

Automated ingestion of profiles
Signed-off-by: MITRE SAF <[email protected]>
MITRE SAF committed Dec 22, 2023
1 parent b2f1074 commit 80ae036
Showing 2 changed files with 7 additions and 7 deletions.
Expand Up @@ -2828,7 +2828,7 @@
"CM-7 a"
]
},
"code": "control 'V-233592' do\n title 'Unused database components, PostgreSQL software, and database objects must be removed.'\n desc 'Information systems are capable of providing a wide variety of functions and services. Some of the\n\tfunctions and services, provided by default, may not be necessary to support essential organizational operations\n\t(e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or\nmission objectives.\n\nPostgreSQL must adhere to the principles of least functionality by providing only essential capabilities.'\n desc 'check', %q(To get a list of all extensions installed, use the following commands:\n\n$ sudo su - postgres\n$ psql -c \"select * from pg_extension where extname != 'plpgsql'\"\n\nIf any extensions exist that are not approved, this is a finding.)\n desc 'fix', 'To remove extensions, use the following commands:\n\n$ sudo su - postgres\n$ psql -c \"DROP EXTENSION <extension_name>\"\n\nNote: It is recommended that plpgsql not be removed.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000141-DB-000091'\n tag gid: 'V-233592'\n tag rid: 'SV-233592r607001_rule'\n tag stig_id: 'CD12-00-008900'\n tag fix_id: 'F-36751r607000_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n sql = postgres_session(input('pg_dba'), input('pg_dba_password'), input('pg_host'), input('pg_port'))\n\n installed_extensions = sql.query('select extname from pg_extension where extname != \\'plpgsql\\';').lines\n\n if installed_extensions.empty?\n describe 'The list of installed extensions' do\n subject { installed_extensions }\n it { should be_empty }\n end\n else\n installed_extensions.each do |extension|\n describe \"The installed extension: #{extension}\" do\n subject { extension }\n it { should be_in input('approved_ext') }\n end\n end\n end\nend\n",
"code": "control 'V-233592' do\n title 'Unused database components, PostgreSQL software, and database objects must be removed.'\n desc 'Information systems are capable of providing a wide variety of functions and services. Some of the\n\tfunctions and services, provided by default, may not be necessary to support essential organizational operations\n\t(e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or\nmission objectives.\n\nPostgreSQL must adhere to the principles of least functionality by providing only essential capabilities.'\n desc 'check', %q(To get a list of all extensions installed, use the following commands:\n\n$ sudo su - postgres\n$ psql -c \"select * from pg_extension where extname != 'plpgsql'\"\n\nIf any extensions exist that are not approved, this is a finding.)\n desc 'fix', 'To remove extensions, use the following commands:\n\n$ sudo su - postgres\n$ psql -c \"DROP EXTENSION <extension_name>\"\n\nNote: It is recommended that plpgsql not be removed.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000141-DB-000091'\n tag gid: 'V-233592'\n tag rid: 'SV-233592r607001_rule'\n tag stig_id: 'CD12-00-008900'\n tag fix_id: 'F-36751r607000_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n sql = postgres_session(input('pg_dba'), input('pg_dba_password'), input('pg_host'), input('pg_port'))\n\n installed_extensions = sql.query(\"select extname from pg_extension where extname != 'plpgsql';\").lines\n\n if installed_extensions.empty?\n describe 'The list of installed extensions' do\n subject { installed_extensions }\n it { should be_empty }\n end\n else\n installed_extensions.each do |extension|\n describe \"The installed extension: #{extension}\" do\n subject { extension }\n it { should be_in input('approved_ext') }\n end\n end\n end\nend\n",
"source_location": {
"ref": "crunchy-data-postgresql-stig-baseline-main/controls/V-233592.rb",
"line": 1
Expand Down Expand Up @@ -2945,8 +2945,8 @@
"desc": "The DoD standard for authentication is DoD-approved PKI certificates.\n\nAuthentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate,\nand requires Authorizing Official (AO) approval.\n\nIn such cases, database passwords stored in clear text, using reversible encryption, or using unsalted hashes would\nbe vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes\nwhen stored internally or externally to PostgreSQL.",
"descriptions": {
"default": "The DoD standard for authentication is DoD-approved PKI certificates.\n\nAuthentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate,\nand requires Authorizing Official (AO) approval.\n\nIn such cases, database passwords stored in clear text, using reversible encryption, or using unsalted hashes would\nbe vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes\nwhen stored internally or externally to PostgreSQL.",
"check": "To check if password encryption is enabled, as the database\n administrator (shown here as \"postgres\"), run the following SQL:\n $ psql -c \"SHOW password_encryption\"",
"fix": "Set password_encryption to 'on' or 'true'"
"check": "Note: The following instructions use the PGVER environment variables. See supplementary content\n\tAPPENDIX-H for PGVER.\n\nTo check if password encryption is enabled, as the database administrator (shown here as \"postgres\"), run the\nfollowing SQL:\n\n$ sudo su - postgres\n$ psql -c \"SHOW password_encryption\"\n\nIf password_encryption is not \"scram-sha-256\", this is a finding.\n\nNext, to identify if any passwords have been stored without being hashed and salted, as the database administrator\n(shown here as \"postgres\"), run the following SQL:\n\n$ sudo su - postgres\n$ psql -x -c \"SELECT usename, passwd FROM pg_shadow WHERE passwd IS NULL AND passwd NOT LIKE 'SCRAM-SHA-256%';\"\n\nIf any password is in plaintext, this is a finding.",
"fix": "Note: The following instructions use the PGDATA and PGVER environment variables. See\n\tsupplementary content APPENDIX-F for instructions on configuring PGDATA and APPENDIX-H for PGVER.\n\nTo enable password_encryption, as the database administrator, edit postgresql.conf:\n\n\n$ sudo su - postgres\n$ vi ${PGDATA?}/postgresql.conf\npassword_encryption = 'scram-sha-256'\n\nInstitute a policy of not using the \"WITH UNENCRYPTED PASSWORD\" option with the CREATE ROLE/USER and ALTER\nROLE/USER commands. (This option overrides the setting of the password_encryption configuration parameter).\n\nAs the system administrator, restart the server with the new configuration:\n\n# SYSTEMD SERVER ONLY\n$ sudo systemctl restart postgresql-${PGVER?}"
},
"impact": 0.7,
"refs": [
Expand All @@ -2968,7 +2968,7 @@
"IA-5 (1) (c)"
]
},
"code": " control 'V-233596' do\n desc 'check', \"To check if password encryption is enabled, as the database\n administrator (shown here as \\\"postgres\\\"), run the following SQL:\n $ psql -c \\\"SHOW password_encryption\\\" \"\n\n desc 'fix', \"Set password_encryption to 'on' or 'true'\"\n\n pg_dba = input('pg_dba')\n\n pg_dba_password = input('pg_dba_password')\n\n pg_db = input('pg_db')\n\n pg_host = input('pg_host')\n\n sql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\n\n describe sql.query('SHOW password_encryption;', [pg_db]) do\n its('output') { should match /on|true/i }\n end\n end\n",
"code": " control 'V-233596' do\n pg_dba = input('pg_dba')\n\n pg_dba_password = input('pg_dba_password')\n\n pg_db = input('pg_db')\n\n pg_host = input('pg_host')\n\n sql = postgres_session(pg_dba, pg_dba_password, pg_host, input('pg_port'))\n\n describe sql.query('SHOW password_encryption;', [pg_db]) do\n its('output') { should match /on|true|scram-sha-256/i }\n end\n end\n",
"source_location": {
"ref": "crunchy-data-postgresql-stig-baseline-main/controls/V-233596.rb",
"line": 1
Expand Down Expand Up @@ -4692,7 +4692,7 @@
"id": "crunchy-data-postgresql-stig-baseline-main/controls/V-233623.rb"
}
],
"sha256": "71c3098391ce286352e89c46714967d299865ba105cbaa8bd3a9f7b8d148a6f4",
"sha256": "8e30455e1bdabfa29e2f30232bf0dc17d7d1266b546b8046ba2b26c9b4bc864a",
"status_message": "",
"status": "loaded",
"generator": {
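Review bot: The new match in the V-233596 code on L41, `its('output') { should match /on|true|scram-sha-256/i }`, still accepts `on` and `true`, although the updated check text in the same section states that any value other than "scram-sha-256" is a finding; on recent PostgreSQL releases `on` appears to select the legacy md5 method (or is rejected outright), so the control would pass a configuration the STIG text treats as a finding. Tightening it to `its('output') { should match(/scram-sha-256/i) }` aligns the test with the check. The second half of the new check text (the pg_shadow query for passwords not prefixed with SCRAM-SHA-256) has no corresponding describe block in the code, and its predicate `passwd IS NULL AND passwd NOT LIKE 'SCRAM-SHA-256%'` can never be true for a single row, which suggests `OR` was intended. Because this file is an ingested profile export, the fix belongs in the upstream `crunchy-data-postgresql-stig-baseline-main/controls/V-233596.rb` named in source_location, with the JSON regenerated afterwards.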
Expand Up @@ -939,7 +939,7 @@
"CM-7 a"
]
},
"code": "control 'V-233592' do\n title 'Unused database components, PostgreSQL software, and database objects must be removed.'\n desc 'Information systems are capable of providing a wide variety of functions and services. Some of the\n\tfunctions and services, provided by default, may not be necessary to support essential organizational operations\n\t(e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or\nmission objectives.\n\nPostgreSQL must adhere to the principles of least functionality by providing only essential capabilities.'\n desc 'check', %q(To get a list of all extensions installed, use the following commands:\n\n$ sudo su - postgres\n$ psql -c \"select * from pg_extension where extname != 'plpgsql'\"\n\nIf any extensions exist that are not approved, this is a finding.)\n desc 'fix', 'To remove extensions, use the following commands:\n\n$ sudo su - postgres\n$ psql -c \"DROP EXTENSION <extension_name>\"\n\nNote: It is recommended that plpgsql not be removed.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000141-DB-000091'\n tag gid: 'V-233592'\n tag rid: 'SV-233592r607001_rule'\n tag stig_id: 'CD12-00-008900'\n tag fix_id: 'F-36751r607000_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n sql = postgres_session(input('pg_dba'), input('pg_dba_password'), input('pg_host'), input('pg_port'))\n\n installed_extensions = sql.query('select extname from pg_extension where extname != \\'plpgsql\\';').lines\n\n if installed_extensions.empty?\n describe 'The list of installed extensions' do\n subject { installed_extensions }\n it { should be_empty }\n end\n else\n installed_extensions.each do |extension|\n describe \"The installed extension: #{extension}\" do\n subject { extension }\n it { should be_in input('approved_ext') }\n end\n end\n end\nend\n",
"code": "control 'V-233592' do\n title 'Unused database components, PostgreSQL software, and database objects must be removed.'\n desc 'Information systems are capable of providing a wide variety of functions and services. Some of the\n\tfunctions and services, provided by default, may not be necessary to support essential organizational operations\n\t(e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or\nmission objectives.\n\nPostgreSQL must adhere to the principles of least functionality by providing only essential capabilities.'\n desc 'check', %q(To get a list of all extensions installed, use the following commands:\n\n$ sudo su - postgres\n$ psql -c \"select * from pg_extension where extname != 'plpgsql'\"\n\nIf any extensions exist that are not approved, this is a finding.)\n desc 'fix', 'To remove extensions, use the following commands:\n\n$ sudo su - postgres\n$ psql -c \"DROP EXTENSION <extension_name>\"\n\nNote: It is recommended that plpgsql not be removed.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-APP-000141-DB-000091'\n tag gid: 'V-233592'\n tag rid: 'SV-233592r607001_rule'\n tag stig_id: 'CD12-00-008900'\n tag fix_id: 'F-36751r607000_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n sql = postgres_session(input('pg_dba'), input('pg_dba_password'), input('pg_host'), input('pg_port'))\n\n installed_extensions = sql.query(\"select extname from pg_extension where extname != 'plpgsql';\").lines\n\n if installed_extensions.empty?\n describe 'The list of installed extensions' do\n subject { installed_extensions }\n it { should be_empty }\n end\n else\n installed_extensions.each do |extension|\n describe \"The installed extension: #{extension}\" do\n subject { extension }\n it { should be_in input('approved_ext') }\n end\n end\n end\nend\n",
"source_location": {
"ref": "./PostgreSQL STIG/controls/V-233592.rb",
"line": 1
Expand Down Expand Up @@ -4325,7 +4325,7 @@
"id": "controls/V-233591.rb"
}
],
"sha256": "006252574f60cf51247e07acfe443b75fbd696540c7d7170a5e841ed6ac3cf66",
"sha256": "e51dd718facd700e817698c44a623b0869282d93510ad64c9c4651c291e5baff",
"status_message": "",
"status": "loaded",
"generator": {

