)\necho \"Institue policies and procedures to ensure patches are consistently applied. PostgreSQL version is $psqlVersion.\"\nexit 1",
"severity": "critical"
}
]
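Review bot: The message in the V-72845 `script` misspells "Institue"; it should read `Institute policies and procedures to ensure patches are consistently applied.` since this text is what the operator sees. `psql --version` is run with no fallback, so on a host where the client is not on the checker's PATH `$psqlVersion` is empty and the message reports no version at all; a guard such as `[ -z "$psqlVersion" ] && psqlVersion="unknown (psql not on PATH)"` keeps the output meaningful.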
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72847",
"previousName": "",
"_id": 9062,
"title": "The audit information produced by PostgreSQL must be protected from unauthorized modification. (V-72847) (CCI: 000163) (Rule ID: SV-87499r2_rule)",
"script": "#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -iname postgresql.conf 2>/dev/null)\n pgdata=$(echo \"$filename\" | tr -d \"\\postgresql.conf\")\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n file_mode=$(grep -i log_file_mode \"$filename\" | grep 0600)\n if [ -z \"$file_mode\" ] || [ \"$file_mode\" != \"0600\" ]\n then\n echo \"log_file_mode is not set to 0600 in postgresql.conf.\"\n exit 1 \n fi \nelse\n echo \"postgresql.conf not found.\"\n exit 1\nfi\nexit 0",
"severity": "high"
}
]
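Review bot: The `log_file_mode` test in the V-72847 `script` can never pass: `file_mode` holds the whole matched line (something like `log_file_mode = 0600`), so `[ "$file_mode" != "0600" ]` is always true and the script exits 1 precisely when the setting is present. The value has to be isolated first, e.g. `file_mode=$(grep -iE '^[[:space:]]*log_file_mode' "$filename" | cut -d '=' -f 2 | cut -d '#' -f 1 | tr -d " '")`, which also stops a commented-out default from matching. The V-72851 section has the same shape with `client_min_messages` piped through `grep -i error` and compared to the bare word `error`, and needs the same fix. The line `pgdata=$(echo "$filename" | tr -d "\postgresql.conf")` deletes a set of characters rather than stripping the file name, so it yields a mangled directory; it is unused in that branch here, so it is harmless but misleading and can be dropped or replaced with `pgdata=$(dirname "$filename")`.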
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72849",
"previousName": "",
"_id": 9064,
"title": "PostgreSQL must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. (V-72849) (CCI: 000015) (Rule ID: SV-87501r1_rule)",
"script": "#!/bin/bash\necho \"Integrate PostgreSQL security with an organization-level authentication/access mechanism providing account management for all users, groups, roles, and any other principals.\"\nexit 1",
"severity": "high"
}
]
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72851",
"previousName": "",
"_id": 9061,
"title": "PostgreSQL must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. (V-72851) (CCI: 001312) (Rule ID: SV-87503r3_rule)",
"script": "#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name postgresql.conf 2>/dev/null)\n pgdata=$(echo \"$filename\" | tr -d \"\\postgresql.conf\")\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n min_messages=$(grep -i client_min_messages \"$filename\" | grep -i error)\n if [ -z \"$min_messages\" ] || [ \"$min_messages\" != \"error\" ]\n then\n echo \"client_min_messages is not set or is set incorrectly in postgresql.conf.\"\n exit 1 \n fi \nelse\n echo \"postgresql.conf not found.\"\n exit 1\nfi\nexit 0",
"severity": "high"
}
]
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72853",
"previousName": "",
"_id": 9059,
"title": "Privileges to change PostgreSQL software modules must be limited. (V-72853) (CCI: 001499) (Rule ID: SV-87505r2_rule)",
"script": "#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name postgresql.conf 2>/dev/null)\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n whoami=$(whoami)\n owner=$(ls -l $filename | cut -d \" \" -f 3)\n if [ \"$owner\" != \"$whoami\" ] || [ \"$owner\" == \"root\" ]\n then\n echo \"Owner is not set correctly on postgresql.conf.\"\n exit 1\n fi\n\n groups=$(id | cut -d \" \" -f 2 | cut -d \"(\" -f 2 | cut -d \")\" -f 1)\n group=$(ls -l $filename | cut -d \" \" -f 4)\n if [ \"$groups\" != \"$group\" ] || [ \"$group\" == \"root\" ]\n then\n echo \"Group is not set correctly on postgresql.conf\"\n exit 1\n fi\n\n mode=$(ls -l $filename | cut -d \" \" -f 1)\n if [ \"$mode\" != \"-rw-------.\" ]\n then\n echo \"File permissions on postgresql.conf are not set to 0600.\"\n exit 1\n fi\nelse\n echo \"postgresql.conf file not found.\"\n exit 1\nfi\nexit 0",
"severity": "high"
}
]
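Review bot: The mode test in the V-72853 `script`, `[ "$mode" != "-rw-------." ]`, compares against an `ls -l` field that ends with the SELinux context marker, so on a host without SELinux labelling (or with an ACL, which prints `+`) a correctly restricted file is reported as not 0600; the group test reads only the first group from `id`, so an owner whose access comes through a supplementary group fails as well. `mode=$(stat -c %a "$filename")` compared with `600`, and `stat -c %U` / `stat -c %G` for owner and group, give stable values without parsing `ls` columns. `$filename` is unquoted in the three `ls -l $filename` calls, which breaks on a path containing spaces. The V-72855 section parses the same way and should be changed together with this one.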
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72855",
"previousName": "",
"_id": 9058,
"title": "PostgreSQL must limit privileges to change functions and triggers, and links to software external to PostgreSQL. (V-72855) (CCI: 001499) (Rule ID: SV-87507r1_rule)",
"script": "#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name postgresql.conf 2>/dev/null)\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n whoami=$(whoami)\n owner=$(ls -l \"$filename\" | cut -d \" \" -f 3)\n if [ \"$owner\" != \"$whoami\" ] || [ \"$owner\" == \"root\" ]\n then\n echo \"Owner is not set correctly on postgresql.con.\"\n exit 1\n fi\n\n groups=$(id | cut -d \" \" -f 2 | cut -d \"(\" -f 2 | cut -d \")\" -f 1)\n group=$(ls -l \"$filename\" | cut -d \" \" -f 4)\n if [ \"$groups\" != \"$group\" ] || [ \"$group\" == \"root\" ]\n then\n echo \"Group is not set correctly on postgresql.conf.\"\n exit 1\n fi\n\n mode=$(ls -l $filename | cut -d \" \" -f 1)\n if [ \"$mode\" != \"-rw-------.\" ]\n then\n echo \"File permissions on postgresql.conf are not set to 0600.\"\n exit 1\n fi\nelse\n echo \"postgresql.conf file not found.\"\n exit 1\nfi\nexit 0",
"severity": "high"
}
]
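Review bot: The owner failure message in the V-72855 `script` reads `Owner is not set correctly on postgresql.con.`, dropping the final `f`; it should match the neighbouring messages as `Owner is not set correctly on postgresql.conf.`. The mode line `mode=$(ls -l $filename | cut -d " " -f 1)` also leaves `$filename` unquoted while the owner and group lines in the same script quote it; `ls -l "$filename"` keeps the three consistent.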
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72857",
"previousName": "",
"_id": 9090,
"title": "If passwords are used for authentication, PostgreSQL must transmit only encrypted representations of passwords. (V-72857) (CCI: 000197) (Rule ID: SV-87509r1_rule)",
"script": "#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name pg_hba.conf 2>/dev/null)\nelse\n filename=\"$pgdata/pg_hba.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n method=$(grep -i host \"$filename\" | grep -i md5)\n if [ -z \"$method\" ]\n then\n echo \"MD5 authentication not found.\"\n exit 1\n fi\nelse\n echo \"pg_hba.conf file not found.\"\n exit 1\nfi\nexit 0",
"severity": "high"
}
]
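Review bot: The pg_hba.conf check in the V-72857 `script` passes as soon as one `host` line mentions `md5`, so a file that also carries `host ... trust` or `host ... password` entries (no authentication, or cleartext passwords) is accepted although the rule exists to forbid unencrypted password transmission. A stronger test fails on any active host entry using those methods: `cleartext=$(grep -iE '^[[:space:]]*host' "$filename" | grep -iwE 'password|trust')` followed by `if [ -n "$cleartext" ]; then echo "Cleartext or unauthenticated host entry found."; exit 1; fi`, keeping the existing md5 presence test as the second condition. Anchoring with `^[[:space:]]*host` also stops commented-out lines from satisfying the presence test.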
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72859",
"previousName": "",
"_id": 9066,
"title": "PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. (V-72859) (CCI: 000213) (Rule ID: SV-87511r2_rule)",
"script": "#!/bin/bash\necho \"Create and maintain documentation of each group role's appropriate permissions on database objects.\"\nexit 1",
"severity": "high"
}
]
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72861",
"previousName": "",
"_id": 9069,
"title": "PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in transmission. (V-72861) (CCI: 002264) (Rule ID: SV-87513r1_rule)",
"script": "#!/bin/bash\necho \"If security labeling is required, validate that it is enabled.\"\nexit 1",
"severity": "high"
}
]
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72863",
"previousName": "",
"_id": 9071,
"title": "PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types. (V-72863) (CCI: 000054) (Rule ID: SV-87515r2_rule)",
"script": "#!/bin/bash\npgdata=\"$PGDATA\"\nif [ -z \"$pgdata\" ]\nthen\n filename=$(find / -name postgresql.conf 2>/dev/null)\n pgdata=$(echo \"$filename\" | tr -d \"\\postgresql.conf\")\nelse\n filename=\"$pgdata/postgresql.conf\"\nfi\n\nif [ -f \"$filename\" ]\nthen\n max_connections=$(grep -i max_connections \"$filename\" | cut -d \"=\" -f 2 | tr -d ' ')\n if [ -z \"$max_connections\" ] || [ \"$max_connections\" -gt 10 ]\n then\n echo \"max_connections is either not defined or is set greater than 10.\"\n exit 1 \n fi \nelse\n echo \"postgresql.conf not found.\"\n exit 1\nfi\nexit 0",
"severity": "high"
}
]
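Review bot: `grep -i max_connections` in the V-72863 `script` also matches the commented-out default that a stock postgresql.conf typically carries and any comment that mentions the setting, so `max_connections` can hold several lines and `[ "$max_connections" -gt 10 ]` then aborts with an integer-expression error instead of evaluating; a trailing inline comment on the live line breaks it the same way. Anchor it and take the last active assignment: `max_connections=$(grep -iE '^[[:space:]]*max_connections' "$filename" | tail -n 1 | cut -d '=' -f 2 | cut -d '#' -f 1 | tr -d ' ')`. The limit 10 is hard-coded although the title says "organization-defined"; reading it from an environment variable with 10 as the default would let sites supply their own threshold.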
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72865",
"previousName": "",
"_id": 9074,
"title": "The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (functions, trigger procedures, links to software external to PostgreSQL, etc.) must be restricted to authorized users. (V-72865) (CCI: 001499) (Rule ID: SV-87517r1_rule)",
"script": "#!/bin/bash\npgdata=`echo $PGDATA`\n\nif [ -z \"$pgdata\" ]\nthen\n echo \"PGDATA is not set.\"\n exit 1\nfi\n\nexit 0",
"severity": "high"
}
]
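Review bot: The V-72865 `script` returns `exit 0` (pass) whenever `PGDATA` is set, which says nothing about whether the roles that modify structure and logic modules are restricted as the title requires, so this item will report compliant on every configured host. The other judgement-based items in this commit end with an instruction and `exit 1`; this one should do the same, e.g. `echo "Review role/group privileges on database objects and logic modules against organizational documentation."` followed by `exit 1`. The backtick command substitution around `echo $PGDATA` can simply be `pgdata="$PGDATA"` as the neighbouring scripts write it.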
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72867",
"previousName": "",
"_id": 9080,
"title": "PostgreSQL must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). (V-72867) (CCI: 000804) (Rule ID: SV-87519r1_rule)",
"script": "#!/bin/bash\npsqlDBroles=$(su postgres -c 'psql -c \"\\du\"')\necho \"Validate users are uniquely identified as per organizational documentation. Current DB Roles are $psqlDBroles.\"\nexit 1",
"severity": "high"
}
]
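Review bot: `su postgres -c 'psql -c "\du"'` in the V-72867 `script` assumes the checker runs as root and that the service account is named `postgres`; when either is false the command fails, its stderr is not captured, and the message prints an empty role list while still exiting 1, so the operator cannot tell a failed enumeration from a cluster with no roles. Guarding the result, `if [ -z "$psqlDBroles" ]; then echo "Could not enumerate roles (requires root and the postgres account)."; exit 1; fi`, makes the failure explicit.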
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72869",
"previousName": "",
"_id": 9084,
"title": "PostgreSQL must associate organization-defined types of security labels having organization-defined security label values with information in storage. (V-72869) (CCI: 002262) (Rule ID: SV-87521r1_rule)",
"script": "#!/bin/bash\necho \"Validate security labeling is in use if required.\"\nexit 1",
"severity": "high"
}
]
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72871",
"previousName": "",
"_id": 9057,
"title": "PostgreSQL must check the validity of all data inputs except those specifically identified by the organization. (V-72871) (CCI: 001310) (Rule ID: SV-87523r1_rule)",
"script": "#!/bin/bash\necho \"Review PostgreSQL code (trigger procedures, functions), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input.\"\nexit 1",
"severity": "high"
}
]
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72873",
"previousName": "",
"_id": 9060,
"title": "PostgreSQL and associated applications must reserve the use of dynamic code execution for situations that require it. (V-72873) (CCI: 001310) (Rule ID: SV-87525r1_rule)",
"script": "#!/bin/bash\necho \"Review PostgreSQL source code (trigger procedures, functions) and application source code, to identify cases of dynamic code execution. Any user input should be handled through prepared statements.\"\nexit 1",
"severity": "high"
}
]
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72875",
"previousName": "",
"_id": 9063,
"title": "PostgreSQL and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack. (V-72875) (CCI: 001310) (Rule ID: SV-87527r1_rule)",
"script": "#!/bin/bash\necho \"Review PostgreSQL source code (trigger procedures, functions) and application source code to identify cases of dynamic code execution. \"\nexit 1",
"severity": "high"
}
]
[
{
"modified": "2020-10-08T11:45:54Z",
"owner": "admin",
"name": "PostgreSQL v9 V-72877",
"previousName": "",
"_id": 9065,
"title": "PostgreSQL must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. (V-72877) (CCI: 001849) (Rule ID: SV-87529r1_rule)",
"script": "#!/bin/bash\necho \"Investigate if there have been any incidents where audit log space has been depleted.\"\nexit 1",
"severity": "high"
}
]