Automated ingestion of profiles
Signed-off-by: MITRE SAF <[email protected]>
MITRE SAF committed May 21, 2024
1 parent 3bf2e2a commit 4cb586b
Showing 1 changed file with 3 additions and 3 deletions.
Expand Up @@ -1006,7 +1006,7 @@
"CM-5 (6)"
]
},
"code": " control 'V-233539' do\n sql = postgres_session(input('pg_dba'), input('pg_dba_password'), input('pg_host'), input('pg_port'))\n authorized_owners = input('pg_superusers')\n pg_db = input('pg_db')\n pg_owner = input('pg_owner')\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{pg_db}';\"\n databases_query = sql.query(databases_sql, [pg_db])\n databases = databases_query.lines\n types = %w(t s v) # tables, sequences views\n\n databases.each do |database|\n schemas_sql = ''\n functions_sql = ''\n\n if database == 'postgres'\n schemas_sql = 'SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) '\\\n 'FROM pg_catalog.pg_namespace n '\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{pg_owner}' AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin';\"\n functions_sql = 'SELECT n.nspname, p.proname, '\\\n 'pg_catalog.pg_get_userbyid(n.nspowner) '\\\n 'FROM pg_catalog.pg_proc p '\\\n 'LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace '\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{pg_owner}' AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin';\"\n else\n schemas_sql = 'SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) '\\\n 'FROM pg_catalog.pg_namespace n '\\\n 'WHERE pg_catalog.pg_get_userbyid(n.nspowner) '\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin' \"\\\n \"AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n functions_sql = 'SELECT n.nspname, p.proname, '\\\n 'pg_catalog.pg_get_userbyid(n.nspowner) '\\\n 'FROM pg_catalog.pg_proc p '\\\n 'LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace '\\\n 'WHERE pg_catalog.pg_get_userbyid(n.nspowner) '\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin' \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema';\"\n end\n\n connection_error = 
\"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n 'accepting connections'\n connection_error_regex = Regexp.new(connection_error)\n\n sql_result = sql.query(schemas_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n sql_result = sql.query(functions_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n types.each do |type|\n objects_sql = ''\n\n if database == 'postgres'\n objects_sql = 'SELECT n.nspname, c.relname, c.relkind, '\\\n 'pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c '\\\n 'LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace '\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{pg_owner}' AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin' \"\n \"AND n.nspname !~ '^pg_toast';\"\n else\n objects_sql = 'SELECT n.nspname, c.relname, c.relkind, '\\\n 'pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c '\\\n 'LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace '\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n 'AND pg_catalog.pg_get_userbyid(n.nspowner) '\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin' \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'\"\\\n \" AND n.nspname !~ '^pg_toast';\"\n end\n\n sql_result = sql.query(objects_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\n end\n end\n",
"code": " control 'V-233539' do\n sql = postgres_session(input('pg_dba'), input('pg_dba_password'), input('pg_host'), input('pg_port'))\n authorized_owners = input('rds_superusers')\n pg_db = input('pg_db')\n pg_owner = input('pg_owner')\n\n databases_sql = \"SELECT datname FROM pg_catalog.pg_database where datname = '#{pg_db}';\"\n databases_query = sql.query(databases_sql, [pg_db])\n databases = databases_query.lines\n types = %w(t s v) # tables, sequences views\n\n databases.each do |database|\n schemas_sql = ''\n functions_sql = ''\n\n if database == 'postgres'\n schemas_sql = 'SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) '\\\n 'FROM pg_catalog.pg_namespace n '\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{pg_owner}' AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin';\"\n functions_sql = 'SELECT n.nspname, p.proname, '\\\n 'pg_catalog.pg_get_userbyid(n.nspowner) '\\\n 'FROM pg_catalog.pg_proc p '\\\n 'LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace '\\\n \"WHERE pg_catalog.pg_get_userbyid(n.nspowner) <> '#{pg_owner}' AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin';\"\n else\n schemas_sql = 'SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) '\\\n 'FROM pg_catalog.pg_namespace n '\\\n 'WHERE pg_catalog.pg_get_userbyid(n.nspowner) '\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin' \"\\\n \"AND n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n functions_sql = 'SELECT n.nspname, p.proname, '\\\n 'pg_catalog.pg_get_userbyid(n.nspowner) '\\\n 'FROM pg_catalog.pg_proc p '\\\n 'LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace '\\\n 'WHERE pg_catalog.pg_get_userbyid(n.nspowner) '\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin' \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema';\"\n end\n\n connection_error = 
\"FATAL:\\\\s+database \\\"#{database}\\\" is not currently \"\\\n 'accepting connections'\n connection_error_regex = Regexp.new(connection_error)\n\n sql_result = sql.query(schemas_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n sql_result = sql.query(functions_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n\n types.each do |type|\n objects_sql = ''\n\n if database == 'postgres'\n objects_sql = 'SELECT n.nspname, c.relname, c.relkind, '\\\n 'pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c '\\\n 'LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace '\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n \"AND pg_catalog.pg_get_userbyid(n.nspowner) <> '#{pg_owner}' AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin' \"\n \"AND n.nspname !~ '^pg_toast';\"\n else\n objects_sql = 'SELECT n.nspname, c.relname, c.relkind, '\\\n 'pg_catalog.pg_get_userbyid(n.nspowner) FROM pg_catalog.pg_class c '\\\n 'LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace '\\\n \"WHERE c.relkind IN ('#{type}','s','') \"\\\n 'AND pg_catalog.pg_get_userbyid(n.nspowner) '\\\n \"NOT IN (#{authorized_owners.map { |e| \"'#{e}'\" }.join(',')}) AND pg_catalog.pg_get_userbyid(n.nspowner) <> 'rdsadmin' \"\\\n \"AND n.nspname <> 'pg_catalog' AND n.nspname <> 'information_schema'\"\\\n \" AND n.nspname !~ '^pg_toast';\"\n end\n\n sql_result = sql.query(objects_sql, [database])\n\n describe.one do\n describe sql_result do\n its('output') { should eq '' }\n end\n\n describe sql_result do\n it { should match connection_error_regex }\n end\n end\n end\n end\n end\n",
"source_location": {
"ref": "crunchy-data-postgresql-stig-baseline-main/controls/V-233539.rb",
"line": 1
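Review bot: The new `authorized_owners = input('rds_superusers')` read is interpolated straight into the `NOT IN (...)` clause through `authorized_owners.map { |e| "'#{e}'" }.join(',')`, so an undeclared or empty input produces `NOT IN ()`, which PostgreSQL rejects, and the `describe.one` then reports a SQL error instead of a readable finding; a value containing a single quote likewise breaks the statement. A guard right after the assignment, `raise 'rds_superusers input must be a non-empty list' if Array(authorized_owners).empty?`, and quoting each owner with `e.gsub("'", "''")` would make the control fail clearly rather than opaquely. Which of the two printed copies of the `code` value is the new side is inferred from the commit title, since the rendered page has lost the +/- markers. The enclosing JSON object for this control starts and ends outside the hunk.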
Expand Down Expand Up @@ -3005,7 +3005,7 @@
"CM-5 (1) (a)"
]
},
"code": " control 'V-233597' do\n desc 'check', \"To list all the permissions of individual roles, as the database\n administrator (shown here as \\\"postgres\\\"), run the following SQL:\n $ psql -c \\\"\\\\du\n If any role has SUPERUSER that should not, this is a finding.\n Next, list all the permissions of databases and schemas by running the following SQL:\n $ psql -c \\\"\\\\l\\\"\n $ psql -c \\\"\\\\dn+\\\"\n If any database or schema has update (\\\"W\\\") or create (\\\"C\\\") privileges and should\n not, this is a finding.\"\n desc 'fix', \"Configure PostgreSQL to enforce access restrictions associated with\n changes to the configuration of PostgreSQL or database(s).\n Use ALTER ROLE to remove accesses from roles:\n $ psql -c \\\"ALTER ROLE <role_name> NOSUPERUSER\\\"\n Use REVOKE to remove privileges from databases and schemas:\n $ psql -c \\\"REVOKE ALL PRIVILEGES ON <table> FROM <role_name>;\"\n\n sql = postgres_session(input('pg_dba'), input('pg_dba_password'), input('pg_host'), input('pg_port'))\n\n pg_superusers = input('pg_superusers')\n pg_db = input('pg_db')\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [pg_db])\n roles = roles_query.lines\n\n roles.each do |role|\n next if pg_superusers.include?(role)\n superuser_sql = 'SELECT r.rolsuper FROM pg_catalog.pg_roles r '\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [pg_db]) do\n its('output') { should_not eq 't' }\n end\n end\n\n authorized_owners = pg_superusers\n owners = authorized_owners.join('|')\n\n database_granted_privileges = 'CTc'\n database_public_privileges = 'c'\n database_acl = \"^((((#{owners})=[#{database_granted_privileges}]+|\"\\\n \"=[#{database_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n database_acl_regex = Regexp.new(database_acl)\n\n schema_granted_privileges = 'UC'\n schema_public_privileges = 'U'\n schema_acl = \"^((((#{owners})=[#{schema_granted_privileges}]+|\"\\\n 
\"=[#{schema_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n schema_acl_regex = Regexp.new(schema_acl)\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate AND datname != \\'rdsadmin\\';'\n databases_query = sql.query(databases_sql, [pg_db])\n databases = databases_query.lines\n\n databases.each do |database|\n datacl_sql = \"SELECT pg_catalog.array_to_string(datacl, E','), datname \"\\\n \"FROM pg_catalog.pg_database WHERE datname = '#{database}';\"\n\n describe sql.query(datacl_sql, [pg_db]) do\n its('output') { should match database_acl_regex }\n end\n\n schemas_sql = 'SELECT n.nspname, FROM pg_catalog.pg_namespace n '\\\n \"WHERE n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n schemas_query = sql.query(schemas_sql, [database])\n # Handle connection disabled on database\n next unless schemas_query.methods.include?(:output)\n schemas = schemas_query.lines\n\n schemas.each do |schema|\n nspacl_sql = \"SELECT pg_catalog.array_to_string(n.nspacl, E','), \"\\\n 'n.nspname FROM pg_catalog.pg_namespace n '\\\n \"WHERE n.nspname = '#{schema}';\"\n\n describe sql.query(nspacl_sql) do\n its('output') { should match schema_acl_regex }\n end\n end\n end\n end\n",
"code": " control 'V-233597' do\n desc 'check', \"To list all the permissions of individual roles, as the database\n administrator (shown here as \\\"postgres\\\"), run the following SQL:\n $ psql -c \\\"\\\\du\n If any role has SUPERUSER that should not, this is a finding.\n Next, list all the permissions of databases and schemas by running the following SQL:\n $ psql -c \\\"\\\\l\\\"\n $ psql -c \\\"\\\\dn+\\\"\n If any database or schema has update (\\\"W\\\") or create (\\\"C\\\") privileges and should\n not, this is a finding.\"\n desc 'fix', \"Configure PostgreSQL to enforce access restrictions associated with\n changes to the configuration of PostgreSQL or database(s).\n Use ALTER ROLE to remove accesses from roles:\n $ psql -c \\\"ALTER ROLE <role_name> NOSUPERUSER\\\"\n Use REVOKE to remove privileges from databases and schemas:\n $ psql -c \\\"REVOKE ALL PRIVILEGES ON <table> FROM <role_name>;\"\n\n sql = postgres_session(input('pg_dba'), input('pg_dba_password'), input('pg_host'), input('pg_port'))\n\n pg_superusers = input('pg_superusers')\n authorized_owners = input('rds_superusers')\n owners = authorized_owners.join('|')\n pg_db = input('pg_db')\n\n roles_sql = 'SELECT r.rolname FROM pg_catalog.pg_roles r;'\n roles_query = sql.query(roles_sql, [pg_db])\n roles = roles_query.lines\n\n roles.each do |role|\n next if pg_superusers.include?(role)\n superuser_sql = 'SELECT r.rolsuper FROM pg_catalog.pg_roles r '\\\n \"WHERE r.rolname = '#{role}';\"\n\n describe sql.query(superuser_sql, [pg_db]) do\n its('output') { should_not eq 't' }\n end\n end\n\n database_granted_privileges = 'CTc'\n database_public_privileges = 'c'\n database_acl = \"^((((#{owners})=[#{database_granted_privileges}]+|\"\\\n \"=[#{database_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n database_acl_regex = Regexp.new(database_acl)\n\n schema_granted_privileges = 'UC'\n schema_public_privileges = 'U'\n schema_acl = \"^((((#{owners})=[#{schema_granted_privileges}]+|\"\\\n 
\"=[#{schema_public_privileges}]+)\\/\\\\w+,?)+|)\\\\|\"\n schema_acl_regex = Regexp.new(schema_acl)\n\n databases_sql = 'SELECT datname FROM pg_catalog.pg_database where not datistemplate AND datname != \\'rdsadmin\\';'\n databases_query = sql.query(databases_sql, [pg_db])\n databases = databases_query.lines\n\n databases.each do |database|\n datacl_sql = \"SELECT pg_catalog.array_to_string(datacl, E','), datname \"\\\n \"FROM pg_catalog.pg_database WHERE datname = '#{database}';\"\n\n describe sql.query(datacl_sql, [pg_db]) do\n its('output') { should match database_acl_regex }\n end\n\n schemas_sql = 'SELECT n.nspname, FROM pg_catalog.pg_namespace n '\\\n \"WHERE n.nspname !~ '^pg_' AND n.nspname <> 'information_schema';\"\n schemas_query = sql.query(schemas_sql, [database])\n # Handle connection disabled on database\n next unless schemas_query.methods.include?(:output)\n schemas = schemas_query.lines\n\n schemas.each do |schema|\n nspacl_sql = \"SELECT pg_catalog.array_to_string(n.nspacl, E','), \"\\\n 'n.nspname FROM pg_catalog.pg_namespace n '\\\n \"WHERE n.nspname = '#{schema}';\"\n\n describe sql.query(nspacl_sql) do\n its('output') { should match schema_acl_regex }\n end\n end\n end\n end\n",
"source_location": {
"ref": "crunchy-data-postgresql-stig-baseline-main/controls/V-233597.rb",
"line": 1
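Review bot: The new `owners = authorized_owners.join('|')` is built into `Regexp.new(database_acl)` and `Regexp.new(schema_acl)` without escaping, so a role name containing a regex metacharacter (`.`, `+`, `$`) widens or breaks the ACL pattern; `owners = authorized_owners.map { |o| Regexp.escape(o) }.join('|')` keeps the match literal. This hunk now reads two separate lists, `pg_superusers` for the SUPERUSER check and `rds_superusers` for the ACL owners; if that split is intended, a comment such as `# pg_superusers: roles permitted SUPERUSER; rds_superusers: roles permitted to own databases/schemas` would stop the next maintainer from re-merging them. Unchanged in the hunk, `schemas_sql = 'SELECT n.nspname, FROM pg_catalog.pg_namespace n '` carries a stray comma before FROM that PostgreSQL rejects, so the per-schema ACL checks appear never to run. Which printed copy is the new side is inferred from the commit title; the enclosing JSON object starts and ends outside the hunk.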
Expand Down Expand Up @@ -4733,7 +4733,7 @@
"id": "crunchy-data-postgresql-stig-baseline-main/controls/V-259740.rb"
}
],
"sha256": "dbc28a82fd137e2ac997a9f1a48413c3932311b9625fc62500c044b6119271e9",
"sha256": "cea7f4ba4908b8b91283087aa6e5fcb8d10489cf2c4ad727652c820863a9d7c9",
"status_message": "",
"status": "loaded",
"generator": {
