Feat: Add basis for postgres-hardening

Signed-off-by: Mahdi Fooladgar (professormahi) <professormahi_f@yahoo.com>

Author: professormahi

.github/labeler.yml

@@ -28,3 +28,11 @@ nginx_hardening:
           - roles/nginx_hardening/**
           - molecule/nginx_hardening/**
           - .github/workflows/nginx_hardening.yml
+
+
+postgres_hardening:
+  - changed-files:
+      - any-glob-to-any-file:
+        - "roles/postgres_hardening/**"
+        - "molecule/postgres_hardening/**"
+        - ".github/workflows/postgres_hardening.yml"

.github/workflows/postgres_hardening.yml

@@ -0,0 +1,89 @@
+---
+name: "devsec.postgres_hardening"
+on: # yamllint disable-line rule:truthy
+  workflow_dispatch:
+  push:
+    branches: [master]
+    paths:
+      - "roles/postgres_hardening/**"
+      - "molecule/postgres_hardening/**"
+      - ".github/workflows/postgres_hardening.yml"
+      - "requirements.txt"
+  pull_request:
+    branches: [master]
+    paths:
+      - "roles/postgres_hardening/**"
+      - "molecule/postgres_hardening/**"
+      - ".github/workflows/postgres_hardening.yml"
+      - "requirements.txt"
+  schedule:
+    - cron: "0 6 * * 1"
+
+concurrency:
+  group: >-
+    ${{ github.workflow }}-${{
+      github.event.pull_request.number || github.sha
+    }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      PY_COLORS: 1
+      ANSIBLE_FORCE_COLOR: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        molecule_distro:
+          # - centos7
+          # - centosstream8
+          # - centosstream9
+          # - rocky8
+          # - rocky9
+          - ubuntu1804
+          - ubuntu2004
+          - ubuntu2204
+          # - debian10
+          # - debian11
+          # - debian12
+          # - amazon2023
+          # - arch  # needs to be fixed
+          # - opensuse_tumbleweed  # needs to be fixed
+          # - fedora  # no support from geerlingguy role
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          path: ansible_collections/devsec/hardening
+          submodules: true
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.12
+
+      - name: Install dependencies
+        run: |
+          sudo apt install git
+          python -m pip install --no-cache-dir --upgrade pip
+          pip install -r requirements.txt
+        working-directory: ansible_collections/devsec/hardening
+
+      # Molecule has problems detecting the proper location for installing roles
+      # https://github.com/ansible/molecule/issues/3806
+      # we do not set a custom role path, but the automatically determined install path used is not compatible with the location molecule expects the role
+      # see CI logs of this action "INFO     Set ANSIBLE_ROLES_PATH" should not be present, since we do not set a custom path
+      # we have to find a proper way to configure this
+      - name: Temporary fix for roles
+        run: |
+          mkdir -p /home/runner/.ansible
+          ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles
+
+      - name: Test with molecule
+        run: |
+          molecule --version
+          molecule test -s postgres_hardening
+        env:
+          MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+        working-directory: ansible_collections/devsec/hardening

molecule/postgres_hardening/converge.yml

@@ -0,0 +1,13 @@
+---
+- name: wrapper playbook for kitchen testing "ansible-postgres-hardening" with custom settings
+  become: true
+  hosts: all
+  collections:
+    - devsec.hardening
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  tasks:
+    - include_role:
+        name: postgres_hardening

molecule/postgres_hardening/molecule.yml

@@ -0,0 +1,60 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    privileged: true
+    cgroupns_mode: host
+    pre_build_image: true
+provisioner:
+  name: ansible
+  options:
+    diff: true
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+      callbacks_enabled: profile_tasks, timer, yaml
+  inventory:
+    host_vars:
+      # https://molecule.readthedocs.io/en/latest/examples.html#docker-with-non-privileged-user
+      # setting for the platform instance named 'instance'
+      instance:
+        ansible_user: ansible
+verifier:
+  name: ansible
+
+scenario:
+  create_sequence:
+    - dependency
+    - create
+    - prepare
+  check_sequence:
+    - dependency
+    - destroy
+    - create
+    - prepare
+    - converge
+    - check
+    - destroy
+  converge_sequence:
+    - dependency
+    - create
+    - prepare
+    - converge
+  destroy_sequence:
+    - destroy
+  test_sequence:
+    - dependency
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - check
+    - converge
+    - idempotence
+    - verify
+    - destroy

molecule/postgres_hardening/prepare.yml

@@ -0,0 +1,17 @@
+---
+- name: prepare playbook for kitchen testing "ansible-postgres-hardening" with custom settings
+  become: true
+  hosts: all
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  tasks:
+    - name: install required packages
+      package:
+        name: "python3-apt"
+        update_cache: true
+      ignore_errors: true # noqa ignore-errors
+
+    - include_role:
+        name: geerlingguy.postgres

molecule/postgres_hardening/verify.yml

@@ -0,0 +1,36 @@
+---
+- name: Verify
+  hosts: all
+  become: true
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+
+- name: Verify
+  hosts: localhost
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  tasks:
+    - name: Execute cinc-auditor tests
+      command: >
+        docker run
+        --volume /run/docker.sock:/run/docker.sock
+        docker.io/cincproject/auditor exec
+        -t docker://instance
+        --no-show-progress --no-color
+        --no-distinct-exit https://github.com/dev-sec/postgres-baseline/archive/refs/heads/master.zip
+      register: test_results
+      changed_when: false
+      ignore_errors: true
+
+    - name: Display details about the cinc-auditor results
+      debug:
+        msg: "{{ test_results.stdout_lines }}"
+
+    - name: Fail when tests fail
+      fail:
+        msg: "Inspec failed to validate"
+      when: test_results.rc != 0

roles/postgres_hardening/CHANGELOG.md

@@ -0,0 +1,18 @@
+# devsec.postgres_hardening
+
+[![devsec.postgres_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/postgres_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/postgres_hardening.yml)
+
+## Description
+
+This role provides secure postgres configuration. It is intended to be compliant with the [DevSec Postgres Baseline](https://github.com/dev-sec/postgres-baseline).
+
+
+**NOTE: This role does not work with postgres 1.0.15 or older! Please use the latest version from the official postgres repositories!**
+
+<!-- BEGIN_ANSIBLE_DOCS -->
+
+## Supported Operating Systems [For Now]
+- Ubuntu
+  - bionic, focal, jammy
+
+## Role Variables

roles/postgres_hardening/README.md

@@ -0,0 +1,7 @@
+---
+# switcher to enable/disable role
+postgres_hardening_enabled: true
+
+postgres_daemon_enabled: true
+
+postgres_hardening_restart_postgres: true

roles/postgres_hardening/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart postgres
+  ansible.builtin.service:
+    name: "{{ postgres_daemon }}"
+    state: restarted
+  when: postgres_hardening_restart_postgres | bool