
How To Audit a PostgreSQL Database with InSpec on Ubuntu 18.04

李良策
2023-12-01


Introduction

InSpec is an open-source, automated testing framework for testing and auditing your system to ensure the compliance of integration, security, and other policy requirements. Developers can test the actual state of their infrastructure and applications against a target state using InSpec code.


To specify the policy requirements you’re testing for, InSpec includes audit controls. Traditionally, developers manually enforce policy requirements and often do this right before deploying changes to production. With InSpec however, developers can continuously evaluate compliance at every stage of product development, which aids in solving issues earlier in the process of development. The InSpec DSL (Domain Specific Language) built on RSpec, a DSL testing tool written in Ruby, specifies the syntax used to write the audit controls.


InSpec also includes a collection of resources to help you test specific parts of your system and to simplify writing audit controls. When you need to check something that no built-in resource covers, you can write your own custom resource. Universal matchers let you compare resource values to expectations across all InSpec tests.

In this tutorial, you’ll install InSpec on a server running Ubuntu 18.04. You will start by writing a test that verifies the operating system family of the server, then you’ll create a PostgreSQL audit profile from the ground up. This audit profile starts by checking that you have PostgreSQL installed on the server and that its services are running. Then you’ll add tests to check that the PostgreSQL service is running with the correct port, address, protocol, and user. Next you’ll test specific PostgreSQL configuration parameters, and finally, you’ll audit client authentication configuration.


Prerequisites

Before following this tutorial, you will need the following:


Step 1 — Preparing the Environment

In this step, you’ll download the InSpec release used in this tutorial (3.7.11) into your home directory and install it. InSpec provides installable packages on its downloads page.

Navigate to your home directory:


  • cd ~


Now download the binary with curl:


  • curl -LO https://packages.chef.io/files/stable/inspec/3.7.11/ubuntu/18.04/inspec_3.7.11-1_amd64.deb

Next, use the sha256sum command to generate a checksum of the downloaded file so you can verify its integrity before installing it. Keep in mind what this does and does not prove: a checksum published on the same site you downloaded from shows that the file arrived intact and matches what the vendor published, but it does not by itself establish the vendor's authenticity; that would require a signature verified against a key obtained through an independent channel.

  • sha256sum inspec_3.7.11-1_amd64.deb


Checksums for each binary are listed on the InSpec downloads page, so visit the downloads page and compare the published value with the output of this command (or pass the published value to sha256sum -c so the tool does the comparison instead of your eyes).


   
   
Output
e665948f9c0441e8648b08f8d3c8d34a86f9e994609877a7e4853c012dbc7523  inspec_3.7.11-1_amd64.deb

If the checksums are different, delete the downloaded file and repeat the download process.


Next, you’ll install the downloaded package with dpkg, the low-level package manager that ships with every Debian-based system, including Ubuntu. The -i flag tells dpkg to install the given package file.

  • sudo dpkg -i inspec_3.7.11-1_amd64.deb


If there are no errors, it means that you’ve installed InSpec successfully. To verify the installation, enter the following command:


  • inspec version


You’ll receive output showing the version of InSpec you just installed:



   
   
Output
3.7.11

If you don’t see a version number displayed, repeat Step 1.

After this, you can delete inspec_3.7.11-1_amd64.deb since you don’t need it anymore as you’ve installed the package:


  • rm inspec_3.7.11-1_amd64.deb


You’ve successfully installed InSpec on your server. In the next step, you will write a test to verify the operating system family of your server.


Step 2 — Completing Your First InSpec Test

In this step, you’ll complete your first InSpec test, which will be testing that your operating system family is debian.


You will use the os resource, which is a built-in InSpec audit resource to test the platform on which the system is running. You’ll also use the eq matcher. The eq matcher is a universal matcher that tests for the exact equality of two values.


An InSpec test consists of a describe block, which contains one or more it and its statements each of which validates one of the resource’s features. Each statement describes an expectation of a specific condition of the system as assertions. Two keywords that you can include to make an assertion are should and should_not, which assert that the condition should be true and false respectively.


Create a file called os_family.rb to hold your test and open it with your text editor:


  • nano os_family.rb


Add the following to your file:


os_family.rb
describe os.family do
  it { should eq 'debian' }
end

This test ensures that the operating system family of the target system is debian. Other possible values are windows, unix, bsd, and so on. You can find a complete list in the os resource documentation. Save and exit the file.


Next, run your test with the following command:


  • inspec exec os_family.rb


The test will pass, and you’ll receive output resembling the following:



   
   
Output
Profile: tests from os_family.rb (tests from os_family.rb)
Version: (not specified)
Target:  local://

  debian
     ✔  should eq "debian"

Test Summary: 1 successful, 0 failures, 0 skipped

In your output, Profile contains the name of the profile that just executed. Since this test is not part of a profile, InSpec generates a default profile name from the test’s file name: tests from os_family.rb. (You’ll work with InSpec profiles in the next section, where you start building your PostgreSQL InSpec profile.) InSpec reports the Version as not specified because versions can only be declared in profiles.

The Target field specifies the target system that the test is executed on, which can be local or a remote system via ssh. In this case, you’ve executed your test on the local system so the target shows local://.


Usefully, the output also displays the executed test with a checkmark symbol (✔) to the left indicating a successful test. The output will show a cross symbol (✘) if the test fails.


Finally, the test summary gives overall details about how many tests were successful, failed, and skipped. In this instance, you had a single successful test.


Now you’ll see what the output looks like for a failed test. Open os_family.rb:


  • nano os_family.rb


In the test you created earlier in this step, you’ll now change the expected value of the operating system family from debian to windows. Your file contents after this will be the following:


os_family.rb
describe os.family do
  it { should eq 'windows' }
end

Save and exit the file.


Next, run the updated test with the following command:


  • inspec exec os_family.rb


You will get output similar to the following:



   
   
Output
Profile: tests from os_family.rb (tests from os_family.rb)
Version: (not specified)
Target:  local://

  debian
     (✘)  should eq "windows"

     expected: "windows"
          got: "debian"

     (compared using ==)

Test Summary: 0 successful, 1 failure, 0 skipped

As expected, the test failed. The output indicates that your expected (windows) and actual (debian) values do not match for the os.family property. The (compared using ==) output indicates that the eq matcher performed a string comparison between the two values to come up with this result.


In this step, you’ve written a successful test that verifies the operating system family of the server. You’ve also created a failed test in order to see what the InSpec output for a failed test looks like. In the next step, you will start building the audit profile to test your PostgreSQL installation.


Step 3 — Auditing Your PostgreSQL Installation

Now, you will audit your PostgreSQL installation. You’ll start by checking that you have PostgreSQL installed and its service is running correctly. Finally, you’ll audit the PostgreSQL system port and process. For your PostgreSQL audit, you will create various InSpec controls, all within an InSpec profile named PostgreSQL.


An InSpec control is a high-level grouping of related tests. Within a control, you can have multiple describe blocks, as well as metadata to describe your tests such as impact level, title, description, and tags. InSpec profiles organize controls to support dependency management and code reuse, which both help manage test complexity. They are also useful for packaging and sharing tests with the public via the Chef Supermarket. You can use profiles to define custom resources that you would implement as regular Ruby classes.


To create an InSpec profile, you will use the init command. Enter this command to create the PostgreSQL profile:


  • inspec init profile PostgreSQL


This creates the profile in a new directory with the same name as your profile, in this case PostgreSQL. Now, move into the new directory:


  • cd PostgreSQL/


The directory structure will look like this:


PostgreSQL/
├── controls
│   └── example.rb
├── inspec.yml
├── libraries
└── README.md

The controls/example.rb file contains a sample control that tests to see if the /tmp folder exists on the target system. This is present only as a sample and you will replace it with your own test.


Your first test will be to ensure that you have the package postgresql-10 installed on your system and that you have the postgresql service installed, enabled, and running.


Rename the controls/example.rb file to controls/postgresql.rb:


  • mv controls/example.rb controls/postgresql.rb


Next, open the file with your text editor:


  • nano controls/postgresql.rb


Replace the content of the file with the following:


controls/postgresql.rb
control '1-audit_installation' do
  impact 1.0
  title 'Audit PostgreSQL Installation'
  desc 'Postgres should be installed and running'

  describe package('postgresql-10') do
    it { should be_installed }
    its('version') { should cmp >= '10' }
  end

  describe service('postgresql@10-main') do
    it { should be_enabled }
    it { should be_installed }
    it { should be_running }
  end
end

In the preceding code block, you begin by defining the control with its name and metadata.


In the first describe block, you use the package resource and pass in the PostgreSQL package name postgresql-10 as a resource argument. The package resource provides the be_installed matcher, which tests that the named package is installed on the system: it returns true if the package is installed and false otherwise. Next, you use an its statement to validate that the version of the installed PostgreSQL package is at least 10. You use cmp instead of eq because a package version string usually carries more than the bare numeric version (on Ubuntu it also includes the Debian revision suffix): eq returns true only on an exact match, while cmp is less restrictive and understands version ordering.

In the second describe block, you use the service resource and pass in the PostgreSQL 10 service name postgresql@10-main as a resource argument. The service resource provides the matchers be_enabled, be_installed, and be_running and they return true if you have the named service installed, enabled, and running on the target system respectively.


Save and exit your file.


Next, you will run your profile. Make sure you’re in the ~/PostgreSQL directory before running the following command:


  • inspec exec .


Since you completed the PostgreSQL prerequisite tutorial, your test will pass. Your output will look similar to the following:



   
   
Output
Profile: InSpec Profile (PostgreSQL)
Version: 0.1.0
Target:  local://

  ✔  1-audit_installation: Audit PostgreSQL Installation
     ✔  System Package postgresql-10 should be installed
     ✔  System Package postgresql-10 version should cmp >= "10"
     ✔  Service postgresql@10-main should be enabled
     ✔  Service postgresql@10-main should be installed
     ✔  Service postgresql@10-main should be running

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 5 successful, 0 failures, 0 skipped

The output indicates that your control was successful. A control is successful if, and only if, all the tests in it are successful. The output also confirms that all your tests were successful.


Now that you’ve verified that the correct version of PostgreSQL is installed and the service is fine, you will create a new control that ensures that PostgreSQL is listening on the correct port, address, and protocol.


For this test, you will also use attributes. An InSpec attribute parameterizes a profile so it can be reused across environments or target systems without editing the controls. You’ll define a port attribute in the profile and read it into a PORT variable in the control file. (In InSpec 4 and later, attributes were renamed inputs: the inspec.yml key is inputs and the control-side call is input(). attribute() still works in those versions but emits a deprecation warning.)

Open the inspec.yml file in your text editor:


  • nano inspec.yml


You’ll append the port attribute to the end of the file. Add the following at the end of your file:


inspec.yml
...
attributes:
  - name: port
    type: string
    default: '5432'

In the preceding code block, you added the port attribute and set it to a default value of 5432 because that is the port PostgreSQL listens on by default.


Save and exit the file. Then run inspec check to verify the profile is still valid since you just edited inspec.yml:


  • inspec check .


If there are no errors, you can proceed. Otherwise, open the inspec.yml file and ensure that the attribute is present at the end of the file.


Now you’ll create the control that checks that the PostgreSQL process is running and configured with the correct user. Open controls/postgresql.rb in your text editor:


  • nano controls/postgresql.rb


Append the following control to the end of your current tests file controls/postgresql.rb:


controls/postgresql.rb
...
PORT = attribute('port')

control '2-audit_address_port' do
  impact 1.0
  title 'Audit Process and Port'
  desc 'Postgres port should be listening and the process should be running'

  describe port(PORT) do
    it { should be_listening }
    its('addresses') { should include '127.0.0.1' }
    its('protocols') { should cmp 'tcp' }
  end

  describe processes('postgres') do
    it { should exist }
    its('users') { should include 'postgres' }
  end

  describe user('postgres') do
    it { should exist }
  end
end

Here you begin by declaring a PORT variable to hold the value of the port profile attribute. Then you declare the control and its metadata.


In the first describe block, you use the port resource to test basic port properties. It provides the be_listening matcher and the addresses and protocols properties. be_listening tests that the named port is listening on the target system: it returns true if port 5432 is listening and false otherwise. addresses lists the addresses the port is bound to, so include '127.0.0.1' checks that PostgreSQL is listening on the loopback address. Note that include tests membership, not exclusivity: if listen_addresses also names a public interface, this test still passes. To assert that PostgreSQL is not reachable from the network, add a should_not include expectation for 0.0.0.0 and the server's public address, or audit the listen_addresses parameter in Step 4. protocols gives the transport the port is listening on, which can be icmp, tcp/tcp6, or udp/udp6; PostgreSQL listens for tcp connections.

In the second describe block, you include the processes resource. You use the processes resource to test properties for programs that are running on the system. First, you verify that the postgres process exists on the system, then you use the users matcher to test that the postgres user owns the postgres process.


In the third describe block, you have the user resource. You include the user resource to test user properties for a user such as whether the user exists or not, the group the user belongs to, and so on. Using this resource, you test that the postgres user exists on the system. Save and exit controls/postgresql.rb.


Next, run your profile with the following command:


  • inspec exec .


The tests will pass, and your output will resemble the following:



   
   
Output
Profile: InSpec Profile (PostgreSQL)
Version: 0.1.0
Target:  local://

  ✔  1-audit_installation: Audit PostgreSQL Installation
     ✔  System Package postgresql-10 should be installed
     ✔  System Package postgresql-10 version should cmp >= "10"
     ✔  Service postgresql@10-main should be enabled
     ✔  Service postgresql@10-main should be installed
     ✔  Service postgresql@10-main should be running
  ✔  2-audit_address_port: Audit Process and Port
     ✔  Port 5432 should be listening
     ✔  Port 5432 addresses should include "127.0.0.1"
     ✔  Port 5432 protocols should cmp == "tcp"
     ✔  Processes postgres should exist
     ✔  Processes postgres users should include "postgres"
     ✔  User postgres should exist

Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
Test Summary: 11 successful, 0 failures, 0 skipped

The output indicates that both of your controls and all of your tests were successful.


In this section, you have created your first InSpec profile and control and used them to organize your tests. You’ve used several InSpec resources to ensure that you have the correct version of PostgreSQL installed, the PostgreSQL service enabled and running correctly, and that the PostgreSQL user exists on the system. With this set up you’re ready to audit your configuration.


Step 4 — Auditing Your PostgreSQL Configuration

In this step, you’ll audit some PostgreSQL configuration values, which will give you a foundation for working with these configuration files, allowing you to audit any PostgreSQL configuration parameters as desired.


Now that you have tests auditing the PostgreSQL installation, you’ll audit your PostgreSQL configuration itself. PostgreSQL has several configuration parameters that you can use to tune it as desired, and these are stored in the configuration file located by default at /etc/postgresql/10/main/postgresql.conf. You could have different requirements regarding PostgreSQL configuration for your various deployments such as logging, password encryption, SSL, and replication strategies — these requirements you specify in the configuration file.


You will be using the postgres_conf resource that tests for specific, named configuration options against expected values in the contents of the PostgreSQL configuration file.


This test will assume some non-default PostgreSQL configuration values that you’ll set manually.


Open the PostgreSQL configuration file in your favorite text editor:


  • sudo nano /etc/postgresql/10/main/postgresql.conf


Set the following configuration values. If the option already exists in the file but is commented out, uncomment it by removing the #, and set the value as provided:


/etc/postgresql/10/main/postgresql.conf
password_encryption = scram-sha-256
logging_collector = on
log_connections = on
log_disconnections = on
log_duration = on

The configuration values you have set:


  • Ensure that passwords set from now on with CREATE ROLE or ALTER ROLE are stored as SCRAM-SHA-256 verifiers instead of salted MD5 hashes. Despite its name, password_encryption selects a hashing scheme, and it only affects passwords set after the change: a role whose password was stored while the setting was md5 keeps its MD5 hash until the password is set again, and such a role cannot log in through a pg_hba.conf rule that requires scram-sha-256.
  • Enable the logging collector, a background process that captures log messages written to standard error (stderr) and redirects them to a log file.
  • Enable logging of each attempted connection to the PostgreSQL server and of successful completion of client authentication.
  • Enable logging of session terminations, including the duration of each session.
  • Enable logging of the duration of every completed statement.

Save and exit the configuration file. Then restart the PostgreSQL service:


  • sudo service postgresql@10-main restart


You’ll test for only a few configuration options, but you can test any PostgreSQL configuration option with the postgres_conf resource.


You will pass in your PostgreSQL configuration directory, which is at /etc/postgresql/10/main, using a new profile attribute, postgres_conf_dir. This configuration directory is not the same across all operating systems and platforms, so by passing it in as a profile attribute, you’ll be making this profile easier to reuse in different environments.


Open your inspec.yml file:


  • nano inspec.yml


Add this new attribute to the attributes section of inspec.yml:


inspec.yml
...
  - name: postgres_conf_dir
    type: string
    default: '/etc/postgresql/10/main'

Save and exit your file. Then run the following command to verify the InSpec profile is still valid because you just edited the inspec.yml:


  • inspec check .


If there are no errors, you can proceed. Otherwise, open the inspec.yml file and ensure that the above lines are present at the end of the file.


Now you will create the control that audits the configuration values you are enforcing. Append the following control to the end of the tests file controls/postgresql.rb:


controls/postgresql.rb
...
POSTGRES_CONF_DIR = attribute('postgres_conf_dir')
POSTGRES_CONF_PATH = File.join(POSTGRES_CONF_DIR, 'postgresql.conf')

control '3-postgresql' do
  impact 1.0
  title 'Audit PostgreSQL Configuration'
  desc 'Audits specific configuration options'

  describe postgres_conf(POSTGRES_CONF_PATH) do
    its('port') { should eq PORT }
    its('password_encryption') { should eq 'scram-sha-256' }
    its('ssl') { should eq 'on' }
    its('logging_collector') { should eq 'on' }
    its('log_connections') { should eq 'on' }
    its('log_disconnections') { should eq 'on' }
    its('log_duration') { should eq 'on' }
  end
end

Here you define two variables:


  • POSTGRES_CONF_DIR holds the postgres_conf_dir attribute as defined in the profile configuration.
  • POSTGRES_CONF_PATH holds the absolute path of the configuration file, built by joining the configuration directory and the file name with File.join.

Next, you define the control with its name and metadata. Then you use the postgres_conf resource together with the eq matcher to ensure that the configuration options hold the values you require. Two of the expectations cover settings you did not edit in this step: port is compared against the port attribute, and ssl is expected to be on because the Debian/Ubuntu packaging enables ssl = on in every cluster it creates, pointing at the self-signed "snakeoil" certificate from the ssl-cert package, which is why the test passes without your having set it. In production you would extend this control with expectations for ssl_cert_file and ssl_key_file so that it also verifies a certificate you actually trust. Save and exit controls/postgresql.rb.

Next, you will run the test with the following command:


  • inspec exec .


The tests will pass, and your outputs will resemble the following:



   
   
Output
Profile: InSpec Profile (PostgreSQL)
Version: 0.1.0
Target:  local://

  ✔  1-audit_installation: Audit PostgreSQL Installation
     ✔  System Package postgresql-10 should be installed
     ✔  System Package postgresql-10 version should cmp >= "10"
     ✔  Service postgresql@10-main should be enabled
     ✔  Service postgresql@10-main should be installed
     ✔  Service postgresql@10-main should be running
  ✔  2-audit_address_port: Audit Process and Port
     ✔  Port 5432 should be listening
     ✔  Port 5432 addresses should include "127.0.0.1"
     ✔  Port 5432 protocols should cmp == "tcp"
     ✔  Processes postgres should exist
     ✔  Processes postgres users should include "postgres"
     ✔  User postgres should exist
  ✔  3-postgresql: Audit PostgreSQL Configuration
     ✔  PostgreSQL Configuration port should eq "5432"
     ✔  PostgreSQL Configuration password_encryption should eq "scram-sha-256"
     ✔  PostgreSQL Configuration ssl should eq "on"
     ✔  PostgreSQL Configuration logging_collector should eq "on"
     ✔  PostgreSQL Configuration log_connections should eq "on"
     ✔  PostgreSQL Configuration log_disconnections should eq "on"
     ✔  PostgreSQL Configuration log_duration should eq "on"

Profile Summary: 3 successful controls, 0 control failures, 0 controls skipped
Test Summary: 18 successful, 0 failures, 0 skipped

The output indicates that your three controls and all your tests were successful without any skipped tests or controls.


In this step, you’ve added a new InSpec control that tests specific PostgreSQL configuration values from the configuration file using the postgres_conf resource. You audited a few values in this section, but you can use it to test any configuration option from the configuration file.

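To make the parsing rules behind a postgres_conf check visible and testable offline, here is an added example in plain Ruby; it is not part of the tutorial and not InSpec code. It parses a postgresql.conf the way the PostgreSQL manual describes the format (an optional =, # comments outside quotes, single-quoted values, last assignment wins) and compares the result with the policy this step enforces. The configuration text is a constructed sample, not a real server's file, and the parser assumes a single file with no include directives. Unlike a plain string eq, it treats the boolean spellings PostgreSQL accepts (on/off, true/false, yes/no, 1/0) as equivalent, and it reports a commented-out parameter as unset instead of letting it pass on the compiled-in default, which for password_encryption in PostgreSQL 10 is md5.

```ruby
# Added example (not from the tutorial or from InSpec): a stand-alone audit of
# postgresql.conf against the policy enforced in this step.
#
# postgresql.conf syntax handled (PostgreSQL manual, "Parameter Names and Values"):
#   name = value        the '=' is optional ("name value" also works)
#   # comment           anywhere outside a quoted value
#   'quoted value'      single quotes, with '' as an escaped quote
#   later assignments of the same name override earlier ones
# Assumptions: one file, no "include"/"include_dir" directives, full boolean
# spellings only (PostgreSQL also accepts unambiguous prefixes such as "of").

# Cut a line at the first '#' that is not inside a single-quoted string.
def strip_conf_comment(line)
  in_quote = false
  line.each_char.with_index do |c, i|
    in_quote = !in_quote if c == "'"          # a doubled '' toggles twice, so stays inside
    return line[0...i] if c == '#' && !in_quote
  end
  line
end

# Parse configuration text into a Hash of lower-cased name => unquoted value.
def parse_postgresql_conf(text)
  settings = {}
  text.each_line do |raw|
    line = strip_conf_comment(raw).strip
    next if line.empty?
    m = line.match(/\A([A-Za-z_][A-Za-z0-9_.]*)\s*=?\s*(.+)\z/)
    next unless m                              # not "name [=] value": ignore
    name, value = m[1].downcase, m[2].strip
    if value.length >= 2 && value.start_with?("'") && value.end_with?("'")
      value = value[1..-2].gsub("''", "'")     # unquote and unescape
    end
    settings[name] = value                     # last assignment wins
  end
  settings
end

# Map PostgreSQL's accepted boolean spellings onto 'on'/'off'; other values unchanged.
def normalise_conf_value(value)
  case value.downcase
  when 'on', 'true', 'yes', '1' then 'on'
  when 'off', 'false', 'no', '0' then 'off'
  else value
  end
end

# The expectations from the postgres_conf control in this step (port is left to
# the profile attribute and is not part of this policy).
POSTGRESQL_CONF_POLICY = {
  'password_encryption' => 'scram-sha-256',
  'ssl'                 => 'on',
  'logging_collector'   => 'on',
  'log_connections'     => 'on',
  'log_disconnections'  => 'on',
  'log_duration'        => 'on',
}.freeze

# Return { name => [expected, actual] } for every parameter that fails the
# policy. An unset parameter is a failure with actual = nil: the compiled-in
# default is not assumed to be the secure one (password_encryption defaults to
# md5 in PostgreSQL 10).
def audit_postgresql_conf(text, policy = POSTGRESQL_CONF_POLICY)
  settings = parse_postgresql_conf(text)
  policy.each_with_object({}) do |(name, expected), failures|
    actual = settings[name]
    passed = !actual.nil? &&
             normalise_conf_value(actual) == normalise_conf_value(expected)
    failures[name] = [expected, actual] unless passed
  end
end

# Constructed sample, not a real server's file: two weak settings, one
# commented-out setting, and a '#' inside a quoted value.
SAMPLE_POSTGRESQL_CONF = <<~CONF
  # constructed postgresql.conf excerpt
  port = 5432                     # trailing comment
  password_encryption = md5       # weak: policy wants scram-sha-256
  ssl = on
  #logging_collector = on         # commented out, so effectively unset
  log_connections = yes           # alternative spelling of 'on'
  log_disconnections = on
  log_line_prefix = '%m [%p] #'   # the '#' in quotes is not a comment
  log_duration = off
CONF

if $PROGRAM_NAME == __FILE__
  audit_postgresql_conf(SAMPLE_POSTGRESQL_CONF).each do |name, (expected, actual)|
    puts "FAIL #{name}: expected #{expected.inspect}, got #{actual.inspect}"
  end
end
```

Run against the sample, audit_postgresql_conf reports password_encryption (md5), logging_collector (unset) and log_duration (off), and accepts log_connections = yes. The same normalisation is worth keeping in mind when you write postgres_conf expectations with eq: a setting written as yes or 1 is valid to PostgreSQL but would fail an eq 'on' check.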

Step 5 — Auditing PostgreSQL Client Authentication

Now that you’ve written some tests for your PostgreSQL configuration, you’ll write some tests for client authentication. This is important for installations that need to ensure specific authentication methods for different kinds of users; for example, to ensure clients connecting to PostgreSQL locally always need to authenticate with a password, or to reject connections from a specific IP address or IP address range, and so on.


An important configuration for PostgreSQL installations where security is a concern is to allow only authentication methods that verify a password without ever sending it in clear. PostgreSQL 10 supports two password-hashing methods for client authentication: md5 and scram-sha-256 (by contrast, the password method sends the password in clear text and trust performs no authentication at all). This test will require one of the two for all clients, so the METHOD field of every rule in the client authentication file must be set to either md5 or scram-sha-256. For these tests, you will use scram-sha-256, since it is more secure than md5: an MD5 verifier is salted only with the role name, and anyone who obtains the stored hash can use it directly to authenticate, whereas SCRAM-SHA-256 uses a random per-role salt and a challenge-response in which the stored verifier alone is not enough to log in. Bear in mind that scram-sha-256 needs clients built against libpq 10 or later, or drivers that implement SCRAM themselves; older clients can only do md5, so check your client versions before enforcing it.

By default, local clients have their peer authentication method in the pg_hba.conf file. For the test, you need to change these to scram-sha-256. Open the /etc/postgresql/10/main/pg_hba.conf file:


  • sudo nano /etc/postgresql/10/main/pg_hba.conf

The top of the file contains comments. Scroll down and look for uncommented lines where the authentication type is local, and change the authentication method from peer to scram-sha-256. For example, change:


/etc/postgresql/10/main/pg_hba.conf
...
local   all             postgres                                peer
...

to:


/etc/postgresql/10/main/pg_hba.conf
...
local   all             postgres                                scram-sha-256
...

At the end, your pg_hba.conf configuration will resemble the following:


/etc/postgresql/10/main/pg_hba.conf
...
local   all             postgres                                scram-sha-256

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     scram-sha-256
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
# IPv6 local connections:
host    all             all             ::1/128                 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     scram-sha-256
host    replication     all             127.0.0.1/32            scram-sha-256
host    replication     all             ::1/128                 scram-sha-256
...

Save and exit the configuration file. Then restart the PostgreSQL service:


  • sudo service postgresql@10-main restart

For this test, you’ll use the postgres_hba_conf resource. This resource is used to test the client authentication data defined in the pg_hba.conf file. You’ll pass in the path of your pg_hba.conf file as a parameter to this resource.


Your control will consist of two describe blocks that check the auth_method fields for both local and host clients respectively to ensure that they are both equal to scram-sha-256. Open controls/postgresql.rb in your text editor:


  • nano controls/postgresql.rb

Append the following control to the end of the test file controls/postgresql.rb:


controls/postgresql.rb
POSTGRES_HBA_CONF_FILE = File.join(POSTGRES_CONF_DIR, 'pg_hba.conf')

control '4-postgres_hba' do
  impact 1.0
  title 'Require SCRAM-SHA-256 for ALL users, peers in pg_hba.conf'
  desc 'Require SCRAM-SHA-256 for ALL users, peers in pg_hba.conf. Do not allow untrusted authentication methods.'

  describe postgres_hba_conf(POSTGRES_HBA_CONF_FILE).where { type == 'local' } do
    its('auth_method') { should all eq 'scram-sha-256' }
  end

  describe postgres_hba_conf(POSTGRES_HBA_CONF_FILE).where { type == 'host' } do
    its('auth_method') { should all eq 'scram-sha-256' }
  end
end

In this code block, you define a new variable POSTGRES_HBA_CONF_FILE to store the absolute location of your pg_hba.conf file. File.join is a Ruby method to concatenate two file path segments with /. You use it here to join the POSTGRES_CONF_DIR variable, declared in the previous section, with the PostgreSQL configuration file pg_hba.conf. This will produce an absolute file path of the pg_hba.conf file and store it in the POSTGRES_HBA_CONF_FILE variable.


After that, you declare and configure the control and its metadata. The first describe block checks that all configuration entries where the client type is local also have scram-sha-256 as their authentication methods. The second describe block does the same for cases where the client type is host. Save and exit controls/postgresql.rb.
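The following is an added example, not part of the tutorial or of InSpec itself: a plain-Ruby check that mirrors what control 4-postgres_hba asserts, so you can see what the postgres_hba_conf resource is evaluating without InSpec installed. The pg_hba.conf text is constructed inline and deliberately leaves one local entry on peer and one host entry on md5; the parser assumes the standard column layout (ADDRESS either as CIDR or as address plus netmask, optional key=value options).

```ruby
# Added example (not the tutorial's code): plain-Ruby equivalent of the
# pg_hba.conf checks that control '4-postgres_hba' performs with InSpec.
REQUIRED_METHOD = 'scram-sha-256'.freeze

# Parse pg_hba.conf text into an array of hashes with keys
# :type, :database, :user, :address, :auth_method.
# 'local' lines carry no ADDRESS column; host* lines carry one, either as
# CIDR (127.0.0.1/32) or as two fields (address netmask).
def parse_pg_hba(text)
  text.each_line.map do |raw|
    line = raw.sub(/#.*/, '').strip          # strip comments and whitespace
    next if line.empty?                      # skip blank/comment-only lines
    type, database, user, *rest = line.split
    if type == 'local'
      address, auth_method = nil, rest[0]    # local: DATABASE USER METHOD [OPTIONS]
    elsif rest.size >= 3 && !rest[2].include?('=')
      address, auth_method = "#{rest[0]} #{rest[1]}", rest[2]  # address + netmask form
    else
      address, auth_method = rest[0], rest[1]                  # CIDR form
    end
    { type: type, database: database, user: user,
      address: address, auth_method: auth_method }
  end.compact
end

# Return entries of the given TYPEs whose METHOD is not the required one;
# an empty array means the file passes the same check as the InSpec control.
def weak_hba_entries(text, types: %w[local host], required: REQUIRED_METHOD)
  parse_pg_hba(text).select do |e|
    types.include?(e[:type]) && e[:auth_method] != required
  end
end

# Constructed sample resembling the tutorial's pg_hba.conf, with two
# entries intentionally left on weaker methods.
SAMPLE_PG_HBA = <<~HBA
  # TYPE  DATABASE        USER            ADDRESS                 METHOD
  local   all             postgres                                peer
  local   all             all                                     scram-sha-256
  host    all             all             127.0.0.1/32            md5
  host    all             all             ::1/128                 scram-sha-256
  host    replication     all             127.0.0.1/32            scram-sha-256
HBA

if __FILE__ == $PROGRAM_NAME
  weak_hba_entries(SAMPLE_PG_HBA).each do |e|
    puts "non-compliant: #{e[:type]} #{e[:database]} #{e[:user]} #{e[:address]} -> #{e[:auth_method]}"
  end
end
```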


You’ll execute this control as the postgres user because read access to the PostgreSQL HBA configuration file is granted only to its owner and group, both of which are postgres. Execute the profile by running:


  • sudo -u postgres inspec exec .

Your output will resemble the following:


Output
Profile: InSpec Profile (PostgreSQL)
Version: 0.1.0
Target:  local://

  ✔  1-audit_installation: Audit PostgreSQL Installation
     ✔  System Package postgresql-10 should be installed
     ✔  System Package postgresql-10 version should cmp >= "10"
     ✔  Service postgresql@10-main should be enabled
     ✔  Service postgresql@10-main should be installed
     ✔  Service postgresql@10-main should be running
  ✔  2-audit_address_port: Audit Process and Port
     ✔  Port 5432 should be listening
     ✔  Port 5432 addresses should include "127.0.0.1"
     ✔  Port 5432 protocols should cmp == "tcp"
     ✔  Processes postgres should exist
     ✔  Processes postgres users should include "postgres"
     ✔  User postgres should exist
  ✔  3-postgresql: Audit PostgreSQL Configuration
     ✔  PostgreSQL Configuration port should eq "5432"
     ✔  PostgreSQL Configuration password_encryption should eq "scram-sha-256"
     ✔  PostgreSQL Configuration ssl should eq "on"
     ✔  PostgreSQL Configuration logging_collector should eq "on"
     ✔  PostgreSQL Configuration log_connections should eq "on"
     ✔  PostgreSQL Configuration log_disconnections should eq "on"
     ✔  PostgreSQL Configuration log_duration should eq "on"
  ✔  4-postgres_hba: Require SCRAM-SHA-256 for ALL users, peers in pg_hba.conf
     ✔  Postgres Hba Config /etc/postgresql/10/main/pg_hba.conf with type == "local" auth_method should all eq "scram-sha-256"
     ✔  Postgres Hba Config /etc/postgresql/10/main/pg_hba.conf with type == "host" auth_method should all eq "scram-sha-256"

Profile Summary: 4 successful controls, 0 control failures, 0 controls skipped
Test Summary: 20 successful, 0 failures, 0 skipped

This output indicates that the new control you added, together with all of the previous controls, is successful. It also indicates that all the tests in your profile pass.


In this step, you have added a control to your profile that uses the postgres_hba_conf resource to audit your PostgreSQL client authentication configuration and ensure that all clients are authenticated via scram-sha-256.


Conclusion

You’ve set up InSpec and successfully audited a PostgreSQL 10 installation. In the process, you’ve used a selection of InSpec tools, such as: the InSpec DSL, matchers, resources, profiles, attributes, and the CLI. From here, you can incorporate other resources that InSpec provides in the Resources section of their documentation. InSpec also provides a mechanism for defining custom resources for your specific needs. These custom resources are written as a regular Ruby class.


You can also explore the Compliance Profiles section of the Chef supermarket that contains publicly shared InSpec profiles that you can execute directly or extend in your own profiles. You can also share your own profiles with the general public in the Chef Supermarket.


You can go further by exploring other tools in the Chef universe such as Chef and Habitat. InSpec is integrated with Habitat and this provides the ability to ship your compliance controls together with your Habitat-packaged applications and continuously run them. You can explore official and community InSpec tutorials on the tutorials page. For more advanced InSpec references, check the official InSpec documentation.


Translated from: https://www.digitalocean.com/community/tutorials/how-to-audit-a-postgresql-database-with-inspec-on-ubuntu-18-04
