Verify controls in running configuration

[FLiPp3r90]

Instead of checking the server configuration file we check the lifetime parameters now. So we can be sure that the params are active.

[rndmh3ro]

LGTM! We do the same for the mysql-baseline, too.

[chris-rock]

Great work @FLiPp3r90

[schurzi]

Nice PR. I really like the approach in checking the running config.

But now comes a big "but" from me:
I don't want to loose the checks of the static configuration. I think it would be best, if we keep the old config file checks an add the new running config checks. This way we can be sure, that the persistent configuration matches the running config.

oppinions? @rndmh3ro @chris-rock

[rndmh3ro]

We'd essentially duplicate the code if we keep both. If there's a way to not duplicate this, it'd be great.

To counter your objections @schurzi: there are probably two ways to use the hardening and checks.

1. we use the config-management and the cinc-profiles in an automated fashion. So we probably roll the config out, than check it. In this order, checking the running config should be enough.
2. we reguarly check the configuration without hardening it. This way checking running state should be enough, too.

So while I agree that checking both config-files and the running state would be best, if we cannot do this without duplicating code, I'd only check running state.

[schurzi]

yes, I'm also concerned about all this duplication. I thought maybe we can introduce a helper function, that generated two describe blocks for each single configuration, but I found no good way to do this.

One alternative, that may be acceptable is:

  [
          {name: "logging_collector", value: "on"},
          {name: "log_connections", value: "on"},
          {name: "log_disconnections", value: "on"},
          {name: "log_duration", value: "on"},
  ].each do |config|
        describe postgres_conf(POSTGRES_CONF_PATH) do
          its(config[:name]) { should eq config[:value] }
        end
        describe postgres_session(USER, PASSWORD).query('SHOW' + config[:name] +';') do
          its('output') { should eq config[:value] }
        end
  end

This would avoid many duplicated lines, and the intent can be seen with a little bit more effort. We can also structure the config hash a bit better and put it in an extra variable.