pgsectest's Introduction

pgsectest

A tool to run security checks against postgres and return a score

The origin

We wanted to run security tests, but ajutomated across all instances we manage, and deliver results to our clients. And thus pgsectest was born.

Downloading pgsectest

The most straight forward way is to download pgsectest directly from the github release page. But there are other options, like

using the container image from dockerhub
direct build from source (if you feel you must)

Please refer to our download instructions for more details on all options.

Usage

After downloading the binary to a folder in your path, you can run pgsectest with a command like:

pgsectest ./mytest*.yml ./andonemoretest.yml

Or using stdin:

cat ./mytests*.yml | pgsectest

Verbosity

You can improve verbosity of output by adding one or more -v arguments:

pgsectest ./mytest*.yml ./andonemoretest.yml -vvv

Number of V's	Output
0	Only end score
1	Also score for failed tests
2	Also advisory and url for failed tests
3	Also score for succeded tests (max score)

Defining your tests

A more detailed description can be found in our test definition guide.

TLDR; you can define one or more test chapters as yaml documents (separated by the '---' yaml doc separator). Each test chapter can have the following information defined:

a dsn, whith all connection details to connect to postgres.
- Note that instead of configuring in this chapter, the libpq environment variables can also be used, but options configured in this chapter take precedence.
You can set the number of retries, delay and debugging options
Each test can define
- a name (defaults to the query when not set),
- a query for the dividend and a query for the divisor
- an advisory how to improve your score
- a url for more information
- the expected result (a list of key/value pairs)
- the option to reverse the outcome (Ok results are counted as errors and vice versa)

Some example test definitions can be found in the testdata folder.

pgsectest's People

Contributors

Watchers

pgsectest's Issues

Additional test

It would be awesome if we could also have tests for the following points:

Postgres version
- Note CVE-2013-1899 Argument injection vulnerability in PostgreSQL before 9.2.4, 9.1.9, and 9.0.13)
Portscanning (N/A)
pg_shadow
pg_extensions
users with CREATEROLE
Privesc
Modify password
Members of:
- pg_execute_server_program (execute programs)
- pg_read_server_files (read files)
- pg_write_server_files (write files)
Users with execute permissions on
- pg_ls_dir
- pg_read_file
- pg_read_binary_file
- pg_read_server_files (required for COPY)
- pg_write_server_files (required for COPY)
- pg_execute_server_program (required for COPY)
- blink_connect_u (required for dblink without superuser privilleges)
Ownership of objects (to be refined what is actually to be checked)
pg_hba trust
function with SECURITY DEFINER
rce-with-postgresql-languages
rce-with-postgresql-extensions
postgresql-configuration-file-rce
rce-with-ssl_passphrase_command
rce-with-archive_command
alter-table-privesc
priv esc with local login
pl-pgsql-password-bruteforce
upload big binary files e.a. to abuse a modified version of udfhack, or bind a shell
- Note that there is ACL permissions that would limit the vulnerability

We want more details if we can produce them

It would be awesome, if a test fails we could also have the actual records printed out

Change from 1 query wich returns a float into 2 queries which return 2 floats

We constantly write a cumbersome query which basically runs 2 queries returning integers, converts both to floats, divides them and returns the division.
As an example we query the number of users with an md5 password (dividend) and divide by total number of users (divisor).
Then we convert both into a float, divide the dividend by the divisor, and the result is returned as a float.
This is very cumbersome to write, and having defaults is difficult aswel.
Lets change this so that we have 2 queries:

One for the dividend
One for the divisor

Both could return an integer (we can easily convert the into float in go), and the division can be done in go aswel.
Interestingly, we could run with 'sane defaults', such that

empty string for the dividend would become min
empty string for the divisor would become 1
divisor returning zero would not be a division by zero error, but rather max

Lets add a loglevel where you get info for every result being less than 100%

We could have more info such as a url, or a message helping to resolve the issue.
But we should also have another log level, where

debug is most verbose
new level is info for every test
info is only the end result

Also, 'reading from stdin' should be debug level msg

Recommend Projects

mannemsolutions / pgsectest Goto Github PK

pgsectest's Introduction

pgsectest

The origin

Downloading pgsectest

Usage

Verbosity

Defining your tests

pgsectest's People

Contributors

Watchers

pgsectest's Issues

Additional test

We want more details if we can produce them

Change from 1 query wich returns a float into 2 queries which return 2 floats

Lets add a loglevel where you get info for every result being less than 100%

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent