V-72853

control "V-72853" do
  title "Privileges to change PostgreSQL software modules must be limited."
  desc  "If the system were to allow any user to make changes to software
  libraries, those changes might be implemented without undergoing the
  appropriate testing and approvals that are part of a robust change management
  process.  Accordingly, only qualified and authorized individuals must be
  allowed to obtain access to information system components for purposes of
  initiating changes, including upgrades and modifications.  Unmanaged changes
  that occur to the database software libraries or configuration can lead to
  unauthorized or compromised installations."
  impact 0.5
  tag "severity": "medium"
  tag "gtitle": "SRG-APP-000133-DB-000179"
  tag "gid": "V-72853"
  tag "rid": "SV-87505r1_rule"
  tag "stig_id": "PGS9-00-000700"
  tag "cci": "CCI-001499"
  tag "nist": ["CM-5 (6)", "Rev_4"]

  tag "check": "Note: The following instructions use the PGDATA environment
  variable. See supplementary content APPENDIX-F for instructions on configuring
  PGDATA.  As the database administrator (shown here as \"postgres\"), check the
  permissions of configuration files for the database:

  $ sudo su - postgres
  $ ls -la ${PGDATA?}

  If any files are not owned by the database owner or have permissions allowing
  others to modify (write) configuration files, this is a finding.

  As the server administrator, check the permissions on the shared libraries for
  PostgreSQL:

  $ sudo ls -la /usr/pgsql-9.5
  $ sudo ls -la /usr/pgsql-9.5/bin
  $ sudo ls -la /usr/pgsql-9.5/include
  $ sudo ls -la /usr/pgsql-9.5/lib
  $ sudo ls -la /usr/pgsql-9.5/share

  If any files are not owned by root or have permissions allowing others to
  modify (write) configuration files, this is a finding."

  tag "fix": "Note: The following instructions use the PGDATA environment
  variable. See supplementary content APPENDIX-F for instructions on configuring
  PGDATA.  As the database administrator (shown here as \"postgres\"), change
  the ownership and permissions of configuration files in PGDATA:

  $ sudo su - postgres
  $ chown postgres:postgres ${PGDATA?}/postgresql.conf
  $ chmod 0600 ${PGDATA?}/postgresql.conf

  As the server administrator, change the ownership and permissions of shared
  objects in /usr/pgsql-9.5/*.so

  $ sudo chown root:root /usr/pgsql-9.5/lib/*.so
  $ sudo chmod 0755 /usr/pgsql-9.5/lib/*.so

  As the service administrator, change the ownership and permissions of
  executables in /usr/pgsql-9.5/bin:

  $ sudo chown root:root /usr/pgsql-9.5/bin/*
  $ sudo chmod 0755 /usr/pgsql-9.5/bin/*"

  describe directory(PG_DATA) do
    it { should be_directory }
    it { should be_owned_by PG_OWNER }
    its('mode') { should cmp '0700' }
  end

  find_insecure_files= "find -L #{PG_DATA} -type f \\( ! -user #{PG_OWNER} "\
    "-or -perm -g=w -or -perm -o=w \\)"

  describe command(find_insecure_files) do
    its('stdout') { should eq '' }
    its('exit_status') { should cmp 0 }
  end

  PG_SHARED_LIBS.each do |dir|
    describe directory(dir) do
      it { should be_directory }
      it { should be_owned_by 'root' }
      its('mode') { should cmp '0755' }
    end

    find_insecure_libs = "find -L #{dir} -type f \\( ! -user root "\
      "-or -perm -g=w -or -perm -o=w \\)"

    describe command(find_insecure_libs) do
      its('stdout') { should eq '' }
      its('exit_status') { should cmp 0 }
    end
  end
end