improve SCRAM-SHA-256 password handling

chris-rock · chris-rock · commit 19afcfbb65ce · 2019-02-25T13:35:38.000+01:00
Signed-off-by: Christoph Hartmann &lt;chris@lollyrock.com&gt;
diff --git a/README.md b/README.md
@@ -1,5 +1,4 @@
-DevSec PostgreSQL Baseline
-==========================
+# DevSec PostgreSQL Baseline
 
 This Compliance Profile ensures, that all hardening projects keep the same quality.
 
@@ -23,12 +22,12 @@ $ inspec exec https://github.com/dev-sec/postgres-baseline
 
 ## License and Author
 
-* Author:: Patrick Muench <patrick.muench1111@gmail.com >
-* Author:: Dominik Richter <dominik.richter@googlemail.com>
-* Author:: Christoph Hartmann <chris@lollyrock.com>
-* Author:: Edmund Haselwanter <me@ehaselwanter.com>
+- Author:: Patrick Muench <patrick.muench1111@gmail.com >
+- Author:: Dominik Richter <dominik.richter@googlemail.com>
+- Author:: Christoph Hartmann <chris@lollyrock.com>
+- Author:: Edmund Haselwanter <me@ehaselwanter.com>
 
-* Copyright 2014-2017, The Hardening Framework Team
+- Copyright 2014-2019, The DevSec Hardening Framework Team
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/controls/postgres_spec.rb b/controls/postgres_spec.rb
@@ -1,6 +1,7 @@
 # encoding: utf-8
 
 # Copyright 2016, Patrick Muench
+# Copyright 2016-2019 DevSec Hardening Framework Team
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -155,26 +156,23 @@
 
 control 'postgres-06' do
   impact 1.0
-  title 'Use salted MD5 to store postgresql passwords'
+  title 'Use salted hash to store postgresql passwords'
   desc 'Store postgresql passwords in salted hash format (e.g. salted MD5).'
-  describe command('psql -V') do
-    case its('output') 
-      when /^9/
-        describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do
-      	  its('output') { should match(/^md5\S*$/) }
-        end
-        describe postgres_conf(POSTGRES_CONF_PATH) do
-          its('password_encryption') { should eq 'on' }
-        end
-      when /^10/
-        describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do
-      	  its('output') { should match(/^scram-sha-256\S*$/) }
-        end
-        describe postgres_conf(POSTGRES_CONF_PATH) do
-          its('password_encryption') { should eq 'scram-sha-256' }
-        end
+  case postgres.version
+  when /^9/
+      describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do
+        its('output') { should match(/^md5\S*$/) }
+      end
+      describe postgres_conf(POSTGRES_CONF_PATH) do
+        its('password_encryption') { should eq 'on' }
+      end
+  when /^10/
+      describe postgres_session(USER, PASSWORD).query('SELECT passwd FROM pg_shadow;') do
+        its('output') { should match(/^scram-sha-256\S*$/) }
+      end
+      describe postgres_conf(POSTGRES_CONF_PATH) do
+        its('password_encryption') { should eq 'scram-sha-256' }
       end
-    end
   end
 end
 
