ccp_monitoring user violates STIG V-233519 #3424

Closed
@szelenka

Description

Overview

The monitoring user ccp_monitoring is hard-coded to use md5 authentication at this line:
https://github.com/CrunchyData/postgres-operator/blob/master/internal/pgmonitor/postgres.go#L41-L44

This violates STIG V-233519, which expects any password-authenticated users to use scram-sha-256.

This happens even if we explicitly tell Postgres to use scram-sha-256 for authentication via the CRD:

patroni:
  dynamicConfiguration:
    postgresql:
      parameters:
        password_encryption: "scram-sha-256"

However, the _crunchypgbouncer user gets created with scram-sha-256; it seems to be only the ccp_monitoring user that has this problem.

Environment

  • Platform: GKE
  • Platform Version: 1.22
  • PGO Image Tag: ubi8-5.2.0-0
  • Postgres Version: 14
  • Storage: PVC

Steps to Reproduce

REPRO

  1. Create a new cluster via CRD with patroni.dynamicConfiguration.postgresql.parameters.password_encryption: "scram-sha-256"
  2. Shell into one of the instances
  3. Execute cat /pgdata/pg14/pg_hba.conf | grep md5

EXPECTED

  1. Would expect all system accounts created to follow the configuration provided to the CRD

ACTUAL

  1. User ccp_monitoring is hard-coded to use md5 for authentication

Logs

n/a

Additional Information

n/a
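The check in step 3 of the reproduction is a bare grep for "md5", which also matches comments and does not tell you which user or which entry is affected. The script below is an added example, not code from the postgres-operator project or from the issue reporter: it parses pg_hba.conf by field, flags every entry whose authentication method is md5 or password (the methods STIG V-233519 does not allow for password authentication), and reports the line number and user. The sample pg_hba.conf it writes is constructed to resemble what the report describes (ccp_monitoring on md5 for loopback addresses, other users on scram-sha-256); the function names and the temp-file path are the example's own.

```shell
#!/bin/sh
# Added example (not from the postgres-operator project): audit a pg_hba.conf
# for password-authenticated entries that do not use scram-sha-256.
# The "md5" and "password" methods are flagged. Function names, the sample
# file and the temp path below are constructed for this example.

# hba_weak_auth FILE
# Prints "line:<n> user=<user> method=<method>" for each non-comment entry
# using md5 or password. Returns 0 if none found, 1 if at least one exists.
hba_weak_auth() {
    _file="$1"
    _found=0
    _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        _body=${_line%%#*}          # drop trailing comments
        set -- $_body               # split remaining fields on whitespace
        [ $# -eq 0 ] && continue    # blank or comment-only line
        case "$1" in
            local)
                # TYPE DATABASE USER METHOD [OPTIONS]
                [ $# -ge 4 ] || continue
                _user=$3; _method=$4 ;;
            host|hostssl|hostnossl|hostgssenc|hostnogssenc)
                # TYPE DATABASE USER ADDRESS [NETMASK] METHOD [OPTIONS]
                [ $# -ge 5 ] || continue
                _user=$3
                case "$4" in
                    */*|*:*) _method=$5 ;;            # CIDR or IPv6 address
                    *) case "$5" in
                           [0-9]*.[0-9]*.[0-9]*.[0-9]*)  # address + separate netmask
                               [ $# -ge 6 ] || continue
                               _method=$6 ;;
                           *) _method=$5 ;;            # hostname, "all" or bare address
                       esac ;;
                esac ;;
            *) continue ;;          # "include" directives and unknown types are skipped
        esac
        case "$_method" in
            md5|password)
                printf 'line:%d user=%s method=%s\n' "$_n" "$_user" "$_method"
                _found=1 ;;
        esac
    done < "$_file"
    return $_found
}

# write_sample_hba FILE
# Writes a constructed pg_hba.conf resembling the situation in the report:
# ccp_monitoring on md5 for loopback, everything else on scram-sha-256.
write_sample_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE        USER                ADDRESS             METHOD
local   all             postgres                                peer
hostssl all             _crunchypgbouncer   all                 scram-sha-256
host    all             ccp_monitoring      127.0.0.0/8         md5
host    all             ccp_monitoring      ::1/128             md5
host    all             all                 10.0.0.0 255.0.0.0  scram-sha-256
hostssl all             all                 all                 scram-sha-256
EOF
}

# run_demo: audit the constructed sample. On a real instance point
# hba_weak_auth at the cluster's file instead, e.g. /pgdata/pg14/pg_hba.conf.
run_demo() {
    _tmp=$(mktemp)
    write_sample_hba "$_tmp"
    hba_weak_auth "$_tmp"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

[ "${1:-}" = "demo" ] && run_demo
```

The pg_hba.conf method is only half of the picture for the STIG check. Since PostgreSQL 10 an md5 entry negotiates SCRAM automatically when the role's stored password is already a SCRAM verifier, and a scram-sha-256 entry will reject a role whose stored password is still an md5 hash. After changing either side, confirm the stored verifier format too, for example with SELECT rolname, left(rolpassword, 4) FROM pg_authid WHERE rolpassword IS NOT NULL, where "md5" versus "SCRA" shows which roles still need their password re-set under password_encryption = scram-sha-256.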
