2016-09-22 12:43:57 +00:00
|
|
|
---
|
|
|
|
title: About the postgres_session Resource
|
|
|
|
---
|
|
|
|
|
|
|
|
# postgres_session
|
|
|
|
|
|
|
|
Use the `postgres_session` InSpec audit resource to test SQL commands run against a PostgreSQL database.
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
## Syntax
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
A `postgres_session` resource block declares the username and password to use for the session, and then the command to be run:
|
|
|
|
|
|
|
|
sql = postgres_session('username', 'password')
|
|
|
|
|
|
|
|
describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
|
|
|
|
its('output') { should eq('') }
|
|
|
|
end
|
|
|
|
|
|
|
|
where
|
|
|
|
|
|
|
|
* `sql = postgres_session` declares a username and password with permission to run the query
|
|
|
|
* `sql.query('')` contains the query to be run
|
|
|
|
* `its('output') { should eq('') }` compares the results of the query against the expected result in the test
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
## Matchers
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
This InSpec audit resource has the following matchers:
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### be
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
<%= partial "/shared/matcher_be" %>
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### cmp
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
<%= partial "/shared/matcher_cmp" %>
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### eq
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
<%= partial "/shared/matcher_eq" %>
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### include
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
<%= partial "/shared/matcher_include" %>
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### match
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
<%= partial "/shared/matcher_match" %>
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### output
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
The `output` matcher tests the results of the query:
|
|
|
|
|
|
|
|
its('output') { should eq(/^0/) }
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
## Examples
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
The following examples show how to use this InSpec audit resource.
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### Test the PostgreSQL shadow password
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
sql = postgres_session('my_user', 'password')
|
|
|
|
|
|
|
|
describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
|
|
|
|
its('output') { should eq('') }
|
|
|
|
end
|
|
|
|
|
2016-09-27 19:03:23 +00:00
|
|
|
### Test for risky database entries
|
2016-09-22 12:43:57 +00:00
|
|
|
|
|
|
|
describe postgres_session('my_user', 'password').query('SELECT count (*)
|
|
|
|
FROM pg_language
|
|
|
|
WHERE lanpltrusted = \'f\'
|
|
|
|
AND lanname!=\'internal\'
|
|
|
|
AND lanname!=\'c\';') do
|
|
|
|
its('output') { should eq '0' }
|
|
|
|
end
|