fixed typo; improved postgres hba

secshellnet · Sep 13, 2023 · b0bd468 · b0bd468
1 parent 9fb1d64
commit b0bd468
Show file tree

Hide file tree

Showing 18 changed files with 3 additions and 1,668,906 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Secure Shell Networks: [Hetzner Cloud](https://www.hetzner.com/cloud) Ansible Inventory
 
-This repository template provides a ansible inventory to manage cloud server in 
+This repository template provides an ansible inventory to manage cloud server in 
 hetzner cloud (hcloud). It performes some basic linux hardening (unattended upgrades, 
 ssh, fail2ban) and can be extended by roles or tasks to perform whatever you need.
 
@@ -147,39 +147,3 @@ postgresql_users_e:
 - Use `\c <database>` to connect to a database
 - You can also connect using tcp (like any other application): 
   `psql -h 127.0.0.1 -U <user> <database>`
-
-## TODO
-- run OpenSCAP and check what could be improved (see openscap reports / fixes)
-  ```shell
-  # on ubuntu:
-  sudo apt install libopenscap8
-  scp -o "StrictHostKeyChecking=no" -i .keys/id_ecdsa \
-    -r ~/OpenSCAP/policies worker@[2a01:4f9:c011:a617::1]:
-
-  # on debian:
-  sudo apt install openscap-scanner
-  scp -o "StrictHostKeyChecking=no" -i .keys/id_ecdsa \
-    -r ~/OpenSCAP/policies worker@[2a01:4f9:c011:a617::1]:
-
-  # on rhel
-  sudo dnf install -y openscap-scanner scap-security-guide
-
-  oscap info /usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml
-  oscap xccdf eval \
-    --profile xccdf_org.ssgproject.content_profile_standard \
-    --results-arf arf.xml \
-    --report report.html \
-    /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml  # on debian/ubuntu policies/ssg-debian11-ds.xml
-  sudo oscap xccdf \
-    generate fix \
-    --fetch-remote-resources \
-    --fix-type ansible \
-    --result-id "" \
-    arf.xml > fixes.yml
-  ```
-
-### think about
-- (iptables/firewalld) firewall rules and/or hcloud firewall rules -> integration of hcloud would be independent of distribution -> if we want to support distros like fedora in future it would be better for now
-- auditd / rkhunter / AIDE / snort -> how to log it
-- disable core dumps via soft / hard limits
-- disable unused filesystems (cramfs, freevxfs, jffs2, hfs, hfsplus, udf, squashfs, dccp, rds, sctp, tips)
diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
@@ -8,13 +8,8 @@ image: ubuntu-22.04
 enable_ipv4: false
 enable_ipv6: true
 
-# ansible-role-postgresql default host based authentication config 
-# role default uses md5 to authenticate, which is why we override it
-postgresql_hba_entries:
-  - { type: local, database: all, user: postgres, auth_method: peer }
-  - { type: local, database: all, user: all, auth_method: peer }
-  - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: scram-sha-256 }
-  - { type: host, database: all, user: all, address: '::1/128', auth_method: scram-sha-256 }
+# ansible-role-postgresql host based authentication defaults to md5
+postgresql_auth_method: scram-sha-256
 
 # features / roles to install
 install_nginx: false